Small Shell Addon for trying to find some Apache Attacks.

Discussion in 'Plesk for Linux - 8.x and Older' started by lvalics, Oct 5, 2005.

  1. lvalics

    A lot of people "yell" that it is hard to find, under a heavy LOAD, which site is under DoS attack.

    I don't know if it is a good start; we have written a few lines, I hope it will help.

    What will this script do?
    It will extract from ALL access_log files how many times each IP accessed a domain.
    On the first run it will read the whole access_log; on the second run, let's say after 3 minutes, only the differences.
    So on the second run you can really see who is at the TOP of requests, and from which IP.
    Do not be alarmed if you see 100 or 200 accesses; it counts all files from access_log, not unique requests, so go on ALERT only if you see something like 1000 or more requests from the same IP.
    If you see that, then add that IP to the firewall and see if the load goes down.
    Any idea to improve the script is welcome.

    Code:
    #!/bin/bash
    # Works with the OLD system layout: /home/httpd/vhosts/
    
    # Rotate the reports and the per-run data of previous runs
    mv -f toplog4 toplog5 2> /dev/null
    mv -f toplog3 toplog4 2> /dev/null
    mv -f toplog2 toplog3 2> /dev/null
    mv -f toplog1 toplog2 2> /dev/null
    
    mv -f toplog4.tmp toplog5.tmp 2> /dev/null
    mv -f toplog3.tmp toplog4.tmp 2> /dev/null
    mv -f toplog2.tmp toplog3.tmp 2> /dev/null
    mv -f toplog1.tmp toplog2.tmp 2> /dev/null
    
    # Read from the access_log files
    #tail -f /home/httpd/vhosts/*/statistics/logs/access_log |
    
    # Keep the line counts recorded by the previous run
    echo >> lastpos.tmp
    mv -f lastpos.tmp lastpos.old.tmp
    
    for file in /home/httpd/vhosts/*/statistics/logs/access_log
    do
        # Reduce the log path to the domain name
        f=$(echo -n "$file" | sed "s/\/home\/httpd\/vhosts\///g;s/\/.\?access_log//;s/\/statistics\/logs//g")
        
        echo "$f"
        # Record the current line count for the next run
        lines=$(wc -l < "$file")
        printf '%s\t%s\n' "$lines" "$file" >> lastpos.tmp
        # Line count seen by the previous run (fixed-string match on the path)
        oldlines=$(grep -F -- "$file" lastpos.old.tmp | cut -f 1)
        # First run, or the log was rotated since the last run: read it all
        if [[ -z "$oldlines" || "$lines" -lt "$oldlines" ]]
        then
            oldlines=0
        fi
        
        # Take only the lines added since the previous run and emit "IP domain"
        tail -n +"$((oldlines + 1))" "$file" | cut -f 1 -d " " | grep "\." | grep -v == | sed "s/\$/ $f/" >> toplog1.tmp
    done
    
    # Write the reports: toplog1 = this run, log = the last five runs combined
    (echo -n "#" ; date) > toplog1
    (echo -n "#" ; date) > log
    # Sort before uniq -c, otherwise only adjacent duplicates are counted together
    sort toplog1.tmp | uniq -c | sort -rn >> toplog1
    
    cat toplog?.tmp | sort | uniq -c | sort -rn >> log
    
     
  2. lvalics

    What was screwed up now?
    I do not see anything in the script that could screw something up ...
    And I showed you that you made some mistake installing Power Toys and ART YUM.

    Also please be ADVISED that any addon solution is always installed at your own risk.
     
  3. ChipMonk

    Sorry bro, I didn't mean to offend you.

    I tried to joke, and I think it was a bad joke early in the morning.

    So I took my words back.

    I apologize.
     
  4. ganast

    Wow, that was a cool little bit of code. Thanks a million.

    --gabe
     