  1. #1
    Member
    Join Date
    Jul 2007
    Posts
    41

    How to see what IPs accessing server

    I am having problems with high load on several occasions. I'm finding that many of these are Chinese spiders or repetitive access from international countries with questionable policing of such hackers and spammers. Is there a way to see a list of IPs currently pinging your server akin to what logs would be like as generated by each domain? Some packages require stats modules to be installed on every domain which makes tracking difficult and it is usually mysql based and slow. I don't need too much running data, just to see a running tab of who is connecting from where and how often.

  2. #2
    Member
    Join Date
    Jul 2007
    Posts
    41

    So how do you guys see what is causing high loads? How do you detect what is causing overload or potential attacks on your server? Right now I can only try to check error logs per domain or logs afterwards to see what is going on.

  3. #3
    bhd
    Member
    Join Date
    Sep 2003
    Location
    JNB ZA
    Posts
    142

    Try running something like this

    netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

    It will give you a list of IPs sorted by number of connections.

    If you run SuPHP, this is also helpful -

    1. tail -f /usr/local/apache/logs/suphp_log - it will show you which users are getting hit the most.

    2. Once you know that, you can go tail the log file for that user

    tail -f /homeN/username/access-logs/domain.com

    It's pretty easy once you have the correct log file to see what's going on there.
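
The connection-count one-liner in the post above, as an added example that is not part of the original post: `cut -d: -f1` returns an empty field for IPv6 and IPv4-mapped (`::ffff:a.b.c.d`) peers, and the two netstat header lines get counted as if they were addresses. This version strips only the trailing port, folds IPv4-mapped addresses into plain IPv4, and takes an optional minimum count. The function names and the sample input are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): tally remote IPs from `netstat -ntu`
# output read on stdin. Optional $1 = minimum connection count to report.
count_remote_ips() {
    awk -v min="${1:-1}" '
        # Skip the header lines; keep only tcp/tcp6/udp/udp6 rows.
        $1 !~ /^(tcp|udp)/ { next }
        {
            addr = $5                     # Foreign Address column
            sub(/:[0-9*]+$/, "", addr)    # drop the trailing :port only
            sub(/^::ffff:/, "", addr)     # IPv4-mapped IPv6 -> plain IPv4
            count[addr]++
        }
        END {
            for (a in count)
                if (count[a] >= min) printf "%d %s\n", count[a], a
        }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample input (documentation address ranges), for offline use.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.7:51514       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.7:51515       TIME_WAIT
tcp        0      0 192.0.2.10:80           198.51.100.23:40022     ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.7:51600 ESTABLISHED
tcp6       0      0 2001:db8::10:443        2001:db8::beef:55000    ESTABLISHED
udp        0      0 192.0.2.10:53           198.51.100.23:33333     ESTABLISHED
EOF
}

# Live use on a server you have root on: netstat -ntu | count_remote_ips 20
sample_netstat | count_remote_ips
```
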

  4. #4
    BANNED
    Join Date
    Jun 2005
    Location
    Wild Wild West
    Posts
    2,025

    Quote Originally Posted by slinky View Post
    I'm finding that many of these are Chinese spiders or repetitive access from international countries with questionable policing of such hackers and spammers.
    If you have GeoIP installed, you could put in limit policies into your server and / or web sites to block the "questionable policy" countries flat out.

    See: maxmind.com

    http://www.maxmind.com/app/c

    http://www.maxmind.com/app/mod_geoip

    Most common "high abuse ratio" GeoIP country codes in order: RU,NG,CN,RO,KR,HK,NL

    I generally don't recommend this action globally used where you might have clients who might
    have legitimate traffic from these areas. However, some items such as English speaking forums
    or sites that have no normal traffic coming from that region, it can be beneficial to limit connections
    to just those target regions which they serve.
    Last edited by Spiral; 10-20-2009 at 10:46 AM.

  5. #5
    Registered User
    Join Date
    Oct 2009
    Posts
    3

    Here's a quick tool to get location from an IP address:
    My IP Address


    Lots of other useful tools are available here:
    AlphaPatrol Home

  6. #6
    Member
    Join Date
    Jul 2007
    Posts
    41

    Quote Originally Posted by Spiral View Post
    If you have GeoIP installed, you could put in limit policies into your server and / or web sites to block the "questionable policy" countries flat out.

    See: maxmind.com

    MaxMind - GeoIP C API

    MaxMind - GeoIP Apache API

    Most common "high abuse ratio" GeoIP country codes in order: RU,NG,CN,RO,KR,HK,NL

    I generally don't recommend this action globally used where you might have clients who might
    have legitimate traffic from these areas. However, some items such as English speaking forums
    or sites that have no normal traffic coming from that region, it can be beneficial to limit connections
    to just those target regions which they serve.
    Thanks - this is an idea. One of the big ones is also India. They speak English but 99% of the traffic are Indians trying to post garbage on our site, hired by whatever American firm it is who wants to drop their junk to create backlinks.

  7. #7
    BANNED
    Join Date
    Jun 2005
    Location
    Wild Wild West
    Posts
    2,025

    Highest Problem Areas in order:

    CN, RU, KR, NG, HK, NL, IR, PK, IN, DE

  8. #8
    Member
    Join Date
    Jul 2007
    Posts
    41

    Quote Originally Posted by bhd View Post
    Try running something like this

    netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

    tail -f /homeN/username/access-logs/domain.com
    Thanks - couldn't get these to work. Will have to ask my host about netstat. That seemed the best. I think that it would be very beneficial for cpanel to have a couple of things:

    1) A panel that will show the current IPs hitting your server (even if just a snapshot from moment in time)

    2) A way to ban IPs from hitting the server server-wide, not just by domain. I think you can do this in httpd.conf but having an easy way would be nice.

  9. #9
    BANNED
    Join Date
    Jun 2005
    Location
    Wild Wild West
    Posts
    2,025

    Quote Originally Posted by slinky View Post
    Thanks - couldn't get these to work. Will have to ask my host about netstat. That seemed the best. I think that it would be very beneficial for cpanel to have a couple of things:
    Host? Are you the server owner or just a cpanel user (hosting account)?

    If the latter, then "netstat" wouldn't be available to you.

    1) A panel that will show the current IPs hitting your server (even if just a snapshot from moment in time)
    Actually Cpanel already has this, but it's a WHM root function.

    It wouldn't be available to you if you are just a regular hosting user.

    2) A way to ban IPs from hitting the server server-wide, not just by domain. I think you can do this in httpd.conf but having an easy way would be nice.
    Again, this is already built into the server (and extended by CSF, **recommended**).

    If you are an end user, you might be able to move to a host with better security. If you are a server owner, you might be able to improve the security on your server. If you are an end hosting user but want more administrative control like the things you just mentioned, you might want to move to a VPS or small dedicated server and in doing so gain more control over these items.

    Message me and I'd be glad to discuss your current situation and what options you might have available to you.
