
How to see what IPs accessing server

Discussion in 'Security' started by slinky, Oct 19, 2009.

  1. slinky

    slinky Well-Known Member

    I am having problems with high load on several occasions. I'm finding that many of these are Chinese spiders or repetitive access from international countries with questionable policing of such hackers and spammers. Is there a way to see a list of IPs currently pinging your server akin to what logs would be like as generated by each domain? Some packages require stats modules to be installed on every domain which makes tracking difficult and it is usually mysql based and slow. I don't need too much running data, just to see a running tab of who is connecting from where and how often.
     
  2. slinky

    slinky Well-Known Member

    So how do you guys see what is causing high loads? How do you detect what is causing overload or potential attacks on your server? Right now I can only try to check error logs per domain or logs afterwards to see what is going on.
     
  3. bhd

    bhd Well-Known Member

    Try running something like this

    netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

    It will give you a list of IPs sorted by number of connections.

    If you run SuPHP, this is also helpful -

    1. tail -f /usr/local/apache/logs/suphp_log - it will show you which users are getting hit the most.

    2. Once you know that, you can go tail the log file for that user

    tail -f /homeN/username/access-logs/domain.com

    It's pretty easy once you have the correct log file to see what's going on there.
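
An added example (not part of bhd's post): the same per-IP connection count written as a shell function that skips netstat's header lines and keeps IPv4-mapped and IPv6 peers intact, which `cut -d: -f1` would truncate. The function names and sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: count connections per remote address from `netstat -ntu` output.
# Reads netstat output on stdin so it can be run on saved or constructed data.
count_remote_ips() {
    awk '
        # Only tcp/udp rows; this skips the two header lines netstat prints.
        $1 ~ /^(tcp|udp)/ {
            addr = $5
            sub(/:[0-9*]+$/, "", addr)   # drop the port after the LAST colon
            sub(/^::ffff:/, "", addr)    # IPv4-mapped IPv6 -> plain IPv4
            if (addr == "" || addr == "0.0.0.0" || addr == "::") next
            count[addr]++
        }
        END { for (a in count) printf "%d %s\n", count[a], a }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample, shaped like Linux net-tools `netstat -ntu` output.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.7:51234       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.7:51235       TIME_WAIT
tcp        0      0 192.0.2.10:80           203.0.113.7:51240       ESTABLISHED
tcp        0      0 192.0.2.10:443          198.51.100.23:40022     ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:198.51.100.23:40100 ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::beef:33010    SYN_RECV
udp        0      0 192.0.2.10:53           198.51.100.99:5353      ESTABLISHED
EOF
}

# Live use on a server: netstat -ntu | count_remote_ips | head -20
if [ "${1:-}" = "--demo" ]; then
    sample_netstat | count_remote_ips
fi
```

The output is sorted busiest peer first, so piping it to `head` gives the top talkers at that moment.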
     
  4. Spiral

    Spiral BANNED

    If you have GeoIP installed, you could put in limit policies into your server and / or web sites to block the "questionable policy" countries flat out.

    See: maxmind.com

    http://www.maxmind.com/app/c

    http://www.maxmind.com/app/mod_geoip

    Most common "high abuse ratio" GeoIP country codes in order: RU,NG,CN,RO,KR,HK,NL

    I generally don't recommend this action globally used where you might have clients who might
    have legitimate traffic from these areas. However, some items such as English speaking forums
    or sites that have no normal traffic coming from that region, it can be beneficial to limit connections
    to just those target regions which they serve.
     
    #4 Spiral, Oct 20, 2009
    Last edited: Oct 20, 2009
  5. Arcat

    Arcat Registered

  6. slinky

    slinky Well-Known Member

    Thanks - this is an idea. One of the big ones is also India. They speak English but 99% of the traffic are Indians trying to post garbage on our site, hired by whatever American firm it is who wants to drop their junk to create backlinks.
     
  7. Spiral

    Spiral BANNED

    Highest Problem Areas in order:

    CN, RU, KR, NG, HK, NL, IR, PK, IN, DE
     
  8. slinky

    slinky Well-Known Member

    Thanks - couldn't get these to work. Will have to ask my host about netstat. That seemed the best. I think that it would be very beneficial for cpanel to have a couple of things:

    1) A panel that will show the current IPs hitting your server (even if just a snapshot from moment in time)

    2) A way to ban IPs from hitting the server server-wide, not just by domain. I think you can do this in httpd.conf but having an easy way would be nice.
     
  9. Spiral

    Spiral BANNED

    Host? Are you the server owner or just a cpanel user (hosting account)?

    If the latter then "netstat" wouldn't be available to you.

    Actually Cpanel already has the but it's a WHM root function.

    It wouldn't be available to you if you are just a regular hosting user.

    Again this is already built into the server (and extended by CSF **recommended***)

    If you are an end user, might be able to move to a host with better security. If you are a server owner, might be able to improve the security on your server. If you are an end hosting user but want more administrative control like the things you just mentioned, you might want to move to a VPS or small dedicated server and in doing so gain more control over these items.

    Message me and I'd be glad to discuss your current situation and what options you might have available to you.
     