Who’s trashing my web server?

Do you ever find that your server performance has suddenly taken a nose dive?

One of the most common causes is a flood of requests against your web server, typically a brute force attempt against a login page. top or ps will show you that the web server processes are eating the CPU, but not who is responsible; for that you need the access log. Usually a small number of IP addresses are making a very large number of requests, and the quickest way to regain control is to block those addresses with your firewall using the following process:

  • Get a list of client IP addresses from your access log:
    (the address is the second field in the log format used here; in the stock combined format (%h ...) it is the first field, so check one line of your log with head -1 and adjust the column number if needed)

    awk '{print $2}' access_log > access_list
  • Count the number of occurrences of each IP address and sort ascending:
    (note that uniq counts the number of contiguous entries, so you need to sort first)

    sort access_list | uniq -c | sort -n
  • Look for the IPs with an obviously high number of accesses and block them:
    (replace 192.0.2.44, a placeholder from the documentation address range, with the offending IP address; before blocking, make sure it is not a reverse proxy or load balancer in front of your server, otherwise you block every client at once)

    iptables -I INPUT -s 192.0.2.44 -j DROP

    You can confirm the rule is in place, and note its position, with:

    iptables -L INPUT -n --line-numbers

    Note that rules added this way are lost on reboot unless you save them (for example with service iptables save on CentOS 6 or iptables-save on other systems).
  • Now check your system load!
    It should start to come down right away.
    If not, then you have another issue …
  • If you feel like it, you can later unblock the IPs (the -D rule must match the one you inserted exactly):
    iptables -D INPUT -s 192.0.2.44 -j DROP
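The whole procedure as one script, added here as an example and not taken from the original post: it counts requests per client address, lists the addresses over a threshold, and prints the corresponding iptables rules for review (they are only installed when APPLY=1). The script assumes the combined log format, so the client address is field 1 (set IP_FIELD=2 for the layout the post describes); the log lines and the addresses in them are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the original post's commands: count requests per client
# address in an Apache-style access log and emit (or, with APPLY=1, install)
# iptables DROP rules for the noisiest ones.
#
# Assumptions (mine, not from the page):
#   - the log uses the combined format, so the client address is field 1;
#     set IP_FIELD to match your LogFormat (the post's layout used field 2);
#   - the sample log below is constructed and uses RFC 5737 documentation
#     addresses, so nothing real gets blocked.

IP_FIELD=${IP_FIELD:-1}

# make_sample_log FILE: write a constructed access log for an offline demo.
# 192.0.2.44 hammers the login page; the other two clients browse normally.
make_sample_log() {
    cat >"$1" <<'EOF'
192.0.2.44 - - [13/Feb/2015:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1321 "-" "python-requests/2.5"
198.51.100.7 - - [13/Feb/2015:10:00:02 +0000] "GET / HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
192.0.2.44 - - [13/Feb/2015:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1321 "-" "python-requests/2.5"
203.0.113.9 - - [13/Feb/2015:10:00:03 +0000] "GET /about.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.44 - - [13/Feb/2015:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1321 "-" "python-requests/2.5"
198.51.100.7 - - [13/Feb/2015:10:00:04 +0000] "GET /style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.0.2.44 - - [13/Feb/2015:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1321 "-" "python-requests/2.5"
192.0.2.44 - - [13/Feb/2015:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1321 "-" "python-requests/2.5"
EOF
}

# top_talkers LOGFILE THRESHOLD: print "count ip", busiest first, for every
# address with more than THRESHOLD requests. uniq -c only merges adjacent
# duplicates, so the addresses are sorted before counting.
top_talkers() {
    awk -v f="$IP_FIELD" '{ print $f }' "$1" \
        | sort | uniq -c | sort -rn \
        | awk -v t="$2" '$1 > t { print $1, $2 }'
}

# block_cmds LOGFILE THRESHOLD: turn top_talkers output into iptables rules.
# The rules are printed for review; they are only installed when APPLY=1.
block_cmds() {
    top_talkers "$1" "$2" | while read -r count ip; do
        echo "# $count requests from $ip"
        echo "iptables -I INPUT -s $ip -j DROP"
        if [ "${APPLY:-0}" = 1 ]; then
            iptables -I INPUT -s "$ip" -j DROP
        fi
    done
}

# Demo on the constructed log: anything with more than 3 requests gets a rule.
LOG=$(mktemp)
make_sample_log "$LOG"
block_cmds "$LOG" 3
rm -f "$LOG"
```

Run it against a real log with `top_talkers /var/log/httpd/access_log 1000` first and eyeball the list before setting APPLY=1; on a live server the threshold that separates an attacker from a busy legitimate client depends on your normal traffic, so the printed-only default is deliberate.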

Date: February 13, 2015

Category: Linux Admin Tips

Author: John Taylor

Responses To This Post:

  1. John Taylor says:

    This article applies to the default log format on a CentOS server, which has the IP address in column 2. If you have a different log format, you’ll need to adjust the $2 in the awk script to reference the appropriate column.
    ($1 for column 1, $2 for column 2 …)
