Who’s trashing my web server?
Do you ever find that your server performance has suddenly taken a nose dive?
One of the most common causes is a brute-force attack on your web server. You can quickly check whether this is the case with top or ps. The load is usually caused by a small number of IP addresses making a very large number of requests, and the quickest way to regain control is to block them at the firewall using the following process:
- Get a list of IP addresses from your access logs:
awk -F " " '{print $2}' access_log > access_list
- Count the number of occurrences of each IP address and sort ascending:
(note that uniq only counts contiguous identical lines, so you need to sort first)
sort access_list | uniq -c | sort -n
- Look for the IPs with an obviously high number of accesses and block them:
(obviously you need to replace 1111.2222.3333.4444 with the offending IP address)
iptables -I INPUT -s 1111.2222.3333.4444 -j DROP
- Now check your system load!
It should start to come down right away.
If not, then you have another issue …
- If you feel like it, you can later unblock the IPs:
iptables -D INPUT -s 1111.2222.3333.4444 -j DROP
This article applies to the default log format on a CentOS server, which has the IP address in column 2. If you have a different log format, you’ll need to adjust the $2 in the awk script to reference the appropriate column.
($1 for column 1, $2 for column 2 …)
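The whole process above as one script, added here as an example and not part of the original post: it counts requests per client address, applies a threshold, and prints the iptables rules for review rather than running them. The log lines are constructed, the threshold of 4 and the column number are assumptions, and the column is a parameter so the script can be pointed at whichever field holds the client IP in your log format.

```shell
#!/bin/sh
# Constructed sample of a vhost_combined-style access log: the client IP is
# field 2 (field 1 is the vhost:port), matching the column layout in the post.
SAMPLE_LOG=$(cat <<'EOF'
www.example.com:80 203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 401 512
www.example.com:80 198.51.100.23 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 2048
www.example.com:80 203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /login HTTP/1.1" 401 512
www.example.com:80 203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /login HTTP/1.1" 401 512
www.example.com:80 192.0.2.44 - - [10/Oct/2023:13:55:39 +0000] "GET /about HTTP/1.1" 200 1024
www.example.com:80 203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /login HTTP/1.1" 401 512
www.example.com:80 198.51.100.23 - - [10/Oct/2023:13:55:40 +0000] "GET /img/logo.png HTTP/1.1" 200 4096
EOF
)

# count_by_ip LOGTEXT COLUMN
# Prints "count ip" pairs, busiest first. COLUMN is the awk field holding the
# client address (2 for the layout above; 1 for the plain combined format).
count_by_ip() {
    printf '%s\n' "$1" | awk -v col="$2" '{ print $col }' | sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# offenders LOGTEXT COLUMN THRESHOLD
# Lists only the addresses whose request count reaches THRESHOLD (assumed value).
offenders() {
    count_by_ip "$1" "$2" | awk -v min="$3" '$1 >= min { print $2 }'
}

# block_commands LOGTEXT COLUMN THRESHOLD
# Emits the iptables DROP rules for review instead of running them, so the
# operator can spot a proxy or monitoring address before anything is blocked.
block_commands() {
    offenders "$1" "$2" "$3" | while read -r ip; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

count_by_ip "$SAMPLE_LOG" 2
block_commands "$SAMPLE_LOG" 2 4
```

To run it against a real log, replace the constructed SAMPLE_LOG with `$(cat /path/to/access_log)` and pick a threshold well above your normal per-client request rate.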