Code Snippets

Find top most common IPs through apache to prevent DoS | linux

So realistically this won't stop DoS (Denial of Service), since a single IP won't take you down unless it's aimed at a heavy script you left open or something and is running in parallel rather than in series. But it can allow you to block an annoying bot. At some time or another, you are highly likely to get some IP overhitting you. I just had to ban one now which was a form-filling scraper which was submitting to my DB because I couldn't be bothered to reCAPTCHA it.

I wrote a bot once which was stuck in a serial loop scraping a competitor's markup. (They used it as an opportunity to strategically sue my company (i.e. waste my time) to claim that my single IP bot was taking their site down, with a 2.5 second latency proxy trip, lol. But I digress...)

And it certainly won't stop DDoS - the number of IPs will be uncatchable with this method.

This assumes your log file is /var/log/httpd/access_log

Change if necessary.

This will give you the top 10 IPs who are hitting your server. So if you are getting DoS'd by the same IP you can identify it easily.

You can set it up on a bash cron to email you, or to automatically ban the IP either in apache/load balancer/varnish server/php application. You should have this kind of thing in place anyway in one form or another, it's super basic. Not doing it, in fact, is negligent, unless you have something like ModSecurity installed which will throttle them automatically (even behind ELB).

So, e.g. in the bash, just run the command every 15 mins or whatever, write it to a file > x.txt, then parse this in PHP on every hit, store it in APCu or memcached/redis etc, if the IP is a bad guy just give him a 'die();' or 301 him to a gay porn site or whatever. I would specify a time out of about an hour (you can even just 'unlink' the file on a rand() basis in index.php if you're in a rush, lol).

You should probably have a system for 'repeat offenders' who get perma bans and an email to the sysadmin to see whose IP it is. It is probably a bot that got stuck in a loop. Or one of those SEO bots that seem to be overanxious.

I don't think this will work behind ELBs unless you set up your LogFormat in httpd.conf correctly.

Why ELBs don't have IP blocking APIs yet is beyond me.

awk '{ print $1}' /var/log/httpd/access_log  | sort | uniq -c | sort -nr | head -n 10
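A threshold-based version of the one-liner for the cron job described above, as an added example that is not part of the original post. The function names, the optional allowlist file and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page).
# over_threshold LOGFILE LIMIT [ALLOWLIST]
# Prints "hits ip" for each client with more than LIMIT requests.
over_threshold() {
    log=$1
    limit=$2
    allow=${3:-/dev/null}   # optional file: one IP per line, never reported
    awk -v limit="$limit" '
        # Records from the first file argument are the allowlist.
        FILENAME == ARGV[1] { if ($1 != "") ok[$1] = 1; next }
        {
            ip = $1
            # An X-Forwarded-For based LogFormat can leave "-" here, or
            # "a.b.c.d," when proxies are chained: drop the comma.
            sub(/,$/, "", ip)
            # Count only fields that look like an IPv4 or IPv6 address.
            v4 = (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
            v6 = (ip ~ /^[0-9A-Fa-f:]+$/ && index(ip, ":") > 0)
            if (!(v4 || v6) || (ip in ok)) next
            hits[ip]++
        }
        END { for (ip in hits) if (hits[ip] > limit) print hits[ip], ip }
    ' "$allow" "$log" | sort -k1,1nr -k2,2
}

# Constructed sample log (documentation-range addresses, not real traffic).
write_sample_log() {
    {
        i=0
        while [ "$i" -lt 12 ]; do
            echo '203.0.113.7 - - [05/Feb/2018:10:00:00 +0000] "POST /form.php HTTP/1.1" 200 512'
            i=$((i + 1))
        done
        i=0
        while [ "$i" -lt 6 ]; do
            echo '198.51.100.20 - - [05/Feb/2018:10:00:01 +0000] "GET / HTTP/1.1" 200 1024'
            i=$((i + 1))
        done
        echo '192.0.2.1 - - [05/Feb/2018:10:00:02 +0000] "GET /a HTTP/1.1" 200 10'
        echo '- - - [05/Feb/2018:10:00:03 +0000] "GET /health HTTP/1.1" 200 2'
        echo '2001:db8::5, 10.0.0.4 - - [05/Feb/2018:10:00:04 +0000] "GET / HTTP/1.1" 200 1024'
    } > "$1"
}
```

When the first field comes from X-Forwarded-For, its leftmost entry is supplied by the client, so review the output before feeding it to an automatic ban.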

Published: Mon 5th February 2018