So, I hacked this together while undergoing a DDOS attack to pull naughty ips out of my logs. Anyone have any improvements or other suggestions to make it better?
Here's the general idea:
- pull ip's only out of log file
- sort them
- uniq and count them
- sort them again
And the string o'pipes:
cut --delim " " -f7 /var/log/apache_access | sort | uniq -c | sort -rn > sorted-ips.txt
Best Answer
I've always used this:
tail -1000 /var/log/apache_access | awk '{print $1}' | sort -nk1 | uniq -c | sort -nk1
With
tail
I'm able to set the limit of how far back I really want to go - good if you don't use log rotate (for whatever reason), second I'm making use ofawk
- since most logs are space delimited I've left my self with the ability to pull additional information out (possibly what URLs they were hitting, statuses, browsers, etc) by adding the appropriate$
variable. Lastly a flaw inuniq
it only works in touching pairs - IE:Will produce:
Not the desired output. So we sort the first column (in this case the ips, but we could sort other columns) then
uniq
them, finally sort the count ascending so I can see the highest offenders.