
DDOS Attack on WHM with CentOS 6

I have the following command to get the current IPs connected:

netstat -ntu | awk '{print $5}' | egrep -o -e '[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*' | sort | uniq -c  | awk '{if ($1 > 50) print $2" # "$1" times."}' | sort -n

When I run the above command I get the following results:

68.4.90.74 # 185 times.
77.42.241.230 # 258 times.
78.40.177.38 # 658 times.
79.171.81.237 # 798 times.
79.172.252.26 # 435 times.

Run this to get details of one of the above IPs:

netstat -noap | grep 68.4.90.74

will give you (a sample of):

tcp        0      0 xxx.xxx.xxx.xxx:80          68.4.90.74:56484            ESTABLISHED 10561/httpd         keepalive (6398.07/0/0)
tcp        0      0 xxx.xxx.xxx.xxx:53          68.4.90.74:56480            ESTABLISHED 10519/httpd         keepalive (6379.57/0/0)
tcp        0      0 xxx.xxx.xxx.xxx:53          68.4.90.74:56481            ESTABLISHED 9817/httpd          keepalive (6379.56/0/0)
tcp        0      0 xxx.xxx.xxx.xxx:53          68.4.90.74:56483            ESTABLISHED 9838/httpd          keepalive (6379.56/0/0)
tcp        0      0 xxx.xxx.xxx.xxx:80          68.4.90.74:56482            ESTABLISHED 10505/httpd         keepalive (6379.34/0/0)

My question is how to update the first command to get the IPs connected through any port other than port 80. The following command can get the IPs connected via a specific port:

netstat -ntu | awk '/\:80\ / {print $5}' | egrep -o -e '[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*' | sort | uniq -c  | awk '{if ($1 > 50) print $2" # "$1" times."}' | sort -n

This awk script does most of the work for you:

netstat -ntu | awk '/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/ && !($5 ~ /:80$/){split($5,a,":");++seen[a[1]]}END{for(i in seen)print i, "#", seen[i], "times."}'

The first pattern is similar to yours but I have used + rather than * to match one or more digits. The second pattern ensures that the 5th field does not end in :80. Only process lines that match the first pattern but not the second.

Split the 5th field into the array a and keep a count of all IP addresses in the array seen. At the end, loop through all elements in seen and print the output.
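As an added example (not part of the question or the answer above), the following shell function does the same per-IP counting over a netstat -ntu listing, but keys the port test on the local (server-side) address in field 4, which is where the :80 and :53 ports appear in the netstat -noap output quoted in the question, and then counts the remote IPs in field 5. It also strips the remote port from the last colon so that ::ffff:-mapped addresses on tcp6 lines are handled, and sorts the result by connection count rather than by IP. The sample_netstat function emits a constructed listing (the IPs are the ones from the question plus documentation ranges) so the script runs offline; the threshold argument and the function names are this example's own.

```bash
#!/bin/sh
# Added example: count remote IPs from "netstat -ntu" output, skipping
# connections whose LOCAL (server) port is 80, and report those over a threshold.
# Usage: netstat -ntu | count_non80 [threshold]   (threshold defaults to 50)

count_non80() {
  threshold="${1:-50}"
  awk -v thr="$threshold" '
    # only real socket lines: netstat prints two header lines first
    $1 ~ /^(tcp|udp)6?$/ {
      n = split($4, l, ":"); lport = l[n]        # local port = last ":"-separated piece
      if (lport == "80") next                    # drop HTTP connections
      rip = $5; sub(/:[0-9]+$/, "", rip)         # strip remote port from the foreign address
      sub(/^::ffff:/, "", rip)                   # normalise IPv4-mapped IPv6 form
      seen[rip]++
    }
    END {
      for (ip in seen) if (seen[ip] > thr) print ip " # " seen[ip] " times."
    }
  ' | sort -k3,3n                                # order by the count column
}

# Constructed sample listing in netstat -ntu layout (assumption: not real data).
sample_netstat() {
  printf '%s\n' \
    'Active Internet connections (w/o servers)' \
    'Proto Recv-Q Send-Q Local Address               Foreign Address             State' \
    'tcp        0      0 10.0.0.5:80                 68.4.90.74:56484            ESTABLISHED' \
    'tcp        0      0 10.0.0.5:53                 68.4.90.74:56480            ESTABLISHED' \
    'tcp        0      0 10.0.0.5:53                 68.4.90.74:56481            ESTABLISHED' \
    'tcp        0      0 10.0.0.5:53                 79.171.81.237:40001         ESTABLISHED' \
    'tcp        0      0 10.0.0.5:443                79.171.81.237:40002         ESTABLISHED' \
    'udp        0      0 10.0.0.5:53                 79.171.81.237:40003         ESTABLISHED' \
    'tcp6       0      0 ::ffff:10.0.0.5:22          ::ffff:203.0.113.9:5000     ESTABLISHED' \
    'tcp        0      0 10.0.0.5:80                 198.51.100.7:6000           ESTABLISHED'
}

# Demo run with a low threshold so the constructed sample produces output:
# 68.4.90.74 # 2 times.
# 79.171.81.237 # 3 times.
sample_netstat | count_non80 1
```

On a live server replace sample_netstat with netstat -ntu and leave the threshold at its default, or pass a different port in the awk comparison if a service other than HTTP is the one to exclude.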

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question, please contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM