Issue: A CentOS-based server is at times under increased CPU load. We need to see which external IP addresses are connecting to the web server on port 80 and port 443.
Solution: SSH to the server and use netstat:
For port 80 http connections:
netstat -tn 2>/dev/null | awk '$4 ~ /:80$/ {print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head
For port 443 https connections:
netstat -tn 2>/dev/null | awk '$4 ~ /:443$/ {print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head
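The same per-IP count as a reusable shell function, added here as an example (not part of the original note). It matches only the local port column, so 8080 and outbound connections to a remote port 80 are not counted, and it keeps IPv6 and IPv4-mapped clients that `cut -d: -f1` would blank out. The names `top_clients` and `sample_netstat` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: count remote IPs per local web port from `netstat -tn` output.

# top_clients PORT: reads `netstat -tn` output on stdin and prints "COUNT IP"
# for connections whose LOCAL port is PORT, busiest first (top 10).
top_clients() {
    awk -v port="$1" '
        $1 ~ /^tcp/ {
            # Column 4 = local address, column 5 = foreign address.
            # Strip up to the LAST colon so IPv6 addresses are handled.
            lport = $4; sub(/.*:/, "", lport)
            if (lport != port) next          # skips :8080 and outbound to remote :80
            ip = $5; sub(/:[0-9]+$/, "", ip) # drop the remote port
            sub(/^::ffff:/, "", ip)          # unwrap IPv4-mapped IPv6
            count[ip]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -k1,1nr -k2,2 | head
}

# Constructed sample input (documentation address ranges), not real traffic.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.5:51000       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:51001       TIME_WAIT
tcp        0      0 192.0.2.10:80           198.51.100.7:40022      ESTABLISHED
tcp        0      0 192.0.2.10:8080         198.51.100.9:40100      ESTABLISHED
tcp        0      0 192.0.2.10:39000        198.51.100.20:80        ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.5:51002 ESTABLISHED
tcp6       0      0 2001:db8::10:443        2001:db8::99:50500      ESTABLISHED
tcp        0      0 192.0.2.10:443          198.51.100.7:40023      ESTABLISHED
EOF
}

# Demo on the constructed sample; on the server use:
#   netstat -tn 2>/dev/null | top_clients 80
sample_netstat | top_clients 80
```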
You can block an IP by adding it to CSF, or first investigate it via a site such as http://dawhois.com/ and then, if required, add the IP address or CIDR entry to CSF.
For immediate blocking (null route) of an IP address, the following command would also work:
route add 122.163.226.243 gw xxx.xxx.xxx.xxx lo
or even:
Need to remove the entry?
route delete xxx.xxx.xxx.xxx
To see all inbound and outbound TCP connections on the server, with numeric addresses:
netstat -tn 2>/dev/null