See IP Connections to Web Server and How Many

Issue: A CentOS-based server at times undergoes increased CPU load. We need to see which external IP addresses are connecting to the web server on port 80 and port 443.

Solution: SSH to server and use netstat:

For port 80 http connections:

netstat -tn 2>/dev/null | awk '$4 ~ /:80$/ {print $5}' | sed 's/:[0-9]*$//' | sort | uniq -c | sort -nr | head

For port 443 https connections:

netstat -tn 2>/dev/null | awk '$4 ~ /:443$/ {print $5}' | sed 's/:[0-9]*$//' | sort | uniq -c | sort -nr | head
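
The per-IP counts above, as an added example that is not part of the original post: a function that matches the local port exactly (so port 8080 and outbound connections to a remote port 80 are not counted), unwraps IPv4-mapped IPv6 addresses, and can optionally filter by TCP state. The function names and the sample netstat lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Reads `netstat -tn` output on
# stdin and prints "count ip" for clients of one local port, busiest first.
# count_remote_ips and sample_netstat are names made up for this example.
count_remote_ips() {
    port="$1"; state="${2:-}"          # optional second arg: TCP state filter
    awk -v port="$port" -v state="$state" '
        $1 !~ /^tcp/ { next }                      # skip the two header lines
        state != "" && $6 != state { next }        # e.g. only ESTABLISHED
        {
            n = split($4, a, ":")                  # $4 = local address:port
            if (a[n] != port) next                 # exact port, so 80 != 8080
            remote = $5                            # $5 = foreign address:port
            sub(/:[0-9]+$/, "", remote)            # drop the client port
            sub(/^::ffff:/, "", remote)            # unwrap IPv4-mapped IPv6
            count[remote]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample input using documentation address ranges.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51240      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51241      TIME_WAIT
tcp        0      0 203.0.113.10:8080       192.0.2.44:40000        ESTABLISHED
tcp        0      0 203.0.113.10:44321      192.0.2.99:80           ESTABLISHED
tcp6       0      0 ::ffff:203.0.113.10:80  ::ffff:192.0.2.15:60100 ESTABLISHED
tcp        0      0 203.0.113.10:443        198.51.100.7:51300      ESTABLISHED
EOF
}

# Live use: netstat -tn 2>/dev/null | count_remote_ips 443 | head
sample_netstat | count_remote_ips 80
```

Passing a state as the second argument, for example `count_remote_ips 80 ESTABLISHED`, separates clients holding open connections from those that only appear in TIME_WAIT.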

You can block an IP by adding an entry in CSF. Alternatively, first investigate the address via a site such as http://dawhois.com/ and then, if required, add the IP address or CIDR entry to CSF.

For immediate blocking (null route) of an IP address, the following command would also work:

route add 122.163.226.243 gw xxx.xxx.xxx.xxx lo

or even:

Need to remove the entry?

route delete xxx.xxx.xxx.xxx

To see all inbound and outbound, numeric, TCP connections to the server:

netstat -tn 2>/dev/null
