Reputation: 41
My goal is to get an accurate list of IPs which are attacking the server, not innocent IPs. I tried to use
netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}'
but I'm far from being sure that it displays the list of attackers, and not innocent IPs in the same list.
Most of the attacks are in layer 7, so HTTP on port 80.
The purpose is to grab the list, copy and paste it into a text file, and run a batch script that prepends ipset add blacklist
to every line. Then I can block every attacking IP in a very short time, using ipset and iptables.
Upvotes: 4
Views: 281
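The pipeline in the question lists every source with a half-open connection, one innocent client included; the added script below (mine, not the poster's) parses the same netstat -n output, counts connections per foreign IP in a given state, only reports sources at or above a threshold, and renders the ipset add blacklist lines. The sample output, the threshold of 3 and the set name are constructed assumptions; it also keeps IPv6 and ::ffff:-mapped addresses intact, which awk -F: does not.

```python
import subprocess
from collections import Counter

# Constructed sample of `netstat -n` output (no -p, so no root needed):
# two sources hold many half-open connections, one client is ordinary.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:40001       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:40002       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:40003       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.9:51000      SYN_RECV
tcp        0      0 10.0.0.5:80             192.0.2.44:33100        ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:203.0.113.8:5001 SYN_RECV
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:203.0.113.8:5002 SYN_RECV
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:203.0.113.8:5003 SYN_RECV
"""

def peer_ip(addr):
    """Strip the port; rsplit keeps IPv6 and ::ffff:-mapped IPv4 whole."""
    host = addr.rsplit(":", 1)[0]
    return host[7:] if host.startswith("::ffff:") else host

def count_peers(netstat_output, state="SYN_RECV", local_port=None):
    """Count foreign IPs per connection state, optionally for one local port."""
    counts = Counter()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # header lines and non-TCP rows
        local, foreign, conn_state = fields[3], fields[4], fields[5]
        if conn_state != state:
            continue
        if local_port is not None and local.rsplit(":", 1)[1] != str(local_port):
            continue
        counts[peer_ip(foreign)] += 1
    return counts

def suspects(netstat_output, threshold=3, **kw):
    """Sources at or above the threshold: one half-open connection is normal,
    many from a single IP at once is not. Threshold is an assumed tuning knob."""
    counts = count_peers(netstat_output, **kw)
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def ipset_commands(ips, setname="blacklist"):
    """Render the `ipset add` lines the poster wants to feed to a batch script."""
    return [f"ipset add {setname} {ip}" for ip in ips]

if __name__ == "__main__":
    out = subprocess.run(["netstat", "-n"], capture_output=True, text=True).stdout
    print("\n".join(ipset_commands(suspects(out, local_port=80))))
```

SYN_RECV only catches SYN floods; an HTTP flood completes the handshake, so for the layer 7 case in the question run the same count with state="ESTABLISHED" and local_port=80 and compare against the normal per-client connection count before blocking.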
Reputation: 4304
What you are essentially describing is making your own Intrusion Detection System, a program that will detect attacks (in this case, a DDOS) and respond appropriately. Generally, you'd want to use a pre-existing tool (if there is one), especially if you are inexperienced with Linux networking/systems administration.
I would recommend that you try using Snort, a free, open source, highly customizable, lightweight intrusion detection system. I'd also recommend looking into the SnortSam plugin, which adds a few friendlier ways of doing what you desire.
Upvotes: 1