Check active connections to web server – DDOS solution

Here are a few commands to check the active connections to Apache or any other web server, so you can block IPs that have too many connections:

Log in over SSH and run the following commands as root:

1. To see which IPs are connecting to the server and how many connections exist from each IP:

netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

2. To see how many connections each IP on the server is receiving:

netstat -plan |grep :80 | awk '{print $4}' | cut -d: -f1 | sort | uniq -c | sort -n

3. Get the total number of current active connections to Apache:

netstat -apn | grep :80 | wc -l

Get the Apache status from the command line to see which domain is receiving the most hits (cPanel/WHM server):

lynx http://localhost/whm-server-status

Once you have the IPs with the most connections from the 1st command, you need to add these IPs to a deny list. In this post I will not talk about ConfigServer Firewall or any other firewall, as in my experience a firewall does not help any more against high-packet DDoS attacks. So we will go with the .htaccess solution.

Just add the code below to the .htaccess file in the main directory of the web site; for a cPanel account this is public_html/.htaccess. If it does not exist, just create it.

deny from (IP that is having too many connections)

e.g.: In the example below, 127.0.0.1 is assumed to be the IP with many connections; please replace it accordingly.

deny from 127.0.0.1

Add the same line for each IP, one IP per line.
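The counting and blocking steps above combined into one script, as an added example that is not part of the original post: it counts connections to local port 80 per remote IP and prints a deny from line for each IP above a threshold. The function names, the threshold, the loopback exclusion and the sample netstat output are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Sample data is constructed.

# Read `netstat -an` output on stdin; print "deny from <ip>" for each remote
# IPv4 address holding more than $1 connections to local port 80.
deny_lines() {
    awk -v max="$1" '
        # $4 = local address, $5 = foreign address (same columns as above).
        # Anchoring on ":80$" avoids counting :8080, which "grep :80" would.
        $1 ~ /^tcp/ && $4 ~ /:80$/ {
            ip = $5
            sub(/:[0-9]+$/, "", ip)      # drop the remote port
            sub(/^::ffff:/, "", ip)      # unwrap IPv4-mapped IPv6 addresses
            if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next  # LISTEN rows, pure IPv6
            if (ip ~ /^127\./) next      # assumption: never block loopback
            count[ip]++
        }
        END { for (ip in count) if (count[ip] > max) print "deny from " ip }
    ' | sort
}

# Constructed sample (documentation address ranges), shaped like netstat -an.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           203.0.113.5:51000       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:51001       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:51002       SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40000      ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:198.51.100.7:40005 ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:198.51.100.7:40006 ESTABLISHED
tcp        0      0 192.0.2.10:8080         198.51.100.9:40001      ESTABLISHED
tcp        0      0 192.0.2.10:8080         198.51.100.9:40002      ESTABLISHED
tcp        0      0 192.0.2.10:8080         198.51.100.9:40003      ESTABLISHED
tcp        0      0 127.0.0.1:80            127.0.0.1:39000         ESTABLISHED
tcp        0      0 127.0.0.1:80            127.0.0.1:39001         ESTABLISHED
tcp        0      0 127.0.0.1:80            127.0.0.1:39002         ESTABLISHED
EOF
}

# Threshold of 2 is an assumed value; on a live server run:
#   netstat -an | deny_lines 100
sample_netstat | deny_lines 2
```

Review the list before pasting it into .htaccess, since a proxy or NAT gateway can legitimately hold many connections. On Apache 2.4, deny from is honoured only when mod_access_compat is loaded.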

Save the file and you’re ready to mitigate DDoS attacks. This will help with 50% of the mitigation, but not 100%.

Comments are welcome 🙂
