My server is having unusually high CPU usage, and I can see Apache is using way too much memory. I have a feeling I'm being DoS'd by a single IP - maybe you can help me find the attacker?
I've used the following line to find the 10 most "active" IPs:
awk '{print $1}' access.log | sort | uniq -c | sort -n | tail
The top 5 IPs have about 200 times as many requests to the server as the "average" user. However, I can't find out whether these 5 are just very frequent visitors or whether they are attacking the servers.
Is there a way to limit the above search to a time interval, e.g. the last two hours or between 10 and 12 today?
Cheers!
UPDATED 23 OCT 2011 - The commands I needed:
Get entries within last X hours [Here two hours]
# Note: awk compares $4 (e.g. "[23/Oct/2011:13:20:00") as a plain string, so the
# comparison is only reliable while the log and the window stay within one calendar month.
awk -v Date="$(date -d 'now-2 hours' '+[%d/%b/%Y:%H:%M:%S')" '$4 > Date { print Date FS $4 }' access.log
Get most active IPs within the last X hours [Here two hours]
awk -v Date="$(date -d 'now-2 hours' '+[%d/%b/%Y:%H:%M:%S')" '$4 > Date { print $1 }' access.log | sort | uniq -c | sort -n | tail
Get entries within relative timespan
awk -v Date="$(date -d 'now-4 hours' '+[%d/%b/%Y:%H:%M:%S')" -v Date2="$(date -d 'now-2 hours' '+[%d/%b/%Y:%H:%M:%S')" '$4 > Date && $4 < Date2 { print Date FS Date2 FS $4 }' access.log
Get entries within absolute timespan
awk -v Date="$(date -d '13:20' '+[%d/%b/%Y:%H:%M:%S')" -v Date2="$(date -d '13:30' '+[%d/%b/%Y:%H:%M:%S')" '$4 > Date && $4 < Date2 { print $0 }' access.log
Get most active IPs within absolute timespan
awk -v Date="$(date -d '13:20' '+[%d/%b/%Y:%H:%M:%S')" -v Date2="$(date -d '13:30' '+[%d/%b/%Y:%H:%M:%S')" '$4 > Date && $4 < Date2 { print $1 }' access.log | sort | uniq -c | sort -n | tail
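The same analysis in a form that does not depend on string ordering of the timestamp, added here as an example and not part of the original post or answers: it parses the Apache timestamp field as a real date (so a window that crosses a day or month boundary is counted correctly), counts requests per client IP inside a window, and also measures each IP's peak burst rate, which is what separates a steady heavy visitor from a flood when both have a similar daily total. The log lines are constructed sample data and the function names are this example's own.

```python
"""Top talkers and peak burst rate in an Apache access log, by time window.

Added example (not the poster's code). Timestamps are parsed with strptime
instead of compared as strings, so windows across midnight or a month
boundary behave. SAMPLE_LOG below is constructed data.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache common/combined log format: client IP is field 1, the timestamp is in
# square brackets, e.g. [23/Oct/2011:13:25:01 +0200].
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, datetime) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    except ValueError:
        return None
    return m.group("ip"), ts


def top_ips(lines, start, end, n=10):
    """Requests per client IP with start <= timestamp < end, busiest first."""
    counts = Counter()
    for parsed in map(parse_line, lines):
        if parsed is None:
            continue  # malformed line: skip rather than abort the whole run
        ip, ts = parsed
        if start <= ts < end:
            counts[ip] += 1
    return counts.most_common(n)


def top_ips_last(lines, hours, now, n=10):
    """Convenience wrapper for 'the last N hours' relative to `now`."""
    return top_ips(lines, now - timedelta(hours=hours), now, n)


def peak_burst(lines, ip, window_seconds=60):
    """Largest number of requests `ip` made inside any window_seconds span.

    Sliding window over the sorted request times: a frequent visitor spreads
    requests out, a flood packs them together."""
    times = sorted(ts for ip_, ts in filter(None, map(parse_line, lines)) if ip_ == ip)
    window = timedelta(seconds=window_seconds)
    best = left = 0
    for right, t in enumerate(times):
        while t - times[left] >= window:
            left += 1
        best = max(best, right - left + 1)
    return best


# Constructed sample log: 200.200.200.1 hammers the server across midnight on a
# month boundary, exactly where a string comparison of "[31/Oct/..." against
# "[01/Nov/..." gives the wrong answer.
SAMPLE_LOG = """\
10.0.0.5 - - [31/Oct/2011:23:58:10 +0000] "GET / HTTP/1.1" 200 512
200.200.200.1 - - [31/Oct/2011:23:59:01 +0000] "GET /index.php HTTP/1.1" 200 5120
200.200.200.1 - - [31/Oct/2011:23:59:02 +0000] "GET /index.php HTTP/1.1" 200 5120
200.200.200.1 - - [01/Nov/2011:00:00:03 +0000] "GET /index.php HTTP/1.1" 200 5120
200.200.200.1 - - [01/Nov/2011:00:00:04 +0000] "GET /index.php HTTP/1.1" 200 5120
10.0.0.7 - - [01/Nov/2011:00:01:00 +0000] "GET /about HTTP/1.1" 200 1024
10.0.0.5 - - [01/Nov/2011:03:00:00 +0000] "GET / HTTP/1.1" 200 512
this line is garbage and must be skipped
"""

# An absolute window straddling the month boundary (constructed).
WINDOW_START = datetime(2011, 10, 31, 23, 58, 30, tzinfo=timezone.utc)
WINDOW_END = datetime(2011, 11, 1, 0, 2, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, count in top_ips(lines, WINDOW_START, WINDOW_END):
        print(f"{count:6d} {ip}  peak/min={peak_burst(lines, ip, 60)}")
```

On a real server, feed it the log with `top_ips(open("access.log"), start, end)`; the file object is iterated line by line, so a multi-gigabyte log is not read into memory at once.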