Attack IP Discovery using ssh and nginx logs
**2.1 Discover Attacking IPs on Nginx**
Next, check the access logs on your server with the following commands. The first two count the IPs hitting xmlrpc.php and wp-login.php, and the third lists the IPs accessing your server as a whole.
**Check for hits on xmlrpc.php:**
```
cat /var/log/nginx/*access.log | grep xmlrpc | awk '{print $1}' | sort | uniq -c
```
**Check for hits on wp-login.php:**
```
cat /var/log/nginx/*access.log | grep wp-login | awk '{print $1}' | sort | uniq -c
```
**Check overall access for the day:**
Here you'll need to replace the date with the actual current date (sudo belongs on the cat that reads the log files, not on awk):
```
sudo cat /var/log/nginx/*access.log | grep '11/Dec/2021' | awk '{ print $1}' | sort | uniq -c | sort -nr
```
Here you may see some IPs with hundreds or thousands of hits on your website. If that's the case, run this to display the top 50:
```
sudo cat /var/log/nginx/*access.log | grep '11/Dec/2021' | awk '{ print $1}' | sort | uniq -c | sort -nr | head -n 50
```
**2.2 Discover Attacking IPs on OpenLiteSpeed**
**Check for hits on xmlrpc.php:**
```
cat /var/log/ols/*access.log | grep xmlrpc | awk '{print $1}' | sort | uniq -c
```
**Check for hits on wp-login.php:**
```
cat /var/log/ols/*access.log | grep wp-login | awk '{print $1}' | sort | uniq -c
```
**Check overall access for the day:**
Here you'll need to replace the date with the actual current date (sudo belongs on the cat that reads the log files, not on awk):
```
sudo cat /var/log/ols/*access.log | grep '11/Dec/2021' | awk '{ print $1}' | sort | uniq -c | sort -nr
```
Here you may see some IPs with hundreds or thousands of hits on your website. If that's the case, run this to display the top 50:
```
sudo cat /var/log/ols/*access.log | grep '11/Dec/2021' | awk '{ print $1}' | sort | uniq -c | sort -nr | head -n 50
```
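The same pipeline as a reusable function, added here as an example that is not part of the original page. It runs over a constructed sample log in combined format, anchors the date match to the timestamp field so a date string inside a URL cannot match, and strips the stray leading quote that the OpenLiteSpeed output above shows in front of each IP.

```shell
#!/bin/sh
# Constructed sample access log (not from the original page). Combined log format as
# written by nginx/OpenLiteSpeed; the last line is from the previous day on purpose.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.10 - - [11/Dec/2021:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.10 - - [11/Dec/2021:10:01:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.10 - - [11/Dec/2021:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Dec/2021:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Dec/2021:10:05:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.55 - - [11/Dec/2021:10:07:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Dec/2021:23:59:59 +0000] "GET /xmlrpc.php HTTP/1.1" 405 0 "-" "curl/7.68"
EOF

# top_ips LOGFILE DATE FILTER [N]
# Prints "count ip" lines, most frequent first, for requests dated DATE (e.g. 11/Dec/2021)
# whose log line contains FILTER (e.g. xmlrpc, wp-login; an empty FILTER matches every
# line). N limits the output, default 50, like the page's head -n 50.
top_ips() {
  log=$1; day=$2; filter=$3; n=${4:-50}
  # "[DATE:" only occurs in the timestamp field, so a date embedded in a URL is ignored.
  grep -F -- "[$day:" "$log" | grep -F -- "$filter" \
    | awk '{ ip = $1; sub(/^"/, "", ip); print ip }' \
    | sort | uniq -c | sort -rn | head -n "$n" \
    | awk '{ print $1, $2 }'
}

# Example run: top IPs hitting xmlrpc.php on 11/Dec/2021 in the sample log.
top_ips "$SAMPLE_LOG" 11/Dec/2021 xmlrpc
```

Point the function at the real log directory with `sudo sh -c` or by reading a single file you have permission for, since the glob in the page's commands must be expanded by a user who can read the files.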
**Ban Offending IP Addresses**
The above commands may display a list like this:
```
root@ols-test-server:~# sudo awk '{ print $1}' /var/log/ols/*access.log | sort | uniq -c | sort -nr | head -n 10
1333 "94.137.186.125
399 "1.46.145.212
349 "107.150.94.78
336 "54.93.217.201
333 "122.155.174.174
195 "185.70.52.218
139 "185.225.234.174
92 "185.225.234.59
88 "185.225.234.199
65 "1.46.4.227
```
You can block these IPs by running the following command on your server (note that the leading `"` in the list above is part of the log line, not of the address, and must be left out):
```
ufw deny from {IP.Address}
```
For example:
```
ufw deny from 199.199.199.19
```