Written for Plesk, but that's fine.
Determine the source IP addresses and numbers of the connections:
ss -tan state established | grep ":80\|:443" | awk '{print $4}'| cut -d':' -f1 | sort -n | uniq -c | sort -nr
Find the domains which are currently under attack:
for log in /var/www/vhosts/system/*/logs/*access*log; do echo -n "$log "; tail -n10000 "$log" | grep -c 203.0.113.2; done | sort -n -k2
Check the number of connections in SYN_RECV state (possible syn-flood):
ss -tan state syn-recv | wc -l
If there are several IP addresses in Plesk, determine the target IP address under attack:
netstat -lpan | grep SYN_RECV | awk '{print $4}' | cut -d: -f1 | sort | uniq -c | sort -nk 1
It is possible that there are not many established connections to the web server, yet nginx has already served a large number of requests and passed them on to Apache, so Apache is the component under attack. To track these requests, do the following:
Navigate to /var/www/vhosts/system:
cd /var/www/vhosts/system
Generate a file named requests containing the number of requests made to each domain in the last hour, using the command below.
Note: As an example, 24/Jan/2022:20 will be used. Here ":20" is 8 p.m.
for i in *;do echo -n "$i "; grep '24/Jan/2022:20' $i/logs/access_ssl_log | awk '{print $1}' | wc -l;done > ~/requests
Check the generated file:
cat ~/requests | sort -k 2 -r -n | head
example.com 24549
example.net 18545
test.com 3
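As an added example (not part of the original note), the function below generalizes the per-hour count above: instead of one count per domain, it reads combined-format access log lines on stdin, keeps only those within a given hour, and lists the client IPs whose request count exceeds a threshold, highest first. The log lines, IPs and threshold are constructed sample data.

```shell
#!/bin/sh
# Added example: per-client-IP request counts for one hour of an access log.
# SAMPLE_LOG is constructed data in the combined format nginx/Apache write;
# 203.0.113.2 stands in for a noisy client, the others for normal traffic.
SAMPLE_LOG='203.0.113.2 - - [24/Jan/2022:20:01:10 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.68"
203.0.113.2 - - [24/Jan/2022:20:01:11 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.68"
203.0.113.2 - - [24/Jan/2022:20:01:12 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.68"
198.51.100.7 - - [24/Jan/2022:20:05:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.9 - - [24/Jan/2022:19:59:59 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

# top_talkers HOUR THRESHOLD < access_log
#   HOUR is the timestamp prefix as it appears in the log, e.g. 24/Jan/2022:20
#   (8 p.m. on 24 Jan). Prints "count ip" for every client IP with more than
#   THRESHOLD requests in that hour, highest count first.
top_talkers() {
    hour="$1"
    threshold="$2"
    # Anchor on the opening bracket so the hour only matches the timestamp
    # field, not a request path that happens to contain the same digits;
    # -F treats the pattern as a literal string rather than a regex.
    grep -F "[$hour" | awk '{print $1}' | sort | uniq -c | sort -rn |
        awk -v t="$threshold" '$1 > t {print $1, $2}'
}

# Stand-alone run: IPs with more than 2 requests between 20:00 and 20:59.
printf '%s\n' "$SAMPLE_LOG" | top_talkers '24/Jan/2022:20' 2
```

On a Plesk host the same function can be fed a real log, e.g. `top_talkers '24/Jan/2022:20' 100 < /var/www/vhosts/system/example.com/logs/access_ssl_log`.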