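# ==== TRAFFIC ANALYSIS ====
#
# Web-traffic triage one-liners, wrapped as shell functions so this file can be
# sourced (`. ./traffic_analysis.sh`) without executing anything. No `set -e`
# here on purpose: it would leak into the sourcing shell.
#
# Log helpers read `*access?log` in the current directory unless log files are
# passed explicitly, and assume Apache common/combined log format, i.e. per line
#   $1 client IP, $4 "[dd/Mon/yyyy:HH:MM:SS", $7 request path, $9 status, $10 bytes.
# Connection helpers use netstat, which newer distros no longer ship by default;
# `ss -antu` / `ss -antp` fill the same role.

# Top 10 IPs of the past hour with each one's top 5 requests.
#   ta_top_ips_requests [HOURS=1] [IPS=10] [REQUESTS=5]
# SECURITY: this fetches a script from the `master` branch over the network and
# pipes it straight into python, so whatever is on that branch at that moment
# runs as you. Review it and keep a local copy (or pin a commit) before using
# it on a production host.
ta_top_ips_requests() {
  curl -s https://raw.githubusercontent.com/tahz7/traffic_analyser/master/traffic_analyser.py \
    | python - --hour "${1:-1}" --ip "${2:-10}" "${3:-5}"
}

# Apache full status via the init script.
ta_apache_status() {
  /etc/init.d/httpd fullstatus
}

# Probe mod_status. `-I` sends a HEAD request, so only the response headers are
# shown (enough to confirm the handler is reachable); drop `-I` to see the
# machine-readable `?auto` body.
ta_server_status() {
  curl -IL localhost/server-status?auto
}

# This host's outside (NAT'd) IP as seen by a third party.
# NOTE: plain-HTTP lookup of an unauthenticated third-party service; treat the
# answer as informational only.
ta_outside_ip() {
  curl -s checkip.dyndns.org | sed -e 's/.*Current IP Address: //' -e 's/<.*$//'
}

# Watch which log files in the current directory are changing (size/mtime
# highlighted every second).
ta_watch_logs() {
  watch -n 1 -d ls -l ./*?log
}

# Live connection watcher.
# SECURITY: executes a remote script directly (same caveat as
# ta_top_ips_requests); vendor the script locally before relying on it.
ta_watch_connections() {
  bash <(curl -s4 https://hoshisato.com/tools/code/watchconnections.sh)
}

# Ten most requested paths (query string stripped), least to most.
#   ta_most_called [LOGS...]
ta_most_called() {
  local -a logs=("$@")
  [ "${#logs[@]}" -gt 0 ] || logs=(*access?log)
  awk '{print $7}' "${logs[@]}" | cut -d? -f1 | sort | uniq -c | sort -nk1 | tail -n10
}

# Remote endpoints with the most connections involving port 80.
# `grep :80` also matches :800, :8080 and a *local* port of 80 on either side;
# tighten the pattern (e.g. `grep -E ':80 '`) if that skews the numbers.
ta_top_connected_ips() {
  netstat -antu | grep :80 | grep -v LISTEN | awk '{print $5}' | sort | uniq -c | sort -rn
}

# Remote IPs with established connections to httpd processes, counted.
# Fix vs the original: it sliced the foreign address with `cut -b45-60`, which
# depends on netstat's column alignment; the field is now taken by position.
ta_top_connected_ips_httpd() {
  netstat -anpt | grep httpd | grep ESTABLISHED | awk '{print $5}' | cut -d':' -f1 | sort -rn | uniq -c
}

# Number of non-loopback connections involving port 80 (see ta_top_connected_ips
# for the `:80` matching caveat).
ta_total_web_connections() {
  netstat -ntu | grep :80 | grep -v LISTEN | awk '{print $5}' | cut -d: -f1 | grep -v 127.0.0.1 | wc -l
}

# Number of distinct non-loopback IPs with connections involving port 80.
ta_unique_ip_connections() {
  netstat -ntu | grep :80 | grep -v LISTEN | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | grep -v 127.0.0.1 | wc -l
}

# Hits per hour on one day.
#   ta_hits_per_hour [DAY=today as dd/Mon] [LOGS...]
# Fix vs the original `grep "1/Nov"`: that pattern also matched 11, 21 and 31
# Nov, so the match is now anchored on the opening bracket of the timestamp.
ta_hits_per_hour() {
  local day=${1:-$(date +%d/%b)}
  local -a logs=("${@:2}")
  [ "${#logs[@]}" -gt 0 ] || logs=(*access?log)
  grep -hF -- "[$day" "${logs[@]}" | cut -d'[' -f2 | cut -d']' -f1 \
    | awk -F: '{print $2":00"}' | sort -n | uniq -c
}

# Minutes within one hour that received more than MIN_HITS requests.
#   ta_hits_per_minute [HOUR=dd/Mon/yyyy:HH of the current hour] [MIN_HITS=10] [LOGS...]
# The hour prefix is matched literally, so give it exactly as it appears in the
# log, e.g. 23/Jan/2013:06.
ta_hits_per_minute() {
  local hour=${1:-$(date +%d/%b/%Y:%H)}
  local min_hits=${2:-10}
  local -a logs=("${@:3}")
  [ "${#logs[@]}" -gt 0 ] || logs=(*access?log)
  grep -hF -- "[$hour" "${logs[@]}" | cut -d'[' -f2 | cut -d']' -f1 \
    | awk -F: '{print $2":"$3}' | sort -nk1 -nk2 | uniq -c \
    | awk -v min="$min_hits" '$1 > min'
}

# Client IPs with the most requests overall (top 10).
#   ta_hit_counts [LOGS...]
ta_hit_counts() {
  local -a logs=("$@")
  [ "${#logs[@]}" -gt 0 ] || logs=(*access?log)
  awk '{print $1}' "${logs[@]}" | sort | uniq -c | sort -nr | head
}

# Capture DNS traffic on every interface.
ta_tcpdump_dns() {
  tcpdump -i any port 53
}

# Client IPs hitting wp-login.php, most active first.
#   ta_wp_login_ips [LOGS...]
# NOTE: this counts every hit on wp-login.php — page loads and successful
# logins included — not only failures; restrict to `POST /wp-login.php` to get
# closer to actual login attempts. `grep -h` keeps file names out of the
# output when several logs are given.
ta_wp_login_ips() {
  local -a logs=("$@")
  [ "${#logs[@]}" -gt 0 ] || logs=(*access?log)
  grep -h wp-login.php "${logs[@]}" | awk '{print $1}' | sort | uniq -c | sort -rn
}

# Scan every TCP and UDP port. The default target 0.0.0.0 means this host; a
# full UDP sweep (-sU -p-) can take hours. Only scan hosts you are authorised
# to scan. (`-Pn` is the current spelling of the original `-PN`.)
#   ta_scan_all_ports [TARGET=0.0.0.0]
ta_scan_all_ports() {
  sudo nmap -n -Pn -sT -sU -p- "${1:-0.0.0.0}"
}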
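# .... Unsorted

# Parse live DNS (port 53) traffic with a downloaded PHP helper.
# SECURITY: the original downloaded an unverified script into the
# world-writable /tmp and ran it in the same breath; vendor the script locally
# and point `php -f` at that copy instead. Each step now stops on failure
# rather than running tcpdump with no parser present.
ta_dns_capture_parse() {
  cd /tmp || return
  wget https://hoshisato.com/tools/code/parse-tcpdump-udp-port-53.php || return
  tcpdump -vvv -s 0 -l -n port 53 | php -f parse-tcpdump-udp-port-53.php
}

# Start varnishncsa as a daemon, appending NCSA-style lines to the varnish
# access log and writing its pid file.
ta_varnishncsa_start() {
  varnishncsa -a -w /var/log/varnish/access.log -D -P /var/run/varnishncsa.pid
}

# Show requests that got a 5xx response.
#   ta_http_5xx [LOGS...]   (default: /var/log/httpd/*access?log)
# Fix vs the original `awk '$10 ~ /50[0-9]/'`: in common/combined format $10 is
# the byte count and $9 the status, and the unanchored regex also matched e.g.
# a 1502-byte 200 response. The status field is now matched exactly, and the
# result is paged through `less` only when stdout is a terminal.
ta_http_5xx() {
  local -a logs=("$@")
  [ "${#logs[@]}" -gt 0 ] || logs=(/var/log/httpd/*access?log)
  if [ -t 1 ]; then
    awk '$9 ~ /^50[0-9]$/' "${logs[@]}" | less
  else
    awk '$9 ~ /^50[0-9]$/' "${logs[@]}"
  fi
}

# Hits per minute on one day, printed as "COUNT HH MM:00".
#   ta_hits_per_minute_on_day [DAY=today as dd/Mon] [LOGS...]
# Fix vs the original `grep "1/Jan"`: that also matched 11, 21 and 31 Jan, so
# the match is now anchored on the opening bracket of the timestamp.
ta_hits_per_minute_on_day() {
  local day=${1:-$(date +%d/%b)}
  local -a logs=("${@:2}")
  [ "${#logs[@]}" -gt 0 ] || logs=(*access?log)
  grep -hF -- "[$day" "${logs[@]}" | cut -d'[' -f2 | cut -d']' -f1 \
    | awk -F: '{print $2,$3":00"}' | sort -n | uniq -c
}

# Bytes served per rotated, gzipped access log in the current directory:
# prints each file name followed by the sum of its $10 (bytes) column.
# Globs directly instead of parsing `ls`, so odd file names cannot break it.
ta_bytes_per_gz_log() {
  local f
  for f in access_log*gz; do
    [ -e "$f" ] || continue
    printf '%s\n' "$f"
    zcat "$f" | awk '{s+=$10} END {print s}'
  done
}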