
Author Topic: Script to check the number of connections the top connecting IP  (Read 2628 times)


sajugovind

  • Guest
Handy script that shows how many connections the top connecting IPs have to the server. To use it, make it executable and then run, for example, ./ipcheck 80 to see the highest connecting IPs on port 80 and the number of connections each one holds.

#!/usr/bin/perl -w
#usage = ./ipcheck 80  (to check port 80)

use strict;
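# Default threshold: an address is listed only when it has at least this
# many connections. Overridden by -min=N on the command line.
my $minimum    = 10;

my $check_port;    # port to report on (required)
my $options;       # netstat option cluster, stored with its leading '-'
my $newmin;        # user-supplied replacement for $minimum

# Parse the command line. Every argument is tested against three forms:
#   port:     80      -p80    --port=80
#   options:  -na     -o=na   --option=-pane
#   minimum:  -m20    -min=20 --minimum=20
# The option cluster is later handed to netstat, so it is restricted to
# letters and digits. The previous catch-all pattern (\D+) accepted any
# non-digit text, including shell metacharacters such as ';', '|' and '$',
# which then reached a shell command line.
for my $arg (@ARGV) {
    chomp $arg;
    $arg =~ s/\s//g;
    my $recognised = 0;

    # An explicit p-prefixed port always wins; a bare number is used only
    # while no port has been chosen yet.
    if ($arg =~ /^-{0,2}p(?:ort)?=?(\d+)$/i
        or ($arg =~ /^-{0,2}(\d+)$/ and !$check_port))
    {
        $check_port = $1;
        $recognised = 1;
    }

    # Same precedence rule for the netstat options.
    if ($arg =~ /^-{0,2}o(?:ption)?=?-?([A-Za-z0-9]+)$/i
        or ($arg =~ /^-{0,2}-?([A-Za-z]+)$/ and !$options))
    {
        $options    = '-' . lc($1);
        $recognised = 1;
    }

    # Only the first minimum given is kept.
    if ($arg =~ /^-{0,2}m(?:in|inimum)?=?(\d+)$/i and !$newmin) {
        $newmin     = $1;
        $recognised = 1;
    }

    # Tell the operator when an argument was dropped instead of silently
    # falling back to the defaults.
    warn "Ignoring unrecognised argument: $arg\n" if !$recognised;
}

# A port is mandatory; without one, print the usage text and stop.
if (!$check_port or $check_port !~ /^\d+$/) {
    die "Check netstat for connections to target IPs and from source IPs. Find attacks, high usage accounts, etc.\n"
      . "Specify the port to check connections on/to, any netstat options (-n, -na, -pane, -planet, etc.\n"
      . "as well as specify the minimum simultaneous connection criteria for displaying the results.\n\n"
      . "Usage: $0 -pPORT [-oOPTIONS (defaults to -n)] [-min=N (defaults to $minimum minimum)]\n";
}

# Fall back to numeric output, and apply the minimum override if one was given.
$options = '-n'    if !$options;
$minimum = $newmin if ($newmin && $newmin > 0);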

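# Name of this machine; used only in the report banner.
# NOTE(review): `hostname` and `netstat` are both located through $PATH,
# so run this from an environment whose PATH is trusted.
chomp(my $hostname = `hostname`);

my %netstatt;     # connection count per local (target) address
my %netstats;     # connection count per remote (source) address
my %domainips;    # address => label, filled from /etc/domainips
my $target;
my $source;
my $port;

# Run netstat through a list-form pipe open: the program and its single
# option argument are passed to exec directly, so no shell parses $options
# and nothing in it can be interpreted as shell syntax. The former
# "| grep :PORT" stage is done here by keeping only the lines that contain
# ":PORT".
my $port_marker = ":$check_port";
my @netstat;
open(my $netstat_fh, '-|', 'netstat', $options)
    or die "Cannot run netstat: $!\n";
while (my $line = <$netstat_fh>) {
    push @netstat, $line if index($line, $port_marker) >= 0;
}
# close() on a pipe reports a non-zero exit status, e.g. when netstat
# rejected the option cluster; the report would then be empty or partial.
close($netstat_fh)
    or warn "netstat exited abnormally (status $?)\n";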

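# Load the optional address-to-label map. Each line is stripped of
# whitespace and split at its first ':' into an address and a label.
# The file is not present on every system, so a failed open simply leaves
# the map empty instead of reading from an unopened handle.
# NOTE(review): splitting at the first ':' cannot represent IPv6 keys.
if (open(my $di_fh, '<', '/etc/domainips')) {
    while (my $line = <$di_fh>) {
        $line =~ s/\s//g;
        my ($ip, $domain) = split(/:/, $line, 2);
        # Skip blank lines and lines that lack an address or a label.
        next unless defined $ip && length $ip && defined $domain;
        $domainips{$ip} = $domain;
    }
    close($di_fh);
}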

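# Tally connections on the requested local port, once per local (target)
# address and once per remote (source) address.
foreach my $netstat (@netstat) {
    chomp $netstat;
    $netstat =~ s!^\s+!!;
    $netstat =~ s!\s+$!!;
    # Report IPv4-mapped IPv6 peers under their plain IPv4 address.
    $netstat =~ s!::ffff:!!g;

    # Fields 4 and 5 are taken as the local and the remote endpoint
    # ("Local Address" / "Foreign Address" in net-tools netstat output).
    ($target, $source) = (split(/\s+/, $netstat))[3,4];
    next unless defined $target && defined $source;

    # The port is whatever follows the LAST ':', which keeps an IPv6
    # address in one piece. Splitting at the first ':' silently dropped
    # every IPv6 connection from the report.
    next unless $target =~ /^(.*):([^:]+)$/;
    ($target, $port) = ($1, $2);

    # Ports such as '*' or service names are not numeric; skip them without
    # a numeric-comparison warning. This also drops lines that only matched
    # ":PORT" as a prefix (":8080" when checking 80) or on the remote side.
    next unless $port =~ /^\d+$/ && $port == $check_port;

    $source =~ s/:[^:]*$//;

    # One increment per connection. The earlier "set to 1, then add 1 if
    # true" sequence counted the first connection twice, so every total
    # was one too high.
    $netstatt{$target}++;
    $netstats{$source}++;
}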

# Report banner: port, host and the threshold in effect, followed by a rule.
print "\nConnections to port $check_port on $hostname\n"
    . "(for minimum simultaneous connections $minimum).\n"
    . ('-' x 52);

# Fields consumed by the STDOUT format below; the listing loops assign
# them immediately before each write().
my ($ip, $num, $s);

# One result row: left-justified address (with optional label), an arrow,
# the connection count, and "connection" plus its plural suffix.
format STDOUT =
@<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< @<< @<<<<< connection@<
$ip, '->', $num, $s
.


# Local addresses on this server, busiest first. Rows whose count is
# below $minimum are left out.
print "\nTarget IPs (connecting to):\n" . ('-' x 52) . "\nResults:\n";
for my $addr (reverse sort { $netstatt{$a} <=> $netstatt{$b} } keys %netstatt) {
    my $count = $netstatt{$addr};
    next if $count < $minimum;

    # Fill the format fields, then emit one row.
    $s   = $count == 1 ? '' : 's';
    $ip  = printip($addr);
    $num = $count;
    write STDOUT;
}


# Remote addresses connecting to this server, busiest first. Rows whose
# count is below $minimum are left out.
print(('-' x 52) . "\nSource IPs (connecting from):\n" . ('-' x 52) . "\nResults:\n");
for my $addr (reverse sort { $netstats{$a} <=> $netstats{$b} } keys %netstats) {
    my $count = $netstats{$addr};
    next if $count < $minimum;

    # Fill the format fields, then emit one row.
    $s   = $count == 1 ? '' : 's';
    $ip  = printip($addr);
    $num = $count;
    write STDOUT;
}

# Closing rule.
print(('-' x 52) . "\n");

# Build the display text for one address.
#   ""               -> "[no valid address]"
#   address in map   -> "ADDRESS (LABEL)", label taken from %domainips
#   any other value  -> the address unchanged
sub printip {
    my ($addr) = @_;

    return "[no valid address]" if $addr eq "";

    return exists($domainips{$addr})
        ? "$addr ($domainips{$addr})"
        : "$addr";
}


Example result:

root@lion [~]# /tools/ipcheck 80

Connections to port 80 on lion.arvixe.com
(for minimum simultaneous connections 10).
----------------------------------------------------
Target IPs (connecting to):
----------------------------------------------------
Results:
74.86.202.40                           ->  402    connections
74.86.127.248 (cbe360.com)             ->  10     connections
----------------------------------------------------
Source IPs (connecting from):
----------------------------------------------------
Results:
95.178.132.204                         ->  26     connections
79.204.107.116                         ->  25     connections
94.253.163.126                         ->  20     connections
157.55.116.17                          ->  15     connections
80.86.224.112                          ->  15     connections
95.140.195.2                           ->  14     connections
204.236.235.245                        ->  11     connections
94.52.152.42                           ->  10     connections
----------------------------------------------------

Thank you,