Apache – Top 10 IP addresses accessing your Apache webserver

Default log paths

/var/log/http/access_log[For RedHat based systems]
/var/log/apache2/access.log[For Debian based systems]
/var/log/http-access.log[For FreeBSD]

Command

awk '{ print $1}' access.log | sort | uniq -c | sort -nr | head -n 10

Output

5482 103.28.37.178
5356 66.249.78.168
1977 66.249.93.145
1962 157.55.39.251
1924 66.249.93.142
1921 66.249.93.148
1890 64.233.173.178
1860 108.61.183.134
1841 64.233.173.182
1582 157.55.39.251

Command explain

207.46.13.11 - - [29/Mar/2021:06:46:11 +0200] "GET /robots.txt HTTP/1.1" 404 493 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 13.66.139.16 - - [29/Mar/2021:06:46:25 +0200] "GET /kontakt1 HTTP/1.1" 404 493 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 7_0 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11A465 Safari/9537.53 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 178.255.168.95 - - [29/Mar/2021:06:46:35 +0200] "-" 408 0 "-" "-"

awk ‘{ print $1}’ access.log – take the access.log and print first group (separated by white space)

sort – sort records

uniq -c – omit repeated lines and prefix it with count of occurence

sort -nr – sort records again by number and in reverse order (highest values first)

head -n 10 – print just top 10 lines

Leave a Comment

Your email address will not be published. Required fields are marked *