most frequent ip addresses apache server

How to Find Most Frequent IP Addresses Accessing Apache Server

When you run a website, it is important to keep track of the most frequent IP addresses accessing your website. It will help you spot and prevent malicious attacks to your servers. You can easily do this by parsing your server’s log files. Log files also contain a lot of other useful information such as request type, datetime of access, URL requested, server response and so on. In this article, we will look at how to find most frequent IP addresses accessing Apache server. If your website goes down or gets overloaded, it might be useful to analyze traffic from these frequent visitors.


How to Find Most Frequent IP Addresses Accessing Apache Server

Here are the steps to find most frequent IP addresses accessing Apache server. Here is the default path for Apache server log

/var/log/http/access_log      [For RedHat based systems]
/var/log/apache2/access.log   [For Debian based systems]
/var/log/http-access.log      [For FreeBSD]

Here is the command to find the most frequent IP addresses accessing your server.

# awk '{ print $1}' /var/log/http/access_log | sort | uniq -c | sort -nr | head -n 10

You will get an output like the one shown below. It displays the top 10 most frequent IP addresses sending requests to your website, along with the number of hits from each IP address

542 13.28.37.178
536 66.29.78.168
197 66.29.93.145
192 157.5.39.251
194 66.29.93.142
191 66.29.93.148
180 64.23.173.178
180 10.1.183.134
181 64.23.173.182
152 157.5.39.251

In the above code, awk command prints the log file’s 1st column which contains IP address, which is piped to sort & uniq commands which determine unique IPs and count the number of occurrences of each IP. The head command picks the top 10 rows for 10 most frequent IPs.

This is a very useful command for any system administrator and can be easily modified according to your requirements.

In fact you can create a shell script to automatically parse your log file and display the frequent IP addresses. Create an empty shell file with the following command.

$ sudo vi parse_log.sh

Add the following lines to it.

#!/bin/sh

echo `date`
sudo awk '{ print $1}' /var/log/http/access_log | sort | uniq -c | sort -nr | head -n 10

Save and close the file. Make it executable with the following command.

$ sudo chmod +x parse_log.sh

You can run it with the following command. It will display present datetime along with most frequent IP addresses.

$ ./parse_log.sh
2021-07-22 10:05:00
542 13.28.37.178
536 66.29.78.168
197 66.29.93.145
192 157.5.39.251
194 66.29.93.142
191 66.29.93.148
180 64.23.173.178
180 10.1.183.134
181 64.23.173.182
152 157.5.39.251

If you want to regularly run this command then it is advisable to create a cronjob for it. Open crontab with the following command.

$ sudo crontab -e

Add the following line to it.

0 10 * * * sudo ./parse_log.sh >>/home/log.txt 2>&1

In the above command, we simply create a cronjob that runs our shell script everyday at 10.a.m. and appends the output to /home/log.txt file.

So you can simply open the /home/log.txt file to see the most frequent IPs accessing your website every day.

$ sudo cat /home/log.txt

That’s it. In this article, we have looked at how to calculate 10 most frequent IPs accessing your Apache server, created a shell script for it, and also set up a cronjob to automatically run it every day at 10.a.m.

Also read:

How to Zip Files & Folders in Linux
What are different shells available in Linux
How to Fix Permission Denied Error in Shell Script
How to Get Filename from Path in Shell Script
Shell Script to Trim Whitespace

Leave a Reply

Your email address will not be published. Required fields are marked *