GoDaddy Help

Review active connections

Active connections may be normal traffic, bots (search engine crawlers) or potentially malicious traffic (brute force attack). It is important to be able to review active connections to your server and determine if they are legitimate or malicious.

Why should I review active connections?

Excessive connections may cause:
  • site slowness
  • errors on pages
  • other tasks on server are slow (like mail)

How do I review active connections?

CHECK ACTIVE CONNECTIONS BY IP
root@myserver [~]# netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
      1 1.2.3.4
      1 5.6.7.8
      4 9.10.11.12
      5 20.21.22.23
    300 13.14.15.16

The example above shows one IP address with alot more connections than other IPs. This may be a sign of malicious traffic.

CHECK ACTIVE CONNECTIONS BY PORT

This example shows a large amount of connections to port 25 (SMTP). This may be a sign of an issue with mail.

root@myserver [~]# netstat -tuna | awk -F':+| +' 'NR>2{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

      1 953
      1 993
      1 995
      3 80
    200 25

Once you find the connections, you need to determine what they are trying to access.

SEARCH ACCESS LOGS FOR FREQUENTLY REQUESTED PAGE
root@myserver [~]#cat /usr/local/apache/domlogs/*/* | awk '{print $7}' | sort | uniq -c | sort -n | less

     30 /wp-content/uploads/2018/08/guitars.jpg
     36 /wp-includes/js/jquery/jquery.js?ver=1.12.4
     36 /wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1
     46 /user-account/
     56 /favicon.ico
     65 /website-stuff/
     89 /results.json
    140 /robots.txt
    169 /wp-login.php
    270 /wp-admin/admin-ajax.php
    441 /xmlrpc.php
    448 /

Entries for "/" would be the index page of each site and likely normal traffic. Entries that are 10x higher than other pages (ie. /xmlrpc.php vs guitars.jpg) may indicate suspicious activity.

CHECK APACHE OR PHP-FPM ERROR LOG FOR ERRORS
Review the Apache Error log
Review the PHP-FPM error log

Next steps

Once you have the malicious IPs, and what they're trying to access, you can block them server wide (firewall) or per site (.htaccess)
  • Block malicious IPs in the server's firewall (Windows Firewall, iptables, firewalld).
  • Use Plesk or WHM (cphulk) to block malicious IPs.
  • Using WordPress? Check out Common WordPress attacks.

Share this article