Find country from Apache logs


born2run

10:55 pm on Apr 26, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Hi, I want a Linux command that'll resolve IPs to their resolved names (if available) and then sort by the number of times they have accessed my site.

I need this to find some IPs in a particular country that are sending a huge amount of bot traffic without much clue. Thanks!

born2run

11:08 pm on Apr 26, 2018 (gmt 0)


I'm searching for logresolve scripts on Google. I want only the IPs sorted by counts (but not print the counts). Then I'll do a logresolve on the IP list.

phranque

11:09 pm on Apr 26, 2018 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



I would write a Perl script to do that.

born2run

11:18 pm on Apr 26, 2018 (gmt 0)


I have this command that works:

cat access.log | awk '{print $1}' | sort -n | uniq -c | sort -nr | head -20

this gives a list like this (includes count):

898 54.166.172.33

I don't want the 898, just the IP address. So in the command above, what's printing the counts? Thanks!

born2run

11:28 pm on Apr 26, 2018 (gmt 0)


It's uniq -c, but if I remove -c it doesn't seem to work.

TorontoBoy

11:57 pm on Apr 26, 2018 (gmt 0)

5+ Year Member Top Contributors Of The Month



The unix host command will give you the host name:

$ host 54.166.172.33
33.172.166.54.in-addr.arpa domain name pointer ec2-54-166-172-33.compute-1.amazonaws.com


i.e. in-addr.arpa name + "domain name pointer" + host name

I usually write a shell script. To each his own.

-unique first, then sort, then process unique IPs to host names
-kill using htaccess!

born2run

12:19 am on Apr 27, 2018 (gmt 0)


So I managed to create a list of unique IP addresses from the access log file. The list contains only the unique IP addresses. Is there any way I can run a script to resolve these IP addresses? If you can, please share the script. Thanks!

keyplyr

1:15 am on Apr 27, 2018 (gmt 0)


Have a look at Analog [mirror.reverse.net]

born2run

2:08 am on Apr 27, 2018 (gmt 0)


Thanks keyplyr. I also found a script on Google that resolves a file containing a list of IP addresses:

======
#!/bin/sh
# Resolve each IP in ./ipaddress.txt (one per line) and print "ip,hostname".
# Capturing the lookup in a variable guarantees one output line per IP,
# even when the address has no PTR record and nslookup prints nothing useful.
while read -r IP; do
NAME=$(nslookup "$IP" | grep -v nameserver | cut -f 2 | grep name | cut -f 2 -d "=" | sed 's/ //')
printf '%s,%s\n' "$IP" "$NAME"
done < ./ipaddress.txt
======

TorontoBoy

2:26 am on Apr 27, 2018 (gmt 0)


Shell script works.

phranque

2:57 am on Apr 27, 2018 (gmt 0)


then sort by times they have accessed my site.

i misunderstood this.

Is there any way I can run a script to resolve these ip addresses?

see TorontoBoy's response above...

phranque

2:59 am on Apr 27, 2018 (gmt 0)


I didn't see some of the responses when I posted.

host or nslookup works...

TorontoBoy

3:40 am on Apr 27, 2018 (gmt 0)


input IP: 197.231.221.211
script output: 197.231.221.211,exit1.ipredator.se

It might be helpful to output the netname instead: CYBERDYNE-VPN01

$ host 197.231.221.211
211.221.231.197.in-addr.arpa domain name pointer exit1.ipredator.se


Try a whois lookup on some of these IPs. The host name may not be helpful. Also, some suspect IPs often don't have a host name set up, on purpose, so you might get something odd returned from the script. Bot IPs will try any trick they can to avoid being identified.

$ whois 197.231.221.211
% This is the AfriNIC Whois server.

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '197.231.221.0 - 197.231.221.255'

% No abuse contact registered for 197.231.221.0 - 197.231.221.255

inetnum: 197.231.221.0 - 197.231.221.255
netname: CYBERDYNE-VPN01
descr: Cyberdynes VPN users, block 01.
country: LR
admin-c: NW2-AFRINIC
tech-c: NW2-AFRINIC
status: ASSIGNED PA
mnt-by: CyberdyneSA-MNT
source: AFRINIC # Filtered
parent: 197.231.220.0 - 197.231.223.255

<snip>
nic-hdl: NW2-AFRINIC
mnt-by: GENERATED-WVURFBJ8EPYM0NQF6GHLKDUQS7QK9DL3-MNT
source: AFRINIC # Filtered




[edited by: not2easy at 4:13 am (utc) on Apr 27, 2018]
[edit reason] see Charter/ToS [/edit]
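The thread's three steps (count hits per IP, reverse-resolve, then whois for netname and country) combined into one Python script. This is an added example, not code from the thread or from any poster; the log lines are constructed, and the live lookup at the bottom assumes the whois CLI is installed and the network is reachable.

```python
import re
import socket
import subprocess
from collections import Counter
# Constructed sample lines in Apache combined format (not taken from the thread).
SAMPLE_LOG = """\
54.166.172.33 - - [26/Apr/2018:22:55:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
197.231.221.211 - - [26/Apr/2018:22:55:02 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "bot/1.0"
197.231.221.211 - - [26/Apr/2018:22:55:04 +0000] "GET /a HTTP/1.1" 200 10 "-" "bot/1.0"
197.231.221.211 - - [26/Apr/2018:22:55:05 +0000] "GET /b HTTP/1.1" 200 10 "-" "bot/1.0"
this line is not a log entry and must be ignored
"""
CLIENT_IP = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}) ")

def top_ips(log_text, limit=20):
    """Requests per client IP, busiest first (the sort | uniq -c | sort -nr step)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CLIENT_IP.match(line)
        if m:
            counts[m.group(1)] += 1
    return counts.most_common(limit)

def reverse_name(ip, timeout=3.0):
    """PTR lookup; many bot IPs deliberately have no PTR, so return '' instead of failing."""
    socket.setdefaulttimeout(timeout)
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return ""

def parse_whois(text):
    """Range, netname and country from RIR whois output ('inetnum:' at AFRINIC/RIPE, 'NetRange:' at ARIN)."""
    wanted = {"inetnum", "netrange", "netname", "country"}
    result = {}
    for line in text.splitlines():
        if line.startswith("%") or ":" not in line:  # skip '%' comment lines
            continue
        key, _, value = line.partition(":")
        key = key.strip().lower()
        if key in wanted and key not in result:  # first occurrence wins
            result[key] = value.split("#")[0].strip()  # drop '# Filtered' tags
    return result

if __name__ == "__main__":  # needs the whois CLI and network; the functions above do not
    for ip, count in top_ips(SAMPLE_LOG):
        try:
            out = subprocess.run(["whois", ip], capture_output=True, text=True, timeout=15).stdout
        except (FileNotFoundError, subprocess.TimeoutExpired):
            out = ""
        info = parse_whois(out)
        print(count, ip, reverse_name(ip) or "-", info.get("netname", "-"), info.get("country", "-"))
```

Point it at a real log by reading access.log into top_ips instead of SAMPLE_LOG; the country field is the RIR's registration country for the block, not a geolocation of the individual address.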