Analysing DOS blocks by country

Unfortunately, it is common for certain countries to be a source of DOS attacks or aggressive crawl bots. These countries may also fall outside your target demographic, in which case your website does not actually need to be available there.

Using the DOS filter logs, you can analyse the number of blocks that have occurred by country. The simple command below parses the logs and shows the quantity of DOS blocks per country code.

E.g. for today's blocks:

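# Field 9 of each log line is the blocked IP; sort -u looks each address up once.
# The country code is then extracted from the geoiplookup output and counted.
for IP in $(zcat /microcloud/data/logs/lb1/dos-filter-$(date +%F)*.gz | awk '{print $9}' | sort -u); do
  geoiplookup "$IP"
done | ack-grep '([A-Z]+),' --output='$1' | sort | uniq -c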

You could then go on to block by country code using the information displayed.
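
Because the command above passes the IPs through sort -u, each address is counted once however many times it was blocked. The following added example (not part of the original page) goes one step further and reports both the number of blocked requests and the number of distinct IPs per country, which helps separate one noisy host from a country-wide pattern. The function names, the LOOKUP variable and the sample log lines are assumptions made for illustration; field 9 is taken to be the IP, as in the command above.

```shell
#!/bin/sh
# Added example: count blocked requests (log lines) per country while looking
# each distinct IP up only once. Names and sample data are illustrative.

# Command used to resolve an IP; override LOOKUP to run without a GeoIP database.
LOOKUP=${LOOKUP:-geoiplookup}

# Reads DOS filter log lines on stdin and prints
# "<blocks> <distinct IPs> <country code>", busiest country first.
blocks_by_country() {
  awk '{print $9}' | sort | uniq -c |
  while read -r hits ip; do
    # geoiplookup prints e.g. "GeoIP Country Edition: US, United States"
    cc=$("$LOOKUP" "$ip" | sed -n 's/.*: \([A-Z][A-Z]\),.*/\1/p' | head -n 1)
    echo "$hits ${cc:-??}"   # ?? = address not found in the database
  done |
  awk '{blocks[$2] += $1; ips[$2]++}
       END {for (c in blocks) print blocks[c], ips[c], c}' |
  LC_ALL=C sort -k1,1nr -k3,3
}

# Constructed stand-in for geoiplookup (documentation-range addresses only).
sample_lookup() {
  case "$1" in
    192.0.2.*)    echo "GeoIP Country Edition: US, United States" ;;
    198.51.100.*) echo "GeoIP Country Edition: DE, Germany" ;;
    *)            echo "GeoIP Country Edition: IP Address not found" ;;
  esac
}

# Constructed sample log lines; only field 9 (the IP) matters here.
sample_log() {
  printf 'f1 f2 f3 f4 f5 f6 f7 f8 %s\n' \
    192.0.2.10 192.0.2.10 192.0.2.10 192.0.2.11 198.51.100.7 203.0.113.5
}

# Runs the count over the constructed sample using the stand-in lookup.
demo() { sample_log | LOOKUP=sample_lookup blocks_by_country; }

# Against the real logs:
#   zcat /microcloud/data/logs/lb1/dos-filter-$(date +%F)*.gz | blocks_by_country
```

A country with many blocks from very few IPs may be better handled by blocking those addresses than by blocking the whole country code.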