Analysing DOS blocks by country

27th February 2015 | June 9th, 2017

Unfortunately, it is common for certain countries to be a source of DOS attacks or aggressive crawl bots. If those countries are not part of your target demographic, your website may not need to be available there at all.

Using the DOS filter logs, you can analyse the number of blocks that have occurred by country. This simple command parses the logs and shows the number of DOS blocks per country code.

E.g. for today's blocks:

# Look up each unique blocked IP (field 9 of the log line) and count IPs per country code
for IP in $(zcat /microcloud/data/logs/lb1/dos-filter-$(date +%F)*.gz | awk '{print $9}' | sort -u); do
  geoiplookup "$IP"
done | ack-grep '([A-Z]+),' --output='$1' | sort | uniq -c

You could then go on to block by country code using the information displayed.
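
As an added example (not part of the original post), the function below extends the command above to report, per country code, both the total number of block events and the number of unique source IPs, which helps tell one noisy address apart from a broad source before a whole country is blocked. It assumes, as the command above does, that the IP is field 9 of each log line; `sample_lookup`, `sample_log` and the `AA`/`BB` country codes are constructed stand-ins so that it runs without `geoiplookup` or real logs.

```bash
#!/bin/sh
# Added example: per-country block events AND unique source IPs.
# Real use (log path taken from the page):
#   zcat /microcloud/data/logs/lb1/dos-filter-$(date +%F)*.gz | blocks_by_country
LOOKUP=${LOOKUP:-geoiplookup}  # must print "GeoIP Country Edition: CC, Name"

blocks_by_country() {
  # stdin: decompressed log lines; stdout: "CC events unique_ips", busiest first
  awk '{print $9}' | sort | uniq -c | while read -r events ip; do
    # One lookup per unique IP; a failed lookup is reported as "??"
    cc=$("$LOOKUP" "$ip" |
         sed -n 's/^GeoIP Country Edition: \([A-Z][A-Z]\),.*/\1/p' | head -n 1)
    echo "${cc:-??} $events"
  done | awk '{ev[$1] += $2; ips[$1]++}
              END {for (c in ev) print c, ev[c], ips[c]}' | sort -k2,2nr -k1,1
}

# Constructed stand-in for geoiplookup (documentation IP ranges, made-up codes).
sample_lookup() {
  case "$1" in
    192.0.2.*)    echo "GeoIP Country Edition: AA, Example Land" ;;
    198.51.100.*) echo "GeoIP Country Edition: BB, Sample Republic" ;;
    *)            echo "GeoIP Country Edition: IP Address not found" ;;
  esac
}

# Constructed log lines: only the position of the IP (field 9) is assumed.
sample_log() {
  cat <<'EOF'
2015-02-27 10:00:01 lb1 dos-filter BLOCK rule=rate hits=120 client 192.0.2.10 /
2015-02-27 10:00:02 lb1 dos-filter BLOCK rule=rate hits=121 client 192.0.2.10 /
2015-02-27 10:00:03 lb1 dos-filter BLOCK rule=rate hits=122 client 192.0.2.10 /
2015-02-27 10:00:04 lb1 dos-filter BLOCK rule=rate hits=90 client 192.0.2.11 /
2015-02-27 10:01:01 lb1 dos-filter BLOCK rule=rate hits=300 client 198.51.100.7 /
2015-02-27 10:01:02 lb1 dos-filter BLOCK rule=rate hits=301 client 198.51.100.7 /
2015-02-27 10:01:03 lb1 dos-filter BLOCK rule=rate hits=302 client 198.51.100.7 /
2015-02-27 10:01:04 lb1 dos-filter BLOCK rule=rate hits=303 client 198.51.100.7 /
2015-02-27 10:01:05 lb1 dos-filter BLOCK rule=rate hits=304 client 198.51.100.7 /
2015-02-27 10:02:01 lb1 dos-filter BLOCK rule=rate hits=80 client 203.0.113.9 /
EOF
}

# Offline demo: BB has the most events but a single IP; AA has two distinct IPs.
demo() { sample_log | LOOKUP=sample_lookup blocks_by_country; }
```

In the sample, `BB` leads on events but all five come from one address, so blocking that single IP would be a narrower response than blocking the country.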