/ Register

Discover Centmin Mod today
Register Now

PHP-FPM php-fpm 502 bad gateway errors

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by Sunka, Nov 16, 2016.

Previous Thread Next Thread
Loading...
Page 1 of 2
  1. Nov 16, 2016 #1
    Sunka

    Sunka Well-Known Member

    1,150
    325
    83
    Oct 31, 2015
    Pula, Croatia
    Ratings:
    +525
    Local Time:
    2:41 AM
    Nginx 1.17.9
    MariaDB 10.3.22
    For few minutes my php fpm went down.
    In nginx access log I can see in that time lot of this (same IP)
    Code:
    45.32.69.51 - - [15/Nov/2016:15:33:29 +0100] "GET /?FMCuJd=mLnj20&38QLDjwe=HYrlkJJe&XYG=GLGNK&7ikeDcG=RGM00xH3FO1ui5NIPof&c5ImJpwNA2=BdBhfxekVNprAmALvs HTTP/1.1" 502 166 "-" "Mozilla/5.0 (Linux i386; X11) Gecko/20052602 Firefox/20.0"
45.32.69.51 - - [15/Nov/2016:15:33:29 +0100] "GET /?awujLywJPq=3Xnl3qp&140=qnEUjEtiWJoil5l3 HTTP/1.1" 200 257212 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_4_1) Gecko/20061111 Firefox/13.0"
45.32.69.51 - - [15/Nov/2016:15:33:30 +0100] "GET /?lPi80C7=11MccAedD6pF&hi3FKhQf=mFK8jGq8&bwV3I=SnCSbA&OS27PSNQYr=aHv8HDMMp4Q8cAa7vuV&PBP=M2L4I HTTP/1.1" 502 166 "http://www.yandex.com/PGYWc4" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_0) Gecko/20012501 Firefox/22.0"
45.32.69.51 - - [15/Nov/2016:15:33:30 +0100] "GET /?BcD=tbVOF62eK5R HTTP/1.1" 200 256708 "http://www.yandex.com/s4oJv5W8?Ux323WG=2g325DPRItfuH&LAKrPBHfR=TCuo&bPDP=nLWSixGelwpfWo2WUa&8RNq6GLI4W=RR0OSpOOU&bkacjCkjk8=OPavU0VpgtsjR&4r0IdNxwG=DUyFYJqDqByv5uw7wKan&umxfP=w2CEW7GetJi&oNqdDRdMPT=P3R2BMf3sHGo" "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_3_4) Gecko/20022609 Firefox/21.0"
45.32.69.51 - - [15/Nov/2016:15:33:30 +0100] "GET /?mRU0Ixofp=T67Ud5kygxulFdo23x&vXrD=lOFW HTTP/1.1" 502 568 "-" "Mozilla/5.0 (Windows; U; MSIE 8.0; Macintosh; .NET CLR 2.0.16502; Intel Mac OS X 10_6_0)"
45.32.69.51 - - [15/Nov/2016:15:33:30 +0100] "GET /?mtVSH5mEE7=IU2dtLNuqTgX&rHjLeNU=62VVde8jYx2&uRWMfQ6ej=JvRCG6xuqO&20daA=n2UIk2 HTTP/1.1" 200 256384 "http://www.baidu.com/NyGKI?0WuP3Ck=HmEGt4dghwkS3Glat&ROie8aDLD=PdcXg8U3Q7IOnE1n8m&F3C0vJ=4jSeyQutQ6&dVwxsW4gp=3OSYAUy" "Mozilla/5.0 (compatible; MSIE 8.0; Macintosh; .NET CLR 3.5.6072; Intel Mac OS X 11_4_5)"
45.32.69.51 - - [15/Nov/2016:15:33:30 +0100] "GET /?ukgr=vgMPpsWc1g&umMEKjpki=hTRmNiPbvHWwYt HTTP/1.1" 502 166 "http://www.google.com/OXmL6?lDA=Cn7GG3TRWDxlShTeLj2&qOJQ3w1=hpQUsl&KVRxd=guAsK&jSHc=OJLPiFYjx10&fX2BYkwl=IMm&L3B=88lj3Sni&f06Unp=Xpx0x" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_4_1) Gecko/20090311 Firefox/14.0"
45.32.69.51 - - [15/Nov/2016:15:33:30 +0100] "GET /?46l=VMrbmC8ithshE6we8fC&xeQdGt4=P24ONCsM526R6RMY HTTP/1.1" 502 568 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.3; .NET CLR 2.1.29612; Win64; x64)"
45.32.69.51 - - [15/Nov/2016:15:33:30 +0100] "GET /?leLa0xMr=snMFbxu165GH&EyMFo=eaebsVl1QoiIYJ HTTP/1.1" 200 256748 "http://www.google.com/hbdOFUh?b02D=RV1DEQJ6lTWbVm&VCGoH7NNst=EaFSFl6bLPMGd" "Mozilla/5.0 (compatible; MSIE 6.0; Linux i386; .NET CLR 3.5.6072; X11)"
45.32.69.51 - - [15/Nov/2016:15:33:30 +0100] "GET /?QHurh=hKQpobYHMaKTLJB&nYmHYpYJW=rQKMUOcqKRPJk&4BOvPp=DNAF25u0A5&WXPX=27bSlTNQQHKX&wYembSMb=1ThnNHAjdx HTTP/1.1" 200 255186 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_3_4) AppleWebKit/536.10 (KHTML, like Gecko) Chrome/18.0.604.43 Safari/537.26"
45.32.69.51 - - [15/Nov/2016:15:33:30 +0100] "GET /?cHv0HfrYq8=qkUS3qEdwMbHx&Cd0tAo=lhIy2jP&7uWvkc=mBmfbGJieX2cHeh&GYSfN=Fry&7GD=TC18CLem8OpCDstNwfT HTTP/1.1" 502 568 "http://www.bing.com/sCrKwyum1w?hHKdrixE3v=Q8WiP6eEQaTKJ&uXRhu=ftOb&cXakFFBKp=8nXLa3gtUIGY&rsaSnYg=VRf2S8hOTfyCRIvvpmM&JRqNkD2j=wp51WCQxD&eA2=nNbRmSXH5&QWl3A=vPbb8A0gES&nXi4NACcfu=piYur&OUbTng=MWnGjb8KR4ScAstvPYmb" "Mozilla/5.0 (compatible; MSIE 10.0; Linux x86_64; .NET CLR 2.3.19866; X11)"
45.32.69.51 - - [15/Nov/2016:15:33:30 +0100] "GET /?2Hq=JKGl HTTP/1.1" 200 44429 "-" "Mozilla/5.0 (Windows NT.6.2; Win64; x64) AppleWebKit/537.18 (KHTML, like Gecko) Chrome/29.0.1726.79 Safari/536.14"
45.32.69.51 - - [15/Nov/2016:15:33:31 +0100] "GET /?L5cNlj=kxOWGx1yptqd&N4jUkLS=QRwERUxBT&i6uE8vCrn=qutVq&EgaHpgjKUC=gktXDtfIjftGN3VWiaB&2M6Aob3K1=kAPVMQAofIAkhUbeBtJ HTTP/1.1" 200 255212 "-" "Mozilla/5.0 (Linux i386; X11) AppleWebKit/535.21 (KHTML, like Gecko) Chrome/16.0.338.21 Safari/536.34"
45.32.69.51 - - [15/Nov/2016:15:33:31 +0100] "GET /?COqlBippM=yEcjwY HTTP/1.1" 502 166 "http://www.pijanitvor.com/iarc1EBy?xPqpe=74ViMfs4wVXwhnLyv&LG3FwDy=J41lKmn&MxSsG=Asd83npGNBcUCv272AjK&cggK6oJQ=CnJT7yXFox&BoIJqCsY=EONGVbVD2fQtl0t&00ixwXCYG=sicgwgGpMhS&cvgC0HOK=xc2vD3ysF17f&BFNEgmix4=sRUjv4MgtMLHoeCI&YsiLj=xlT2hTF67tL" "Mozilla/5.0 (Linux i386; X11) Gecko/20100809 Firefox/13.0"
45.32.69.51 - - [15/Nov/2016:15:33:31 +0100] "GET /?VyY8=ksErAlmN1ai&M2uM1=uScbUAj7maDYNWigUMe HTTP/1.1" 502 166 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_1_2) Gecko/20101308 Firefox/16.0"
45.32.69.51 - - [15/Nov/2016:15:33:31 +0100] "GET /?4l2CO=Iu5l&okO=8yyPYedWJDqCEYX&2EiMYCLq=rqaLXNKhju6Eq&CTwSEKlF=ob7YfnrOuHH30Vp HTTP/1.1" 502 568 "-" "Mozilla/5.0 (compatible; MSIE 7.0b; Linux i386; .NET CLR 2.0.2727; X11)"
45.32.69.51 - - [15/Nov/2016:15:33:31 +0100] "GET /?heYYmB=ah8i&PhqV=6QHKNMMRVLo&hMU6UhA=6AFh5U1oXpqqtkBC&rvLE1MoFn=rWgiFUq HTTP/1.1" 502 166 "http://www.baidu.com/MMX8kWS" "Mozilla/5.0 (Linux i386; X11) Gecko/20060305 Firefox/13.0"
45.32.69.51 - - [15/Nov/2016:15:33:31 +0100] "GET /?HTQj5s=I2GNL&KsYoqsva=YKtGFESKc7lb3tbyFFRI&DJyW20q5=TwFo74df7h&Qyr8=MRUY HTTP/1.1" 502 568 "-" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT.6.2; .NET CLR 2.0.16502; WOW64)"
45.32.69.51 - - [15/Nov/2016:15:33:31 +0100] "GET /?PYs=c3F8w&AFfatpxUs=mrFb6qhIOISbcQ4OX2H&oSlBaFTld1=mWsPvHetyfT HTTP/1.1" 502 568 "http://www.bing.com/TtvRFuvX7h?nToy=PPf2Fh16asbWId4So0A&8gNR0PsPIP=HCpdfPqpe&V3WqVPS4=u7JRnaso2fpS4s&SlFKHHY=BfJS3Ikc0F&CKWtVYm=I1O&AvU6nUoCPV=WOnkiT2owtvO26X&rbpL=7acKdqMMvPtEIwU&HH1t8O301M=fqD3sdNn8GAdw&3xPuQkOLT=3kWkwRW5aH" "Mozilla/5.0 (Linux x86_64; X11) AppleWebKit/536.14 (KHTML, like Gecko) Chrome/21.0.1256.84 Safari/536.21"
45.32.69.51 - - [15/Nov/2016:15:33:31 +0100] "GET /?fVJUR4=1Sleqt8cMxx&26cwMD=eDf8jsYNjayEKdm&FFwNUfG=5ODstAKxP&7t2GpV=dkmE0RIKbw1&Dn7V=Iy4Q201ldn35j HTTP/1.1" 502 568 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.25 (KHTML, like Gecko) Chrome/23.0.407.41 Safari/535.34"
    Should I disable IP or something else regarding this, or should I disable bot names, or what?

    If yes, how?
     
  2. Nov 16, 2016 #2
    eva2000

    eva2000 Administrator Staff Member

    55,802
    12,272
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,858
    Local Time:
    10:41 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    nothing to do with bad bot blocking as that gets 444 status not 502, looks like you're being attacked by that ip
    45.32.69.51 on old chrome user agents which is a vultr ip http://www.tcpiputils.com/browse/ip-address/45.32.69.51

    but looks like baidu and yandex UA are present. Could be they overwhelmed you php-fpm server as it could be down hence 502
     
  3. Nov 16, 2016 #3
    Sunka

    Sunka Well-Known Member

    1,150
    325
    83
    Oct 31, 2015
    Pula, Croatia
    Ratings:
    +525
    Local Time:
    2:41 AM
    Nginx 1.17.9
    MariaDB 10.3.22
    But I get error 502
    Also few minutes ago same happened
     
  4. Nov 16, 2016 #4
    eva2000

    eva2000 Administrator Staff Member

    55,802
    12,272
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,858
    Local Time:
    10:41 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    502 bad gateway means nginx can't communicate with php-fpm backend because php-fpm is down, unavailable or overloaded.
     
  5. Nov 16, 2016 #5
    eva2000

    eva2000 Administrator Staff Member

    55,802
    12,272
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,858
    Local Time:
    10:41 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
  6. Nov 16, 2016 #6
    Sunka

    Sunka Well-Known Member

    1,150
    325
    83
    Oct 31, 2015
    Pula, Croatia
    Ratings:
    +525
    Local Time:
    2:41 AM
    Nginx 1.17.9
    MariaDB 10.3.22
    Seems to me that I have to play with this settings:

    Code:
    pm = dynamic
pm.max_children = 16
; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
pm.start_servers = 6
pm.min_spare_servers = 4
pm.max_spare_servers = 12
pm.max_requests = 500
...
php_admin_value[memory_limit] = 512M
     
  7. Nov 16, 2016 #7
    Sunka

    Sunka Well-Known Member

    1,150
    325
    83
    Oct 31, 2015
    Pula, Croatia
    Ratings:
    +525
    Local Time:
    2:41 AM
    Nginx 1.17.9
    MariaDB 10.3.22
    Trying right now:
    Code:
    pm = dynamic
pm.max_children = 12
; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
pm.start_servers = 6
pm.min_spare_servers = 4
pm.max_spare_servers = 10
pm.max_requests = 200
php_admin_value[memory_limit] = 1024M
     
  8. Nov 16, 2016 #8
    eva2000

    eva2000 Administrator Staff Member

    55,802
    12,272
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,858
    Local Time:
    10:41 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    CSF Firewall block the ip first
    Code (Text):
    csf -d 45.32.69.51
     
  9. Nov 16, 2016 #9
    Sunka

    Sunka Well-Known Member

    1,150
    325
    83
    Oct 31, 2015
    Pula, Croatia
    Ratings:
    +525
    Local Time:
    2:41 AM
    Nginx 1.17.9
    MariaDB 10.3.22
    How to block them?
     
  10. Nov 16, 2016 #10
    eva2000

    eva2000 Administrator Staff Member

    55,802
    12,272
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,858
    Local Time:
    10:41 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
  11. Nov 16, 2016 #11
    eva2000

    eva2000 Administrator Staff Member

    55,802
    12,272
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,858
    Local Time:
    10:41 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    fyi some SSH commands to filter your nginx access.log just change accesslog variable to point to your domain.com's log/access.log location
    Code (Text):
    accesslog='/home/nginx/domains/domain.com/log/access.log'
read -ep "Filter which status code ? i.e. 404 : " var ; awk -v errno=${var} '$9 == 'errno' { print $1 }' $accesslog | sort | uniq -c | sort -n

    Then you can filter log based on http status code i.e. 502
    i.e.
    Code (Text):
    Filter which status code ? i.e. 404 : 405
      2 190.129.35.245
      2 85.230.197.63
      3 158.69.244.240
      4 149.56.102.92
      4 192.99.144.140
      4 198.27.89.245
      9 164.132.201.51
     
  12. Nov 16, 2016 #12
    Sunka

    Sunka Well-Known Member

    1,150
    325
    83
    Oct 31, 2015
    Pula, Croatia
    Ratings:
    +525
    Local Time:
    2:41 AM
    Nginx 1.17.9
    MariaDB 10.3.22
    Code:
    # read -ep "Filter which status code ? i.e. 404 : " var ; awk -v errno=${var} '$9 == 'errno' { print $1 }' $accesslog | sort | uniq -c | sort -n
Filter which status code ? i.e. 404 : 502
      1 109.228.89.178
      1 109.245.156.121
      1 109.245.39.40
      ...
     10 134.90.132.13
     10 31.147.65.248
     10 93.143.31.169
     12 37.187.141.25
     13 79.101.136.129
     16 207.46.13.186
     17 180.191.111.244
     18 136.243.152.18
     18 207.46.13.193
     19 68.180.229.238
     21 207.46.13.172
   3579 45.32.69.51
 112100 158.69.116.62
    last two blocked
     
  13. Nov 16, 2016 #13
    eva2000

    eva2000 Administrator Staff Member

    55,802
    12,272
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,858
    Local Time:
    10:41 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    FYI, 502 status doesn't mean the ip is bad as it could be a legit visitor hitting server while php-fpm is down. Though i doubt any legit user would have that mean instances logged for their ip so you'd want to check the ip's user agent in your access logs
     
  14. Nov 16, 2016 #14
    Sunka

    Sunka Well-Known Member

    1,150
    325
    83
    Oct 31, 2015
    Pula, Croatia
    Ratings:
    +525
    Local Time:
    2:41 AM
    Nginx 1.17.9
    MariaDB 10.3.22
    Yep, this last two are blocked, others no.
    I will block only with "extra numbers > 200"

    Any shortcut command for that?
     
  15. Nov 16, 2016 #15
    eva2000

    eva2000 Administrator Staff Member

    55,802
    12,272
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,858
    Local Time:
    10:41 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
  16. Nov 16, 2016 #16
    Sunka

    Sunka Well-Known Member

    1,150
    325
    83
    Oct 31, 2015
    Pula, Croatia
    Ratings:
    +525
    Local Time:
    2:41 AM
    Nginx 1.17.9
    MariaDB 10.3.22
    I can list all rows containg one IP
    Code:
    grep -iw "31.223.139.91" /home/nginx/domains/pijanitvor.com/log/access.log
    but how to show and print only useragent of that IP?
     
  17. Nov 16, 2016 #17
    eva2000

    eva2000 Administrator Staff Member

    55,802
    12,272
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,858
    Local Time:
    10:41 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    probably need to learn how to use awk i.e. if you're using 123.09beta01 default nginx log format which is customised for nginx amplify compatibility, then fields/columns minus date would look like
    Code (Text):
    awk '/IP.ADDR/{print $1,$12,$13,$14,$15,$16,$17,$18,$19,$20,$21,$22}' access.log | sort | uniq -c | sort -n

    where IP.ADDR is the ip address you want to search for

    i.e. partial ip match on 180.76.15 gives me
    Code (Text):
    awk '/180.76.15/{print $1,$12,$13,$14,$15,$16,$17,$18,$19,$20,$21,$22}' access.log | sort | uniq -c | sort -n           
      1 180.76.15.138 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
      1 180.76.15.140 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
      1 180.76.15.143 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
      1 180.76.15.14 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
      1 180.76.15.154 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
      1 180.76.15.159 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
      1 180.76.15.160 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
      1 180.76.15.161 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
      1 180.76.15.19 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
      1 180.76.15.22 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
      1 180.76.15.23 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
      1 180.76.15.26 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
      1 180.76.15.29 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
      1 180.76.15.32 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
      1 180.76.15.7 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
      2 180.76.15.136 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
      2 180.76.15.13 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
      2 180.76.15.16 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
      2 180.76.15.18 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
      2 180.76.15.20 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
      3 180.76.15.155 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
      3 180.76.15.163 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
      4 180.76.15.156 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-

    awk and grep are important commands to master as is sort and uniq commands ;)
     
  18. Nov 16, 2016 #18
    Sunka

    Sunka Well-Known Member

    1,150
    325
    83
    Oct 31, 2015
    Pula, Croatia
    Ratings:
    +525
    Local Time:
    2:41 AM
    Nginx 1.17.9
    MariaDB 10.3.22
    Tried, but still get 1000 rows for same IP
     
  19. Nov 16, 2016 #19
    eva2000

    eva2000 Administrator Staff Member

    55,802
    12,272
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,858
    Local Time:
    10:41 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    what commad you used?

    try using tail command to list last 10 entries
    Code (Text):
    awk '/IP.ADDR/{print $1,$12,$13,$14,$15,$16,$17,$18,$19,$20,$21,$22}' access.log | sort | uniq -c | sort -n|tail -10

    Changing access.log to the full path to yours i.e.
    /home/nginx/domains/domain.com/log/access.log
     
  20. Nov 16, 2016 #20
    Sunka

    Sunka Well-Known Member

    1,150
    325
    83
    Oct 31, 2015
    Pula, Croatia
    Ratings:
    +525
    Local Time:
    2:41 AM
    Nginx 1.17.9
    MariaDB 10.3.22
    That is better now.
    Code:
    # awk '/45.32.69.51/{print $1,$12,$13,$14,$15,$16,$17,$18,$19,0,$21,$22}' /home/nginx/domains/pijanitvor.com/log/access.log | sort | uniq -c | sort -n|tail -10
     26 45.32.69.51 "Mozilla/5.0 (compatible; MSIE 8.0; Linux x86_64; .NET CLR 0 X11)"
     26 45.32.69.51 "Mozilla/5.0 (Linux x86_64; X11) Gecko/20080210 Firefox/21.0"   0 
     29 45.32.69.51 "Mozilla/5.0 (compatible; MSIE 6.1; Linux x86_64; .NET CLR 0 X11)"
     33 45.32.69.51 "Mozilla/5.0 (Windows; U; MSIE 10.0; Macintosh; .NET CLR 0 Intel Mac
     44 45.32.69.51 "Mozilla/5.0 (Windows; U; MSIE 6.0; Macintosh; .NET CLR 0 Intel Mac
     46 45.32.69.51 "Mozilla/5.0 (Windows; U; MSIE 9.0; Macintosh; .NET CLR 0 Intel Mac
     51 45.32.69.51 "Mozilla/5.0 (Windows; U; MSIE 6.1; Macintosh; .NET CLR 0 Intel Mac
     54 45.32.69.51 "Mozilla/5.0 (Windows; U; MSIE 7.0b; Macintosh; .NET CLR 0 Intel Mac
     62 45.32.69.51 "Mozilla/5.0 (Windows; U; MSIE 8.0; Macintosh; .NET CLR 0 Intel Mac
     69 45.32.69.51 "Mozilla/5.0 (Windows; U; MSIE 7.0; Macintosh; .NET CLR 0 Intel Mac
    ip's user agent - Mozilla?

    Same IP has many other user agents, but in last 10 is Mozilla
    What could be suspicious ip's user agent
     
Previous Thread Next Thread
Loading...
Page 1 of 2

.