
PHP-FPM php-fpm 502 bad gateway errors

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by Sunka, Nov 16, 2016.

  1. Sunka

    Sunka Well-Known Member

    1,150
    325
    83
    Oct 31, 2015
    Pula, Croatia
    Ratings:
    +525
    Local Time:
    2:41 AM
    Nginx 1.17.9
    MariaDB 10.3.22
    For a few minutes my PHP-FPM went down.
    In the nginx access log I can see a lot of this at that time (same IP):
    Code:
    45.32.69.51 - - [15/Nov/2016:15:33:29 +0100] "GET /?FMCuJd=mLnj20&38QLDjwe=HYrlkJJe&XYG=GLGNK&7ikeDcG=RGM00xH3FO1ui5NIPof&c5ImJpwNA2=BdBhfxekVNprAmALvs HTTP/1.1" 502 166 "-" "Mozilla/5.0 (Linux i386; X11) Gecko/20052602 Firefox/20.0"
    45.32.69.51 - - [15/Nov/2016:15:33:29 +0100] "GET /?awujLywJPq=3Xnl3qp&140=qnEUjEtiWJoil5l3 HTTP/1.1" 200 257212 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_4_1) Gecko/20061111 Firefox/13.0"
    45.32.69.51 - - [15/Nov/2016:15:33:30 +0100] "GET /?lPi80C7=11MccAedD6pF&hi3FKhQf=mFK8jGq8&bwV3I=SnCSbA&OS27PSNQYr=aHv8HDMMp4Q8cAa7vuV&PBP=M2L4I HTTP/1.1" 502 166 "http://www.yandex.com/PGYWc4" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_0) Gecko/20012501 Firefox/22.0"
    45.32.69.51 - - [15/Nov/2016:15:33:30 +0100] "GET /?BcD=tbVOF62eK5R HTTP/1.1" 200 256708 "http://www.yandex.com/s4oJv5W8?Ux323WG=2g325DPRItfuH&LAKrPBHfR=TCuo&bPDP=nLWSixGelwpfWo2WUa&8RNq6GLI4W=RR0OSpOOU&bkacjCkjk8=OPavU0VpgtsjR&4r0IdNxwG=DUyFYJqDqByv5uw7wKan&umxfP=w2CEW7GetJi&oNqdDRdMPT=P3R2BMf3sHGo" "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_3_4) Gecko/20022609 Firefox/21.0"
    45.32.69.51 - - [15/Nov/2016:15:33:30 +0100] "GET /?mRU0Ixofp=T67Ud5kygxulFdo23x&vXrD=lOFW HTTP/1.1" 502 568 "-" "Mozilla/5.0 (Windows; U; MSIE 8.0; Macintosh; .NET CLR 2.0.16502; Intel Mac OS X 10_6_0)"
    45.32.69.51 - - [15/Nov/2016:15:33:30 +0100] "GET /?mtVSH5mEE7=IU2dtLNuqTgX&rHjLeNU=62VVde8jYx2&uRWMfQ6ej=JvRCG6xuqO&20daA=n2UIk2 HTTP/1.1" 200 256384 "http://www.baidu.com/NyGKI?0WuP3Ck=HmEGt4dghwkS3Glat&ROie8aDLD=PdcXg8U3Q7IOnE1n8m&F3C0vJ=4jSeyQutQ6&dVwxsW4gp=3OSYAUy" "Mozilla/5.0 (compatible; MSIE 8.0; Macintosh; .NET CLR 3.5.6072; Intel Mac OS X 11_4_5)"
    45.32.69.51 - - [15/Nov/2016:15:33:30 +0100] "GET /?ukgr=vgMPpsWc1g&umMEKjpki=hTRmNiPbvHWwYt HTTP/1.1" 502 166 "http://www.google.com/OXmL6?lDA=Cn7GG3TRWDxlShTeLj2&qOJQ3w1=hpQUsl&KVRxd=guAsK&jSHc=OJLPiFYjx10&fX2BYkwl=IMm&L3B=88lj3Sni&f06Unp=Xpx0x" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_4_1) Gecko/20090311 Firefox/14.0"
    45.32.69.51 - - [15/Nov/2016:15:33:30 +0100] "GET /?46l=VMrbmC8ithshE6we8fC&xeQdGt4=P24ONCsM526R6RMY HTTP/1.1" 502 568 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.3; .NET CLR 2.1.29612; Win64; x64)"
    45.32.69.51 - - [15/Nov/2016:15:33:30 +0100] "GET /?leLa0xMr=snMFbxu165GH&EyMFo=eaebsVl1QoiIYJ HTTP/1.1" 200 256748 "http://www.google.com/hbdOFUh?b02D=RV1DEQJ6lTWbVm&VCGoH7NNst=EaFSFl6bLPMGd" "Mozilla/5.0 (compatible; MSIE 6.0; Linux i386; .NET CLR 3.5.6072; X11)"
    45.32.69.51 - - [15/Nov/2016:15:33:30 +0100] "GET /?QHurh=hKQpobYHMaKTLJB&nYmHYpYJW=rQKMUOcqKRPJk&4BOvPp=DNAF25u0A5&WXPX=27bSlTNQQHKX&wYembSMb=1ThnNHAjdx HTTP/1.1" 200 255186 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_3_4) AppleWebKit/536.10 (KHTML, like Gecko) Chrome/18.0.604.43 Safari/537.26"
    45.32.69.51 - - [15/Nov/2016:15:33:30 +0100] "GET /?cHv0HfrYq8=qkUS3qEdwMbHx&Cd0tAo=lhIy2jP&7uWvkc=mBmfbGJieX2cHeh&GYSfN=Fry&7GD=TC18CLem8OpCDstNwfT HTTP/1.1" 502 568 "http://www.bing.com/sCrKwyum1w?hHKdrixE3v=Q8WiP6eEQaTKJ&uXRhu=ftOb&cXakFFBKp=8nXLa3gtUIGY&rsaSnYg=VRf2S8hOTfyCRIvvpmM&JRqNkD2j=wp51WCQxD&eA2=nNbRmSXH5&QWl3A=vPbb8A0gES&nXi4NACcfu=piYur&OUbTng=MWnGjb8KR4ScAstvPYmb" "Mozilla/5.0 (compatible; MSIE 10.0; Linux x86_64; .NET CLR 2.3.19866; X11)"
    45.32.69.51 - - [15/Nov/2016:15:33:30 +0100] "GET /?2Hq=JKGl HTTP/1.1" 200 44429 "-" "Mozilla/5.0 (Windows NT.6.2; Win64; x64) AppleWebKit/537.18 (KHTML, like Gecko) Chrome/29.0.1726.79 Safari/536.14"
    45.32.69.51 - - [15/Nov/2016:15:33:31 +0100] "GET /?L5cNlj=kxOWGx1yptqd&N4jUkLS=QRwERUxBT&i6uE8vCrn=qutVq&EgaHpgjKUC=gktXDtfIjftGN3VWiaB&2M6Aob3K1=kAPVMQAofIAkhUbeBtJ HTTP/1.1" 200 255212 "-" "Mozilla/5.0 (Linux i386; X11) AppleWebKit/535.21 (KHTML, like Gecko) Chrome/16.0.338.21 Safari/536.34"
    45.32.69.51 - - [15/Nov/2016:15:33:31 +0100] "GET /?COqlBippM=yEcjwY HTTP/1.1" 502 166 "http://www.pijanitvor.com/iarc1EBy?xPqpe=74ViMfs4wVXwhnLyv&LG3FwDy=J41lKmn&MxSsG=Asd83npGNBcUCv272AjK&cggK6oJQ=CnJT7yXFox&BoIJqCsY=EONGVbVD2fQtl0t&00ixwXCYG=sicgwgGpMhS&cvgC0HOK=xc2vD3ysF17f&BFNEgmix4=sRUjv4MgtMLHoeCI&YsiLj=xlT2hTF67tL" "Mozilla/5.0 (Linux i386; X11) Gecko/20100809 Firefox/13.0"
    45.32.69.51 - - [15/Nov/2016:15:33:31 +0100] "GET /?VyY8=ksErAlmN1ai&M2uM1=uScbUAj7maDYNWigUMe HTTP/1.1" 502 166 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_1_2) Gecko/20101308 Firefox/16.0"
    45.32.69.51 - - [15/Nov/2016:15:33:31 +0100] "GET /?4l2CO=Iu5l&okO=8yyPYedWJDqCEYX&2EiMYCLq=rqaLXNKhju6Eq&CTwSEKlF=ob7YfnrOuHH30Vp HTTP/1.1" 502 568 "-" "Mozilla/5.0 (compatible; MSIE 7.0b; Linux i386; .NET CLR 2.0.2727; X11)"
    45.32.69.51 - - [15/Nov/2016:15:33:31 +0100] "GET /?heYYmB=ah8i&PhqV=6QHKNMMRVLo&hMU6UhA=6AFh5U1oXpqqtkBC&rvLE1MoFn=rWgiFUq HTTP/1.1" 502 166 "http://www.baidu.com/MMX8kWS" "Mozilla/5.0 (Linux i386; X11) Gecko/20060305 Firefox/13.0"
    45.32.69.51 - - [15/Nov/2016:15:33:31 +0100] "GET /?HTQj5s=I2GNL&KsYoqsva=YKtGFESKc7lb3tbyFFRI&DJyW20q5=TwFo74df7h&Qyr8=MRUY HTTP/1.1" 502 568 "-" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT.6.2; .NET CLR 2.0.16502; WOW64)"
    45.32.69.51 - - [15/Nov/2016:15:33:31 +0100] "GET /?PYs=c3F8w&AFfatpxUs=mrFb6qhIOISbcQ4OX2H&oSlBaFTld1=mWsPvHetyfT HTTP/1.1" 502 568 "http://www.bing.com/TtvRFuvX7h?nToy=PPf2Fh16asbWId4So0A&8gNR0PsPIP=HCpdfPqpe&V3WqVPS4=u7JRnaso2fpS4s&SlFKHHY=BfJS3Ikc0F&CKWtVYm=I1O&AvU6nUoCPV=WOnkiT2owtvO26X&rbpL=7acKdqMMvPtEIwU&HH1t8O301M=fqD3sdNn8GAdw&3xPuQkOLT=3kWkwRW5aH" "Mozilla/5.0 (Linux x86_64; X11) AppleWebKit/536.14 (KHTML, like Gecko) Chrome/21.0.1256.84 Safari/536.21"
    45.32.69.51 - - [15/Nov/2016:15:33:31 +0100] "GET /?fVJUR4=1Sleqt8cMxx&26cwMD=eDf8jsYNjayEKdm&FFwNUfG=5ODstAKxP&7t2GpV=dkmE0RIKbw1&Dn7V=Iy4Q201ldn35j HTTP/1.1" 502 568 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.25 (KHTML, like Gecko) Chrome/23.0.407.41 Safari/535.34"
    Should I disable IP or something else regarding this, or should I disable bot names, or what?


    If yes, how?
     
  2. eva2000

    eva2000 Administrator Staff Member

    55,802
    12,272
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,858
    Local Time:
    10:41 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Nothing to do with bad bot blocking, as that gets a 444 status, not 502. Looks like you're being attacked by that IP 45.32.69.51 on old Chrome user agents, which is a Vultr IP: http://www.tcpiputils.com/browse/ip-address/45.32.69.51

    But it looks like Baidu and Yandex UAs are present. Could be they overwhelmed your php-fpm server, as it could be down, hence the 502.
     
  3. Sunka

    But I get error 502.
    Also, a few minutes ago the same happened.
     
  4. eva2000

    502 bad gateway means nginx can't communicate with php-fpm backend because php-fpm is down, unavailable or overloaded.
     
  5. eva2000

  6. Sunka

    Seems to me that I have to play with these settings:

    Code:
    pm = dynamic
    pm.max_children = 16
    ; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
    pm.start_servers = 6
    pm.min_spare_servers = 4
    pm.max_spare_servers = 12
    pm.max_requests = 500
    ...
    php_admin_value[memory_limit] = 512M
     
  7. Sunka

    Trying right now:
    Code:
    pm = dynamic
    pm.max_children = 12
    ; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
    pm.start_servers = 6
    pm.min_spare_servers = 4
    pm.max_spare_servers = 10
    pm.max_requests = 200
    php_admin_value[memory_limit] = 1024M
    
     
  8. eva2000

    CSF Firewall block the ip first
    Code (Text):
    csf -d 45.32.69.51
     
  9. Sunka

    How to block them?
     
  10. eva2000

  11. eva2000

    FYI, some SSH commands to filter your nginx access.log; just change the accesslog variable to point to your domain.com's log/access.log location.
    Code (Text):
    accesslog='/home/nginx/domains/domain.com/log/access.log'
    # count requests per client IP ($1) for the chosen HTTP status ($9)
    read -ep "Filter which status code ? i.e. 404 : " var ; awk -v errno="${var}" '$9 == errno { print $1 }' "$accesslog" | sort | uniq -c | sort -n

    Then you can filter log based on http status code i.e. 502
    i.e.
    Code (Text):
    Filter which status code ? i.e. 404 : 405
          2 190.129.35.245
          2 85.230.197.63
          3 158.69.244.240
          4 149.56.102.92
          4 192.99.144.140
          4 198.27.89.245
          9 164.132.201.51
     
  12. Sunka

    Code:
    # read -ep "Filter which status code ? i.e. 404 : " var ; awk -v errno=${var} '$9 == 'errno' { print $1 }' $accesslog | sort | uniq -c | sort -n
    Filter which status code ? i.e. 404 : 502
          1 109.228.89.178
          1 109.245.156.121
          1 109.245.39.40
          ...
         10 134.90.132.13
         10 31.147.65.248
         10 93.143.31.169
         12 37.187.141.25
         13 79.101.136.129
         16 207.46.13.186
         17 180.191.111.244
         18 136.243.152.18
         18 207.46.13.193
         19 68.180.229.238
         21 207.46.13.172
       3579 45.32.69.51
     112100 158.69.116.62
    last two blocked
     
  13. eva2000

    FYI, a 502 status doesn't mean the IP is bad, as it could be a legit visitor hitting the server while php-fpm is down. Though I doubt any legit user would have that many instances logged for their IP, so you'd want to check the IP's user agent in your access logs.
     
  14. Sunka

    Yep, these last two are blocked, the others not.
    I will block only with "extra numbers > 200"

    Any shortcut command for that?
     
  15. eva2000

  16. Sunka

    I can list all rows containing one IP
    Code:
    grep -iw "31.223.139.91" /home/nginx/domains/pijanitvor.com/log/access.log
    but how to show and print only useragent of that IP?
     
  17. eva2000

    probably need to learn how to use awk i.e. if you're using 123.09beta01 default nginx log format which is customised for nginx amplify compatibility, then fields/columns minus date would look like
    Code (Text):
    awk '/IP.ADDR/{print $1,$12,$13,$14,$15,$16,$17,$18,$19,$20,$21,$22}' access.log | sort | uniq -c | sort -n
    

    where IP.ADDR is the ip address you want to search for

    i.e. partial ip match on 180.76.15 gives me
    Code (Text):
    awk '/180.76.15/{print $1,$12,$13,$14,$15,$16,$17,$18,$19,$20,$21,$22}' access.log | sort | uniq -c | sort -n           
          1 180.76.15.138 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
          1 180.76.15.140 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
          1 180.76.15.143 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
          1 180.76.15.14 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
          1 180.76.15.154 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
          1 180.76.15.159 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
          1 180.76.15.160 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
          1 180.76.15.161 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
          1 180.76.15.19 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
          1 180.76.15.22 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
          1 180.76.15.23 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
          1 180.76.15.26 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
          1 180.76.15.29 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
          1 180.76.15.32 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
          1 180.76.15.7 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
          2 180.76.15.136 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
          2 180.76.15.13 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
          2 180.76.15.16 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
          2 180.76.15.18 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
          2 180.76.15.20 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
          3 180.76.15.155 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
          3 180.76.15.163 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
          4 180.76.15.156 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
    

    awk and grep are important commands to master as is sort and uniq commands ;)
     
  18. Sunka

    Tried, but still get 1000 rows for same IP
     
  19. eva2000

    What command did you use?

    try using tail command to list last 10 entries
    Code (Text):
    awk '/IP.ADDR/{print $1,$12,$13,$14,$15,$16,$17,$18,$19,$20,$21,$22}' access.log | sort | uniq -c | sort -n|tail -10
    

    Changing access.log to the full path to yours i.e.
    /home/nginx/domains/domain.com/log/access.log
     
  20. Sunka

    That is better now.
    Code:
    # awk '/45.32.69.51/{print $1,$12,$13,$14,$15,$16,$17,$18,$19,0,$21,$22}' /home/nginx/domains/pijanitvor.com/log/access.log | sort | uniq -c | sort -n|tail -10
         26 45.32.69.51 "Mozilla/5.0 (compatible; MSIE 8.0; Linux x86_64; .NET CLR 0 X11)"
         26 45.32.69.51 "Mozilla/5.0 (Linux x86_64; X11) Gecko/20080210 Firefox/21.0"   0 
         29 45.32.69.51 "Mozilla/5.0 (compatible; MSIE 6.1; Linux x86_64; .NET CLR 0 X11)"
         33 45.32.69.51 "Mozilla/5.0 (Windows; U; MSIE 10.0; Macintosh; .NET CLR 0 Intel Mac
         44 45.32.69.51 "Mozilla/5.0 (Windows; U; MSIE 6.0; Macintosh; .NET CLR 0 Intel Mac
         46 45.32.69.51 "Mozilla/5.0 (Windows; U; MSIE 9.0; Macintosh; .NET CLR 0 Intel Mac
         51 45.32.69.51 "Mozilla/5.0 (Windows; U; MSIE 6.1; Macintosh; .NET CLR 0 Intel Mac
         54 45.32.69.51 "Mozilla/5.0 (Windows; U; MSIE 7.0b; Macintosh; .NET CLR 0 Intel Mac
         62 45.32.69.51 "Mozilla/5.0 (Windows; U; MSIE 8.0; Macintosh; .NET CLR 0 Intel Mac
         69 45.32.69.51 "Mozilla/5.0 (Windows; U; MSIE 7.0; Macintosh; .NET CLR 0 Intel Mac
    ip's user agent - Mozilla?

    Same IP has many other user agents, but in last 10 is Mozilla
    What could be suspicious ip's user agent
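
Added example (not code from the thread or from Centmin Mod): one way to combine the per-IP 502 count, the "> 200" cut-off and the user-agent check discussed above, so that a single-agent crawler caught by the outage is told apart from one IP rotating many agents. It assumes the standard nginx combined log format; the function names and the sample log lines are constructed for illustration.

```bash
# Added example: per-IP triage of an nginx access log (combined log format).
# Splitting on double quotes keeps the whole user agent in field $6 however
# many spaces it contains; nginx logs a literal quote as \x22, so it is safe.

# suspect_ips LOGFILE STATUS MIN_HITS
# Prints "status_hits total_hits distinct_uas ip" for each IP with more than
# MIN_HITS responses of STATUS, busiest first.
suspect_ips() {
    awk -F'"' -v want="$2" -v min="$3" '
        {
            split($1, head, " ")        # head[1] = client IP
            split($3, mid, " ")         # mid[1]  = HTTP status
            ip = head[1]
            total[ip]++
            if (mid[1] == want) hits[ip]++
            if (!((ip, $6) in seen)) { seen[ip, $6] = 1; uas[ip]++ }
        }
        END {
            for (ip in hits)
                if (hits[ip] > min)
                    printf "%d %d %d %s\n", hits[ip], total[ip], uas[ip], ip
        }' "$1" | sort -rn
}

# deny_candidates LOGFILE STATUS MIN_HITS MIN_UAS
# Prints (does not run) one "csf -d" line per IP that is over the hit
# threshold and also used at least MIN_UAS user agents, for manual review.
deny_candidates() {
    suspect_ips "$1" "$2" "$3" |
        awk -v min_uas="$4" '$3 >= min_uas { print "csf -d " $4 }'
}

# Constructed sample log: documentation-range IPs, not data from the thread.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.10 - - [15/Nov/2016:15:33:29 +0100] "GET /?a=1 HTTP/1.1" 502 166 "-" "Mozilla/5.0 (Linux i386; X11) Gecko/20052602 Firefox/20.0"
203.0.113.10 - - [15/Nov/2016:15:33:29 +0100] "GET /?b=2 HTTP/1.1" 200 257212 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_4_1) Gecko/20061111 Firefox/13.0"
203.0.113.10 - - [15/Nov/2016:15:33:30 +0100] "GET /?c=3 HTTP/1.1" 502 568 "-" "Mozilla/5.0 (compatible; MSIE 8.0; Linux x86_64; X11)"
203.0.113.10 - - [15/Nov/2016:15:33:30 +0100] "GET /?d=4 HTTP/1.1" 502 166 "-" "Mozilla/5.0 (Windows; U; MSIE 9.0; Macintosh)"
203.0.113.10 - - [15/Nov/2016:15:33:31 +0100] "GET /?e=5 HTTP/1.1" 502 568 "-" "Mozilla/5.0 (compatible; MSIE 6.1; Linux i386; X11)"
192.0.2.44 - - [15/Nov/2016:15:33:29 +0100] "GET /forum/ HTTP/1.1" 502 166 "-" "ExampleCrawler/1.0"
192.0.2.44 - - [15/Nov/2016:15:33:40 +0100] "GET /forum/a HTTP/1.1" 502 166 "-" "ExampleCrawler/1.0"
192.0.2.44 - - [15/Nov/2016:15:33:51 +0100] "GET /forum/b HTTP/1.1" 502 166 "-" "ExampleCrawler/1.0"
198.51.100.7 - - [15/Nov/2016:15:33:30 +0100] "GET / HTTP/1.1" 502 166 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/50.0"
EOF
}

log=$(mktemp)
write_sample_log "$log"
suspect_ips "$log" 502 2        # the thread used a cut-off of 200
deny_candidates "$log" 502 2 3
rm -f "$log"
```

On a real log, pass the path used in the thread's commands and a cut-off such as 200; the `csf -d` lines are only printed, so the list can be checked before anything is blocked.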