My goal is to get an accurate list of IP addresses attacking the server, not innocent IP addresses. I tried to use
netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}'
but I'm not sure whether it displays a list of intruders, and not innocent ones in the same list. Most of the attack is at layer 7, so HTTP is on port 80. The goal is to grab the list, copy and paste it into a text file, run a batch script and add ipset add blacklist on each line. Then I can block all attacking IP addresses in a very short time using ipset and iptables.
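An added example, not part of the original question: a shell function that counts SYN_RECV entries per source IPv4 address in `netstat -n` output and prints an `ipset add` line only for sources at or above a threshold, so a client with a single half-open connection is not listed. The function names, the threshold values, and the sample lines are constructed for illustration; the per-source threshold is an assumed heuristic, not a way to prove intent.

```shell
#!/bin/sh
# Added example (not from the original post).
# Usage on a live host (assumed): netstat -n -p | syn_recv_offenders 20 80 blacklist

# syn_recv_offenders THRESHOLD PORT SETNAME
# Reads netstat-style lines on stdin and prints "ipset add SETNAME IP" for
# every IPv4 source with at least THRESHOLD SYN_RECV entries to local PORT.
syn_recv_offenders() {
    threshold=${1:-20}
    port=${2:-80}
    setname=${3:-blacklist}
    awk -v min="$threshold" -v port="$port" -v setname="$setname" '
        # netstat columns: Proto Recv-Q Send-Q Local Foreign State [PID/Program]
        $1 ~ /^tcp/ && $6 == "SYN_RECV" {
            n = split($4, l, ":")
            if (l[n] != port) next            # only the service under attack
            m = split($5, r, ":")
            if (m != 2) next                  # IPv4 "addr:port" only
            if (r[1] !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
            count[r[1]]++
        }
        END {
            for (ip in count)
                if (count[ip] >= min)
                    print "ipset add " setname " " ip
        }
    ' | sort
}

# Constructed sample input (documentation address ranges, not real traffic).
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.0.2.10:80           203.0.113.7:40001       SYN_RECV    -
tcp        0      0 192.0.2.10:80           203.0.113.7:40002       SYN_RECV    -
tcp        0      0 192.0.2.10:80           203.0.113.7:40003       SYN_RECV    -
tcp        0      0 192.0.2.10:80           198.51.100.23:51514     SYN_RECV    -
tcp        0      0 192.0.2.10:80           198.51.100.23:51515     ESTABLISHED 812/nginx
tcp        0      0 192.0.2.10:22           203.0.113.99:50000      SYN_RECV    -
EOF
}

# With a threshold of 3 only 203.0.113.7 is listed; 198.51.100.23 has one
# half-open connection and 203.0.113.99 is on a different port.
sample_netstat | syn_recv_offenders 3 80 blacklist
```

The printed lines can be reviewed and then run as a script once the set exists and an iptables rule references it.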