How do I view which I.P. addresses are viewing my website?

guygrahamp11 · November 14, 2018, 9:08am

How do I view which I.P. addresses are viewing my website? If there are problem I.P. addresses I need to know exactly what they are in order to block them.

sandro · November 14, 2018, 9:10am

Your server log files.

guygrahamp11 · November 14, 2018, 4:13pm

I don’t suppose you could recommend an east to use and free program to analyse my logs?

sandro · November 14, 2018, 4:17pm

There are too many out there. I’d search for something along the lines of “free apache log analyser”.

guygrahamp11 · November 14, 2018, 7:20pm

I think my site maybe under some kind of attack.

here’s an example of a log file entry

172.68.245.112 - - [14/Nov/2018:05:51:57 -0800] “GET /balfourgroup.com/wp-content/uploads/job-manager-uploads/file/2018/11/XAttacker.gif HTTP/1.1” 404 70976 “-” “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31”

sandro · November 14, 2018, 7:22pm

Probably just a random crawler.

guygrahamp11 · November 14, 2018, 7:24pm

“XAttacker” in the URL seems a bit shady

sandro · November 14, 2018, 7:25pm

They often are shady

How many of that entries do you have?

guygrahamp11 · November 14, 2018, 7:25pm

loads

sandro · November 14, 2018, 7:26pm

Could you post a couple of sample entries?

guygrahamp11 · November 14, 2018, 7:32pm

172.68.246.131 - - [14/Nov/2018:05:52:08 -0800] “GET /balfourgroup.com/wp-content/uploads/XAttacker.php?X=Attacker HTTP/1.1” 301 20 “-” “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31”

172.68.11.80 - - [14/Nov/2018:05:53:39 -0800] “GET /balfourgroup.com/wp-content/plugins/barclaycart/uploadify/XAttacker.php?X=Attacker HTTP/1.1” 301 20 “-” “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31”

sandro · November 14, 2018, 7:34pm

Alright, you are not rewritting IP addresses, so it is difficult to tell where these requests are from.

However you could either define a firewall rule and block requests containing XAttacker or a user agent rule blocking Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31

guygrahamp11 · November 14, 2018, 7:36pm

what do you mean by “you are not rewritting IP addresses”?

sandro · November 14, 2018, 7:39pm

The IP addresses showing up in your log file are Cloudflare’s (as you are proxying requests through their network). If you want to receive the actual client IP you’d need to rewrite that, for example with mod_remoteip on Apache.

guygrahamp11 · November 14, 2018, 7:45pm

is that a complicated thing to do?

sandro · November 14, 2018, 7:47pm

https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html

guygrahamp11 · November 14, 2018, 7:51pm

I’ve had a read. But sadly none of the information on that page makes any sense to me

sandro · November 14, 2018, 7:53pm

Who is maintaining your server?

guygrahamp11 · November 14, 2018, 8:00pm

a website hosting company

sandro · November 14, 2018, 8:03pm

Then you might want to contact them regarding that issue and whether they can configure that.