Overview

You may see abuse from specific IP addresses, which is generally the result of bots visiting your site. However, you may notice IP addresses that aren’t linked with bots viewing your site.

This section contains a collection of SSH commands that can be used to detect which IPs are accessing your site.

Because the logs are rotated daily, there are only a few days worth of logs available at any given moment. If you need long-term logs, you must back them up on a regular basis. GreggHost keeps HTTP logs for three days by default, as required by GDPR.

Logging into your server

You must first log onto your server through SSH to run the scripts below:

Overview of SSH
Navigate to the relevant logs directory after you’ve logged in.

What logs directory do I need to look at?
There will be two directories if you have applied an SSL certificate to your website. One is for /http, and the other is for /https. Consider the following scenario:

/logs/example.com/http \s/logs/example.com/https
If you visit your site and see that the URL is HTTPS (https://example.com), you should look at the /https directory. Instead of looking at the /http directory, you’d look at the /http directory if your site displays HTTP when you visit it. The examples that follow presume that your site is secured with HTTPS.

cd /logs/example.com/https [server]$
The following commands will be run from here.

Listing IP hits

Command Description
[server]$ awk ‘print $1’ | sort | uniq -c |sort -n |cat access.log via SSH
Creates a list of IP addresses that are preceded by the number of times they have visited a website.
[server]$ tail -10000 access.log| awk ‘print $1’ | sort | uniq -c |sort -n | sort | uniq -c |sort -n
Creates a list of the site’s most recent 10,000 hits.
[server]$ crawl-66-249-66-167.googlebot.com host 66.249.66.167 167.66.249.66.in-addr.arpa domain name pointer
The ‘host’ command determines which hosting provider a given IP is accessing a website from. The IP address in this case belongs to Google.
tail -f -q access.log via SSH[server]$
Watches your server logs in real time to see if the problem is caused by a certain IP address (for intermittent issues).
allow,deny,deny,deny,deny,deny,deny,deny, 66.249.66.167 is open to all.
In an.htaccess file, the IP is blocked. In this case, the.htaccess file prevents the above-mentioned Google IP from being used.
a list of the most important files, folders, and domains
[server]$ awk ‘print $7’ access.log|cut -d? -f1|sort|uniq -c|sort -nk1|tail -n10|sort|uniq -c|sort -nk1|tail -n10
Creates a list of the most frequently visited files or directories on your site.
[server]$ do wc -l $k | sort -r -n; done for k in ‘ls -S */https/access.log’ via SSH
Produces a traffic report for all domains listed under a specific user (on a shared server).
This command must be executed in the /logs/ directory of your computer.
SHELL users on a Virtual Private Server (VPS) or Dedicated Server
The commands below only display sites for a single Shell user. View the section below titled Admin users on a Dedicated Server if you need to see all site logs on your server.

Command Description
[server]

wc -l $k | sort -r -n; done $ for k in ‘ls -S /home/*/logs/*/https/access.log’

A list of all traffic for all domains under a single SHELL user is generated.

This command can be executed from any directory.
[server]
/home/*/logs/*/https/access.log $ tail -f -q
Watches your server logs in real time (as a single Shell user) to see if the problem occurs with a certain IP address (for intermittent issues).
This command can be executed from any directory.
Admin users on a Dedicated Server
The commands below will only function if your Dedicated Server has a ‘Admin’ account. After that, you must log in as your ‘root’ user. Only then will you be able to examine all logs for all of your server’s sites.

After coming in as a ‘admin’ user, how can I switch to the ‘root’ user?
After logging in as your ‘admin’ account, follow the steps below to log in as a ‘root’ user on your server.

Log in as the ‘admin’ user on your server.
su: [server] sudo su: [server] sudo su: [server] sudo su:
For instance, $ sudo su [sudo] password
user:
Enter your ‘admin’ user’s password here.
You are now logged in as the user ‘root.’ This is shown in the command prompt:
root@ds123456#
To view logs for all sites on your server, log in as the ‘root’ account and run the following instructions.

Command Description
[server]
wc -l $k | sort -r -n; done $ for k in ‘ls -S /home/*/logs/*/https/access.log’ via SSH.
On a Dedicated Server, this function generates a list of all traffic for all domains.
This command can be executed from any directory.
[server]
/home/*/logs/*/https/access.log via SSH $ tail -f -q
Watches your server logs in real time to see if the problem is caused by a certain IP address (for intermittent issues).
This command can be executed from any directory.
My Unique IP is making a lot of connections
Your site’s Unique IP may be making a lot of connections, according to your access.log via SSH. This isn’t a problem and may be safely overlooked.

This happens because Apache generates these connections internally in order to shut down superfluous processes.

You can learn more about it by clicking here.

Troubleshooting

After performing the command to view all traffic for all domains on a server, you may receive the following error message.

[server]

ls: cannot access /home/*/logs/*/https/access.log: No such file or directory $ for k in ‘ls -S /home/*/logs/*/https/access.log’; do wc -l $k | sort -r -n; done
When you perform the command as an SFTP user, you’ll get this error. On a VPS, you must run it as a ‘Shell’ user, and on a Dedicated Server, you must run it as a ‘Shell’ or ‘Admin’ user.