When a server is under attack, you will need to identify the attacking IPs and block them using your firewall and other tools such as mod_security.
(Note: for Linux)
Netstat is your best friend:
Show IP connections to port 80 (Apache):
netstat -n|grep :80|cut -c 45-|cut -f 1 -d ':'|sort|uniq -c|sort -nr|more
Change :80 to whatever port you need, e.g. 443 for SSH, 25 for SMTP, etc.
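The same per-IP count as a field-based filter, as an added example that is not from the original page: it matches the local port exactly (so :8080 and outbound connections to a remote port 80 are not counted) and folds IPv4-mapped IPv6 peers onto their IPv4 address, which the fixed-column cut does not handle. The function names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.

# Print "count ip" for remote peers connected to local port $1, busiest first.
# Reads `netstat -n` output on stdin.
count_remote_ips() {
    awk -v port="$1" '
        $1 ~ /^tcp/ {                      # skip header and non-TCP rows
            if ($5 ~ /:\*$/) next          # listening sockets have no peer
            n = split($4, l, ":")          # $4 = local address:port
            if (l[n] != port) next         # exact match: 80 is not 8080
            ip = $5                        # $5 = foreign address:port
            sub(/:[0-9]+$/, "", ip)        # drop the remote port
            sub(/^::ffff:/, "", ip)        # fold IPv4-mapped IPv6 onto IPv4
            count[ip]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample input (documentation address ranges), not a real capture.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           203.0.113.5:51000       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:51001       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51002       SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40000      ESTABLISHED
tcp        0      0 192.0.2.10:8080         198.51.100.9:40001      ESTABLISHED
tcp        0      0 192.0.2.10:44321        198.51.100.20:80        ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:198.51.100.7:40002 ESTABLISHED
EOF
}

# Live use: netstat -n | count_remote_ips 80 | head
sample_netstat | count_remote_ips 80
```

The top entries are the candidates to check against your logs before adding them to the firewall.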
Bulk IP Address Geo Location Lookup:
https://ipligence.com/iplocation
List all processes:
ps auxwwwf
Pipe to grep for specific details:
ps auxwwwf | grep public_html
ps auxwwwf | grep ssh
ps auxwwwf | grep ftp
etc…
View all TCP traffic:
tcpdump
tcpdump | grep http
tcpdump | grep smtp
tcpdump | grep imap
etc…
Watch the output of a command in real time:
watch -n 1 'netstat -ano | grep SYN_RECV'
Creating Quick Country CIDR Blocklists:
https://www.countryipblocks.net/country_selection.php
NOTE: having a large range in your firewall will slow all connections down – but better slow than locked up…