This command will show all connections (including IP address) to port 80. You are able to change this port if your web server does not run on this by changing the |grep :80| section in the command below
Show static view of connections to port 80:
netstat -punt | grep ':80.*ESTAB' | awk '{ print $5}' | cut -d':' -f4 | sort | uniq -c | sort -rn | while read i; do echo -n "$i "; curl -s http://ip-api.com/csv/$(echo "$i" | awk '{ print $2 }') | cut -d',' -f2; sleep 1; done
Example output:
6 x.x.x.x "United States" 5 x.x.x.x Ireland 2 x.x.x.x "United Kingdom" 2 x.x.x.x "South Africa" 2 x.x.x.x China 1 x.x.x.x "United Kingdom" 1 x.x.x.x "Czech Republic"
netstat -nap | awk '$4~/:80$/{print$5}' | awk -F: '{print$(NF-1)}' | sort | uniq -c | sort -nr | head -20
netstat -plan|grep :80|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -nk 1
netstat -ant | egrep ":80|:443" | egrep "ESTABLISHED|SYN_RECV" | awk '{ print $5 }' | sed -e 's/\:\:ffff\://g' | awk -F: '{print $1}' | sort | uniq -c | sort -nr |awk '{print $1 " "$2}'
while x=0; do clear;date;echo "";echo " [Count] | [IP ADDR]";echo "-------------------";netstat -np|grep :80|grep -v LISTEN|awk '{print $5}'|cut -d: -f1|uniq -c; sleep 5;done
Once you have this output you may want to toubleshoot the location. Is this a ddos? an dos?
whois x.x.x.x | grep 'country\|address'
whois x.x.x.x | egrep 'role:|address:|abuse-mailbox:'