This guide helps identify which website(s) or service(s) a banned IP was accessing before being blocked.
🖥️ Step 1: Identify Access to Individual Websites
Use the following command to search through Apache domain logs (virtual host access logs):
grep -rlF "194.116.167.63" /usr/local/apache/domlogs/*
- This tells you which domains/sites the IP accessed.
- Useful to detect which hosted account was targeted.
📄 Step 2: Search Global Apache Access Log
Check the main Apache access log to see general HTTP/HTTPS requests:
grep -F "194.116.167.63" /usr/local/apache/logs/access_log
- May show additional info not logged in individual domlogs.
📁 Step 3: Search Across All System Logs
To identify other services (e.g., Exim, Dovecot, cPHulk) the IP may have tried to connect to:
grep -rlF "194.116.167.63" /var/log/*
- This checks all log files under /var/log/ for activity from the IP.
📝 Notes:
- Replace 194.116.167.63 with the IP address you want to investigate.
- You can append | less or > ip_report.txt to any of the commands for easier viewing or saving output.
- If the IP tried to attack multiple services, you might see hits in:
  - /var/log/exim_mainlog (email spam attempts)
  - /var/log/secure (SSH login attempts)
  - /var/log/cphulkd.log (brute-force protection logs)
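The three searches above can be combined into one per-file hit count. This is an added example, not part of the original guide, and it goes a step further by anchoring the match so a shorter address cannot match inside a longer one. The function names ip_hits and make_sample_logs are hypothetical, the sample log lines are constructed, and only IPv4 is handled.

```shell
# ip_hits IP PATH...: print "<hits><TAB><file>" for every log under PATH...
# that mentions IP, busiest file first. IPv4 only (assumption of this example).
ip_hits() (
    ip=$1; shift
    # Accept only digits and dots so the value is safe to place in a regex.
    case $ip in
        ''|*[!0-9.]*) echo "ip_hits: not an IPv4 address: $ip" >&2; exit 2 ;;
    esac
    # Escape the dots (a bare "." matches any character) and require a
    # non-digit on each side, so 192.0.2.1 does not also match 192.0.2.10.
    esc=$(printf '%s' "$ip" | sed 's/\./\\./g')
    pat="(^|[^0-9])${esc}([^0-9]|\$)"
    grep -rcHE -- "$pat" "$@" 2>/dev/null |
        awk -F: '$NF > 0 { n = $NF; sub(/:[0-9]+$/, ""); print n "\t" $0 }' |
        sort -rn
)

# Constructed sample logs (not real traffic), named after the paths in the guide.
make_sample_logs() {
    d=$(mktemp -d)
    mkdir -p "$d/domlogs" "$d/log"
    printf '%s\n' \
        '194.116.167.63 - - [01/Jan/2025:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 512' \
        '194.116.167.63 - - [01/Jan/2025:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 512' \
        '194.116.167.6 - - [01/Jan/2025:10:00:02 +0000] "GET / HTTP/1.1" 200 1024' \
        > "$d/domlogs/example.com"
    printf '%s\n' \
        '192.0.2.10 - - [01/Jan/2025:10:00:03 +0000] "GET / HTTP/1.1" 200 1024' \
        > "$d/domlogs/example.net"
    printf '%s\n' \
        'Jan  1 10:00:04 host sshd[1234]: Failed password for root from 194.116.167.63 port 40022 ssh2' \
        > "$d/log/secure"
    printf '%s\n' "$d"
}

sample=$(make_sample_logs)
ip_hits 194.116.167.63 "$sample/domlogs" "$sample/log"
rm -rf "$sample"
```

On the server, pass the guide's own paths, for example ip_hits 194.116.167.63 /usr/local/apache/domlogs /var/log. Compressed rotated logs (.gz) are not searched by this function.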
