Step 1 : Detect attakers ip

First run this code in ssh to get the visitors ip addresses and number of connection of each visitor

netstat -plan|grep :80|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -nk 1

Output :
Number of connections       IP Address
For example, this is a sample output :
sample dos acctack detection
In the above example, This IP : 41.176.11.15 has 144 connection to server. This is unusual and seems to be an attacker.
Note : Never block 127.0.0.1, this is a local ip.

 

Step 2 : Block IP with firewall

Block IP with firewall using webmin : Video tutorial