Find Top 10 IP Addresses Accessing Your Apache Web Server
If your site’s traffic has been spiking for no reason, you probably want to know which visitors are behind the curtain. This quick guide shows how to pull a list of the top ten IPs hitting your Apache logs in under five minutes.
Grab the access log
sudo tail -n 100000 /var/log/apache2/access.log > recent_access.log
Most servers keep only the last few hundred thousand lines by default. If you need a deeper dive, just bump that number; to watch requests arrive live instead, run tail with -f.
Strip out the IPs
cut -d' ' -f1 recent_access.log > ips.txt
Apache’s log format starts with the client address followed by a space. Cutting at that space isolates every IP for counting.
Count, sort, and grab the top ten
sort ips.txt | uniq -c | sort -nr | head -n 10 > top_ips.txt
uniq -c turns consecutive duplicates into a count, which is why the list is sorted first: sorting puts identical IPs next to each other. sort -nr then puts the counts in descending numeric order, so you see the heavy hitters first.
Read the results
cat top_ips.txt
You’ll get lines like:
1523 192.168.1.42
987 203.0.113.12
What to do next:
- Check if these IPs belong to known bots or your own internal services.
- If you see a single IP dominating, consider rate‑limiting it via mod_evasive or firewall rules.
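The steps above can be collapsed into a single pass that also shows each client's share of requests and tags private-range addresses, which speeds up the "is this one of ours?" check. This is an added example, not part of the original guide; the function names top_ips and sample_log and the log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: top_ips and sample_log are hypothetical names, not from the page.

# top_ips FILE [N]: print "hits share% ip scope" for the N busiest clients.
# FILE may be "-" to read standard input; N defaults to 10.
top_ips() {
    awk '
        # Field 1 of the common/combined log format is the client address.
        # Blank lines have an empty first field and are skipped.
        $1 != "" { hits[$1]++; total++ }
        END {
            for (ip in hits) {
                scope = "external"
                # Only IPv4 loopback and RFC 1918 ranges are tagged internal.
                if (ip ~ /^10\./ || ip ~ /^192\.168\./ || ip ~ /^127\./ ||
                    ip ~ /^172\.(1[6-9]|2[0-9]|3[01])\./) scope = "internal"
                printf "%d %.1f%% %s %s\n", hits[ip], 100 * hits[ip] / total, ip, scope
            }
        }' "${1:--}" | sort -k1,1nr -k3,3 | head -n "${2:-10}"
}

# Constructed sample lines in combined log format (not real traffic).
sample_log() {
    cat <<'EOF'
192.168.1.42 - - [10/Oct/2024:03:00:01 +0000] "POST /wp-cron.php HTTP/1.1" 200 0 "-" "WordPress"
203.0.113.12 - - [10/Oct/2024:03:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.0"
192.168.1.42 - - [10/Oct/2024:03:00:03 +0000] "POST /wp-cron.php HTTP/1.1" 200 0 "-" "WordPress"

198.51.100.7 - - [10/Oct/2024:03:00:04 +0000] "GET /shop HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.12 - - [10/Oct/2024:03:00:05 +0000] "GET /cart HTTP/1.1" 404 128 "-" "curl/8.0"
192.168.1.42 - - [10/Oct/2024:03:00:06 +0000] "POST /wp-cron.php HTTP/1.1" 200 0 "-" "WordPress"
EOF
}

# Demo run on the constructed sample; on a server, pass the log path instead.
sample_log | top_ips - 3
```

An address tagged internal that leads the list points at something on your own network, such as a cron job or health check, rather than an outside visitor.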
Quick sanity check with goaccess
If you’re tired of grepping and sorting by hand:
sudo apt install goaccess
sudo goaccess /var/log/apache2/access.log -o report.html --log-format=COMBINED
Open report.html; the dashboard will instantly show a “Top Clients” section.
But keep in mind: the full tool adds overhead and requires a web server just to view the stats, so for most folks, the one‑liner above is plenty.
Real‑world observation
I once had a small e‑commerce site where a rogue script from an old WordPress plugin kept hammering my server at 3 am every night. The top IP was a single internal machine that no one else used. Once I whitelisted it in the firewall and disabled the cron job, traffic dropped by 90 %, and the CPU usage finally stopped spiking.
Wrap‑up
Now you can spot the big players on your server without wading through terabytes of logs. If you run into a weird IP that keeps popping up, just ping it or use traceroute to see where it’s coming from – sometimes it's a VPN or proxy that belongs in your whitelist.