Automatic cron security ban

[theking81]

I have created a script that runs every 1 hour on my servers with a cronjob.
Basically it bans ips on a server using CSF any unusual hits over 500 or whatever you want on a server.

This helps me a lot as i have websites that get lot of bot hits (wordpress, prestashops etc).
With the script 3 years now... the server is fully healthy and rested.
The only config needed is the path of the websites to look for the ssls logs and the amount of hits each ip gives everyday.

I made a safe, production script that scans the SSL logs of accounts on server , finds IPs with > 500 hits today (or whatever you want to add for your needs), and automatically blocks them via CSF in one go.

It also:

• skips private/local IPs,

• avoids duplicate blocks (checks /etc/csf/csf.deny first),

• logs actions to /var/log/auto-blocker.log,

• only reloads CSF once if there were changes,

• supports --dry-run to test without blocking, and

• is cron-friendly.

Save it as /usr/local/sbin/protect.sh, chmod +x, and run with sudo (CSF requires root).

#!/usr/bin/env bash
#
# auto-blocker.sh
#
# Scan today's SSL access logs for abusive IPs and block them in CSF if they
# exceed a defined request threshold. Intended for cPanel/CSF environments.
#
# Usage:
#   sudo /usr/local/sbin/protect.sh
#   sudo /usr/local/sbin/protect.sh --dry-run
#   sudo /usr/local/sbin/protect.sh --threshold 300
#


# Notes:
#   - Logs actions to /var/log/auto-blocker.log
#   - Threshold defaults to 500 hits per IP (per day, per vhost log)
#   - Skips private/reserved IPs
#   - Checks csf.deny before adding duplicates
#
# Dependencies:
#   - bash 4+ (for associative arrays)
#   - csf (ConfigServer Firewall)
#
# Exit codes:
#   0  success
#   1  bad usage / missing requirement
#

set -uuo pipefail

# -----------------------------------------------------------------------------
# Configuration
# -----------------------------------------------------------------------------

THRESHOLD_DEFAULT=500
LOG_DATE="$(date +%d/%b/%Y)"
CSF_DENY_FILE="/etc/csf/csf.deny"
ACTION_LOG="/var/log/auto-blocker.log"

# siteLabel|/path/to/logfile|reason
SITES=(
  "site1|/home/site1/access-logs/site1.com-ssl_log|site1 abuse"
  "site2|/home/site2/access-logs/site2.com-ssl_log|site2 abuse"
  "site3|/home/site3/access-logs/site3.com-ssl_log|site3 abuse"
  "site4|/home/site4/access-logs/site4.com-ssl_log|site4 abuse"
)

# quick private/reserved prefixes for IPv4 / IPv6
PRIVATE_PREFIXES_IPV4=(
  "10."
  "192.168."
  "127."
  "169.254."
  "172.16." "172.17." "172.18." "172.19." "172.20." "172.21." "172.22." "172.23."
  "172.24." "172.25." "172.26." "172.27." "172.28." "172.29." "172.30." "172.31."
)

PRIVATE_PREFIXES_IPV6=(
  "::1"
  "fe80:"
  "fc00:"
  "fd"
)

# -----------------------------------------------------------------------------
# Helper functions
# -----------------------------------------------------------------------------

# log: write timestamped message to stdout and ACTION_LOG
log() {
  local msg="$1"
  printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$msg" | tee -a "$ACTION_LOG"
}

# is_private_ip <ip>
# returns 0 if IP looks private/reserved, 1 otherwise
is_private_ip() {
  local ip="$1"

  # crude prefix match is enough for our use-case
  if [[ "$ip" == *:* ]]; then
    # IPv6
    for p in "${PRIVATE_PREFIXES_IPV6[@]}"; do
      [[ "$ip" == "$p"* ]] && return 0
    done
  else
    # IPv4
    for p in "${PRIVATE_PREFIXES_IPV4[@]}"; do
      [[ "$ip" == "$p"* ]] && return 0
    done
  fi

  return 1
}

# in_csf_deny <ip>
# returns 0 if IP already exists in csf.deny, 1 otherwise
in_csf_deny() {
  local ip="$1"

  [[ -f "$CSF_DENY_FILE" ]] || return 1
  if grep -Fq -- "$ip" "$CSF_DENY_FILE"; then
    return 0
  fi

  return 1
}

# usage: print CLI help
usage() {
  cat <<EOF
auto-blocker.sh — scan logs and auto-block heavy IPs via CSF

Options:
  --threshold N    Hits threshold to block (default ${THRESHOLD_DEFAULT})
  --dry-run        Do not run csf -d / csf -r. Just report actions.
  --help, -h       Show this help and exit.

Examples:
  sudo ./auto-blocker.sh
  sudo ./auto-blocker.sh --dry-run
  sudo ./auto-blocker.sh --threshold 300
EOF
}

# -----------------------------------------------------------------------------
# Argument parsing
# -----------------------------------------------------------------------------

THRESHOLD="$THRESHOLD_DEFAULT"
DRY_RUN=0

while [[ $# -gt 0 ]]; do
  case "$1" in
    --threshold)
      THRESHOLD="$2"
      shift 2
      ;;
    --dry-run)
      DRY_RUN=1
      shift
      ;;
    --help|-h)
      usage
      exit 0
      ;;
    *)
      echo "Unknown option: $1" >&2
      usage
      exit 1
      ;;
  esac
done

if (( DRY_RUN == 1 )); then
  log "Starting auto-blocker (DRY RUN) — threshold ${THRESHOLD} for date ${LOG_DATE}"
else
  log "Starting auto-blocker — threshold ${THRESHOLD} for date ${LOG_DATE}"
fi

# -----------------------------------------------------------------------------
# Preconditions
# -----------------------------------------------------------------------------

# We only enforce csf calls when not in dry-run mode.
if (( DRY_RUN == 0 )); then
  if [[ $EUID -ne 0 ]]; then
    log "ERROR: script must be run as root to block. Exiting."
    exit 1
  fi

  if ! command -v csf >/dev/null 2>&1; then
    log "ERROR: csf binary not found. Install CSF and try again."
    exit 1
  fi
fi

# -----------------------------------------------------------------------------
# Collect offenders
# -----------------------------------------------------------------------------

# Use associative arrays to:
# - store max hit count per IP
# - store which sites that IP abused
declare -A OFFENDERS_COUNT
declare -A OFFENDERS_REASON

for def in "${SITES[@]}"; do
  IFS='|' read -r label log_path reason <<<"$def"

  if [[ ! -f "$log_path" ]]; then
    log "[$label] log not found: ${log_path} — skipping"
    continue
  fi

  # Extract today's requests, count per IP.
  # Output format per line: "<count> <ip>"
  mapfile -t lines < <(
    awk -v d="$LOG_DATE" '$0 ~ d {print $1}' "$log_path" \
      | sort \
      | uniq -c \
      | awk '{print $1 " " $2}'
  )

  if [[ ${#lines[@]} -eq 0 ]]; then
    log "[$label] no hits today."
    continue
  fi

  for ln in "${lines[@]}"; do
    # ln looks like "1234 1.2.3.4"
    cnt="${ln%% *}"
    ip="${ln##* }"

    # skip anything weird
    if ! [[ "$cnt" =~ ^[0-9]+$ ]]; then
      continue
    fi

    # Only track if over threshold
    if (( cnt > THRESHOLD )); then
      prev="${OFFENDERS_COUNT[$ip]:-0}"

      # keep highest count
      if (( cnt > prev )); then
        OFFENDERS_COUNT["$ip"]="$cnt"
      fi

      # append site label/reason
      OFFENDERS_REASON["$ip"]="${OFFENDERS_REASON[$ip]:-}${label}:${reason};"
    fi
  done
done

# -----------------------------------------------------------------------------
# No offenders case
# -----------------------------------------------------------------------------

if ((${#OFFENDERS_COUNT[@]} == 0)); then
  log "No offenders above threshold (${THRESHOLD}). Exiting."
  exit 0
fi

# -----------------------------------------------------------------------------
# Summary report
# -----------------------------------------------------------------------------

log "Found ${#OFFENDERS_COUNT[@]} offender(s) above threshold:"
printf "%-39s  %8s  %s\n" "IP" "HITS" "SITES/REASONS" | tee -a "$ACTION_LOG"

for ip in "${!OFFENDERS_COUNT[@]}"; do
  printf "%-39s  %8s  %s\n" \
    "$ip" \
    "${OFFENDERS_COUNT[$ip]}" \
    "${OFFENDERS_REASON[$ip]}" \
    | tee -a "$ACTION_LOG"
done

# -----------------------------------------------------------------------------
# Enforce blocks
# -----------------------------------------------------------------------------

CHANGES=0

for ip in "${!OFFENDERS_COUNT[@]}"; do
  # Do not touch private / reserved IPs
  if is_private_ip "$ip"; then
    log "SKIP ${ip} — private/reserved"
    continue
  fi

  # Skip if already denied
  if in_csf_deny "$ip"; then
    log "ALREADY DENIED ${ip} — skipping"
    continue
  fi

  block_reason="auto-block hits>${THRESHOLD} ${OFFENDERS_REASON[$ip]}"

  if (( DRY_RUN == 1 )); then
    log "DRY: would run: csf -d ${ip} \"${block_reason}\""
    CHANGES=$((CHANGES + 1))
  else
    log "Blocking ${ip} — reason: ${block_reason}"

    if csf -d "$ip" "$block_reason"; then
      CHANGES=$((CHANGES + 1))
      log "Blocked ${ip} successfully."
    else
      log "ERROR: failed to block ${ip} with csf -d"
    fi
  fi
done

# Reload firewall rules if we actually made changes
if (( CHANGES > 0 )); then
  if (( DRY_RUN == 1 )); then
    log "DRY-RUN: ${CHANGES} would be changed. No csf -r executed."
  else
    log "Reloading CSF to apply ${CHANGES} new deny(s) (csf -r)..."
    csf -r && log "csf -r completed"
  fi
else
  log "No new denies were required."
fi

log "auto-blocker finished."
exit 0

To use it

sudo chmod +x /usr/local/sbin/protect.sh
# Make run every 5 minutes (or more if you want - depended on your site traffic)
sudo crontab -e
*/5 * * * * /usr/local/sbin/protect.sh >> /var/log/auto-blocker-run.log 2>&1

And you can run it anytime you need with
sudo ./protect.sh

Let me know if this helps you out.

[Aetherinox]

If you want to submit it as a helper script, clean it up, add a header, with instructions on how to use it and what it does.

Then submit a PR with it placed in the extras/scripts.

That's if you want to of course.

[theking81]

Clean it up?
What to clean?
Sure i want to post it there also. It will save a lot of time of devs from attacks etc.

[Aetherinox]

I meant conformity

Add a header with your name

# #
#   
#   ConfigServer Firewall - NAME OF SCRIPT
#   
#   @author         theking81
#   @package        ConfigServer Firewall
#   @file           protect.sh
#   @type           extras/helper
#   @license        MIT (or whatever license you pick)
#   @desc           What this script does
#                   If you need another line, continue indent
# #

# #
#   @usage          sudo /usr/local/sbin/protect.sh
#                   sudo /usr/local/sbin/protect.sh --dry-run
#                   sudo /usr/local/sbin/protect.sh --threshold 300
#   
#   @notes          - Logs actions to /var/log/auto-blocker.log
#                   - Threshold defaults to 500 hits per IP (per day, per vhost log)
#                   - Skips private/reserved IPs
#                   - Checks csf.deny before adding duplicates
# #

This is the format all scripts are going to use once I finish re-writing them.

I am currently re-writing all of mine to be POSIX compliant so that even older systems can use them.

#!/bin/sh

[theking81]

Yes, done this its up and ready to roll.

This will help out a lot of people against bots etc.

[theking81]

Actually i redo it in POSIX also to work in any system, so no Bash is required.

So that will help more people also.

[Aetherinox]

Nice. Submit a PR with the added script and I'll approve it.