Get client IP without checking cPanel log one by one

wpf

Hi,

My main goal is to enter the attacker's IP address into the CSF firewall in real time to block them. This is because there's a current trend in Asia where attackers inject gambling sites into various websites. They then generate traffic to these injected pages, which contain gambling promotions, by sending millions of software-driven bots.

Each bot uses a different IP address, making it difficult for standard DDoS protection to detect them. These attacks involve millions of IP addresses, and even Cloudflare IPs are being used.

The web server is overwhelmed by the millions of access requests it receives. I have included an example of this attack in the uploaded image.
Screenshot (333).png

I would like to ask about the most effective way to obtain client IP addresses, rather than manually checking the logs in cPanel's domlog. I am currently using a script to extract IPs. However, this is inefficient because if the attacker frequently changes the target domain, I have to manually update the log file path.

Example of my script:
Code:
#!/bin/bash

# Configuration
LOG_FILE="/var/log/apache2/domlogs/smknngaw/smkn1ngid-ssl_log"
SCRIPT_LOG="/var/log/malicious_ip_blocker.log"
URL_PATTERN="acgwin"
BAN_DURATION=86400  # Ban duration in seconds (1 day)
MAX_BATCH_SIZE=100  # Maximum number of IPs to process in one batch
TEMP_IP_LIST=$(mktemp)  # Temporary file to store the IP list

# Initialize script log
echo "$(date) - Script malicious IP blocker started in real-time mode" >> "$SCRIPT_LOG"

# Function to add IP to CSF temporary ban
add_to_csf_temp_ban() {
    local ip="$1"
    local output

    # Directly add the IP to CSF without prior checking
    # CSF will handle if the IP is already blocked
    # The IP and duration are quoted so a malformed log field cannot split into extra csf arguments
    output=$(csf -td "$ip" "$BAN_DURATION" "Access to malicious URL - moodlee injection" 2>&1)

    # Check if the IP was already blocked
    if [[ $output == *"already temporarily blocked"* ]]; then
        # Already in the ban list, no need for duplicate logging
        return 1
    else
        echo "$(date) - Real-time blocking: IP $ip via CSF for $BAN_DURATION seconds" >> "$SCRIPT_LOG"
        return 0  # Successfully added
    fi
}
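One way to avoid hard-coding a single log path, as an added example that is not part of the original post: scan every file under the domlogs root in one pass, count hits per client on the injected URL, and pass only well-formed addresses to `csf -td`. The function names, `MIN_HITS`, `CSF_CMD` and the `--run` switch are hypothetical; the domlogs root and URL pattern come from the post, and the logs are assumed to be in Apache combined format.

```bash
#!/bin/bash
# Added example (not the poster's script): one pass over every cPanel domlog.
DOMLOG_DIR="${DOMLOG_DIR:-/var/log/apache2/domlogs}"  # root of the path shown in the post
URL_PATTERN="${URL_PATTERN:-acgwin}"                  # pattern from the post
BAN_DURATION="${BAN_DURATION:-86400}"                 # seconds (1 day)
MIN_HITS="${MIN_HITS:-1}"                             # assumption: hits required before a ban
CSF_CMD="${CSF_CMD:-csf}"                             # set to "echo csf" for a dry run

# Print "hits ip" for each client whose request path contains the pattern,
# searching all log files below the directory, whatever the domain or user.
matching_ips() {
    local dir="$1" pattern="$2"
    # -r all subdirectories, -h no filename prefix, -s skip unreadable files, -F literal pattern
    grep -rhsF -- "$pattern" "$dir" |
        awk -v p="$pattern" '
            # Combined log format: $1 = client address, $7 = request path.
            # Matching on $7 ignores hits that only appear in the referer or user agent.
            # The character allowlist keeps anything but address characters off the csf command line.
            index($7, p) && $1 ~ /^[0-9A-Fa-f.:]+$/ { hits[$1]++ }
            END { for (ip in hits) print hits[ip], ip }' |
        sort -k1,1nr -k2,2
}

# Read "hits ip" lines on stdin, temp-ban every IP with at least MIN_HITS hits,
# and print how many csf calls returned success. csf output goes to stderr.
ban_ips() {
    local hits ip banned=0
    while read -r hits ip; do
        [ "$hits" -ge "$MIN_HITS" ] || continue
        $CSF_CMD -td "$ip" "$BAN_DURATION" "Access to malicious URL $URL_PATTERN" >&2 &&
            banned=$((banned + 1))
    done
    echo "$banned"
}

# Nothing is banned unless the script is called with --run (for example from cron).
if [ "${1:-}" = "--run" ]; then
    matching_ips "$DOMLOG_DIR" "$URL_PATTERN" | ban_ips
fi
```

If the site sits behind a proxy such as Cloudflare, field 1 is the real client only when the web server is configured to restore it; otherwise the ban lands on the proxy address.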