Bash script that blocks web server (apache/nginx/litespeed) scanners.

Bash script that blocks web server (apache/nginx/litespeed) scanners

Bash script that blocks web server (apache/nginx/litespeed) scanners. It checks the 400-408 errors or any other in the log you will choose to scan and extracts IP addresses of scanners which are trying to scan a web server and adds IP addresses to the ipset which drops the connection.

#!/bin/bash
#Look for the file and if does not exist create it.
for x in /opt/blacklist/ipaddresses.txt ; do
[ ! -f $x ] && touch $x;
done
################################################################################################################################################
# display the Apache log file and pass it to grep, grep all the lines not containing the word bot and pass it to grep, 
# grep all the lines not containing the word google and pass it to grep, 
# grep all the lines that do not contain the word " 404 " (spaces are specially inserted - see what the apache2 log looks like) and pass it to awk, 
# use awk to display the first column and pass it to awk, 
# use awk to display a regexp to extract IP addresses from the log file,
# use ip as the string that starts with the character listed above (something between 0 and 9) and display the string and pass it to sed, 
# use sed to remove any blank lines and pass it to uniq, 
# use uniq to show me how many times the IP address has been listed and pass it to awk, 
# use awk to select the first column and if it is 3 or more then display what is in column 2 and pass it to grep, 
# use grep to separate all this from /root/ipaddresses. txt and the rest that is left should be put into /tmp/webbanned.log
################################################################################################################################################
cat /var/log/httpd/access_log | grep -v bot | grep -v google | grep " 404 " | awk '{ print $1 }' | awk '{match($0,/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/); ip = substr($0,RSTART,RLENGTH); print ip}' | sed '/^$/d' | uniq -c | awk '$1>0{print $2}'| grep -F -x -v -f /opt/blacklist/ipaddresses.txt > /tmp/webbanned.log
################################################################################################################################################
# If file /tmp/webbanned.log is not empty then add to file /root/ipaddresses.txt what is in file /tmp/webbanned.log, 
# for IP which is in /tmp/webbanned.log run a command that adds IP addresses from a file 
# and/or use commands to add each IP address to the ipset/firewalld ipset
################################################################################################################################################
if [ -s /tmp/webbanned.log ]
then
cat /tmp/webbanned.log >> /opt/blacklist/ipaddresses.txt
firewall-cmd --permanent --ipset=blacklist --add-entries-from-file=/tmp/webbanned.log
for ip in $(cat /tmp/webbanned.log); do /usr/sbin/ipset add blacklist $ip;done
for ip in $(cat /tmp/webbanned.log); do firewall-cmd --permanent --ipset=blacklist --add-entry=$ip;done
# Reload firewalld
firewall-cmd --reload
fi
# Delete the below file
rm /tmp/webbanned.log