How to Auto-Block Attackers on LiteSpeed Server: 7-Strike Security Script

How to Protect a LiteSpeed Server from Attacks? [Custom Auto-Block Script]

Cyber attacks and bot scanning are a major concern for every server admin today. If you run LiteSpeed Web Server (LSWS) with cPanel, a firewall alone is not enough. Attackers often slow the server down through proxy scanning and vulnerability brute-forcing.

Today we will look at a custom automation script that scans your server logs in real time and permanently blocks attackers through Imunify360.

Features of the LiteSpeed Security Script

This is not just a simple blocker; we designed it around a “7-Strike in 1 Hour” rule:

  • 7-Strike Rule: If an IP sends 7 bad requests (404, 405, 444, etc.) within one hour, it is blocked.

  • Subnet Attack Detection: The script watches not just individual IPs but the whole network range (/24 subnet).

  • Multi-Code Monitoring: It tracks all attack-related status codes such as 400, 401, 403, 404, 405, 444 and 500.

  • Imunify360 Integration: Blocked IPs go straight into Imunify360's ‘Drop List’.

HTTP Error Codes: How to Recognize Attackers

Our script watches the status codes that are commonly generated during bot attacks. It is important to understand what they mean:

Error Code | Meaning | Why Block It?
400 | Bad Request | When a bot sends bad syntax or corrupt data.
401/403 | Unauthorized/Forbidden | Brute-force attacks or scanning of private directories.
404 | Not Found | Attempts to find vulnerable files (such as wp-config.php).
405 | Method Not Allowed | When a bot does proxy scanning with the CONNECT method.
444 | No Response | A special Nginx/LiteSpeed code that drops the connection immediately.
500 | Server Error | Exploits that try to crash your backend application.

Full Installation Guide (Step-by-Step)

Step 1: Create the Script File

First, log in to the server and create the script file:

nano /root/litespeed_blocker.sh

Save the code below in the file /root/litespeed_blocker.sh:

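#!/bin/bash
# LiteSpeed/Apache Subnet & IP Blocker (7 strikes in 1 HOUR)

LOG_PATH="/usr/local/apache/logs/access_log"
STRIKE_FILE="/tmp/litespeed_strikes.tmp"
touch "$STRIKE_FILE"

# The status code is the 3-digit field right after the quoted request line.
# Matching it there avoids counting a response size that happens to be " 404 ".
status_re='" ([0-9]{3}) '

# -F keeps following the log across rotation; -n0 starts at the end of the file
tail -Fn0 "$LOG_PATH" | while IFS= read -r line; do
    [[ "$line" =~ $status_re ]] || continue

    # Error codes monitor: 400, 401, 403, 404, 405, 444, 500
    case "${BASH_REMATCH[1]}" in
        400|401|403|404|405|444|500) ;;
        *) continue ;;
    esac

    # Client IP is the first field; skip malformed values and loopback
    ip=${line%% *}
    [[ "$ip" =~ ^[0-9A-Fa-f:.]+$ ]] || continue
    [[ "$ip" == "127.0.0.1" || "$ip" == "::1" ]] && continue

    timestamp=$(date +%s)
    one_hour_ago=$((timestamp - 3600))
    echo "IP:$ip:$timestamp" >> "$STRIKE_FILE"

    # 1. Individual IP Check
    # Fixed-string match with a trailing ':' so 1.2.3.4 does not also count 1.2.3.40;
    # the timestamp is the last field ($NF), which also holds for IPv6 addresses.
    ip_strikes=$(grep -F "IP:$ip:" "$STRIKE_FILE" | awk -F: -v limit="$one_hour_ago" '$NF > limit' | wc -l)
    if [ "$ip_strikes" -ge 7 ]; then
        imunify360-agent ip-list local add --purpose drop --ip "$ip" --comment "7 Strike in 1 hour (IP Attack)" > /dev/null 2>&1
        sed -i "/^IP:${ip//./\\.}:/d" "$STRIKE_FILE"
    fi

    # 2. Subnet Attack Detection (IPv4 only: the /24 is the first three octets)
    if [[ "$ip" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
        subnet=$(cut -d. -f1-3 <<< "$ip").0
        echo "SUBNET:$subnet:$timestamp" >> "$STRIKE_FILE"

        # 15 strikes from the same /24 within the hour; the IP that triggered it is dropped
        subnet_strikes=$(grep -F "SUBNET:$subnet:" "$STRIKE_FILE" | awk -F: -v limit="$one_hour_ago" '$NF > limit' | wc -l)
        if [ "$subnet_strikes" -ge 15 ]; then
            imunify360-agent ip-list local add --purpose drop --ip "$ip" --comment "7 Strike in 1 hour (Subnet Attack Detection)" > /dev/null 2>&1
            sed -i "/^SUBNET:${subnet//./\\.}:/d" "$STRIKE_FILE"
        fi
    fi
done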

Step 2: Then Set the Execute Permission

chmod +x /root/litespeed_blocker.sh

Step 3: Service Installation (To Keep It Always Running)

We will create a systemd service so that the script starts automatically even after a server restart.

nano /etc/systemd/system/litespeed-blocker.service

Paste the content below:

[Unit]
Description=LiteSpeed Real-time Error Blocker
After=network.target lsws.service

[Service]
ExecStart=/bin/bash /root/litespeed_blocker.sh
Restart=always
User=root

[Install]
WantedBy=multi-user.target

Step 4: Service Activation

Load the new configuration and enable the service:

systemctl daemon-reload
systemctl enable litespeed-blocker
systemctl start litespeed-blocker

How to Track Logs in Real Time?

Checking whether the script is working correctly is very easy.

1. Monitor Strikes

To see how many strikes each IP has accumulated:

tail -f /tmp/litespeed_strikes.tmp

2. Check the Imunify360 Block List

Check which IPs the script blocked and what comment it set:

imunify360-agent ip-list local list --purpose drop | grep "7 Strike in 1 hour"

3. Check the Service Status

If the script is not working, check the status:

systemctl status litespeed-blocker

Automated Maintenance: Cron Job Setup

To keep server performance steady, we should clear the temporary strike file once every 24 hours. This deletes old data and keeps the script fast.

How to Set Up the Cron Job?

  1. Type the command below in the terminal:

    crontab -e
    
  2. Add this line at the very bottom of the file:

    0 0 * * * > /tmp/litespeed_strikes.tmp
    

    This means: the file is emptied every night at 12:00.


Log Analysis: How to Find Out What Type of Attack It Is?

If you want to see which status codes (200, 404, 405, 500) appear most often in the last 100 requests, you can use this command:

tail -n 100 /usr/local/apache/logs/access_log | awk '{print $9}' | sort | uniq -c

Breakdown of This Command:

  • tail -n 100: Pulls the last 100 lines of the access log.

  • awk '{print $9}': Filters out only the HTTP status code (9th column) from each log line.

  • sort | uniq -c: Groups the codes and shows how many times each code appeared.

Example Output:

  • 85 200 (85 requests are fine – OK)

  • 10 404 (10 requests where the file was not found – Potential Scanner)

  • 5 405 (5 requests are proxy scanning – Blocked)
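
A dry run of the 7-strike rule against an existing log, useful for checking the threshold before the service starts blocking. This is an added example, not part of the original script; the function names would_block and sample_log are hypothetical, and it assumes combined log format with every line in the same timezone offset.

```shell
#!/bin/bash
# Added example: dry run of the 7-strikes-in-1-hour rule over an access log.
# Prints "<ip> <strikes>" for each IP the rule would have blocked; blocks nothing.
# Assumes combined log format: IP = field 1, [time = field 4, status = field 9.

would_block() {   # usage: would_block LOGFILE|- [THRESHOLD] [WINDOW_SECONDS]
    awk -v limit="${2:-7}" -v window="${3:-3600}" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
        for (i = 1; i <= 12; i++) month[names[i]] = i
    }
    # Seconds since 1970-01-01 for a field like "[10/Oct/2024:13:55:36"
    function epoch(field,    p, y, m, d, era, yoe, doy, doe) {
        split(substr(field, 2), p, "[/:]")
        d = p[1]; m = month[p[2]]; y = p[3]
        if (m <= 2) y--
        era = int(y / 400); yoe = y - era * 400
        doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        return (era * 146097 + doe - 719468) * 86400 + p[4] * 3600 + p[5] * 60 + p[6]
    }
    $9 ~ /^(400|401|403|404|405|444|500)$/ && !($1 in blocked) {
        ip = $1; now = epoch($4)
        n[ip]++; ts[ip, n[ip]] = now
        # Forget strikes that have aged out of the window, then count the rest
        while (now - ts[ip, first[ip] + 1] >= window) first[ip]++
        if (n[ip] - first[ip] >= limit) { blocked[ip] = 1; print ip, n[ip] - first[ip] }
    }' "${1:--}"
}

# Constructed sample log (documentation addresses, not real traffic):
#   203.0.113.9  requests 7 missing paths within 6 minutes
#   198.51.100.7 gets 7 404s, but one per hour
#   192.0.2.5    only gets 200s (with a response size of 404 bytes)
sample_log() {
    for i in 1 2 3 4 5 6 7; do
        printf '203.0.113.9 - - [10/Oct/2024:13:0%s:00 +0000] "GET /p%s HTTP/1.1" 404 0 "-" "-"\n' "$i" "$i"
        printf '198.51.100.7 - - [10/Oct/2024:1%s:30:00 +0000] "GET /old%s HTTP/1.1" 404 0 "-" "-"\n' "$i" "$i"
        printf '192.0.2.5 - - [10/Oct/2024:13:0%s:10 +0000] "GET / HTTP/1.1" 200 404 "-" "-"\n' "$i"
    done
}

sample_log | would_block -   # prints: 203.0.113.9 7
```

Against a real log, pass the file path instead of "-", and raise or lower the threshold argument to see how many legitimate clients a stricter rule would catch.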


Frequently Asked Questions (FAQ)

Q1. Will this script block valid users?

No, because we have kept a wide window of “7 strikes in 1 hour”. A normal user may hit a 404 error once or twice by mistake, but only bots or attackers do it 7 times.

Q2. What should I do if my own IP gets blocked?

You can log in from another network and run this command: imunify360-agent ip-list local delete --purpose drop --ip [YOUR_IP]

Q3. What is subnet attack detection?

In a distributed attack, attackers use different IPs, but their network (subnet) is the same. This script detects that whole network pattern and blocks it.

Q4. Will this script increase server load?

No, because it uses the tail -F command, which is very lightweight and works only on new log entries.


Conclusion

The biggest advantage of this script is that it comes with “Subnet Attack Detection”, which also stops distributed attacks (DDoS lite).
