參考文章:How to diagnose a DoS/DDoS attack and find websites under attack on a Plesk server
新增檔案:auto_ban_ips.sh
#!/bin/bash
# Threshold for number of connections
THRESHOLD=30
# Jail name used in Plesk's ban system
JAIL_NAME="plesk-permanent-ban"
# Temp file for storing high-connection IPs
TMP_FILE="/tmp/heavy_ips.txt"
# Get IPs with more than $THRESHOLD connections
ss -tan state established | \
awk '$4 ~ /:80$|:443$/ {split($4, a, ":"); ip=a[1]; count[ip]++} END {for (ip in count) if (count[ip] > '"$THRESHOLD"') print ip}' > "$TMP_FILE"
# Ban each IP via Plesk
while read -r IP; do
# Check if already banned
if ! plesk bin ip_ban --list | grep -q "$IP"; then
echo "Banning IP: $IP"
plesk bin ip_ban --ban "$IP,$JAIL_NAME"
fi
done < "$TMP_FILE"
# Clean up
rm -f "$TMP_FILE"
加入到 crontab
*/1 * * * * /root/auto_ban_ips.sh