Plesk 應對 DoS/DDoS 的方式,以及簡單地將連線數過多的 IP 透過 Plesk 的 ip_ban(IP 位址封鎖)阻擋。這種依連線數封鎖的做法只對來自少數 IP 的大量連線有效;來源分散的 DDoS 仍需靠上游(CDN/防火牆)緩解。

參考文章:How to diagnose a DoS/DDoS attack and find websites under attack on a Plesk server

新增檔案:auto_ban_ips.sh

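#!/bin/bash
#
# auto_ban_ips.sh - ban clients that hold too many established connections
# to the local web ports (80/443), using Plesk's IP address banning.
# Meant to be run as root (the page schedules it from cron every minute).

set -u
set -o pipefail

# A peer is banned once it holds MORE than this many established connections.
# NOTE(review): many users behind one NAT, proxy or CDN address can exceed a
# low limit legitimately; tune this for the sites hosted on the server.
THRESHOLD=30

# Jail name used in Plesk's ban system
JAIL_NAME="plesk-permanent-ban"

# Addresses that must never be banned. Add admin, monitoring, reverse-proxy
# and CDN addresses here. Local addresses seen in the ss output are skipped
# automatically (see the awk program below).
ALLOWLIST=("127.0.0.1" "::1")

# Print a message to stderr and abort.
die() {
  printf 'auto_ban_ips: %s\n' "$*" >&2
  exit 1
}

# Succeeds when $1 equals one of the ALLOWLIST entries.
is_allowlisted() {
  local candidate=$1 entry
  for entry in "${ALLOWLIST[@]:-}"; do
    [[ "$candidate" == "$entry" ]] && return 0
  done
  return 1
}

command -v ss >/dev/null || die "ss not found"
command -v plesk >/dev/null || die "plesk not found"

# The candidate list is kept in memory instead of a fixed file under /tmp:
# this script runs as root, and a predictable /tmp name can be pre-created or
# symlinked by any local user.
connections=$(ss -tan state established) || die "ss failed"

# With a single "state" filter ss prints no State column, so $3 is the local
# endpoint and $4 is the peer. Select on the LOCAL port and count the PEER
# address; selecting on the peer port would instead pick remote servers this
# host has connected to, and never the clients of the local web server.
# addr() strips the trailing ":port", IPv6 brackets and the IPv4-mapped
# prefix, so IPv6 peers are not truncated at their first colon.
heavy_ips=$(awk -v limit="$THRESHOLD" '
  function addr(endpoint) {
    sub(/:[0-9]+$/, "", endpoint)
    gsub(/\[|\]/, "", endpoint)
    sub(/^::ffff:/, "", endpoint)
    return endpoint
  }
  $3 ~ /:(80|443)$/ {
    is_local[addr($3)] = 1
    hits[addr($4)]++
  }
  END {
    for (ip in hits)
      if (hits[ip] > limit && !(ip in is_local))
        print ip
  }
' <<<"$connections") || die "awk failed"

# Nothing over the threshold: no need to query Plesk at all.
[[ -n "$heavy_ips" ]] || exit 0

# Fetch the ban list once rather than once per candidate.
# NOTE(review): confirm that `--list` is the subcommand that prints the
# banned addresses on the installed Plesk version.
banned=$(plesk bin ip_ban --list) \
  || printf 'auto_ban_ips: could not read the current ban list\n' >&2

# Ban each IP via Plesk
while IFS= read -r ip; do
  # Only hand Plesk tokens made of characters valid in an IP literal.
  [[ "$ip" =~ ^[0-9A-Fa-f:.]+$ ]] || continue
  is_allowlisted "$ip" && continue

  # Fixed-string, whole-word match: as a regex, "1.2.3.4" would also match
  # "11.2.3.45", and such a peer would then never be banned.
  if ! grep -qwF -- "$ip" <<<"$banned"; then
    printf 'Banning IP: %s\n' "$ip"
    # stdin is redirected so plesk cannot consume the rest of the list.
    plesk bin ip_ban --ban "$ip,$JAIL_NAME" </dev/null \
      || printf 'auto_ban_ips: failed to ban %s\n' "$ip" >&2
  fi
done <<<"$heavy_ips"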

加入到 root 的 crontab(先執行 chmod 700 /root/auto_ban_ips.sh,讓腳本可執行且僅 root 可讀寫):

*/1 * * * * /root/auto_ban_ips.sh