Plesk 對應 DDoS 的方式，以及簡單將存取過多次的 IP 做 IP2Ban 阻擋

參考文章：How to diagnose a DoS/DDoS attack and find websites under attack on a Plesk server

新增檔案：auto_ban_ips.sh

#!/bin/bash

# Threshold for number of connections
THRESHOLD=30

# Jail name used in Plesk's ban system
JAIL_NAME="plesk-permanent-ban"

# Temp file for storing high-connection IPs
TMP_FILE="/tmp/heavy_ips.txt"

# Get IPs with more than $THRESHOLD connections
ss -tan state established | \
  awk '$4 ~ /:80$|:443$/ {split($4, a, ":"); ip=a[1]; count[ip]++} END {for (ip in count) if (count[ip] > '"$THRESHOLD"') print ip}' > "$TMP_FILE"

# Ban each IP via Plesk
while read -r IP; do
    # Check if already banned
    if ! plesk bin ip_ban --list | grep -q "$IP"; then
        echo "Banning IP: $IP"
        plesk bin ip_ban --ban "$IP,$JAIL_NAME"
    fi
done < "$TMP_FILE"

# Clean up
rm -f "$TMP_FILE"

加入到 crontab

*/1 * * * * /root/auto_ban_ips.sh

延伸推薦

WordPress 被駭了怎麼辦？被攻擊時的檢查和自救方式

Fail2ban 的啟用流程記錄

客戶的資安廠商說我們的 WordPress 有使用者帳號列舉的潛在風險