Installing perl dependencies:
CentOS:
yum install bind-utils perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch perl-GDGraph perl-IO-Socket-SSL.noarch perl-Net-SSLeay perl-Net-LibIDN perl-IO-Socket-INET6 perl-Socket6 perl-IO-Socket-Multicast ipset -y
Debian/Ubuntu:
apt install libwww-perl liblwp-protocol-https-perl libtemplate-plugin-gd-perl ipset
Then CSF installing:
cd /usr/src rm -fv csf.tgz wget https://download.configserver.com/csf.tgz tar -xzf csf.tgz cd csf sh install.sh
LF_EMAIL_ALERT = "0"
LF_PERMBLOCK_ALERT = "0"
LF_INTERVAL = "86400"
grep 'User Processing' /var/log/lfd.log | grep -o "EXE:.*" | awk '{ print $1 }' | sort | uniq | sed -e 's/EXE/exe/g'
Quick:
csf -d 46.229.160.0/20 do not delete abuser SemRush csf -d 216.244.64.0/24 do not delete abuser DotBot csf -d 54.36.148.0/23 do not delete abuser AhrefsBot csf -d 151.80.39.0/24 do not delete abuser AhrefsBot
DirectAdmin Search:
grep -h MJ12bot /var/log/httpd/domains/*.log | awk '{print $1}' | sort | uniq | awk '{print "csf -d "$1" do not delete abuser MJ12bot"}' | sh grep -h DotBot /var/log/httpd/domains/*.log | awk '{print $1}' | sort | uniq | awk '{print "csf -d "$1" do not delete abuser DotBot"}' | sh grep -h BUbiNG /var/log/httpd/domains/*.log | awk '{print $1}' | sort | uniq | awk '{print "csf -d "$1" do not delete abuser BUbiNG"}' | sh grep -h AhrefsBot /var/log/httpd/domains/*.log | awk '{print $1}' | sort | uniq | awk '{print "csf -d "$1" do not delete abuser AhrefsBot"}' | sh grep -h BLEXBot /var/log/httpd/domains/*.log | awk '{print $1}' | sort | uniq | awk '{print "csf -d "$1" do not delete abuser BLEXBot"}' | sh # if not needed grep -h Yandex /var/log/httpd/domains/*.log | awk '{print $1}' | sort | uniq | awk '{print "csf -d "$1" do not delete abuser YandexBot"}' | sh
DirectAdmin Search at once:
egrep -h 'SemRush|MJ12bot|DotBot|BUbiNG|AhrefsBot|BLEXBot|SMTBot|MauiBot' /var/log/httpd/domains/*.log | awk '{print $1}' | sort | uniq | awk '{print "csf -d "$1" do not delete abuser BADBOT"}' | sh
Cpanel Search at once:
egrep -h 'SemRush|MJ12bot|DotBot|BUbiNG|AhrefsBot|BLEXBot|SMTBot|MauiBot' /etc/apache2/logs/domlogs/* | awk '{print $1}' | sort | uniq | awk '{print "csf -d "$1" do not delete abuser BADBOT"}' | sh
Find bad bot'd
awk -F\" '{print $6}' /var/log/httpd/domains/*.log | sort | uniq -c | sort -n | tail
Add to cron:
#block bruteforce * * * * * root /bin/egrep -h "POST.*wp-login.php.*200" /var/log/nginx/domains/*.log | /bin/awk '{print $1}' | /bin/sort | /usr/bin/uniq -c | /bin/awk '$1>=5{print "/usr/sbin/csf -d "$2" wp-login abuser"}' | /bin/sh >/dev/null 2>&1 #block xmlrpc attack * * * * * root /bin/egrep -h "POST.*xmlrpc.php.*200" /var/log/nginx/domains/*.log | /bin/awk '{print $1}' | /bin/sort | /usr/bin/uniq -c | /bin/awk '$1>=5{print "/usr/sbin/csf -d "$2" xmlrpc abuser"}' | /bin/sh >/dev/null 2>&1 #bad bots block */30 * * * * root /bin/egrep -h 'MJ12bot|DotBot|BUbiNG|AhrefsBot|BLEXBot|SMTBot' /var/log/nginx/domains/*.log | /bin/awk '{print $1}' | /bin/sort | /usr/bin/uniq | /bin/awk '{print "/usr/sbin/csf -d "$1" do not delete abuser BADBOT"}' | /bin/sh
/bin/egrep -h "POST.*wp-login.php.*200" /var/log/httpd/domains/*.log | /bin/awk '{print $1}' | /bin/sort | /usr/bin/uniq -c | /bin/awk '$1>=5{print "/usr/sbin/csf -d "$2" wp-login abuser"}' | /bin/sh /bin/egrep -h "POST.*xmlrpc.php.*200" /var/log/httpd/domains/*.log | /bin/awk '{print $1}' | /bin/sort | /usr/bin/uniq -c | /bin/awk '$1>=5{print "/usr/sbin/csf -d "$2" xmlrpc abuser"}' | /bin/sh
In csf.conf edit
DYNDNS = "600"
To csf.dyndns add Your wanted domain
tcp|out|d=25|d=smtp.google.com -- edit appropriately for ports/hostnames etc.
Restart CSF
csf -ra
In csf.conf add ports which should be redirected to non https:
MESSENGER_HTTPS_IN = "443,2222"
DirectAdmin enable SSL (SNI) - only for CentOS7:
MESSENGER_HTTPS_CONF = "/usr/local/directadmin/data/users/*/httpd.conf"