
How to Auto-Block Attackers in CSF on LiteSpeed Server in WHM/cPanel (Advanced Script)

Running a web hosting business requires keeping your servers stable, especially when offering cheap WordPress hosting where resources are shared. One of the biggest challenges for cPanel/WHM administrators is dealing with “bot scanners” and distributed attacks that bypass standard firewall rules.

While LiteSpeed Web Server is incredibly fast, high-frequency attacks can still drive up CPU usage. In this guide, we will set up an Advanced Real-Time Log Analyzer (v19). Unlike simple fail2ban scripts, this custom solution distinguishes between harmless errors and dangerous ModSecurity hits, bans entire subnets intelligently, and—most importantly—includes a Safety Filter to prevent banning your own internal gateway IPs.

Using Imunify360? If your server uses Imunify360 instead of CSF, please refer to our Imunify360 Auto-Block Guide.

Why Use This Custom Solution?

  • Safety First: Automatically ignores private IPs (e.g., 10.0.x.x, 192.168.x.x) to prevent accidental self-banning.

  • Smart Categorization: Distinguishes between a harmless 404 error and a dangerous SQL Injection attempt.

  • Detailed Evidence: The block reason in CSF will show you exactly which domain and which file path triggered the ban.

  • Bot Farm Protection: Automatically bans the entire subnet (/24) if a bot farm attacks you from multiple IPs.


Prerequisites

  • A VPS or Dedicated Server with root access.

  • LiteSpeed Web Server installed.

  • CSF (ConfigServer Security & Firewall) installed and active.


Step 1: Create the Advanced Blocker Script

We will create a bash script that monitors your LiteSpeed access logs in real-time.

  1. Login to your server via SSH as root.

  2. Create the script file:

    nano /root/litespeed_blocker.sh
    
  3. Paste the following Professional v19 code. This version includes the critical Safety Filter to ignore internal IPs.

    #!/bin/bash
    # =================================================================
    # LiteSpeed/Apache Advanced Defense Blocker - v19 (CSF SAFE EDITION)
    # Feature: Auto-Ignores Private/Local IPs (10.x, 192.168.x, 172.16-31.x, 127.x)
    # =================================================================
    
    ACCESS_LOG="/usr/local/apache/logs/access_log"
    ERROR_LOG="/usr/local/apache/logs/error_log"
    STRIKE_FILE="/tmp/litespeed_strikes.tmp"
    CSF_BIN="/usr/sbin/csf"
    CSF_ALLOW="/etc/csf/csf.allow"
    CSF_IGNORE="/etc/csf/csf.ignore"
    
    # Ensure strike file exists and is empty on startup
    : > "$STRIKE_FILE"
    
    # --- Helper: Check Whitelist ---
    # -w -F: literal whole-word match, so 1.2.3.4 does not also match 1.2.3.40
    is_whitelisted() {
        grep -qwF -- "$1" "$CSF_ALLOW" || grep -qwF -- "$1" "$CSF_IGNORE"
    }
    
    # --- Helpers: count / clear strikes by exact line ---
    # Whole-line matching keeps the counters of 1.2.3.4 and 1.2.3.40 separate
    strike_count() { grep -cxF -- "$1" "$STRIKE_FILE"; }
    clear_strikes() { sed -i "/^${1//./\\.}\$/d" "$STRIKE_FILE"; }
    
    tail -Fn0 "$ACCESS_LOG" "$ERROR_LOG" | while read -r line; do
        # Skip the "==> file <==" headers tail prints when following two files
        [[ "$line" == "==>"* ]] && continue
    
        # Detect Log Type
        if [[ "$line" == *"] ["* ]]; then log_type="Error"; else log_type="Access"; fi
    
        # 1. IP Extraction (first IPv4 address on the line)
        ip=$(echo "$line" | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
    
        # --- SAFETY FILTER (Ignore Private IPs) ---
        if [[ -z "$ip" || "$ip" == 127.* || "$ip" == "::1" ]]; then continue; fi
        if [[ "$ip" == 10.* || "$ip" == 192.168.* || "$ip" == 172.1[6-9].* || "$ip" == 172.2[0-9].* || "$ip" == 172.3[0-1].* ]]; then continue; fi
        # ------------------------------------------
    
        subnet=$(echo "$ip" | cut -d. -f1-3).0
    
        # 2. Path Extraction
        if [[ "$log_type" == "Access" ]]; then
            path=$(echo "$line" | grep -oP '"(GET|POST|HEAD|PUT) \K[^ ]+' | head -1 | cut -c1-35)
        else
            path=$(echo "$line" | grep -oP '(?<=context \[)[^\]]+|(?<=found \[)[^\]]+' | head -1)
            [[ -z "$path" ]] && path=$(echo "$line" | grep -oP '(GET|POST|HEAD) [^ ]+' | head -1)
        fi
        [[ -z "$path" ]] && path="/"
    
        # 3. Domain Extraction
        domain=$(echo "$line" | grep -oP '(?<=APVH_)[a-zA-Z0-9.-]+' | head -1)
        [[ -z "$domain" ]] && domain="Unknown"
    
        # --- CASE A: CRITICAL ATTACKS (ModSec/ACL) ---
        if echo "$line" | grep -qE "RECAPTCHA|ACL|Access to context|ModSecurity"; then
            trigger=$(echo "$line" | grep -oE "RECAPTCHA|ACL|ModSecurity" | head -1)
            echo "SEC_IP:$ip" >> "$STRIKE_FILE"
            echo "SEC_SUB:$subnet" >> "$STRIKE_FILE"
    
            if [ "$(strike_count "SEC_IP:$ip")" -ge 3 ]; then
                if ! is_whitelisted "$ip"; then
                    "$CSF_BIN" -d "$ip" "LS_Block: Critical (3) | $trigger | $domain | $path" > /dev/null 2>&1
                    clear_strikes "SEC_IP:$ip"
                fi
            fi
            if [ "$(strike_count "SEC_SUB:$subnet")" -ge 10 ]; then
                if ! is_whitelisted "$ip"; then
                    "$CSF_BIN" -d "$subnet/24" "LS_Block: Critical Subnet (10) | $trigger" > /dev/null 2>&1
                    clear_strikes "SEC_SUB:$subnet"
                fi
            fi
    
        # --- CASE B: SCANNERS (403/404/500) ---
        # The status code is matched right after the quoted request line, so a
        # response size of e.g. 404 bytes is not counted as an error status.
        elif echo "$line" | grep -qE '" (400|401|403|404|405|500) |File not found'; then
            code=$(echo "$line" | grep -oE "\s(40[0-9]|4[1-4][0-9]|50[0-9])\s" | tr -d ' ' | head -1)
            echo "SCAN_IP:$ip" >> "$STRIKE_FILE"
            echo "SCAN_SUB:$subnet" >> "$STRIKE_FILE"
    
            if [ "$(strike_count "SCAN_IP:$ip")" -ge 7 ]; then
                if ! is_whitelisted "$ip"; then
                    "$CSF_BIN" -d "$ip" "LS_Block: Scan (7) | Code $code | $domain | $path" > /dev/null 2>&1
                    clear_strikes "SCAN_IP:$ip"
                fi
            fi
            if [ "$(strike_count "SCAN_SUB:$subnet")" -ge 20 ]; then
                if ! is_whitelisted "$ip"; then
                    "$CSF_BIN" -d "$subnet/24" "LS_Block: Scan Subnet (20) | Code $code" > /dev/null 2>&1
                    clear_strikes "SCAN_SUB:$subnet"
                fi
            fi
        fi
    done
    
  4. Save and exit (Press Ctrl+X, then Y, then Enter).
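
Before letting an auto-ban loop act on live traffic, it helps to replay a log through the same rule and see which IPs would be banned. The following is an added example, not part of the original script: it reuses the Safety Filter ranges and the 7-strike scan threshold, assumes the combined access-log format, and its function names and sample log lines are constructed for illustration.

```bash
#!/bin/bash
# Added example: dry-run replay of the per-IP scanner rule. It prints the IPs
# that would be banned and never calls csf. All names here are illustrative.
THRESHOLD=7    # per-IP scan threshold used in Case B above

# Safety Filter: succeed for loopback and RFC 1918 private addresses.
is_private_ip() {
    case "$1" in
        127.*|10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Read access-log lines on stdin; print each public IP once, when it reaches
# THRESHOLD error responses.
replay_scan_rule() {
    strikes=$(mktemp) || return 1
    while IFS= read -r line; do
        ip=${line%% *}                     # client IP is the first field
        printf '%s\n' "$ip" | grep -qxE '([0-9]{1,3}\.){3}[0-9]{1,3}' || continue
        is_private_ip "$ip" && continue
        # Assumes combined log format: the status follows the quoted request,
        # so the byte-count field after it is never read as a status code.
        printf '%s\n' "$line" | grep -qE '" (400|401|403|404|405|500) ' || continue
        printf 'SCAN_IP:%s\n' "$ip" >> "$strikes"
        # -x -F: literal whole-line match, so 203.0.113.5 is not counted
        # together with 203.0.113.50.
        if [ "$(grep -cxF "SCAN_IP:$ip" "$strikes")" -eq "$THRESHOLD" ]; then
            echo "$ip"
        fi
    done
    rm -f "$strikes"
}

# Constructed sample log (documentation IP ranges, not real traffic).
sample_log() {
    for i in 1 2 3 4 5 6 7 8; do
        echo "203.0.113.50 - - [01/Jan/2025:00:00:0$i +0000] \"GET /wp-$i.php HTTP/1.1\" 404 512"
        echo "10.0.0.7 - - [01/Jan/2025:00:00:0$i +0000] \"GET /x$i HTTP/1.1\" 403 199"
        echo "198.51.100.9 - - [01/Jan/2025:00:00:0$i +0000] \"GET /p$i HTTP/1.1\" 200 404"
    done
    echo '203.0.113.5 - - [01/Jan/2025:00:00:09 +0000] "GET /a HTTP/1.1" 404 512'
}

sample_log | replay_scan_rule    # prints only 203.0.113.50
```

To replay real traffic, feed a copy of the access log to `replay_scan_rule` on stdin instead of `sample_log`.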


Step 2: Set Permissions

Make the script executable so the system can run it.

    chmod +x /root/litespeed_blocker.sh

Step 3: Create the Background Service

To ensure this protection runs 24/7, we will create a systemd service file.

  1. Create the file:

    nano /etc/systemd/system/litespeed-blocker.service
    
  2. Paste the following configuration:

    [Unit]
    Description=LiteSpeed Advanced CSF Blocker
    After=network.target lsws.service
    
    [Service]
    ExecStart=/bin/bash /root/litespeed_blocker.sh
    Restart=always
    User=root
    
    [Install]
    WantedBy=multi-user.target
    
  3. Save and exit.


Step 4: Enable and Start the Service

Now, register the service and start it immediately.

    systemctl daemon-reload
    systemctl enable litespeed-blocker
    systemctl start litespeed-blocker

To verify it is working, check the status:

    systemctl status litespeed-blocker

You should see Active (running) in green.


Step 5: Configure Hourly Maintenance

We need to clear the “Strike List” every hour. This prevents the script from blocking legitimate users who made small mistakes (like typing a wrong password) days ago.

  1. Open the root cron file:

    nano /var/spool/cron/root
    
  2. Add this line at the very bottom:

    0 * * * * echo "" > /tmp/litespeed_strikes.tmp
    
  3. Save and exit.

  4. Crucial Step: Reload the cron service to apply this change immediately.

    service crond reload
    

Conclusion

You have now successfully deployed a Pro-Grade Auto-Blocker for your LiteSpeed server. Your system will now instantly detect attacks, cross-reference them with your whitelist, and ban malicious IPs or Subnets directly in CSF, all while keeping your internal network safe.
