
How to Auto-Block Attackers in Imunify360 on LiteSpeed Server in WHM/cPanel (Advanced Script)



Imunify360 is arguably the best security suite for cPanel servers, offering advanced WAF and proactive defense. However, during a massive “Log Flood”—where bots generate thousands of 404 or 403 errors per second—waiting for standard rules to trigger can sometimes be too slow for LiteSpeed servers under heavy load.

In this tutorial, we will bridge the gap by creating a Pro-Grade Integration Script (v19). This script parses LiteSpeed logs in real-time, extracts detailed attack data, and commands Imunify360 to DROP the attacker instantly.

Using CSF? If your server uses CSF instead of Imunify360, please refer to our CSF Auto-Block Guide.

The “v19” Advantage

Unlike basic scripts, this edition features:

  1. Safety Filter: It automatically ignores private and loopback addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 and 127.0.0.1, e.g. a gateway at 10.0.6.2), so the script can never ban your own Gateway or Load Balancer.

  2. CPU Optimization: It queries the Imunify360 whitelist only after an IP has crossed a strike threshold, not on every log line, so imunify360-agent is not launched thousands of times a second during a flood.

  3. Precise Logging: The block comment in Imunify360 records the trigger, the targeted domain and the requested path, so you can see at a glance why an address was dropped.


Prerequisites

  • A server with LiteSpeed Web Server.

  • Imunify360 installed and running.

  • Root SSH access.


Step 1: Create the Integration Script

  1. Access your server via SSH.

  2. Create the script file:

    nano /root/imunify_blocker.sh
    
  3. Paste the Professional v19 (Imunify Edition) code below:

    #!/bin/bash
    # =================================================================
    # LiteSpeed/Apache Advanced Defense Blocker - v19 (IMUNIFY SAFE)
    # Feature: Auto-Ignores Private/Local IPs (10.x, 172.16-31.x, 192.168.x, 127.x)
    # =================================================================
    
    ACCESS_LOG="/usr/local/apache/logs/access_log"
    ERROR_LOG="/usr/local/apache/logs/error_log"
    STRIKE_FILE="/tmp/imunify_strikes.tmp"
    IMUNIFY="/usr/bin/imunify360-agent"
    
    # Ensure the strike file exists and is empty on startup
    : > "$STRIKE_FILE"
    
    # True when the address/subnet is on the Imunify360 local whitelist.
    # stdin is redirected so the agent can never consume lines from the tail pipe.
    is_whitelisted() {
        $IMUNIFY ip-list local list --purpose white < /dev/null | grep -qwF "$1"
    }
    
    tail -Fn0 "$ACCESS_LOG" "$ERROR_LOG" | while read -r line; do
        [[ "$line" == "==>"* ]] && continue   # skip tail's "==> file <==" headers
    
        if [[ "$line" == *"] ["* ]]; then log_type="Error"; else log_type="Access"; fi
    
        # 1. IP Extraction (first IPv4 address on the line)
        ip=$(echo "$line" | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
    
        # --- SAFETY FILTER (Ignore Private IPs) ---
        if [[ -z "$ip" || "$ip" == "127.0.0.1" || "$ip" == "::1" ]]; then continue; fi
        if [[ "$ip" == 10.* || "$ip" == 192.168.* || "$ip" == 172.1[6-9].* || "$ip" == 172.2[0-9].* || "$ip" == 172.3[0-1].* ]]; then continue; fi
        # ------------------------------------------
    
        subnet=$(echo "$ip" | cut -d. -f1-3).0
        # Dots are regex metacharacters: escaped copies for the sed deletes below,
        # so clearing the strikes of 1.2.3.4 never also clears those of 1.2.3.45
        ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')
        sub_re=$(printf '%s' "$subnet" | sed 's/\./\\./g')
    
        # 2. Path Extraction
        if [[ "$log_type" == "Access" ]]; then
            path=$(echo "$line" | grep -oP '"(GET|POST|HEAD|PUT) \K[^ ]+' | head -1 | cut -c1-35)
        else
            path=$(echo "$line" | grep -oP '(?<=context \[)[^\]]+|(?<=found \[)[^\]]+' | head -1)
            [[ -z "$path" ]] && path=$(echo "$line" | grep -oP '(GET|POST|HEAD) [^ ]+' | head -1)
        fi
        [[ -z "$path" ]] && path="/"
    
        # 3. Domain Extraction (cPanel/LiteSpeed vhost names appear as APVH_<domain>)
        domain=$(echo "$line" | grep -oP '(?<=APVH_)[a-zA-Z0-9.-]+' | head -1)
        [[ -z "$domain" ]] && domain="Unknown"
    
        # --- CASE A: CRITICAL ATTACKS ---
        if echo "$line" | grep -qE "RECAPTCHA|ACL|Access to context|ModSecurity"; then
            trigger=$(echo "$line" | grep -oE "RECAPTCHA|ACL|ModSecurity|Access to context" | head -1)
            echo "SEC_IP:$ip" >> "$STRIKE_FILE"
            echo "SEC_SUB:$subnet" >> "$STRIKE_FILE"
    
            # -x -F: count whole-line literal matches only, so 1.2.3.4 does not count 1.2.3.45
            if [ "$(grep -cxF "SEC_IP:$ip" "$STRIKE_FILE")" -ge 3 ]; then
                if ! is_whitelisted "$ip"; then
                    $IMUNIFY ip-list local add --purpose drop "$ip" --comment "LS_Block: Critical (3) | $trigger | $domain | $path" < /dev/null > /dev/null 2>&1
                    sed -i "/^SEC_IP:$ip_re\$/d" "$STRIKE_FILE"
                fi
            fi
            if [ "$(grep -cxF "SEC_SUB:$subnet" "$STRIKE_FILE")" -ge 10 ]; then
                if ! is_whitelisted "$ip" && ! is_whitelisted "$subnet"; then
                    $IMUNIFY ip-list local add --purpose drop "$subnet/24" --comment "LS_Block: Critical Subnet (10) | $trigger" < /dev/null > /dev/null 2>&1
                    sed -i "/^SEC_SUB:$sub_re\$/d" "$STRIKE_FILE"
                fi
            fi
    
        # --- CASE B: SCANNERS ---
        elif echo "$line" | grep -qE " 400 | 401 | 403 | 404 | 405 | 500 |File not found"; then
            code=$(echo "$line" | grep -oE "\s(40[0-9]|4[1-4][0-9]|50[0-9])\s" | tr -d ' ' | head -1)
            echo "SCAN_IP:$ip" >> "$STRIKE_FILE"
            echo "SCAN_SUB:$subnet" >> "$STRIKE_FILE"
    
            if [ "$(grep -cxF "SCAN_IP:$ip" "$STRIKE_FILE")" -ge 7 ]; then
                if ! is_whitelisted "$ip"; then
                    $IMUNIFY ip-list local add --purpose drop "$ip" --comment "LS_Block: Scan (7) | Code $code | $domain | $path" < /dev/null > /dev/null 2>&1
                    sed -i "/^SCAN_IP:$ip_re\$/d" "$STRIKE_FILE"
                fi
            fi
            if [ "$(grep -cxF "SCAN_SUB:$subnet" "$STRIKE_FILE")" -ge 20 ]; then
                if ! is_whitelisted "$ip" && ! is_whitelisted "$subnet"; then
                    $IMUNIFY ip-list local add --purpose drop "$subnet/24" --comment "LS_Block: Scan Subnet (20)" < /dev/null > /dev/null 2>&1
                    sed -i "/^SCAN_SUB:$sub_re\$/d" "$STRIKE_FILE"
                fi
            fi
        fi
    done
    
  4. Save and exit (Ctrl+X -> Y -> Enter).
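Before pointing the blocker at live logs it is worth checking what its parsing rules would make of a given line. The dry-run harness below is an added example (not part of the tutorial's script): it reuses the v19 regexes and private-IP filter to classify a line, but never calls imunify360-agent. The access_log and error_log samples, the addresses and the domain example.com are constructed.

```shell
#!/bin/bash
# Dry-run harness for the v19 parsing rules: same regexes as the blocker script,
# but it only classifies a line and never calls imunify360-agent.
# Added for this tutorial; the log lines below are constructed samples.

# Returns 0 for addresses the blocker ignores (empty, loopback, RFC 1918).
is_private_ip() {
    case "$1" in
        ""|127.0.0.1|::1|10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[0-1].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints "<verdict>|<log type>|<ip>|<subnet>|<domain>|<path>" (or IGNORED).
classify_line() {
    local line="$1" log_type ip subnet path domain verdict
    case "$line" in "==>"*) echo "IGNORED"; return 0 ;; esac      # tail file header
    case "$line" in *"] ["*) log_type="Error" ;; *) log_type="Access" ;; esac
    ip=$(printf '%s\n' "$line" | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
    if is_private_ip "$ip"; then echo "IGNORED"; return 0; fi
    subnet=$(printf '%s\n' "$ip" | cut -d. -f1-3).0
    if [ "$log_type" = "Access" ]; then
        path=$(printf '%s\n' "$line" | grep -oP '"(GET|POST|HEAD|PUT) \K[^ ]+' | head -1 | cut -c1-35)
    else
        path=$(printf '%s\n' "$line" | grep -oP '(?<=context \[)[^\]]+|(?<=found \[)[^\]]+' | head -1)
        [ -z "$path" ] && path=$(printf '%s\n' "$line" | grep -oP '(GET|POST|HEAD) [^ ]+' | head -1)
    fi
    [ -z "$path" ] && path="/"
    domain=$(printf '%s\n' "$line" | grep -oP '(?<=APVH_)[a-zA-Z0-9.-]+' | head -1)
    [ -z "$domain" ] && domain="Unknown"
    if printf '%s\n' "$line" | grep -qE "RECAPTCHA|ACL|Access to context|ModSecurity"; then
        verdict="CRITICAL"      # Case A: the blocker would record a SEC_ strike
    elif printf '%s\n' "$line" | grep -qE " 400 | 401 | 403 | 404 | 405 | 500 |File not found"; then
        verdict="SCAN"          # Case B: the blocker would record a SCAN_ strike
    else
        verdict="NONE"
    fi
    echo "$verdict|$log_type|$ip|$subnet|$domain|$path"
}

# Constructed samples: a 404 probe, a LiteSpeed ACL denial, a normal hit, an internal gateway
SCAN_LINE='203.0.113.7 - - [12/Jan/2025:10:15:32 +0000] "GET /wp-login.php HTTP/1.1" 404 1234 "-" "bot"'
ACL_LINE='2025-01-12 10:15:33.100 [NOTICE] [1234] [203.0.113.7:54321-0#APVH_example.com] Access to context [/admin/] is denied: ACL'
OK_LINE='198.51.100.9 - - [12/Jan/2025:10:15:35 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla"'
GW_LINE='10.0.6.2 - - [12/Jan/2025:10:15:34 +0000] "GET /healthz HTTP/1.1" 404 0 "-" "probe"'

for l in "$SCAN_LINE" "$ACL_LINE" "$OK_LINE" "$GW_LINE"; do classify_line "$l"; done
```

Run it with a line pasted from your own logs as the argument to classify_line to confirm the verdict matches what you expect before enabling the service.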


Step 2: Set Permissions

Make the script executable:

chmod +x /root/imunify_blocker.sh

Step 3: Automate with Systemd

We will create a service to keep this script running in the background.

  1. Create the service file:

    nano /etc/systemd/system/imunify-blocker.service
    
  2. Paste the following:

    [Unit]
    Description=LiteSpeed Advanced Imunify Bridge
    After=network.target lsws.service
    
    [Service]
    ExecStart=/bin/bash /root/imunify_blocker.sh
    Restart=always
    User=root
    
    [Install]
    WantedBy=multi-user.target
    
  3. Save and exit.


Step 4: Enable the Service

Run the following commands to start the protection immediately:

systemctl daemon-reload
systemctl enable imunify-blocker
systemctl start imunify-blocker

Check the status to confirm it is running:

systemctl status imunify-blocker

Step 5: Hourly Maintenance

To prevent the strike file in /tmp from growing without bound, we must clear it every hour.

  1. Edit the root cron file:

    nano /var/spool/cron/root
    
  2. Add this line at the bottom:

    0 * * * * echo "" > /tmp/imunify_strikes.tmp
    
  3. Save and exit.

  4. Important: Reload the cron service so the change takes effect instantly.

    service crond reload
    

Conclusion

Your LiteSpeed server is now feeding malicious IP addresses directly into the Imunify360 “Drop” list in real-time. By implementing this advanced bridge, you ensure that high-volume attacks are stopped at the network level, keeping your legitimate traffic safe and your server CPU usage low.

Protect your assets with Managed VPS Hosting India or scale globally with our premium Cloud Hosting solutions at myglobalHOST.
