
How to Auto‑Block Malicious IPs in Nginx with AWK, Shell Script, and Cron

This guide walks you through creating a blockip.conf file, integrating it into Nginx, using AWK to detect IPs with over 60 requests per minute, writing a shell script to generate deny rules, and scheduling the process with cron for automatic IP blocking.

Liangxu Linux

Many personal websites suffer frequent attacks; this tutorial shows how to automatically block offending IP addresses using Nginx, AWK, a shell script, and cron.

Step 1: Create blockip.conf

In the Nginx conf directory, create a file named blockip.conf and list the IPs to deny, for example:

deny 1.2.3.4;

Step 2: Include the file in the HTTP configuration

Add the following line to the Nginx HTTP block:

include blockip.conf;

Step 3: Reload Nginx

After updating the configuration, reload Nginx to apply the changes:

/usr/local/nginx/sbin/nginx -s reload

Automation Idea: Detect high‑frequency IPs

Use AWK to parse access.log, count requests per IP, and select those exceeding 60 requests per minute:

awk '{print $1}' access.log | sort | uniq -c | awk '{if($1>60) print $0}'

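This pipeline extracts the first column (the client IP in Nginx's default log format), sorts and counts occurrences, then keeps only the IPs with a count greater than 60. The count covers every line currently in access.log, so it is a per-minute figure only when the log holds one minute of traffic, which is why the script below empties the log.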

Shell script to generate deny rules

The script clears any previous block file, runs the AWK pipeline, writes appropriate deny directives, reloads Nginx, and clears the access log for the next interval.

#!/bin/sh
# Run from /usr/local/nginx/logs/ (the cron job below changes into it first)
conf=/usr/local/nginx/conf/blockip.conf

# Clear previous block file
: > "$conf"

# Get offending IPs: count requests per IP, keep only the IP column ($2 of
# the "uniq -c" output) for counts above 60
ip_list=$(awk '{print $1}' access.log | sort | uniq -c | awk '$1 > 60 {print $2}')

if [ -z "$ip_list" ]; then
    echo "No offending IPs" >> /usr/local/nginx/logs/11.log
else
    # Write one "deny <ip>;" directive per offending IP; Nginx rejects the
    # file if the trailing semicolon is missing
    for ip in $ip_list; do
        echo "deny $ip;" >> "$conf"
    done
fi

/usr/local/nginx/sbin/nginx -s reload
# Empty the access log on every run so the next count covers one interval only
: > /usr/local/nginx/logs/access.log

Schedule the script with cron

Save the script as ip_test.sh in /usr/local/nginx/logs/, then add a cron job that runs it every minute:

crontab -e
* * * * * cd /usr/local/nginx/logs/ && sh ip_test.sh
systemctl restart crond.service

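With this setup, Nginx will automatically block any IP that makes more than 60 requests per minute, returning a 403 response for the offending address. Because blockip.conf is rebuilt on every run, an address stays blocked only while it keeps exceeding the threshold.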
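
A stricter rule generator for the same setup, as an added example that is not part of the original article: it counts only the requests stamped with one given minute (so access.log does not have to be emptied), lets only IPv4-looking client fields reach the config, skips allowlisted addresses, and reloads only after nginx -t accepts the new file. The function names, the allowlist argument and the sample log lines are assumptions, and the log is assumed to use Nginx's default combined format.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes the default
# "combined" log format: client IP in field 1, "[dd/Mon/yyyy:HH:MM:SS" in field 4.

# gen_deny_rules MINUTE THRESHOLD [ALLOWED_IP...]
# Reads log lines on stdin; prints "deny <ip>;" for every IPv4 client with
# more than THRESHOLD requests stamped within MINUTE ("10/Oct/2024:13:55").
gen_deny_rules() {
    minute=$1; threshold=$2; shift 2
    awk -v minute="$minute" -v max="$threshold" -v allow=" $* " '
        substr($4, 2, length(minute)) == minute { hits[$1]++ }
        END {
            for (ip in hits) {
                if (hits[ip] <= max + 0) continue
                # Only a dotted-quad may reach the Nginx config
                if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) continue
                # Never block allowlisted addresses (own proxy, monitoring)
                if (index(allow, " " ip " ")) continue
                print "deny " ip ";"
            }
        }' | sort
}

# install_rules: stdin becomes blockip.conf; reload only if "nginx -t" accepts
# the configuration, otherwise restore the previous file.
install_rules() {
    conf=/usr/local/nginx/conf/blockip.conf
    cp "$conf" "$conf.bak" || return 1
    cat > "$conf"
    if /usr/local/nginx/sbin/nginx -t; then
        /usr/local/nginx/sbin/nginx -s reload
    else
        mv "$conf.bak" "$conf"
        return 1
    fi
}

# Constructed sample log: in minute 13:55, 5 hits from 203.0.113.7 and 4 from
# 198.51.100.9; in minute 13:54, 5 hits from 192.0.2.1.
sample_log() {
    for s in 0 1 2 3 4; do
        echo "203.0.113.7 - - [10/Oct/2024:13:55:0$s +0000] \"GET / HTTP/1.1\" 200 612"
        echo "192.0.2.1 - - [10/Oct/2024:13:54:0$s +0000] \"GET / HTTP/1.1\" 200 612"
        if [ "$s" -lt 4 ]; then
            echo "198.51.100.9 - - [10/Oct/2024:13:55:1$s +0000] \"GET /a HTTP/1.1\" 200 12"
        fi
    done
}
```

Running sample_log through gen_deny_rules with minute "10/Oct/2024:13:55" and threshold 3 prints deny lines for 198.51.100.9 and 203.0.113.7; on a server, feed it access.log with the previous minute's timestamp and a threshold of 60, and pipe the result into install_rules.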
