How to Automatically Block IPs in Nginx Using AWK, Shell Scripts, and Cron

Create a blockip.conf file in the Nginx conf directory and list IPs to deny, for example deny 1.2.3.4;. Include this file in the HTTP block with include blockips.conf; and reload Nginx using /usr/local/nginx/sbin/nginx -s reload to see 403 responses.

To automate blocking, use AWK to parse access.log, count requests per IP per minute, and output IPs with more than 60 hits.

awk '{print $1}' access.log | sort | uniq -c | awk '{if($1>60) print $0}'

Write a shell script that clears the previous block list, runs the AWK command, writes deny lines to blockip.conf, reloads Nginx, and clears the access log.

# clear previous block list
 echo "" > /usr/local/nginx/conf/blockip.conf
# get offending IPs
 ip_list=$(awk '{print $1}' access.log | sort | uniq -c | awk '{if($1>60) print $0}')
if test -z "$ip_list"; then
    echo "empty" >> /usr/local/nginx/logs/11.log
    /usr/local/nginx/sbin/nginx -s reload
else
    echo "deny $ip_list" > /usr/local/nginx/conf/blockip.conf
    ip_list2=$(awk '{print $3}' /usr/local/nginx/conf/blockip.conf)
    echo "deny $ip_list2;" > /usr/local/nginx/conf/blockip.conf
    /usr/local/nginx/sbin/nginx -s reload
    echo "" > /usr/local/nginx/logs/access.log
fi

Schedule the script with crontab to run every minute.

crontab -e
* * * * * cd /usr/local/nginx/logs/ && sh ip_test.sh
systemctl restart crond.service