
@snapo
Created June 12, 2024 00:49
UFW: automatically block IPs that are infected, create high CPU usage, and always request the same wp-json endpoint even though it doesn't exist.
#!/bin/bash
# Web server access log to scan. The path is relative, so it is resolved
# against the directory the script is started from.
ACCESS_LOG='access.log'
# File that accumulates the de-duplicated client addresses between runs.
# Also relative to the current directory.
IP_LIST='ip_list.txt'
# Function to extract IP addresses and add them to the IP list
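extract_ips() {
  # Append the first field of every log line that mentions "wp-json" to
  # IP_LIST, then sort IP_LIST in place and drop duplicates.
  # Globals:  ACCESS_LOG (read), IP_LIST (appended to, then rewritten)
  # Outputs:  progress messages on stdout, errors on stderr
  # Returns:  0 on success, 1 if the log cannot be read or the list written
  #
  # NOTE(review): "wp-json" is matched anywhere in the line, so a hit in the
  # referrer or user-agent column counts too, and so does any client that
  # legitimately uses the WordPress REST API. Review the list before blocking.
  # NOTE(review): assumes field 1 is the client address; behind a reverse
  # proxy or CDN it is presumably the proxy's address. Confirm the log format.
  echo "Extracting IP addresses from $ACCESS_LOG..."

  # The value ends up as an argument to a firewall rule, so keep only tokens
  # shaped like an IPv4/IPv6 address (hex digits, dots, colons, and at least
  # one separator). This is a sanity filter, not full address validation.
  if ! awk '/wp-json/ && $1 ~ /^[0-9A-Fa-f:.]+$/ && $1 ~ /[.:]/ {print $1}' \
    "$ACCESS_LOG" >> "$IP_LIST"; then
    echo "Error: could not read $ACCESS_LOG or write $IP_LIST" >&2
    return 1
  fi

  # Sort and remove duplicates in place.
  if ! sort -u -o "$IP_LIST" "$IP_LIST"; then
    echo "Error: could not sort $IP_LIST" >&2
    return 1
  fi
  echo "Unique IP addresses written to $IP_LIST"
}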
# Function to add unique IP addresses to the UFW deny list
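block_ips() {
  # Rebuild the UFW rule set from scratch: deny every address in IP_LIST,
  # then allow 22/tcp and 80/tcp, then enable the firewall.
  # Globals:  IP_LIST (read)
  # Outputs:  progress messages on stdout, warnings/errors on stderr
  # Returns:  1 if the reset fails, otherwise the status of "ufw --force enable"
  #
  # Caveats for operators:
  #  - "ufw --force reset" discards ALL existing rules. Afterwards only
  #    22/tcp and 80/tcp are allowed; any other service (for example 443/tcp)
  #    must be re-added by hand.
  #  - The reset also disables the firewall, so the host is unfiltered until
  #    the final "enable" below.
  #  - Deny rules are added before the allow rules on purpose: UFW evaluates
  #    rules in order, so a listed address is refused on SSH as well. Make
  #    sure your own management address is not in IP_LIST before running.
  local ip
  # Address-shaped tokens only: hex digits, dots and colons, optional /prefix.
  local -r addr_re='^[0-9A-Fa-f:.]+(/[0-9]{1,3})?$'

  echo "Adding unique IP addresses to the UFW deny list..."

  # Stop here if the reset fails (typically: not running as root) instead of
  # stacking new rules on top of an unknown state.
  if ! ufw --force reset; then
    echo "Error: ufw reset failed; not adding rules." >&2
    return 1
  fi
  echo "Reset UFW firewall done..."
  ufw default deny incoming

  # Add deny rules for the listed addresses.
  while read -r ip || [[ -n "$ip" ]]; do
    # The list may have been edited by hand or written by an older run; a
    # malformed entry must not turn into an unintended firewall rule.
    if [[ ! "$ip" =~ $addr_re || "$ip" != *[.:]* ]]; then
      [[ -z "$ip" ]] || echo "Skipping entry that is not an IP address: $ip" >&2
      continue
    fi
    if ufw deny from "$ip"; then
      echo "Blocked IP address: $ip"
    else
      echo "Warning: could not add deny rule for $ip" >&2
    fi
  done < "$IP_LIST"

  # Allow rules for ports 22 and 80 go after the deny rules (see above).
  ufw allow 22/tcp
  echo "Allowed port: 22/tcp"
  ufw allow 80/tcp
  echo "Allowed port: 80/tcp"

  # Enable UFW without prompting for confirmation.
  ufw --force enable
}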
# Check if the access log file exists
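# One-shot run: scan the log once, then rebuild the firewall rules.
# Exits non-zero when the log is missing or extraction fails, so that a
# cron job or wrapper script can detect that nothing was blocked.
if [ ! -f "$ACCESS_LOG" ]; then
  echo "Error: $ACCESS_LOG not found in the current directory." >&2
  exit 1
fi

echo "Monitoring $ACCESS_LOG for /wp-json/ requests..."
# Extract IP addresses from the log file. Do not reset the firewall if
# extraction reports a failure.
extract_ips || exit 1
# Block unique IP addresses; the script's exit status is block_ips' status.
block_ips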