@trabulium
Created March 17, 2024 02:29
Tails the last 5000 lines of the Apache / nginx access log, excludes requests for static assets, and then either blocks the busiest IP on the firewall or challenges it on Cloudflare.
#!/bin/bash
LOG=/var/www/path_to/log/access.log
# Addresses already actioned, one per line.
BLOCKED=/scripts/blocked
# Case-insensitive exclusions: monitors, search bots, API calls, 403s and static assets.
# Each token matches anywhere in the line (URL, referrer or User-Agent), not only the request path.
EXCLUDE="Cloudflare-Healthchecks\|M2ePro\|UptimeRobot\|api\| 403 \|googlebot\|AdsBot-Google\|bing\|png\|jpg\|gif\|svg\|css\|js"
# Busiest client in the last 5000 lines, read as "<count> <ip>" from a single pass.
read -r COUNTS IPADDRESS < <(/usr/bin/tail -5000 "$LOG" | grep -iv "$EXCLUDE" | awk '{print $1}' | sort | uniq -c | sort -rn | head -1)
# geoiplookup prints e.g. "GeoIP Country Edition: NZ, New Zealand"; take the full name after the comma
# so that multi-word countries compare correctly.
COUNTRY=$(/usr/bin/geoiplookup "$IPADDRESS" | grep Country | head -1 | awk -F', ' '{print $2}')
if [[ $COUNTS -gt 75 && $COUNTRY != "Australia" && $COUNTRY != "Japan" && $COUNTRY != "New Zealand" ]]
then
    # -x -F: match the address as a whole line, not as a regex substring.
    if ! grep -qxF "$IPADDRESS" "$BLOCKED"
    then
        echo "$COUNTS"
        echo "$IPADDRESS"
        # X-Auth-Key is the Global API Key: restrict read access to this script.
        /usr/bin/curl -X POST "https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules" \
            -H "X-Auth-Email: <api@user.com>" \
            -H "X-Auth-Key: <auth_key>" \
            -H "Content-Type: application/json" \
            --data '{"mode":"challenge","configuration":{"target":"ip","value":"'"$IPADDRESS"'"},"notes":"Heavy site usage"}'
        #echo "$IPADDRESS from $COUNTRY blocked" | mailx -r "user@email.com" -s "AWS: $IPADDRESS from $COUNTRY blocked on <server>" "user@email.com"
        # Alternative: block at the host firewall instead of challenging on Cloudflare.
        #/usr/sbin/ufw deny from "$IPADDRESS" to any
        echo "$IPADDRESS" >> "$BLOCKED"
    fi
fi
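
Because the script's grep exclusions match anywhere in the log line, a client whose User-Agent or URL merely contains a token such as js is dropped from the count. The following added example (not part of the gist) tallies per log field instead; it assumes the combined access-log format, and the function names, the /api/ path prefix and the sample traffic are constructed for illustration.

```bash
#!/bin/bash
# Added example, not part of the gist. Assumes the "combined" access-log format.

# Print "<count> <ip>" for the busiest client, matching each exclusion against
# the log field it belongs to instead of the whole line.
top_talker() {
  awk -F'"' '
    {
      split($1, pre, " "); ip = pre[1]        # client address
      split($2, req, " "); path = req[2]      # request target
      split($3, st, " ");  status = st[1]     # response status
      ua = tolower($6)                        # User-Agent header
      sub(/\?.*/, "", path)                   # ignore the query string
      if (ip !~ /^[0-9a-fA-F:.]+$/) next      # malformed line
      if (status == "403") next
      if (tolower(path) ~ /\.(png|jpg|gif|svg|css|js)$/) next
      # Assumption: API and M2ePro traffic is identified by its path.
      if (path ~ /^\/api\// || tolower(path) ~ /m2epro/) next
      if (ua ~ /cloudflare-healthchecks|uptimerobot|googlebot|adsbot-google|bingbot/) next
      hits[ip]++
    }
    END { for (ip in hits) print hits[ip], ip }
  ' | sort -k1,1nr -k2,2 | head -n 1
}

# The whole-line substring filter used by the script above, for comparison.
substring_top() {
  grep -iv "Cloudflare-Healthchecks\|M2ePro\|UptimeRobot\|api\| 403 \|googlebot\|AdsBot-Google\|bing\|png\|jpg\|gif\|svg\|css\|js" |
    awk '{print $1}' | sort | uniq -c | sort -rn | head -n 1 | awk '{print $1, $2}'
}

# Constructed sample traffic (documentation address ranges), not real log data.
log_line() {  # args: ip path status user-agent
  printf '%s - - [17/Mar/2024:02:29:00 +0000] "GET %s HTTP/1.1" %s 512 "-" "%s"\n' "$@"
}
sample_log() {
  local i
  for i in 1 2 3 4; do log_line 198.51.100.9 /login 200 "ExampleClient/1.0 (node.js)"; done
  for i in 1 2 3 4 5; do log_line 203.0.113.7 /static/app.js 200 "Mozilla/5.0"; done
  for i in 1 2; do log_line 203.0.113.7 /cart 200 "Mozilla/5.0"; done
  for i in 1 2 3; do log_line 192.0.2.10 / 200 "Googlebot/2.1"; done
  log_line 192.0.2.44 "/search?q=x" 403 "Mozilla/5.0"
}

echo "substring filter: $(sample_log | substring_top)"   # busiest client is filtered out
echo "field-aware:      $(sample_log | top_talker)"
```

On the sample, the substring filter never sees the four /login requests because the client's User-Agent contains "js", while the field-aware tally reports that client as the busiest.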