Block 404 🚫 Attack Bots with Fail2Ban (CyberPanel / OpenLiteSpeed)

Posted by sudo
fail2ban
Fail2ban cyberpanel

In this tutorial, I’ll show you how I used Fail2Ban with CyberPanel and OpenLiteSpeed to catch and block IPs automatically, stopping the bad traffic that was hurting my server. I noticed bots were hitting my site with random links, causing a lot of 404 errors. It wasn’t just annoying—it started slowing things down like a mini DDoS attack.

Step 1: Install Fail2Ban

Install fail2ban using your distro’s package manager:

Debian/Ubuntu: 

sudo apt install fail2ban

RHEL/CentOS/AlmaLinux/Rocky:

sudo dnf install fail2ban

Step 2: Create Fail2Ban Filter for 404s

Create a custom filter file:

sudo nano /etc/fail2ban/filter.d/cyberpanel-404.conf

Add this content:

[Definition]
failregex = <HOST> -.*"(GET|POST).*" (404)
ignoreregex =

This regex matches any 404 error regardless of the URL.

📁 Step 3: Configure Jail

Edit (or create) the jail.local file:

sudo nano /etc/fail2ban/jail.local

Add this jail configuration:

[cyberpanel-404]
enabled     = true
port        = http,https
filter      = cyberpanel-404
logpath     = /usr/local/lsws/logs/access.log
             /usr/local/lsws/logs/error.log
maxretry    = 3
findtime    = 60
bantime     = 3600  # 1 hour
#ignoring localhost IPs and some cloudflare IPs if you are using cloudflare CDN
ignoreip    = 127.0.0.1/8 ::1
              173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22
              141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20
              197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13
              104.24.0.0/14 172.64.0.0/13 131.0.72.0/22 2400:cb00::/32
              2606:4700::/32 2803:f800::/32 2405:b500::/32 2405:8100::/32
              2a06:98c0::/29 2c0f:f248::/32
action      = iptables-multiport[name=cyberpanel-404-403, port="http,https", protocol=tcp]

📂 Common Log Paths for CyberPanel (OpenLiteSpeed)

You can adjust logpath based on where your logs are stored:

  • Default CyberPanel (OpenLiteSpeed):
    • /usr/local/lsws/logs/access.log
    • /usr/local/lsws/logs/error.log
  • Some alternate locations (depending on customization):
    • /usr/local/lsws/logs/ (check files here)
    • /home/yourdomain.com/logs/ (if using vhosts or custom logging)

You can monitor more domains by adding their access.log paths if needed. Although cyberpanel only seem to record 404 requests in access.log I have still added error.log you can decide to skip it if you want from your jail.

Step 4: Restart Fail2Ban

sudo systemctl restart fail2ban

Check if the jail is active:

sudo fail2ban-client status

Fail2ban list banned ips and status for our jail

sudo fail2ban-client status cyberpanel-404

🧪 Test

Trigger a few 404s from a remote IP (e.g., curl a few fake URLs quickly):

curl https://yourdomain.com/notfound123
curl https://yourdomain.com/ghost
curl https://yourdomain.com/fakeadmin

After 3 hits in 60 seconds, the IP should be banned.

Some Caution

As Doctor Strange would say: Warnings come after the spell.
So here it is—this setup will block any IP that hits too many 404s fast, even if it’s not a bot.

Also, it only works on 404s caught by the web server, not your app (like WordPress or Laravel). If your app handles 404s, you’ll need to log those separately and set up a custom rule.

Tags: