I'd really appreciate some help on this, since someone is DDoSing or doing something to cause our server to overload. It happens once a day and always from the same ISP. I've reported it to the abuse email of this ISP but they don't seem to care.

It happens once a day. When I am there to see it I can run a netstat command to see which IP has too many connections and block it with the csf firewall; server load goes down within a minute.

But I can't always be there, and if I am not this could halt the sites for some time. So I'd like to set up a cron job that would execute every minute, check if this is happening and block the IP.

Here is the command I ran to see which IPs have a lot of connections:

Code:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
It gives a list of IPs with the number of connections in front of each. Example:
Code:
50 96.102.102.102
120 92.45.45.45
The IP that is causing the problem always starts with the same numbers at the beginning, as in
92.6x.xx.xx

So what I was hoping to achieve is a script that would execute the netstat command above, grep the IPs that have over 50 connections and start with 92.6,
and do "csf -d 92.6x.xx.xx" to block them.

I know there is already something like this out there called DDoS Deflate, but I've tried it and it created other issues, so I'd need something that would only block IPs with too many connections that are in a specific IP range.

Thanks in advance for any suggestions.
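One way to do what the post asks for, as an added example rather than code from the original post. It re-implements the poster's netstat pipeline in awk (so IPv6 rows, whose Foreign Address column contains more than one colon, are skipped instead of being mangled by `cut -d: -f1`), keeps the poster's threshold of more than 50 connections and the 92.6 prefix, and calls `csf -d` for each match. Assumptions: csf is installed and `csf -d <ip> [comment]` denies an address (the optional comment argument is taken from csf's usage text); the script name `block_flood.sh`, the log path and the `DRY_RUN`/`THRESHOLD`/`PREFIX` variables are made up for this example, and the netstat output in `sample_netstat` is constructed for a dry run.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumes csf is installed and that
# "csf -d <ip> [comment]" denies an address.

THRESHOLD="${THRESHOLD:-50}"            # block when an IP has MORE than this many connections
PREFIX="${PREFIX:-92.6}"                # only act on addresses in this range (the poster's 92.6x.xx.xx)
NETSTAT_CMD="${NETSTAT_CMD:-netstat -ntu}"
DRY_RUN="${DRY_RUN:-0}"                 # 1 = print the csf command instead of running it

# Read "netstat -ntu" output on stdin and print "count ip" for every remote
# IPv4 address with more than THRESHOLD connections whose address starts
# with PREFIX. The two header lines and IPv6 rows are skipped.
find_offenders() {
    awk -v thr="$THRESHOLD" -v pfx="$PREFIX" '
        NR > 2 && $5 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:/ {
            split($5, parts, ":")     # parts[1] is the remote IP, parts[2] the port
            count[parts[1]]++
        }
        END {
            for (ip in count)
                if (count[ip] > thr && index(ip, pfx) == 1)
                    print count[ip], ip
        }
    ' | sort -n
}

# Run the netstat command, find offenders and deny each one with csf.
# Meant to be called from cron once a minute, e.g.
#   * * * * * /usr/local/sbin/block_flood.sh run >> /var/log/block_flood.log 2>&1
block_offenders() {
    $NETSTAT_CMD | find_offenders | while read -r count ip; do
        echo "$(date '+%F %T') blocking $ip ($count connections)"
        if [ "$DRY_RUN" = "1" ]; then
            echo "csf -d $ip"
        else
            csf -d "$ip" "auto-blocked: $count connections"
        fi
    done
}

# Constructed netstat -ntu output for testing this script offline:
# 60 connections from 92.61.10.10 (should be blocked), 55 from
# 96.102.102.102 (over the threshold but outside the prefix), 30 from
# 92.62.1.1 (inside the prefix but under the threshold) and two IPv6 rows.
sample_netstat() {
    echo "Active Internet connections (w/o servers)"
    echo "Proto Recv-Q Send-Q Local Address           Foreign Address         State"
    i=0
    while [ "$i" -lt 60 ]; do
        echo "tcp        0      0 10.0.0.5:80             92.61.10.10:$((40000 + i))       ESTABLISHED"
        i=$((i + 1))
    done
    i=0
    while [ "$i" -lt 55 ]; do
        echo "tcp        0      0 10.0.0.5:80             96.102.102.102:$((50000 + i))    ESTABLISHED"
        i=$((i + 1))
    done
    i=0
    while [ "$i" -lt 30 ]; do
        echo "udp        0      0 10.0.0.5:53             92.62.1.1:$((30000 + i))         ESTABLISHED"
        i=$((i + 1))
    done
    echo "tcp6       0      0 ::1:80                  ::1:55555               ESTABLISHED"
    echo "tcp6       0      0 2001:db8::5:80          2001:db8::9:44444       TIME_WAIT"
}

# Only act when explicitly asked to ("run" argument), so that sourcing or
# executing the file without arguments does not touch the firewall.
if [ "${1:-}" = "run" ]; then
    block_offenders
fi
```

Try it first with `DRY_RUN=1 NETSTAT_CMD=sample_netstat sh block_flood.sh run` to see which addresses would be denied, then point cron at it with the real netstat. Note that csf's own deny list has a size limit (`DENY_IP_LIMIT` in csf.conf), so a cron job that adds an entry every day should be paired with removing old entries, for example via `csf -dr` or csf's temporary block `csf -td` instead of the permanent `csf -d`.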