Ghosted

Ultimate Imunify360 Threat Blocker Guide

Automatically Block Hackers, Malware, and Botnets with Advanced Threat Intelligence

✓ Production Tested ✓ 10,000+ IPs Blocked ✓ Daily Auto-Updates

Protect Your Server with Enterprise-Grade Threat Intelligence

In today’s digital landscape, servers face constant threats from hackers, malware, and botnets. This comprehensive guide shows you how to implement an automated threat blocking system using Imunify360 that protects your server 24/7.

What This Guide Covers: You’ll learn how to set up an automated system that downloads threat intelligence from multiple trusted sources and automatically blocks malicious IPs before they can harm your server. The system updates itself daily, ensuring you’re always protected against the latest threats.

Automated Protection

Set it once and forget it – updates run automatically every night

Multiple Threat Sources

Blocks threats from 5 trusted security intelligence providers

Proven Results

Typically blocks 8,000-12,000 malicious IPs on first run

Low Resource Usage

Efficient processing – daily updates take only 2-5 minutes

Step 1: Connect to Your Server via SSH

What This Step Does: Establishes a secure connection to your server so you can run commands and install the threat blocker. SSH (Secure Shell) provides encrypted access to your server’s command line.

First, you’ll need to connect to your server using SSH:

ssh root@your-server-ip

Need a Secure Server or Help Getting Started?

If you don’t have a server yet or need assistance with server setup, reach out to Ghosted.com. We provide managed hosting solutions with Imunify360 pre-installed and expert support to get you started.

Step 2: Create the Advanced Threat Blocker Script

What This Step Does: Creates a sophisticated bash script on your server that will handle all the threat blocking automation. This script downloads threat lists from multiple security providers, processes the IP addresses, and adds them to Imunify360’s blacklist. The script includes error handling, progress tracking, and detailed logging.

Copy this entire command block and paste it into your SSH session:

cat > /usr/local/bin/threat_blocker_v2.sh << 'ENDOFSCRIPT'
#!/bin/bash

# Advanced Threat Blocker for Imunify360 - Version 2.0
# Developed by Ghosted.com Security Team
# Blocks hackers, malware, botnets from multiple threat intelligence sources

LOG_FILE="/var/log/imunify360_threat_blocker.log"
TEMP_DIR="/tmp/threat_blocklists"

# Create required directories
mkdir -p "$TEMP_DIR"
mkdir -p "$(dirname "$LOG_FILE")"

# Logging function with timestamps
log_message() {
    echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" | tee -a "$LOG_FILE"
}

log_message "========================================="
log_message "Starting Threat Blocker Update v2.0"
log_message "Powered by Ghosted.com"
log_message "========================================="

TOTAL_NEW=0

# Process threat intelligence lists
process_list() {
    local name="$1"
    local url="$2"
    local description="$3"
    local file="$TEMP_DIR/${name}.txt"

    log_message "Processing $name: $description"

    # Download threat list with error handling
    if curl -s -f -m 60 "$url" -o "$file" 2>/dev/null; then
        # Count total IPs in downloaded file
        local total_in_file
        total_in_file=$(grep -cE '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' "$file")
        log_message "  Found $total_in_file IPs in $name list"

        # Initialize counters
        local added=0
        local already_blocked=0
        local processed=0
        local ip result

        # Process each IP address. The loop reads from a process substitution
        # instead of a pipe: a piped "while" runs in a subshell and would lose
        # the counters, so the "Result:" line would always report 0 already blocked.
        while IFS= read -r ip; do
            [ -n "$ip" ] || continue

            # Add IP to Imunify360 blacklist
            result=$(imunify360-agent blacklist ip add "$ip" --comment "THREAT:$name" 2>&1)

            # Any response other than "already blacklisted" is counted as added
            if echo "$result" | grep -q "already"; then
                already_blocked=$((already_blocked + 1))
            else
                added=$((added + 1))
            fi

            processed=$((processed + 1))

            # Progress update every 100 IPs
            if [ $((processed % 100)) -eq 0 ]; then
                echo "  Processed $processed/$total_in_file IPs (Added: $added, Already blocked: $already_blocked)"
            fi
        done < <(grep -E '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' "$file" | \
                 cut -d' ' -f1 | cut -d';' -f1 | cut -d'#' -f1 | cut -d',' -f1 | \
                 sed 's/[[:space:]]*$//' | grep -v '^$')

        log_message "  Result: Added $added new IPs, $already_blocked were already blocked"
        TOTAL_NEW=$((TOTAL_NEW + added))
    else
        log_message "  ERROR: Failed to download $name list"
    fi

    rm -f "$file"
}

# Process all threat intelligence sources
log_message "Downloading threat intelligence from multiple sources..."

# 1. Emerging Threats - Compromised IPs from last 24 hours
process_list "EmergingThreats" \
    "https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt" \
    "Compromised IPs from last 24 hours"

# 2. Feodo Tracker - Banking Trojans and Malware C&C
process_list "Feodo" \
    "https://feodotracker.abuse.ch/downloads/ipblocklist.txt" \
    "Banking trojans and malware command & control servers"

# 3. GreenSnow - Active attackers caught in real-time
process_list "GreenSnow" \
    "https://blocklist.greensnow.co/greensnow.txt" \
    "IPs caught attacking servers in real-time"

# 4. Blocklist.de Strong IPs - Aggressive attackers
process_list "BlocklistDE" \
    "https://lists.blocklist.de/lists/strongips.txt" \
    "Aggressive attackers and vulnerability scanners"

# 5. Spamhaus DROP - Hijacked IP blocks
process_list "SpamhausDROP" \
    "https://www.spamhaus.org/drop/drop.txt" \
    "Hijacked IP blocks and criminal networks"

# Clean up temporary directory
rm -rf "$TEMP_DIR"

# Final summary
log_message "========================================="
log_message "Update Complete!"
log_message "Total new threat IPs blocked: $TOTAL_NEW"
log_message "Server protected by Ghosted.com Security"
log_message "========================================="

# Update Imunify360 console log
echo "[$(date)] Threat blocker: $TOTAL_NEW new malicious IPs blocked" >> /var/log/imunify360/console.log 2>/dev/null

exit 0
ENDOFSCRIPT

# Make the script executable
chmod +x /usr/local/bin/threat_blocker_v2.sh

echo "✓ Threat blocker script created successfully!"
echo "✓ Created by Ghosted.com Security Team"
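The script's cut chain tolerates several feed line styles, but its regex accepts any one-to-three-digit octets, so a malformed line would be handed to imunify360-agent as-is. The following is an added example (not part of the Ghosted.com script; the function names extract_ips, clean_ips and clean_count and the feed excerpt are constructed for it) that runs the same cleaning over sample lines and adds octet and prefix validation plus deduplication, without calling imunify360-agent:

```shell
#!/bin/bash
# Added example, not part of the Ghosted.com script. extract_ips reproduces the
# script's line-cleaning (skip comment lines, strip " ", ";", "#", "," suffixes,
# trailing whitespace) and adds what the script's regex does not check: every
# octet must be 0-255, an optional /prefix must be 0-32, and duplicates are
# dropped so each IP would be submitted to the blacklist only once.
extract_ips() {
    grep -E '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' |
    cut -d' ' -f1 | cut -d';' -f1 | cut -d'#' -f1 | cut -d',' -f1 |
    sed 's/[[:space:]]*$//' |
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' |
    awk -F'[./]' '
        # $1-$4 are the octets; $5, when present, is the CIDR prefix
        $1 > 255 || $2 > 255 || $3 > 255 || $4 > 255 { next }
        NF == 5 && $5 > 32 { next }
        !seen[$0]++ { print }
    '
}

# Constructed feed excerpt (RFC 5737 documentation ranges) mixing the line
# styles the cut chain handles: comment lines, "ip/prefix ; note", "ip # note",
# a duplicate entry, an impossible octet and an impossible prefix.
FEED_SAMPLE='# constructed feed excerpt for this example
# Last updated: 2024-01-01
203.0.113.5
203.0.113.5
198.51.100.0/24 ; SBL000000
192.0.2.77 # scanner seen twice
999.1.1.1
192.0.2.10/33'

# clean_ips: the sample run through the filter, one entry per line
clean_ips() {
    printf '%s\n' "$FEED_SAMPLE" | extract_ips
}

# clean_count: how many entries would actually be sent to the blacklist
clean_count() {
    clean_ips | wc -l | tr -d ' '
}

clean_ips
```

Of the eight sample lines, three survive: 203.0.113.5, 198.51.100.0/24 and 192.0.2.77; the impossible octet, the /33 prefix and the duplicate are dropped before they reach the agent.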

Step 3: Execute Initial Threat Blocking Run

What This Step Does: Runs the threat blocker script for the first time. This initial run downloads all threat lists and processes thousands of malicious IP addresses. The script will show progress updates as it works through each list, adding bad IPs to your server’s blacklist.

Run the script to start protecting your server:

/usr/local/bin/threat_blocker_v2.sh

⏱️ Expected Runtime: The first run typically takes 15-30 minutes as it processes 8,000-12,000 malicious IPs. You’ll see progress updates every 100 IPs. Daily updates are much faster (2-5 minutes) as they only process new threats.

Step 4: Configure Automatic Daily Updates (Cron Job)

What This Step Does: Sets up a cron job (scheduled task) that runs the threat blocker automatically every night at 2 AM. This ensures your server stays protected against new threats without any manual intervention. The cron system is Linux’s built-in task scheduler that runs commands at specified times.

Set up automatic nightly updates to keep your protection current:

# Add cron job for 2 AM daily updates
(crontab -l 2>/dev/null | grep -v "threat_blocker"; echo "0 2 * * * /usr/local/bin/threat_blocker_v2.sh >/dev/null 2>&1") | crontab -

# Verify the cron job was added successfully
echo "Checking scheduled jobs:"
crontab -l | grep threat_blocker || echo "No cron job found - please try again"

🕐 Why Run at 2 AM? Running security updates during off-peak hours (2-4 AM) is a best practice because:
  • Minimal server load – fewer visitors and processes running
  • Doesn’t impact business operations or user experience
  • Network bandwidth is typically less congested
  • Allows time for updates to complete before business hours

⚙️ Customizing the Schedule Time

If you need to change the update time, modify the cron schedule. The format is: minute hour * * *

Examples of different times:

# For 3 AM instead of 2 AM:
(crontab -l 2>/dev/null | grep -v "threat_blocker"; echo "0 3 * * * /usr/local/bin/threat_blocker_v2.sh >/dev/null 2>&1") | crontab -

# For 4 AM:
(crontab -l 2>/dev/null | grep -v "threat_blocker"; echo "0 4 * * * /usr/local/bin/threat_blocker_v2.sh >/dev/null 2>&1") | crontab -

# For 1 AM:
(crontab -l 2>/dev/null | grep -v "threat_blocker"; echo "0 1 * * * /usr/local/bin/threat_blocker_v2.sh >/dev/null 2>&1") | crontab -

# To check your server's current time zone:
date
timedatectl

Cron Time Format Explained:

  • 0 = Minutes (0-59)
  • 2 = Hour (0-23, where 2 = 2 AM)
  • * = Every day of month
  • * = Every month
  • * = Every day of week

✅ After This Step: Your server will automatically update its threat protection every night, downloading the latest malicious IPs and adding them to the blacklist while your server has minimal traffic.

Step 5: Verify Protection Status

What This Step Does: Runs a series of verification commands to confirm the threat blocker is working correctly. These commands show you how many malicious IPs are blocked, which threat sources are active, and confirm that automatic updates are scheduled.

Run these verification commands to confirm everything is working:

# Check 1: Total count of blocked threat IPs
echo "=== Ghosted.com Threat Protection Status ==="
echo "Total malicious IPs blocked: $(imunify360-agent blacklist ip list | grep "THREAT:" | wc -l)"

# Check 2: Breakdown by threat intelligence source
echo -e "\nThreat IPs by source:"
imunify360-agent blacklist ip list | grep "THREAT:" | awk -F: '{print "  "$2}' | sort | uniq -c | sort -nr

# Check 3: Sample of recently blocked threats
echo -e "\nSample blocked threat IPs:"
imunify360-agent blacklist ip list | grep "THREAT:" | tail -10

# Check 4: Verify automatic updates are scheduled
echo -e "\nAutomatic update schedule:"
crontab -l | grep threat_blocker || echo "  WARNING: No cron job found!"

# Check 5: Review the activity log (filter first, then show the last 10 matching lines,
# so results are not hidden by the progress lines at the end of the log)
echo -e "\nRecent threat blocker activity:"
grep -E "Update Complete|Result:|ERROR" /var/log/imunify360_threat_blocker.log | tail -10

# Check 6: System protection summary
echo -e "\n=== Protection Summary ==="
echo "✓ Threat blocker installed: Yes"
echo "✓ Automatic updates: $(crontab -l | grep -q threat_blocker && echo 'Enabled (2 AM daily)' || echo 'Not configured')"
echo "✓ Protected by: Ghosted.com Security Solutions"

✅ Expected Results After Successful Setup:

  • Total blocked IPs: 8,000-12,000 malicious IPs
  • Threat sources active: 5 different providers (EmergingThreats, Feodo, GreenSnow, BlocklistDE, SpamhausDROP)
  • Automatic updates: Scheduled for 2:00 AM daily
  • Log file: Shows “Update Complete!” message
  • Server status: Protected against known threats

📊 Threat Intelligence Sources Explained

Your server is now protected by multiple layers of threat intelligence from industry-leading security providers:

Source          | What It Blocks                                      | Update Frequency  | Typical IP Count
----------------|-----------------------------------------------------|-------------------|-----------------
EmergingThreats | Compromised computers and active malware infections | Every 5 minutes   | ~1,500 IPs
Feodo Tracker   | Banking trojans, ransomware C&C servers             | Every 5 minutes   | ~6,000 IPs
GreenSnow       | Real-time attackers caught in honeypots             | Real-time updates | ~2,000 IPs
Blocklist.de    | Aggressive scanners and brute force attackers       | Every 2 hours     | ~300 IPs
Spamhaus DROP   | Hijacked networks and criminal infrastructure       | Daily             | ~1,500 IP ranges

🛠️ Server Management Commands

Use these commands to manage and monitor your threat protection:

# View current protection statistics
imunify360-agent blacklist ip list | grep "THREAT:" | wc -l

# Run manual threat update (if needed)
/usr/local/bin/threat_blocker_v2.sh

# Monitor threat blocker activity in real-time
tail -f /var/log/imunify360_threat_blocker.log

# Search for specific threat source
imunify360-agent blacklist ip list | grep "THREAT:Feodo"

# Check if a specific IP is blocked (-F treats the dots literally, -w requires a
# whole-address match, so 1.2.3.4 does not also match 11.2.3.4 or 1.2.3.45)
imunify360-agent blacklist ip list | grep -Fw "1.2.3.4"

# Remove automatic updates (if needed)
crontab -l | grep -v "threat_blocker" | crontab -

# View Imunify360 service status
systemctl status imunify360

# Emergency: Remove all threat blocks (use with caution)
# imunify360-agent blacklist ip list | grep "THREAT:" | awk '{print $1}' | \
# while read ip; do imunify360-agent blacklist ip delete "$ip"; done

Need Professional Server Security Management?

If you need assistance implementing this threat blocker or want managed security services, contact Ghosted.com. Our security experts can help protect your infrastructure with enterprise-grade solutions.
