SERVER HARDENING
June 24, 2026

How to Detect and Block Malicious Traffic to Your Server

9 min read
Author
CloudStick Team
Backend Developer

Identifying Malicious Traffic

Malicious traffic falls into several categories: automated scanners probing for known vulnerabilities, brute-force login attempts, scrapers hammering your content, DDoS floods, and targeted attacks against specific application endpoints like WordPress's wp-login.php or xmlrpc.php.

The tell-tale signs in logs: a single IP making hundreds of requests per minute, requests to paths that do not exist (scanning for vulnerabilities), HTTP 4xx response floods, and patterns of failed authentication attempts. The first step is reading your logs well enough to spot these patterns.

Analyze Nginx Access Logs

Nginx's access log at /var/log/nginx/access.log records every request. Use standard shell tools to surface the worst offenders:

# Field numbers below assume Nginx's default "combined" log format:
# client IP is field 1, request path field 7, status code field 9
# Top 20 IPs by request volume
awk '{print $1}' /var/log/nginx/access.log | sort | uniq -c | sort -rn | head -20
# Most requested URLs (find scanner targets)
awk '{print $7}' /var/log/nginx/access.log | sort | uniq -c | sort -rn | head -20
# IPs with the most 404 responses (scanner probes); match on the status field,
# because the bare string ' 404 ' also matches a 404-byte response body
awk '$9 == 404 {print $1}' /var/log/nginx/access.log | sort | uniq -c | sort -rn | head -20
# Watch requests as they arrive (Ctrl-C to stop)
sudo tail -f /var/log/nginx/access.log

Block Malicious IPs with UFW

Once you have identified a malicious IP or range, block it at the firewall level. UFW deny rules are evaluated before traffic reaches Nginx — this is more efficient than Nginx-level blocking because it drops packets before your web server has to process them.

# Block a single IP
sudo ufw deny from 192.168.1.100 to any
# Block an IP range (CIDR)
sudo ufw deny from 203.0.113.0/24 to any
# Rules are matched in order and "ufw deny" appends to the end, so if an
# earlier rule such as "allow 80/tcp" already accepts this traffic, put the
# deny in front of it instead: sudo ufw insert 1 deny from 203.0.113.0/24 to any
# List the rules with their numbers to confirm the block
sudo ufw status numbered
# Remove a block rule by the number shown in that list
sudo ufw delete 5
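The two steps above, log analysis and firewall blocking, chained into one script. This is an added example written for this page, not CloudStick's own code. It assumes the default "combined" log format, a constructed sample log embedded inline (addresses from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24, all hypothetical), and thresholds chosen for that sample; it prints the UFW commands rather than running them, and uses "ufw insert 1" so the deny is matched ahead of any existing allow rule.

```shell
#!/bin/sh
# Added example, not CloudStick's code: pick out the IPs that dominate an
# Nginx access log and turn them into UFW deny rules. Assumes the default
# "combined" log format (client IP in field 1, status code in field 9).

# Constructed sample log (hypothetical addresses from the documentation
# ranges 203.0.113.0/24 and 198.51.100.0/24). Note line 5: status 200 with a
# 404-byte body, which a plain grep for ' 404 ' would miscount as a probe.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [24/Jun/2026:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Jun/2026:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Jun/2026:10:00:03 +0000] "GET /.env HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Jun/2026:10:00:04 +0000] "GET /admin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Jun/2026:10:00:05 +0000] "GET /xmlrpc.php HTTP/1.1" 200 404 "-" "Mozilla/5.0"
198.51.100.9 - - [24/Jun/2026:10:00:06 +0000] "GET / HTTP/1.1" 200 4040 "-" "Mozilla/5.0"
198.51.100.9 - - [24/Jun/2026:10:00:07 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
EOF

# Print "count ip" for every IP with more than $2 requests in log $1.
heavy_hitters() {
    awk -v min="$2" '{ n[$1]++ }
        END { for (ip in n) if (n[ip] > min) print n[ip], ip }' "$1" | sort -rn
}

# Print "count ip" for IPs with more than $2 responses whose status field
# is 404; testing the field avoids false hits on a 404-byte response.
scanners() {
    awk -v min="$2" '$9 == 404 { n[$1]++ }
        END { for (ip in n) if (n[ip] > min) print n[ip], ip }' "$1" | sort -rn
}

# Accept only a dotted-quad IPv4 address with an optional /prefix, so that
# nothing copied out of a log line can reach a firewall command unchecked.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9./]*) return 1 ;;   # only digits, dots and one slash allowed
    esac
    printf '%s\n' "$1" | awk -F'[./]' '
        NF < 4 || NF > 5 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        NF == 5 && ($5 !~ /^[0-9]+$/ || $5 > 32) { exit 1 }
        { exit 0 }'
}

# Emit a UFW deny rule for every IP over the threshold. "ufw insert 1" puts
# the deny ahead of earlier rules; a plain "ufw deny" appends and can be
# shadowed by an existing "allow 80/tcp". Commands are printed, not run.
block_plan() {
    heavy_hitters "$1" "$2" | while read -r count ip; do
        if valid_ipv4 "$ip"; then
            printf '%s\n' "sudo ufw insert 1 deny from $ip to any comment 'auto: $count reqs'"
        else
            printf '%s\n' "# skipped unparseable source: $ip" >&2
        fi
    done
}

echo "# IPs with more than 3 requests:"
heavy_hitters "$SAMPLE_LOG" 3
echo "# IPs with more than 1 probe of a missing path:"
scanners "$SAMPLE_LOG" 1
echo "# Firewall plan (review it, then pipe into sh to apply):"
block_plan "$SAMPLE_LOG" 3
```

On a real server, point the functions at /var/log/nginx/access.log and pick thresholds that fit your normal traffic; the ones here only make sense for the seven-line sample. Keeping the output as a printed plan means a bad threshold shows up as a suspicious list rather than as a blocked customer.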

Nginx Rate Limiting

Rate limiting at the Nginx level caps how many requests a single IP can make per second. This is particularly effective against scrapers and brute-force attacks on login endpoints. Add to your Nginx configuration:

# In /etc/nginx/nginx.conf (http block)
# Keyed on the client address: "login" allows 5 requests per minute,
# "general" 30 per second; each zone gets 10 MB of shared memory for state
limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;
limit_req_zone $binary_remote_addr zone=general:10m rate=30r/s;

# In your site server block
# Apply the general limit to the whole site:
limit_req zone=general burst=20 nodelay;
# Block wp-login.php brute-force:
location = /wp-login.php {
    limit_req zone=login burst=3 nodelay;
    # Pass SCRIPT_FILENAME and the other FastCGI parameters (Debian/Ubuntu
    # snippet); without them PHP-FPM cannot run the script
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php8.3-fpm.sock;
}

The burst parameter allows short request spikes above the rate before returning 503 errors. The nodelay option processes burst requests immediately rather than queuing them — better for user-facing pages.
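To make the burst and nodelay behaviour concrete, here is a small model of the leaky bucket that limit_req implements, run against the article's login zone (5r/m, burst=3). It is an added example written for this page, not Nginx code or CloudStick's; the arrival times are constructed, and one simplification is assumed: the drain rate is a floating-point value, whereas Nginx works in integer thousandths, so a request landing exactly on a boundary can be judged differently by the real server.

```shell
#!/bin/sh
# Added example, not from the article: a model of Nginx's limit_req leaky
# bucket, showing which requests in a burst receive a 503 for a given rate
# and burst. Assumption: the drain rate is a float (Nginx uses integer
# thousandths), so boundary cases can differ by one request.
#
# Usage: simulate_limit_req <requests> <per_seconds> <burst>
# Reads one request arrival time (seconds) per line on stdin and prints
# "t=<time> pass" or "t=<time> 503" for each.
simulate_limit_req() {
    awk -v n="$1" -v per="$2" -v burst="$3" '
        BEGIN { rate = n / per; excess = 0; last = 0; first = 1 }
        {
            # The excess drains at "rate" per second since the last accepted
            # request and grows by one for this request. With nodelay an
            # accepted request is served at once instead of being queued.
            e = first ? 0 : excess - rate * ($1 - last) + 1
            if (e < 0) e = 0
            # Over the burst: rejected with 503 and not counted in the bucket
            if (e > burst) { print "t=" $1 " 503"; next }
            excess = e; last = $1; first = 0
            print "t=" $1 " pass"
        }'
}

# Constructed arrival times: five requests one second apart, then one a
# minute later, against the login zone above (5 per minute, burst=3).
CONSTRUCTED_ARRIVALS='0
1
2
3
4
60'

# Runs the constructed burst through the model; returns the per-request verdicts.
rate_limit_demo() {
    printf '%s\n' "$CONSTRUCTED_ARRIVALS" | simulate_limit_req 5 60 3
}

rate_limit_demo
```

The run shows that burst=3 admits one request for the rate itself plus three more, so the fifth request of the one-second burst is the first to get a 503, while the request a minute later passes because the bucket has drained. Without nodelay the same first four requests would be accepted but the three over the rate would be held back and released one every twelve seconds, which is why nodelay is the better fit for a page a human is waiting on.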

Cloudflare for DDoS Protection

For volumetric DDoS attacks, server-level rate limiting is not enough — by the time traffic reaches your server, the bandwidth is already consumed. Cloudflare's free plan provides meaningful DDoS protection by absorbing traffic at their network edge before it reaches your origin server.

Point your domain's DNS to Cloudflare, enable the orange cloud (proxied) for web traffic records, and activate the Web Application Firewall (WAF) rules under the Security tab. Cloudflare's free tier includes OWASP-based WAF rules and bot fight mode — both effective against common attack patterns.

CloudStick Firewall and Cloudflare Integration

CloudStick integrates with Cloudflare's API — you can manage DNS records and toggle proxy status for your domains directly from the CloudStick dashboard. The CloudStick firewall panel also lets you add IP block rules without SSH access, making it straightforward to respond to an active attack by blocking offending ranges while investigating the logs.
