1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Dismiss Notice

Welcome To SNBForums

SNBForums is a community for anyone who wants to learn about or discuss the latest in wireless routers, network storage and the ins and outs of building and maintaining a small network.

If you'd like to post a question, simply register and have at it!

While you're at it, please check out SmallNetBuilder for product reviews and our famous Router Charts, Ranker and plenty more!

Script to block DoS IP addresses reported in the log

Discussion in 'NETGEAR AC Wireless' started by multicast, Mar 14, 2019.

  1. multicast

    multicast Occasional Visitor

    Feb 7, 2019
    Hi everyone

    Just in case someone need it, I wrote a script to block the IP addresses reported as DoS attacks in the log for the R9000 using Voxel's firmware, just add it to your crontab and have it run hourly, it will capture all the IPs reported and block them in the INPUT filter in IPTABLES

    add in crontab

    0 * * * * * /root/shieldup.sh attackers.txt


    *note: remove .txt from the extension.

    Attached Files:

    Last edited: Mar 14, 2019
    L&LD likes this.
  2. Lexyan

    Lexyan New Around Here

    Jul 29, 2018
    Hello multicast,

    thanks for the script, just a little comment :
    - when you filter local ip adress with sed you must escape the dot in the regex
    - to store list of ip to block you use 3 files "/root/attackers.txt" "attackers.txt" and "$1" (first argument on cli) => probably the same file but its better to stick to the same naming,
    - to filter dns server, you can read resolver file instead of hardcoding your dns in the script
    - your file contain many spaces at end of line and on new line, i have removed them

    The update script is attached, the cli argument $1 is use if you want to provide additional ip to block

    *note: remove .txt from the extension.

    Attached Files:

  3. kamoj

    kamoj Senior Member

    May 12, 2017
  4. percy3

    percy3 Regular Contributor

    Sep 21, 2018
    Also be careful with false positives. I've attempted to check a few IPs from log and most of them were WhatsApp and Facebook related.