Script to block DoS IP addresses reported in the log

multicast

Regular Contributor
Hi everyone

Just in case someone needs it, I wrote a script to block the IP addresses reported as DoS attacks in the log for the R9000 using Voxel's firmware. Just add it to your crontab and have it run hourly; it will capture all the IPs reported and block them in the INPUT filter in IPTABLES.

Add in crontab:

0 * * * * /root/shieldup.sh attackers.txt

Enjoy!


*note: remove .txt from the extension.
 

Attachments

  • shieldup.sh.txt
    5.9 KB · Views: 545
Hello multicast,

Thanks for the script, just a few comments:
- when you filter local IP addresses with sed, you must escape the dot in the regex
- to store the list of IPs to block you use 3 files, "/root/attackers.txt", "attackers.txt" and "$1" (first argument on the CLI) => probably the same file, but it's better to stick to the same naming
- to filter DNS servers, you can read the resolver file instead of hardcoding your DNS in the script
- your file contains many spaces at the end of lines and on new lines; I have removed them

The updated script is attached; the CLI argument $1 is used if you want to provide additional IPs to block.

*note: remove .txt from the extension.
 

Attachments

  • shieldup.v2.sh.txt
    1.2 KB · Views: 491
Also be careful with false positives. I've attempted to check a few IPs from the log and most of them were WhatsApp and Facebook related.
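The review points raised in this thread (escaped dots in the local-address filter, DNS servers read from the resolver file) and the false-positive warning, as an added sketch that is not the attached shieldup.sh or shieldup.v2.sh. The log line format, the sample addresses and all function names are assumptions; the script prints the iptables rules as a dry run instead of applying them.

```shell
#!/bin/sh
# Added example, not the attached shieldup.sh. Log format is an assumption.

# Constructed sample log lines.
SAMPLE_LOG='[DoS Attack: ACK Scan] from source: 100.64.0.1, port 443, Monday, January 01, 2018 10:00:00
[DoS Attack: ACK Scan] from source: 192.168.1.20, port 5353, Monday, January 01, 2018 10:00:05
[DoS Attack: RST Scan] from source: 10.0.0.7, port 80, Monday, January 01, 2018 10:00:09
[DoS Attack: ACK Scan] from source: 203.0.113.9, port 443, Monday, January 01, 2018 10:01:00
[DoS Attack: ACK Scan] from source: 203.0.113.9, port 443, Monday, January 01, 2018 10:02:00
[DoS Attack: ACK Scan] from source: 198.51.100.53, port 53, Monday, January 01, 2018 10:03:00'
# Constructed resolver file content (resolv.conf syntax).
SAMPLE_RESOLV='nameserver 198.51.100.53
nameserver 192.168.1.1'

# Pull the source address out of each DoS line, de-duplicated.
extract_sources() {
    sed -n 's/.*\[DoS Attack:.*from source: \([0-9][0-9.]*\),.*/\1/p' | sort -u
}

# Drop loopback and RFC 1918 ranges. The dots are escaped: an unescaped
# '^10.' also matches 100.x to 109.x and would drop 100.64.0.1 unnoticed.
drop_local() {
    sed -e '/^127\./d' -e '/^10\./d' -e '/^192\.168\./d' \
        -e '/^172\.1[6-9]\./d' -e '/^172\.2[0-9]\./d' -e '/^172\.3[01]\./d'
}

# Drop every address the resolver file ($1) lists as a nameserver.
drop_resolvers() {
    dns=$(awk '$1 == "nameserver" { printf "%s ", $2 }' "$1")
    awk -v dns="$dns" 'BEGIN { n = split(dns, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        !($1 in skip)'
}

# Log on stdin, resolver file as $1, block candidates on stdout.
block_candidates() {
    extract_sources | drop_local | drop_resolvers "$1"
}

# Dry run: print the rules instead of applying them, so the list can be
# reviewed for false positives first.
print_rules() {
    while read -r ip; do
        echo "iptables -I INPUT -s $ip -j DROP"
    done
}

resolv=$(mktemp)
printf '%s\n' "$SAMPLE_RESOLV" > "$resolv"
printf '%s\n' "$SAMPLE_LOG" | block_candidates "$resolv" | print_rules
rm -f "$resolv"
```
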
 
