gemcneill Posted February 9, 2011

Hey guys, I am looking for a way to create a script to block an IP address using IPSec after it has too many connections from one IP. As you may know there is an issue with SoF2 and the getstatus command. Basically they spoof an IP and then send a shit ton of getstatus requests to the server, and it floods the real IP. I have found a script to add an IPSec rule to block an IP.

REM © Microsoft Corporation 1997-2003
REM Packet Filters for Server Hardening
REM
REM Name: PacketFilters-ServerHost.CMD
REM Version: 1.0
REM This CMD file provides the proper NETSH syntax for creating an IPSec Policy
REM that blocks all network traffic to an SMTP Bastion Host except for what is
REM explicitly allowed as described in the Windows 2003 Server Solution Guide.
REM Please read the entire guide before using this CMD file.
REM Revision History
REM 0000 - Original March 21, 2003
REM 0001 - Original April 16, 2003

:IPSec Policy Definition
netsh ipsec static add policy name="Packet Filters - Your Web Host" description="Server Hardening Policy" assign=no

:IPSec Filter List Definitions
netsh ipsec static add filterlist name="Banned IPS" description="Server Hardening"

:IPSec Filter Action Definitions
netsh ipsec static add filteraction name=SecPermit description="Allows Traffic to Pass" action=permit
netsh ipsec static add filteraction name=Block description="Blocks Traffic" action=block

:IPSec Filter Definitions
netsh ipsec static add filter filterlist="Banned IPS" srcaddr=PUT.BANNED.IP.HERE dstaddr=me description="Banned IPS" protocol=any srcport=0 dstport=0

:IPSec Rule Definitions
netsh ipsec static add rule name="Banned IP Rule" policy="Packet Filters - Your Web Host" filterlist="Banned IPS" kerberos=yes filteraction=Block

This script will create the rule and add the first IP. You then have to activate the rule.
Once that is done, this command will add further IPs:

netsh ipsec static add filter filterlist="Banned IPS" srcaddr=PUT.BANNED.IP.HERE dstaddr=me description="Banned IPS" protocol=any srcport=0 dstport=0

So the command to add further IPs is easy, but is it possible to have something check if too much traffic or too many connections are made from a single IP and then run that last command? If this is possible I think we should explore it, as it could be a useful script for game server providers.

George
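An added example of the missing piece the post asks for (not code from the original thread or from Microsoft's CMD file): a sliding-window counter that tracks getstatus probes per source address and, the first time one address crosses a threshold, emits the exact netsh filter command quoted above with that address substituted for PUT.BANNED.IP.HERE. It assumes, as Quake3-engine servers do, that out-of-band commands start with four 0xFF bytes followed by the command name; the threshold and window values are arbitrary starting points, and the traffic it processes is constructed inline rather than captured. Because the post says the source addresses are spoofed, the address that gets banned is the reflection victim, so the block stops the server from amplifying the flood but does not identify the real sender.

```python
"""Rate-limit getstatus probes per source IP and block offenders via IPSec.

Added example, not from the forum thread. Assumption: the game server's
out-of-band packets follow the Quake3 convention of a 0xFFFFFFFF prefix.
"""
import subprocess
from collections import defaultdict, deque

OOB_PREFIX = b"\xff\xff\xff\xff"          # Quake3-style out-of-band marker (assumed)
GETSTATUS = OOB_PREFIX + b"getstatus"


def is_getstatus(payload: bytes) -> bool:
    """True for an out-of-band getstatus request; everything else is ignored."""
    return payload.startswith(GETSTATUS)


class GetstatusRateLimiter:
    """Counts getstatus probes per source IP inside a sliding time window."""

    def __init__(self, threshold: int = 20, window_seconds: float = 10.0):
        self.threshold = threshold            # more than this many hits in the window -> ban
        self.window = window_seconds
        self.hits = defaultdict(deque)        # src_ip -> timestamps still inside the window
        self.banned = set()

    def observe(self, ts: float, src_ip: str, payload: bytes) -> bool:
        """Record one datagram; return True only the first time src_ip crosses the line."""
        if not is_getstatus(payload) or src_ip in self.banned:
            return False
        q = self.hits[src_ip]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop timestamps that have aged out
            q.popleft()
        if len(q) > self.threshold:
            self.banned.add(src_ip)
            del self.hits[src_ip]             # no need to keep counting a banned address
            return True
        return False


def netsh_block_command(ip: str) -> list:
    """The 'add further ips' command from the post, as an argv list for subprocess."""
    return [
        "netsh", "ipsec", "static", "add", "filter",
        "filterlist=Banned IPS", f"srcaddr={ip}", "dstaddr=me",
        "description=Banned IPS", "protocol=any", "srcport=0", "dstport=0",
    ]


def ban_ip(ip: str, dry_run: bool = True) -> str:
    """Run (or, in dry-run mode, just return) the netsh command for one address."""
    cmd = netsh_block_command(ip)
    if not dry_run:
        subprocess.run(cmd, check=True)       # requires an elevated prompt on Windows
    return " ".join(cmd)


def build_sample_traffic() -> list:
    """Constructed sample, not a capture: (timestamp, src_ip, payload) tuples."""
    events = [(0.1 * i, "203.0.113.7", GETSTATUS + b"\n") for i in range(25)]  # flood
    events += [(0.55, "198.51.100.2", GETSTATUS + b"\n"),                       # normal
               (1.55, "198.51.100.2", GETSTATUS + b"\n")]
    events.append((1.05, "198.51.100.9", OOB_PREFIX + b"getinfo xxx"))         # unrelated
    return sorted(events, key=lambda e: e[0])


def run_demo(dry_run: bool = True) -> list:
    """Feed the sample through the limiter; return the addresses that got banned."""
    limiter = GetstatusRateLimiter(threshold=20, window_seconds=10.0)
    banned = []
    for ts, src_ip, payload in build_sample_traffic():
        if limiter.observe(ts, src_ip, payload):
            print(ban_ip(src_ip, dry_run=dry_run))
            banned.append(src_ip)
    return banned


if __name__ == "__main__":
    run_demo(dry_run=True)
```

To use it on a live server, replace build_sample_traffic() with whatever hands you datagrams (a raw socket next to the game port or a packet capture library) and call observe() per packet; the first ban of an address runs netsh once and never again for that address, which matters because the IPSec filter list rejects nothing if you keep adding duplicate filters but it does clutter the policy.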
adamnp Posted February 10, 2011

Aluigi's workaround works.... http://aluigi.freeforums.org/sof2-dos-patch-t1701.html

Edit: I now see that that's you in that post.... I haven't had any issues recently with anything... Odd?
gemcneill (Author) Posted February 10, 2011

Yes, the patch seems to work, but I would still like to explore this script idea to block IPs. I really don't know how to write scripts, but I am pretty good at finding ones. However, all I have found is what I posted above, which does a great deal of the work but is still manual. I am not sure if it is possible to write a script, but I think it is.

George
This topic is now archived and is closed to further replies.