From 09a513c4c51ea9e3f8d4d5abf8cc89f497f23088 Mon Sep 17 00:00:00 2001
From: Pawel Krawczyk
Date: Thu, 8 Jan 2015 23:44:22 +0000
Subject: [PATCH] add OpenWRT script
---
router-drop.sh | 47 +++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 47 insertions(+)
create mode 100644 router-drop.sh
diff --git a/router-drop.sh b/router-drop.sh
new file mode 100644
index 0000000..06fd4c7
--- /dev/null
+++ b/router-drop.sh
@@ -0,0 +1,47 @@
+#!/bin/sh
+
+# Block an IP using Linux ipset on a remoter router
+# Utility script for OSSEC active response
+# Expect: srcip
+# Author: Pawel Krawczyk
+
+# THIS MUST BE CONFIGURED
+ROUTER=root@gw.example.com
+
+# You also need to add SSH keys to the root account
+# on OSSEC server (active response scripts are run
+# as root) that will allow root login to the destination
+# router.
+
+ACTION=$1
+USER=$2
+IP=$3
+
+LOCAL=$(dirname $0);
+cd $LOCAL
+cd ../
+PWD=$(pwd)
+BLACKLIST=manual-blacklist
+
+# Logging the call
+echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
+
+
+# IP Address must be provided
+if [ "x${IP}" = "x" ]; then
+ echo "$0: Missing argument (ip)"
+ exit 1;
+fi
+
+# Use ipset to handle the IP
+if [ "x${ACTION}" = "xadd" ]; then
+ ssh ${ROUTER} ipset -! add ${BLACKLIST} ${IP}
+elif [ "x${ACTION}" = "xdelete" ]; then
+ ssh ${ROUTER} ipset -! del ${BLACKLIST} ${IP}
+
+# Invalid action
+else
+ echo "$0: invalid action: ${ACTION}"
+fi
+
+exit 1
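Review bot: `${IP}` is passed to `ssh ${ROUTER} ipset -! add ${BLACKLIST} ${IP}` and to the matching `del` line with no format check. ssh joins its arguments into one command line that the router's root shell parses, so anything other than a bare address in srcip would be interpreted there. The emptiness test should become a check that rejects every character outside an IPv4/IPv6 literal, as in the fence below; this patch does not show whether OSSEC sanitises srcip before calling the script, so the script should not rely on it. Separately, the final `exit 1` reports failure even after a successful add or delete; adding `exit $?` after each ssh call would let OSSEC tell success from failure. If the router's SSH server supports a forced command for the key, restricting it to ipset would further limit what the OSSEC server's root key can do.

```shell
# IP address must be provided and contain only address characters
case "${IP}" in
  "" | *[!0-9A-Fa-f.:]*)
    echo "$0: missing or invalid argument (ip)" >&2
    exit 1
    ;;
esac

# … unchanged: ACTION dispatch (add / delete / invalid action) …
```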