The DDoS-defense.sh script configures and deploys iptables rules designed to safeguard a Cardano stakepool from a range of DDoS attack vectors, ensuring rule persistence across reboots. The script is fully compatible with UFW and boot resistant (the rules are re-applied after every reboot).
IMPORTANT: To ensure that everything is set up correctly, please run the script manually (sudo /<FILE-PATH>/DDoS-defense.sh) on one of your relays first and verify that the node keeps working fine.
- Download the script to your local drive and grant execute permissions:

```
wget https://raw.githubusercontent.com/CardenPool/stakepool-DDoS-defense/main/DDoS-defense.sh -P /<DESTINATION-PATH>/
chmod +x /<DESTINATION-PATH>/DDoS-defense.sh
```
- Customize the script

Edit the script and replace every value within angle brackets with your own settings:

```
nano /<DESTINATION-PATH>/DDoS-defense.sh
```
- Schedule the cronjob

Every iptables rule added from the command line is not boot-proof and will be forgotten at reboot time. To have the defense rules loaded at boot time, we have to schedule their loading with crontab.

Since this script uses iptables commands that require administrative privileges, we have to run it with root privileges. To achieve this, we edit the root cronjob list (containing the tasks run with root privileges) using the command:

```
sudo crontab -e
```

This will open the crontab text editor interface, where we have to add the call to our script. Replace the path with the right path of your local file and add the call at the end of the list:

```
#Apply DDoS iptables rules. NOTE: can't use iptables-persistent since we're using UFW (conflict!)
@reboot sleep 20; /<FILE-PATH>/DDoS-defense.sh
```

Press CTRL+o to save and update the crontab list, then CTRL+x to come back to the terminal. The entry runs the script at every boot, 20 seconds after boot time, to ensure UFW and the other services are already up and running. You're done!
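As an added example (not part of the stakepool-DDoS-defense repository), the following POSIX sh helpers install the @reboot entry described above without duplicating it when the setup is run again. It assumes the absolute path of your local copy of DDoS-defense.sh is passed as the first argument and that your user may run sudo.

```shell
#!/bin/sh
# Added example, not code from the stakepool-DDoS-defense repository: install
# the "@reboot sleep 20; <script>" entry described above without duplicating it
# on repeated runs. The script path is an assumption you supply as argument 1.

# The exact crontab line the README asks for: wait 20 s so UFW is up first.
reboot_entry() {
    printf '@reboot sleep 20; %s\n' "$1"
}

# cron runs with a minimal PATH and as root, so the path must be absolute and
# the file must be executable (the README's chmod +x step).
check_script_path() {
    case "$1" in
        /*) ;;
        *)  echo "error: $1 is not an absolute path" >&2; return 1 ;;
    esac
    if [ ! -x "$1" ]; then
        echo "error: $1 is not executable (run chmod +x)" >&2
        return 1
    fi
}

# Read an existing crontab on stdin and write it to stdout with the @reboot
# entry present exactly once, so the setup can be re-run safely.
ensure_reboot_entry() {
    entry=$(reboot_entry "$1")
    existing=$(cat)
    if printf '%s\n' "$existing" | grep -Fxq -- "$entry"; then
        printf '%s\n' "$existing"        # already installed: emit unchanged
        return 0
    fi
    if [ -n "$existing" ]; then
        printf '%s\n' "$existing"
    fi
    printf '#Apply DDoS iptables rules. NOTE: cannot use iptables-persistent since we use UFW\n'
    printf '%s\n' "$entry"
}

# Merge the entry into root's crontab. "crontab -l" exits non-zero when root
# has no crontab yet, hence the "|| true".
install_reboot_entry() {
    check_script_path "$1" || return 1
    (sudo crontab -l 2>/dev/null || true) | ensure_reboot_entry "$1" | sudo crontab -
}
```

Source the file and call `install_reboot_entry /<FILE-PATH>/DDoS-defense.sh`; afterwards `sudo crontab -l` should show the @reboot line exactly once, however many times you run it.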