This Docker Image remotely sets up a dynamic IP blacklist on your UniFi Security Gateway (USG).
This is kind of a lightweight Intrusion Prevention System (IPS) only based on known blacklisted IP addresses. It retains USG's hardware offloading feature.
The following sources are used:
- Spamhaus.org
- EmergingThreats.net
- TOR Exit Nodes
Based on and inspired by the great script at: https://github.com/brontide/usg-blacklist
- Create an IPv4 firewall group named "Dynamic Threat List".
- Create firewall rules in WAN_LOCAL, WAN_OUT, WAN_IN to drop traffic from/to this group.
- Optional: Create an IPv6 firewall group named "Dynamic Threat List IPv6".
- Optional: Create firewall rules in WAN_LOCAL, WAN_OUT, WAN_IN to drop traffic from/to this group.
- Create an SSH key using
ssh-keygenand install the public key in your UniFi SDN Controller under: Settings > Site > Device Authentication
The rules are updates only once per day. If you run the container more than once per day, the update operation is skipped. This is useful to reinstall the rules after rebooting the USG, as existing rules are reset on reboot.
I recommend running this regularly (i.e. via a cronjob).
docker run --rm \
-e "MODE=update" \
-e "IPV6=true" \
-e "HOST=10.10.1.1" \
-e "USER=unifi-ssh-user" \
-v ${PWD}/ssh-key:/root/ssh-key:ro \
virtualzone/usg-blacklist
docker run --rm \
-e "MODE=stats" \
-e "IPV6=true" \
-e "HOST=10.10.1.1" \
-e "USER=unifi-ssh-user" \
-v ${PWD}/ssh-key:/root/ssh-key:ro \
virtualzone/usg-blacklist
Tested on a UniFi USG3 with firmware 4.4.44. Use at your own risk.