
How to Dynamically Ban Malicious IP's using IPSet (adamm version)

Discussion in 'Asuswrt-Merlin' started by Adamm, Apr 16, 2014.

  1. el pescador

    el pescador Regular Contributor

    Joined:
    Jan 15, 2016
    Messages:
    131
    Hope this is the right place.
    Any way of blocking a range of IPs?
    For example 159.153.76.xxx
    I'm using DD-WRT but also have Merlin on the AC88U, which I switch over every week or few days.
     
  2. Denna

    Denna Senior Member

    Joined:
    Aug 4, 2016
    Messages:
    220
    @Adamm,

    Would it be a good idea to have an option that uses a timeout on the blocked addresses so the list doesn't grow too big?

    I doubt seriously someone would be foolish enough to continually use the same IP address.
     
    Last edited: Apr 11, 2017
  3. Adamm

    Adamm Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    452
    [Check OP]
     
    Last edited: May 16, 2017
  4. Adamm

    Adamm Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    452
    IPSet is very lightweight; in tests it can ban hundreds of thousands of IPs without any noticeable performance impact. I let mine go for months before bothering to purge it, and I average about 200 new blocked IPs every hour. Been running it for 3-4 years now on this device without any issues. Good to see people still making use of it (and their own versions based on the same idea).
     
  5. swetoast

    swetoast Guest

    Joined:
    Apr 12, 2016
    Messages:
    804
    @Martineau or @Adamm, are you planning on maintaining that script? Because if you are, I could add it to the wiki.
     
  6. Adamm

    Adamm Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    452
    My version is fairly basic and modular via using IF statements, so it's hard to break, per se. I don't think anything compatibility-wise has needed to be changed majorly in the past few years since IPSet was implemented. If it were to be added to the wiki, though, I'd cut out the CFE and overclocking functions, as it was a multipurpose script for personal use when I first made it. I can PM you a slightly edited version if you like.

    Edit;

    Nevermind, updated the version posted on the previous page, not sure why I kept those parts anyway on the public version.
     
    Last edited: Apr 12, 2017
  7. swetoast

    swetoast Guest

    Joined:
    Apr 12, 2016
    Messages:
    804
    What I want is for someone to upload and maintain it on GitHub :)
     
  8. takitezsdc

    takitezsdc Occasional Visitor

    Joined:
    Mar 26, 2015
    Messages:
    20
    Hello... would you be so kind as to explain exactly how this needs to be installed? I know how to use PuTTY and log in to my router using SSH / PuTTY, but how do I put this script into my router once I SSH in? And you also say to make all 3 code blocks into one file? Please explain. Sorry, I am new to scripting.

    Thanks...

    PS: I've read all of this post and I think you all forget that for the novice, you're talking way over our heads...
     
  9. Adamm

    Adamm Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    452
    In simplest terms, this is a persistent list of known bad IPs who have actively tried to attack in whatever way was detected this time by the built-in FW. This is just a small line of defence to prevent them from successfully doing this in future. Not to mention it gives the user some very simple and efficient IP banning functionality for anything custom they would like to add/import, with almost no overhead.
     
    Xentrk likes this.
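The mechanism Adamm describes above (firewall DROP log lines feeding a persistent ipset blacklist), together with Denna's earlier suggestion of a timeout on banned entries, as an added dry-run example. This is not Adamm's firewall script and not code from this thread: it takes constructed log lines and a constructed whitelist, extracts the dropped source addresses, skips private/LAN and whitelisted hosts, and emits `ipset restore` input rather than applying anything. The set name `Blacklist`, the log line format, the whitelist format and the 86400-second timeout are assumptions. The `timeout` option exists in ipset 6.x; firmware on the older 2.6.36 kernel seen later in this thread ships ipset 4 with different syntax, so check `ipset --version` before using it.

```shell
#!/bin/sh
# Added example, not Adamm's firewall script: the core of the technique the
# thread describes, as a dry run. It pulls the source addresses out of
# firewall DROP lines, skips LAN/private and whitelisted addresses, and
# emits the "ipset restore" lines that would ban the rest. Each ban carries
# a timeout (Denna's suggestion) so the set does not grow without bound.
# Assumptions (not from the thread): set name "Blacklist", log lines in the
# "kernel: DROP IN=... SRC=a.b.c.d ..." form, whitelist as one IP per line.

SETNAME="Blacklist"
BANTIMEOUT=86400   # seconds an entry stays banned; hypothetical value

# Constructed sample log lines (not real captures). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG='Apr 15 10:00:01 kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=43210 DPT=22
Apr 15 10:00:02 kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=43211 DPT=23
Apr 15 10:00:03 kernel: DROP IN=eth0 OUT= SRC=192.168.1.20 DST=198.51.100.2 PROTO=UDP SPT=5353 DPT=5353
Apr 15 10:00:04 kernel: DROP IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 PROTO=TCP SPT=1024 DPT=445
Apr 15 10:00:05 kernel: ACCEPT IN=eth0 OUT= SRC=203.0.113.99 DST=198.51.100.2 PROTO=TCP SPT=2000 DPT=80'

# Constructed whitelist: a peer that stays allowed even when the firewall drops it.
WHITELIST='198.51.100.77'

# Unique SRC= addresses of DROP lines, one per line (ACCEPT lines are ignored).
dropped_sources() {
    printf '%s\n' "$1" | grep ' DROP ' | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort -u
}

# Succeeds when the address is RFC 1918 private or loopback; those are LAN
# hosts (or the router itself) and must never land in the blacklist.
is_private() {
    case "$1" in
        10.*|192.168.*|127.*)                    return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)   return 0 ;;
    esac
    return 1
}

# Succeeds when the address appears as a whole line in the whitelist text.
is_whitelisted() {
    printf '%s\n' "$2" | grep -qxF "$1"
}

# Addresses that should be banned: dropped, public, and not whitelisted.
ban_candidates() {
    dropped_sources "$1" | while read -r ip; do
        if is_private "$ip" || is_whitelisted "$ip" "$2"; then
            continue
        fi
        printf '%s\n' "$ip"
    done
}

# "ipset restore" input: create the set (idempotent with ipset -exist) and
# add each candidate with a timeout. Nothing is applied here; on a router
# with ipset 6.x you would pipe this into:  ipset -exist restore
ipset_commands() {
    printf 'create %s hash:ip timeout %s\n' "$SETNAME" "$BANTIMEOUT"
    ban_candidates "$1" "$2" | while read -r ip; do
        printf 'add %s %s timeout %s\n' "$SETNAME" "$ip" "$BANTIMEOUT"
    done
}

ipset_commands "$SAMPLE_LOG" "$WHITELIST"
```

Run as-is it only prints the restore lines; the `ipset -exist` flag on the real router avoids the "already exists" errors this thread runs into when the set or entry is already present. The private-range check is the important guard: a mis-parsed line must not lock the LAN or the router's own addresses out.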
  10. redhat27

    redhat27 Senior Member

    Joined:
    Jul 29, 2016
    Messages:
    395
    @Adamm Thank you.

    Maybe the script can later be changed to also include IPs that were ACCEPTed in the FW but had no legitimate business being allowed. For example, if a user opens his port 22 for a specific set of people (whitelisted) but wants to block login attempts from others (bots/hackers), those IPs should also go to the blacklist bucket. It would need some other way to scan the syslog, as the FW log of ACCEPTed packets may be of little help.
     
  11. swetoast

    swetoast Guest

    Joined:
    Apr 12, 2016
    Messages:
    804
    So yay or nay on hosting a version at GitHub, or GitLab for that matter?
     
  12. Csection

    Csection Senior Member

    Joined:
    Oct 20, 2016
    Messages:
    218
    Are those scripts strictly for the RT-68?
    Can they work on an RT-3100?
     
  13. Xentrk

    Xentrk Very Senior Member

    Joined:
    Jul 21, 2016
    Messages:
    551
    Location:
    Chiang Mai, Thailand
  14. skeal

    skeal Regular Contributor

    Joined:
    Apr 30, 2016
    Messages:
    192
    Location:
    Moose Jaw Saskatchewan Canada
    Sorry for sounding stupid, but how do I check the status of @Adamm's script? If there are commands, what prompt are they entered at? Are the commands run from the normal SSH command prompt? I just want to check the status, is all.
     
  15. skeal

    skeal Regular Contributor

    Joined:
    Apr 30, 2016
    Messages:
    192
    Location:
    Moose Jaw Saskatchewan Canada
    I tried the above command at the SSH prompt... firewall whitelist, and it fails, says firewall: not found. Can you help me please?

    Edit: I tried using the command ipset list Blacklist and it works; it gives me a big list of IPs. Is this verification that the script is running?
     
    Last edited: Apr 14, 2017
  16. Adamm

    Adamm Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    452
    Code:
    cd /jffs/scripts
    ./firewall *command*

    You need to be in the current directory for it to execute. If you have Entware installed, you can make a symlink from the bin folder so it can be executed from anywhere.

    The syslog in the router GUI should also give you hourly updates on how many IPs are banned (and freshly banned).
     
  17. skeal

    skeal Regular Contributor

    Joined:
    Apr 30, 2016
    Messages:
    192
    Location:
    Moose Jaw Saskatchewan Canada
    I don't get the hourly updates in my log, and when I run the command ./firewall it says a file cannot be inserted because it already exists, then displays stats like it's just starting. Any ideas?
     
  18. Adamm

    Adamm Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    452
    Please copy the exact output.


    EDIT;

    That's just insmod trying to load a kernel module that's already loaded. You can ignore that error; I'll silence it in future.

    Running the script by itself won't prompt you for input; you have to specify the command when executing. For example..

    Code:
    sh /jffs/scripts/firewall save

    Also, the hourly update in your log should look like the following (if you set up the "/jffs/scripts/firewall-start" script as shown)

     
    Last edited: Apr 15, 2017
  19. skeal

    skeal Regular Contributor

    Joined:
    Apr 30, 2016
    Messages:
    192
    Location:
    Moose Jaw Saskatchewan Canada
    The output is as follows:

    Code:
    @Lil_Kitty:/jffs/scripts# ./firewall
    #!/bin/sh
    #################################################################################################
    ## - 12/04/2017 --- RT-AC56U/RT-AC68U Firewall Addition By Adamm v2.9 - #
    ###################################################################################################################
    ### ----- Make Sure To Edit The Following Files ----- #
    ### /jffs/scripts/firewall-start <-- Sets up cronjob/iptables rules #
    ### /jffs/scripts/firewall <-- Blacklists IP's From /jffs/scripts/ipset.txt #
    ### /jffs/scripts/ipset.txt <-- Banned IP List/IPSet Rules #
    ###################################################################################################################
    ##############################
    ### Commands ###
    ##############################
    UNBANSINGLE="unban" # <-- Remove Single IP From Blacklist
    UNBANALL="unbanall" # <-- Unbans All IPs In Blacklist
    REMOVEBANS="removeall" # <-- Remove All Entries From Blacklist
    SAVEIPSET="save" # <-- Save Blacklists to /jffs/scripts/ipset.txt
    BANSINGLE="ban" # <-- Adds Entry To Blacklist
    BANCOUNTRYSINGLE="country" # <-- Adds entire country to blacklist
    BANCOUNTRYLIST="bancountry" # <-- Bans specified countries in this file
    BANMALWARE="banmalware" # <-- Bans various malware domains
    WHITELIST="whitelist" # <-- Add IPs from path to Whitelist
    NEWLIST="new" # <-- Create new IPSet Blacklist
    ##############################
    Correct Settings Detected.
    Correct Settings Detected
    [IP Banning Started] ... ... ...
    insmod: can't insert '/lib/modules/2.6.36.4brcmarm/kernel/net/netfilter/xt_set.ko': File exists
    [Complete] 4 IPs currently banned. 3 New IP's Banned. 43076 Banned Overall [1s]
    @Lil_Kitty:/jffs/scripts#



    Any ideas?

    Edit: I changed the permissions on the ipset.txt in /jffs/scripts to writable and I can do a ./firewall save now successfully.
     
    Last edited: Apr 15, 2017
  20. Adamm

    Adamm Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    452
    That output is perfectly normal and the script is running as it should. What are you trying to do specifically?
     
