
How to Dynamically Ban Malicious IP's using IPSet (Martineau version)

Discussion in 'Asuswrt-Merlin' started by Martineau, Mar 7, 2017.

  1. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,859
    Location:
    UK
    This hacked version works on my RT-AC68U.

    NOTE: Country Blocking is no longer included...you can use the latest country blocking script from the Wiki https://github.com/RMerl/asuswrt-merlin/wiki/Using-ipset#tor-and-countries-block

    Full credit to member @Adamm for the original script/idea.

    Thanks to @HardCat for spotting the incorrect line.

    EDIT: 24/04/2017 The (too large to post in-line) current version (v3.04) is hosted here:

    https://pastebin.com/zQ3KEe8P

    Code:
    #!/bin/sh
    #================================================================================================= © 2016-2017 Martineau
    # Dynamically block unsolicited access attempts using IPSETs. Useful if U have opened ports >1024 as hopefully hackers will
    #             start their attempts at the more common ports e.g. 22,23 etc. so will be blocked BEFORE they reach your port!
    #
    #     IPSET_Block   [help|-h] | [status [full]] [reset] [delete] [ban [ip_addr]] [unban [ip_addr]] [whitelist]
    #
    #     IPSET_Block   status
    #                   Displays the number of currently blocked I/Ps and the number blocked since the last status request:
    #                   e.g.     Summary Blacklist: 12345 IPs currently banned. 99 New IP's Banned.
    #     IPSET_Block   status full
    #                   Display the contents of IPSETs Whitelist & Blacklist - beware there could be a lot!!!
    #     IPSET_Block   reset
    #                   Temporarily flush the IPSET Blacklist (It will be restored @BOOT or manually using the restore cmd)
    #     IPSET_Block   restore
    #                   Restore the IPSETs Whitelist & Blacklist from the current saved IPSETs.
    #                   (If 'delete' was used then U need to clone the 'backup' file before attempting the restore!)
    #     IPSET_Block   ban 12.34.56.7
    #                   Adds 12.34.56.7 to IPSET Blacklist
    #     IPSET_Block   unban 12.34.56.7
    #                   Removes 12.34.56.7 from IPSET Blacklist
    #     IPSET_Block   delete
    #                   Permanently flush the IPSET Blacklist (It cannot be restored @BOOT or using the restore cmd)
    #
    # /jffs/scripts/init-start
    #      /usr/sbin/cru a IPSET_SAVE   "0 * * * * /jffs/scripts/IPSET_Block.sh save"    #Every hour
    #      /usr/sbin/cru a IPSET_BACKUP "0 5 * * * /jffs/scripts/IPSET_Block.sh backup"  #05:00 every day
    #
    # /jffs/scripts/firewall-start
    #      /jffs/scripts/IPSET_Block.sh init
    #
    # NOTE: Whitelist will be automatically populated with local LAN subnet, but VLANs will need to be added manually e.g. 10.0.0.0/8 etc.
    #
    # Credit @adamm https://www.snbforums.com/threads/how-to-dynamically-ban-malicious-ips-using-ipset-firewall-addition.16798/#post-115872
    # Print between line beginning with'#==' to first blank line inclusive
    ShowHelp() {
     awk '/^#==/{f=1} f{print; if (!NF) exit}' $0
    }
    MYROUTER=$(nvram get computer_name)
    if [ -d /tmp/mnt/$MYROUTER ]; then
       DIR="/tmp/mnt/"$MYROUTER
    else
       DIR="/tmp"
    fi
    bannedips=$DIR"/IPSET_IP_Count"    # Allows display of new blocked IPs after every implied/ explicit status request
    # 380.63+ for ARM routers, IPSET v6  is available...Load appropriate IPSET modules
    case $(ipset -v | grep -io "v[46]") in
      v6)
     MATCH_SET='--match-set'; CREATE='create'; ADD='add'; DELETE='del'; SWAP='swap'; SAVE='save'; FLUSH='flush'; RESTORE='restore'
     IPHASH='hash:ip'; NETHASH='hash:net family inet'; NETHASH6='hash:net family inet6'; SETNOTFOUND='name does not exist'
     lsmod | grep "xt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
      do
       insmod $module > /dev/null 2>&1
      done
     ;;
      v4)
     MATCH_SET='--set'; CREATE='--create'; ADD='--add'; DELETE='--del'; SWAP='--swap'; SAVE='--save'; FLUSH='--flush'; RESTORE='--restore'
     IPHASH='iphash'; NETHASH='nethash'; SETNOTFOUND='Unknown set'
     lsmod | grep "ipt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_nethash ip_set_iphash ipt_set
      do
       insmod $module
      done
     ;;
      *)
     logger -st "($(basename $0))" $$ "**ERROR** Unknown ipset version: $(ipset -v). Exiting."
     echo -e "\a"
     exit 99
     ;;
    esac
    
    # Need assistance!???
    if [ "$1" = "help" ] || [ "$1" = "-h" ]; then
     ShowHelp
     exit 0
    fi
    ACTION=$1
    # If the first arg is an I/P address or subnet then assume it is to be blocked.
    # TBA
    # status / ban / unban / reset / delete / save / ban / whitelist / backup
    case $ACTION in
     status)
      echo -en "\n"
      ipset -L Blacklist | grep -vE "^[0-9]"  # Sadly 'ipset -t Blacklist' to list only the IPSET header doesn't work on Asus
      if [ -n "$2" ]; then           # Verbose if 2nd arg
       ipset -L Blacklist        | \
        grep -E "^[0-9]"       | \
        sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 | \
        awk ' {printf "%15s\t", $1;}'
       echo " ";echo " "
       ipset -L Whitelist
      fi
      #logger -s -t "($(basename $0))" $$  `ipset -L`
      ;;
     ban)
      if [ -z "$2" ]; then
       echo "Input IP Address"
       read bannedip
      else
       bannedip=$2
      fi
      logger -st "($(basename $0))" $$  "Adding" $bannedip "to Blacklist ... ... ..."
      ipset -q -A Blacklist $bannedip
      echo "$bannedip Is Now Banned"
      ;;
     unban)
      if [ -z "$2" ]; then
       echo "Input IP Address To Unban"
       read unbannedip
      else
       unbannedip=$2
      fi
      logger -st "($(basename $0))" $$  "Unbanning and removing" $unbannedip "from Blacklist ... ... ..."
      ipset $DELETE Blacklist $unbannedip
      echo "`sed /$unbannedip/d $DIR/IPSET_Rules.txt`" > $DIR/IPSET_Rules.txt
      echo $unbannedip "Is Now Unbanned"
       ;;
     reset)
      logger -st "($(basename $0))" $$  "Temporarily Allowing ALL ("`cat $bannedips`") I/P's in Blacklist IPSET"
      NOW=$(date +"%Y%m%d-%H%M%S")    # current date and time
      mv  $DIR/IPSET_Rules.txt $DIR/IPSET_Rules.txt-$NOW   # Create restore backup
      ipset $SAVE > $DIR/IPSET_Rules.txt        # Save the current IPSETs
      ipset $FLUSH Blacklist
      rm $bannedips      # Reset counter '0'
      ;;
     delete)
      logger -st "($(basename $0))" $$  "Permanently deleting ALL ("`cat $bannedips`") I/Ps from Blacklist."
      ipset $FLUSH Blacklist
      rm $bannedips      # Reset counter '0'
      ipset $SAVE > $DIR/IPSET_Rules.txt
      ;;
     save)
      #echo "Saving Blacklists ... ... ..."
      logger -st "($(basename $0))" $$  "Saving IPSet rules to  $DIR/IPSET_Rules.txt ... ... ..."
      # Only save the IPSETs associated with this script
      ipset $SAVE Blacklist >  $DIR/IPSET_Rules.txt   # same file that 'init' restores from (not IPSET_Block.txt, which nothing reads)
      ipset $SAVE Whitelist >> $DIR/IPSET_Rules.txt
      ;;
     whitelist)
      echo "Input file location"      # see /jffs/configs/IPSET_Whitelist
      read WHITELISTFILE
      for IP in `cat $WHITELISTFILE`
       do
        ipset -q -A Whitelist $IP
        echo $IP
       done
      ipset $SAVE > $DIR/IPSET_Rules.txt
      ;;
     backup)
      #echo "Backing Up Current IPSet Rules"
      logger -st "($(basename $0))" $$  "Creating IPSET rule backup to "$DIR"/IPSET_Rules.bak ... ... ..."
      cp -f $DIR/IPSET_Rules.txt $DIR/IPSET_Rules.bak
      ;;
     init)
      # ....called from firewall-start?
     
      if [ X"`nvram get fw_log_x`" = X"drop" ]
      then
       logger -st "($(basename $0))" $$ "Correct 'logdrop' Setting Detected"
      else
       logger -st "($(basename $0))" $$  "Setting 'logdrop'....."
       nvram set fw_log_x=drop
       nvram commit
      fi
      if [ X"`nvram get fw_enable_x`" = X"1" ]
      then
       logger -st "($(basename $0))" $$ "Correct 'firewall' enabled Setting Detected."
      else
       logger -st "($(basename $0))" $$ "Setting 'enable' firewall....."
       nvram set fw_enable_x=1
       nvram commit
      fi
      logger -st "($(basename $0))" $$  " © 2016-2017 Martineau, IPSET Dynamic blocking initialisation Starting....."
      iptables -D logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options 2> /dev/null > /dev/null
      iptables -D INPUT -m set $MATCH_SET Whitelist src -j ACCEPT 2> /dev/null > /dev/null
      iptables -D INPUT -m set $MATCH_SET Blacklist src -j DROP 2> /dev/null > /dev/null
      iptables -D logdrop -m state --state NEW -j SET --add-set Blacklist src 2> /dev/null > /dev/null
      # 'init' will restore IPSETs from file  but 'init full' will re-create empty IPSETs
      if [ -s "${DIR}/IPSET_Rules.txt" ] && [ -z "$2" ]; then
       logger -st "($(basename $0))" $$  "IPSET "$DIR"/IPSET_Rules.txt found... restore starting...."
        ipset $RESTORE  < $DIR/IPSET_Rules.txt
      else
        logger -st "($(basename $0))" $$  "IPSETs: Whitelist & Blacklist being created....."
     
        ipset -q -F Whitelist
        ipset -q -F Blacklist
        ipset -q -X Whitelist
        ipset -q -X Blacklist
     
        ipset -q -N Whitelist $NETHASH
        ipset -q -N Blacklist $IPHASH
      fi
      RULENO=`iptables -nvL INPUT --line | grep "lo " | head -n 1 | awk '{print $1}'`   # first 'lo' rule only, so RULENO stays a single number
      RULENO=$(($RULENO+1))
      #logger -st "($(basename $0))" $$  "**DEBUG RULENO="$RULENO
      iptables -I INPUT $RULENO -m set $MATCH_SET Blacklist src -j DROP
      iptables -I INPUT $RULENO -m set $MATCH_SET Whitelist src -j ACCEPT
      RC=$?                          # capture before the test below resets $?
      if [ "$RC" -gt 0 ]; then
        logger -st "($(basename $0))" $$  "**ERROR** Unable to add - INPUT $MATCH_SET Whitelist RC="$RC
        echo -e "\a`iptables -nvL INPUT --line >> /tmp/syslog.log`"
      fi
      logger -st "($(basename $0))" $$  "IPSETs: 'Whitelist & Blacklist Blocking enabled"
      iptables -I logdrop -m state --state NEW -j SET --add-set Blacklist src
      ipset -q -A Whitelist `nvram get lan_ipaddr`/24
      # Remember to manually include all VLANs e.g. 10.0.0.0/8 see /jffs/configs/IPSET_Whitelist
    esac
    # Summary
    if [ ! -s "$bannedips" ]; then
       OLDAMOUNT=0
    else
       OLDAMOUNT=`cat "$bannedips"`
    fi
    if [ `ipset -L Blacklist | grep -vE "^[NTRHSM]" | wc -l` -gt 0 ]; then
       expr `ipset -L Blacklist | grep -vE "^[NTRHSM]" | wc -l` > $bannedips
       NEWAMOUNT=`cat $bannedips`
    else
       NEWAMOUNT=0
    fi
    logger -st "($(basename $0))" $$  "Summary Blacklist: $OLDAMOUNT IPs currently banned. `expr $NEWAMOUNT - $OLDAMOUNT` New IP's Banned. "
     
    Last edited: Apr 24, 2017
    HardCat and skeal like this.
  3. skeal

    skeal Part of the Furniture

    Joined:
    Apr 30, 2016
    Messages:
    2,007
    Location:
    /etc
    Sorry, I screwed up. Please advise where to put this code: is it in init-start or firewall-start? Do I paste all of it in one chunk, and to what locations? The original post on page 1 of this thread doesn't really help me.
     
  4. skeal

    skeal Part of the Furniture

    Joined:
    Apr 30, 2016
    Messages:
    2,007
    Location:
    /etc
    Can you help me with what code goes where please?
     
  5. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,859
    Location:
    UK
    Follow the wiki on how to create scripts and make them executable.
    https://github.com/RMerl/asuswrt-merlin/wiki

    ...basically cut'n'paste it either into the WinSCP editor or the nano editor from the command line.

    So I suggest you create it as /jffs/scripts/IPSET_Block.sh, and as per the help info documented in the script, you will need to update firewall-start and init-start accordingly.
     
  6. skeal

    skeal Part of the Furniture

    Joined:
    Apr 30, 2016
    Messages:
    2,007
    Location:
    /etc
    Thank you @Martineau your help is greatly appreciated. I was able to put it together and get it working. Thanks again for your script writing skills!
     
  7. octopus

    octopus Very Senior Member

    Joined:
    Jul 17, 2012
    Messages:
    991
    @Martineau
    Thank you for this script. I have to ask, I don't understand how blocked IPs get into the "Blacklist" chain?
     
  8. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,859
    Location:
    UK
    The script ensures the 'Logged packets type=Dropped' is enabled in the Firewall->General GUI

    A rule is added to the '-t filter logdrop' chain
    Code:
    iptables -nvL logdrop --line -t filter
    
    Chain logdrop (9 references)
    num   pkts bytes target     prot opt in     out     source               destination      
    1      248 11883 SET        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW add-set Blacklist src
    2      248 11883 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 7 level 4 prefix "DROP "
    3      367 17965 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0  
     
    Last edited: Mar 11, 2017
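
How a banned address gets into the set, as the reply above explains, depends on rule order: the SET --add-set rule sits at the top of logdrop so the source is recorded before the terminating DROP, and the script's init inserts the Whitelist ACCEPT above the Blacklist DROP in INPUT. The shell functions below are an added example, not part of the thread or of the script, that check both orderings in saved `iptables -nvL <chain> --line` listings. The listings embedded in the block are constructed from the output shown above (plus a deliberately broken variant with the DROP moved to the top); the column positions (rule number in $1, target in $4) are an assumption that holds for the `--line` format.

```sh
#!/bin/sh
# Added example (not from the thread): sanity-check the rule ordering that makes
# the dynamic ban work, using saved `iptables -nvL <chain> --line` listings.
#   1. in logdrop, the SET --add-set rule must come BEFORE the terminating DROP,
#      otherwise the packet is dropped before its source is ever recorded;
#   2. in INPUT, the Whitelist ACCEPT must come BEFORE the Blacklist DROP, which
#      is what the script's init does by inserting ACCEPT above DROP.
# Assumption: --line format, so $1 is the rule number and $4 the target.

# first_rule LISTING TARGET REGEX
# Prints the number of the first rule whose target column equals TARGET and whose
# line matches REGEX (an empty REGEX means any rule with that target).
first_rule() {
    awk -v tgt="$2" -v re="$3" 'NR > 2 && $4 == tgt && $0 ~ re { print $1; exit }' "$1"
}

# blacklist_feed_ok LOGDROP_LISTING : succeeds if the feed rule precedes the DROP
blacklist_feed_ok() {
    set_at=$(first_rule "$1" SET 'add-set Blacklist src')
    drop_at=$(first_rule "$1" DROP '')
    [ -n "$set_at" ] && [ -n "$drop_at" ] && [ "$set_at" -lt "$drop_at" ]
}

# input_order_ok INPUT_LISTING : succeeds if Whitelist ACCEPT precedes Blacklist DROP
input_order_ok() {
    acc_at=$(first_rule "$1" ACCEPT 'match-set Whitelist src')
    drop_at=$(first_rule "$1" DROP 'match-set Blacklist src')
    [ -n "$acc_at" ] && [ -n "$drop_at" ] && [ "$acc_at" -lt "$drop_at" ]
}

# write_listing NAME -> path of a temp file holding a constructed listing.
# good_logdrop mirrors the chain shown in the thread; bad_logdrop is the same
# chain with the DROP moved to the top; input is a plausible INPUT chain.
write_listing() {
    f=$(mktemp)
    case $1 in
    good_logdrop) cat > "$f" <<'EOF'
Chain logdrop (9 references)
num   pkts bytes target     prot opt in     out     source               destination
1      248 11883 SET        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW add-set Blacklist src
2      248 11883 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 7 level 4 prefix "DROP "
3      367 17965 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
    ;;
    bad_logdrop) cat > "$f" <<'EOF'
Chain logdrop (9 references)
num   pkts bytes target     prot opt in     out     source               destination
1      367 17965 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
2        0     0 SET        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW add-set Blacklist src
3        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 7 level 4 prefix "DROP "
EOF
    ;;
    input) cat > "$f" <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       12   840 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Whitelist src
3     1162 70396 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Blacklist src
4      500 30000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
EOF
    ;;
    esac
    echo "$f"
}

for name in good_logdrop bad_logdrop; do
    lst=$(write_listing "$name")
    if blacklist_feed_ok "$lst"; then
        echo "$name: SET feeds Blacklist before DROP - OK"
    else
        echo "$name: DROP precedes SET - no source would ever be added"
    fi
    rm -f "$lst"
done
lst=$(write_listing input)
input_order_ok "$lst" && echo "INPUT: Whitelist ACCEPT precedes Blacklist DROP - OK"
rm -f "$lst"
```

On a live router the listings would come from `iptables -nvL logdrop --line -t filter > /tmp/logdrop.txt` and `iptables -nvL INPUT --line > /tmp/input.txt`; running the two checks from cron after firewall-start catches the case where a firmware restart re-orders the chain and the ban silently stops feeding the set.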
  9. octopus

    octopus Very Senior Member

    Joined:
    Jul 17, 2012
    Messages:
    991
    Okay, thanks, I see it now. :D
    Code:
    iptables -I logdrop -m state --state NEW -j SET --add-set Blacklist src
     
  10. octopus

    octopus Very Senior Member

    Joined:
    Jul 17, 2012
    Messages:
    991
    I have run this script for half a day and have a HUGE amount of "DROPIN=vlan11" in the log.
    Hope it subsides when the Blacklist log becomes full of IP numbers.
    Code:
    Chain logdrop (8 references)
    num   pkts bytes target     prot opt in     out     source               destination        
    1      344 17509 SET        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW add-set Blacklist src
    2      368 18669 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 7 level 4 prefix "DROP"
    3      368 18669 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0  
     
  11. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,859
    Location:
    UK
    Well, that's an annoying nuisance, isn't it! :D

    In the script there is a block of code commented out... any idea what it would do if enabled? ;)
    Code:
    #############Why destroy Syslog???#########
    #echo "`sed '/DROP IN=/d' /tmp/syslog.log`" > /tmp/syslog.log
    #echo "`sed '/DROP IN=/d' /tmp/syslog.log-1`" > /tmp/syslog.log-1
    One of the reasons I personally don't want the Syslog to be sanitised is because I run a cron job every hour that creates a report from the "DROP IN" messages of all the blocked access attempts:

    Sat Mar 11 12:00:00 GMT 2017
    1 http://www.speedguide.net/port.php?port=21
    108 http://www.speedguide.net/port.php?port=22
    523 http://www.speedguide.net/port.php?port=23
    3 http://www.speedguide.net/port.php?port=53
    17 http://www.speedguide.net/port.php?port=80
    6 http://www.speedguide.net/port.php?port=81
    8 http://www.speedguide.net/port.php?port=88
    2 http://www.speedguide.net/port.php?port=110
    2 http://www.speedguide.net/port.php?port=111
    1 http://www.speedguide.net/port.php?port=115
    1 http://www.speedguide.net/port.php?port=119
    1 http://www.speedguide.net/port.php?port=123
    1 http://www.speedguide.net/port.php?port=137
    1 http://www.speedguide.net/port.php?port=138
    1 http://www.speedguide.net/port.php?port=139
    1 http://www.speedguide.net/port.php?port=194
    1 http://www.speedguide.net/port.php?port=264
    2 http://www.speedguide.net/port.php?port=389
    1 http://www.speedguide.net/port.php?port=443
    9 http://www.speedguide.net/port.php?port=445
    1 http://www.speedguide.net/port.php?port=502
    1 http://www.speedguide.net/port.php?port=513
    3 http://www.speedguide.net/port.php?port=514
    1 http://www.speedguide.net/port.php?port=631
    3 http://www.speedguide.net/port.php?port=636
    2 http://www.speedguide.net/port.php?port=808
    2 http://www.speedguide.net/port.php?port=990
    1 http://www.speedguide.net/port.php?port=992
    2 http://www.speedguide.net/port.php?port=993
    4 http://www.speedguide.net/port.php?port=995
    2 http://www.speedguide.net/port.php?port=1028
    1 http://www.speedguide.net/port.php?port=1080
    1 http://www.speedguide.net/port.php?port=1099
    8 http://www.speedguide.net/port.php?port=1433
    1 http://www.speedguide.net/port.php?port=1521
    1 http://www.speedguide.net/port.php?port=1883
    1 http://www.speedguide.net/port.php?port=1911
    1 http://www.speedguide.net/port.php?port=2077
    1 http://www.speedguide.net/port.php?port=2081
    1 http://www.speedguide.net/port.php?port=2086
    1 http://www.speedguide.net/port.php?port=2095
    1 http://www.speedguide.net/port.php?port=2096
    13 http://www.speedguide.net/port.php?port=2222
    49 http://www.speedguide.net/port.php?port=2323
    1 http://www.speedguide.net/port.php?port=2375
    1 http://www.speedguide.net/port.php?port=2376
    1 http://www.speedguide.net/port.php?port=2433
    1 http://www.speedguide.net/port.php?port=2638
    1 http://www.speedguide.net/port.php?port=3128
    1 http://www.speedguide.net/port.php?port=3299
    1 http://www.speedguide.net/port.php?port=3306
    12 http://www.speedguide.net/port.php?port=3389
    1 http://www.speedguide.net/port.php?port=3390
    1 http://www.speedguide.net/port.php?port=3391
    1 http://www.speedguide.net/port.php?port=3393
    1 http://www.speedguide.net/port.php?port=3541
    1 http://www.speedguide.net/port.php?port=4028
    1 http://www.speedguide.net/port.php?port=4899
    1 http://www.speedguide.net/port.php?port=5060
    2 http://www.speedguide.net/port.php?port=5093
    1 http://www.speedguide.net/port.php?port=5222
    3 http://www.speedguide.net/port.php?port=5351
    156 http://www.speedguide.net/port.php?port=5358
    3 http://www.speedguide.net/port.php?port=5432
    1 http://www.speedguide.net/port.php?port=5631
    1 http://www.speedguide.net/port.php?port=5900
    1 http://www.speedguide.net/port.php?port=5902
    2 http://www.speedguide.net/port.php?port=6379
    1 http://www.speedguide.net/port.php?port=6789
    1 http://www.speedguide.net/port.php?port=7001
    1 http://www.speedguide.net/port.php?port=7002
    2 http://www.speedguide.net/port.php?port=7071
    2 http://www.speedguide.net/port.php?port=7300
    4 http://www.speedguide.net/port.php?port=7547
    1 http://www.speedguide.net/port.php?port=8000
    1 http://www.speedguide.net/port.php?port=8022
    2 http://www.speedguide.net/port.php?port=8080
    2 http://www.speedguide.net/port.php?port=8081
    1 http://www.speedguide.net/port.php?port=8088
    1 http://www.speedguide.net/port.php?port=8118
    1 http://www.speedguide.net/port.php?port=8883
    1 http://www.speedguide.net/port.php?port=9000
    1 http://www.speedguide.net/port.php?port=9191
    1 http://www.speedguide.net/port.php?port=9200
    1 http://www.speedguide.net/port.php?port=9999
    1 http://www.speedguide.net/port.php?port=10000
    1 http://www.speedguide.net/port.php?port=11211
    1 http://www.speedguide.net/port.php?port=13868
    1 http://www.speedguide.net/port.php?port=17185
    1 http://www.speedguide.net/port.php?port=25565
    1 http://www.speedguide.net/port.php?port=27017
    1 http://www.speedguide.net/port.php?port=33389
    1 http://www.speedguide.net/port.php?port=33399
    1 http://www.speedguide.net/port.php?port=35860
    1 http://www.speedguide.net/port.php?port=49153
    1 http://www.speedguide.net/port.php?port=50100
    1 http://www.speedguide.net/port.php?port=50802

    ..so out of curiosity I can identify which ports are currently popular targets.

    Clearly, well known ports 23 and 22 (523 and 108 attempts respectively) are not surprisingly popular targets, but why/who are 5358 and 2323 (156 and 49 attempts) ? - so the report makes it easy for me to simply click on a helpful 'live' URL description when I review the report.

    The IPSET can grow very large, and I did consider exploiting the IPSET v6.4 'timeout' option to have the IPSET automatically discard entries older than say 24 hours etc., but chances are they would eventually (if not the next day :() reappear in the IPSET!
     
    Last edited: Mar 14, 2017
    mazo22 likes this.
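
The hourly report above is produced by a script that is not posted in the thread. The following shell function is an added example, not Martineau's reporting script, that builds the same kind of per-port summary from netfilter LOG lines. It assumes each logged packet carries a DPT=<port> field and accepts both the "DROP IN=" and the "DROPIN=" prefix that appear later in this thread; the log extract it runs on is constructed (TEST-NET addresses, not real attackers).

```sh
#!/bin/sh
# Added example (not the thread's own HackerPorts.sh): per-port summary of
# firewall DROP records, in the style of the hourly report above.
# Assumptions: each netfilter LOG line carries a DPT=<port> field and is
# prefixed "DROP IN=" or "DROPIN=" (both spellings appear in this thread).

# hacker_report LOGFILE
# One line per attacked port, "<hits> http://www.speedguide.net/port.php?port=<port>",
# sorted by port number, followed by the number of distinct ports seen.
hacker_report() {
    awk '
        /DROP ?IN=/ {
            for (i = 1; i <= NF; i++)
                if (substr($i, 1, 4) == "DPT=") { hits[substr($i, 5) + 0]++; break }
        }
        END { for (p in hits) printf "%d %d http://www.speedguide.net/port.php?port=%d\n", p, hits[p], p }
    ' "$1" | sort -n | awk '{ print $2, $3; n++ } END { print "Total ports attacked:", n + 0 }'
}

# make_sample_log -> path of a constructed syslog extract (TEST-NET addresses);
# the ACCEPT line is there to show that non-DROP records are ignored.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Mar 11 11:02:13 RT-AC68U kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 LEN=40 PROTO=TCP SPT=41234 DPT=23 SYN
Mar 11 11:05:41 RT-AC68U kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.2 LEN=40 PROTO=TCP SPT=55012 DPT=22 SYN
Mar 11 11:07:02 RT-AC68U kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 LEN=40 PROTO=TCP SPT=41235 DPT=23 SYN
Mar 11 11:09:55 RT-AC68U kernel: DROPIN=vlan11 OUT= SRC=192.0.2.44 DST=203.0.113.2 LEN=40 PROTO=TCP SPT=60001 DPT=2323 SYN
Mar 11 11:10:10 RT-AC68U kernel: ACCEPT IN=br0 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.50 LEN=52 PROTO=TCP SPT=50000 DPT=443
Mar 11 11:12:30 RT-AC68U kernel: DROP IN=eth0 OUT= SRC=198.51.100.12 DST=203.0.113.2 LEN=44 PROTO=UDP SPT=5351 DPT=5358 LEN=24
EOF
    echo "$f"
}

log=$(make_sample_log)
hacker_report "$log"
rm -f "$log"
```

Pointed at the router's own file (`hacker_report /tmp/syslog.log`) from an hourly cru job, this gives the same count-plus-URL lines as the report above; because it only reads the log, it is compatible with leaving the DROP messages in Syslog as Martineau prefers.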
  12. octopus

    octopus Very Senior Member

    Joined:
    Jul 17, 2012
    Messages:
    991
    @Martineau
    "Code commented out... any idea what it would do if enabled?" Yes, now that you mention it. :)
    Code:
    echo "`sed '/DROP IN=/d' /tmp/syslog.log`" > /tmp/syslog.log
    I want to use this to minimise annoying log flooding. I use a symlink to /mnt, where my log is saved. Will this "sed" command work?
    Code:
     ln -s /mnt/rt-ac68/logs/syslog.log /tmp/syslog.log
    I really appreciate all your scripts, whether I use part of them or all of them. :)
     
  13. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,859
    Location:
    UK
    Yes...I too have Syslog writing to a flash drive mounted on /tmp/mnt/RT-AC68U

    You can prove the 'sed' command works by trying this on the command line before you edit the script!
    Code:
    grep "DROP IN" /tmp/syslog.log | wc -l
    sed '/DROP IN=/d' /tmp/syslog.log > /tmp/syslog.log
    grep "DROP IN" /tmp/syslog.log | wc -l
     
  14. octopus

    octopus Very Senior Member

    Joined:
    Jul 17, 2012
    Messages:
    991
    Seems to be working; I had to modify it to "DROPIN".
    Code:
    [email protected]:/tmp/home/root# grep "DROPIN" /tmp/syslog.log | wc -l
    1260
    After this the log is deleted, and it starts to log DROP again after the first write to the log from a router program.
    Code:
    [email protected]:/tmp/home/root# sed '/DROPIN=/d' /tmp/syslog.log > /tmp/syslog.log
    EDIT: I found what was wrong, I have my log point to /mnt. Adjusted sed to:
    Code:
    [email protected]:/tmp/home/root# sed '/DROPIN=/d' /tmp/syslog.log > /mnt/rt-ac68/logs/syslog.log
    Code:
    [email protected]:/tmp/home/root# grep "DROPIN" /tmp/syslog.log | wc -l
    0
    @Martineau
     
    Last edited: Apr 12, 2017
  15. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,859
    Location:
    UK
    Hmm, no idea why I have "DROP IN=", whereas you have "DROPIN=", also I don't have interface "vlan11" either.

    Anyway glad you can now have the port hackers silently blocked!
     
  16. octopus

    octopus Very Senior Member

    Joined:
    Jul 17, 2012
    Messages:
    991
    I don't know why we have different DROP but I use IPTV internet on vlan11.
    Well, it only works until new data is written to the log.
    "After this the log is deleted, and it starts to log DROP again after the first write to the log from a router program."
    @Martineau
     
    Last edited: Mar 14, 2017
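
The `sed '/DROP IN=/d' /tmp/syslog.log > /tmp/syslog.log` form tried above has a trap: the shell opens and truncates the output file for the redirection before sed starts reading, so sed reads an already-empty file and the whole log is gone. That is consistent with what octopus reports (the count drops to 0 and the file only fills again once the router writes new lines), and redirecting to the symlink's target in /mnt does not help because it is the same file. The `echo "`sed ... `" > file` form in the script's commented-out block does not suffer from this, because the command substitution runs before the redirection is applied. The block below is an added example, not code from the thread: it reproduces the faulty command on a constructed log and shows a safe in-place prune that also keeps the file's inode, so a /tmp/syslog.log symlink into /mnt keeps pointing at live data. Matching both "DROP IN=" and "DROPIN=" is an assumption based on the two spellings seen in this thread.

```sh
#!/bin/sh
# Added example (not from the thread): prune DROP records from a syslog file
# without the truncation trap of `sed ... FILE > FILE`. The shell truncates FILE
# for the redirection before sed runs, so sed sees an empty file and the log is
# lost. Filtering into a temp file and copying it back keeps the original inode,
# so a symlink such as /tmp/syslog.log -> /mnt/.../syslog.log still points at
# live data. Assumption: both "DROP IN=" and "DROPIN=" prefixes seen in the thread.

# drop_filter FILE : the log minus DROP records, on stdout (FILE untouched)
drop_filter() { sed -e '/DROP IN=/d' -e '/DROPIN=/d' "$1"; }

# naive_prune FILE : reproduces the faulty command; FILE is left EMPTY
naive_prune() { drop_filter "$1" > "$1"; }

# safe_prune FILE : filter into a temp file beside FILE, then copy it back
safe_prune() {
    src=$1
    tmp=$(mktemp "$src.XXXXXX") || return 1
    drop_filter "$src" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$src" && rm -f "$tmp"    # cat, not mv: keeps inode and symlink target
}

# line_count FILE -> number of lines in FILE
line_count() { wc -l < "$1" | tr -d ' '; }

# make_sample_log -> path of a constructed 4-line log (2 DROP records, 2 other lines)
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Mar 11 11:00:01 RT-AC68U kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 PROTO=TCP DPT=23
Mar 11 11:00:02 RT-AC68U rc_service: service restart_firewall
Mar 11 11:00:03 RT-AC68U kernel: DROPIN=vlan11 OUT= SRC=192.0.2.44 DST=203.0.113.2 PROTO=TCP DPT=2323
Mar 11 11:00:04 RT-AC68U (IPSET_Block.sh): 1234 Summary Blacklist: 300 IPs currently banned. 15 New IP's Banned.
EOF
    echo "$f"
}

log=$(make_sample_log)
echo "before:               $(line_count "$log") lines"
naive_prune "$log"
echo "after naive redirect: $(line_count "$log") lines (everything gone)"
rm -f "$log"
log=$(make_sample_log)
safe_prune "$log"
echo "after safe_prune:     $(line_count "$log") lines"
rm -f "$log"
```

`sed -i` would also avoid the truncation, but it replaces the file with a new inode, which breaks the symlink arrangement octopus describes; the copy-back keeps that working. Note that either form still loses any line syslogd appends between the filter and the copy, so run it from cron at a quiet minute rather than continuously.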
  17. Xentrk

    Xentrk Very Senior Member

    Joined:
    Jul 21, 2016
    Messages:
    1,679
    Location:
    The Land of Smiles
    Thank you @Martineau for the revised script.

    I installed it last night on the two routers I have at home and on the router at the school. I don't have any attempts on the two home routers. But at the school, the following was generated in the past 12 hours:

    Code:
    (IPSET_Block.sh): 26779 Summary Blacklist: 300 IPs currently banned. 15 New IP's Banned.
    
    Code:
     pkts bytes target     prot opt in     out     source               destination
         0     0 ACCEPT     all  --  any    any     anywhere             anywhere             match-set Whitelist src
     1162 70396 DROP       all  --  any    any     anywhere             anywhere             match-set Blacklist src
    
     
  18. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,859
    Location:
    UK
    I have updated my OP https://www.snbforums.com/threads/h...et-firewall-addition.16798/page-7#post-312136

    There are slight functional differences in my version vs. @Adamm's i.e. Malware blocking is not included - I'll leave that to your supported Malware script(s)

    The main difference is that my script exploits the IPSET v6.3 feature which allows the user to specify how long the Blacklist entries remain in the IPSET before they expire.

    e.g. passing the 'init' arg in the firewall-start script will instigate a search for a '.config' file to reload a previously populated Blacklist IPSET
    Code:
    /jffs/scripts/IPSET_Block.sh init
    however, if the following syntax is used:
    Code:
    /jffs/scripts/IPSET_Block.sh init [full [hh:mm:ss]]
    
    e.g.
    
    IPSET_Block.sh init full 24:00:00
    then when the Blacklist IPSET is created the member entries will expire after 24 hrs.
    (The default hard-coded in the script is 168:00:00 hrs = 7 days)

    e.g. You can see how much longer (until its timeout value reaches 0) each entry will remain in the IPSET based on its initial 86400 seconds value:
    Code:
    ipset list Blacklist
    
    Name: Blacklist
    Type: hash:ip
    Revision: 0
    Header: family inet hashsize 4096 maxelem 65536 timeout 86400
    Size in memory: 187832
    References: 1
    Members:
    190.85.182.61 timeout 45111
    118.101.215.238 timeout 44722
    120.197.100.106 timeout 45112
    <snip>
    Also, I don't remove the DROP messages from Syslog, because I have a supplementary script that reports on the Blacklist entries:
    Code:
    ./HackerPorts.sh
    
    (HackerPorts.sh): 8647 Syslog Hacker report starting.....
    (HackerPorts.sh): 8647 Hacker report created '/tmp/mnt/RT-AC68U/HackerReport.txt' (Total Ports attacked: 218)
     
    Last edited: Apr 12, 2017
    amplatfus and Denna like this.
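
As an added example (not the script's own code), the shell helpers below cover the two practical pieces of the timeout feature described above: converting the `init full hh:mm:ss` argument into the seconds value ipset expects, rejecting malformed input rather than creating a set with an unintended lifetime, and reading saved `ipset list Blacklist` output to find entries about to expire. The create command string is an assumption modelled on the header the post prints (family inet hashsize 4096 maxelem 65536 timeout 86400), and the sample listing uses TEST-NET addresses in place of the real ones shown.

```sh
#!/bin/sh
# Added example (not the script's own code): helpers for the IPSET timeout
# feature. Assumptions: the argument form `init full H:MM:SS`, the
# `ipset list Blacklist` layout shown in the post, and a create command
# modelled on the header it prints.

# hms_to_seconds H:MM:SS -> seconds on stdout; returns 1 for malformed input.
# Hours may exceed 24 (168:00:00 = 7 days); minutes and seconds must be 00-59.
hms_to_seconds() {
    case $1 in
        *[!0-9:]*) return 1 ;;                       # only digits and colons allowed
        [0-9]*:[0-9][0-9]:[0-9][0-9]) ;;             # H+:MM:SS
        *) return 1 ;;
    esac
    h=${1%%:*}; rest=${1#*:}; m=${rest%%:*}; s=${rest#*:}
    # awk does the arithmetic: it reads "08" as decimal, whereas $(( 08 )) is an octal error in bash
    echo "$h $m $s" | awk '{ if ($2 > 59 || $3 > 59) exit 1; printf "%d\n", $1 * 3600 + $2 * 60 + $3 }'
}

# seconds_to_hms SECONDS -> H:MM:SS (hours are not wrapped at 24)
seconds_to_hms() {
    awk -v s="$1" 'BEGIN { printf "%d:%02d:%02d\n", int(s / 3600), int((s % 3600) / 60), s % 60 }'
}

# create_cmd H:MM:SS -> the ipset command that would create the set (printed, not run)
create_cmd() {
    secs=$(hms_to_seconds "$1") || return 1
    echo "ipset create Blacklist hash:ip family inet hashsize 4096 maxelem 65536 timeout $secs"
}

# expiring_members LISTFILE SECONDS -> "<ip> <remaining>" for members whose
# remaining timeout is at most SECONDS (input: saved `ipset list Blacklist` output)
expiring_members() {
    awk -v limit="$2" '
        /^Members:/ { in_members = 1; next }
        in_members && $2 == "timeout" && $3 + 0 <= limit + 0 { print $1, $3 }
    ' "$1"
}

# make_sample_list -> path of a constructed listing (TEST-NET addresses)
make_sample_list() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Name: Blacklist
Type: hash:ip
Revision: 0
Header: family inet hashsize 4096 maxelem 65536 timeout 86400
Size in memory: 187832
References: 1
Members:
198.51.100.7 timeout 45111
192.0.2.44 timeout 120
203.0.113.99 timeout 3599
EOF
    echo "$f"
}

for arg in 24:00:00 168:00:00 24:60:00; do
    if cmd=$(create_cmd "$arg"); then
        echo "$arg -> $cmd"
    else
        echo "$arg rejected: expected H:MM:SS with MM and SS in 00-59" >&2
    fi
done
list=$(make_sample_list)
echo "members expiring within the next hour (ip remaining-seconds):"
expiring_members "$list" 3600
rm -f "$list"
```

The expiry listing is useful when deciding on a lifetime: if most entries are still being hit as they approach expiry, the attacker will be re-added as soon as they drop out and a longer timeout (or the 7-day default) is the better setting; if they are not, a short timeout keeps the set small and limits how long a spoofed or recycled address stays blocked.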
  19. Denna

    Denna Senior Member

    Joined:
    Aug 4, 2016
    Messages:
    297
    @Martineau,

    I like the timeout feature. Genius !

    If someone could spoof an IP address of a legitimate destination and that address ended up in a blocklist, wouldn't that be a form of DoS?

    The timeout feature partially protects against that.​
     
    Last edited: Apr 24, 2017
  20. redhat27

    redhat27 Very Senior Member

    Joined:
    Jul 29, 2016
    Messages:
    508
    Hello... First post in this thread. Interesting read. So I am trying to understand the purpose of the script better. Is it that the script looks at the syslog for packets already being dropped by the firewall and puts them in a blacklist ipset? So what is the benefit gained? The new rule would have a target of DROP as opposed to logdrop and won't show in the firewall log. Other than that, what is the benefit gained?
     
  21. Xentrk

    Xentrk Very Senior Member

    Joined:
    Jul 21, 2016
    Messages:
    1,679
    Location:
    The Land of Smiles
    For @Martineau version, the script goes in /jffs/scripts/IPSET_Block.sh. Make sure it is executable:
    chmod 755 IPSET_Block.sh

    In the /jffs/scripts/init-start
    Code:
    /usr/sbin/cru a IPSET_SAVE   "0 * * * * /jffs/scripts/IPSET_Block.sh save"    #Every hour
    /usr/sbin/cru a IPSET_BACKUP "0 5 * * * /jffs/scripts/IPSET_Block.sh backup"  #05:00 every day
    In /jffs/scripts/firewall-start
    Code:
    /jffs/scripts/IPSET_Block.sh init
    To get help:
    Code:
    cd /jffs/scripts
    ./IPSET_Block.sh help
     
    amplatfus likes this.