How to Dynamically Ban Malicious IP's using IPSet (Martineau version)


So that confirms why you need to use the 'all' directive. o_O

Presumably 'ppp0' is indeed your physical WAN interface?

Does this return anything? EDIT: Typo :oops:
Code:
ip addr | grep @

Hopefully the Blacklist chain rules are correct:

Code:
iptables --line -nvL INPUT
iptables --line -nvL FORWARD

In the web gui, PPPoE is the WAN Connection Type. Following are the other tidbits for consumption and contemplation ;)
Code:
admin@RT-AC88U:#ip addr | grep @
11: vlan1@eth0: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
12: vlan2@eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN

And..
Code:
admin@RT-AC88U:# nvram show | grep ppp0
wan0_gw_ifname=ppp0
wan0_pppoe_ifname=ppp0

And
Code:
admin@RT-AC88U:/jffs/scripts# iptables -L | grep Black
Blacklist  all  --  anywhere             anywhere             state INVALID
DROP       all  --  anywhere             anywhere             match-set Blacklist src
Blacklist  all  --  anywhere             anywhere
Blacklist  all  --  anywhere             anywhere             state INVALID
DROP       all  --  anywhere             anywhere             match-set Blacklist src
Blacklist  all  --  anywhere             anywhere
Chain Blacklist (4 references)
SET        all  --  anywhere             anywhere             state NEW add-set Blacklist src
 
Tbh if people asking for help had an inkling of self-support. If HackerPorts.sh all is giving you the result, as @Martineau says it removes the eth0 filter, then surely go to the bit of IPSet where it calls HackerPorts and add the all parameter to the call?

Or am I way off course on this?

No you are correct.

A patch to IPSET_Block.sh to change the HackerPorts.sh call to include the 'all' directive

e.g. A seemingly very simple edit (to already shoddy code! :eek:)
Code:
 if [ -f /jffs/scripts/HackerPorts.sh ]; then
    /jffs/scripts/HackerPorts.sh   num=3          # Requires HackerPorts v2.02
 fi
to
Code:
 if [ -f /jffs/scripts/HackerPorts.sh ]; then
    /jffs/scripts/HackerPorts.sh   all   num=3    # Requires HackerPorts v2.02
 fi

should work, but would in fact fail for some users. :oops:

However, not sure if having 'an inkling' would allow someone with such insight to see why they should actually code the following
Code:
 if [ -f /jffs/scripts/HackerPorts.sh ]; then
    if [ "$(sed -n '2{p;q}' /jffs/scripts/HackerPorts.sh | tr -d '."' | grep -oE "[[:digit:]]+")" -ge 203  ];then
       /jffs/scripts/HackerPorts.sh   all   num=3   # Requires HackerPorts v2.03 or higher
    else
       /jffs/scripts/HackerPorts.sh   num=3         # Requires HackerPorts v2.02
    fi
 fi
to ensure that if they are still running HackerPorts v2.02, the inappropriate 'all' request doesn't create a strange syntax error.
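The version gate from the patch above, as an added example that is not part of the post or of IPSET_Block.sh/HackerPorts.sh. It keeps the same sed/tr/grep extraction but also covers the case the one-liner does not: a line 2 with no version digits at all, where `[ "" -ge 203 ]` would itself error out. It assumes, as the patch does, that HackerPorts.sh states its version on line 2 with a two-digit minor (e.g. `# VERSION="v2.03"`); the stand-in files are constructed.

```shell
#!/bin/sh
# Added example: not from the post above nor from IPSET_Block.sh/HackerPorts.sh.
# Same version gate as the patch, plus the case the patch does not cover:
# line 2 carrying no version at all, where `[ "" -ge 203 ]` would itself
# error out. Assumes (as the patch does) that HackerPorts.sh states its
# version on line 2, e.g. `# VERSION="v2.03"`, with a two-digit minor.

# Version on line 2 as an integer (v2.03 -> 203), or 0 when none is found.
hp_version() {
    v="$(sed -n '2{p;q}' "$1" | tr -d '."' | grep -oE '[[:digit:]]+' | head -n 1)"
    echo "${v:-0}"
}

# Argument list IPSET_Block.sh should pass: 'all' exists only from v2.03 on.
hp_args() {
    if [ "$(hp_version "$1")" -ge 203 ]; then
        echo "all num=3"
    else
        echo "num=3"
    fi
}

# Write a constructed two-line stand-in for HackerPorts.sh ($1) with $2 on line 2.
mk_stub() {
    printf '#!/bin/sh\n%s\n' "$2" > "$1"
}

# Demo: three stand-ins, one per case (v2.02, v2.03, no version line).
demo() {
    d="$(mktemp -d)"
    mk_stub "$d/hp202.sh" '# VERSION="v2.02"'
    mk_stub "$d/hp203.sh" '# VERSION="v2.03"'
    mk_stub "$d/hpnone.sh" '# no version line'
    for f in hp202.sh hp203.sh hpnone.sh; do
        echo "$f -> HackerPorts.sh $(hp_args "$d/$f")"
    done
    rm -rf "$d"
}

demo
```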
 
If the edit was made with the statement that it requires 2.03 or later then it would be fine :D
 
I am still going through the process of elimination. I have tested occasionally, as the family is wondering what is happening to the internet. It also takes a few hours from change to breakage. I run dnscrypt, so it may be that this script is hosing dnscrypt-proxy. When it dies, traffic seems to be able to come in and the LAN works, but any new lookups to go out don't get an address.

rearden

I have never bothered with the Trend Micro AI 'protection' so I wouldn't know what it does when the EULA prompt is accepted.

As explained in a previous post, the Blacklist blocking is pretty much applied as the last rules that are processed rather than the first, so I can't see how the script would affect the Trend Micro stuff?

You will need to manually list the Firewall rules to confirm the precise order in which they are triggered.
 
When it dies, traffic seems to be able to come in and the lan works, but any new lookups to go out don't get an address.

Well when it dies I suggest you issue

Code:
nslookup   www.ibm.com

service restart_dnsmasq

nslookup   www.ibm.com

IPSET_Block (in theory) only blocks unsolicited inbound requests, but if it is 'confused' then that is why the Whitelist exists.

Anyway if the dnsmasq restart fails to fix DNS lookups, then you could always try to temporarily disable the blocking by flushing the Blacklist IPSET.

Issue:
Code:
./IPSET_Block.sh   reset

and if you really want to be sure, you can delete the Blacklist Firewall blocking rules

Issue:
Code:
iptables --line -nvL INPUT

          then for each rule number x that references Blacklist issue

iptables -D INPUT   x 

          then repeat for  

iptables --line -nvL FORWARD
 
Whitelist IP of dnscrypt server you're connecting to
 
These two scripts are awesome @Martineau!!!! I don't know much about code but it works real well? I wouldn't use the word shoddy to describe it for sure!!! Bravo mate!!
 
what is this? ***ATTENTION 1 GRE (Generic Route Encapsulation) aka Virtual Private Network (VPN) attacks.

Code:
admin@RT-AC3200-0000:/jffs/scripts# ./HackerPorts.sh all
(HackerPorts.sh): 12103 v2.03 Hacker Port attacks Report.....

Scanning /tmp/syslog.log for ANY interface violations, please wait.....

985 records scanned from Syslog ('/tmp/syslog.log')


08 May 19:35:11: # Unique Ports attacked via ANY interface: 71 (out of 522 attempts) tracked via SYSLOG, Aug 1 02:00:12 - May 8 19:35:10

        ***ATTENTION 1 GRE (Generic Route Encapsulation) aka Virtual Private Network (VPN) attacks.


        Top 10 Ports attacked:
  272 http://www.speedguide.net/port.php?port=23    e.g.  https://dnsquery.org/ipwhois/1.34.62.113
   42 http://www.speedguide.net/port.php?port=1433  e.g.  https://dnsquery.org/ipwhois/1.24.89.90
   40 http://www.speedguide.net/port.php?port=22    e.g.  https://dnsquery.org/ipwhois/103.207.39.148
   22 http://www.speedguide.net/port.php?port=81    e.g.  https://dnsquery.org/ipwhois/1.1.206.177
   17 http://www.speedguide.net/port.php?port=7547  e.g.  https://dnsquery.org/ipwhois/111.220.124.38
   12 http://www.speedguide.net/port.php?port=2323  e.g.  https://dnsquery.org/ipwhois/109.98.58.188
    8 http://www.speedguide.net/port.php?port=8080  e.g.  https://dnsquery.org/ipwhois/163.172.168.251
    8 http://www.speedguide.net/port.php?port=80    e.g.  https://dnsquery.org/ipwhois/185.94.191.14
    7 http://www.speedguide.net/port.php?port=443   e.g.  https://dnsquery.org/ipwhois/123.133.65.58
    6 http://www.speedguide.net/port.php?port=53    e.g.  https://dnsquery.org/ipwhois/121.196.225.202

        Top 10 attackers:
    1 https://dnsquery.org/ipwhois/1.34.62.113
    1 https://dnsquery.org/ipwhois/1.24.89.90
    1 https://dnsquery.org/ipwhois/103.207.39.148
    1 https://dnsquery.org/ipwhois/1.1.206.177
    1 https://dnsquery.org/ipwhois/111.220.124.38
    1 https://dnsquery.org/ipwhois/109.98.58.188
    1 https://dnsquery.org/ipwhois/163.172.168.251
    1 https://dnsquery.org/ipwhois/185.94.191.14
    1 https://dnsquery.org/ipwhois/123.133.65.58
    1 https://dnsquery.org/ipwhois/121.196.225.202

        Last 10 most recent attackers:
      https://dnsquery.org/ipwhois/89.108.104.233
      https://dnsquery.org/ipwhois/180.97.239.30
      https://dnsquery.org/ipwhois/61.160.6.64
      https://dnsquery.org/ipwhois/192.40.95.31
      https://dnsquery.org/ipwhois/60.191.38.78
      https://dnsquery.org/ipwhois/74.63.223.34
      https://dnsquery.org/ipwhois/71.6.167.142
      https://dnsquery.org/ipwhois/169.54.244.84
      https://dnsquery.org/ipwhois/209.134.5.178
      https://dnsquery.org/ipwhois/80.82.77.139
 
Ok!
So I updated to ver. 3.05 of IPSET_Block today and it works perfectly again!
I also updated to HackerPorts ver. 2.03.
They both are working together!
I'm a happy camper again!
Thank you Martineau for the good work!
 
I keep getting an error in HackerPorts. It says "Scanning /tmp/syslog.log for 'eth0' violations. Please wait ..."
Then it says "Syntax error in line 286 : unexpected newline".
Any help will be appreciated!
 
Did you try the all option? e.g. ./HackerPorts.sh all

Run the following two commands and post output
nvram get wan0_ifname and
grep "Block IN" /tmp/syslog.log | tail | grep -oE "IN=.*DPT=[0-9]+" | awk '{a[$1]++;}END{for(i in a)print i, a[i];}'

Here are my values:
Code:
#nvram get wan0_ifname
eth0

#grep "Block IN" /tmp/syslog.log | tail | grep -oE "IN=.*DPT=[0-9]+" | awk '{a[$1]++;}END{for(i in a)print i, a[i];}'
IN=ppp0 10
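The interface check from the post above, run over a few constructed "Block IN=" syslog lines so the mismatch is visible without a router. This is an added example, not code from the post or from IPSET_Block/HackerPorts; it assumes the "Block IN=" log prefix the thread's firewall LOG rules produce, and the nvram value is passed in as a parameter instead of being read from the router.

```shell
#!/bin/sh
# Added example (not from the original post): the per-interface count from the
# post run over constructed syslog lines, so the eth0/ppp0 mismatch that breaks
# the default 'eth0' filter can be seen offline. Assumes the "Block IN=" log
# prefix that the thread's iptables LOG rules produce.

# Constructed sample: four blocked packets seen on ppp0, one on eth0.
SAMPLE_LOG='May  8 19:30:01 kernel: Block IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40000 DPT=23
May  8 19:30:02 kernel: Block IN=ppp0 OUT= MAC= SRC=198.51.100.8 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=1433
May  8 19:30:03 kernel: Block IN=eth0 OUT= MAC= SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP SPT=40002 DPT=22
May  8 19:30:04 kernel: Block IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40003 DPT=23
May  8 19:30:05 kernel: Block IN=ppp0 OUT= MAC= SRC=198.51.100.10 DST=203.0.113.5 PROTO=TCP SPT=40004 DPT=7547'

# Count blocked packets per inbound interface, as the one-liner in the post
# does (a[$1] is the "IN=..." field), reading the log from stdin.
count_by_iface() {
    grep "Block IN" | grep -oE "IN=.*DPT=[0-9]+" \
        | awk '{a[$1]++} END {for (i in a) print i, a[i]}' | sort
}

# Name of the interface that carries most of the blocked traffic (stdin = log).
busiest_iface() {
    count_by_iface | sort -k2 -n -r | head -n 1 | sed 's/^IN=//; s/ .*//'
}

# Compare what NVRAM calls the WAN interface ($1, the value of
# `nvram get wan0_ifname` on the router) with what the log actually shows.
check_filter() {
    seen="$(printf '%s\n' "$SAMPLE_LOG" | busiest_iface)"
    if [ "$seen" = "$1" ]; then
        echo "match: filtering on $1 is fine"
    else
        echo "mismatch: nvram says $1 but blocked traffic arrives on $seen; use 'all'"
    fi
}

printf '%s\n' "$SAMPLE_LOG" | count_by_iface
check_filter eth0
```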
 
Ok!
I got "eth0" from the nvram command, but when I ran the grep I didn't get any output at all.
When I ran HP with the "all" option I got "559 records scanned".
Syslog says "Hacker report created '/tmp/HackerReport.txt' - Statistics: Total Unique Ports attacked: 0 (out of 0 attempts)".
Is that right?
 
I have a problem again!
I d/led and installed v3.05 of IPSET_Block.sh and HackerPorts v2.03. They were both working fine, saving banned IPs etc.
Then I rebooted the router and now IPSET_Block is not saving banned IPs again!
I am getting a msg. in the log saying, "Iptables : No chain/target/match by that name"
Please help!
 
what do you get with this command?
Code:
cd /jffs/scripts
./IPSET_Block.sh

Do you have all scripts in Unix mode? Did you set IPSET_Block.config in the correct directory?
 
Yes!
They are all in Unix format.
IPSET_Block.config is saved on my USB stick. It has been saved there successfully up until I rebooted the router.
When I run the script, I get the output that was in the original post (Iptables : No chain etc.).
I did notice one thing after looking things over. I cannot change HackerPorts.sh to writeable format with chmod.
 
Here is a small utility script to download IPSET_Block.sh and HackerPorts.sh, format them for Linux and chmod 755 the files. Call it whatever you want (e.g. get-ipblock-scripts.sh), just remember to chmod it to be executable, e.g. chmod 755 get-ipblock-scripts.sh.

Code:
#!/bin/sh

#Get IPSET_Block.sh script from pastebin, convert to linux format and set permissions to 755
wget https://pastebin.com/raw/zQ3KEe8P -O /jffs/scripts/IPSET_Block.sh; dos2unix /jffs/scripts/IPSET_Block.sh
chmod 755 /jffs/scripts/IPSET_Block.sh

#Get HackerPorts.sh script from pastebin, convert to linux format and set permissions to 755
wget https://pastebin.com/raw/LRHJih8Z -O /jffs/scripts/HackerPorts.sh; dos2unix /jffs/scripts/HackerPorts.sh
chmod 755 /jffs/scripts/HackerPorts.sh
 
I wonder if this would be useful to generalise to take parameters for file to grab and directory to save, for use by anyone downloading a script from pastebin or github? If there's demand I can throw something together
 
I was thinking the same thing. Have the script prompt for the http address and file name for example.
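The fetch step generalised as suggested, as an added example that is not the utility script from the post above nor part of IPSET_Block or HackerPorts: URL and destination become parameters, the CR stripping uses tr instead of dos2unix (so it also works where that tool is missing), and the result is checked for a /bin/sh shebang before anyone runs it. It assumes wget is available, as on Asuswrt-Merlin; the pastebin URLs in the usage comment are the two from the post.

```shell
#!/bin/sh
# Added example, not the script from the post above nor part of IPSET_Block:
# the same fetch-and-fix step generalised to take the URL and destination as
# parameters, as suggested in the thread. Line endings are repaired with tr
# rather than dos2unix so it also works where that tool is absent. Assumes
# wget is present, as on Asuswrt-Merlin.

# Number of carriage-return bytes in a file: 0 for a clean LF-only script.
crlf_count() {
    tr -cd '\r' < "$1" | wc -c | tr -d ' '
}

# Strip CRs in place (the usual cause of "unexpected newline" errors when a
# web-pasted copy is run by /bin/sh) and mark the file executable.
normalize_script() {
    tmp="$1.tmp.$$"
    tr -d '\r' < "$1" > "$tmp" && mv "$tmp" "$1"
    chmod 755 "$1"
}

# True when the first line is a /bin/sh shebang; a download that returned an
# HTML error page instead of the raw script fails this check.
has_shebang() {
    [ "$(head -n 1 "$1" | cut -c1-9)" = "#!/bin/sh" ]
}

# fetch_script URL DEST: download, repair line endings, set permissions.
fetch_script() {
    url="$1"; dest="$2"
    wget -q "$url" -O "$dest" || { echo "download of $url failed" >&2; return 1; }
    normalize_script "$dest"
    if ! has_shebang "$dest"; then
        echo "warning: $dest does not start with #!/bin/sh, check its contents" >&2
        return 1
    fi
    echo "$dest: $(crlf_count "$dest") CR bytes remain, mode 755 set"
}

# Usage on the router (the two pastebin links from the post):
#   fetch_script https://pastebin.com/raw/zQ3KEe8P /jffs/scripts/IPSET_Block.sh
#   fetch_script https://pastebin.com/raw/LRHJih8Z /jffs/scripts/HackerPorts.sh
```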
 
I've been caught out by line endings a couple of times, so I run it through notepad++ and do an EOL conversion
 
Check the client you use to make sure the ASCII setting is turned on. Here is my setting from MobaXterm:
[screenshot: upload_2017-5-10_21-34-0.png]

I've never had an issue with the eol dos characters, except when I did the wget on HackerPorts.sh from pastebin raw. Never had the problem with GitHub raw file links before.
 
