How to Dynamically Ban Malicious IP's using IPSet (Martineau version)

Can someone please post the links to the new versions? I keep getting HackerPorts ver.2.03 and IPSET_Block ver 3.05 when I follow some of the links already posted.
 
I'll leave this job to its author...

Not sure if HackerPorts.sh is of any use without IPSET_Block.sh, but OK.

Thanks. I misunderstood HackerPorts as quite standalone, where I might only need to change a few names. Do you have plans to make it a bit more generic so that it can be used e.g. with @spalife's ipBLOCKer and @redhat27's yamalwareblocker? I think HackerPorts is an interesting idea.
 
I am getting blocked on speedguide.net. HackerPorts is reporting it as an attempted port hack. It initially does a port scan when you go to the site, but it will not load now.
I think IPSET_Block is blocking the site.
Norton says the site is ok!
Please advise!
 
If you are sure that the script is blocking SpeedGuide then add the site to the whitelist as identified in the report.

I have just tried

https://www.speedguide.net/portscan.php

and the test appeared to run as expected, although it could be that the site was immediately blocked after the first port test attempt out of their short penetration test of 85 ports and simply reported a false block 'success'?
 
How do I add it to the whitelist?
I did an unban on 68.67.73.20, but I still cannot get the site speedguide.net to come up.
 
Here is the output of my HackerReport file:
19 May 07:27:04: # Unique Ports attacked via ANY interface: 5 (out of 19 attempts) tracked via SYSLOG, May 19 07:15:32 - $

Top 3 Ports attacked:
14 http://www.speedguide.net/port.php?port=51413 e.g. https://dnsquery.org/ipwhois/1.226.15.78
2 http://www.speedguide.net/port.php?port=22 e.g. https://dnsquery.org/ipwhois/173.17.193.42
1 http://www.speedguide.net/port.php?port=81 e.g. https://dnsquery.org/ipwhois/187.160.136.42

Top 3 attackers:
1 https://dnsquery.org/ipwhois/1.226.15.78
1 https://dnsquery.org/ipwhois/173.17.193.42
1 https://dnsquery.org/ipwhois/187.160.136.42

Last 3 most recent attackers:
https://dnsquery.org/ipwhois/187.160.136.42
https://dnsquery.org/ipwhois/217.70.180.137
https://dnsquery.org/ipwhois/1.226.15.78

Ports attacked:
 
I do not think any of the IPSET lists are blocking that IP
Code:
MatchIP 68.67.73.20
68.67.73.20 not found in WhitelistDomains
68.67.73.20 not found in BlacklistDomains
68.67.73.20 not found in BluetackProxyCIDR
68.67.73.20 not found in BluetackProxySingle
68.67.73.20 not found in BluetackWebexploitCIDR
68.67.73.20 not found in BluetackWebexploitSingle
68.67.73.20 not found in BluetackDshieldCIDR
68.67.73.20 not found in BluetackDshieldSingle
68.67.73.20 not found in BluetackSpiderCIDR
68.67.73.20 not found in BluetackSpiderSingle
68.67.73.20 not found in YAMalwareBlock1IP
68.67.73.20 not found in YAMalwareBlock2IP
68.67.73.20 not found in YAMalwareBlock3IP
68.67.73.20 not found in YAMalwareBlockCIDR
68.67.73.20 not found in BlockedCountries
68.67.73.20 not found in TorNodes
68.67.73.20 not found in Whitelist
68.67.73.20 not found in Blacklist
68.67.73.20 not found in MicrosoftSpyServers
68.67.73.20 not found in WhitelistSRCPort
68.67.73.20 not found in Whitelist
68.67.73.20 not found in Blacklist

What happens when you ping it from the router or your client command line?
Code:
ping speedguide.net
Pinging speedguide.net [68.67.73.20] with 32 bytes of data:
Reply from 68.67.73.20: bytes=32 time=1509ms TTL=56
Reply from 68.67.73.20: bytes=32 time=299ms TTL=56
Reply from 68.67.73.20: bytes=32 time=514ms TTL=56
Reply from 68.67.73.20: bytes=32 time=412ms TTL=56
 
I can ping it just fine from the router, but I cannot browse to the site speedguide.net.
I enabled the browser for that site, but still cannot reach it.
This only started since I upgraded to 380.66.
 
Did you try different browsers? Try a different DNS service, Google's for example (8.8.8.8 and 8.8.4.4), to see if that works. OpenDNS is another DNS service to try.
 
Another thing to try is the command

nslookup speedguide.net

from a DOS prompt or from the router command line
 
I did try IE11, FF and Chrome before I posted about the problem. None work!
nslookup gives the IP address 68.67.73.20
I'm going to try turning off DNSSEC on the router. Maybe it is causing the problem. I also took out Norton's DNS servers, but that didn't work.
I'll let you know!
I hate to turn off IPSET cause I don't want to lose my banned IPs. The only other script I have running is "Malware-Filter".
 
Maybe try turning off anti-virus temporarily? When I type the website URL, I don't get an error. But I get a "There’s a problem with this website’s security certificate" when I type the IP address. So maybe your anti-virus is blocking it?
 
I don't think that is it, cause Norton gives the site an OK.
I usually check Norton's "Safe site" before I go to any site.
 
Can someone please post the links to the new versions? I keep getting HackerPorts ver.2.03 and IPSET_Block ver 3.05 when I follow some of the links already posted.

Did you ever find them? I cannot...
 
I am getting blocked on speedguide.net. HackerPorts is reporting it as an attempted port hack. It initially does a port scan when you go to the site, but it will not load now.
I think IPSET_Block is blocking the site.
Norton says the site is ok!
Please advise!

I have pushed v4.02/v2.05 which should allow you to issue
Code:
./IPSET_Block.sh   suspend

and the IPSET Blacklist blocking will be DISABLED for 5 mins and then it will automatically be re-ENABLED (or issue 'resume' to restart the blocking immediately)

Hopefully this should allow you to re-test and see if the script was originally causing the access issue.
 
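As an added example (not code from IPSET_Block.sh or its author), here is the mechanism the suspend/resume post above describes, together with the MatchIP-style membership check shown earlier in the thread. It assumes the set is named Blacklist, the DROP rule lives in INPUT, and that the iptables/ipset binaries are reached through $IPT/$IPSET so they can be stubbed on a machine without root.

```shell
#!/bin/sh
# Added example, not Martineau's IPSET_Block.sh. Suspend/resume an ipset-backed
# DROP rule by detaching the rule only (the set and its banned entries, with
# their timeouts, stay intact) and re-attaching it automatically, plus a
# MatchIP-style membership check across every set. Assumed names: set
# "Blacklist", chain "INPUT"; $IPT/$IPSET let the binaries be stubbed.
IPT=${IPT:-iptables}
IPSET=${IPSET:-ipset}
SET_NAME=${SET_NAME:-Blacklist}
RULE="INPUT -m set --match-set $SET_NAME src -j DROP"

# 0 if the DROP rule is installed, 1 otherwise (-C only checks, never changes).
is_blocking_active() {
    $IPT -C $RULE 2>/dev/null
}

# Remove the rule, never flush the set: bans (and their expiry) survive.
suspend_blocking() {
    if is_blocking_active; then $IPT -D $RULE; fi
}

# Re-insert the rule; guarded by -C so repeated calls add no duplicate rule.
resume_blocking() {
    is_blocking_active || $IPT -I $RULE
}

# Fail-safe suspend: blocking is off for N seconds (default 300, the thread's
# 5 minutes), then a background job turns it back on even if nobody remembers.
suspend_for() {
    suspend_blocking
    ( sleep "${1:-300}"; resume_blocking ) &
}

# MatchIP: report, for every set, whether it contains the IP.
# Returns 0 if at least one set matched, 1 if none did.
match_ip() {
    ip=$1; hits=0
    for s in $($IPSET list -n); do
        if $IPSET test "$s" "$ip" >/dev/null 2>&1; then
            echo "$ip found in $s"; hits=$((hits + 1))
        else
            echo "$ip not found in $s"
        fi
    done
    [ "$hits" -gt 0 ]
}
```

Run `suspend_for 300` to reproduce the thread's 5-minute test window; `match_ip 68.67.73.20` reproduces the "not found in ..." listing posted above.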
I can confirm. Speedguide ran with the "Suspend" option. It is definitely being blocked by IPSET_Block!
Thank you for the testing data and your help!
What should I do to unblock this permanently?
 
I reran it and gave 1.34.240.122 an unban and it worked.
Thank you for all the hard work and followups.

Well I don't have that IP in my 12614 Blacklist entries???
Code:
./IPSET_Block.sh query 1.34.240.122

   v4.03 © 2016-2017 Martineau, Dynamic IPSET Blocking.....

 1.34.240.122 is NOT in set Blacklist.

 Summary Blacklist: 38+0 Successful blocks! ( 12614 IPs currently banned - 1 added since: May 21 20:23 ), Entries auto-expire after 3 days 00:00:00 hrs

and looking at the details held by SpeedGuide.net database:

https://www.speedguide.net/ip/1.34.240.122

I'm not sure why unblocking this (possibly dubious?, although the 'Blacklist Check' button on that page shows 'green' for 'clean') I/P fixes your issue? :confused:
 