How to Dynamically Ban Malicious IP's using IPSet (Martineau version)

@Martineau I ran the scripts as you requested. I had a problem with the one ./IPSET_Block init reset ipset. Here is the output:
admin@RT-AC3100-0000:/jffs/scripts# ./IPSET_Block.sh init reset ipset

v4.03 © 2016-2017 Martineau, Dynamic IPSET Blocking.....

IPSETs: 'Blacklist*/Whitelist*' created empty - reset!

Restoring permanently banned I/P addresses to Blacklist from '/mnt/ASUS/IPSET_Logs/IPSET_Block.config.add'.....
Bad argument `59'
Try `iptables -h' or 'iptables --help' for more information.

Summary Blacklist: 0+0 Successful blocks! ( 0 IPs currently banned - 0 added ), Entries auto-expire after 7 days 00:00:00hrs


v2.06 © 2016-2017 Martineau, Hacker Port attacks Report.....

Scanning /tmp/syslog.log for ANY interface (IN=eth0) violations, please wait.....

1261 records scanned from Syslog ('/tmp/syslog.log')


25 May 12:26:24: # Unique Ports attacked via ANY interface: 8 (out of 152 attempts) tracked via SYSLOG, May 25 11:53:11 - May 25 12:26:24


Top 3 Ports attacked:
131 http://www.speedguide.net/port.php?port=51413 e.g. https://www.speedguide.net/ip/1.204.101.188
11 http://www.speedguide.net/port.php?port=23 e.g. https://www.speedguide.net/ip/122.116.73.161
3 http://www.speedguide.net/port.php?port=1433 e.g. https://www.speedguide.net/ip/103.236.254.83

Top 3 attackers:
1 https://www.speedguide.net/ip/1.204.101.188
1 https://www.speedguide.net/ip/122.116.73.161
1 https://www.speedguide.net/ip/103.236.254.83

Last 3 most recent attackers:
https://www.speedguide.net/ip/189.200.48.67
https://www.speedguide.net/ip/1.204.101.188
https://www.speedguide.net/ip/45.76.25.206
Also the output from the status:
admin@RT-AC3100-0000:/jffs/scripts# ./IPSET_Block.sh status

v4.03 © 2016-2017 Martineau, Dynamic IPSET Blocking.....

Name: Blacklist
Type: hash:ip
Revision: 0
Header: family inet hashsize 8192 maxelem 65536 timeout 604800
Size in memory: 328088
References: 3
Members: (Total=19357)

Name: Whitelist
Type: hash:net
Revision: 0
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 8532
References: 2
Members: (Total=1)

Name: BlacklistTRK
Type: hash:net,port
Revision: 1
Header: family inet hashsize 1024 maxelem 65536 timeout 604800
Size in memory: 15028
References: 2
Members: (Total=150)



Summary Blacklist: 82+0 Successful blocks! ( 19334 IPs currently banned - 23 added ), Entries auto-expire after 7 days 00:00:00hrs


v2.06 © 2016-2017 Martineau, Hacker Port attacks Report.....

Retrieving IPSET BlacklistTRK data for 'eth0' violations, please wait.....

150 members retrieved from IPSET (BlacklistTRK - Entries auto-expire after 7 days 00:00:00 hrs)


25 May 12:44:45: # Unique Ports attacked via 'eth0': 8 (out of 150 attempts) tracked via IPSET


Top 3 Ports attacked:
135 http://www.speedguide.net/port.php?port=51413 (tcp,udp) e.g. https://www.speedguide.net/ip/1.174.250.129
8 http://www.speedguide.net/port.php?port=23 (tcp,udp) e.g. https://www.speedguide.net/ip/117.239.12.66
2 http://www.speedguide.net/port.php?port=1433 (tcp,udp) e.g. https://www.speedguide.net/ip/104.192.111.12

Top 3 attackers:
1 https://www.speedguide.net/ip/1.174.250.129
1 https://www.speedguide.net/ip/117.239.12.66
1 https://www.speedguide.net/ip/104.192.111.12
 
Here is the output of the reset:
admin@RT-AC3100-0000:/jffs/scripts# ./IPSET_Block.sh restore

v4.03 © 2016-2017 Martineau, Dynamic IPSET Blocking.....

Restoring IPSET Blocking config from '/mnt/ASUS/IPSET_Logs/IPSET_Block.config'.....

Restoring permanently banned I/P addresses to Blacklist from '/mnt/ASUS/IPSET_Logs/IPSET_Block.config.add'.....

Summary Blacklist: 28+0 Successful blocks! ( 0 IPs currently banned - 19334 added ), Entries auto-expire after 7 days 00:00:00hrs


v2.06 © 2016-2017 Martineau, Hacker Port attacks Report.....

Retrieving IPSET BlacklistTRK data for 'eth0' violations, please wait.....

129 members retrieved from IPSET (BlacklistTRK - Entries auto-expire after 7 days 00:00:00 hrs)


25 May 12:39:06: # Unique Ports attacked via 'eth0': 7 (out of 129 attempts) tracked via IPSET


Top 3 Ports attacked:
116 http://www.speedguide.net/port.php?port=51413 (tcp,udp) e.g. https://www.speedguide.net/ip/1.174.250.129
8 http://www.speedguide.net/port.php?port=23 (tcp,udp) e.g. https://www.speedguide.net/ip/117.239.12.66
1 http://www.speedguide.net/port.php?port=81 (tcp,udp) e.g. https://www.speedguide.net/ip/187.160.75.244

Top 3 attackers:
1 https://www.speedguide.net/ip/1.174.250.129
1 https://www.speedguide.net/ip/117.239.12.66
1 https://www.speedguide.net/ip/187.160.75.244
 
Here is the "Syslog" printout.
May 25 12:44:41 (IPSET_Block.sh): 16441 v4.03 © 2016-2017 Martineau, Dynamic IPSET Blacklist banning request.....
May 25 12:44:44 (IPSET_Block.sh): 16441 Summary Blacklist: 82 Successful blocks! ( 19334 IPs currently banned - 23 added )
May 25 12:44:45 (HackerPorts.sh): 16788 v2.06 © 2016-2017 Martineau,Hacker Port attacks Report.....
May 25 12:44:45 (HackerPorts.sh): 16788 Hacker report created '/tmp/HackerReport.txt' - Statistics: Total Unique Ports attacked: 8 (out of 150 attempts) tracked using IPSET
 
Code:
Bad argument `59'
Try `iptables -h' or 'iptables --help' for more information.

o_O I'm not sure why there was an initial error during the upgrade :confused:

but can you please issue:
Code:
./IPSET_Block.sh

and post the output.

Hopefully there are no errors, and the expected statistics/reports are produced from the IPSET correctly?
 
Yes!
It seems to be running fine. Just thought you'd want to see that weird output in case it was an issue.
Here is the output from current run:

admin@RT-AC3100-0000:/jffs/scripts# ./IPSET_Block.sh

v4.03 © 2016-2017 Martineau, Dynamic IPSET Blocking.....

Summary Blacklist: 616+0 Successful blocks! ( 19433 IPs currently banned - 168 added ), Entries auto-expire after 7 days 00:00:00hrs


v2.06 © 2016-2017 Martineau, Hacker Port attacks Report.....

Retrieving IPSET BlacklistTRK data for 'eth0' violations, please wait.....

389 members retrieved from IPSET (BlacklistTRK - Entries auto-expire after 7 days 00:00:00 hrs)


25 May 13:38:58: # Unique Ports attacked via 'eth0': 11 (out of 389 attempts) tracked via IPSET


Top 3 Ports attacked:
346 http://www.speedguide.net/port.php?port=51413 (tcp,udp) e.g. https://www.speedguide.net/ip/1.174.250.129
25 http://www.speedguide.net/port.php?port=23 (tcp,udp) e.g. https://www.speedguide.net/ip/117.192.212.32
8 http://www.speedguide.net/port.php?port=1433 (tcp,udp) e.g. https://www.speedguide.net/ip/103.236.254.108

Top 3 attackers:
1 https://www.speedguide.net/ip/1.174.250.129
1 https://www.speedguide.net/ip/117.192.212.32
1 https://www.speedguide.net/ip/103.236.254.108
I have one question: why does the time say 00:00:00?
I'm sorry, I meant the auto-expiration time.
 
If you look closely, the auto-expire timeout values for both IPSETs are now expressed using the human-friendly extended dd hh:mm:ss format.

Entries auto-expire after 7 days 00:00:00 hrs which was previously reported as 168:00:00 hrs

It is explained in post

https://www.snbforums.com/threads/h...ng-ipset-martineau-version.38748/#post-318045

However, if the 7 day expiry value isn't appropriate, you can change it in flight, i.e.

e.g. Set the timeout value to 3 days for both IPSETs
Code:
./IPSET_Block.sh   restore   72:00:00   both

then if you only wish to block entries for say just over 1.5 days issue
e.g. Set the timeout value
Code:
./IPSET_Block.sh   restore   40:30:20

Since you don't have 'dig' installed, the script will not mark confirmed banned IP/CIDRs as 'permanently banned' i.e. 'timeout 0', but you can manually add them if you wish, and they will be saved in 'IPSET_Block.config.add', which will be restored to an empty Blacklist IPSET.

NOTE: The HIT count shows the INPUT chain then the FORWARD chain counts:

e.g. In your current period

616+0 Successful blocks!

means you have had 616 hits on the INPUT chain blocking rule, and 0 hits on the FORWARD chain blocking rule.
 
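An added example (my own shell, not code from IPSET_Block.sh or HackerPorts.sh) showing the two conversions behind the figures in the post above: the hh:mm:ss timeout the script takes on the command line against the seconds ipset actually stores and the "N days hh:mm:ss" form now reported, and reading the INPUT and FORWARD packet counters that make up "616+0". The iptables text is constructed, and the rule layout (a DROP rule with "match-set Blacklist src" in both INPUT and FORWARD) is assumed from the description above, not copied from the script.

```shell
#!/bin/sh
# Added example, not code from IPSET_Block.sh or HackerPorts.sh.
# Two conversions behind the figures the scripts print:
#   1. the hh:mm:ss timeout given on the command line ("restore 72:00:00 both")
#      versus the seconds ipset stores and the "N days hh:mm:ss" form now
#      reported (7 days 00:00:00 == 168:00:00 == 604800 s);
#   2. the "616+0 Successful blocks!" figure, i.e. the pkts counter of the
#      INPUT rule followed by the pkts counter of the FORWARD rule that
#      reference the Blacklist set.

# hh:mm:ss -> seconds. Hours may exceed 23 (169:30:12 is valid); minutes and
# seconds must be 0-59. Returns 1 on malformed input.
hms_to_seconds() {
    case "$1" in
        ''|*[!0-9:]*) return 1 ;;       # digits and colons only
    esac
    echo "$1" | awk -F: 'NF != 3 || $2 > 59 || $3 > 59 { exit 1 }
                         { printf "%d\n", $1 * 3600 + $2 * 60 + $3 }'
}

# seconds -> "D days hh:mm:ss", the layout HackerPorts.sh v2.06 uses
seconds_to_dhms() {
    awk -v s="$1" 'BEGIN {
        d = int(s / 86400); s -= d * 86400
        h = int(s / 3600);  s -= h * 3600
        m = int(s / 60);    s -= m * 60
        printf "%d days %02d:%02d:%02d\n", d, h, m, s
    }'
}

# Constructed `iptables -nvxL` output (-x gives exact counters, no K/M
# suffixes). The rule layout is assumed from the post, not copied from the script.
SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     120     7200 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Whitelist src
     616    33264 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Blacklist src

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Blacklist src

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination'

# Read `iptables -nvxL` text on stdin and print "<INPUT hits>+<FORWARD hits>"
# summed over every rule that matches the given set as source (default Blacklist).
blacklist_hits() {
    awk -v set="${1:-Blacklist}" '
        /^Chain / { chain = $2; next }
        $0 ~ ("match-set " set " src") { hits[chain] += $1 }
        END { printf "%d+%d\n", hits["INPUT"], hits["FORWARD"] }'
}

# Stand-alone demonstration
echo "72:00:00  -> $(hms_to_seconds 72:00:00) s -> $(seconds_to_dhms "$(hms_to_seconds 72:00:00)")"
echo "169:30:12 -> $(hms_to_seconds 169:30:12) s -> $(seconds_to_dhms "$(hms_to_seconds 169:30:12)")"
echo "Sample counters: $(echo "$SAMPLE_IPTABLES" | blacklist_hits) Successful blocks!"
# On the router: iptables -nvxL | blacklist_hits
```

On the router itself, `iptables -nvxL | blacklist_hits` gives the same two numbers the script's Summary line reports, which is a quick way to confirm that the FORWARD counter really is zero because nothing is being forwarded to the blocked addresses rather than because the FORWARD rule is missing.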
Hi, this may be a dumb butt situation, but when I run './IPSET_Block.sh init nolog' the 'HackerPorts' information is not there and it fails. If I run without 'nolog' it works, but I get the block entries in the syslog. If I run ./HackerPorts.sh wipe hourly though, it keeps up and my syslog is a little easier to read. Am I doing something wrong? I'm running the new code.
 
Did you follow the instructions?

e.g.
Code:
./IPSET_Block.sh   init   reset   ipset

allows tracking by IPSET yet still has the tracking messages in Syslog, so HackerPorts.sh can selectively use both methods.

e.g. To only use the IPSET for recording stats rather than requiring/creating the tracking Syslog messages.
Code:
./IPSET_Block.sh   init   reset   ipset   nolog

So once the tracking IPSET is in use, after the next 'save', all that is required in firewall-start/services-start is

Code:
/jffs/scripts/IPSET_Block.sh   init

EDIT: Due to a HackerPorts.sh v2.06 bug, to enable Blocking/reporting silently you will also need to manually issue:
Code:
./IPSET_Block.sh   nolog

until v2.07 is released :oops::oops:
 
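An added example (my own shell, not HackerPorts.sh) of the two tracking sources the post above describes: a minimal port-attack report built from "Block IN=" Syslog lines and, alternatively, from members of the BlacklistTRK hash:net,port set. Both inputs are constructed; the Syslog prefix follows the "Block IN=" wording used in the changelog later in the thread, and the BlacklistTRK member layout is the standard `ipset list` output for a hash:net,port set. It also shows why a "last attackers" list is only possible from Syslog: the IPSET has no timestamps.

```shell
#!/bin/sh
# Added example, not HackerPorts.sh itself: a minimal port-attack report built
# from the two sources the post above says HackerPorts.sh can use.
#   syslog: "Block IN=<if> ... SRC=<ip> ... PROTO=<p> ... DPT=<port>" lines
#   ipset:  members of the BlacklistTRK hash:net,port set, "<ip>,<proto>:<port>"
# Only the Syslog source has timestamps, so "last attackers" is available from
# it alone.

# Constructed Syslog lines. The "Block IN=" prefix follows the changelog wording;
# the remaining fields are standard netfilter LOG output.
SAMPLE_SYSLOG='May 25 12:01:10 kernel: Block IN=eth0 OUT= SRC=1.204.101.188 DST=10.0.0.2 LEN=40 PROTO=TCP SPT=40000 DPT=51413 SYN
May 25 12:02:31 kernel: Block IN=eth0 OUT= SRC=122.116.73.161 DST=10.0.0.2 LEN=40 PROTO=TCP SPT=51111 DPT=23 SYN
May 25 12:03:05 kernel: Block IN=eth0 OUT= SRC=1.204.101.188 DST=10.0.0.2 LEN=40 PROTO=UDP SPT=40001 DPT=51413
May 25 12:04:44 kernel: Block IN=eth0 OUT= SRC=103.236.254.83 DST=10.0.0.2 LEN=40 PROTO=TCP SPT=52222 DPT=1433 SYN
May 25 12:05:59 kernel: Block IN=br0 OUT= SRC=192.168.1.50 DST=10.0.0.2 LEN=40 PROTO=TCP SPT=53333 DPT=23 SYN
May 25 12:06:12 kernel: Block IN=eth0 OUT= SRC=45.76.25.206 DST=10.0.0.2 LEN=40 PROTO=TCP SPT=54444 DPT=51413 SYN'

# Constructed `ipset list BlacklistTRK` member lines (header omitted).
SAMPLE_TRK='1.174.250.129,tcp:51413 timeout 604000
117.239.12.66,tcp:23 timeout 603900
1.174.250.129,udp:51413 timeout 603800
104.192.111.12,tcp:1433 timeout 603700'

# Normalise either source (stdin) to "ip proto port" lines so one set of
# counters serves both. $1 = syslog|ipset, $2 = interface filter for syslog
# (ANY = no filter; the reports above show both 'ANY' and 'eth0' runs).
to_triples() {
    case "$1" in
        syslog)
            awk -v want="${2:-ANY}" '
                /Block IN=/ {
                    ifc = src = proto = dpt = ""
                    for (i = 1; i <= NF; i++) {
                        split($i, kv, "=")
                        if (kv[1] == "IN")    ifc   = kv[2]
                        if (kv[1] == "SRC")   src   = kv[2]
                        if (kv[1] == "PROTO") proto = tolower(kv[2])
                        if (kv[1] == "DPT")   dpt   = kv[2]
                    }
                    if (dpt != "" && (want == "ANY" || ifc == want)) print src, proto, dpt
                }' ;;
        ipset)
            # "1.2.3.4,tcp:23 timeout 6039" -> "1.2.3.4 tcp 23"
            awk -F'[, :]' '/,/ { print $1, $2, $3 }' ;;
        *)
            echo "usage: to_triples syslog|ipset [interface]" >&2; return 1 ;;
    esac
}

# "count port" lines, most attacked first (default top 3)
top_ports() {
    awk '{ n[$3]++ } END { for (p in n) print n[p], p }' | sort -rn | head -n "${1:-3}"
}

# Number of distinct source addresses
unique_attackers() {
    awk '{ print $1 }' | sort -u | wc -l | tr -d ' '
}

# Last N sources in arrival order; meaningful for the syslog source only
last_attackers() {
    awk '{ print $1 }' | tail -n "${1:-3}"
}

# Stand-alone demonstration
echo "Syslog, eth0: $(echo "$SAMPLE_SYSLOG" | to_triples syslog eth0 | wc -l | tr -d ' ') attempts"
echo "$SAMPLE_SYSLOG" | to_triples syslog eth0 | top_ports
echo "Syslog, eth0, last attackers:"; echo "$SAMPLE_SYSLOG" | to_triples syslog eth0 | last_attackers
echo "BlacklistTRK: $(echo "$SAMPLE_TRK" | to_triples ipset | unique_attackers) unique attackers"
echo "$SAMPLE_TRK" | to_triples ipset | top_ports
```

The interface filter matters: the br0 line in the sample is a LAN host probing port 23 and is excluded from the 'eth0' run, which mirrors the 'ANY' versus 'eth0' totals in the two reports above. On the router the same functions can be fed with `grep 'Block IN=' /tmp/syslog.log | to_triples syslog eth0` or `ipset list BlacklistTRK | to_triples ipset`.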
Ahh I see the light oh Jedi Master I understand now thanks!
 
After a reboot HackerPorts would not run. Says tracking is not enabled.
/jffs/scripts/firewall-start
Code:
#!/bin/sh
# Load ipset filter rules
/jffs/scripts/IPSET_Block.sh init nolog
/jffs/scripts/ya-malware-block.sh

[ -x /jffs/dnscrypt/manager ] && /jffs/dnscrypt/manager fw-rules
When I run "/jffs/scripts/IPSET_Block.sh init nolog" from the command prompt the results are as follows
Code:
Using username .


ASUSWRT-Merlin RT-AC68U 380.66-2 Wed May 17 03:00:05 UTC 2017
:/tmp/home/root# /jffs/scripts/IPSET_Block.sh init nolog

   v4.03 © 2016-2017 Martineau, Dynamic IPSET Blocking.....

        IPSET(s) restored from '/tmp/mnt/EXT4/IPSET_Block.config'

        Restoring permanently banned I/P addresses to Blacklist from '/tmp/mnt/EXT4/IPSET_Block.config.add'.....

        Summary Blacklist: 0+0 Successful blocks! ( 0 IPs currently banned - 12 added ), Entries auto-expire after 7 days 00:00:00hrs



        ***ERROR Tracking not enabled? - check '/jffs/scripts/firewall-start' 'IPSET_Block.sh init' is used WITHOUT 'nolog'

:/tmp/home/root#
HackerPorts doesn't seem to be running with this problem I've caused, can you help? I must be doing something wrong.
 
Whoops :oops:, can you try the following entry in

/jffs/scripts/firewall-start
Code:
/jffs/scripts/IPSET_Block.sh   init   ipset


EDIT: 1st bug,...Using the above, the tracker messages are still produced, so until I push a fix to HackerPorts.sh you will need to also issue the following second command:

Code:
./IPSET_Block.sh   nolog
 
Ok, I replaced what I had in firewall-start and rebooted. HackerPorts runs now, however with the drop messages in the syslogs. Should I use the "wipe" switch every hour, or is there yet another way to run this without the log spam? Thanks, it seems to run fine!
 
I'm not sure if this is ok but I ran this command and it worked.
Code:
/jffs/scripts/IPSET_Block.sh init ipset nolog
This didn't work actually. I can't get HackerPorts to run at all, whether at boot or at the command line. Can you suggest any ideas? I have tried the above commands but they don't seem to give me any results or changes. IPSET_Block runs fine, it just keeps saying that "init" is used without "nolog". Sorry to be a bother.
EDIT: I reverted to defaults and still no HackerPorts. What have I done to bring this on? I'm an idiot I'm sure it's something simple.
 
HackerPorts.sh uses grep to look for the string '/IPSET_Block.sh.*nolog' in services-start, and if it finds it in a non-comment line it will abort its execution even if IPSET BlacklistTRK exists. :(

It is easily overcome by removing 'nolog' from services-start.

However, fixing the script is obviously the preferred solution, now that I can finally see the bug :rolleyes:- unfortunately I can't upload to pastebin at the moment.

i.e. typo '$LIST' should be 'list' :oops: but since I don't need the actual size of the IPSET in this context, for performance efficiency we might as well reduce the command while we are at it!

So can you apply the one-line patch to

/jffs/scripts/HackerPorts.sh Line: 175
Code:
if [ "$(ipset $LIST BlacklistTRK 2> /dev/null | wc -l)" -gt 0 ]; then

change to
Code:
ipset list BlacklistTRK >/dev/null 2>&1;if [ $? -eq 0 ]; then

and leave

/jffs/scripts/services-start

with the 'nolog' statement as shown:
Code:
sh /jffs/scripts/IPSET_Block.sh   init   nolog

This should allow you to again configure 'silent' IPSET Tracking
Code:
./IPSET_Block.sh   init   reset   ipset

At this point all should be working, although you will probably have no previous Blacklist entries.
NOTE: If you have a populated backup of 'IPSET_Block.config' or 'IPSET_Block.configbak', then you may be able to restore it manually, then follow the original sequence of commands to convert to silent IPSET tracking.

Otherwise issue
Code:
./IPSET_Block.sh   save
and reboot to prove that it still works.

Code:
Changes IPSET_Block.sh

1. IPSET_Block.sh should now be able to run silently without the need to spam the Syslog with tracking 'Block IN=' messages
2. Entries in Blacklist can be marked 'Permanent' i.e. never expire, either manually, or automatically if entware 'dig' utility is installed.
3. The default expiry time for the Blacklist and the new BlacklistTRK tracking IPSET can be changed dynamically on the command line.
4. The interface for Blacklist can be explicitly specified as WAN only. (Default is ALL/ANY i.e. interface br0/vlan2/ppp0 etc.)
5. New commands: 'query', 'suspend/resume' (see help)
6. New command 'status rules' to assist in diagnostics i.e. show the actual iptables rules and IPSET summary size and member count (perm members if used)

Fixes.

1. Blacklist entries for Broadcast messages (DST=224.0.0.0/24) are no longer added.
2. Blacklist entries from LAN (SRC=192.168.1.0/24 etc.) are never added to Blacklist IPSET, so never need to be explicitly included in Whitelist IPSET.
3. 07June When using 'unban', don't accidentally wipe out 'IPSET_Block.config'

Changes HackerPorts.sh

1. Added ability to report individually on TCP or UDP attempts (Default is to report on both and combine their total.)
2. New commands: 'port=', 'dig' (see help)

Fixes.

1. Layout / formatting tweaks e.g. Expiry times now include day i.e. 169:30:12 hrs is displayed as 7 days 01:30:12 hrs
2. If using the BlacklistTRK for tracking rather than Syslog don't attempt to display last attackers since there are no timestamps available.
3. 07June Fix detection of IPSET tracking method
 
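An added example (my own shell, not code from HackerPorts.sh) contrasting the two ways of answering "is IPSET tracking enabled?" that the post above describes: the start-up-script grep for '/IPSET_Block.sh.*nolog' in a non-comment line, and the return code of `ipset list BlacklistTRK` used by the one-line patch. The services-start files are constructed in a temporary directory; the fallback rule in tracking_mode (read 'nolog' as "IPSET tracking intended" when ipset itself cannot be queried) is a design choice of this example, not the script's behaviour.

```shell
#!/bin/sh
# Added example, not code from HackerPorts.sh: the two ways of answering
# "is IPSET tracking enabled?" that the post above contrasts.
#   heuristic:     grep the start-up script for '/IPSET_Block.sh.*nolog' in a
#                  non-comment line (the check that made v2.06 abort when
#                  'init nolog' was present although BlacklistTRK existed)
#   authoritative: ask the kernel whether the tracking set exists, which is
#                  what the one-line patch does with `ipset list BlacklistTRK`

# 0 if a non-comment line of $1 runs IPSET_Block.sh with 'nolog', else 1.
# Comment lines are dropped first so a commented-out command does not count.
nolog_in_startup() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null | grep -q '/IPSET_Block\.sh.*nolog'
}

# 0 if the named set exists, 1 if it does not, 2 if ipset is not available
# (e.g. when this example is run off the router).
trk_set_exists() {
    command -v ipset >/dev/null 2>&1 || return 2
    ipset list "${1:-BlacklistTRK}" >/dev/null 2>&1
}

# Prints the tracking method a report should use: ipset, syslog or unknown.
# The kernel answer wins; the start-up script is consulted only when ipset
# cannot be queried, and 'nolog' is then read as "IPSET tracking intended"
# rather than as an error (a design choice of this example, not the script's).
tracking_mode() {
    rc=0
    trk_set_exists BlacklistTRK || rc=$?
    case $rc in
        0) echo ipset ;;
        1) echo syslog ;;
        *) if nolog_in_startup "$1"; then echo ipset; else echo unknown; fi ;;
    esac
}

# Constructed start-up scripts for the demonstration (removed on exit)
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' '#!/bin/sh' \
    'sh /jffs/scripts/IPSET_Block.sh   init   nolog' > "$demo_dir/services-start.nolog"
printf '%s\n' '#!/bin/sh' \
    '# sh /jffs/scripts/IPSET_Block.sh init nolog   (disabled)' \
    'sh /jffs/scripts/IPSET_Block.sh init' > "$demo_dir/services-start.commented"

for f in services-start.nolog services-start.commented; do
    if nolog_in_startup "$demo_dir/$f"; then hint=yes; else hint=no; fi
    echo "$f: nolog in active line = $hint, tracking mode = $(tracking_mode "$demo_dir/$f")"
done
```

The point of asking the kernel first is that the start-up script only records intent; after `init reset ipset` the set exists whether or not 'nolog' is present, so the presence check is the one that cannot disagree with reality.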
Excellent support. Everything you said to do I did and success it works now!!
 
Apologies for the frustrating inconvenience during the upgrade, but thanks for being a thorough beta-tester! :D
 
I have been having the same issue as @skeal. If I had the nolog option specified in services-start the HackerPorts.sh report would complain about it and not produce report output. So, I would specify
Code:
./IPSET_Block.sh init log ipset
in the services-start to get around the HackerPorts.sh report error. But logging to System Log file would occur since the log option was being specified.
 
Did you follow post

https://www.snbforums.com/threads/h...t-martineau-version.38748/page-16#post-327312

and then apply the code fix to HackerPorts.sh?

If you have applied the fix, and ensured that 'init nolog' is present in services-start then if it is inconvenient to reboot the router simply issue:
Code:
./IPSET_Block.sh   nolog

and if IPSET tracking is already correctly enabled, the Syslog 'spam' messages should immediately stop, and HackerPorts.sh should now continue to create its reports from the tracking IPSET.
 
