How to Dynamically Ban Malicious IP's using IPSet (Martineau version)


Hi @Martineau, I hope all is good.

All three routers are now displaying the following message when I run HackerPorts.sh:

***Warning IPSET Blocking is in Tracking ONLY mode!

This is a new message. Following is a snip from verbose output leading up to the message:

Code:
rrexit off
noglob off
ignoreeof off
interactive off
monitor off
noexec off
stdin off
xtrace on
verbose off
noclobber off
allexport off
notify off
nounset off
vi off
pipefail off
+ VER=v2.06
+ ANSIColours
+ cRESET=\e[0m
+ cBLA=\e[30m
+ cRED=\e[31m
+ cGRE=\e[32m
+ cYEL=\e[33m
+ cBLU=\e[34m
+ cMAG=\e[35m
+ cCYA=\e[36m
+ cGRA=\e[37m
+ cNO=\e[39m
+ cBGRA=\e[90m
+ cBRED=\e[91m
+ cBGRE=\e[92m
+ cBYEL=\e[93m
+ cBBLU=\e[94m
+ cBMAG=\e[95m
+ cBCYA=\e[96m
+ cBWHT=\e[97m
+ cRED_=\e[41m
+ cGRE_=\e[42m
+ aBOLD=\e[1m
+ aDIM=\e[2m
+ aUNDER=\e[4m
+ aBLINK=\e[5m
+ aREVERSE=\e[7m
+ Get_WAN_IF_Name
+ local IF_NAME=
+ nvram get wan0_gw_ifname
+ [ ppp0 != ]
+ nvram get wan0_gw_ifname
+ local IF_NAME=ppp0
+ nvram get pppoe_ifname
+ [ ! -z ]
+ echo ppp0
+ WAN_IF=ppp0
+ echo -e \e[97m
+ [ all == help ]
+ [ all == -h ]
+ nvram get computer_name
+ MYROUTER=RT-AC88U-XYZ
+ [ -d /tmp/mnt/RT-AC88U-XYZ ]
+ MOUNT=/tmp/mnt/RT-AC88U-XYZ
+ SYSLOG=/tmp/syslog.log
+ echo all
+ grep -o in=
+ wc -w
+ [ 0 -eq 1 ]
+ echo all
+ sed -n /[[:space:]]syslog[[:space:]]/p
+ [ -z ]
+ Tracking_Enabled
+ local STATUS=0
+ local FN=
+ grep -iE /jffs/scripts/IPSET_Block\.sh /jffs/scripts/firewall-start
+ grep -vE ^\#
+ [ ! -z ]
+ grep -iE /jffs/scripts/IPSET_Block\.sh /jffs/scripts/services-start
+ grep -vE ^\#
+ [ ! -z sh /jffs/scripts/IPSET_Block.sh init nolog
cru a IPSET_SAVE "0 * * * * /jffs/scripts/IPSET_Block.sh save" #Every hour
cru a IPSET_BACKUP "0 5 * * * /jffs/scripts/IPSET_Block.sh backup" #05:00 every day ]
+ grep -iE /jffs/scripts/IPSET_Block\.sh.*nolog /jffs/scripts/services-start
+ [ -z sh /jffs/scripts/IPSET_Block.sh init nolog ]
+ FN=/jffs/scripts/services-start
+ ipset list BlacklistTRK
+ [ 0 -eq 0 ]
+ STATUS=2
+ echo 2,/jffs/scripts/services-start
+ Parse 2,/jffs/scripts/services-start , TRACKING FN
+ local string IFS
+ TEXT=2,/jffs/scripts/services-start
+ IFS=,
+ shift 2
+ read -r -- TRACKING FN
+ [ 2 == 0 ]
+ [ ! -f /tmp/syslog.log ]
+ [ ! -z all ]
+ [ all != verbose ]
+ echo all
+ grep -o status
+ [ -z ]
+ echo all
+ grep -oE syslog|noipset
+ [ -z ]
+ echo all
+ grep -o num=
+ [ -z ]
+ echo all
+ grep -o all
+ [ -z all ]
+ LOGFILE=/tmp/mnt/RT-AC88U-XYZ/HackerReport.txt
+ Delete_TempFiles
+ rm /tmp/mnt/RT-AC88U-XYZ/HackerReport.txt.tmp
+ rm /tmp/mnt/RT-AC88U-XYZ/HackerReport.txt.new
+ return 0
+ ipset -v
+ grep -o v[4,6]
+ MATCH_SET=--match-set
+ LIST=list
+ CREATE=create
+ SAVE=save
+ RESTORE=restore
+ FLUSH=flush
+ DESTROY=destroy
+ ADD=add
+ SWAP=swap
+ IPHASH=hash:ip
+ NETHASH=hash:net
+ SETNOTFOUND=name does not exist
+ TIMEOUT=timeout
+ lsmod
+ grep -q xt_set
+ basename ./HackerPorts.sh
+ logger -t (HackerPorts.sh) 16532 v2.06 © 2016-2017 Martineau,Hacker Port attacks Report.....
+ echo -e v2.06 \e[4m© 2016-2017 Martineau\e[0m, Hacker Port attacks Report.....
v2.06 © 2016-2017 Martineau, Hacker Port attacks Report.....
+ ipset list Blacklist
+ wc -l
+ [ 765 -eq 0 ]
+ VERBOSE=0
+ echo all
+ grep -o verbose
+ wc -w
+ [ 0 -eq 1 ]
+ TOPX=10
+ echo all
+ grep -o num=
+ wc -w
+ [ 0 -eq 1 ]
+ which uniq
+ [ -z /usr/bin/uniq ]
+ REC_CNT=0
+ GRE_CNT=0
+ nvram get wan0_ifname
+ IFNAME=eth0
+ IIFXT='eth0'
+ ALL_IFTXT=
+ DIG=0
+ LISTED=
+ echo all
+ grep -o dig
+ wc -w
+ [ 0 -eq 1 ]
+ cru l
+ grep IPSET_resume
+ [ ! -z ]
+ iptables -nvL INPUT
+ grep -E DROP.*Blacklist
+ [ -z ]
+ echo -e \e[41m\e[5m\a\n\n\t***Warning IPSET Blocking is in Tracking ONLY mode!\n\e[0m

output from iptables -nvL INPUT
Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1227 54137 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set BlockedCountries src
    1    76 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set TorNodes src
   16  1785 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0
   10   354 logdrop    icmp --  ppp0   *       0.0.0.0/0            0.0.0.0/0            icmptype 8
  444 31354 SECURITY_PROTECT  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
  132  5480 SECURITY_PROTECT  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 23
1389K 1468M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
15500  901K logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
31908 3569K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            state NEW
 389K   88M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp !type 8
 1043 61463 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0

I did a ./IPSET_Block.sh init reset and the warning message went away.

Perhaps the script needed to be recycled/rebooted? I will repeat the steps on the others unless you have other things you would like me to try.

Regards, Xen
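The "Tracking ONLY mode" warning comes from the step visible at the end of the trace: HackerPorts.sh lists the INPUT chain and looks for a DROP rule that references the Blacklist set; if none is found, the set may still be collecting addresses but nothing is being dropped. The following is an added example, not code from HackerPorts.sh or IPSET_Block.sh, that performs the same enforcement check from a listing read on stdin (so it can be checked offline against the INPUT chain posted above) and reports the matching rule's packet counter. The sample listing is constructed from that post; `live_blocking_mode` is an assumed helper name.

```shell
#!/bin/sh
# Added example, not code from IPSET_Block.sh or HackerPorts.sh.
# HackerPorts.sh decides "Tracking ONLY mode" with
#   iptables -nvL INPUT | grep -E DROP.*Blacklist
# This helper makes the same decision from a listing read on stdin, so it
# can be tested offline, and reports the DROP rule's packet counter so you
# can see whether the rule is actually matching traffic.

# blocking_mode SETNAME  (iptables -nvL INPUT listing on stdin)
# Prints "enforcing <pkts>" when a DROP/logdrop rule references the set via
# "match-set SETNAME src", otherwise "tracking-only".
blocking_mode() {
    awk -v set="$1" '
        # column 3 is the target; the match-set text follows the addresses
        $3 ~ /^(DROP|logdrop)$/ && index($0, "match-set " set " src") {
            found = 1; pkts = $1
        }
        END { if (found) print "enforcing", pkts; else print "tracking-only" }'
}

# live_blocking_mode SETNAME (assumed helper): run the check against the
# running firewall. It first confirms the ipset exists, so the caller learns
# which half of the pair (the set or the rule) is missing.
live_blocking_mode() {
    if ! ipset list "$1" >/dev/null 2>&1; then
        echo "missing-set"
        return 1
    fi
    iptables -nvL INPUT | blocking_mode "$1"
}

# Constructed sample: the INPUT chain listing posted above (no Blacklist rule).
SAMPLE_INPUT='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1227 54137 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set BlockedCountries src
    1    76 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set TorNodes src
1389K 1468M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 1043 61463 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0'

for set in Blacklist BlockedCountries TorNodes; do
    printf '%-17s %s\n' "$set:" "$(printf '%s\n' "$SAMPLE_INPUT" | blocking_mode "$set")"
done
```

Matching on the full `match-set NAME src` text, rather than on the bare set name, keeps a tracking set whose name shares a prefix (BlacklistTRK) from being mistaken for the enforcing Blacklist rule.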
 
Anybody know where BlacklistTRK is supposed to be located? Can I add manually?
 
Hi @Martineau, I hope all is good.

All three routers are now displaying the following message when I run HackerPorts.sh:

***Warning IPSET Blocking is in Tracking ONLY mode!

This is a new message. Following is a snip from verbose output leading up to the message:

Code:
+ iptables -nvL INPUT
+ grep -E DROP.*Blacklist
+ [ -z  ]
+ echo -e \e[41m\e[5m\a\n\n\t***Warning IPSET Blocking is in Tracking ONLY mode!\n\e[0m



I did a ./IPSET_Block.sh init reset and the warning message went away.

Perhaps the script needed to be recycled/rebooted? I will repeat the steps on the others unless you have other things you would like me to try.

Regards, Xen

Sigh ....

As explained in https://www.snbforums.com/threads/h...t-martineau-version.38748/page-18#post-331132

which you marked as having read? The reason for the message is explained there.
 
Okay, I have egg on my face. Thanks for the reminder. Too many other things going on with a Windows 10 laptop issue and a Windows Server 2008 R2 issue I am trying to resolve that it got pushed aside to the area of the brain called the parking lot. o_O

Ahh good old Microsoft....Win 10 is still 'officially banned' on our work laptops!
 
Anybody know where BlacklistTRK is supposed to be located? Can I add manually?

Sigh....

Read the help then issue

Code:
./IPSET_Block.sh   init   reset   ipset

./IPSET_Block.sh   restore

./IPSET_Block.sh   nolog
 
@Martineau,

A nice to have feature on the report would be list the timestamp of the hack attempt. I looked at the ipset man page and don't see a timestamp option. Is this something you have looked into?
 
@Martineau,

A nice to have feature on the report would be list the timestamp of the hack attempt. I looked at the ipset man page and don't see a timestamp option. Is this something you have looked into?

When only using the BlacklistTRK IPSET for tracking (rather than the Syslog 'BLOCK IN=' messages), unfortunately there is no available timestamp, so this is the penalty/sacrifice for invisible tracking, i.e. a clean/uncluttered Syslog. :(

Basically as I schedule 'IPSET_Block.sh save' every hour, it will also call HackerPorts.sh to create HackerReport.txt so you may be able to deduce from HackerReport.txt in which hour the first attempt occurred.

With this limitation in mind, I have implemented (in v2.07) 'rrdtool' as an alternative to manually running HackerPorts.sh on the command line.

The graphical reporting of trends could be useful, with my current graph based on a 1 hour interval. (NOTE: the drop in the green line is when I rebooted yesterday and again earlier today - hence the Hits count was reset).

[Attached image: rrdtool graph of hits, 1 hour interval]


P.S. To be honest I'm not sure if knowing precisely when the hack attempt occurred is actually useful, apart from perhaps confirming that most hack attempts occur during your local 'night-time' hours? :eek:
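The reply above is right that ipset stores no timestamps, but the verbose trace earlier in the thread shows the script using the `timeout` option, and a set created with a default timeout does report each member's remaining lifetime. The difference between the set's default timeout and an entry's remaining value is the number of seconds since that entry was last added or refreshed, which gives a coarse "when" without touching Syslog. This is an added example, not part of IPSET_Block.sh; the `ipset list` output is constructed, the 86400 second default is assumed, and `live_entry_ages` is an assumed helper name.

```shell
#!/bin/sh
# Added example, not part of IPSET_Block.sh. ipset keeps no timestamps, but a
# set created with a default timeout reports each member's remaining lifetime,
# and (default timeout - remaining) is the number of seconds since that entry
# was last added or refreshed. Caveat: re-adding with "ipset add -exist" resets
# the counter, so this dates the most recent hit, not the first one, and the
# arithmetic is wrong for entries added with an explicit per-entry timeout.

# entry_ages  (ipset list SETNAME output on stdin)
# Prints "ADDR seconds_since_last_add" for every member carrying a timeout.
entry_ages() {
    awk '
        # the default timeout sits in the Header line: "... maxelem 65536 timeout 86400"
        $1 == "Header:" { for (i = 2; i < NF; i++) if ($i == "timeout") dflt = $(i + 1) }
        /^Members:/ { in_members = 1; next }
        in_members && $2 == "timeout" && dflt != "" { print $1, dflt - $3 }'
}

# live_entry_ages SETNAME (assumed helper): run against the router's own set,
# oldest (longest since last hit) entry first.
live_entry_ages() {
    ipset list "$1" | entry_ages | sort -k2 -n -r
}

# Constructed sample output of "ipset list Blacklist" for a set with a
# 24 hour (86400 s) default timeout; the addresses are documentation ranges.
SAMPLE_SET='Name: Blacklist
Type: hash:ip
Revision: 1
Header: family inet hashsize 1024 maxelem 65536 timeout 86400
Size in memory: 16592
References: 1
Members:
203.0.113.7 timeout 86100
198.51.100.23 timeout 43200
192.0.2.99 timeout 12'

# 203.0.113.7 was added about 5 minutes ago, 192.0.2.99 is about to expire
printf '%s\n' "$SAMPLE_SET" | entry_ages
```

Run hourly alongside the existing `IPSET_Block.sh save` cron entry, the ages line up with the hourly HackerReport.txt snapshots the reply mentions, so the two together narrow an attempt down to the hour even though neither holds a real timestamp.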
 
@Martineau !
I have a request.
When the "Summary blacklist:" runs on IPSET_Block, it has a green background and white letters.
I cannot see the white letters in the box. Is it possible to change the letters color from white to say black in that msg. box for visibility?
The red box with white letters shows up just fine!
Sorry! I should have stated that I do a "cat" of Hacker Report to see this.
 
@Martineau !
When the "Summary blacklist:" runs on IPSET_Block, it has a green background and white letters.
I cannot see the white letters in the box. Is it possible to change the letters color from white to say black in that msg. box for visibility?
The red box with white letters shows up just fine!
Sorry! I should have stated that I do a "cat" of Hacker Report to see this.

Try changing IPSET_Block.sh LINE 476
Code:
\e[42m$HITS Successful blocks!
change to
Code:
\e[30;48;5;82m$HITS Successful blocks!
If this garish choice isn't to your liking then you may pick one that suits:

see https://en.wikipedia.org/wiki/ANSI_escape_code

and if you scroll to the bottom of the article you will see the colours and their ANSI escape sequences.
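The suggested replacement `\e[30;48;5;82m` is two SGR parameters joined in one sequence: `30` selects black foreground from the classic set, and `48;5;82` selects entry 82 (bright green) of the 256-colour palette as background, which is what makes the text legible. The following is an added example, not code from IPSET_Block.sh, that builds such a sequence from its parts and also strips every SGR sequence, so a plain `cat` of HackerReport.txt (or a copy forwarded to a log collector) stays readable regardless of how the terminal renders colours. The sample line is constructed; the function names are assumed.

```shell
#!/bin/sh
# Added example, not from IPSET_Block.sh. Builds the "30;48;5;82" style SGR
# sequence from its parts and strips SGR sequences from report text.

ESC=$(printf '\033')

# sgr_fg_bg256 FG BG: FG is a classic SGR foreground code (30 = black,
# 37 = white, 97 = bright white), BG an index into the 256-colour palette
# (82 = bright green). Emits ESC[FG;48;5;BGm.
sgr_fg_bg256() { printf '%s[%s;48;5;%sm' "$ESC" "$1" "$2"; }

# sgr_reset: ESC[0m, the equivalent of the script's $cRESET
sgr_reset() { printf '%s[0m' "$ESC"; }

# ansi_strip: remove every ESC[...m sequence from stdin (POSIX sed, no \x1b)
ansi_strip() { sed "s/${ESC}\[[0-9;]*m//g"; }

# Constructed sample: the "Summary Blacklist" fragment as the script colours
# it (default foreground on the basic green background, ESC[42m = $cGRE_)
# and the black-on-bright-green variant suggested above.
HITS=5
OLD="$ESC[42m$HITS Successful blocks!$(sgr_reset)"
NEW="$(sgr_fg_bg256 30 82)$HITS Successful blocks!$(sgr_reset)"

printf '%s\n%s\n' "$OLD" "$NEW"        # coloured output for the terminal
printf '%s\n' "$NEW" | ansi_strip      # plain text: "5 Successful blocks!"
```

`ansi_strip` is the piece to reach for when the report is consumed by something other than a terminal: the escape bytes are harmless in a file, but they do pollute grep matches and log pipelines.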
 
Try changing IPSET_Block.sh LINE 476
Code:
\e[42m$HITS Successful blocks!
change to
Code:
\e[30;48;5;82m$HITS Successful blocks!
If this garish choice isn't to your liking then you may pick one that suits:

see https://en.wikipedia.org/wiki/ANSI_escape_code

and if you scroll to the bottom of the article you will see the colours and their ANSI escape sequences.
On line 476. I have NOLog=1
I can't locate the code you refer to.
 
On line 476. I have NOLog=1
I can't locate the code you refer to.

So which version of IPSET_Block.sh do you have?

Why not search in IPSET_Block.sh for the text
Code:
HITS Successful blocks
and replace the ANSI colour codes on that line? :rolleyes:
 
So which version of IPSET_Block.sh do you have?

Why not search in IPSET_Block.sh for the text
Code:
HITS Successful blocks
and replace the ANSI colour codes on that line? :rolleyes:
I'm on ver. 4.03. I found the HITS, but I really don't know what to change.
code reads:
TEXT=$cRESET"Summary Blacklist: $cGRE_${IHITS}+$FHITS Successful blocks!$cRESET ( $cRED_$OLDAMOUNT IPs currentl$
TEXT2="Summary Blacklist: $HITS Successful blocks! ( $OLDAMOUNT IPs currently banned - $DELTA $UP_DOWN $INTERVA$
 
I'm on ver. 4.03. I found the HITS, but I really don't know what to change.
code reads:
TEXT=$cRESET"Summary Blacklist: $cGRE_${IHITS}+$FHITS Successful blocks!$cRESET ( $cRED_$OLDAMOUNT IPs currentl$

Ah! :oops: OK, I forgot that you are one of the few using v4.xx (rather than v3.05), and I defined the routine AnsiColours to make it easier to see in the script which colours are in use rather than the cryptic ANSI escape sequences.

So for v4.03

Change in the line above

Code:
$cGRE_
(GREen background, rather than $cGRE GREen foreground text) to

Code:
\e[30;48;5;82m

P.S. Which terminal client are you using? PuTTY/Xshell5,MobaXterm etc?
 
Ah! :oops: OK, I forgot that you are one of the few using v4.xx (rather than v3.05), and I defined the routine AnsiColours to make it easier to see in the script which colours are in use rather than the cryptic ANSI escape sequences.

So for v4.03

Change in the line above

Code:
$cGRE_
(GREen background, rather than $cGRE GREen foreground text) to

Code:
\e[30;48;5;82m

P.S. Which terminal client are you using? PuTTY/Xshell5,MobaXterm etc?
I am using Putty.
I changed that code, but now Hacker Report doesn't show any boxes at all! Neither green nor red. None of them show up.
 
I am using Putty.
I changed that code, but now Hacker Report doesn't show any boxes at all! Neither green nor red. None of them show up.
I may not have made myself clear enough of what I wanted to do.
I only wanted to change the text color in the green box to say maybe black so it was more visible than the white lettering that was default for that box.
Thank you for the help you have given me though!
 
I may not have made myself clear enough of what I wanted to do.
I only wanted to change the text color in the green box to say maybe black so it was more visible than the white lettering that was default for that box.
Thank you for the help you have given me though!

I changed the line as follows:
Code:
TEXT=$cRESET"Summary Blacklist: \e[30;48;5;82m${IHITS}+$FHITS Successful blocks!$cRESET ( $cRED_$OLDAMOUNT IPs currently banned - $DELTA $UP_DOWN$cRESET $INTERVAL)"

and here is the before/after image. And given the text being blurred is irrelevant, it clearly shows the dramatic change from White-on-DarkGreen to Black-on-BrightGreen

[Attached image: before/after screenshot of the Summary Blacklist line]


I changed that code, but now Hacker Report doesn't show any boxes at all! Neither green nor red. None of them show up.

No idea what you actually typed or edited.

So as it is more worthwhile to teach someone than do it for them, I gave you the Wiki page to allow you to enter your desired colour for the text.
 
I changed the line as follows:
Code:
TEXT=$cRESET"Summary Blacklist: \e[30;48;5;82m${IHITS}+$FHITS Successful blocks!$cRESET ( $cRED_$OLDAMOUNT IPs currently banned - $DELTA $UP_DOWN$cRESET $INTERVAL)"

and here is the before/after image. And given the text being blurred is irrelevant, it clearly shows the dramatic change from White-on-DarkGreen to Black-on-BrightGreen

[Attached image: before/after screenshot of the Summary Blacklist line]



No idea what you actually typed or edited.

So as it is more worthwhile to teach someone than do it for them, I gave you the Wiki page to allow you to enter your desired colour for the text.
Thank you so much!
That is exactly what I was referring to.
 
Thank you so much!
That is exactly what I was referring to.
I changed the line as you suggested and it works fantastically!
Thank you so much!
I can now read the text in that green box.
God bless!
P.S. Script is working great. It flushes old IPs as they get old and the permanently banned ones are saved as well.
 
I changed the line as you suggested and it works fantastically!
I can now read the text in that green box.

No problem, although I'm not sure if there are subtle variations in the way that Xshell5 vs. PuTTY actually renders the colours on screen.
 