How to Dynamically Ban Malicious IP's using IPSet (Martineau version)

When I ran the "Grep" it produced the number 31303.
It is the 74k that my question is referring to.
<sigh>

What is the value reported by the iptables command output?
 
Did you run the other command as per the referenced post?
Code:
iptables --line -nvL INPUT | grep -E "set.*Blacklist|^num"
 
No! I didn't see it. Thanks Jack as usual.
Output of that is:
admin@RT-AC3100-0000:/jffs/scripts# iptables --line -nvL INPUT | grep -E "set.*Blacklist|^num"
num pkts bytes target prot opt in out source destination
9 37 2143 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set Blacklist src
admin@RT-AC3100-0000:/jffs/scripts#
I'm not sure how to interpret that though.
 
That's only showing 37 packets, hm, try
Code:
iptables --line -nvL FORWARD | grep -E "set.*Blacklist|^num"
 
admin@RT-AC3100-0000:/jffs/scripts# iptables --line -nvL FORWARD | grep -E "set.*Blacklist|^num"
num pkts bytes target prot opt in out source destination
56 0 0 XHits all -- eth0 * 0.0.0.0/0 0.0.0.0/0 match-set Blacklist src
admin@RT-AC3100-0000:/jffs/scripts#
 
Hm, that's not verifying either. Have you recently rebooted between the 71k figure and now?
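
For reading the listings above, here is an added example (not part of the thread or of Martineau's scripts) that pulls the pkts and bytes counters out of `iptables --line -nvL <CHAIN>` output for every rule matching a given ipset, expanding the K/M/G abbreviations that `-v` applies to large counters. The function names and the sample listing are constructed for illustration; only rule 9 is copied from the post above.

```shell
#!/bin/sh
# Added example: summarise hit counters for rules that reference an ipset.
# On the router: iptables --line -nvL INPUT | set_rule_hits Blacklist

# Print "num pkts bytes target" for each rule that matches set $1.
set_rule_hits() {
    awk -v set="$1" '
    # iptables -v abbreviates large counters with decimal K, M, G suffixes.
    function expand(v,    n, s) {
        s = substr(v, length(v))
        n = v + 0
        if (s == "K") return n * 1000
        if (s == "M") return n * 1000000
        if (s == "G") return n * 1000000000
        return n
    }
    # Rule lines start with the rule number; headers are skipped.
    $1 ~ /^[0-9]+$/ {
        for (i = 5; i < NF; i++)
            if ($i == "match-set" && $(i + 1) == set) {
                printf "%d %.0f %.0f %s\n", $1, expand($2), expand($3), $4
                break
            }
    }'
}

# Total packets over all matching rules; 0 means no rule for the set has
# fired (or no rule references the set in this chain at all).
set_total_pkts() {
    set_rule_hits "$1" | awk '{ t += $2 } END { printf "%.0f\n", t + 0 }'
}

# Constructed sample listing (rules 8 and 10 are made up for the example).
sample_output() {
cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
8      74K 4440K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
9       37  2143 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Blacklist src
10     12K  720K DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set Blacklist src
EOF
}
```

Expanded K/M/G values are rounded approximations; add `-x` to the `iptables` command to list exact counters instead.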
 
Hi
Thanks for your scripts!
I can find IPSET_Block v3.05 with HackerPorts v2.03, but apparently they are not the latest versions; I can't find v4.X with V2.06 or more. Can you provide links or update the first post?

Thanks
 
Hi All,

I have the Asus RT-AC87U with firmware 380.68_4.
Script version:
(IPSET_Block.sh): 20974 v3.04 © 2016-2017 Martineau, Dynamic IPSET Blacklist banning request.....

Name: Blacklist
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 604800
Size in memory: 4092
References: 0
Number of entries: 75
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
Syslog 'Block =' messages enabled


Summary Blacklist: 0 Successful blocks! ( 75 IPs currently banned - 0 added since: Oct 8 19:11 ), Entries auto-expire after 168:00:00 hrs

But it's writing nothing to my iptables; when I list them, it shows no banned IPs.

Do I need the new beta version to get it running?
 
Hi. Please, how can I add 162.x.0.0/16 range to whitelist? Thank you in advance.
Code:
nslookup: can't resolve '162.x.0.0/16'
 
Hi
You can set the whitelist once it's already started (with sh /jffs/scripts/IPSET_Block.sh init reset nolog, for example) with:
sh /jffs/scripts/IPSET_Block.sh unban 162.x.0.0/16 whitelist (just replace x with your value)
 
./IPSET_Block.sh init
(IPSET_Block.sh): 31870 v3.05 © 2016-2017 Martineau, Dynamic IPSET Blacklist banning request.....
(IPSET_Block.sh): 31870 IPSET restore from '/tmp/mnt/RouterDrive/IPSET/IPSET_Block.config' starting.....
ipset v6.32: The set with the given name does not exist
iptables v1.4.15: Set Blacklist doesn't exist.

Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.15: Set Blacklist doesn't exist.

Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.15: Set Blacklist doesn't exist.

Try `iptables -h' or 'iptables --help' for more information.
(IPSET_Block.sh): 31870 Dynamic IPSET Blacklist banning enabled.
ipset v6.32: The set with the given name does not exist
ipset v6.32: The set with the given name does not exist

Summary Blacklist: 0 Successful blocks! ( 0 IPs currently banned - 0 added )

(HackerPorts.sh): 32021 v2.03 Hacker Port attacks Report.....

***ERROR IPSET Blacklist does not exist! - Please run 'IPSET_Block.sh init'



Please help. I'm using v3.05 and v2.03 of HackerPorts. I could not find the latest version after going through everything in the threads.
 
Hi,

Please, do you know if HackerPorts works well with Cloudflare?

Thank you!
 
So I suggest you create it as /jffs/scripts/IPSET_Block.sh, and as per the help info documented in the script, you will need to update firewall-start and init-start accordingly.

I followed these steps:
Create the ipset_block.sh.
"chmod +x" the script.
Edit the firewall-start, adding this line:
"sh /jffs/scripts/firewall start hackerports=/jffs/scripts/ipset_block.sh #hackerports" (Underneath the Skynet line)

Edit the init-start, adding this line:
"/jffs/scripts/ipset_block.sh init-start"

Then executed init-start: "sh init-start".


Now, this resulted in the following to appear:
(ipset_block.sh): 23088 v3.05 © 2016-2017 Martineau, Dynamic IPSET Blacklist banning request.....
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
Syslog 'Block =' messages enabled
ipset v6.32: The set with the given name does not exist
ipset v6.32: The set with the given name does not exist
Summary Blacklist: 0 Successful blocks! ( 0 IPs currently banned - 0 added )

I assume I missed something?
I'm running Merlin 384.8_2, with Skynet, Stubby and Diversion, on an RT-AC5300.

Thanks in advance!
 
Skynet supersedes a lot of this script - you don't need both.
 
I thought so, but I'm not sure if Skynet starts blocking IPs (be it for a week) when they start making attempts at accessing multiple ports.
 
I'm not sure on the ins and outs - I think it used to, but it was discontinued as it caused more problems than it solved. @Adamm would be the one to ask :)
 
