Malware Filter / bad host IPSET

Discussion in 'Asuswrt-Merlin' started by kobejo34, Oct 27, 2016.

  1. spalife

    spalife Regular Contributor

    Joined:
    Jun 20, 2015
    Messages:
    95
    Another alternative

    Code:
    #WAN Down Values...
    noLnk="0.0.0.0"

    #Get values from NVRAM
    ipAddr="$(nvram get wan0_ipaddr)"
    lnkWan="$(nvram get link_internet)"

    # Quote the values and use POSIX "=" so this also works in a plain /bin/sh
    if [ "$ipAddr" = "$noLnk" ] || [ "$lnkWan" = "0" ]
    then
      echo "Network Down"
    fi
     
  2. swetoast

    swetoast Very Senior Member

    Joined:
    Apr 12, 2016
    Messages:
    527
    I'm probably not gonna rely on nvram for future revisions since it's so bound to Asuswrt and I want it to be more generic, so I'm gonna keep on figuring out a way for it to work out of the box for all types.
     
  3. swetoast

    swetoast Very Senior Member

    Joined:
    Apr 12, 2016
    Messages:
    527
    So I scrapped the nvram solution so that other distros can use this script. So far the script is only in my git; as always it's a test version for anyone brave enough to try.
     
    visortgw likes this.
  4. visortgw

    visortgw Regular Contributor

    Joined:
    Jun 18, 2015
    Messages:
    116
    This works for me on two ARM and one MIPS routers (all ASUS) running Merlin firmware.
     
  5. elorimer

    elorimer Senior Member

    Joined:
    Dec 16, 2013
    Messages:
    226
    No idea what you are trying to do, but is it not possible to use ping in a bash script? Why not do the same ping wanduck is doing to that Microsoft NCSI address?

    Code:
    RESULT="1"
    # options before the host so BusyBox ping accepts them too
    PING=$(ping -c 1 www.msftncsi.com | grep -E -o '[0-9]+ received' | cut -f1 -d' ')
    if [ "$RESULT" != "$PING" ]
    then
       : # DO SOMETHING (no reply received, WAN is down)
    else
       : # DO SOMETHING (reply received, WAN is up)
    fi
     
  6. redhat27

    redhat27 Regular Contributor

    Joined:
    Jul 29, 2016
    Messages:
    97
    I believe he has already taken that approach in his git repo
     
  7. visortgw

    visortgw Regular Contributor

    Joined:
    Jun 18, 2015
    Messages:
    116
    But definitely not to that host as many people block it...
     
  8. swetoast

    swetoast Very Senior Member

    Joined:
    Apr 12, 2016
    Messages:
    527
    The only reason the online check is in the script is that if your WAN connection is down it doesn't run and remove the lists. I had serious downtime a while back and noticed that malware-filter spammed the syslog with empty results, and that's why I included the online check, since it's on a cron job and not running from wan_start.

    In any case, "happy beerday since it's Friday ;)"
     
    visortgw likes this.
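The WAN check the posts above go back and forth on, as an added example that is not from the thread or the malware-filter script: it needs neither nvram (Asuswrt-only) nor one particular host that people block, and it leaves the ipset alone when offline so an outage never replaces it with empty results. The host list, the `PING` override and the `refresh_if_online` wrapper are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or the malware-filter script:
# a WAN check that needs neither NVRAM (Asuswrt-only) nor one particular
# host, since sites like www.msftncsi.com are blocked by many people.
# The host list is an assumption; PING can be overridden for testing.

PING=${PING:-ping}
CHECK_HOSTS=${CHECK_HOSTS:-"google.com cloudflare.com 1.1.1.1"}

# Returns 0 as soon as one host answers a single echo request, 1 if none do.
# -c 1 sends one probe, -W 3 caps the wait at 3 seconds per host so a dead
# link cannot stall the cron job (BusyBox and iputils ping both accept -W).
check_online () {
  for host in $CHECK_HOSTS; do
    if $PING -q -c 1 -W 3 "$host" >/dev/null 2>&1; then
      return 0
    fi
  done
  return 1
}

# What the cron job does with the result: refresh only when online, so an
# outage never ends up swapping an empty set into the firewall.
refresh_if_online () {
  if check_online; then
    # get_list and run_ipset from the script would be called here
    echo "online"
    return 0
  fi
  logger -t malware-filter "WAN appears down, leaving ipset untouched" 2>/dev/null || :
  echo "offline"
  return 1
}
```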
  9. Xentrk

    Xentrk Senior Member

    Joined:
    Jul 21, 2016
    Messages:
    224
    Location:
    Chiang Mai, Thailand
    Updated malware-block to use revised check_online function and can confirm it works on DD-WRT and ASUS Merlin.
     
  10. elorimer

    elorimer Senior Member

    Joined:
    Dec 16, 2013
    Messages:
    226
    Ah, thanks. Didn't see your post.
     
  11. swetoast

    swetoast Very Senior Member

    Joined:
    Apr 12, 2016
    Messages:
    527
    Kewl, will update tomorrow once I'm sober :D haha, don't let this deter anyone from trying my stuff :D
     
  12. swetoast

    swetoast Very Senior Member

    Joined:
    Apr 12, 2016
    Messages:
    527
    Here is the update as promised :)

    Code:
    #!/bin/sh
    # Author: Toast
    # Contributors: Octopus, Tomsk, Neurophile, jimf, spalife, visortgw, Cedarhillguy, redhat27
    # Testers: shooter40sw
    # Supporters: lesandie
    # Revision 19
    
    blocklist=/jffs/malware-filter.list                     # Set your path here
    retries=3                                               # Set number of tries here
    regexp='\b([0-9]{1,3}\.){3}[0-9]{1,3}\b'                # Dont change this value (single quotes: echo would eat the \b)
    
    # ipset v4 and v6 use different command syntax and kernel modules
    case $(ipset -v | grep -o "v[46]") in
      v6)
        MATCH_SET='--match-set'; CREATE='create'; ADD='add'; SWAP='swap'; IPHASH='hash:ip'; NETHASH='hash:net family inet'; FLUSH='flush'; DESTROY='destroy'
        lsmod | grep -q "xt_set" || \
        for module in ip_set ip_set_nethash ip_set_iphash xt_set; do
          insmod $module
        done;;
      v4)
        MATCH_SET='--set'; CREATE='--create'; ADD='--add'; SWAP='--swap'; IPHASH='iphash'; NETHASH='nethash'; FLUSH='--flush'; DESTROY='--destroy'
        lsmod | grep -q "ipt_set" || \
        for module in ip_set ip_set_nethash ip_set_iphash ipt_set; do
          insmod $module
        done;;
      *) echo "unsupported version"; exit 1 ;;
    esac
    
    # Only refresh when the WAN is up; an outage would otherwise replace the set with empty results
    check_online () {
      ping -q -c 1 google.com >/dev/null 2>&1 && get_list || exit 1
    }
    
    # Fetch the list of blocklist sources on first run, then the sources themselves
    get_list () {
      url=https://gitlab.com/swe_toast/malware-filter/raw/master/malware-filter.list
      [ -f "$blocklist" ] || wget "$url" -O "$blocklist"
      get_source
    }
    
    # Download every source, drop private ranges, keep unique IPv4 addresses
    get_source () {
      wget -q --tries="$retries" --show-progress -i "$blocklist" -O /tmp/malware-filter-raw.part
      awk '!/(^127\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)/' /tmp/malware-filter-raw.part > /tmp/malware-filter-presort.part
      grep -oE "$regexp" /tmp/malware-filter-presort.part | sort -u > /tmp/malware-filter-sorted.part
    }
    
    # Load the sorted addresses into the named set; GNU xargs from Entware does it in parallel
    fill_set () {
      if [ -x /opt/bin/xargs ]; then
        /opt/bin/xargs -P10 -I "PARAM" -n1 -a /tmp/malware-filter-sorted.part nice -n 2 ipset $ADD "$1" PARAM
      else
        xargs -I {} ipset $ADD "$1" {} < /tmp/malware-filter-sorted.part
      fi
    }
    
    run_ipset () {
      echo "adding ipset rule to firewall this will take time."
      if ! ipset -L malware-filter >/dev/null 2>&1; then
        # First run: create and fill the live set directly
        nice -n 2 ipset $CREATE malware-filter $IPHASH
        fill_set malware-filter
      else
        # Later runs: build a fresh set and swap it in so the live set stays loaded.
        # Destroy any malware-update left behind by an interrupted run first,
        # otherwise every address reports "is already in set"
        ipset $DESTROY malware-update >/dev/null 2>&1
        nice -n 2 ipset $CREATE malware-update $IPHASH
        fill_set malware-update
        nice -n 2 ipset $SWAP malware-update malware-filter
        nice -n 2 ipset $DESTROY malware-update
      fi
      # (Re)insert the rule at the top of FORWARD so it is evaluated first
      if iptables -n -L | grep -q malware-filter; then
        nice -n 2 iptables -D FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
      fi
      nice -n 2 iptables -I FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
    }
    
    cleanup () {
      # ipset -L prints header lines before the members, so subtract them from the count
      logger -s -t system "Malware Filter loaded $(ipset -L malware-filter | wc -l | awk '{print $1-7}') unique ip addresses."
      find /tmp -name 'malware-filter-*.part' -exec rm {} +
    }
    
    check_online
    run_ipset
    cleanup
    
    exit $?
     
    Xentrk and shooter40sw like this.
  13. shooter40sw

    shooter40sw Senior Member

    Joined:
    Mar 3, 2013
    Messages:
    222
    Hi, I tested this one, and the difference between this and version 17 is that now I get this printed on the SSH screen:
    Code:
    ipset v4.5: 181.214.63.133 is already in set malware-update.
    ipset v4.5: 181.215.113.46 is already in set malware-update.
    ipset v4.5: 181.215.244.14 is already in set malware-update.
    system: Malware Filter loaded 37930 unique ip addresses.
    and I suppose that it does it the 37930 times. The script works.
     
  14. swetoast

    swetoast Very Senior Member

    Joined:
    Apr 12, 2016
    Messages:
    527
    Must have been interrupted when it ran before, but it's not a problem since it tries again then swaps the rules.
     
    shooter40sw likes this.
  15. florid

    florid Occasional Visitor

    Joined:
    Jan 15, 2017
    Messages:
    21
    I do not agree with this suggestion. As this is for blocking known bad, why do we need to use REJECT to actively respond to all malicious requests? REJECT only increases the router load and potentially allows more malicious requests.
    In company firewall configuration, it is common sense to use the DROP action instead of REJECT.
    This is not like the M$ privacy filter, where a timeout will be a concern for web page loading. As a malware filter, it is more IP based, not URL based. A timeout is not usually observed by normal users. It's time to check your system security if you see a long waiting time loading a suspicious website.
     
  16. swetoast

    swetoast Very Senior Member

    Joined:
    Apr 12, 2016
    Messages:
    527
    Well, that's easily changed; I can make a simple value for it in the settings. Does that sound better?
     
  17. florid

    florid Occasional Visitor

    Joined:
    Jan 15, 2017
    Messages:
    21
    If there's an option to choose REJECT or DROP, it will suit everyone.

    BTW, are these the three lines to change REJECT to DROP if I want to modify it myself? I am not a script person, only working in infosec.
    Code:
    nice -n 2 iptables -I FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
    else
       nice -n 2 iptables -D FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
       nice -n 2 iptables -I FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
     
  18. shooter40sw

    shooter40sw Senior Member

    Joined:
    Mar 3, 2013
    Messages:
    222
    Hi @swetoast, a question: apart from the discussion of whether REJECT or DROP is the correct option (maybe DROP is the correct one)... I'm looking at the command iptables -L -v -n and I'm looking at rejected inputs...

    Code:
     pkts bytes target     prot opt in     out     source               destination
        5   915 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           set malware-filter src,dst reject-with icmp-port-unreachable
    7865K 2324M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    
    So great, it's working... is there a command that I can execute that can tell me what source IP address the rejected packet is from? I want to know if this is coming from an internal IP or external.

    regards, great scripts!
     
  19. swetoast

    swetoast Very Senior Member

    Joined:
    Apr 12, 2016
    Messages:
    527
    @florid the next revision will have it, and yes, those are the 3 lines, or you could grab a new version from my git.
    @shooter40sw yes, you have to create an additional rule that logs rejected packets.
     
    Last edited: Mar 20, 2017
    shooter40sw likes this.
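As an added example that is not from the thread or swetoast's git, here is what the REJECT/DROP option florid asked for and the logging rule swetoast mentions could look like, plus a small parser that answers shooter40sw's internal-vs-external question from the resulting syslog lines. `FILTER_ACTION`, `LOG_PREFIX`, the helper names and the sample log lines are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the malware-filter script: a switchable
# REJECT/DROP action, a rate-limited LOG rule ahead of it, and a helper that
# tells LAN sources from WAN sources in the resulting syslog lines.
# FILTER_ACTION, LOG_PREFIX and the sample log lines are assumptions.

FILTER_ACTION=${FILTER_ACTION:-DROP}          # DROP is silent; REJECT answers with ICMP
LOG_PREFIX="MALWARE-FILTER: "
MATCH_SET=${MATCH_SET:-"--match-set"}         # ipset v6 syntax; v4 uses --set

# Prints the iptables commands rather than running them, so they can be
# reviewed (or piped to sh) and tested without root. Both use -I, so the
# LOG rule inserted last lands above the terminating rule and sees every hit.
build_rules () {
  set_name=${1:-malware-filter}
  echo "iptables -I FORWARD -m set $MATCH_SET $set_name src,dst -j $FILTER_ACTION"
  echo "iptables -I FORWARD -m set $MATCH_SET $set_name src,dst -m limit --limit 6/min --limit-burst 10 -j LOG --log-prefix \"$LOG_PREFIX\" --log-level 4"
}

# Pulls the SRC= field out of one kernel LOG line.
src_of () {
  printf '%s\n' "$1" | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p'
}

# Same RFC 1918 ranges the script's awk filter strips; prints lan or wan.
classify () {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) echo lan ;;
    *) echo wan ;;
  esac
}

# Reads syslog on stdin and prints "<src> lan|wan" for every logged hit.
report () {
  grep "$LOG_PREFIX" | while IFS= read -r line; do
    src=$(src_of "$line")
    echo "$src $(classify "$src")"
  done
}

# Constructed sample in the format the LOG target writes (documentation addresses).
SAMPLE_LOG='Mar 20 10:01:02 router kernel: MALWARE-FILTER: IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.9 PROTO=TCP DPT=443
Mar 20 10:01:05 router kernel: MALWARE-FILTER: IN=eth0 OUT=br0 SRC=198.51.100.7 DST=192.168.1.50 PROTO=TCP DPT=8080'

# Usage on the router: build_rules | sh   (as root)   and   report < /tmp/syslog.log
printf '%s\n' "$SAMPLE_LOG" | report
```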
  20. octopus

    octopus Very Senior Member

    Joined:
    Jul 17, 2012
    Messages:
    806
    Everyone can do what they want with their skills and experience. Feel free to do what suits the individual.
     
    Xentrk and swetoast like this.
