Malware Filter / bad host IPSET

@sobored04 why is that script introduced to this thread?

Updated the wiki with the latest revision and updated instructions.
Hi @swetoast for me it gives me the same error on the mips, thanks

Code:
/opt/var/cache/malware-filter/malware- 100%[=============================================================================>] 294.76K  84.4KB/s   in 3.5s
/opt/var/cache/malware-filter/malware- 100%[=============================================================================>]   7.34K  46.7KB/s   in 0.2s
Bad argument `family'
Try `ipset -H' or 'ipset --help' for more information.
ipset v4.5: Couldn't load settype `1.160.42.198':File not found

Try `ipset -H' or 'ipset --help' for more information.
ipset v4.5: Couldn't load settype `1.160.43.75':File not found
 
I am looking at the updated instructions on the wiki and it seems /opt/ does not exist for me. I have a symbolic link to tmp/opt, but in reality where it points to does not exist. Is /opt/ a folder I should manually create, or should I just point the script to a different location?
 
Check on how to install Entware, or just replace the path with a path of your choosing. It doesn't have to be /opt, it could be whatever you want.
 
Could be the same issue as in this thread here ... maxelem not supported
http://www.snbforums.com/threads/iphash-maxelem-not-supported-in-ipset-v4-5.35076/
 
Please stick to the topic. This thread is about the malware script; if you want to discuss other scripts, start a separate thread. Don't threadjack!
 
I'm gonna add it as soon as more people test it and confirm that it's working for them, with a new description telling users not to add it to firewall-start unless they wanna wait 5 min when they reboot. It's better to have it as a service with cru in services-start.

add the script to /opt/bin/malware-block

then type this

nano /jffs/scripts/services-start

and append

cru a malware-filter ""0 */12 * * */opt/bin/malware-block"

save it
I just ran the cru command as posted above but got an error about an unexpected string. I replaced the double ""0 with "0 and it worked. Correction below.
Code:
cru a malware-filter "0 */12 * * */opt/bin/malware-block"
 
Changes for mips, please try @shooter40sw. Tnx for the guidance @tomsk

Code:
#!/bin/sh
# Original script by swetoast. Updates by Neurophile & Octopus.
# Revision 3

path=/opt/var/cache/malware-filter                               # Set your path here
regexp=`echo "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"`         # Don't change this value

ipset -v | grep -i "v4" > /dev/null 2>&1

if [ $? -eq 0 ]; then
     ipsetv=4
     lsmod | grep "ipt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_nethash ip_set_iphash ipt_set
     do
          insmod $module
     done
else
     ipsetv=6
     lsmod | grep "xt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
     do
          insmod $module
     done
fi

case $(uname -m) in
armv7l)
    MATCH_SET='--match-set'                 # Value for ARM Routers
    HASH='hash:ip'
    SYNTAX='add'
    SWAPPED='swap'
    DESTROYED='destroy'
    OPTIONAL='family inet hashsize 2048 maxelem 65536'
;;
mips)
    MATCH_SET='--set'                             # Value for Mips Routers
    HASH='iphash'
    SYNTAX='-q -A'
    SWAPPED='-W'
    DESTROYED='−X'
;;
*)
    MATCH_SET='--match-set'                 # Value for Wildcard Routers
    HASH='hash:ip'
    SYNTAX='add'
    SWAPPED='swap'
    DESTROYED='destroy'
    OPTIONAL='family inet hashsize 2048 maxelem 65536'
;;
esac

get_list () {
        mkdir -p $path
        wget -q --show-progress -i $path/malware-filter.list -O $path/malware-list.pre
        cat $path/malware-list.pre | grep -oE "$regexp" | sort -u >$path/malware-filter.txt
 }

run_ipset () {

get_list

ipset -L malware-filter >/dev/null 2>&1
if [ $? -ne 0 ]; then
    if [ "$(ipset --swap malware-filter malware-filter 2>&1 | grep -E 'Unknown set|The set with the given name does not exist')" != "" ]; then
    path=/opt/var/cache/malware-filter
    ipset -N malware-filter $HASH $OPTIONAL
    for i in `cat $path/malware-filter.txt`; do ipset $SYNTAX malware-filter $i ; done
fi
else
    path=/opt/var/cache/malware-filter
    ipset -N malware-update $HASH $OPTIONAL
    for i in `cat $path/malware-filter.txt`; do ipset $SYNTAX malware-update $i ; done
    ipset $SWAPPED malware-update malware-filter
    ipset $DESTROYED malware-update
fi


# Delete the old rule only when it is already present (with || the delete ran only when
# the rule was absent, so every run stacked a duplicate rule), then (re)insert it
iptables-save | grep malware-filter > /dev/null 2>&1 && \
iptables -D FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
iptables -I FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
}

run_ipset
exit $?
 
Hi! @swetoast unfortunately it does not work

Code:
/opt/var/cache/malware-filter/malware-lis 100%[======================================================================================>] 293.48K   258KB/s   in 1.1s
/opt/var/cache/malware-filter/malware-lis 100%[======================================================================================>]   8.02K  --.-KB/s   in 0.1s
ipset v4.5: Couldn't load settype `1.160.42.198':File not found

Try `ipset -H' or 'ipset --help' for more information.
ipset v4.5: Couldn't load settype `1.160.43.75':File not found

Try `ipset -H' or 'ipset --help' for more information.
ipset v4.5: Couldn't load settype `1.161.165.231':File not found



Changes for mips, please try @shooter40sw

Code:
#!/bin/sh
# Original script by swetoast. Updates by Neurophile & Octopus.
# Revision 3

path=/opt/var/cache/malware-filter                               # Set your path here
regexp=`echo "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"`         # Don't change this value

ipset -v | grep -i "v4" > /dev/null 2>&1

if [ $? -eq 0 ]; then
     ipsetv=4
     lsmod | grep "ipt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_nethash ip_set_iphash ipt_set
     do
          insmod $module
     done
else
     ipsetv=6
     lsmod | grep "xt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
     do
          insmod $module
     done
fi

case $(uname -m) in
armv7l)
    MATCH_SET='--match-set'                 # Value for ARM Routers
    HASH='hash:ip'
    SYNTAX='add'
    SWAPPED='swap'
    DESTROYED='destroy'
    OPTIONAL='family inet hashsize 2048 maxelem 65536'
;;
mips)
    MATCH_SET='--set'                             # Value for Mips Routers
    HASH='iphash'
    SYNTAX='-N'
    SWAPPED='-W'
    DESTROYED='−X'
;;
*)
    MATCH_SET='--match-set'                 # Value for Wildcard Routers
    HASH='hash:ip'
    SYNTAX='add'
    SWAPPED='swap'
    DESTROYED='destroy'
    OPTIONAL='family inet hashsize 2048 maxelem 65536'
;;
esac

get_list () {
        mkdir -p $path
        wget -q --show-progress -i $path/malware-filter.list -O $path/malware-list.pre
        cat $path/malware-list.pre | grep -oE "$regexp" | sort -u >$path/malware-filter.txt
 }

run_ipset () {

get_list

ipset -L malware-filter >/dev/null 2>&1
if [ $? -ne 0 ]; then
    if [ "$(ipset --swap malware-filter malware-filter 2>&1 | grep -E 'Unknown set|The set with the given name does not exist')" != "" ]; then
    path=/opt/var/cache/malware-filter
    ipset -N malware-filter $HASH $OPTIONAL
    for i in `cat $path/malware-filter.txt`; do ipset $SYNTAX malware-filter $i ; done
fi
else
    path=/opt/var/cache/malware-filter
    ipset -N malware-update $HASH $OPTIONAL
    for i in `cat $path/malware-filter.txt`; do ipset $SYNTAX malware-update $i ; done
    ipset $SWAPPED malware-update malware-filter
    ipset $DESTROYED malware-update
fi


# Delete the old rule only when it is already present (with || the delete ran only when
# the rule was absent, so every run stacked a duplicate rule), then (re)insert it
iptables-save | grep malware-filter > /dev/null 2>&1 && \
iptables -D FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
iptables -I FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
}

run_ipset
exit $?
 
Try again with the script above, I made changes.

Looking at it, it seems that it failed when it adds the IPs to the actual set:
Code:
for i in `cat $path/malware-filter.txt`; do ipset $SYNTAX malware-update $i ; done

so I changed the syntax, it should work now :)
 

I think it's almost done. There is an error at the end but it does fill the ipset; it finishes in approx. 5 minutes at 100% CPU. It says bad argument -X


Code:
/opt/var/cache/malware-filter/malware-list. 100%[=============================================================================================>] 296.25K   261KB/s   in 1.1s
/opt/var/cache/malware-filter/malware-list. 100%[=============================================================================================>]   8.02K  --.-KB/s   in 0.1s
Bad argument `−X'
Try `ipset -H' or 'ipset --help' for more information.


Code:
are/var/cache/malware-filter# ipset -L
Name: malware-filter
Type: iphash
References: 2
Header: hashsize: 132859 probes: 8 resize: 50
Members:
180.168.43.142
220.117.24.14
118.34.198.225
114.34.236.41

Code:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           set malware-filter src,dst reject-with icmp-port-unreachable
 
OK, so it has an issue with destroying old rules. At least it loaded the list, that's good news. Yep, 5 min seems about right on an older model; gonna put nice on it to make it less of a strain on the router
 
Code:
#!/bin/sh
# Original script by swetoast. Updates by Neurophile & Octopus.
# Revision 3

path=/opt/var/cache/malware-filter                               # Set your path here
regexp=`echo "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"`         # Don't change this value

ipset -v | grep -i "v4" > /dev/null 2>&1

if [ $? -eq 0 ]; then
     ipsetv=4
     lsmod | grep "ipt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_nethash ip_set_iphash ipt_set
     do
          insmod $module
     done
else
     ipsetv=6
     lsmod | grep "xt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
     do
          insmod $module
     done
fi

case $(uname -m) in
armv7l)
    MATCH_SET='--match-set'                 # Value for ARM Routers
    HASH='hash:ip'
    SYNTAX='add'
    SWAPPED='swap'
    DESTROYED='destroy'
    OPTIONAL='family inet hashsize 2048 maxelem 65536'
;;
mips)
    MATCH_SET='--set'                             # Value for Mips Routers
    HASH='iphash'
    SYNTAX='-q -A'
    SWAPPED='-W'
    DESTROYED='--destroy'
;;
*)
    MATCH_SET='--match-set'                 # Value for Wildcard Routers
    HASH='hash:ip'
    SYNTAX='add'
    SWAPPED='swap'
    DESTROYED='destroy'
    OPTIONAL='family inet hashsize 2048 maxelem 65536'
;;
esac

get_list () {
        mkdir -p $path
        wget -q --show-progress -i $path/malware-filter.list -O $path/malware-list.pre
        cat $path/malware-list.pre | grep -oE "$regexp" | sort -u >$path/malware-filter.txt
 }

run_ipset () {

get_list

ipset -L malware-filter >/dev/null 2>&1
if [ $? -ne 0 ]; then
    if [ "$(ipset --swap malware-filter malware-filter 2>&1 | grep -E 'Unknown set|The set with the given name does not exist')" != "" ]; then
    path=/opt/var/cache/malware-filter
    ipset -N malware-filter $HASH $OPTIONAL
    for i in `cat $path/malware-filter.txt`; do nice -n 12 ipset $SYNTAX malware-filter $i ; done
fi
else
    path=/opt/var/cache/malware-filter
    ipset -N malware-update $HASH $OPTIONAL
    for i in `cat $path/malware-filter.txt`; do ipset $SYNTAX malware-update $i ; done
    ipset $SWAPPED malware-update malware-filter
    ipset $DESTROYED malware-update
fi


# Delete the old rule only when it is already present (with || the delete ran only when
# the rule was absent, so every run stacked a duplicate rule), then (re)insert it
iptables-save | grep malware-filter > /dev/null 2>&1 && \
iptables -D FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
iptables -I FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
}

run_ipset
exit $?
 
Something went wrong with this one

Code:
opt/var/cache/malware-filter/malware-list.pre    100%[============================================================================================================>] 296.25K   260KB/s   in 1.1s
/opt/var/cache/malware-filter/malware-list.pre    100%[============================================================================================================>]   8.02K  --.-KB/s   in 0.1s
ipset v4.5: Set already exists
ipset v4.5: Couldn't load settype `1.160.42.198':File not found

Try `ipset -H' or 'ipset --help' for more information.
ipset v4.5: Couldn't load settype `1.160.43.75':File not found

Code:
#!/bin/sh
# Original script by swetoast. Updates by Neurophile & Octopus.
# Revision 4

path=/opt/var/cache/malware-filter                               # Set your path here
regexp=`echo "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"`         # Don't change this value

ipset -v | grep -i "v4" > /dev/null 2>&1

if [ $? -eq 0 ]; then
     ipsetv=4
     lsmod | grep "ipt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_nethash ip_set_iphash ipt_set
     do
          insmod $module
     done
else
     ipsetv=6
     lsmod | grep "xt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
     do
          insmod $module
     done
fi

case $(uname -m) in
armv7l)
    MATCH_SET='--match-set'                 # Value for ARM Routers
    HASH='hash:ip'
    SYNTAX='add'
    SWAPPED='swap'
    DESTROYED='destroy'
    OPTIONAL='family inet hashsize 2048 maxelem 65536'
;;
mips)
    MATCH_SET='--set'                             # Value for Mips Routers
    HASH='iphash'
    SYNTAX='-q -A'
    SWAPPED='-W'
    DESTROYED='--destroy'
;;
*)
    MATCH_SET='--match-set'                 # Value for Wildcard Routers
    HASH='hash:ip'
    SYNTAX='add'
    SWAPPED='swap'
    DESTROYED='destroy'
    OPTIONAL='family inet hashsize 2048 maxelem 65536'
;;
esac

get_list () {
        mkdir -p $path
        wget -q --show-progress -i $path/malware-filter.list -O $path/malware-list.pre
        cat $path/malware-list.pre | grep -oE "$regexp" | sort -u >$path/malware-filter.txt
 }

run_ipset () {

get_list

ipset -L malware-filter >/dev/null 2>&1
if [ $? -ne 0 ]; then
    if [ "$(ipset --swap malware-filter malware-filter 2>&1 | grep -E 'Unknown set|The set with the given name does not exist')" != "" ]; then
    path=/opt/var/cache/malware-filter
    ipset -N malware-filter $HASH $OPTIONAL
    for i in `cat $path/malware-filter.txt`; do ipset $SYNTAX malware-filter $i ; done
fi
else
    path=/opt/var/cache/malware-filter
    ipset -N malware-update $HASH $OPTIONAL
    for i in `cat $path/malware-filter.txt`; do ipset $SYNTAX malware-update $i ; done
    ipset $SWAPPED malware-update malware-filter
    ipset $DESTROYED malware-update
fi


# Delete the old rule only when it is already present (with || the delete ran only when
# the rule was absent, so every run stacked a duplicate rule), then (re)insert it
iptables-save | grep malware-filter > /dev/null 2>&1 && \
iptables -D FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
iptables -I FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
}

run_ipset
exit $?
 
Sorry, missed the syntax again, had too many windows up. Try again :) I updated the script with the correct syntax "SYNTAX='-q -A'" and added nice to the process, so it might take a bit longer to complete but with less strain on the CPU
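As an added example (not the thread's script and not swetoast's code), here is the get_list extraction step with the check a practitioner would want before the addresses reach the ipset: the thread's regexp accepts any four 1-3 digit groups, so an impossible octet, an address quoted in a feed comment, or a stray 192.168.x.x entry would all be loaded, and a private address in a REJECT rule on FORWARD blocks your own LAN. The function names and the sample feed are mine and constructed for the example.

```shell
#!/bin/sh
# Added example, not the thread's script: validate what get_list feeds into ipset.

# Write a small constructed sample feed (not a real blocklist) to the file named in $1.
write_sample_feed() {
    cat > "$1" <<'EOF'
# constructed sample feed for this example
203.0.113.5      # seen again below, must be emitted once
198.51.100.77
999.1.2.3        # impossible octet, must be dropped
192.168.1.20     # RFC1918, would block the LAN, must be dropped
203.0.113.5
# note: host 10.0.0.1 mentioned in a comment must not be blocked
EOF
}

# Print the valid, globally routable IPv4 addresses found in $1, sorted and unique.
# Same grep as the thread's get_list, followed by an awk pass that rejects octets
# above 255 and the address ranges a router must never REJECT in FORWARD.
extract_ips() {
    grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' "$1" |
    awk -F. '
        $1 > 255 || $2 > 255 || $3 > 255 || $4 > 255 { next }  # not an IPv4 address
        $1 == 0 || $1 == 127                         { next }  # "this" network, loopback
        $1 == 10                                     { next }  # RFC1918 10/8
        $1 == 172 && $2 >= 16 && $2 <= 31            { next }  # RFC1918 172.16/12
        $1 == 192 && $2 == 168                       { next }  # RFC1918 192.168/16
        $1 == 169 && $2 == 254                       { next }  # link-local
        $1 >= 224                                    { next }  # multicast and reserved
        { print }
    ' | sort -u
}

# Number of addresses extract_ips keeps from the file named in $1.
count_ips() {
    extract_ips "$1" | wc -l | tr -d ' '
}

# Demo run: this is what malware-filter.txt would contain before the ipset add loop.
feed=$(mktemp)
write_sample_feed "$feed"
extract_ips "$feed"
rm -f "$feed"
```

The awk filter is deliberately short; extend it with any other ranges your router must reach (for example a VPN transit network) before using the output in a firewall set.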
 

No worries! Thanks for the help and patience!
I rebooted the router and got an error while running the script again; it stayed at 100% CPU for 5 min regardless of the nice command

Code:
p/mnt/sda1/entware/var/cache/malware-filter# ./blockip.sh
insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/netfilter/ip_set.ko': File exists
/opt/var/cache/malware-filter/malware 100%[==========================================================================>] 159.99K  9.40KB/s   in 17s
/opt/var/cache/malware-filter/malware     [ <=>                                                                       ]   2.34K  --.-KB/s   in 0.005s
/opt/var/cache/malware-filter/malware     [  <=>                                                                      ]  10.51K  46.6KB/s   in 0.2s
/opt/var/cache/malware-filter/malware 100%[==========================================================================>]  17.00K  43.3KB/s   in 0.4s
/opt/var/cache/malware-filter/malware 100%[==========================================================================>] 296.25K   151KB/s   in 2.0s
/opt/var/cache/malware-filter/malware 100%[==========================================================================>]   8.02K  --.-KB/s   in 0.1s
iptables: No chain/target/match by that name


But it did create the ipset

Code:
/tmp/mnt/sda1/entware/var/cache/malware-filter# ipset -L
Name: malware-filter
Type: iphash
References: 1
Header: hashsize: 199288 probes: 8 resize: 50
Members:
81.215.63.197
109.200.241.137
181.198.7.146
93.79.199.182
109.236.221.169
141.101.11.134
109.162.113.190
91.217.100.168


It did place the ipset in the iptables

Code:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           set malware-filter src,dst reject-with icmp-port-unreachable

And I tested if it was working: I pinged a random IP on the set before the script and it responded, and after it did not, so it's working! Thanks a lot for your work and dedication. If you need any more testing let me know

Code:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   120 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           set malware-filter src,dst reject-with icmp-port-unreachable
 
Awesome, posted the version on the wiki, and tnx for bearing with me and testing :) It gets a little tricky using 2 different syntaxes when I don't have a mips router
 
