What's new
By:

Malware Filter / bad host IPSET

swetoast said:
@sobored04 why is that script introduced to this thread ?

updated the wiki with the latest revision with updated instructions.
Click to expand...
Hi @swetoast for me it gives me the same error on the mips, thanks

Code: 
/opt/var/cache/malware-filter/malware- 100%[=============================================================================>] 294.76K  84.4KB/s   in 3.5s
/opt/var/cache/malware-filter/malware- 100%[=============================================================================>]   7.34K  46.7KB/s   in 0.2s
Bad argument `family'
Try `ipset -H' or 'ipset --help' for more information.
ipset v4.5: Couldn't load settype `1.160.42.198':File not found

Try `ipset -H' or 'ipset --help' for more information.
ipset v4.5: Couldn't load settype `1.160.43.75':File not found
 
I am looking at the updated instructions on the wiki and it seems /opt/ does not exist for me, I have a symbolic link to tmp/opt but in reality where it points to does not exist, is /opt/ a folder I should manually create or should I just point the script to a different location?
 
Check on how to install entware or just replace the path with a path of your choosing.. it doesnt have to be /opt it could be whateever you want.
 
shooter40sw said:
Hi @swetoast for me it gives me the same error on the mips, thanks

Code: 
/opt/var/cache/malware-filter/malware- 100%[=============================================================================>] 294.76K  84.4KB/s   in 3.5s
/opt/var/cache/malware-filter/malware- 100%[=============================================================================>]   7.34K  46.7KB/s   in 0.2s
Bad argument `family'
Try `ipset -H' or 'ipset --help' for more information.
ipset v4.5: Couldn't load settype `1.160.42.198':File not found

Try `ipset -H' or 'ipset --help' for more information.
ipset v4.5: Couldn't load settype `1.160.43.75':File not found
Click to expand...
Could be the same issue as in this thread here ... maxelem not supported
http://www.snbforums.com/threads/iphash-maxelem-not-supported-in-ipset-v4-5.35076/
 
please stick to the topic this thread is about the malware script if you want to discuss other scripts start a separate thread, dont threadjack !
 
swetoast said:
im gonna add it as soon as more people test it and confirm that is working for em with a new description telling users not to add it to firewall-start unless they wanna wait 5 min when they reboot it better to have it as a service with cru in services-start

add the script to /opt/bin/malware-block

then type this

nano /jffs/scripts/services-start

and append

cru a malware-filter ""0 */12 * * */opt/bin/malware-block"

save it
Click to expand...
I just ran the cru command as posted above but got an error about unexpected string. I removed the double ""0 with "0 and it worked. Correction below.
Code: 
cru a malware-filter "0 */12 * * */opt/bin/malware-block"
 
Changes for mips please try @shooter40sw tnx for the guidance @tomsk

Code: 
#!/bin/sh
# Original script by swetoast. Updates by Neurophile & Octopus.
# Revision 3

path=/opt/var/cache/malware-filter                               # Set your path here
regexp=`echo "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"`         # Dont change this value

ipset -v | grep -i "v4" > /dev/null 2>&1

if [ $? -eq 0 ]; then
     ipsetv=4
     lsmod | grep "ipt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_nethash ip_set_iphash ipt_set
     do
          insmod $module
     done
else
     ipsetv=6
     lsmod | grep "xt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
     do
          insmod $module
     done
fi

case $(uname -m) in
armv7l)
    MATCH_SET='--match-set'                 # Value for ARM Routers
    HASH='hash:ip'
    SYNTAX='add'
    SWAPPED='swap'
    DESTROYED='destroy'
    OPTIONAL='family inet hashsize 2048 maxelem 65536'
;;
mips)
    MATCH_SET='--set'                             # Value for Mips Routers
    HASH='iphash'
    SYNTAX='-q -A'
    SWAPPED='-W'
    DESTROYED='−X'
;;
*)
    MATCH_SET='--match-set'                 # Value for Wildcard Routers
    HASH='hash:ip'
    SYNTAX='add'
    SWAPPED='swap'
    DESTROYED='destroy'
    OPTIONAL='family inet hashsize 2048 maxelem 65536'
;;
esac

get_list () {
        mkdir -p $path
        wget -q --show-progress -i $path/malware-filter.list -O $path/malware-list.pre
        cat $path/malware-list.pre | grep -oE "$regexp" | sort -u >$path/malware-filter.txt
 }

run_ipset () {

get_list

ipset -L malware-filter >/dev/null 2>&1
if [ $? -ne 0 ]; then
    if [ "$(ipset --swap malware-filter malware-filter 2>&1 | grep -E 'Unknown set|The set with the given name does not exist')" != "" ]; then
    path=/opt/var/cache/malware-filter
    ipset -N malware-filter $HASH $OPTIONAL
    for i in `cat $path/malware-filter.txt`; do ipset $SYNTAX malware-filter $i ; done
fi
else
    path=/opt/var/cache/malware-filter
    ipset -N malware-update $HASH $OPTIONAL
    for i in `cat $path/malware-filter.txt`; do ipset $SYNTAX malware-update $i ; done
    ipset $SWAPPED malware-update malware-filter
    ipset $DESTROYED malware-update
fi


iptables-save | grep malware-filter > /dev/null 2>&1 || \
iptables -D FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
iptables -I FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
}

run_ipset
exit $?
 
Last edited:
hi! @swetoast unfortunate it does not work

Code: 
/opt/var/cache/malware-filter/malware-lis 100%[======================================================================================>] 293.48K   258KB/s   in 1.1s
/opt/var/cache/malware-filter/malware-lis 100%[======================================================================================>]   8.02K  --.-KB/s   in 0.1s
ipset v4.5: Couldn't load settype `1.160.42.198':File not found

Try `ipset -H' or 'ipset --help' for more information.
ipset v4.5: Couldn't load settype `1.160.43.75':File not found

Try `ipset -H' or 'ipset --help' for more information.
ipset v4.5: Couldn't load settype `1.161.165.231':File not found



swetoast said:
Changes for mips please try @shooter40sw

Code: 
#!/bin/sh
# Original script by swetoast. Updates by Neurophile & Octopus.
# Revision 3

path=/opt/var/cache/malware-filter                               # Set your path here
regexp=`echo "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"`         # Dont change this value

ipset -v | grep -i "v4" > /dev/null 2>&1

if [ $? -eq 0 ]; then
     ipsetv=4
     lsmod | grep "ipt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_nethash ip_set_iphash ipt_set
     do
          insmod $module
     done
else
     ipsetv=6
     lsmod | grep "xt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
     do
          insmod $module
     done
fi

case $(uname -m) in
armv7l)
    MATCH_SET='--match-set'                 # Value for ARM Routers
    HASH='hash:ip'
    SYNTAX='add'
    SWAPPED='swap'
    DESTROYED='destroy'
    OPTIONAL='family inet hashsize 2048 maxelem 65536'
;;
mips)
    MATCH_SET='--set'                             # Value for Mips Routers
    HASH='iphash'
    SYNTAX='-N'
    SWAPPED='-W'
    DESTROYED='−X'
;;
*)
    MATCH_SET='--match-set'                 # Value for Wildcard Routers
    HASH='hash:ip'
    SYNTAX='add'
    SWAPPED='swap'
    DESTROYED='destroy'
    OPTIONAL='family inet hashsize 2048 maxelem 65536'
;;
esac

get_list () {
        mkdir -p $path
        wget -q --show-progress -i $path/malware-filter.list -O $path/malware-list.pre
        cat $path/malware-list.pre | grep -oE "$regexp" | sort -u >$path/malware-filter.txt
 }

run_ipset () {

get_list

ipset -L malware-filter >/dev/null 2>&1
if [ $? -ne 0 ]; then
    if [ "$(ipset --swap malware-filter malware-filter 2>&1 | grep -E 'Unknown set|The set with the given name does not exist')" != "" ]; then
    path=/opt/var/cache/malware-filter
    ipset -N malware-filter $HASH $OPTIONAL
    for i in `cat $path/malware-filter.txt`; do ipset $SYNTAX malware-filter $i ; done
fi
else
    path=/opt/var/cache/malware-filter
    ipset -N malware-update $HASH $OPTIONAL
    for i in `cat $path/malware-filter.txt`; do ipset $SYNTAX malware-update $i ; done
    ipset $SWAPPED malware-update malware-filter
    ipset $DESTROYED malware-update
fi


iptables-save | grep malware-filter > /dev/null 2>&1 || \
iptables -D FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
iptables -I FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
}

run_ipset
exit $?
Click to expand...
 
try again with the script above made changes.

seems that it failed from looking at it when it adds ip to the actual set
Code: 
for i in `cat $path/malware-filter.txt`; do ipset $SYNTAX malware-update $i ; done

so i changed the syntax it should work now :)
 
Last edited:
swetoast said:
try again with the script above made changes.
Click to expand...

I think its almost done, there is an error at the end but it does fill the ipset, it finishes in aprox 5 minutes 100% CPU, it says bad argument -X


Code: 
/opt/var/cache/malware-filter/malware-list. 100%[=============================================================================================>] 296.25K   261KB/s   in 1.1s
/opt/var/cache/malware-filter/malware-list. 100%[=============================================================================================>]   8.02K  --.-KB/s   in 0.1s
Bad argument `−X'
Try `ipset -H' or 'ipset --help' for more information.


Code: 
are/var/cache/malware-filter# ipset -L
Name: malware-filter
Type: iphash
References: 2
Header: hashsize: 132859 probes: 8 resize: 50
Members:
180.168.43.142
220.117.24.14
118.34.198.225
114.34.236.41

Code: 
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           set malware-filter src,dst reject-with icmp-port-unreachable
 
ok so it has an issue with destroying old rules atleast its loaded the list that good news, yepp 5 min seems about right on an older model gonna put nice on it to make it less of a strain on the router
 
Code: 
#!/bin/sh
# Original script by swetoast. Updates by Neurophile & Octopus.
# Revision 3

path=/opt/var/cache/malware-filter                               # Set your path here
regexp=`echo "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"`         # Dont change this value

ipset -v | grep -i "v4" > /dev/null 2>&1

if [ $? -eq 0 ]; then
     ipsetv=4
     lsmod | grep "ipt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_nethash ip_set_iphash ipt_set
     do
          insmod $module
     done
else
     ipsetv=6
     lsmod | grep "xt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
     do
          insmod $module
     done
fi

case $(uname -m) in
armv7l)
    MATCH_SET='--match-set'                 # Value for ARM Routers
    HASH='hash:ip'
    SYNTAX='add'
    SWAPPED='swap'
    DESTROYED='destroy'
    OPTIONAL='family inet hashsize 2048 maxelem 65536'
;;
mips)
    MATCH_SET='--set'                             # Value for Mips Routers
    HASH='iphash'
    SYNTAX='-q -A'
    SWAPPED='-W'
    DESTROYED='--destroy'
;;
*)
    MATCH_SET='--match-set'                 # Value for Wildcard Routers
    HASH='hash:ip'
    SYNTAX='add'
    SWAPPED='swap'
    DESTROYED='destroy'
    OPTIONAL='family inet hashsize 2048 maxelem 65536'
;;
esac

get_list () {
        mkdir -p $path
        wget -q --show-progress -i $path/malware-filter.list -O $path/malware-list.pre
        cat $path/malware-list.pre | grep -oE "$regexp" | sort -u >$path/malware-filter.txt
 }

run_ipset () {

get_list

ipset -L malware-filter >/dev/null 2>&1
if [ $? -ne 0 ]; then
    if [ "$(ipset --swap malware-filter malware-filter 2>&1 | grep -E 'Unknown set|The set with the given name does not exist')" != "" ]; then
    path=/opt/var/cache/malware-filter
    ipset -N malware-filter $HASH $OPTIONAL
    for i in `cat $path/malware-filter.txt`; do nice -n 12 ipset $SYNTAX malware-filter $i ; done
fi
else
    path=/opt/var/cache/malware-filter
    ipset -N malware-update $HASH $OPTIONAL
    for i in `cat $path/malware-filter.txt`; do ipset $SYNTAX malware-update $i ; done
    ipset $SWAPPED malware-update malware-filter
    ipset $DESTROYED malware-update
fi


iptables-save | grep malware-filter > /dev/null 2>&1 || \
iptables -D FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
iptables -I FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
}

run_ipset
exit $?
 
Last edited:
Something went wrong with this one

Code: 
opt/var/cache/malware-filter/malware-list.pre    100%[============================================================================================================>] 296.25K   260KB/s   in 1.1s
/opt/var/cache/malware-filter/malware-list.pre    100%[============================================================================================================>]   8.02K  --.-KB/s   in 0.1s
ipset v4.5: Set already exists
ipset v4.5: Couldn't load settype `1.160.42.198':File not found

Try `ipset -H' or 'ipset --help' for more information.
ipset v4.5: Couldn't load settype `1.160.43.75':File not found

swetoast said:
Code: 
#!/bin/sh
# Original script by swetoast. Updates by Neurophile & Octopus.
# Revision 4

path=/opt/var/cache/malware-filter                               # Set your path here
regexp=`echo "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"`         # Dont change this value

ipset -v | grep -i "v4" > /dev/null 2>&1

if [ $? -eq 0 ]; then
     ipsetv=4
     lsmod | grep "ipt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_nethash ip_set_iphash ipt_set
     do
          insmod $module
     done
else
     ipsetv=6
     lsmod | grep "xt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
     do
          insmod $module
     done
fi

case $(uname -m) in
armv7l)
    MATCH_SET='--match-set'                 # Value for ARM Routers
    HASH='hash:ip'
    SYNTAX='add'
    SWAPPED='swap'
    DESTROYED='destroy'
    OPTIONAL='family inet hashsize 2048 maxelem 65536'
;;
mips)
    MATCH_SET='--set'                             # Value for Mips Routers
    HASH='iphash'
    SYNTAX='-q -A'
    SWAPPED='-W'
    DESTROYED='--destroy'
;;
*)
    MATCH_SET='--match-set'                 # Value for Wildcard Routers
    HASH='hash:ip'
    SYNTAX='add'
    SWAPPED='swap'
    DESTROYED='destroy'
    OPTIONAL='family inet hashsize 2048 maxelem 65536'
;;
esac

get_list () {
        mkdir -p $path
        wget -q --show-progress -i $path/malware-filter.list -O $path/malware-list.pre
        cat $path/malware-list.pre | grep -oE "$regexp" | sort -u >$path/malware-filter.txt
 }

run_ipset () {

get_list

ipset -L malware-filter >/dev/null 2>&1
if [ $? -ne 0 ]; then
    if [ "$(ipset --swap malware-filter malware-filter 2>&1 | grep -E 'Unknown set|The set with the given name does not exist')" != "" ]; then
    path=/opt/var/cache/malware-filter
    ipset -N malware-filter $HASH $OPTIONAL
    for i in `cat $path/malware-filter.txt`; do ipset $SYNTAX malware-filter $i ; done
fi
else
    path=/opt/var/cache/malware-filter
    ipset -N malware-update $HASH $OPTIONAL
    for i in `cat $path/malware-filter.txt`; do ipset $SYNTAX malware-update $i ; done
    ipset $SWAPPED malware-update malware-filter
    ipset $DESTROYED malware-update
fi


iptables-save | grep malware-filter > /dev/null 2>&1 || \
iptables -D FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
iptables -I FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
}

run_ipset
exit $?
Click to expand...
 
sry missed the syntax again had to many windows up try again :) sorry i updated the script with the correct syntax "SYNTAX='-q -A'" and i added nice to the process so it might take a bit longer to complete but less strain on the CPU
 
swetoast said:
sry missed the syntax again had to many windows up try again :) sorry i updated the script with the correct syntax "SYNTAX='-q -A'" and i added nice to the process so it might take a bit longer to complete but less strain on the CPU
Click to expand...

No worries ! thanks for the help and patience!
I rebooted the router and got an error while running again the script, it stayed again 100% CPU for 5 m regardless of the nice command

Code: 
p/mnt/sda1/entware/var/cache/malware-filter# ./blockip.sh
insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/netfilter/ip_set.ko': File exists
/opt/var/cache/malware-filter/malware 100%[==========================================================================>] 159.99K  9.40KB/s   in 17s
/opt/var/cache/malware-filter/malware     [ <=>                                                                       ]   2.34K  --.-KB/s   in 0.005s
/opt/var/cache/malware-filter/malware     [  <=>                                                                      ]  10.51K  46.6KB/s   in 0.2s
/opt/var/cache/malware-filter/malware 100%[==========================================================================>]  17.00K  43.3KB/s   in 0.4s
/opt/var/cache/malware-filter/malware 100%[==========================================================================>] 296.25K   151KB/s   in 2.0s
/opt/var/cache/malware-filter/malware 100%[==========================================================================>]   8.02K  --.-KB/s   in 0.1s
iptables: No chain/target/match by that name


But it did create the ipset

Code: 
/tmp/mnt/sda1/entware/var/cache/malware-filter# ipset -L
Name: malware-filter
Type: iphash
References: 1
Header: hashsize: 199288 probes: 8 resize: 50
Members:
81.215.63.197
109.200.241.137
181.198.7.146
93.79.199.182
109.236.221.169
141.101.11.134
109.162.113.190
91.217.100.168


It did place the ipset in the iptables

Code: 
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           set malware-filter src,dst reject-with icmp-port-unreachable

And I tested if it was working, I pinged a random IP on the set before the script and responded and after and did not, so its working! Thanks a lot for your work and dedication, If you need any more testing let me know

Code: 
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   120 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           set malware-filter src,dst reject-with icmp-port-unreachable
 
Awesome posted the version on the wiki and tnx for bearing with me and testing :) gets a little tricky when i dont have a mips router to use 2 different syntaxes
 
You must log in or register to reply here.

Similar threads

L
YazFi IPCamsBlock.sh with YazFi ??
Replies
2
Views
340
lokester
L
M
Tutorial Application based VPN routing
Replies
0
Views
1K
Mikii
M
Adamm
Skynet Skynet v8 - Router Firewall & Security Enhancements
12 13 14
Replies
279
Views
28K
SolCutter
SolCutter
K
Quectel RM520N-GL 5G modem – Dual WAN setup guide
Replies
0
Views
3K
kuchkovsky
K
M
Skynet Skynet filter list issue - [*] List Content Error Detected - Stopping Banmalware
2 3
Replies
50
Views
4K
Tech9
Tech9
Similar threads
Thread starter Title Forum Replies Date
R Malware infection or not on phone Asuswrt-Merlin 13
spacemanspiff RT-AX86U running Merlin serving DNS - possible Malware infection Asuswrt-Merlin 31
AngelSing [Suggestion] Individual Enable/Disable toggle for Wireless MAC Filter entries Asuswrt-Merlin 3
B CleanBrowsing Family filter bypass on Apple devices with Safari inPrivate browsing Asuswrt-Merlin 7
D Feature Request - Add regex filter in system log Asuswrt-Merlin 10
Alyred Network Services Filter - broken? Asuswrt-Merlin 3
C Firewall URL filter bypassed by guest networks with disabled intranet access Asuswrt-Merlin 4
MacG32 Bad sectors in dev sda... repairable? Asuswrt-Merlin 5

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 8,955 (members: 18, guests: 8,937)
Back
Top