
Skynet - Asus Firewall Addition (Dynamic Malware/Country/Manual IP Blocking)

Discussion in 'Asuswrt-Merlin' started by Adamm, Apr 16, 2014.

  1. Adamm

    Adamm Very Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    779
    UPDATED 21/10/2017

    Currently this script is only supported for Asus Routers with IPSet v6

    This will require MerlinWRT v380.68 (or newer) or Johns Fork V26E3 (or newer).



    Skynet - Asus Firewall Addition

    The original tool since 2013.

    This script automates the process of banning/whitelisting IPs you desire. It expands on the built in SPI/DOS/SYN/Brute-force protection adding a more permanent solution with countless other features.

    This is just another line of defence, but it also adds useful IP banning functionality using IPSet which has almost no performance impact on the router when banning hundreds of thousands of IPs.

    Unlike other scripts which just blindly ban, Skynet has built in checks which verify banned IPs are actually suspicious.

    Skynet fully supports (router) OpenVPN implementations and the Astrill VPN Plugin along with user scripts like AB-Solution.



    INSTALLATION;

    No entware, USB, modifying system files or bloat required. After downloading it just works.

    This script is now hosted on GitHub, you can follow the most recent changes here.

    In your favourite SSH terminal;

    Code:
    /usr/sbin/wget -O /jffs/scripts/firewall https://raw.githubusercontent.com/Adamm00/IPSet_ASUS/master/firewall.sh
    chmod +x /jffs/scripts/firewall
    sh /jffs/scripts/firewall install
    
    After installation (or reboot) you should see output like the following indicating the script is working.

    Code:
    Jun 24 15:54:26 Skynet: [INFO] Startup Initiated...
    Jun 24 15:54:34 Skynet: [Complete] 130448 IPs / 3020 Ranges Banned. 130448 New IPs / 3020 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [9s]
    


    Features;

    Code:
    "unban"        # <-- Remove Entry From Blacklist (IP/Range/Domain/Port/Country/Malware/Autobans/Nomanual/All)
    "ban"          # <-- Adds Entry To Blacklist (IP/Range/Domain/Port/Country)
    "banmalware"   # <-- Bans Various Malware Domains
    "whitelist"    # <-- Add Entry To Whitelist (IP/Range/Domain/Port/VPN/Remove/Refresh/List)
    "import"       # <-- Bans All IPs From URL
    "deport"       # <-- Unbans All IPs From URL
    "save"         # <-- Save Blacklists To ipset.txt
    "restart"      # <-- Restart Skynet
    "disable"      # <-- Temporarily Disable Skynet
    "update"       # <-- Update Script To Latest Version (check github for changes)
    "debug"        # <-- Debug Features (Disable/Watch/Info)
    "stats"        # <-- Show/Search Stats Of Banned IPs (Requires debugging enabled)
    "install"      # <-- Install Script (Or Change Boot Args)
    "uninstall"    # <-- Uninstall All Traces Of Script
    


    USAGE;

    Skynet provides both a user interactive menu, and command line interface for those who prefer it.

    To open the menu it's as simple as;

    Code:
    sh /jffs/scripts/firewall
    And for the CLI users, here's a list of possible commands.

    Code:
    Here Are Some Example Unban Commands;
    (sh /jffs/scripts/firewall unban) This Requires Manual Input (Only IPs accepted)
    (sh /jffs/scripts/firewall unban 8.8.8.8) This Unbans The IP Specified
    (sh /jffs/scripts/firewall unban range 8.8.8.8/24) This Unbans the CIDR Block Specified
    (sh /jffs/scripts/firewall unban domain) This Requires Manual Input (Only Domains Accepted)
    (sh /jffs/scripts/firewall unban domain google.com) This Unbans the URL Specified
    (sh /jffs/scripts/firewall unban port 23) This Unbans All Autobans Based On Traffic From Port 23
    (sh /jffs/scripts/firewall unban comment "Apples") This Unbans Entries With Comment Containing The Word Apples
    (sh /jffs/scripts/firewall unban country) This Unbans Entries Added By The "Ban Country" Feature
    (sh /jffs/scripts/firewall unban malware) This Unbans Entries Added By The "Ban Malware" Feature
    (sh /jffs/scripts/firewall unban autobans) This Unbans All Autobans
    (sh /jffs/scripts/firewall unban nomanual) This Unbans Everything But Manual Bans
    (sh /jffs/scripts/firewall unban all) This Unbans All Entries From Both Blacklists
    
    Here Are Some Example Ban Commands;
    (sh /jffs/scripts/firewall ban) This Requires Manual Input (Only IPs accepted)
    (sh /jffs/scripts/firewall ban 8.8.8.8 Apples) This Bans The IP Specified With Comment Apples
    (sh /jffs/scripts/firewall ban range 8.8.8.8/24 Apples) This Bans the CIDR Block Specified With Comment Apples
    (sh /jffs/scripts/firewall ban domain) This Requires Manual Input (Only Domains Accepted)
    (sh /jffs/scripts/firewall ban domain google.com) This Bans the URL Specified
    (sh /jffs/scripts/firewall ban country "pk cn sa") This Bans The Known IPs For The Specified Countries (accepts single/multiple inputs if quoted) http://www.ipdeny.com/ipblocks/data/countries/
    
    Here Are Some Example Banmalware Commands;
    (sh /jffs/scripts/firewall banmalware) This Bans IPs From The Predefined Filter List
    (sh /jffs/scripts/firewall banmalware google.com/filter.list) This Uses The Filter List From The Specified URL
    
    Here Are Some Example Whitelist Commands;
    (sh /jffs/scripts/firewall whitelist) This Requires Manual Input (Only IPs accepted)
    (sh /jffs/scripts/firewall whitelist 8.8.8.8 Apples) This Whitelists The IP or Range Specified With Comment Apples
    (sh /jffs/scripts/firewall whitelist domain) This Requires Manual Input (Only Domains Accepted)
    (sh /jffs/scripts/firewall whitelist domain google.com) This Whitelists the URL Specified
    (sh /jffs/scripts/firewall whitelist port 23) This Whitelists All Autobans Based On Traffic From Port 23
    (sh /jffs/scripts/firewall whitelist vpn) Refresh VPN Whitelist
    (sh /jffs/scripts/firewall whitelist remove) This Removes All Non-Default Entries
    (sh /jffs/scripts/firewall whitelist remove ip 8.8.8.8) This Removes IP Specified
    (sh /jffs/scripts/firewall whitelist remove comment "apple" ) This Removes Entries With Comment Containing The Word Apple
    (sh /jffs/scripts/firewall whitelist refresh ) Regenerate Shared Whitelist Files
    (sh /jffs/scripts/firewall whitelist list ) List All Whitelist Entries
    (sh /jffs/scripts/firewall whitelist list ips ) List Manually Added IP Entries
    (sh /jffs/scripts/firewall whitelist list domains ) List Manually Added Domain Entries
    
    Here Are Some Example Import Commands;
    (sh /jffs/scripts/firewall import URL) This Bans All IPs From URL
    
    Here Are Some Example Deport Commands;
    (sh /jffs/scripts/firewall deport URL) This Unbans All IPs From URL
    
    Here Are Some Example Update Commands;
    (sh /jffs/scripts/firewall update) Standard Update Check - If Nothing Detected Exit
    (sh /jffs/scripts/firewall update check) Check For Updates Only - Won't Update If Detected
    (sh /jffs/scripts/firewall update -f) Force Update Even If No Changes Detected
    
    Here Are Some Example Debug Commands;
    (sh /jffs/scripts/firewall debug disable) Disable Raw Debugging
    (sh /jffs/scripts/firewall debug watch) Show Debug Entries As They Appear
    (sh /jffs/scripts/firewall debug info) Print Useful Debug Info
    
    Here Are Some Example Stats Commands;
    (sh /jffs/scripts/firewall stats) Compile Stats With Default Top10 Output
    (sh /jffs/scripts/firewall stats 20) Compile Stats With Customisable Top20 Output
    (sh /jffs/scripts/firewall stats tcp) Compile Stats Showing Only TCP Entries
    (sh /jffs/scripts/firewall stats tcp 20) Compile Stats Showing Only TCP Entries With Customisable Top20 Output
    (sh /jffs/scripts/firewall stats search port 23) Search All Debug Data For Entries On Port 23
    (sh /jffs/scripts/firewall stats search port 23 20) Search All Debug Data For Entries On Port 23 With Customisable Top20 Output
    (sh /jffs/scripts/firewall stats search ip 8.8.8.8) Search All Debug Data For Entries On 8.8.8.8
    (sh /jffs/scripts/firewall stats search ip 8.8.8.8 20) Search All Debug Data For Entries On 8.8.8.8 With Customisable Top20 Output
    (sh /jffs/scripts/firewall stats search malware 8.8.8.8) Search Malwarelists For Specified IP
    (sh /jffs/scripts/firewall stats search autobans) Search For All Autobans
    (sh /jffs/scripts/firewall stats search manualbans) Search For All Manual Bans
    (sh /jffs/scripts/firewall stats reset) Reset All Collected Debug Data
    

    About;
     
    Last edited: Oct 20, 2017 at 11:27 AM
  2. thelonelycoder

    thelonelycoder Part of the Furniture

    Joined:
    Jan 23, 2014
    Messages:
    3,065
    Location:
    In the heart of Switzerland
    That evolved quickly and nicely! Thank you.
    I use differing LAN settings and others may too.
    I would have to download the script manually first and install it that way.
    To help others you could insert a direct download link or post the content of the files in your first post.
     
  3. Adamm

    Adamm Very Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    779
    Halp - BestApp.exe or BestWebsite.com Is Being Blocked;

    Don't worry, tracking down false positive bans was at the core of design. Generally speaking you can follow these steps to find (and unban) anything incorrectly on your Blacklist!

    1.) Enable Debug Mode via the installer
    Code:
    sh /jffs/scripts/firewall install
    2.) Open the blocked application/website and use the command;

    Code:
    sh /jffs/scripts/firewall debug watch
    Now look for a flood of [BLOCKED - RAW] coming from the same IP. This most likely will be the IP you are looking for if it's being spammed in large numbers.

    3.) Copy the IP following "SRC="; it should look something like this;
    Code:
    SRC=175.115.37.52
    4.) Double-check that the IP is not actually something that should be banned; use a search tool like AlienVault.

    Code:
    https://otx.alienvault.com/indicator/ip/175.115.37.52/
    5.) Great, we have confirmed we found the IP of the blocked website/application we are looking for, let's whitelist it!

    Code:
    sh /jffs/scripts/firewall whitelist 175.115.37.52
     
    Last edited: Oct 7, 2017
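    The "flood of [BLOCKED - RAW] from the same IP" check in the steps above, done with a short POSIX sh helper rather than by eye. This is an added example, not code from the post or from Skynet itself; the log lines are constructed to mimic the debug output format (only the "[BLOCKED - RAW]" tag and the "SRC=" field are taken from the post, the rest of each line is assumed).

```shell
#!/bin/sh
# Constructed sample of "debug watch" style lines (not real router output).
# Three RAW blocks from one source, one RAW block from another, and one
# non-RAW block that must be ignored.
SAMPLE_LOG='Oct 7 10:01:01 Skynet: [BLOCKED - RAW] IN=eth0 OUT= SRC=175.115.37.52 DST=192.168.1.10 PROTO=TCP DPT=443
Oct 7 10:01:01 Skynet: [BLOCKED - RAW] IN=eth0 OUT= SRC=175.115.37.52 DST=192.168.1.10 PROTO=TCP DPT=443
Oct 7 10:01:02 Skynet: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.1 PROTO=TCP DPT=23
Oct 7 10:01:02 Skynet: [BLOCKED - RAW] IN=eth0 OUT= SRC=175.115.37.52 DST=192.168.1.10 PROTO=TCP DPT=443
Oct 7 10:01:03 Skynet: [BLOCKED - RAW] IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.10 PROTO=UDP DPT=53'

# Print "count ip" pairs for every SRC= address seen on a [BLOCKED - RAW]
# line, most frequent first. Only tools present in busybox are used.
rank_blocked_src() {
    printf '%s\n' "$1" \
      | grep -F '[BLOCKED - RAW]' \
      | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# The single most frequent source: the false-positive candidate to verify.
top_blocked_src() {
    rank_blocked_src "$1" | head -n 1 | awk '{print $2}'
}

# How many RAW blocks that candidate produced; a burst of hits is the signal
# the post describes, a lone hit is not worth whitelisting on its own.
top_blocked_count() {
    rank_blocked_src "$1" | head -n 1 | awk '{print $1}'
}

# Stand-alone run over the constructed sample.
rank_blocked_src "$SAMPLE_LOG"
CANDIDATE=$(top_blocked_src "$SAMPLE_LOG")
echo "Candidate: $CANDIDATE ($(top_blocked_count "$SAMPLE_LOG") RAW hits)"
echo "Verify it first: https://otx.alienvault.com/indicator/ip/$CANDIDATE/"
echo "If it is a false positive: sh /jffs/scripts/firewall whitelist $CANDIDATE"
```

    On a router you would feed it real output instead, e.g. `rank_blocked_src "$(sh /jffs/scripts/firewall debug watch | head -n 200)"`; the whitelist line is printed, not executed, so the verification step is never skipped.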
  4. jernau

    jernau Occasional Visitor

    Joined:
    May 30, 2013
    Messages:
    45
    Unfortunately this script doesn't work for me; I just get loads of errors stating that the --match-set argument is not available in the version of iptables installed;

    iptables v1.3.8: Unknown arg `--match-set'

    I'm running 374.41 Beta 1

    Also the firewall.sh script as downloaded appears to be in DOS format i.e. includes windows linefeeds (^M) so wouldn't run until I ran dos2unix on another machine against the file.
     
  5. Adamm

    Adamm Very Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    779
    Thanks for pointing that out, for some reason my encoding settings seem to hate me and constantly change back (lol). Fixed and tested it to make sure it works.
     
  6. shooter40sw

    shooter40sw Senior Member

    Joined:
    Mar 3, 2013
    Messages:
    271
    Hi guys, I already have Download Manager installed, and no plans to uninstall it, or install entware. I also have active SSH brute force prevention on the admin page. Can I use this script? I also use a "weird" :D LAN setup! x.x.x.x/27 thanks
     
  7. Adamm

    Adamm Very Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    779
    Yes this will also work with DLM installed, the requirement is so that optware is installed which happens during the DLM setup process.

    This script also should not interfere with any settings so go wild. The script also automatically detects your LAN setup on start-up and whitelists it (using the lan_ipaddr var).

    Hope this helps.
     
  8. jernau

    jernau Occasional Visitor

    Joined:
    May 30, 2013
    Messages:
    45
    Does this script only work on certain Merlin versions as I mentioned before I keep getting the following error when running the script;

    iptables v1.3.8: Unknown arg `--match-set'
     
  9. Adamm

    Adamm Very Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    779
    What router are you running and which firmware? Your IPTables is out of date compared to the latest release which the script is based on.

    [email protected]:/tmp/home/root# iptables -V
    iptables v1.4.14

    [email protected]:/tmp/home/root# ipset -V
    ipset v4.5, protocol version 4.
    Kernel module protocol version 4.


    Edit; Okay so just realized the AC66U for whatever reason is based on an older IPTables version. For now support is limited to the AC56U and AC68U. Sorry about that.
     
    Last edited: Apr 16, 2014
  10. octopus

    octopus Very Senior Member

    Joined:
    Jul 17, 2012
    Messages:
    873
    Use: -m set --match-set
     
    Last edited: Nov 7, 2016
  11. Adamm

    Adamm Very Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    779
    I will eventually make the script dynamically adjust the IPTables syntax based on the router model, currently the N56U/AC66U/AC68U all run different versions of IPTables and IPSet which makes things painful as I'm maintaining 3 different scripts that do the same thing. I'll get around to it sooner or later.
     
  12. wbennett77

    wbennett77 Regular Contributor

    Joined:
    Jan 5, 2014
    Messages:
    156
    Location:
    Canada
    Hey Adamm,

    Thanks for sharing your work with us. I am using your script and, this being the first time I have ever used SSH, I have one question. I just upgraded the firmware to Merlin's final .41 and I wanted to know if this area gets overwritten during the upgrade. I don't see the "starting ...." but I do see this:
    Apr 19 09:45:52 Firewall: [Complete] 0 IPs currently banned. 0 New IP's Banned.
    I am assuming that this means that it didn't get overwritten but being a rookie in this area just need to know for sure.

    Cheers!
     
  13. Adamm

    Adamm Very Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    779
    Looks like it's working fine; if you see anything like that in the syslog you can confirm it's been executed.
     
  14. wbennett77

    wbennett77 Regular Contributor

    Joined:
    Jan 5, 2014
    Messages:
    156
    Location:
    Canada
    Thanks Adamm!
     
  15. idolza

    idolza New Around Here

    Joined:
    Apr 6, 2014
    Messages:
    3
    @Adamm thank you so much.

    Managed to get it working and it's been doing its work for me:

    Apr 21 15:11:38 Firewall: [IP Banning Started] ... ... ...
    Apr 21 15:11:39 Firewall: [Complete] 159 IPs currently banned. 2 New IP's Banned.

    Having teenagers on the network, who aren't as careful - this also helps along with all the other measures I've put in place.
     
  16. wbennett77

    wbennett77 Regular Contributor

    Joined:
    Jan 5, 2014
    Messages:
    156
    Location:
    Canada
    That's a lot of banned IPs. Did you add anything to the defaults such as additional countries?
    Cheers!

    Sent from my Galaxy S4 using Tapatalk
     
  17. sinshiva

    sinshiva Very Senior Member

    Joined:
    Nov 8, 2013
    Messages:
    1,030
    Location:
    FL
    sometimes JFFS is overwritten during upgrades so it would definitely be wise to backup from time to time.
     
  18. wbennett77

    wbennett77 Regular Contributor

    Joined:
    Jan 5, 2014
    Messages:
    156
    Location:
    Canada
    One possibly strange question (rookie) but do I have to leave SSH enabled on the router for this to run correctly? The reason I ask is because as soon as I enable SSH the router log showed this but nothing before being enabled:
    Maybe it's just a coincidence?

    Cheers!
     
  19. Adamm

    Adamm Very Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    779
    I believe your question was answered on IRC but for the convenience of others: no, SSH being enabled is not a requirement, but it is required to install the script (that or Telnet).

    And for clarification, the "firewall-start" script is how the firewall addition is initiated on boot (or firewall restart), along with setting up two cronjobs that save the IP list and back it up.


    For others to see the scripts effectiveness, here's my firewalls results after a week.

     
    Last edited: Apr 22, 2014
  20. wbennett77

    wbennett77 Regular Contributor

    Joined:
    Jan 5, 2014
    Messages:
    156
    Location:
    Canada
    Good morning,

    Yes, after writing here I went directly to IRC and got the answer I was looking for.

    A couple other things..... how do I get an update as to how many IPs have currently been banned, and where would I go to get a country list that works with your script?

    Thanks again!

    Cheers!
     