
Skynet - Asus Firewall Addition (Dynamic Malware/Country/Manual IP Blocking)

Discussion in 'Asuswrt-Merlin' started by Adamm, Apr 16, 2014.

  1. TomT

    TomT Regular Contributor

    Joined:
    Feb 25, 2013
    Messages:
    176
    Hi
    Does anyone know if DLM needs to be installed?
    Thanks
     
  2. Ebag333

    Ebag333 New Around Here

    Joined:
    Jan 2, 2016
    Messages:
    6
    The command is:

    Code:
    sh firewall BANSINGLE
    
    It will then prompt you to enter an IP address. If that doesn't work, see the changes I made to the script below.


    So I've been working on this, to get it working on my RT-N66U. What I have working so far works fine for manually entered blocks, but the automatic part not so much.

    Where it falls down is right here:

    Code:
        #iptables -D logdrop -m state --state NEW -j SET --add-set Blacklist src
        #iptables -I logdrop -m state --state NEW -j SET --add-set Blacklist src
    
    It's complaining about -add-set, but from what I'm seeing in documentation that SHOULD be a valid command for that version of iptables.

    Unfortunately, I'm no Linux guru. I've read comments about monitoring the syslog, and when a drop is read, adding it to the Blacklist ipset. That wouldn't be real-time blocking, unless you also reran the firewall script every time (or create a cron job to rerun it every 60 minutes or so?).

    Anyway, here are the tweaks I've made to the script.

    • In each of the if statements, removed the $ from the value side.
      if [ X"$@" = X"$UNBANSINGLE" ] to if [ X"$@" = X"UNBANSINGLE" ]
    • Reordered the whitelist/blacklist/blocked countries section, and added some extra echos to troubleshoot which of the ones were failing.
    • Commented out the three iptables commands for logdrop.
    • I tweaked the BlacklistTotal number to -21 from -26. For some reason, with the IP blocklist empty, it showed -6 (number of non-commented lines in there, coincidence?). -20 worked fine for a while, but then it started showing 1 off between the $NEWAMOUNT and BlacklistTotal (BlacklistTotal showed 1 more than was accurate). -21 seems to work fine, but it might not be accurate until a few IPs are added (or maybe the firewall script is run a few times?).

    See the next post for the actual code.....
     
  3. Ebag333

    Ebag333 New Around Here

    Joined:
    Jan 2, 2016
    Messages:
    6
    Posting the code in a separate post, to get around the character limit...

    Code:
    #!/bin/sh
    ###################################################################################################################
    ## - 25/12/2014 ---        RT-AC66U/RT-AC56U/RT-AC68U Firewall Addition v2.5 -                                    #
    ###################################################################################################################
    ###                    ----- Make Sure To Edit The Following Files -----                                          #
    ### /jffs/scripts/firewall-start    <-- Sets up cronjob/iptables rules                                            #
    ### /jffs/scripts/firewall          <-- Blacklists IP's From /jffs/scripts/ipset.txt                              #
    ### /jffs/scripts/ipset.txt         <-- Banned IP List/IPSet Rules                                                #
    ###################################################################################################################
    
    ##############################
    #####Commands / Variables#####
    ##############################
    UNBANSINGLE="unban"          # <-- Remove Single IP From Blacklist
    UNBANALL="unbanall"          # <-- Unbans All IPs In Blacklist
    REMOVEBANS="removeall"       # <-- Remove All Entries From Blacklist
    SAVEIPSET="save"             # <-- Save Blacklists to /jffs/scripts/ipset.txt
    BANSINGLE="ban"              # <-- Adds Entry To Blacklist
    BANCOUNTRYSINGLE="country"   # <-- Adds entire country to blacklist
    BANCOUNTRYLIST="bancountry"  # <-- Bans specified countries in this file
    WHITELIST="whitelist"        # <-- Add IPs from path to Whitelist
    NEWLIST="new"                 # <-- Create new IPSet Blacklist
    DUMPCFE="dumpcfe"              # <-- Dumps current CFE to /jffs/scripts/cfe.dump
    UPDATECFE="updatecfe"         # <-- Flash CFE from /jffs/scripts/cfe.flash (reset nvram afterwards)
    ##############################
    
    start_time=`date +%s`
    cat /jffs/scripts/firewall | head -28
    
    #####################################################################################################################################
    # - Unban / Unbanall / Removeall / Save / Ban / Country / Bancountry / Whitelist / Hideme / Findme/ DumpCFE / UpdateCFE  / Backup - #
    #####################################################################################################################################
    
    
    if [ X"$@" = X"UNBANSINGLE" ]
    then
        echo "Input IP Address To Unban"
        read unbannedip
        logger -t Firewall "[Unbanning And Removing $unbannedip From Blacklist] ... ... ..."
        ipset  -D Blacklist $unbannedip
        echo "`sed /$unbannedip/d /jffs/scripts/ipset.txt`" > /jffs/scripts/ipset.txt
        echo "$unbannedip Is Now Unbanned"
    
    elif [ X"$@" = X"UNBANALL" ]
    then
        echo "[Unbanning All IP's] ... ... ..."
        logger -t Firewall "[Unbanning All IP's] ... ... ..."
        ipset --flush Blacklist
        ipset --flush BlockedCountries
    
    elif [ X"$@" = X"REMOVEBANS" ]
    then
        nvram set Blacklist=`expr \`ipset -L Blacklist | wc -l\` - 6`
        echo "[Deleting All `echo \`nvram get Blacklist\`` Entries From Blacklist] ... ... ..."
        logger -t Firewall "[Deleting All `echo \`nvram get Blacklist\`` Entries From Blacklist] ... ... ..."
        ipset --flush Blacklist
        ipset --flush BlockedCountries
        ipset --save > /jffs/scripts/ipset.txt
    
    elif [ X"$@" = X"SAVEIPSET" ]
    then
        echo "[Saving Blacklists] ... ... ..."
        ipset --save > /jffs/scripts/ipset.txt
        echo "`sed '/crond: USER admin/d' /tmp/syslog.log`" > /tmp/syslog.log
    
    elif [ X"$@" = X"BANSINGLE" ]
    then
        echo "Input IP Address"
        read bannedip
        logger -t Firewall "[Adding $bannedip To Blacklist] ... ... ..."
        ipset -q -A Blacklist $bannedip
        echo "$bannedip Is Now Banned"
    
    elif [ X"$@" = X"BANCOUNTRYSINGLE" ]
    then
        echo "Input Country Abbreviation"
        read country
        for IP in $(wget -q -O - http://www.ipdeny.com/ipblocks/data/countries/$country.zone)
        do
        ipset -q -A BlockedCountries $IP
        done
    
    elif [ X"$@" = X"BANCOUNTRYLIST" ]
    then
        echo "[Banning Spam Countries] ... ... ..."
        for country in pk cn in jp ru sa
        do
            for IP in $(wget -q -O - http://www.ipdeny.com/ipblocks/data/countries/$country.zone)
            do
                ipset -q -A BlockedCountries $IP
            done
        done
    
    elif [ X"$@" = X"WHITELIST" ]
    then
        echo "Input file location"
        read WHITELISTFILE
        for IP in `cat $WHITELISTFILE`
        do
        ipset -q -A Whitelist $IP
        echo $IP
        done
        ipset --save > /jffs/scripts/ipset.txt
    
    elif [ X"$@" = X"NEWLIST" ]
    then
        echo "Does The Blacklist Need To Be Downloaded? yes/no"
        read ENABLEDOWNLOAD
            if [ X"$ENABLEDOWNLOAD" = X"yes" ]; then
                echo "Input URL For IPSet Blacklist"
                read DOWNLOADURL
                wget -O /jffs/scripts/ipset2.txt $DOWNLOADURL
            fi
        echo "Input New Set Name"
        read SETNAME
        sed -i "s/Blacklist/$SETNAME/g" /jffs/scripts/ipset2.txt
        ipset -q -R  < /jffs/scripts/ipset2.txt
        echo "Successfully Added New Set"
    
    
    elif [ X"$@" = X"DUMPCFE" ] && [ X"`nvram get model`" = X"RT-AC68U" ]
    then
        echo "Dumping CFE"
        logger -t Firewall "[Dumping CFE] ... ... ..."
        OLDCFE="`strings /dev/mtd0 | grep model` - `strings /dev/mtd0 | grep bl_v` - `strings /dev/mtd0 | grep 0:ccode` - `strings /dev/mtd0 | grep et0macaddr` - `strings /dev/mtd0 | grep 0:macaddr` - `strings /dev/mtd0 | grep 1:macaddr` - `strings /dev/mtd0 | grep secret_code`"
        cat /dev/mtd0 > /jffs/scripts/cfe.dump
        echo "Successfully Dumped CFE - $OLDCFE"
        logger -t Firewall "Successfully Dumped CFE - $OLDCFE"
    
    elif [ X"$@" = X"UPDATECFE" ] && [ X"`nvram get model`" = X"RT-AC68U" ]
    then
        echo "Flashing new CFE"
        logger -t Firewall "[Flashing new CFE] ... ... ..."
        OLDCFE="`strings /dev/mtd0 | grep et0macaddr`  `strings /dev/mtd0 | grep 0:macaddr`  `strings /dev/mtd0 | grep 1:macaddr`  `strings /dev/mtd0 | grep secret_code`"
        NEWCFE="`strings /jffs/scripts/cfe.flash | grep et0macaddr`  `strings /jffs/scripts/cfe.flash | grep 0:macaddr`  `strings /jffs/scripts/cfe.flash | grep 1:macaddr`  `strings /jffs/scripts/cfe.flash | grep secret_code`"
            if [ X"`echo $OLDCFE`" = X"`echo $NEWCFE`" ]; then
                echo "Correct Values Detected"
                /jffs/scripts/mtd-write cfe.flash boot && status="Successfully flashed new CFE. `strings /dev/mtd0 | grep bl_v`   `strings /dev/mtd0 | grep 0:ccode`   $NEWCFE"  || status="Failed flashing new CFE"
                logger -t Firewall "$status ... ... ..."
                echo "$status"
            else
                echo "Values Missing From New CFE - Make Sure Values Are Hex'd In" && status="Values Missing From New CFE - Make Sure Values Are Hex'd In"
                echo "Old CFE - $OLDCFE"
                echo "New CFE - $NEWCFE"
                logger -t Firewall "$status ... ... ..."
            fi
    
    else
            if [ X"`nvram get fw_enable_x`" = X"1" ]
            then
                echo "Correct Settings Detected."
            else
                echo "Enabled SPI Firewall"
                nvram set fw_enable_x=1
                nvram commit
            fi
    
            if [ X"`nvram get fw_log_x`" = X"drop" ]
            then
                echo "Correct Settings Detected"
            else
                echo "Enabled Firewall Logging"
                nvram set fw_log_x=drop
                nvram commit
            fi
    
            if [ X"`nvram get clkfreq`" != X"1200,800" ] && [ X"`nvram get model`" = X"RT-AC68U" ]
            then
                echo "Enabled Overclock - Current Clock `nvram get clkfreq`"
                nvram set clkfreq=1200,800
                nvram commit
            else
                echo "Correct Settings Detected."
            fi
    
    
        echo "`sed '/IP Banning Started/d' /tmp/syslog.log`" > /tmp/syslog.log
        echo "[IP Banning Started] ... ... ..."
        logger -t Firewall "[IP Banning Started] ... ... ..."
        ipset -q -R  < /jffs/scripts/ipset.txt
    
        echo "[Loading Blacklist] ... ... ..."
        ipset -q -N Blacklist iphash
        iptables -D INPUT -m set --set Blacklist src -j DROP
        iptables -I INPUT -m set --set Blacklist src -j DROP
    
        echo "[Loading Blocked Countries] ... ... ..."
        ipset -q -N BlockedCountries nethash
        iptables -D INPUT -m set --set BlockedCountries src -j DROP
        iptables -I INPUT -m set --set BlockedCountries src -j DROP
    
        echo "[Loading Whitelist] ... ... ..."
        ipset -q -N Whitelist nethash
        iptables -D INPUT -m set --set Whitelist src -j ACCEPT
        iptables -I INPUT -m set --set Whitelist src -j ACCEPT
        ipset -q -A Whitelist 192.168.1.0/24
        ipset -q -A Whitelist 192.168.0.0/24
        ipset -q -A Whitelist 192.3.148.0/24
        ipset -q -A Whitelist `nvram get lan_ipaddr`/24
    
        #iptables -D logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options  > /dev/null 2>&1
        #iptables -D logdrop -m state --state NEW -j SET --add-set Blacklist src
        #iptables -I logdrop -m state --state NEW -j SET --add-set Blacklist src
    
        echo "`sed '/DROP IN=/d' /tmp/syslog.log`" > /tmp/syslog.log
        echo "`sed '/DROP IN=/d' /tmp/syslog.log-1`" > /tmp/syslog.log-1
    
    fi
    
    ###############
    # - Logging - #
    ###############
    OLDAMOUNT=`nvram get Blacklist`
    nvram set Blacklist=`expr \`ipset -L Blacklist | wc -l\` - 6 `
    NEWAMOUNT=`nvram get Blacklist`
    #nvram set BlacklistTotal=`expr \`ipset -L | wc -l\` - 21`
    start_time=$(expr `date +%s` - $start_time)
    echo "[Complete] $NEWAMOUNT IPs currently banned. `expr $NEWAMOUNT - $OLDAMOUNT` New IP's Banned. `nvram get BlacklistTotal` Banned Overall [`echo $start_time`s]"
    logger -t Firewall "[Complete] $NEWAMOUNT IPs currently banned. `expr $NEWAMOUNT - $OLDAMOUNT` New IP's Banned. `nvram get BlacklistTotal` Banned Overall [`echo $start_time`s]"
    
     
    Last edited: Jan 2, 2016
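
Ebag333's post above mentions the fallback of watching the syslog for DROP entries and adding their source addresses to the Blacklist ipset when the SET target (--add-set) is not available on the router's iptables. The block below is an added example, not code from this thread or from the Skynet script: it shows one way to do that in POSIX sh on the router. It assumes the standard netfilter LOG line format with the "DROP " prefix (the format the commented-out logdrop rule in the script would produce and the one the script's sed '/DROP IN=/d' cleanup expects), filters out private-range sources so LAN hosts can never be banned, honours an optional whitelist, and only bans addresses seen at least N times. The log lines are constructed for the example (TEST-NET addresses); `ipset -q -A Blacklist` is the same call the script uses; the function names drops_to_ban and ban_from_syslog and the BAN_CMD variable are my own choices.

```sh
#!/bin/sh
# Added example: turn firewall DROP log lines into ipset Blacklist entries.
# Assumed log format: netfilter LOG output with --log-prefix "DROP ", e.g.
#   kernel: DROP IN=eth0 OUT= MAC=... SRC=203.0.113.7 DST=... PROTO=TCP SPT=44321 DPT=23

# drops_to_ban THRESHOLD [WHITELIST]
#   Reads syslog lines on stdin and prints every public source address that
#   appears in at least THRESHOLD "DROP IN=" lines. WHITELIST is an optional
#   space-separated list of addresses that must never be banned.
drops_to_ban() {
    threshold="${1:-1}"
    whitelist="${2:-}"
    grep 'DROP IN=' \
    | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
    | grep -v -E '^(10\.|127\.|169\.254\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)' \
    | sort | uniq -c \
    | awk -v t="$threshold" -v wl="$whitelist" '
        BEGIN { n = split(wl, a, " "); for (i = 1; i <= n; i++) w[a[i]] = 1 }
        $1 >= t && !($2 in w) { print $2 }'
}

# ban_from_syslog [LOGFILE] [THRESHOLD] [WHITELIST]
#   Feeds LOGFILE (default: the router syslog) through drops_to_ban and adds
#   every hit to the Blacklist ipset the firewall script creates.
#   Set BAN_CMD=echo for a dry run that only prints the addresses.
ban_from_syslog() {
    log="${1:-/tmp/syslog.log}"
    threshold="${2:-3}"
    whitelist="${3:-}"
    drops_to_ban "$threshold" "$whitelist" < "$log" | while read -r ip; do
        ${BAN_CMD:-ipset -q -A Blacklist} "$ip"
    done
}

# Constructed sample log lines (TEST-NET addresses), not a real router log.
SAMPLE_LOG='Jan  2 10:00:01 kernel: DROP IN=eth0 OUT= MAC=... SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=44321 DPT=23
Jan  2 10:00:04 kernel: DROP IN=eth0 OUT= MAC=... SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=44322 DPT=22
Jan  2 10:00:09 kernel: DROP IN=eth0 OUT= MAC=... SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=44323 DPT=23
Jan  2 10:01:12 kernel: DROP IN=eth0 OUT= MAC=... SRC=198.51.100.9 DST=198.51.100.2 PROTO=TCP SPT=50123 DPT=445
Jan  2 10:01:30 kernel: DROP IN=br0 OUT= MAC=... SRC=192.168.1.5 DST=192.168.1.1 PROTO=TCP SPT=50200 DPT=23
Jan  2 10:02:00 kernel: DROP IN=eth0 OUT= MAC=... SRC=203.0.113.50 DST=198.51.100.2 PROTO=TCP SPT=40001 DPT=22
Jan  2 10:02:05 kernel: DROP IN=eth0 OUT= MAC=... SRC=203.0.113.50 DST=198.51.100.2 PROTO=TCP SPT=40002 DPT=22
Jan  2 10:02:10 crond[812]: USER admin pid 913 cmd /jffs/scripts/firewall'

# Stand-alone demo: dry run against the sample, banning anything seen twice or
# more while never touching 203.0.113.50.
printf '%s\n' "$SAMPLE_LOG" > /tmp/sample_syslog.$$
BAN_CMD=echo ban_from_syslog /tmp/sample_syslog.$$ 2 "203.0.113.50"
rm -f /tmp/sample_syslog.$$
```

On the router this would be run from cron (the same cru job that reruns the firewall script) with the real /tmp/syslog.log and no BAN_CMD override; because the syslog is rewritten in place by the script, the threshold only counts drops since the last cleanup. Keep the LAN subnets in the Whitelist ipset as the script does: the private-range filter here is a second line of defence, not a replacement for it.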
  4. fryedchikin

    fryedchikin Occasional Visitor

    Joined:
    Apr 9, 2015
    Messages:
    27
    The Whitelist rule needs to come before the Blacklist rule, otherwise it's essentially useless. The intent of the Whitelist is to always allow access from those addresses, even if something should trigger them getting added to the Blacklist.
     
  5. Ebag333

    Ebag333 New Around Here

    Joined:
    Jan 2, 2016
    Messages:
    6
    And by "before" you really mean "after"? :)

    Makes sense. The original script had the cleanup done in reverse order of the insert.
     
  6. fryedchikin

    fryedchikin Occasional Visitor

    Joined:
    Apr 9, 2015
    Messages:
    27
    lol..yeah, I was thinking order of execution. "After" in the actual script would also be correct :)
     
  7. majeedun

    majeedun Occasional Visitor

    Joined:
    Oct 31, 2013
    Messages:
    17
    Can this be modified to be run on XVortex RMerlin for R7000? Can I just comment the lines about CFE backup and flash (since I didn't flash modified CFE and chose to stay on Netgear). I have a very stable working version 380.57 and I want to try this script. Thanks
     
  8. octopus

    octopus Very Senior Member

    Joined:
    Jul 17, 2012
    Messages:
    873
    Sorry, but the Netgear R7000 isn't supported by RMerlin's fork.
    Support here: http://www.linksysinfo.org/index.php?threads/asuswrt-merlin-on-netgear-r7000.71108/
    Supported devices are ASUS:
    * RT-N66U
    * RT-AC66U
    * RT-AC56U
    * RT-AC68U
    * RT-AC68P
    * RT-AC87U
    * RT-AC3200
    * RT-AC88U
    * RT-AC3100
    * RT-AC5300
     
  9. majeedun

    majeedun Occasional Visitor

    Joined:
    Oct 31, 2013
    Messages:
    17
  10. Ebag333

    Ebag333 New Around Here

    Joined:
    Jan 2, 2016
    Messages:
    6
    The script mostly uses ipset and iptables. Assuming you have a place for the script to live (like jffs), and a way to run it, there's no reason you couldn't come up with a way to do it. How much of an adaptation that'd be, I have no idea.
     
  11. Poopiepants

    Poopiepants Occasional Visitor

    Joined:
    Dec 4, 2015
    Messages:
    10
    Ebag333

    I copied your script and now it's working for me.
    I think the original script might be broken, perhaps after some updates to the router software?
    I will monitor and check to make sure the country and single bans are working properly.

    How do you check the logs to see what parts of the script are failing?
    The regular log button inside the router gui?

    Thanks for all your help!
     
  12. Ebag333

    Ebag333 New Around Here

    Joined:
    Jan 2, 2016
    Messages:
    6
    I don't know that the original script was broken, but I suspect a few parts didn't work quite right. Since it's a different version of iptables and ipset, it's hard to say.

    If you have ssh setup, you can run the script or individual commands manually. You may need to add some additional debug logging to the script, but any errors should kick out.
     
  13. Poopiepants

    Poopiepants Occasional Visitor

    Joined:
    Dec 4, 2015
    Messages:
    10
    After a night of testing it looks like there are still some issues.
    The singlebanip is not working properly.
    It's not banning IPs I add, but if I use the command ipset -A Blacklist 69.162.124.228 it states it's already there.
    It does say it added the IP but it still passes through the traffic.
    Telnet port (23) is being forwarded to my workstation.
    Could it be that it forwards port 23 first and doesn't bother blocking traffic?


    The one change, if I had the knowledge, would be to switch from ipdeny to ipblocklist for countries and other lists.
    Ipdeny seems to be missing a lot of ranges from China, and it would be nice to use other lists not specifically related to countries.
    Iblocklist has some really good pay lists that are only 10.00 a year, that are related to spam, bots, malware, exploits etc.

    I also use on my pc peerblock with Ipblocklist, so I see what countries are failing with ipdeny.

    Thanks for all your fine work, it has made my life easier.
     
  14. Ebag333

    Ebag333 New Around Here

    Joined:
    Jan 2, 2016
    Messages:
    6
    What is the exact command you're using? Banning a single IP works fine for me, I haven't messed with banning countries at all.

    What router are you using this on?

    Country bans will never be perfect. Lists will lag behind the actual changes, plus there are plenty of ways to mask what country you are coming from. I have no plans to use country bans personally.
     
  15. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    11,532
    Location:
    San Diego, CA
    The problem with scripts like this is they are reactive and static - and can't respond quickly to new threats unless someone is watching logs and updating the scripts for new hosts...

    Fail2Ban would be nice, but since it runs in Python, and as such, has a lot of overhead attached to it, isn't a good embedded option - however...

    sshguard looks interesting, as it's C based as a small binary, and despite its name, can support other ports and services - and plays well with iptables...

    http://www.sshguard.net
     
  16. peraburek

    peraburek Regular Contributor

    Joined:
    Mar 13, 2015
    Messages:
    146
    @sfx2000 your idea with sshguard is cool!

    does anybody know how Enable SSH Brute Force Protection actually works, blocking IP that has tried to logon 20 times in 20 minutes???
     
    Last edited: Jan 15, 2016
  17. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,211
    Location:
    UK
    I believe the Firewall code uses this statement for SSH Brute Force Protection to populate the iptables SSHBFP Chain:

    Code:
    fprintf(fp, "-A SSHBFP -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j %s\n", logdrop);
     
  18. Poopiepants

    Poopiepants Occasional Visitor

    Joined:
    Dec 4, 2015
    Messages:
    10
    To ban IPs I have used both
    sh firewall BANSINGLE
    then the IP address
    and it accepts the command and adds it to the list.

    I also manually tried:
    ipset -q -A Blacklist 123.123.123.123
    It tells me it is already in the blacklist.

    I still see traffic from that ip address coming through on the workstation that has port 23 forwarded to it.

    Thanks for the help.
     
  19. Poopiepants

    Poopiepants Occasional Visitor

    Joined:
    Dec 4, 2015
    Messages:
    10
    Peraburek

    Here is my nat-start script for brute force protection for telnet, you should be able to re-arrange it.


    Code:
    #!/bin/sh
    # Tag the syslog entry (the original called logger "firewall" "...", which logs both strings as one untagged message)
    logger -t firewall "Applying nat-start rules"
    # Dedicated chain in the nat table for the telnet forward
    iptables -t nat -N TELNETBFP
    # Record the source of every NEW telnet connection under the name TELNET
    iptables -t nat -A TELNETBFP -m recent --set --name TELNET --rsource
    # 5 or more NEW connections from the same source within 2 hours: return to VSERVER without forwarding
    # (any later VSERVER rule for port 23 would still apply, so make sure there is none)
    iptables -t nat -A TELNETBFP -m recent --update --seconds 7200 --hitcount 5 --name TELNET --rsource -j RETURN
    # Otherwise forward the connection to the workstation
    iptables -t nat -A TELNETBFP -p tcp --dport 23 -m state --state NEW -j DNAT --to-destination 192.168.1.57:23
    # Hook the chain in front of the firmware's own VSERVER port forwards on the WAN interface
    iptables -t nat -I VSERVER -i eth0 -p tcp --dport 23 -m state --state NEW -j TELNETBFP
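
Both Martineau's SSHBFP line and Poopiepants' TELNETBFP chain rely on the iptables recent match, and peraburek's question about how the brute-force protection actually counts attempts is answered by its --set / --update --seconds --hitcount semantics. The block below is an added example, not firmware code and not from either post: a small awk model of that match, fed constructed connection times rather than captured traffic. It assumes the SSHBFP chain has a --set rule ahead of the --update rule Martineau quoted (as the TELNETBFP script does), keeps every timestamp rather than the last 20 that xt_recent stores, and ignores --rttl and --reap. The function name bfp_simulate and the ALLOW/BLOCK labels are mine; BLOCK means the --update rule matched (logdrop for SSHBFP, RETURN without DNAT for TELNETBFP).

```sh
#!/bin/sh
# Added example: model of the iptables "recent" match as used by a pair of rules
#     -m recent --set    --name X --rsource
#     -m recent --update --seconds S --hitcount N --name X --rsource -j <action>
# This is a simulation, not the kernel code (xt_recent keeps only the last
# ip_pkt_list_tot timestamps per address, 20 by default; --rttl/--reap ignored).
#
# bfp_simulate SECONDS HITCOUNT
#   stdin:  one NEW connection per line as "<epoch-seconds> <source-ip>"
#   stdout: the same line followed by ALLOW, or BLOCK when --update would match
bfp_simulate() {
    awk -v window="$1" -v hits="$2" '
    {
        now = $1; src = $2
        # --set: record this packet for the source (creates the entry if new)
        n[src]++; stamp[src, n[src]] = now
        # --update --seconds --hitcount: count recorded packets from this
        # source inside the window, the current one included
        c = 0
        for (i = 1; i <= n[src]; i++)
            if (now - stamp[src, i] <= window) c++
        if (c >= hits) {
            # a match also refreshes the entry (that is what --update adds over
            # --rcheck), so a source that keeps hammering stays blocked
            n[src]++; stamp[src, n[src]] = now
            print now, src, "BLOCK"
        } else {
            print now, src, "ALLOW"
        }
    }'
}

# Stand-alone demo with the SSHBFP parameters (60 s, 4 hits); the attempt
# times are constructed. The 4th attempt in 60 s is refused, and the source is
# accepted again once its earlier attempts have aged out of the window.
printf '0 203.0.113.7\n10 203.0.113.7\n20 203.0.113.7\n30 203.0.113.7\n100 203.0.113.7\n5 198.51.100.9\n' \
    | bfp_simulate 60 4
```

For the TELNETBFP script the same model is `bfp_simulate 7200 5`; a hypothetical "20 tries in 20 minutes" policy would be `bfp_simulate 1200 20`. Note the two chains count NEW connections, not failed logins, so a client that opens many successful sessions quickly hits the same limit.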
     
  20. Poopiepants

    Poopiepants Occasional Visitor

    Joined:
    Dec 4, 2015
    Messages:
    10
    The IP ban seems to have just started working magically.
    I am not going to complain. :)
    Thanks for all the help!
     
