Dismiss Notice

Welcome To SNBForums

SNBForums is a community for anyone who wants to learn about or discuss the latest in wireless routers, network storage and the ins and outs of building and maintaining a small network.

If you'd like to post a question, simply register and have at it!

While you're at it, please check out SmallNetBuilder for product reviews and our famous Router Charts, Ranker and plenty more!

What blocking scripts to install?

Discussion in 'Asuswrt-Merlin' started by Henrik!, Jul 11, 2017.

  1. Henrik!

    Henrik! Occasional Visitor

    Joined:
    Jul 11, 2017
    Messages:
    22
    Location:
    Denmark
    Hi all

    I'm new to this firmware so forgive me if I'm asking stupid questions.
    I installed the 380.67 Beta3 firmware on my AC68U (Rev. A1) with no problems and all seems to work and good performance.

    I would like to install some of the blocking scripts, but do they overlap or should I just install them all ?
    Primarily I want to block outside and in (Bots and other probing attacks). Second blocking for ads and malicious sites inside and out.

    I have looked at these scripts:

    Skynet (Block. from inside or outside or both?)
    iblocklist-loader (Block. from inside or outside or both?)
    AB_Solution (Ad blocking from inside)
    ya-malware-block (Ad blocking from inside)

    Maybe I just need Skynet and AB_Solution ?

    I have a little problem finding out what actually to use, they all seem very good, but maybe they block the same things ?


    Best regards
    Henrik
     
  2. pattiri

    pattiri Regular Contributor

    Joined:
    Dec 27, 2016
    Messages:
    147
    Location:
    Istanbul, Turkey
    Henrik! likes this.
  3. thelonelycoder

    thelonelycoder Part of the Furniture

    Joined:
    Jan 23, 2014
    Messages:
    3,550
    Location:
    Switzerland
    AB-Solution is a pure ad-blocker. If you want that, this is the one.
    All other scripts you listed are firewall scripts, mainly to block malicious attempts from the outside.
    They all work well with AB, but don't install more than one firewall script.
     
    Henrik! likes this.
  4. Adamm

    Adamm Very Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    988
    AB-Solution does just as the name suggests, blocks ads from hosts files downloaded. It's a different category per say to the other scripts listed and the best (only?) public adblocking script for this firmware by far.

    Skynet blocks both inbound and outbound connections, it adds on to the routers built in firewall functionality (SSH BFD/SPI Firewall Banning), also sourcing from known malware lists, and user defined input (accepts domains/ips/ranges/countries/custom lists etc) with extended stat reporting and a bunch of other features. I'd consider it to be more of an all in one script.

    As the name suggests, it sources lists from iBlocklist and blocks all inbound connections.

    A minimalist malware IP blocking script which blocks inbound connections.


    Most of the malware scripts on this forum source from similar lists, the difference is the implementation and features.
     
    Henrik! likes this.
  5. Henrik!

    Henrik! Occasional Visitor

    Joined:
    Jul 11, 2017
    Messages:
    22
    Location:
    Denmark
    Thanks for the answers. They clear things up very much.
     
  6. elorimer

    elorimer Senior Member

    Joined:
    Dec 16, 2013
    Messages:
    335
    I use skynet and Ab-Solution. Work fine together.

    I would start with Ab-solution first, and see how it goes. You are likely to find that some of the sites regularly visited by your users will be blocked, and it is relatively easy to find out which ones and then whitelist them. It is also fairly easy to find out which ads are not being blocked by inspecting the elements of the page, and then blacklist them. I use the shootersw compilation of sources to block a good midpoint between not aggressive and too aggressive.

    Then, add skynet to the mix. I find this to be very aggressive, with lots of innocent IPs blocked. When I hear from someone that they can't reach a regular website, the skynet script is very efficient at figuring out if the domain is on an IP that is blocked. For some reason, for example, the official website of Notre Dame in Paris is blocked. So is my local town blog on Wordpress. But my log is still showing IPs banging on the door, so the first rule is not to allow ssh or telnet or webgui access from WAN.

    EDIT: And Grand Central Terminal in NY.
     
    Last edited: Jul 12, 2017
    Henrik! likes this.
  7. Henrik!

    Henrik! Occasional Visitor

    Joined:
    Jul 11, 2017
    Messages:
    22
    Location:
    Denmark
    Am now running with Skynet and AB-Solution :)
    Started with Skynet so had to unblock a "yoyo" site to allow AB-Solution to download a file before it would work.
    But works great so far :)

    Thanks for all the comments. Helped a lot.
     
  8. thelonelycoder

    thelonelycoder Part of the Furniture

    Joined:
    Jan 23, 2014
    Messages:
    3,550
    Location:
    Switzerland
    AB-Solution makes sure to whitelist their download domains if one of the firewall scripts is present.
    I would hope that these script writers do the same for AB. Some do but of course this only takes effect once the other script is installed.
     
  9. Adamm

    Adamm Very Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    988
    Skynet whitelists the yoyo server that's being refereed to every time the banmalware command is run, if you have a full list of other host files you download I'd be happy to add them too.
     
  10. thelonelycoder

    thelonelycoder Part of the Furniture

    Joined:
    Jan 23, 2014
    Messages:
    3,550
    Location:
    Switzerland
    At the moment, this is a temp file generated during the update of the blocking file and removed once it's done the job.
    But I could write it to a persistent path location, to be renewed once a week. Somewhere accessible for all scripts would be good so all can use it.
    /jffs/shared-AB-whitelist
    or something? One domain per line.
     
    Adamm likes this.
  11. Adamm

    Adamm Very Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    988
    That would be perfect, will add the changes on my end for whenever you push it.
     
  12. thelonelycoder

    thelonelycoder Part of the Furniture

    Joined:
    Jan 23, 2014
    Messages:
    3,550
    Location:
    Switzerland
    That will be with the release of AB-Solution 3.8.2 which is still in beta testing. So it will be a little while.

    So it's set then, I'll place and update weekly /jffs/shared-AB-whitelist for all other script writers to include as a whitelist.
    Please do not add or append to this file, make your own in the same format for me to use if you have a whitelist (domains only, one per line).
    Then let me know so I can include it in my script.

    This file could be included as such:
    Code:
    if [ -f "/jffs/shared-*-whitelist" ] ; then
    ....
    fi
    (code not tested, should work tough with the wildcard)
     
  13. Henrik!

    Henrik! Occasional Visitor

    Joined:
    Jul 11, 2017
    Messages:
    22
    Location:
    Denmark
    Yeah, I can see in your code that you whitelist 213.230.210.230, if ab-solution.sh is present. However I had setup Skynet first, and then ab-solution.sh was not present.
    So when I tried to install ab-solution the ip was still blocked, and had to unban it manually.

    So it's a matter of what is installed first.
     
  14. Adamm

    Adamm Very Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    988
    No worries, I've pushed the new code for whenever your update comes out of beta. Will remove the legacy code when it does.

    Code:
    Domain_Lookup () {
            nslookup "$1" | grep -woE '([0-9]{1,3}\.){3}[0-9]{1,3}' | awk 'NR>2'
    }
    
    
            if [ -f "/jffs/shared-AB-whitelist" ]; then
                while IFS= read -r domain; do
                    for ip in $(Domain_Lookup "$domain"); do
                        ipset -q -A Whitelist "$ip"
                        ipset -q -D Blacklist "$ip"
                    done
                done </jffs/shared-AB-whitelist
            fi
     
    thelonelycoder likes this.
  15. thelonelycoder

    thelonelycoder Part of the Furniture

    Joined:
    Jan 23, 2014
    Messages:
    3,550
    Location:
    Switzerland
  16. Henrik!

    Henrik! Occasional Visitor

    Joined:
    Jul 11, 2017
    Messages:
    22
    Location:
    Denmark
    Have you thought about when people install the different scripts in different order ?
    I have not looked at the other scripts code, but in Adamm's post he only whitelist if the shared-AB_whitelist is present.
    But if people install Ab-Solution AFTER Skynet then the ip's will still be blocked.
     
  17. thelonelycoder

    thelonelycoder Part of the Furniture

    Joined:
    Jan 23, 2014
    Messages:
    3,550
    Location:
    Switzerland
    It's a cat and mouse game. It will sort itself out once both are installed and both had their scheduled update.
    AB runs it's update once per week, others dayly or even more.
    I see no problem with that, since you can run all the scripts manually.
    In AB this is the u option that will do this once 3.8.2 is out.
     
  18. thelonelycoder

    thelonelycoder Part of the Furniture

    Joined:
    Jan 23, 2014
    Messages:
    3,550
    Location:
    Switzerland
    One afterthought, please only read uncommented lines, this way I can add an explanatory header to the file.
     
  19. Adamm

    Adamm Very Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    988
    Done.

    Code:
            if [ -f "/jffs/shared-AB-whitelist" ]; then
                grep -vF "#" /jffs/shared-AB-whitelist | while IFS= read -r domain; do
                    for ip in $(Domain_Lookup "$domain"); do
                        ipset -q -A Whitelist "$ip"
                        ipset -q -D Blacklist "$ip"
                    done
                done
            fi
     
    elorimer and thelonelycoder like this.
  20. elorimer

    elorimer Senior Member

    Joined:
    Dec 16, 2013
    Messages:
    335
    Adamm, while you are at it, in would be nice to have a link in root, the way ab-s does. So when I putty in I can do "sh firewall etc,etc" instead of sh /jffs/scripts/firewall etc etc.

    I've added it myself.
     

Share This Page