Yet another malware block script using ipset (v4 and v6)

[redhat27]

I do not know if your busybox wget was built with ssl support. If you can tell me how you'd typically use wget to download from an https:// url, I can put the fix in the script

 

[Adamm]

Asuswrt-Merlin has a full-fledged wget, it's not the cutdown busybox applet.

I compile it with an option to point it at the CA root file, which I also include in the firmware. That's why the firmware's built-in wget is able to deal with SSL certificates.

Just provide the fully-qualified path to wget, this way you'll know you're using the firmware's version and not any Entware build.

I ran into the same issue today with some of my users, point your wget calls to "/usr/sbin/wget"

 

[redhat27]

Is this busybox wget or entware wget? Please post the output of

which wget

 

[Sebastien Bougie]

I do not know if your busybox wget was built with ssl support. If you can tell me how you'd typically use wget to download from an https:// url, I can put the fix in the script

I never did before...

 

[redhat27]

@Adamm See this post and the next one a few days ago.

I believe @Sebastien Bougie is using a different setup with busybox wget and/or entware wget, not what we have on /usr/sbin

 

[Adamm]

@Adamm See this post and the next one a few days ago.

I believe @Sebastien Bougie is using a different setup with busybox wget and/or entware wget, not what we have on /usr/sbin

Sure, that's why you should replace all your wget commands with the full path to the routers default version as it has SSL support. That way anyone with an entware version etc will be forced to use it.

 

[redhat27]

Sure, that's why you should replace all your wget commands with the full path to the routers default version as it has SSL support. That way anyone with an entware version etc will be forced to use it.

I think you misunderstood me. I was saying that in this case, there is no /usr/sbin/wget (busybox wget is linked from /usr/bin)

asuswrt wget is not busybox: (for me and you, this is what we have for /usr/sbin/wget)

admin@RT-AC66R-D700:/jffs/scripts# wget -V
GNU Wget 1.16 built on linux-gnu.

+digest +https +ipv6 -iri +large-file -nls -ntlm -opie -psl +ssl/openssl

What @Sebastien Bougie is using is Busybox. See post #230

 

[redhat27]

@Sebastien Bougie What is your router model?

 

[Sebastien Bougie]

@Sebastien Bougie What is your router model?

Asus 3100

 

[redhat27]

@Sebastien Bougie I've uploaded a modified version of the script that uses curl instead of wget, can you give that a try and let me know?

 

[Sebastien Bougie]

@Sebastien Bougie I've uploaded a modified version of the script that uses curl instead of wget, can you give that a try and let me know?

Working!

 

[redhat27]

Just checking in: This thread's been quiet lately. Work kept me busy as well.

Does anyone have any issues with the new version 2.2?

It no longer uses wget, and uses curl. @HRearden does it work smoothly on tomato firmware?

Was the timing display (for terminal run) useful at all?

 

[NeoDragon]

I've been unable to make it work. Always displays:

/jffs/scripts/ya-malware-block.sh: Loaded sets YAMalwareBlock1IP (0) YAMalwareBlock2IP (0) and YAMalwareBlockCIDR (0) in 0 seconds.

The .whites and .url is also not created and missing, have to add them manually to the ipset_list folder.

/jffs/scripts/ya-malware-block.sh
/jffs/scripts/ya-malware-block.sh: Adding ya-malware-block rules to firewall...
>>> Downloading and aggregating malware sources (also processing whitelists).../jffs/scripts/ya-malware-block.sh: line 20: can't open /jffs/ipset_lists/ya-malware-block.urls: no such file
grep: /jffs/ipset_lists/ya-malware-block.whites: No such file or directory
 ~0s
>>> Adding data and processing rule for YAMalwareBlock1IP... ~0s
>>> Adding data and processing rule for YAMalwareBlockCIDR... ~0s
>>> Cleaning up... ~0s
/jffs/scripts/ya-malware-block.sh: Loaded sets YAMalwareBlock1IP (0) and YAMalwareBlockCIDR (0) in 1 seconds

 

[redhat27]

I've been unable to make it work

Can you re-download the script and re-try? The script had a bug several days ago (that was there for a few hours) Now sure if you downloaded the script then. If you just now downloaded the script and its not working, then I'd need to take action.

 

[skeal]

Works like a charm for me guys!!

 

[redhat27]

@skeal Just looked at your signature. Not sure where you got that "Country Block by sobored04" I think the idea orinally was implemented by @ryzhov_al back in March 22 2013. It has since been passed around by a few scripters and yours truly was the last maintainer of it.

Just an FYI

 

[skeal]

I will respectfully change my signature I didn't know thank you for your excellent work!

 

[skeal]

Changed.

 

[smunro622]

i guess i am late to the party here... i am looking thru all of this and i do not see how to set this up. I have a RT3200 running 380.66.4 and with AI Protection but want to take a step farther. I aslo run open dns for additional filtering. Can some one show mw the directions and i should be able to figure it out

 

[mikelees2]

i guess i am late to the party here... i am looking thru all of this and i do not see how to set this up. I have a RT3200 running 380.66.4 and with AI Protection but want to take a step farther. I aslo run open dns for additional filtering. Can some one show mw the directions and i should be able to figure it out

Just go to page 1 and follow the install instructions.