Menu
What's new
By:
Filters Better Search

Yet another malware block script using ipset (v4 and v6)

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

It is indeed very strange.

@Csection Can you tell me a bit how you are running the latest script? From the command prompt or at startup? Did the syslog give any clues what it was doing before the lock-up?

Also, can anybody else with ipset v6.x run the latest version and let me know if it locks up or runs okay?
 
redhat27 said:
It is indeed very strange.

@Csection Can you tell me a bit how you are running the latest script? From the command prompt or at startup? Did the syslog give any clues what it was doing before the lock-up?

Also, can anybody else with ipset v6.x run the latest version and let me know if it locks up or runs okay?
Click to expand...
I am running it from the command-line. I always try to test scripts before I put them into auto-run mode.
I cannot provide any log info cause the router locks up and has to be unplugged to restart it. Even SSH prompt is locked up.

When it reboots, it is set up to autorun ya-malware ver. 2.3 at startup which runs just fine.
 
Csection said:
I am running it from the command-line. I always try to test scripts before I put them into auto-run mode.
I cannot provide any log info cause the router locks up and has to be unplugged to restart it. Even SSH prompt is locked up.

When it reboots, it is set up to autorun ya-malware ver. 2.3 at startup which runs just fine.
Click to expand...
Something to do with whitelisting of LAN IPs maybe?
 
Jack Yaz said:
Something to do with whitelisting of LAN IPs maybe?
Click to expand...
Jack!
I can't tell what it's doing cause it locks up my SSH and I get locked out of everything till I reboot.
Broswer gives the "Cannot access 192.168.1.1" page.

That is why I don't implement a script until I test it first.
 
Csection said:
Jack!
I can't tell what it's doing cause it locks up my SSH and I get locked out of everything till I reboot.
Broswer gives the "Cannot access 192.168.1.1" page.

That is why I don't implement a script until I test it first.
Click to expand...
I more meant did you make sure the whitelist exists and covers your LAN IPs, I can't see any changes looking at commits that changed anything other than the output messages
 
Jack Yaz said:
I more meant did you make sure the whitelist exists and covers your LAN IPs, I can't see any changes looking at commits that changed anything other than the output messages
Click to expand...
Thanks again, Jack!
I'll check for the whitelist and let you know.
 
Csection said:
Thanks again, Jack!
I'll check for the whitelist and let you know.
Click to expand...
You got it, Jack!
I forgot to change the location of the black/white list.
I have it setup to use USB location.
I thought of it when I was setting it up, but I forgot to change it.
Thanks, as usual!
 
Thank @Jack Yaz for honing in on the problem.

@Csection I'm curious: Do you not have /jffs at all? Because if you did, the script should have downloaded the default whitelist file in /jffs/ipset_lists/ya-malware-block.whites
 
I have all 4 level enabled and everything is running fine!!!!
 
redhat27 said:
Thank @Jack Yaz for honing in on the problem.

@Csection I'm curious: Do you not have /jffs at all? Because if you did, the script should have downloaded the default whitelist file in /jffs/ipset_lists/ya-malware-block.whites
Click to expand...
Yes!
I have jffs, but I have the script coded to use my USB stick and it could not locate the "White list" as Jack stated, so it banned all my local ip's. I initially forgot to point at the USB.It may have been trying to create new ones in /jffs, but it locked up before it finished somehow and locked me up.
That is all I can say cause I was not able to get any logs after running it.
Thank you for the reply!
 
Thanks for the update @redhat27. Updated scripts works good on my end. I installed on one of my routers. First with level 1 to 3 enabled. Then, followed by level 4.

Code: 
./ya-malware-block.sh: Adding ya-malware-block rules to firewall...
>>> Downloading and aggregating malware sources (also processing whitelists)...[128118/118441/9677] ~13s
>>> Adding data and processing rule for YAMalwareBlock1IP... ~4s
>>> Adding data and processing rule for YAMalwareBlock2IP... ~3s
>>> Adding data and processing rule for YAMalwareBlockCIDR... ~0s
>>> Cleaning up... ~0s
./ya-malware-block.sh: Loaded sets YAMalwareBlock1IP (65535) YAMalwareBlock2IP (52906) and YAMalwareBlockCIDR (9677) in 20 seconds

Code: 
./ya-malware-block.sh: Adding ya-malware-block rules to firewall...
>>> Downloading and aggregating malware sources (also processing whitelists)...[223365/211132/12233] ~18s
>>> Adding data and processing rule for YAMalwareBlock1IP... ~4s
>>> Adding data and processing rule for YAMalwareBlock2IP... ~4s
>>> Adding data and processing rule for YAMalwareBlock3IP... ~4s
>>> Adding data and processing rule for YAMalwareBlock4IP... ~1s
>>> Adding data and processing rule for YAMalwareBlockCIDR... ~1s
>>> Cleaning up... ~0s
./ya-malware-block.sh: Loaded sets YAMalwareBlock1IP (65535) YAMalwareBlock2IP (65535) YAMalwareBlock3IP (65535) YAMalwareBlock4IP (14527) and YAMalwareBlockCIDR (12233) in 32 seconds

I will install on the other two routers later today.
 
I think my noob stupidity has it all working now. I uncommented the level #url and it looks like that everything is there. Is there a place or way to confirm the rules are add/active?
 
johnathonm said:
I think my noob stupidity has it all working now. I uncommented the level #url and it looks like that everything is there. Is there a place or way to confirm the rules are add/active?
Click to expand...
Put this in /jffs/configs/profile.add

Code: 
alias blockstats='iptables -vL | sed "2q;d"; (iptables -vL -t raw; iptables -vL) | grep "match-set"; ip6tables -vL | grep "match-set"'
Change permission to be executable e.g. chmod 755 profile.add

It will run when you start SSH session. Then, enter the command blockstats. You can see the pkts dropped.

Code: 
 pkts bytes target     prot opt in     out     source               destination
    1    40 DROP       all  --  any    any     anywhere             anywhere             match-set YAMalwareBlock4IP src
 3011  156K DROP       all  --  any    any     anywhere             anywhere             match-set YAMalwareBlockCIDR src
  114  6000 DROP       all  --  any    any     anywhere             anywhere             match-set YAMalwareBlock3IP src
 1391 91790 DROP       all  --  any    any     anywhere             anywhere             match-set YAMalwareBlock2IP src
 2690  161K DROP       all  --  any    any     anywhere             anywhere             match-set YAMalwareBlock1IP src
 
Last edited:
Ok, did that, it's telling me "blockstats" is not found.
 
I am running Merlin's latest Beta, fyi. Factory reset and all that jazz... anything you'd like me to try?
 
johnathonm said:
I am running Merlin's latest Beta, fyi. Factory reset and all that jazz... anything you'd like me to try?
Click to expand...
Sorry. It may require a reboot for the items in profile.add to take affect. You can try running it on the command line by being in the /jffs/configs directory, then typing ./profile.add

But it should be a shell only script per the wiki
https://github.com/RMerl/asuswrt-merlin/wiki/Custom-config-files. Double check it is executable as well.

Mine does not have the #!/bin/sh on the first line like I do with other scripts.
 
Last edited:
Xentrk said:
Sorry. It may require a reboot for the items in profile.add to take affect. You can try running it on the command line by being in the /jffs/configs directory, then typing ./profile.add

But it should be a shell only script per the wiki
https://github.com/RMerl/asuswrt-merlin/wiki/Custom-config-files. Double check it is executable as well.
Click to expand...

Working on getting an EXT4 drive put together now. I thank you for your help and patience with me. I really do appreciate it and am learning quite a bit.
 
You must log in or register to reply here.

Similar threads

A
Helt needed with the yet another antimalware script for the Asus wrt.
Replies
4
Views
517
amnesia
A
MON@H Rasta
Tutorial Using TOR to unblock sites blocked by ISP on [Fork] Asuswrt-Merlin 374 LTS
Replies
14
Views
4K
Vas99
V
mkaand
Tutorial [TUTORIAL] Domain (Policy) based routing with ipset and dnsmaq
Replies
4
Views
4K
mkaand
mkaand
P
IPSET rule keeps disappearing on AC68U
Replies
4
Views
780
peraburek
P
Diamond67
Problem with USB Flash Drive containing Swap File and Entware, no Swap File found after cold boot
2
Replies
25
Views
4K
Diamond67
Diamond67
Similar threads
Thread starter Title Forum Replies Date
D Yet another question about VLANs (any HowTo recommended?) Asuswrt-Merlin 24
S Transfer files to another device (raspi) in the same network Asuswrt-Merlin 3
M Allow admin web GUI access on another interface (tailscale0) Asuswrt-Merlin 0
S Another DNS Director clarification Asuswrt-Merlin 1
Smokindog Might be ready to give AiMesh another look Asuswrt-Merlin 8
D Connecting to internet via another router Asuswrt-Merlin 10
Swistheater Malware /jffs/updater script. Asuswrt-Merlin 167

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 572 (members: 9, guests: 563)
Top