Yet another malware block script using ipset (v4 and v6)

Discussion in 'Asuswrt-Merlin' started by redhat27, May 4, 2017.

  1. redhat27

    redhat27 Senior Member

    Joined:
    Jul 29, 2016
    Messages:
    478
    It is indeed very strange.

    @Csection Can you tell me a bit how you are running the latest script? From the command prompt or at startup? Did the syslog give any clues what it was doing before the lock-up?

    Also, can anybody else with ipset v6.x run the latest version and let me know if it locks up or runs okay?
     
  2. Csection

    Csection Senior Member

    Joined:
    Oct 20, 2016
    Messages:
    304
    I am running it from the command-line. I always try to test scripts before I put them into auto-run mode.
    I cannot provide any log info cause the router locks up and has to be unplugged to restart it. Even SSH prompt is locked up.

    When it reboots, it is set up to autorun ya-malware ver. 2.3 at startup which runs just fine.
     
  3. Jack Yaz

    Jack Yaz Very Senior Member

    Joined:
    Apr 20, 2017
    Messages:
    562
    Something to do with whitelisting of LAN IPs maybe?
     
    Csection likes this.
  4. Csection

    Csection Senior Member

    Joined:
    Oct 20, 2016
    Messages:
    304
    Jack!
    I can't tell what it's doing cause it locks up my SSH and I get locked out of everything till I reboot.
    Browser gives the "Cannot access 192.168.1.1" page.

    That is why I don't implement a script until I test it first.
     
  5. Jack Yaz

    Jack Yaz Very Senior Member

    Joined:
    Apr 20, 2017
    Messages:
    562
    I more meant: did you make sure the whitelist exists and covers your LAN IPs? I can't see any changes looking at commits that changed anything other than the output messages.
     
  6. Csection

    Csection Senior Member

    Joined:
    Oct 20, 2016
    Messages:
    304
    Thanks again, Jack!
    I'll check for the whitelist and let you know.
     
  7. Csection

    Csection Senior Member

    Joined:
    Oct 20, 2016
    Messages:
    304
    You got it, Jack!
    I forgot to change the location of the black/white list.
    I have it set up to use USB location.
    I thought of it when I was setting it up, but I forgot to change it.
    Thanks, as usual!
     
    Jack Yaz likes this.
  8. redhat27

    redhat27 Senior Member

    Joined:
    Jul 29, 2016
    Messages:
    478
    Thanks @Jack Yaz for homing in on the problem.

    @Csection I'm curious: Do you not have /jffs at all? Because if you did, the script should have downloaded the default whitelist file in /jffs/ipset_lists/ya-malware-block.whites
     
  9. shooter40sw

    shooter40sw Senior Member

    Joined:
    Mar 3, 2013
    Messages:
    271
    It's working great for me
     
    redhat27 likes this.
  10. skeal

    skeal Senior Member

    Joined:
    Apr 30, 2016
    Messages:
    284
    Location:
    Moose Jaw Saskatchewan Canada
    I have all 4 levels enabled and everything is running fine!!!!
     
    redhat27 likes this.
  11. Csection

    Csection Senior Member

    Joined:
    Oct 20, 2016
    Messages:
    304
    Yes!
    I have jffs, but I have the script coded to use my USB stick and it could not locate the "White list" as Jack stated, so it banned all my local IPs. I initially forgot to point at the USB. It may have been trying to create new ones in /jffs, but it locked up before it finished somehow and locked me up.
    That is all I can say cause I was not able to get any logs after running it.
    Thank you for the reply!
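
The failure described in the posts above (block sets loaded while the whitelist could not be found, so LAN addresses were dropped) can be caught before any rule is added. This is an added example, not code from ya-malware-block.sh or from any poster; the function names are hypothetical and the whitelist format (one IPv4 address or CIDR per line, `#` comments) is an assumption.

```shell
# Pre-flight check: refuse to load block sets unless the whitelist file
# exists and covers the router's LAN address.
ip2int() {                                   # dotted quad -> 32-bit integer
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

in_cidr() {                                  # 0 if address $1 is inside $2
    net=${2%/*}
    case $2 in */*) bits=${2#*/} ;; *) bits=32 ;; esac
    case $bits in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -eq 0 ] && return 0
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# whitelist_covers FILE IP -> 0 covered, 1 not covered, 2 file missing/empty
whitelist_covers() {
    [ -s "$1" ] || return 2
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                    # strip comments
        entry=$(echo "$entry" | tr -d ' \t\r')
        case $entry in
            ''|*[!0-9./]*) continue ;;       # blank or not IPv4 text
            [0-9]*.[0-9]*.[0-9]*.[0-9]*) ;;  # looks like a.b.c.d[/n]
            *) continue ;;
        esac
        in_cidr "$2" "$entry" && return 0
    done < "$1"
    return 1
}

# Demo on a constructed whitelist (the real file location is site-specific).
wl=$(mktemp)
printf '%s\n' '# constructed sample' '192.168.1.0/24  # LAN' > "$wl"
for ip in 192.168.1.1 192.168.2.1; do
    if whitelist_covers "$wl" "$ip"; then
        echo "$ip covered"
    else
        echo "$ip NOT covered: do not load block sets"
    fi
done
rm -f "$wl"
```
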
     
  12. Xentrk

    Xentrk Very Senior Member

    Joined:
    Jul 21, 2016
    Messages:
    872
    Location:
    Chiang Mai, Thailand
    Thanks for the update @redhat27. Updated script works good on my end. I installed on one of my routers. First with level 1 to 3 enabled. Then, followed by level 4.

    Code:
    ./ya-malware-block.sh: Adding ya-malware-block rules to firewall...
    >>> Downloading and aggregating malware sources (also processing whitelists)...[128118/118441/9677] ~13s
    >>> Adding data and processing rule for YAMalwareBlock1IP... ~4s
    >>> Adding data and processing rule for YAMalwareBlock2IP... ~3s
    >>> Adding data and processing rule for YAMalwareBlockCIDR... ~0s
    >>> Cleaning up... ~0s
    ./ya-malware-block.sh: Loaded sets YAMalwareBlock1IP (65535) YAMalwareBlock2IP (52906) and YAMalwareBlockCIDR (9677) in 20 seconds
    
    Code:
    ./ya-malware-block.sh: Adding ya-malware-block rules to firewall...
    >>> Downloading and aggregating malware sources (also processing whitelists)...[223365/211132/12233] ~18s
    >>> Adding data and processing rule for YAMalwareBlock1IP... ~4s
    >>> Adding data and processing rule for YAMalwareBlock2IP... ~4s
    >>> Adding data and processing rule for YAMalwareBlock3IP... ~4s
    >>> Adding data and processing rule for YAMalwareBlock4IP... ~1s
    >>> Adding data and processing rule for YAMalwareBlockCIDR... ~1s
    >>> Cleaning up... ~0s
    ./ya-malware-block.sh: Loaded sets YAMalwareBlock1IP (65535) YAMalwareBlock2IP (65535) YAMalwareBlock3IP (65535) YAMalwareBlock4IP (14527) and YAMalwareBlockCIDR (12233) in 32 seconds
    
    I will install on the other two routers later today.
     
    redhat27 likes this.
  13. Jack Yaz

    Jack Yaz Very Senior Member

    Joined:
    Apr 20, 2017
    Messages:
    562
    No problem, I do tech support and development for a living, so I'm prepared!
     
    redhat27 likes this.
  14. johnathonm

    johnathonm Occasional Visitor

    Joined:
    Aug 1, 2014
    Messages:
    45
    I think my noob stupidity has it all working now. I uncommented the level #url and it looks like everything is there. Is there a place or way to confirm the rules are added/active?
     
  15. Csection

    Csection Senior Member

    Joined:
    Oct 20, 2016
    Messages:
    304
    I just wanted to give credit where credit is due!
    You and Xentrk have been a big help to me in the past.
     
  16. Xentrk

    Xentrk Very Senior Member

    Joined:
    Jul 21, 2016
    Messages:
    872
    Location:
    Chiang Mai, Thailand
    Put this in /jffs/configs/profile.add

    Code:
    alias blockstats='iptables -vL | sed "2q;d"; (iptables -vL -t raw; iptables -vL) | grep "match-set"; ip6tables -vL | grep "match-set"'
    
    Change permission to be executable e.g. chmod 755 profile.add

    It will run when you start SSH session. Then, enter the command blockstats. You can see the pkts dropped.

    Code:
     pkts bytes target     prot opt in     out     source               destination
        1    40 DROP       all  --  any    any     anywhere             anywhere             match-set YAMalwareBlock4IP src
     3011  156K DROP       all  --  any    any     anywhere             anywhere             match-set YAMalwareBlockCIDR src
      114  6000 DROP       all  --  any    any     anywhere             anywhere             match-set YAMalwareBlock3IP src
     1391 91790 DROP       all  --  any    any     anywhere             anywhere             match-set YAMalwareBlock2IP src
     2690  161K DROP       all  --  any    any     anywhere             anywhere             match-set YAMalwareBlock1IP src
    
     
    Last edited: Jul 9, 2017
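
To turn the counter listing in the post above into a yes/no answer to "are the rules active?", the output can be checked against the set names that are expected to be loaded. This is an added example, not part of the original post or of ya-malware-block.sh; `check_block_rules` is a hypothetical name, and the sample input is the listing shown in the post.

```shell
# Reads `iptables -vL` style output on stdin; arguments are the ipset names
# that should each have a DROP rule. Prints total packets dropped by those
# rules and any expected set with no rule.
check_block_rules() {
    awk -v want="$*" '
        function expand(n) {        # iptables -v abbreviates with K, M, G (x1000)
            if (n ~ /K$/) return (n + 0) * 1000
            if (n ~ /M$/) return (n + 0) * 1000000
            if (n ~ /G$/) return (n + 0) * 1000000000
            return n + 0
        }
        $3 == "DROP" {
            for (i = 4; i < NF; i++)
                if ($i == "match-set") { seen[$(i + 1)] = 1; total += expand($1) }
        }
        END {
            n = split(want, names, " ")
            for (i = 1; i <= n; i++)
                if (!(names[i] in seen)) missing = missing " " names[i]
            printf "dropped=%d missing=%s\n", total, (missing == "" ? "none" : substr(missing, 2))
        }'
}

# Demo on the listing from the post above.
check_block_rules YAMalwareBlock1IP YAMalwareBlock2IP YAMalwareBlock3IP \
                  YAMalwareBlock4IP YAMalwareBlockCIDR <<'EOF'
 pkts bytes target     prot opt in     out     source               destination
    1    40 DROP       all  --  any    any     anywhere             anywhere             match-set YAMalwareBlock4IP src
 3011  156K DROP       all  --  any    any     anywhere             anywhere             match-set YAMalwareBlockCIDR src
  114  6000 DROP       all  --  any    any     anywhere             anywhere             match-set YAMalwareBlock3IP src
 1391 91790 DROP       all  --  any    any     anywhere             anywhere             match-set YAMalwareBlock2IP src
 2690  161K DROP       all  --  any    any     anywhere             anywhere             match-set YAMalwareBlock1IP src
EOF
```

On the router, the same function can be fed live output, for example `(iptables -vL -t raw; iptables -vL) | check_block_rules ...`, mirroring the alias in the post.
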
  17. johnathonm

    johnathonm Occasional Visitor

    Joined:
    Aug 1, 2014
    Messages:
    45
    Ok, did that, it's telling me "blockstats" is not found.
     
  18. johnathonm

    johnathonm Occasional Visitor

    Joined:
    Aug 1, 2014
    Messages:
    45
    I am running Merlin's latest Beta, fyi. Factory reset and all that jazz... anything you'd like me to try?
     
  19. Xentrk

    Xentrk Very Senior Member

    Joined:
    Jul 21, 2016
    Messages:
    872
    Location:
    Chiang Mai, Thailand
    Sorry. It may require a reboot for the items in profile.add to take effect. You can try running it on the command line by being in the /jffs/configs directory, then typing ./profile.add

    But it should be a shell only script per the wiki
    https://github.com/RMerl/asuswrt-merlin/wiki/Custom-config-files. Double check it is executable as well.

    Mine does not have the #!/bin/sh on the first line like I do with other scripts.
     
    Last edited: Jul 9, 2017
    johnathonm likes this.
  20. johnathonm

    johnathonm Occasional Visitor

    Joined:
    Aug 1, 2014
    Messages:
    45
    Working on getting an EXT4 drive put together now. I thank you for your help and patience with me. I really do appreciate it and am learning quite a bit.
     
