
Yet another malware block script using ipset (v4 and v6)

Discussion in 'Asuswrt-Merlin' started by redhat27, May 4, 2017.

  1. thelonelycoder

    thelonelycoder Part of the Furniture

    Joined:
    Jan 23, 2014
    Messages:
    2,754
    Location:
    In the heart of Switzerland
    Scripts in the /jffs/configs/ folder don't need to be set as executable nor do they need a shebang (just to make this clear).
    They just add to the config files and are not scripts that run commands.
    This is different for the /jffs/scripts/ folder where you place scripts that run either their own code or add/replace by way of shell commands.
    Don't confuse users.
     
  2. johnathonm

    johnathonm Occasional Visitor

    Joined:
    Aug 1, 2014
    Messages:
    36
    Sweet... that worked for changing the cache-size. Can I give you a hug now?
     
  3. Xentrk

    Xentrk Very Senior Member

    Joined:
    Jul 21, 2016
    Messages:
    775
    Location:
    Chiang Mai, Thailand
    Thanks for clarifying. It was many moons ago I had last touched this file or did anything with it.

    I reread the wiki (made more sense with the second pass) and see including an example of profile.add would be helpful. I will see what I can do to motivate myself to make it happen.:rolleyes:
     
    Last edited: Jul 9, 2017
    thelonelycoder likes this.
  4. skeal

    skeal Senior Member

    Joined:
    Apr 30, 2016
    Messages:
    263
    Location:
    Moose Jaw Saskatchewan Canada
    @redhat27 Can you tell me simply if you can exempt a single ip address on your network from ya-malware-block protection? Sort of like dmz.
     
  5. redhat27

    redhat27 Senior Member

    Joined:
    Jul 29, 2016
    Messages:
    469
    I don't know of a straightforward way. Have you actually tried putting that IP in DMZ? Others can chime in if they know.
    I would question why you'd want to do this... Is it one particular device getting blocked all too often? It's easy to whitelist...
     
  6. skeal

    skeal Senior Member

    Joined:
    Apr 30, 2016
    Messages:
    263
    Location:
    Moose Jaw Saskatchewan Canada
    Thanks! I have a Linux media box I would like to get more use of. Seems a lot of my stream sources may be blocked; I was hoping to test. However, when I connect the box to my cell phone hot spot, boom, everything works like it should..... do you follow me?

    I'm willing to accept the fact that I'm better off with the protection I'm just trying to figure this out.
     
  7. redhat27

    redhat27 Senior Member

    Joined:
    Jul 29, 2016
    Messages:
    469
    This is what I use to whitelist... I ping the blocked source (let's say xyz.com/whatever is blocked). I'll ping xyz.com and get the IP (there will be no responses as it's blocked; just knowing the IP is good enough to unblock). Just append that IP to /jffs/ipset_lists/ya-malware-block.whites and re-run the ya-malware-block.sh script. It should be unblocked immediately after that.
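    A small helper for the whitelisting step described above, added here as an example; it is not part of redhat27's ya-malware-block.sh. The whitelist path is the one named in the post; the function names, the address check, and the sample addresses in the comments are this example's own. It takes the IP you already obtained (from ping, as the post says), refuses anything that is not an IP literal so a hostname never lands in the ipset by mistake, and appends only if the address is not listed yet, so re-running it is harmless.

```shell
#!/bin/sh
# Added example (not part of the ya-malware-block script): idempotent append to
# the whitelist file used by ya-malware-block.sh. Re-run the script afterwards
# to have the ipset refreshed, as the post describes.

# Default path from the thread; override with YMB_WHITES=/some/other/file.
YMB_WHITES="${YMB_WHITES:-/jffs/ipset_lists/ya-malware-block.whites}"

# Return 0 if $1 looks like an IPv4 dotted quad (each octet 0-255) or an IPv6
# literal (hex groups and colons). Hostnames and malformed quads are rejected.
ymb_valid_ip() {
    ip="$1"
    if printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        for octet in $(printf '%s\n' "$ip" | tr '.' ' '); do
            [ "$octet" -le 255 ] || return 1
        done
        return 0
    fi
    # IPv6: only hex digits and colons, and at least one colon present.
    printf '%s\n' "$ip" | grep -Eq '^[0-9A-Fa-f:]*:[0-9A-Fa-f:]*$'
}

# Append $1 to whitelist file $2 (default: YMB_WHITES) unless already listed.
# Returns 0 when the address is present afterwards, 1 if it was not an IP.
ymb_whitelist_ip() {
    ip="$1"
    file="${2:-$YMB_WHITES}"
    if ! ymb_valid_ip "$ip"; then
        echo "refusing to add '$ip': not an IP literal (ping it and use the address)" >&2
        return 1
    fi
    touch "$file"
    # -x: whole-line match, -F: literal, so 192.0.2.1 does not match 192.0.2.10
    if grep -qxF "$ip" "$file"; then
        echo "$ip already whitelisted in $file"
    else
        printf '%s\n' "$ip" >> "$file"
        echo "added $ip to $file"
    fi
    return 0
}

# Number of whitelist entries, ignoring blank lines and # comments.
ymb_whitelist_count() {
    grep -cvE '^[[:space:]]*(#|$)' "${1:-$YMB_WHITES}" || true
}

# Constructed usage (documentation-range addresses, not real hosts):
#   ymb_whitelist_ip 192.0.2.10
#   ymb_whitelist_ip 2001:db8::1
#   ymb_whitelist_ip xyz.com      # rejected: resolve it first
```

    After the append, re-run ya-malware-block.sh so the whitelist set is rebuilt; the helper deliberately does not call it, since the script's location and invocation are the reader's own setup.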
     
  8. skeal

    skeal Senior Member

    Joined:
    Apr 30, 2016
    Messages:
    263
    Location:
    Moose Jaw Saskatchewan Canada
    Speaking about the router, where is a good place to find, or what is a good way to check for, connections made and refused by the router? Sys log shows nothing, but would dropped packet logging or inbound packet dropping shed some light on the needed info to unblock??
     
  9. redhat27

    redhat27 Senior Member

    Joined:
    Jul 29, 2016
    Messages:
    469
    You can enable firewall logging of DROPped packets. In addition you need to change the ya-malware-block.sh script in two places (search for the text DROP and replace it with logdrop). Reboot to take effect. Be aware that it will add volume to the syslog where each packet dropped will be logged.
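    The edit redhat27 describes, done on a copy of the script with a backup and a count of what changed, as an added example that is not part of ya-malware-block.sh. The function names and the three-line stand-in for the script are this example's own (the rule lines are constructed; only the set names come from the log line posted later in the thread). It also refuses to run twice, and has an inverse for when the syslog volume becomes a nuisance.

```shell
#!/bin/sh
# Added example, not part of redhat27's script: flip the block rules in
# ya-malware-block.sh from a silent DROP to the logdrop chain so dropped
# packets reach syslog, then flip them back when debugging is over.

# Replace every "-j DROP" jump in script $1 with "-j logdrop".
# Prints how many lines changed; returns 1 if there was nothing to change
# (already converted, or not the expected script) so a caller notices.
ymb_enable_logdrop() {
    script="$1"
    before=$(grep -c -- '-j DROP' "$script" || true)
    if [ "$before" -eq 0 ]; then
        echo "no '-j DROP' rules in $script (already logdrop?)" >&2
        return 1
    fi
    cp "$script" "$script.bak"            # keep the untouched version
    sed 's/-j DROP/-j logdrop/g' "$script" > "$script.tmp" \
        && mv "$script.tmp" "$script"
    echo "$before"
}

# Inverse: restore the silent DROP. Uses sed rather than the .bak so any
# other edits made to the script in the meantime are kept.
ymb_disable_logdrop() {
    script="$1"
    n=$(grep -c -- '-j logdrop' "$script" || true)
    sed 's/-j logdrop/-j DROP/g' "$script" > "$script.tmp" \
        && mv "$script.tmp" "$script"
    echo "$n"
}

# Constructed stand-in for the real script (two block rules, one unrelated
# rule) so the functions can be tried offline; prints the temp file path.
ymb_sample_script() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
iptables -I INPUT -m set --match-set YAMalwareBlock1IP src -j DROP
iptables -I FORWARD -m set --match-set YAMalwareBlockCIDR dst -j DROP
iptables -I INPUT -i lo -j ACCEPT
EOF
    echo "$f"
}
```

    As the post says, the change takes effect after a reboot (or after the script is re-run, since it is the script that installs the rules), and every dropped packet then produces a syslog line, so switch back with the inverse once you have the address you were looking for.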
     
  10. skeal

    skeal Senior Member

    Joined:
    Apr 30, 2016
    Messages:
    263
    Location:
    Moose Jaw Saskatchewan Canada
    Thank you, exactly what I need. I can engage to track and then disable. Thank you again!!!!
     
  11. Xentrk

    Xentrk Very Senior Member

    Joined:
    Jul 21, 2016
    Messages:
    775
    Location:
    Chiang Mai, Thailand
    skeal likes this.
  12. skeal

    skeal Senior Member

    Joined:
    Apr 30, 2016
    Messages:
    263
    Location:
    Moose Jaw Saskatchewan Canada
  13. Xentrk

    Xentrk Very Senior Member

    Joined:
    Jul 21, 2016
    Messages:
    775
    Location:
    Chiang Mai, Thailand
    Yep, I had to do the same thing last night. I tried to access GitHub.com and got a blank page. I used MatchIP to find out where it was blocked. I recently expanded ya-malware-filter to include the fourth list. That is what did it.
     
  14. Builder71

    Builder71 Senior Member

    Joined:
    Oct 14, 2012
    Messages:
    433
    Location:
    The Netherlands
    Installed.
    Much appreciated!

    Code:
    Jul 26 21:32:44 Firewall: ya-malware-block.sh: Loaded sets YAMalwareBlock1IP (65535) YAMalwareBlock2IP (36671) and YAMalwareBlockCIDR (6156) in 36 seconds
    
     
  15. skeal

    skeal Senior Member

    Joined:
    Apr 30, 2016
    Messages:
    263
    Location:
    Moose Jaw Saskatchewan Canada
  16. Jack Yaz

    Jack Yaz Senior Member

    Joined:
    Apr 20, 2017
    Messages:
    362
    Pretty sure it was @redhat27
     
  17. skeal

    skeal Senior Member

    Joined:
    Apr 30, 2016
    Messages:
    263
    Location:
    Moose Jaw Saskatchewan Canada
    Thanks I want to give credit to his work on my signature! Thanks again my learned colleagues!!
     
  18. redhat27

    redhat27 Senior Member

    Joined:
    Jul 29, 2016
    Messages:
    469
    And thank you for that nice write-up! :) @VZ3 just posted a way to make it better (no entware needed)
     
  19. Jack Yaz

    Jack Yaz Senior Member

    Joined:
    Apr 20, 2017
    Messages:
    362
    Oh yeah, I forgot I put it on the wiki lol. I'll update it with @VZ3's improvement, unless it's already done by the time I get to it later!
     
    redhat27 likes this.
  20. VZ3

    VZ3 Occasional Visitor

    Joined:
    Nov 4, 2016
    Messages:
    35
    After using this script for a bit longer than a day - I feel lonely...

    No more script-kiddies from all over the world trying to brute-force me :). Before it was like 10 - 30 different IPs.

    Looks like quality of block lists by FireHOL is really good. So far I have no false positives (using default levels 1, 2 and 3). And thanks to redhat27 for bringing this goodness to us.

    From my point of view this way of blocking pesky IPs is better and more flexible than geofencing entire countries.

    Peace and tranquility! :).
     
    redhat27 likes this.
