
Yet another malware block script using ipset (v4 and v6)

Discussion in 'Asuswrt-Merlin' started by redhat27, May 4, 2017.

  1. VZ3

    VZ3 Occasional Visitor

    Update:

    Found false positives which is pretty important for households with a Nintendo Switch and kids. It's a block of IPs somehow connected with Nintendo's parental control. If you care you should add it into /jffs/ipset_lists/ya-malware-block.whites.

    216.239.32.21
    216.239.34.21
    216.239.36.21
    216.239.38.21

    or use grep regex for all 4 IPs like this:

    ^216\.239\.3[2468]\.21
     
  2. redhat27

    redhat27 Senior Member

    Added a commit to include the regex. Will affect those who will install the script new or delete their existing ya-malware-block.whites file.
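
    An added example (not code from the script or from anyone in this thread) showing how a whitelist of grep patterns like the one above filters an aggregated IP list, assuming the script applies the whitelist with grep -v -E -f (that is an assumption about the script); it also shows why the pattern should carry an end anchor, which the posted version lacks.

```sh
#!/bin/sh
# Added example, not part of ya-malware-block.sh. Assumes the whitelist file is
# applied to the aggregated list with `grep -v -E -f` (an assumption about the script).

# Constructed sample of an aggregated blocklist, one entry per line. The fifth
# entry is a near-miss of the Nintendo addresses that should stay blocked.
SAMPLE_LIST='216.239.32.21
216.239.34.21
216.239.36.21
216.239.38.21
216.239.32.210
216.239.33.21
203.0.113.9'

# Writes a one-pattern whitelist file to a temp path and prints that path.
make_whites() {
  f=$(mktemp)
  printf '%s\n' "$1" > "$f"
  echo "$f"
}

# Filters stdin through the whitelist file $1, printing entries that stay blocked.
apply_whitelist() {
  grep -v -E -f "$1"
}

# Number of SAMPLE_LIST entries left after applying whitelist file $1.
count_after_whitelist() {
  printf '%s\n' "$SAMPLE_LIST" | apply_whitelist "$1" | wc -l | tr -d ' '
}

# The pattern as posted has no end anchor, so it also whitelists 216.239.32.210;
# the anchored form removes only the four intended addresses. A plain IP line is
# a regex too (its dots match any character), so anchoring it is equally cheap.
unanchored=$(make_whites '^216\.239\.3[2468]\.21')
anchored=$(make_whites '^216\.239\.3[2468]\.21$')
echo "unanchored pattern leaves $(count_after_whitelist "$unanchored") entries"   # 2
echo "anchored pattern leaves $(count_after_whitelist "$anchored") entries"       # 3
```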
     
  3. smunro622

    smunro622 New Around Here

    After reading through 20 pages, I am guessing if I see this I did it correctly....

    wget --no-check-certificate -O /jffs/scripts/ya-malware-block.sh https://raw.githubusercontent.com/shounak-de/misc-scripts/master/ya-malware-block.sh
    --2017-08-12 19:20:48-- https://raw.githubusercontent.com/shounak-de/misc-scripts/master/ya-malware-block.sh
    Resolving raw.githubusercontent.com... 151.101.184.133
    Connecting to raw.githubusercontent.com|151.101.184.133|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 4248 (4.1K) [text/plain]
    Saving to: '/jffs/scripts/ya-malware-block.sh'

    /jffs/scripts/ya-malware-blo 100%[===============================================>] 4.15K --.-KB/s in 0.001s

    2017-08-12 19:20:49 (5.57 MB/s) - '/jffs/scripts/ya-malware-block.sh' saved [4248/4248]

    [email protected]:/# chmod +x /jffs/scripts/ya-malware-block.sh
    [email protected]:/# cru a UpdateYAMalwareBlock "0 */6 * * * /jffs/scripts/ya-malware-block.sh"
    [email protected]:/#
    [email protected]:/#
    [email protected]:/# /jffs/scripts/ya-malware-block.sh
    /jffs/scripts/ya-malware-block.sh: Adding ya-malware-block rules to firewall...
    >>> Downloading and aggregating malware sources (also processing whitelists)...[78157/71469/6688] ~3s
    >>> Adding data and processing rule for YAMalwareBlock1IP... ~5s
    >>> Adding data and processing rule for YAMalwareBlock2IP... ~1s
    >>> Adding data and processing rule for YAMalwareBlockCIDR... ~1s
    >>> Cleaning up... ~0s
    /jffs/scripts/ya-malware-block.sh: Loaded sets YAMalwareBlock1IP (65535) YAMalwareBlock2IP (5934) and YAMalwareBlockCIDR (6688) in 12 seconds
    [email protected]:/# /jffs/ipset_lists/ya-malware-block.url_list
    -sh: /jffs/ipset_lists/ya-malware-block.url_list: not found
    [email protected]:/# wget --no-check-certificate -q -O- "https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/fi
    > rehol_level3.netset" | wc -l
    0
    [email protected]:/# /jffs/ipset_lists/ya-malware-block.url_list
    [email protected]:/#
     
  4. redhat27

    redhat27 Senior Member

    No need to read through 20 pages ;)
    I try to keep post #1 updated with all the current details.
    The above is not necessary
     
  5. smunro622

    smunro622 New Around Here


    Thanks... I am running an AC 3200 with family paid OpenDNS. Looking to try other scripts soon. I need to find out how to schedule them.
     
  6. Csection

    Csection Senior Member

    I have a question.
    Since changing USB drives to update to nvram-save 25a, my black, white and url files are not updating.
    Here is the code:
    #!/bin/sh
    # Author: redhat27, Version 2.4
    # snbforums thread: https://www.snbforums.com/threads/yet-another-malware-block-script-using-ipset-v4-and-v6.38935/

    URLList=/mnt/ASUS/ipset_lists/ya-malware-block.urls # Change to an appropriate download location if needed (This file h$
    WhiteList=/mnt/ASUS/ipset_lists/ya-malware-block.whites # Change to an appropriate download location if needed (This fi$
    BlackList=/mnt/ASUS/ipset_lists/ya-malware-block.blacks # Change to an appropriate location if needed (This file is opt$
    GitURLBase=https://raw.githubusercontent.com/shounak-de/misc-scripts/master/

    What seems to be the problem with updating?
    Program seems to run fine!
     
  7. Supernova

    Supernova New Around Here

    Thanks for the script. :) Subscribing to thread for updates.
     
  8. redhat27

    redhat27 Senior Member

    These files (ya-malware-block.urls, ya-malware-block.whites, ya-malware-block.blacks) do not update unless they are missing. This is expected and not related to nvram-save 25a.
    These files normally reside in the /jffs/ipset_lists/ directory and have a one-time creation when the script runs for the first time. The user can then manually modify those to their choosing (if desired). Subsequent runs of the script do not auto-update those files (that would be counter-intuitive and overwrite user changes!)

    Your installation and use is good, nothing is wrong. ;)

    You're very welcome! :)
     
  9. Csection

    Csection Senior Member

    Thanks for the reply!
    I just wanted to be sure it was ok.
    I did delete a few and re-run just to be sure but it was still ok. So I'm glad it is working as it should.
    It is set to run every 8 hrs. Maybe overkill, but I don't want any malware as I have children using the network and my daughter working from home.
    Thanks again RH27 for checking on this!

    P.S. I have had some issues with USB sticks using NTFS. I do this so I can run John's script, which is a "life-saver" in cases where problems occur and a reload of FW (FW does get buggered up occasionally) is needed.
     
    Last edited: Aug 15, 2017 at 8:24 AM
  10. redhat27

    redhat27 Senior Member

    No, it's not overkill. I have mine run every 6 hours. Some of the sources tracked by the FireHOL lists are very dynamic and transient.
     
  11. Csection

    Csection Senior Member

    Well!
    It seems to run well for me!
    Thanks!
     
  12. Supernova

    Supernova New Around Here

    @redhat27

    The script is great, thank you. I am curious if there's a way to validate things are working or double check I suppose?

    I think I figured it out reading through your script and then using help in the terminal

    ipset list YAMalwareBlockCIDR
     
    Last edited: Aug 15, 2017 at 9:22 PM
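
    As an added example (not from the script or from anyone in this thread), a small offline checker that reads an ipset save dump and reports which set entry covers a given address, so you can see not only that the sets are loaded but also whether a specific IP would be caught by them. The dump below is constructed; on the router you would pipe the real output of ipset save into find_blocking_entries (or simply run ipset test SETNAME IP for one set at a time).

```sh
#!/bin/sh
# Added example, not part of ya-malware-block.sh. Checks offline whether an IP
# is covered by any entry in an `ipset save` dump. On the router you would use
# the live dump:  ipset save | find_blocking_entries 203.0.113.7
# The dump below is constructed; only the set names come from the thread.
SAMPLE_DUMP='create YAMalwareBlock1IP hash:ip family inet hashsize 65536 maxelem 65536
add YAMalwareBlock1IP 203.0.113.7
add YAMalwareBlock1IP 203.0.113.8
create YAMalwareBlockCIDR hash:net family inet hashsize 1024 maxelem 65536
add YAMalwareBlockCIDR 198.51.100.0/24
add YAMalwareBlockCIDR 192.0.2.128/25'

# Dotted quad -> integer, using shell arithmetic only (no external tools).
ip2int() {
  set -- $(printf '%s' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True if IP $1 lies inside entry $2, written as "a.b.c.d" or "a.b.c.d/bits".
in_entry() {
  net=${2%/*}; bits=${2#*/}
  [ "$bits" = "$2" ] && bits=32        # a plain address is a /32
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Reads a dump on stdin and prints "SETNAME ENTRY" for every entry covering $1.
find_blocking_entries() {
  while read -r verb setname entry _; do
    [ "$verb" = add ] || continue          # skip "create" lines and anything else
    in_entry "$1" "$entry" && echo "$setname $entry"
  done
  return 0
}

# Convenience wrapper over the constructed dump.
check_sample() {
  printf '%s\n' "$SAMPLE_DUMP" | find_blocking_entries "$1"
}

echo "198.51.100.77 is covered by: $(check_sample 198.51.100.77)"   # YAMalwareBlockCIDR 198.51.100.0/24
```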
  13. wyliec2

    wyliec2 New Around Here

    Hope this isn't an ignorant question - I've been using WRTMerlin on a couple of different routers and recently installed the Ad-Blocker solution. Based on the name/description I presume ad blocking is different from malware blocking? If this is correct, can both ad blocking and malware blocking be installed simultaneously? Because of connecting to a new ISP, I have temporarily reverted back to stock ASUS firmware but will be re-installing WRTMerlin and additional software - this thread has piqued my interest.

    Can these blocking solutions be 'stacked'? I am using an RT-AC87R router.

    Thanks for any information.
    Wyatt
     
  14. Supernova

    Supernova New Around Here

    Someone will correct me if I'm wrong, but they can be stacked. One is a set of firewall rules, essentially IP addresses to reject, and the ad-based one is a DNS hosts file redirect from an ad's IP address to nowhere (000.000.000.000).
     
  15. redhat27

    redhat27 Senior Member

    Yes, very much so. They can peacefully coexist. I use both.
     
  16. wyliec2

    wyliec2 New Around Here

    Thank you for the confirmation!!
     
  17. truglodite

    truglodite Occasional Visitor

    I just set up ya-malware on my ancient n66u, with ab-solution and 2 ovpn servers (4k certs all around), 24 sec to update. That will work fine for me... thanks redhat!

    Kev
     
  18. Supernova

    Supernova New Around Here

    So I have an issue and I don't know if the domain is down or just unreachable or if it's ab-solution or malware blocker. I tried going to sony.co.nz and nothing loads. Sony.com loads fine, but I was curious if it was because of how the page is resolved.

    sony.co.nz points to 4942.dscb.akamaiedge.net./23.207.40.108

    I added 23.207.40.108 to the white list, but to no avail.

    Any suggestions?

    EDIT: So I turned off AB-Solution and the site loaded, and therefore I pinpointed the problem and then got the IP 209.200.152.45, which I'll have to whitelist.
     
