Yet another malware block script using ipset (v4 and v6)

After using this script for a bit longer than a day - I feel lonely...

No more script-kiddies from all over the world trying to brute-force me :). Before it was like 10 - 30 different IPs.

Looks like quality of block lists by FireHOL is really good. So far I have no false positives (using default levels 1, 2 and 3). And thanks to redhat27 for bringing this goodness to us.

From my point of view this way of blocking pesky IPs is better and more flexible than geofencing entire countries.

Peace and tranquility! :).

Update:

Found false positives, which is pretty important for households with a Nintendo Switch and kids. It's a block of IPs somehow connected with Nintendo's parental control. If you care you should add them to /jffs/ipset_lists/ya-malware-block.whites:

216.239.32.21
216.239.34.21
216.239.36.21
216.239.38.21

or use grep regex for all 4 IPs like this:

^216\.239\.3[2468]\.21
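The whitelist file is applied as grep patterns, which is why a single regex can cover all four Nintendo addresses. The following is an added example, not the thread's own ya-malware-block.sh, showing how such a whitelist (plain IPs mixed with regex lines) can be applied to a downloaded netset before it is loaded into an ipset. The netset contents, the whitelist and the temporary paths are constructed for the demonstration; the real script's internal matching logic is assumed to be grep-based, as the post implies, but may differ in detail.

```sh
#!/bin/sh
# Added example (not the script from the thread): apply a whitelist of
# plain IPs and grep regexes to a downloaded netset before loading it.
# All paths and data below are constructed for this demonstration.

WORK=$(mktemp -d)
NETSET="$WORK/sample.netset"
WHITES="$WORK/ya-malware-block.whites"

# Constructed sample netset: comment line, two of the Nintendo addresses
# named in the thread, and made-up entries from the RFC 5737 test ranges.
cat > "$NETSET" <<'EOF'
# sample netset (constructed)
216.239.32.21
216.239.34.21
198.51.100.7
198.51.100.70
203.0.113.0/24
192.0.2.44
EOF

# Constructed whitelist: one plain IP plus the regex from the thread.
cat > "$WHITES" <<'EOF'
# plain lines are literal IPs; lines starting with ^ are grep regexes
198.51.100.7
^216\.239\.3[2468]\.21
EOF

# build_patterns: turn the whitelist into anchored extended regexes.
# A plain entry such as 198.51.100.7 must not also whitelist
# 198.51.100.70, and an unescaped dot would match any character, so
# plain entries get their dots escaped and are anchored at both ends.
# Lines that already start with ^ are passed through as written.
build_patterns() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    while IFS= read -r line; do
        case "$line" in
            ^*) printf '%s\n' "$line" ;;
            *)  printf '^%s$\n' "$(printf '%s' "$line" | sed 's/\./\\./g')" ;;
        esac
    done
}

# apply_whitelist NETSET WHITES: print the netset entries that survive
# the whitelist, with comment lines dropped.
apply_whitelist() {
    patterns="$WORK/patterns"
    build_patterns "$2" > "$patterns"
    grep -v '^[[:space:]]*#' "$1" | grep -Ev -f "$patterns"
}

# count_survivors NETSET WHITES: number of entries left to load.
count_survivors() {
    apply_whitelist "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run: show what would be loaded into the ipset.
apply_whitelist "$NETSET" "$WHITES"
```

Run as written, the two 216.239.3x.21 addresses and 198.51.100.7 are removed, while 198.51.100.70 survives because the plain entry was anchored; only the anchored, escaped form is safe to feed to grep -f, which is worth remembering when hand-editing the whites file.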
 
Added a commit to include the regex. Will affect those who will install the script new or delete their existing ya-malware-block.whites file.
 
After reading through 20 pages I am guessing if I see this I did it correctly...

wget --no-check-certificate -O /jffs/scripts/ya-malware-block.sh https://raw.githubusercontent.com/shounak-de/misc-scripts/master/ya-malware-block.sh
--2017-08-12 19:20:48-- https://raw.githubusercontent.com/shounak-de/misc-scripts/master/ya-malware-block.sh
Resolving raw.githubusercontent.com... 151.101.184.133
Connecting to raw.githubusercontent.com|151.101.184.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4248 (4.1K) [text/plain]
Saving to: '/jffs/scripts/ya-malware-block.sh'

/jffs/scripts/ya-malware-blo 100%[===============================================>] 4.15K --.-KB/s in 0.001s

2017-08-12 19:20:49 (5.57 MB/s) - '/jffs/scripts/ya-malware-block.sh' saved [4248/4248]

admin@ASUS:/# chmod +x /jffs/scripts/ya-malware-block.sh
admin@ASUS:/# cru a UpdateYAMalwareBlock "0 */6 * * * /jffs/scripts/ya-malware-block.sh"
admin@ASUS:/#
admin@ASUS:/#
admin@ASUS:/# /jffs/scripts/ya-malware-block.sh
/jffs/scripts/ya-malware-block.sh: Adding ya-malware-block rules to firewall...
>>> Downloading and aggregating malware sources (also processing whitelists)...[78157/71469/6688] ~3s
>>> Adding data and processing rule for YAMalwareBlock1IP... ~5s
>>> Adding data and processing rule for YAMalwareBlock2IP... ~1s
>>> Adding data and processing rule for YAMalwareBlockCIDR... ~1s
>>> Cleaning up... ~0s
/jffs/scripts/ya-malware-block.sh: Loaded sets YAMalwareBlock1IP (65535) YAMalwareBlock2IP (5934) and YAMalwareBlockCIDR (6688) in 12 seconds
admin@ASUS:/# /jffs/ipset_lists/ya-malware-block.url_list
-sh: /jffs/ipset_lists/ya-malware-block.url_list: not found
admin@ASUS:/# wget --no-check-certificate -q -O- "https://raw.githubusercontent.com/firehol/blocklist-ipsets/master
/fi
> rehol_level3.netset" | wc -l
0
admin@ASUS:/# /jffs/ipset_lists/ya-malware-block.url_list
admin@ASUS:/#
 
No need to read through 20 pages ;)
I try to keep post #1 updated with all the current details.
admin@ASUS:/# /jffs/ipset_lists/ya-malware-block.url_list
-sh: /jffs/ipset_lists/ya-malware-block.url_list: not found
admin@ASUS:/# wget --no-check-certificate -q -O- "https://raw.githubusercontent.com/firehol/blocklist-ipsets/master
/fi
> rehol_level3.netset" | wc -l
0
admin@ASUS:/# /jffs/ipset_lists/ya-malware-block.url_list
admin@ASUS:/#
The above is not necessary
 
No need to read through 20 pages ;)
I try to keep post #1 updated with all the current details.

The above is not necessary


Thanks... I am running an AC3200 with family paid OpenDNS. Looking to try other scripts soon. I need to find out how to schedule them.
 
I have a question.
Since changing USB drives to update to nvram-save 25a, my black, white and URL files are not updating.
Here is the code:
#!/bin/sh
# Author: redhat27, Version 2.4
# snbforums thread: https://www.snbforums.com/threads/yet-another-malware-block-script-using-ipset-v4-and-v6.38935/

URLList=/mnt/ASUS/ipset_lists/ya-malware-block.urls # Change to an appropriate download location if needed (This file h$
WhiteList=/mnt/ASUS/ipset_lists/ya-malware-block.whites # Change to an appropriate download location if needed (This fi$
BlackList=/mnt/ASUS/ipset_lists/ya-malware-block.blacks # Change to an appropriate location if needed (This file is opt$
GitURLBase=https://raw.githubusercontent.com/shounak-de/misc-scripts/master/

What seems to be the problem with updating?
Program seems to run fine!
 
What seems to be the problem with updating?
These files (ya-malware-block.urls, ya-malware-block.whites, ya-malware-block.blacks) do not update unless they are missing. This is expected and not related to nvram-save 25a.
These files normally reside in the /jffs/ipset_lists/ directory and are created once, when the script runs for the first time. The user can then manually modify them to their choosing (if desired). Subsequent runs of the script do not auto-update those files (that would be counter-intuitive and overwrite user changes!).

Your installation and use is good, nothing is wrong. ;)

Thanks for the script. :) Subscribing to thread for updates.
You're very welcome! :)
 
Thanks for the reply!
I just wanted to be sure it was ok.
I did delete a few and re-run just to be sure but it was still ok. So I'm glad it is working as it should.
It is set to run every 8 hrs. Maybe overkill, but I don't want any malware as I have children using the network and my daughter working from home.
Thanks again RH27 for checking on this!

P.S. I have had some issues with USB sticks using NTFS. I do this so I can run John's script, which is a "life-saver" in cases where problems occur and a reload of fw (FW does get buggered up occasionally) is needed.
 
@redhat27

The script is great, thank you. I am curious if there's a way to validate things are working or double check I suppose?

I think I figured it out reading through your script and then using help in the terminal

ipset list YAMalwareBlockCIDR
 
Hope this isn't an ignorant question - I've been using WRTMerlin on a couple of different routers and recently installed the Ad-Blocker solution. Based on the name/description I presume ad blocking is different from malware blocking? If this is correct, can both ad blocking and malware blocking be installed simultaneously? Because of connecting to a new ISP, I have temporarily reverted back to stock ASUS firmware but will be re-installing WRTMerlin and additional software - this thread has piqued my interest.

Can these blocking solutions be 'stacked'? I am using an RT-AC87R router.

Thanks for any information.
Wyatt
 
Someone will correct me if I'm wrong, but they can be stacked. One is a set of firewall rules, essentially IP addresses to reject, and the ad-based one is a DNS hosts file redirect from an ad's IP address to nowhere (000.000.000.000).
 
I just set up ya-malware on my ancient N66U, with AB-Solution and 2 OpenVPN servers (4k certs all around); 24 sec to update. That will work fine for me... thanks redhat!

Kev
 
So I have an issue and I don't know if the domain is down or just unreachable or if it's ab-solution or malware blocker. I tried going to sony.co.nz and nothing loads. Sony.com loads fine, but I was curious if it was because of how the page is resolved.

sony.co.nz points to 4942.dscb.akamaiedge.net./23.207.40.108

I added 23.207.40.108 to the white list, but to no avail.

Any suggestions?

EDIT: So I turned off AB-Solution and the site loaded, and therefore I pinpointed the problem and then got the IP
209.200.152.45, which I'll have to whitelist.
 
@Supernova An easy way to tell whether it's AB-Solution or an ipset block: ping the IP or host.
AB-Solution blocking will return 0.0.0.0 or your pixelserv IP (if you have it configured/running).
ipset blocking will behave differently (either 100% packet loss (most common, esp. on the router), or request timed out, or host unreachable).
 
Thanks... I had to turn pixelserv off in order to figure out the offending URL and why a site wouldn't work properly. It was a website that used s3-ap-southeast-2.amazonaws.com for its stylesheet. The only way to tell was to make an educated guess when looking at the page source.

I should probably be posting this in the ad-block forum.
 