Menu
What's new
By:
Filters Better Search

Yet another malware block script using ipset (v4 and v6)

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

I have installed ya-malware-blocker-tomato.sh in Tomato by Shibby 1.40 Multiwan, in /jffs/scripts folder, and did "
chmod a+rx /jffs/scripts/*". However I do get some errors, please help:

./ya-malware-blocker-tomato.sh
./ya-malware-blocker-tomato.sh: Adding ya-malware-block rules to firewall...
>>> Downloading and aggregating malware sources (also processing whitelists)...wget: not an http or ftp url: #https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level4.netset
[47509/41575/5934] ~3s
>>> Adding data and processing rule for YAMalwareBlock1IP..../ya-malware-blocker-tomato.sh: line 22: iptables-save: not found
~2s
>>> Adding data and processing rule for YAMalwareBlockCIDR..../ya-malware-blocker-tomato.sh: line 23: iptables-save: not found
~1s
>>> Cleaning up... ~0s
./ya-malware-blocker-tomato.sh: Loaded sets YAMalwareBlock1IP (41575) and YAMalwareBlockCIDR (5934) in 7 seconds
 
Przem said:
I have installed ya-malware-blocker-tomato.sh in Tomato by Shibby 1.40 Multiwan, in /jffs/scripts folder, and did "
chmod a+rx /jffs/scripts/*". However I do get some errors, please help:

./ya-malware-blocker-tomato.sh
./ya-malware-blocker-tomato.sh: Adding ya-malware-block rules to firewall...
>>> Downloading and aggregating malware sources (also processing whitelists)...wget: not an http or ftp url: #https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level4.netset
[47509/41575/5934] ~3s
>>> Adding data and processing rule for YAMalwareBlock1IP..../ya-malware-blocker-tomato.sh: line 22: iptables-save: not found
~2s
>>> Adding data and processing rule for YAMalwareBlockCIDR..../ya-malware-blocker-tomato.sh: line 23: iptables-save: not found
~1s
>>> Cleaning up... ~0s
./ya-malware-blocker-tomato.sh: Loaded sets YAMalwareBlock1IP (41575) and YAMalwareBlockCIDR (5934) in 7 seconds
Click to expand...

I'm using Merlin's firmware. I'm not familiar with Tomato but looks like in your version there is no iptables-save command.

You can ignore the first error, this is just a wget reporting on commented line with level4 list. Then we see script fetched 47k ip list, so this part is working fine. But there is no iptables-save command to be found.

Try to find out if this command comes with your firmware or needs to be installed from other sources separately.

PS: did you see that author of ya-malware script tested it on Tomato 2.3 and 2.4? and yours is 1.4
 
Last edited:
VZ3 said:
(...) did you see that author of ya-malware script tested it on Tomato 2.3 and 2.4? and yours is 1.4
Click to expand...

@VZ3:
There are no 2.3 and 2.4 Tomato firmwares AFAIK.
This is kernel version.

Tomato 1.28 v.140 is based on (uname -a):

Linux 2.6.36.4

How can I DL missing part?


Wysłane z iPad za pomocą Tapatalk Pro
 
Script 2.4 was running fine for quite a while.
Now all of a sudden I am getting this:
./ya-malware-block.sh: Loaded sets YAMalwareBlock1IP (73) and YAMalwareBlockCIDR (1) in 2 seconds.
Can you please advise?
I am on 380.68.0 for about a week now.
This is also showing up in syslog.
 
Most probably due to the repo being down it can't populate lists with anything other than your blacklist
Csection said:
Script 2.4 was running fine for quite a while.
Now all of a sudden I am getting this:
./ya-malware-block.sh: Loaded sets YAMalwareBlock1IP (73) and YAMalwareBlockCIDR (1) in 2 seconds.
Can you please advise?
I am on 380.68.0 for about a week now.
This is also showing up in syslog.[/QUOTE
Click to expand...
 
Builder71 said:
This doesn't help. :(

https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level2.netset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level3.netset

All give "404: Not Found"

Repository is disabled. :eek:
https://github.com/firehol/blocklist-ipsets/commits/master/firehol_level1.netset
Click to expand...

We need to find new URLs for ip block list.
I guess we have hammered github with read requests and administration does not like it and blocked the repository.
PS: well, looks like it's not us reading too much it's automatic script updates lists too often.
They contacted Github and waiting on response.

Edit: ok, Firehol provided a local copy of the ipset lists, so we need to replace in ya-malware-blocks.urls addresses for github with corresponding local ones like this:
https://iplists.firehol.org/files/firehol_level1.netset
https://iplists.firehol.org/files/firehol_level2.netset
https://iplists.firehol.org/files/firehol_level3.netset
 
Last edited:
Also, let's make time when our routers will hit the firehol server for the updates a bit random.

Imaging if thousands clients hitting firehol server at exact same time like 0:00 then 6:00 then 12:00 then 18:00. It will look like DoS attack.

At least put some random minutes number into your cron schedule, so instead of

cru a UpdateYAMalwareBlock "0 */6 * * * /jffs/scripts/ya-malware-block.sh"

use your random minutes say 11 like this:

cru a UpdateYAMalwareBlock "11 */6 * * * /jffs/scripts/ya-malware-block.sh"

Well, we are in different time zones but I guess there are only that much of it and traffic surge at the beginning of the hour might push server close to the limits.
 
Makes sense.

I picked a random minutes number, which I will not tell you. :p
So it stays random. :D
 
I'm sorry for my long absence :(

@Builder71 Appreciate your effort in removing unused sets, I'll take a look when I get some time. I believe like @VZ3 pointed out, this may not be of much concern
@Jack Yaz and @VZ3 Thanks as always for helping out
@Przem I believe you should be able to substitute "iptables -t raw -L" instead of "iptables-save" I have edited the tomato version to reflect this. Can you test it if possible and let me know if that helped?

I apologize again on my sporadic presence lately.
 
I am using the ASUS firewall + this Malware script. I have a few IP cameras that I have manually blocked outside network access to both within the camera (Foscam settings) and on the router (network services filter). For the router, I entered the IP address of the camera (static), then blocked ports 1 through something like 65000. I turned on the firewall logging, and see lots of DROPs from my cameras, but this one seems to have snuck through:

Oct 4 16:18:54 kernel: ACCEPT IN=br0 OUT=eth0 SRC=192.168.1.XXX DST=211.115.194.21 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=4492 DF PROTO=UDP SPT=60013 DPT=123 LEN=56

I typed in the destination IP address into an IP search website and it came up with some network in Korea, possibly the "Korea Network Information Center." Should I be worried about this? Is this possibly just the camera trying to get an updated date/time stamp?
 
Teknition said:
I am using the ASUS firewall + this Malware script. I have a few IP cameras that I have manually blocked outside network access to both within the camera (Foscam settings) and on the router (network services filter). For the router, I entered the IP address of the camera (static), then blocked ports 1 through something like 65000. I turned on the firewall logging, and see lots of DROPs from my cameras, but this one seems to have snuck through:

Oct 4 16:18:54 kernel: ACCEPT IN=br0 OUT=eth0 SRC=192.168.1.XXX DST=211.115.194.21 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=4492 DF PROTO=UDP SPT=60013 DPT=123 LEN=56

I typed in the destination IP address into an IP search website and it came up with some network in Korea, possibly the "Korea Network Information Center." Should I be worried about this? Is this possibly just the camera trying to get an updated date/time stamp?
Click to expand...

For the Foscam cameras - they like to keep "heart bit" thingy for the cloud services, kinda thing Foscam using for it's application in order to connect through their hosted server. And it's impossible to turn it off through Foscam UI.

Sure thing to block this shady behavior is to not specify gateway in IP camera static address set.

PS: I have contacted Foscam regarding my camera, explain them the same problem and they send me a non-official patch which stopped that heart bit.
 
VZ3 said:
For the Foscam cameras - they like to keep "heart bit" thingy for the cloud services, kinda thing Foscam using for it's application in order to connect through their hosted server. And it's impossible to turn it off through Foscam UI.

Sure thing to block this shady behavior is to not specify gateway in IP camera static address set.

PS: I have contacted Foscam regarding my camera, explain them the same problem and they send me a non-official patch which stopped that heart bit.
Click to expand...
Thanks for the info. I thought that the network service filter in Merlin would help block, but I had also tried parental controls and typing in a fake gateway. However, those last two options caused my camera viewing app on my phone to stop working, so I had to turn those off. I use OWLR on my iPhone, after using OpenVPN to get into my home network.
 
You must log in or register to reply here.

Similar threads

A
Helt needed with the yet another antimalware script for the Asus wrt.
Replies
4
Views
537
amnesia
A
MON@H Rasta
Tutorial Using TOR to unblock sites blocked by ISP on [Fork] Asuswrt-Merlin 374 LTS
Replies
14
Views
4K
Vas99
V
mkaand
Tutorial [TUTORIAL] Domain (Policy) based routing with ipset and dnsmaq
Replies
4
Views
4K
mkaand
mkaand
P
IPSET rule keeps disappearing on AC68U
Replies
4
Views
786
peraburek
P
Diamond67
Problem with USB Flash Drive containing Swap File and Entware, no Swap File found after cold boot
2
Replies
25
Views
4K
Diamond67
Diamond67
Similar threads
Thread starter Title Forum Replies Date
D Yet another question about VLANs (any HowTo recommended?) Asuswrt-Merlin 24
S Transfer files to another device (raspi) in the same network Asuswrt-Merlin 3
M Allow admin web GUI access on another interface (tailscale0) Asuswrt-Merlin 0
S Another DNS Director clarification Asuswrt-Merlin 1
Smokindog Might be ready to give AiMesh another look Asuswrt-Merlin 8
D Connecting to internet via another router Asuswrt-Merlin 10
Swistheater Malware /jffs/updater script. Asuswrt-Merlin 167

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 854 (members: 20, guests: 834)
Top