Yet another malware block script using ipset (v4 and v6)

Discussion in 'Asuswrt-Merlin' started by redhat27, May 4, 2017.

  1. Przem

    Przem New Around Here

    Joined:
    Jul 29, 2017
    Messages:
    7
    I have installed ya-malware-blocker-tomato.sh in Tomato by Shibby 1.40 Multiwan, in the /jffs/scripts folder, and did "chmod a+rx /jffs/scripts/*". However, I do get some errors, please help:

    ./ya-malware-blocker-tomato.sh
    ./ya-malware-blocker-tomato.sh: Adding ya-malware-block rules to firewall...
    >>> Downloading and aggregating malware sources (also processing whitelists)...wget: not an http or ftp url: #https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level4.netset
    [47509/41575/5934] ~3s
    >>> Adding data and processing rule for YAMalwareBlock1IP..../ya-malware-blocker-tomato.sh: line 22: iptables-save: not found
    ~2s
    >>> Adding data and processing rule for YAMalwareBlockCIDR..../ya-malware-blocker-tomato.sh: line 23: iptables-save: not found
    ~1s
    >>> Cleaning up... ~0s
    ./ya-malware-blocker-tomato.sh: Loaded sets YAMalwareBlock1IP (41575) and YAMalwareBlockCIDR (5934) in 7 seconds
     
  2. VZ3

    VZ3 Occasional Visitor

    Joined:
    Nov 4, 2016
    Messages:
    49
    I'm using Merlin's firmware. I'm not familiar with Tomato, but it looks like there is no iptables-save command in your version.

    You can ignore the first error; this is just wget reporting on the commented line with the level4 list. Then we see the script fetched a 47k IP list, so this part is working fine. But there is no iptables-save command to be found.

    Try to find out if this command comes with your firmware or needs to be installed separately from other sources.

    PS: did you see that the author of the ya-malware script tested it on Tomato 2.3 and 2.4? And yours is 1.4.
     
    Last edited: Sep 11, 2017
  3. Przem

    Przem New Around Here

    Joined:
    Jul 29, 2017
    Messages:
    7
    @VZ3:
    There are no 2.3 and 2.4 Tomato firmwares AFAIK.
    This is the kernel version.

    Tomato 1.28 v.140 is based on (uname -a):

    Linux 2.6.36.4

    How can I DL the missing part?


    Sent from iPad using Tapatalk Pro
     
  4. Builder71

    Builder71 Senior Member

    Joined:
    Oct 14, 2012
    Messages:
    464
    Location:
    The Netherlands
  5. Csection

    Csection Senior Member

    Joined:
    Oct 20, 2016
    Messages:
    305
    Script 2.4 was running fine for quite a while.
    Now all of a sudden I am getting this:
    ./ya-malware-block.sh: Loaded sets YAMalwareBlock1IP (73) and YAMalwareBlockCIDR (1) in 2 seconds.
    Can you please advise?
    I am on 380.68.0 for about a week now.
    This is also showing up in syslog.
     
  6. Jack Yaz

    Jack Yaz Very Senior Member

    Joined:
    Apr 20, 2017
    Messages:
    565
    Most probably due to the repo being down, it can't populate lists with anything other than your blacklist.
     
  7. VZ3

    VZ3 Occasional Visitor

    Joined:
    Nov 4, 2016
    Messages:
    49
    We need to find new URLs for the IP block list.
    I guess we have hammered GitHub with read requests, and the administration does not like it and blocked the repository.
    PS: well, it looks like it's not us reading too much; it's the automatic script that updates the lists too often.
    They contacted GitHub and are waiting on a response.

    Edit: OK, Firehol provided a local copy of the ipset lists, so in ya-malware-blocks.urls we need to replace the GitHub addresses with the corresponding local ones, like this:
    https://iplists.firehol.org/files/firehol_level1.netset
    https://iplists.firehol.org/files/firehol_level2.netset
    https://iplists.firehol.org/files/firehol_level3.netset
     
    Last edited: Sep 14, 2017
    Builder71 likes this.
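
The posts above describe two failure modes: a commented-out source line reaching wget as a URL, and the sets being loaded almost empty when the list source is unreachable. The shell functions below are an added example (not part of ya-malware-block.sh and not written by anyone in this thread) that filter a sources file and reject a fetched list with too few valid entries; the function names, the `MIN_ENTRIES` threshold and the sample data are assumptions.

```shell
#!/bin/sh
# Added example, not part of ya-malware-block.sh. Function names and the
# MIN_ENTRIES threshold are assumptions chosen for illustration.
MIN_ENTRIES=${MIN_ENTRIES:-1000}

# Print only active source URLs: blank lines and lines commented out with
# '#' are dropped so they never reach wget as "#https://...".
active_urls() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" | grep -E '^https?://' || true
}

# Count lines that look like an IPv4 address or an IPv4 CIDR block.
count_entries() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -cE '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' "$1" || true
}

# Succeed only when the fetched list is big enough to replace the live set.
# A near-empty download (source unreachable) fails and the old set is kept.
list_is_sane() {
    [ "$(count_entries "$1")" -ge "${2:-$MIN_ENTRIES}" ]
}

# Constructed sample data: a sources file with one commented-out URL, and a
# fetched list holding an HTML error page plus two real entries.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/sources.urls" <<'EOF'
https://iplists.firehol.org/files/firehol_level1.netset
#https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level4.netset

https://iplists.firehol.org/files/firehol_level2.netset
EOF
cat > "$demo_dir/fetched.txt" <<'EOF'
<html><body>Repository unavailable</body></html>
192.0.2.10
198.51.100.0/24
EOF

active_urls "$demo_dir/sources.urls"
if list_is_sane "$demo_dir/fetched.txt"; then
    echo "list ok: safe to swap into the live ipset"
else
    echo "list too small ($(count_entries "$demo_dir/fetched.txt") entries): keeping previous set"
fi
```

Keeping the previous set when the check fails means a source outage leaves the router with stale protection rather than almost none.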
  8. Csection

    Csection Senior Member

    Joined:
    Oct 20, 2016
    Messages:
    305
    Yes!
    I thought about that after I posted.
    Thanks again, Jack!
     
  9. VZ3

    VZ3 Occasional Visitor

    Joined:
    Nov 4, 2016
    Messages:
    49
  10. Builder71

    Builder71 Senior Member

    Joined:
    Oct 14, 2012
    Messages:
    464
    Location:
    The Netherlands
    @VZ3 Thx! Working perfectly.
     
  11. VZ3

    VZ3 Occasional Visitor

    Joined:
    Nov 4, 2016
    Messages:
    49
    Also, let's make the time when our routers hit the firehol server for updates a bit random.

    Imagine thousands of clients hitting the firehol server at the exact same time, like 0:00, then 6:00, then 12:00, then 18:00. It will look like a DoS attack.

    At least put a random minutes number into your cron schedule, so instead of

    cru a UpdateYAMalwareBlock "0 */6 * * * /jffs/scripts/ya-malware-block.sh"

    use your random minutes, say 11, like this:

    cru a UpdateYAMalwareBlock "11 */6 * * * /jffs/scripts/ya-malware-block.sh"

    Well, we are in different time zones, but I guess there are only so many of them, and a traffic surge at the beginning of the hour might push the server close to its limits.
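
One way to pick the offset without choosing it by hand, as an added example that is not from the thread or from ya-malware-block.sh: derive a stable per-device offset from a seed and spread the start hour as well as the minute, which goes one step beyond the minute-only change suggested above. `window_offset`, `update_schedule` and the seed value are assumptions.

```shell
#!/bin/sh
# Added example, not from ya-malware-block.sh. window_offset and
# update_schedule are hypothetical helper names.

# Map a per-device seed to a stable offset of 0-359 minutes inside the
# 6-hour update window. cksum is the POSIX CRC-32; awk does the modulo so
# the result does not depend on the shell's integer width.
window_offset() {
    printf '%s' "$1" | cksum | awk '{ print $1 % 360 }'
}

# Build a cron time spec that still fires every 6 hours, but at this
# device's own offset rather than at minute 0 of hours 0, 6, 12 and 18.
update_schedule() {
    off=$(window_offset "$1")
    m=$((off % 60))
    h=$((off / 60))
    echo "$m $h,$((h + 6)),$((h + 12)),$((h + 18)) * * *"
}

# Constructed seed; on a router a stable unique value such as the LAN MAC
# address would serve (assumption, the thread does not name one).
SEED="00:11:22:33:44:55"
echo "cru a UpdateYAMalwareBlock \"$(update_schedule "$SEED") /jffs/scripts/ya-malware-block.sh\""
```

Because the offset is derived from the seed rather than drawn at random on each boot, the schedule stays the same across reboots while differing between devices.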
     
  12. Builder71

    Builder71 Senior Member

    Joined:
    Oct 14, 2012
    Messages:
    464
    Location:
    The Netherlands
    Makes sense.

    I picked a random minutes number, which I will not tell you. :p
    So it stays random. :D
     
  13. drg

    drg Occasional Visitor

    Joined:
    Jun 2, 2017
    Messages:
    15
  14. Jack Yaz

    Jack Yaz Very Senior Member

    Joined:
    Apr 20, 2017
    Messages:
    565
  15. drg

    drg Occasional Visitor

    Joined:
    Jun 2, 2017
    Messages:
    15
