
Yet another malware block script using ipset (v4 and v6)

Discussion in 'Asuswrt-Merlin' started by redhat27, May 4, 2017.

  1. Przem

    Przem New Around Here

    Joined:
    Jul 29, 2017
    Messages:
    9
    I have installed ya-malware-blocker-tomato.sh in Tomato by Shibby 1.40 Multiwan, in the /jffs/scripts folder, and did "chmod a+rx /jffs/scripts/*". However, I get some errors, please help:

    ./ya-malware-blocker-tomato.sh
    ./ya-malware-blocker-tomato.sh: Adding ya-malware-block rules to firewall...
    >>> Downloading and aggregating malware sources (also processing whitelists)...wget: not an http or ftp url: #https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level4.netset
    [47509/41575/5934] ~3s
    >>> Adding data and processing rule for YAMalwareBlock1IP..../ya-malware-blocker-tomato.sh: line 22: iptables-save: not found
    ~2s
    >>> Adding data and processing rule for YAMalwareBlockCIDR..../ya-malware-blocker-tomato.sh: line 23: iptables-save: not found
    ~1s
    >>> Cleaning up... ~0s
    ./ya-malware-blocker-tomato.sh: Loaded sets YAMalwareBlock1IP (41575) and YAMalwareBlockCIDR (5934) in 7 seconds
     
  2. VZ3

    VZ3 Regular Contributor

    Joined:
    Nov 4, 2016
    Messages:
    52
    I'm using Merlin's firmware. I'm not familiar with Tomato, but it looks like in your version there is no iptables-save command.

    You can ignore the first error; this is just wget reporting on the commented-out line with the level4 list. Then we see the script fetched a 47k IP list, so this part is working fine. But there is no iptables-save command to be found.

    Try to find out if this command comes with your firmware or needs to be installed separately from other sources.

    PS: Did you see that the author of the ya-malware script tested it on Tomato 2.3 and 2.4? And yours is 1.4.
     
    Last edited: Sep 11, 2017
  3. Przem

    Przem New Around Here

    Joined:
    Jul 29, 2017
    Messages:
    9
    @VZ3:
    There are no 2.3 and 2.4 Tomato firmwares AFAIK.
    That is the kernel version.

    Tomato 1.28 v.140 is based on (uname -a):

    Linux 2.6.36.4

    How can I download the missing part?


    Sent from iPad using Tapatalk Pro
     
  4. Builder71

    Builder71 Senior Member

    Joined:
    Oct 14, 2012
    Messages:
    490
    Location:
    The Netherlands
  5. Csection

    Csection Senior Member

    Joined:
    Oct 20, 2016
    Messages:
    317
    Script 2.4 was running fine for quite a while.
    Now all of a sudden I am getting this:
    ./ya-malware-block.sh: Loaded sets YAMalwareBlock1IP (73) and YAMalwareBlockCIDR (1) in 2 seconds.
    Can you please advise?
    I have been on 380.68.0 for about a week now.
    This is also showing up in syslog.
     
  6. Jack Yaz

    Jack Yaz Very Senior Member

    Joined:
    Apr 20, 2017
    Messages:
    656
    Most probably it is due to the repo being down; it can't populate the lists with anything other than your blacklist.
     
  7. VZ3

    VZ3 Regular Contributor

    Joined:
    Nov 4, 2016
    Messages:
    52
    We need to find new URLs for the IP block lists.
    I guess we have hammered GitHub with read requests, and the administration does not like it and blocked the repository.
    PS: Well, it looks like it's not us reading too much; it's automatic scripts updating lists too often.
    They contacted GitHub and are waiting on a response.

    Edit: OK, Firehol provided a local copy of the ipset lists, so we need to replace the GitHub addresses in ya-malware-blocks.urls with the corresponding local ones, like this:
    https://iplists.firehol.org/files/firehol_level1.netset
    https://iplists.firehol.org/files/firehol_level2.netset
    https://iplists.firehol.org/files/firehol_level3.netset
     
    Last edited: Sep 14, 2017
    hervon and Builder71 like this.
  8. Csection

    Csection Senior Member

    Joined:
    Oct 20, 2016
    Messages:
    317
    Yes!
    I thought about that after I posted.
    Thanks again, Jack!
     
  9. VZ3

    VZ3 Regular Contributor

    Joined:
    Nov 4, 2016
    Messages:
    52
  10. Builder71

    Builder71 Senior Member

    Joined:
    Oct 14, 2012
    Messages:
    490
    Location:
    The Netherlands
    @VZ3 Thx! Working perfectly.
     
  11. VZ3

    VZ3 Regular Contributor

    Joined:
    Nov 4, 2016
    Messages:
    52
    Also, let's make the time when our routers hit the firehol server for updates a bit random.

    Imagine thousands of clients hitting the firehol server at the exact same time, like 0:00, then 6:00, then 12:00, then 18:00. It will look like a DoS attack.

    At least put some random minute number into your cron schedule, so instead of

    cru a UpdateYAMalwareBlock "0 */6 * * * /jffs/scripts/ya-malware-block.sh"

    use your random minute, say 11, like this:

    cru a UpdateYAMalwareBlock "11 */6 * * * /jffs/scripts/ya-malware-block.sh"

    Well, we are in different time zones, but I guess there are only so many of them, and a traffic surge at the beginning of the hour might push the server close to its limits.
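An added example, not from the thread or the ya-malware-block script itself, of doing what the post above suggests without every user having to pick a number by hand: derive the cron minute from something stable and unique to the router, so each router lands on a different minute of the hour and keeps that minute across reboots. It assumes busybox provides cksum (it does on Asuswrt-Merlin and Tomato builds I am aware of, but check with "which cksum"), that "nvram get lan_hwaddr" returns the LAN MAC on Asuswrt (an assumed NVRAM variable; the code falls back to the hostname), and that `cru a` with an existing job ID replaces that job. The `--install` flag is this example's own convention.

```shell
#!/bin/sh
# Added example (not from the thread or the ya-malware-block script).
# Spread the update job across the hour: each router derives its own
# cron minute from a stable seed instead of everyone using minute 0.
#
# Assumptions: busybox cksum is available; "nvram get lan_hwaddr" gives the
# LAN MAC on Asuswrt (falls back to hostname); "cru a" with the same ID
# replaces an existing job, so re-running this is safe.

# jitter_minute SEED -> prints a number in 0..59, identical on every run
# for the same seed (CRC32 from cksum, reduced modulo 60).
jitter_minute() {
    crc=$(printf '%s' "$1" | cksum | cut -d' ' -f1)
    echo $(( crc % 60 ))
}

# build_cru_cmd MINUTE -> prints the cru line for a job every 6 hours at
# that minute (same schedule as in the post, only the minute changes).
build_cru_cmd() {
    printf 'cru a UpdateYAMalwareBlock "%s */6 * * * /jffs/scripts/ya-malware-block.sh"\n' "$1"
}

# router_seed -> LAN MAC if nvram is available, else the hostname.
# Both are stable across reboots, which is what makes the minute stable.
router_seed() {
    seed=$(nvram get lan_hwaddr 2>/dev/null || true)
    [ -n "$seed" ] || seed=$(hostname 2>/dev/null || true)
    echo "$seed"
}

# Without arguments, print the command you would put in services-start;
# with --install, run it on this router.
cmd=$(build_cru_cmd "$(jitter_minute "$(router_seed)")")
if [ "$1" = "--install" ]; then
    eval "$cmd"
else
    echo "$cmd"
fi
```

Because the minute is a function of the MAC, two routers only collide when their CRCs happen to agree modulo 60, which is about what a hand-picked random number gives you, and nobody has to remember their number. Put the generated line (or a call to this script with --install) in /jffs/scripts/services-start so the job is recreated after a reboot.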
     
  12. Builder71

    Builder71 Senior Member

    Joined:
    Oct 14, 2012
    Messages:
    490
    Location:
    The Netherlands
    Makes sense.

    I picked a random minute number, which I will not tell you. :p
    So it stays random. :D
     
  13. drg

    drg Occasional Visitor

    Joined:
    Jun 2, 2017
    Messages:
    15
  14. Jack Yaz

    Jack Yaz Very Senior Member

    Joined:
    Apr 20, 2017
    Messages:
    656
  15. drg

    drg Occasional Visitor

    Joined:
    Jun 2, 2017
    Messages:
    15
  16. redhat27

    redhat27 Very Senior Member

    Joined:
    Jul 29, 2016
    Messages:
    501
    I'm sorry for my long absence :(

    @Builder71 Appreciate your effort in removing unused sets; I'll take a look when I get some time. I believe, as @VZ3 pointed out, this may not be of much concern.
    @Jack Yaz and @VZ3 Thanks as always for helping out.
    @Przem I believe you should be able to substitute "iptables -t raw -L" for "iptables-save". I have edited the Tomato version to reflect this. Can you test it if possible and let me know if that helped?

    I apologize again for my sporadic presence lately.
     
    hervon likes this.
  17. Builder71

    Builder71 Senior Member

    Joined:
    Oct 14, 2012
    Messages:
    490
    Location:
    The Netherlands
    No problem. Welcome back.
    It was almost time for a "Where the hell is redhat27?" thread. :D
     
    thelonelycoder likes this.
  18. Teknition

    Teknition Occasional Visitor

    Joined:
    Jun 8, 2017
    Messages:
    10
    I am using the ASUS firewall + this malware script. I have a few IP cameras that I have manually blocked from outside network access, both within the camera (Foscam settings) and on the router (network services filter). For the router, I entered the IP address of the camera (static), then blocked ports 1 through something like 65000. I turned on firewall logging and see lots of DROPs from my cameras, but this one seems to have snuck through:

    Oct 4 16:18:54 kernel: ACCEPT IN=br0 OUT=eth0 SRC=192.168.1.XXX DST=211.115.194.21 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=4492 DF PROTO=UDP SPT=60013 DPT=123 LEN=56

    I typed the destination IP address into an IP lookup website and it came up as some network in Korea, possibly the "Korea Network Information Center." Should I be worried about this? Is this possibly just the camera trying to get an updated date/time stamp?
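An added example, not from the thread: a small sh/awk filter over firewall log lines in the format shown above that lists every packet from a given LAN host that was ACCEPTed out of the WAN interface, so the one that got past the network services filter stands out instead of being buried in DROP lines. The log lines are constructed for the example (the camera address 192.168.1.50, the WAN interface name eth0 and the other addresses are assumptions, not values from the post); on the router you would pipe in /tmp/syslog.log (assumed syslog path on Asuswrt-Merlin). Destination port 123/UDP is NTP, so a hit like the one above is the camera asking a time server, which is what the post guessed.

```shell
#!/bin/sh
# Added example (not from the thread or the ya-malware-block script).
# Report LAN hosts that are supposed to be isolated but still had traffic
# ACCEPTed out of the WAN interface, by parsing netfilter log lines.

# Constructed sample log lines in the Asuswrt kernel log format
# (addresses and interface names are assumptions for the example).
SAMPLE_LOG='Oct 4 16:18:54 kernel: ACCEPT IN=br0 OUT=eth0 SRC=192.168.1.50 DST=211.115.194.21 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=4492 DF PROTO=UDP SPT=60013 DPT=123 LEN=56
Oct 4 16:18:55 kernel: DROP IN=br0 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4493 DF PROTO=TCP SPT=40001 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 4 16:18:56 kernel: ACCEPT IN=br0 OUT=eth0 SRC=192.168.1.20 DST=93.184.216.34 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4494 DF PROTO=TCP SPT=50000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 4 16:18:57 kernel: ACCEPT IN=tun21 OUT=br0 SRC=10.8.0.2 DST=192.168.1.50 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4495 DF PROTO=TCP SPT=51000 DPT=88 WINDOW=29200 RES=0x00 SYN URGP=0'

# wan_leaks WAN_IFACE HOST... < logfile
# Prints "SRC DST PROTO DPT" for every ACCEPT line whose OUT= is the WAN
# interface and whose SRC= is one of the listed hosts. Inbound traffic
# (OUT=br0, e.g. you viewing the camera over VPN) and DROP lines are
# ignored, so only real egress from the watched hosts is shown.
wan_leaks() {
    wan="$1"; shift
    awk -v wan="$wan" -v hosts="$*" '
    BEGIN { n = split(hosts, h, " "); for (i = 1; i <= n; i++) watch[h[i]] = 1 }
    / kernel: ACCEPT / {
        src = ""; dst = ""; out = ""; proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if      (kv[1] == "SRC")   src   = kv[2]
            else if (kv[1] == "DST")   dst   = kv[2]
            else if (kv[1] == "OUT")   out   = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT")   dpt   = kv[2]
        }
        if (out == wan && (src in watch)) print src, dst, proto, dpt
    }'
}

# Stand-alone run over the constructed sample: only the camera's NTP
# request to 211.115.194.21 should be listed.
printf '%s\n' "$SAMPLE_LOG" | wan_leaks eth0 192.168.1.50
```

On a live router run `wan_leaks eth0 192.168.1.50 < /tmp/syslog.log` (use ppp0 instead of eth0 on a PPPoE WAN) after enabling logging of accepted packets; anything it prints is a rule gap in the filter, not just noise.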
     
  19. VZ3

    VZ3 Regular Contributor

    Joined:
    Nov 4, 2016
    Messages:
    52
    For the Foscam cameras: they like to keep a "heartbeat" thingy for the cloud services, the kind of thing Foscam uses for its application in order to connect through their hosted server. And it's impossible to turn it off through the Foscam UI.

    A sure way to block this shady behavior is to not specify a gateway in the IP camera's static address settings.

    PS: I contacted Foscam regarding my camera, explained the same problem to them, and they sent me a non-official patch which stopped that heartbeat.
     
  20. Teknition

    Teknition Occasional Visitor

    Joined:
    Jun 8, 2017
    Messages:
    10
    Thanks for the info. I thought that the network services filter in Merlin would help block it, but I had also tried parental controls and typing in a fake gateway. However, those last two options caused my camera viewing app on my phone to stop working, so I had to turn them off. I use OWLR on my iPhone, after using OpenVPN to get into my home network.
     
