
Yet another malware block script using ipset (v4 and v6)

Discussion in 'Asuswrt-Merlin' started by redhat27, May 4, 2017.

  1. Mircica

    Mircica New Around Here

    Joined:
    Nov 3, 2017
    Messages:
    5
    Running the script unmodified.

    Code:
    iptables-save | grep -q YAMalwareBlockCIDR && echo "found"
    Can't find library for match `webstr'
    found

    Code:
    iptables -t raw -I PREROUTING -m set --set YAMalwareBlockCIDR src -j DROP
    --set option deprecated, please use --match-set
     
  3. redhat27

    redhat27 Very Senior Member

    Joined:
    Jul 29, 2016
    Messages:
    508
    Thank you, that explains quite a bit. The --set option has been deprecated in iptables 1.4.x.
    Since ipset 4.x is on older hardware, I had assumed that iptables would stay 1.3.x.

    For now, the error is harmless, and if you do not like seeing the 'webstr' library error, you can safely use the tomato version of the script. See post #1 for the link. I'll update the script to deal with the deprecated option when using iptables 1.4.x with ipset 4.x when I get some time.

    Please let me know if this interim solution works for you.
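    The --set versus --match-set problem above can be handled without hard-coding either option. The following is an added example (my own code, not redhat27's script from post #1 or any later version of it): it probes what the installed iptables set match actually advertises and builds the thread's DROP rule with whichever option is accepted, inserting it only once. The set name YAMalwareBlockCIDR and the rule are from the thread; the function names, the assumption that `iptables -m set --help` lists the option name, and the two help texts used for the offline demo are mine.

```shell
#!/bin/sh
# Added example; not the thread's script. Pick the "-m set" option by probing
# what the installed iptables advertises instead of hard-coding --set
# (deprecated in 1.4.x, per the warning quoted in the thread) or --match-set
# (unknown to older builds). Function names are this example's own.

# $1: text from "iptables -m set --help" (assumed to list the option name).
# Prints --match-set if the installed match knows it, otherwise --set.
set_match_opt_from_help() {
    if echo "$1" | grep -q -- '--match-set'; then
        echo "--match-set"
    else
        echo "--set"
    fi
}

# Assemble the thread's rule: drop packets whose source is in set $1,
# using option $2. Returned as one line so it can be logged before use.
block_rule_args() {
    echo "-t raw -I PREROUTING -m set $2 $1 src -j DROP"
}

# Return 0 if the saved ruleset ($2, output of iptables-save) already has a
# "-m set" rule for set $1, whichever option spelling was used to add it.
rule_present() {
    echo "$2" | grep -q -- "-m set [-a-z]* $1 src"
}

# On the router: probe the match once, then insert the rule only if missing.
ensure_block_rule() {
    setname="$1"
    opt=$(set_match_opt_from_help "$(iptables -m set --help 2>&1)")
    if rule_present "$setname" "$(iptables-save 2>/dev/null)"; then
        echo "rule for $setname already present"
        return 0
    fi
    # shellcheck disable=SC2046  # word splitting of the argument string is intended
    iptables $(block_rule_args "$setname" "$opt")
}

# Offline demo with constructed help texts (not real iptables output).
# On the router call:  ensure_block_rule YAMalwareBlockCIDR
OLD_HELP='set match options:
 --set name flags[,flags]'
NEW_HELP='set match options:
[!] --match-set name flags[,flags]'
echo "old iptables -> $(set_match_opt_from_help "$OLD_HELP")"
echo "new iptables -> $(set_match_opt_from_help "$NEW_HELP")"
```

    The probe is deliberately on the match's help output rather than on the version number, because the option name depends on the set match library that was built with iptables, not only on the iptables release.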
     
  4. Mircica

    Mircica New Around Here

    Joined:
    Nov 3, 2017
    Messages:
    5
    Thank you very much!
    You are such a nice person.
    I will stay and wait till you update the script, then I will ask you how to add telemetry blocking :)
     
  5. t0d

    t0d New Around Here

    Joined:
    Oct 24, 2017
    Messages:
    1
    Sorry for the noobish question, but how do I find out if traffic to a certain address is being blocked by this script?

    Also, don't know if this was reported or not, but if there is a newline at the end of the .whites file, the script does not load all of the lists.

    Example:
    Code:
    >>> Downloading and aggregating malware sources (also processing whitelists)...[0/0/0] ~12s
    >>> Adding data and processing rule for YAMalwareBlock1IP... ~1s
    >>> Adding data and processing rule for YAMalwareBlockCIDR... ~0s
    >>> Cleaning up... ~0s
    /jffs/scripts/ya-malware-block.sh: Loaded sets YAMalwareBlock1IP (1) and YAMalwareBlockCIDR (1) in 13 seconds
     
    Last edited: Nov 10, 2017
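    The symptom t0d reports (a trailing newline in the .whites file changing what gets loaded) is a list-file parsing edge case. As an added example, and not code from the thread's script, here is one way to read such a file so that blank lines, CRLF endings, comments, and a present or absent final newline cannot change the set of entries, plus a check that flags entries which are not IPv4 addresses or CIDRs before they reach ipset. The .whites/.blacks filenames are the thread's; the function names and the sample file content are mine.

```shell
#!/bin/sh
# Added example, not the thread's script: robust reading of a whitelist or
# blacklist file (the thread's ya-malware-block.whites / .blacks).
# Function names are this example's own.

# Print the entries of list file $1, one per line, normalised: CRs dropped,
# "#" comments removed, surrounding whitespace trimmed, empty lines skipped.
list_entries() {
    # The extra "echo" guarantees a final newline, so the last entry of a
    # file without one is not dropped by line-oriented tools such as wc.
    { cat "$1"; echo; } | tr -d '\r' | sed -e 's/#.*$//' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# Number of real entries; "wc -l" on the raw file would count blank lines too.
list_count() {
    list_entries "$1" | wc -l | tr -d ' '
}

# Return 0 if $1 is an IPv4 address or IPv4 CIDR (format check only).
is_ipv4_or_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Print entries of list $1 that are not IPv4/CIDR, so a stray line is seen
# instead of making an "ipset add" fail partway through the load.
list_invalid() {
    list_entries "$1" | while IFS= read -r e; do
        is_ipv4_or_cidr "$e" || echo "$e"
    done
}

# Offline demo on a constructed file with a comment, CRLF and trailing blank line.
DEMO_FILE=$(mktemp)
printf '1.2.3.4\n# comment\n10.0.0.0/8  \r\n\n' > "$DEMO_FILE"
echo "entries: $(list_count "$DEMO_FILE")"
list_invalid "$DEMO_FILE"
rm -f "$DEMO_FILE"
```

    Feeding `list_entries` into the loader instead of the raw file means a trailing blank line, or a file saved on Windows with CRLF endings, yields exactly the same entries as a clean file.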
  6. redhat27

    redhat27 Very Senior Member

    Joined:
    Jul 29, 2016
    Messages:
    508
    You can try to see if the IP of the TLD of your test address is in the YAMalwareBlock* ipsets by using a shell function such as this one. To get the IP you can do an nslookup or ping the domain.
    If you get no response on ping, it's blocked by the iptables rule on the ipset (if it's in one of the YAMalwareBlock* ipsets)

    If you do get a ping response, it's not being blocked by YAMalwareBlock. If you get a local address, you may be using DNS poisoning (for example for adblock), which is a different way of "blocking", and is not related to this script.
     
  7. redhat27

    redhat27 Very Senior Member

    Joined:
    Jul 29, 2016
    Messages:
    508
    Did the tomato version work without issues?
    Microsoft Telemetry is already blocked. The first URL in the ya-malware-block.urls file uses a static list of telemetry and some scanner IPs.
     
  8. mrfrank9

    mrfrank9 New Around Here

    Joined:
    Jan 12, 2017
    Messages:
    3
    Hi,
    I am using ya-malware-block.blacks to block certain IPs - working OK. Is there a way to block domains by name, i.e. *.UBLOCK.ME, using the blacklist, or should I use something like DNSMASQ to do it?
    Thanks in Advance !!!
     
  9. thelonelycoder

    thelonelycoder Part of the Furniture

    Joined:
    Jan 23, 2014
    Messages:
    4,623
    Location:
    Switzerland
    For in or outgoing connections?
    Dnsmasq only works for outgoing DNS requests. You could add it to it with a custom config file.
     
  10. redhat27

    redhat27 Very Senior Member

    Joined:
    Jul 29, 2016
    Messages:
    508
    @mrfrank9 Yes, adding to what @thelonelycoder said, if you are worried about inbound connections from the domain, you should use this script (firewall).

    If you are trying to block outbound connections to a particular domain for your whole LAN, you may use DNS poisoning. These are very different ways of "blocking": When you request the IP for the domain you want to block, DNS poisoning will allow you to specify a different (safe) IP instead of the domain's IP. However, if you have an alternate way to resolve the IP (you know the IP or look it up some other way), then you'll still be able to connect to it. If you use iptables as this script does, then even if you know the IP, you'll be able to deny a connection (outbound or inbound).

    If you do want to add all the IPs a domain resolves to to the blacklist file for this script, you can use hostip or nslookup to look up IPs for the domain and add those IPs to the ya-malware-block.blacks file.
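    The two procedures redhat27 describes (in post 6, looking up a domain's address and checking whether one of the YAMalwareBlock* sets contains it; in post 10, looking up all of a domain's addresses and adding them to ya-malware-block.blacks) share one step: turning nslookup output into a list of addresses. The following is an added example of both, written by me and not taken from the thread's script. The set names and the .blacks filename are from the thread; the function names, the use of `ipset test` (ipset 6 syntax; ipset 4.x spells it `ipset -T`), and the nslookup output used for the offline demo, which is constructed, are my own.

```shell
#!/bin/sh
# Added example, not the thread's script. Resolve a domain, check its
# addresses against the YAMalwareBlock* ipsets, and append them to the
# blacklist file without duplicates. Function names are this example's own.

# Extract the answer-section addresses from nslookup output passed as $1.
# nslookup prints the resolver's own address first ("Server:"/"Address:"),
# which must not be mistaken for an answer, so lines before "Name:" are skipped.
# Handles both "Address: 1.2.3.4" and busybox's "Address 1: 1.2.3.4 hostname".
ips_from_nslookup() {
    echo "$1" | awk '
        /^Name:/ { seen = 1; next }
        seen && /^Address/ {
            sub(/^Address[^:]*:[[:space:]]*/, "")   # drop "Address:" / "Address 1:"
            sub(/[[:space:]].*$/, "")               # drop a trailing hostname
            print
        }'
}

# Resolve domain $1 with the system nslookup; prints one address per line.
resolve_ips() {
    ips_from_nslookup "$(nslookup "$1" 2>/dev/null)"
}

# For each address in $2 (newline separated) report whether ipset $1 holds it.
# "ipset test" exits 0 when the element, or a CIDR covering it, is in the set.
check_in_set() {
    setname="$1"
    command -v ipset >/dev/null 2>&1 || { echo "ipset not available" >&2; return 1; }
    echo "$2" | while IFS= read -r ip; do
        [ -n "$ip" ] || continue
        if ipset test "$setname" "$ip" >/dev/null 2>&1; then
            echo "$ip: in $setname (dropped by the iptables rule on that set)"
        else
            echo "$ip: not in $setname"
        fi
    done
}

# Append the addresses in $2 to blacklist file $1, skipping ones already
# present (exact, whole-line match). Prints how many were actually added.
append_to_blacklist() {
    file="$1"; added=0
    [ -f "$file" ] || : > "$file"
    for ip in $2; do
        if ! grep -qxF "$ip" "$file"; then
            echo "$ip" >> "$file"
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# Constructed nslookup output (busybox style) for an offline demo; on the router:
#   ips=$(resolve_ips telemetry.example.invalid)
#   check_in_set YAMalwareBlockCIDR "$ips"; check_in_set YAMalwareBlock1IP "$ips"
#   append_to_blacklist ya-malware-block.blacks "$ips"   # in the script's directory
SAMPLE_NSLOOKUP='Server:    192.168.1.1
Address 1: 192.168.1.1 router.lan

Name:      telemetry.example.invalid
Address 1: 203.0.113.10 telemetry.example.invalid
Address 2: 203.0.113.11 telemetry.example.invalid'
ips_from_nslookup "$SAMPLE_NSLOOKUP"
```

    One caveat for the blacklist route redhat27 mentions: the addresses a domain resolves to today are not the ones it resolves to tomorrow, particularly behind a CDN, so the lookup-and-append step has to be repeated, which is exactly why the DNS-level approach is easier for the "stop the appliance phoning home" case even though it is weaker.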
     
  11. mrfrank9

    mrfrank9 New Around Here

    Joined:
    Jan 12, 2017
    Messages:
    3
    Thanks!
    I have an appliance that i want to stop taking upgrades and the company uses several domains through a distribution service.
    Might be a tad tedious to find and add all those IPs to the black list so - I'm going to try DNSMASQ first and see how well it works, assuming that my device can't update if it is unable to respond back to the mother-ship. The config file already has some entries, so should be easy (or lazy) for me to add a few more!

    mrfrank9
     
  12. redhat27

    redhat27 Very Senior Member

    Joined:
    Jul 29, 2016
    Messages:
    508
    Do not know if this would be a valid option for you, but you can easily block a device's access to the internet from the web UI. If you need a more fine grained approach, @Martineau has an excellent script for that.
     
  13. mrfrank9

    mrfrank9 New Around Here

    Joined:
    Jan 12, 2017
    Messages:
    3
    redhat27,
    Unfortunately, this device (Smart TV) needs to access the internet. It does look like that script could be modified to only block the sites I have listed once I do nslookup on all the domain sites.

    For sure I really need to do more learnin' on iptables...

    thanks for pointing to the thread lots of good info and references!

    mrfrank9
     
  14. jorn

    jorn New Around Here

    Joined:
    Oct 13, 2014
    Messages:
    1
    Location:
    Minneapolis
    I'm baffled. My RT-AC87 (385_5b2) tosses me "/jffs/scripts/ya-malware-block.sh: No space left on device" when the gui reports "62.00 / 62.75 MB" for jffs.
     
  15. Adamm

    Adamm Very Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    1,682
    Redhat has been inactive for around 7 months, you are unfortunately unlikely to find support here. Unfortunate as he was a pretty smart guy, we used to bounce ideas off each-other frequently.
     
  16. john9527

    john9527 Part of the Furniture

    Joined:
    Mar 28, 2014
    Messages:
    5,777
    Location:
    United States
    That's used space.....62 used out of 62.75 seems pretty full to me :)
     
  17. c84

    c84 Occasional Visitor

    Joined:
    May 10, 2018
    Messages:
    11
    Location:
    Europe, NO
    Sad to hear Redhat is gone, this was pretty smart. Is there any use of the script? I think Skynet is overkill for my needs and there are so many sites that disable access with any adblock so I can just forget that part. The country blocking is overkill as well. Think I only need to stop m$ calling home, dunno what else would be calling home. AC-66U

    I wasn't a noob back in the days with ipchains, but iptables are different. Remember I even ran a gfx version of SNMP for fun. This was back in 2001.

    Would love to contribute, but dunno where to begin. Nonetheless, unsure if I'll switch to DD-WRT since the AC-66U is no longer supported.
     
  18. redhat27

    redhat27 Very Senior Member

    Joined:
    Jul 29, 2016
    Messages:
    508
    Not gone gone... Just gone dormant ;)
     
    HuskyHerder and c84 like this.
  19. redhat27

    redhat27 Very Senior Member

    Joined:
    Jul 29, 2016
    Messages:
    508
    @jorn Like @john9527 said, your /jffs mount is pretty full. Maybe free up some space?
     
  20. redhat27

    redhat27 Very Senior Member

    Joined:
    Jul 29, 2016
    Messages:
    508
    My new job (and my family) is keeping me quite occupied :oops: Besides, there hasn't been much interest lately, so I didn't log in much.
     
  21. c84

    c84 Occasional Visitor

    Joined:
    May 10, 2018
    Messages:
    11
    Location:
    Europe, NO
    Well, nice to see you drop by, even though I haven't been here for long. Well, family first, then the rest! You have my favorite distro icon and name. RH 5.0 was the first Linux distro I ran, then Slackware 7 off my first server.

    I'd like to pick up on this, but I lack knowledge since in my time I was using ipchains. Do you have the script updated on GitHub or is it in the first post? I just noticed that my router (AC66U) is older than I thought, but as we said: "One man's trash is another's Linux server".

    I don't know where to start or pickup since I don't have a "crowd".
     