Yet another malware block script using ipset (v4 and v6)

Discussion in 'Asuswrt-Merlin' started by redhat27, May 4, 2017.

  1. redhat27

    redhat27 Very Senior Member

    Joined:
    Jul 29, 2016
    Messages:
    508
    Thank you! Do feel free to submit a PR to contribute your changes, or fork my repo :), even though there isn't much there. That's what open source is all about. The link to my Github repo is in post #1.

    I too have an older AC66U: It hasn't given me any problems to incentivize me to upgrade it. This ya-malware-block script runs every 6 hours and that too hasn't given me any reason to change it. It works without issues, and I've left it at that all this time. To be quite frank, I haven't tinkered around with the router much in the recent months, except updating the pixelserv-tls with kvic's excellent work.
     
    kvic and c84 like this.
  3. c84

    c84 Occasional Visitor

    Joined:
    May 10, 2018
    Messages:
    11
    Location:
    Europe, NO
    Thanks a lot for the answer! The AC66U works like a charm here, so I'll do the same as you. If I or a friend make any changes to your code, I'll be sure to mention you. Wish you the best with the family; I'd rather have kids and a wife than all this spare time. Others say that's something I'll regret saying after I get a wife and kids, heheh. Best wishes! :)
     
  4. MasterBash

    MasterBash Regular Contributor

    Joined:
    Apr 3, 2013
    Messages:
    133
    Would this work well with the AC86U?

    Also would it make sense to use along with ab-solution and skynet?
     
  5. mrchow

    mrchow Occasional Visitor

    Joined:
    Jan 5, 2017
    Messages:
    20
    Yup

    It wouldn’t make sense to run skynet and yamalwareblock at the same time. If you install skynet after ya-malware-block, you’d receive an error since it checks if the script is installed. They share similar IPSet lists for blocking malware anyway (assuming you have malware banning enabled in skynet).


     
  6. c84

    c84 Occasional Visitor

    Joined:
    May 10, 2018
    Messages:
    11
    Location:
    Europe, NO
    Is there an easy way to import this into Windows? My router is no longer supported, so I had to switch back to stock (Asus 66AC, rev 1). Thanks a lot! PS: I know that there is support for xterm in Windows, but not sure if this will do the trick.
     
  7. OKLY

    OKLY Occasional Visitor

    Joined:
    Sep 19, 2014
    Messages:
    26
    @redhat27 Even if there is less support for this, does it still require any updating to the script? Or will it just work fine as long as FireHOL still maintains and updates the lists of IP addresses?
     
  8. kvic

    kvic Part of the Furniture

    Joined:
    Aug 11, 2014
    Messages:
    2,343
    Location:
    22.4399N 114.2222E
    Exactly.

    No break no fix. Keep it simple.

    Also note that an IP blacklist's primary benefit is blocking outgoing traffic to malicious sites. So if you happen to frequently see such blocked traffic, it means some of your LAN clients are possibly infected already.

    Hence, in addition, you'd better turn on anti-virus (Norton/Kaspersky/Ai-Protection/etc). These will give you a far better idea of what's going on and provide further protection.
     
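    The point made above, that repeated outbound hits against the blocklist are a signal about a LAN client rather than about the internet, is easy to act on if the DROP rule logs. The following is an added example, not part of ya-malware-block or of anyone's post in this thread: it tallies netfilter LOG lines by LAN source and flags hosts that cross a threshold. The sample lines are constructed in the standard netfilter LOG format; the "YAMB-DROP" log prefix, br0 as the LAN bridge and /tmp/syslog.log as the log file are assumptions.

```shell
#!/bin/sh
# Added example: find LAN hosts that keep hitting a malware blocklist, from
# netfilter LOG lines. Sample lines are constructed; the "YAMB-DROP" prefix and
# br0 as the LAN bridge are assumptions, not taken from the script.
# Uses only sh, awk and sort, so it runs on a busybox router as well.

SAMPLE_LOG='Nov  8 10:00:01 router kernel: YAMB-DROP IN=br0 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=51234 DPT=443
Nov  8 10:00:02 router kernel: YAMB-DROP IN=br0 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=51235 DPT=80
Nov  8 10:00:03 router kernel: YAMB-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=40 PROTO=TCP SPT=40000 DPT=23
Nov  8 10:00:04 router kernel: YAMB-DROP IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.11 LEN=60 PROTO=UDP SPT=53000 DPT=53
Nov  8 10:00:05 router kernel: YAMB-DROP IN=br0 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=51236 DPT=443'

# outbound_hits LOGTEXT: print "count src", most frequent first, for drops that
# entered on the LAN bridge (IN=br0), i.e. a LAN client reaching out to a
# blocklisted address. Inbound drops (IN=eth0) are background noise and skipped.
outbound_hits() {
  printf '%s\n' "$1" | awk '
    /YAMB-DROP/ && / IN=br0 / {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); hits[$i]++ }
    }
    END { for (s in hits) print hits[s], s }' | sort -rn
}

# suspect_hosts LOGTEXT THRESHOLD: LAN sources with at least THRESHOLD hits.
# These are the machines worth scanning with the anti-virus mentioned above.
suspect_hosts() {
  outbound_hits "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# live_report [LOGFILE] [THRESHOLD]: same thing against the router's syslog.
# /tmp/syslog.log is the Asuswrt-Merlin path (assumption for other firmware).
live_report() {
  log="${1:-/tmp/syslog.log}"
  [ -r "$log" ] || { echo "cannot read $log" >&2; return 1; }
  suspect_hosts "$(cat "$log")" "${2:-5}"
}

# Offline demo on the constructed lines.
outbound_hits "$SAMPLE_LOG"
echo "suspects (>=2 hits):"
suspect_hosts "$SAMPLE_LOG" 2
```

    On the router you would run it as `live_report /tmp/syslog.log 5` from a cron job or a hook, after adding a LOG rule with the chosen prefix in front of the DROP rule; a host that shows up every run is a cleanup job, not a firewall tuning job.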
  9. who me?

    who me? Occasional Visitor

    Joined:
    Apr 28, 2018
    Messages:
    16
    Location:
    California
    I tried to install the Tomato version of ya-malware-block, but ended up losing connection and doing a full reset. Are there posted step-by-step instructions for installing the Tomato version, or would someone be willing to walk me through it? The router is an Asus RT-AC56R running FreshTomato 2018.4 AIO.
    Thank you very much.
     
  10. redhat27

    redhat27 Very Senior Member

    Joined:
    Jul 29, 2016
    Messages:
    508
    @who me?
    One of the things I would check carefully is the download path for the white or black lists. If /jffs does not exist on your router, it will fail. Can you give me a top-level default directory for your router with tomato?
     
  11. who me?

    who me? Occasional Visitor

    Joined:
    Apr 28, 2018
    Messages:
    16
    Location:
    California
    Thank you for your reply. I had enabled JFFS (did not reboot after doing this) and then ran the wget script in post 295 of this thread.
    How do I get the default directory? I apologize for my noobishness.
     
  12. redhat27

    redhat27 Very Senior Member

    Joined:
    Jul 29, 2016
    Messages:
    508
    You do need an "apply" after enabling jffs. Not sure if a reboot is needed for Tomato. @HRearden did confirm it worked for him in #320.
    I would try doing the install from the command line (ssh/telnet session) as detailed in post #1, after creating a /jffs/scripts directory.
     
  13. who me?

    who me? Occasional Visitor

    Joined:
    Apr 28, 2018
    Messages:
    16
    Location:
    California
    It looks like jffs is the problem.
    Formatting jffs gives an error at the end, saying to check the logs for more information. The same exact error appears in the log with no other details.

    I created the /jffs/scripts directory, followed the instructions in post 1 and edited the "wget" url for the Tomato version. Progress went to 100 instantly. Running the "chmod" code got this:
    chmod: /jffs/scripts/ya-malware-block-tomato.sh: No such file or directory

    There doesn't seem to be any trouble with logging bandwidth on a USB stick. What would I need to do to run the script from the USB stick instead of jffs?
    Thank you again.
     
    Last edited: Oct 29, 2018
  14. redhat27

    redhat27 Very Senior Member

    Joined:
    Jul 29, 2016
    Messages:
    508
    @who me? Please change the storage locations to valid locations on your USB stick on lines 5, 6 and 7 of the script.
     
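    The two pieces of advice above (check that /jffs really exists and is usable before installing, and otherwise point the script's storage locations at the USB stick) can be turned into a preflight run from the ssh/telnet session before the wget and chmod steps. This is an added example, not the project's code: the candidate directories (/jffs, a USB mount under /tmp/mnt) are assumptions, and the write probe is there because on Tomato an unformatted JFFS can leave /jffs present as a bare directory on the read-only root, so an existence check alone proves nothing.

```shell
#!/bin/sh
# Added example: preflight checks before installing a script into /jffs/scripts
# or onto a USB stick. Candidate directories are assumptions (/jffs on
# Asuswrt-Merlin and Tomato, a USB mount under /tmp/mnt). Runs on busybox sh.

# is_usable_dir DIR: DIR exists and actually accepts a write. An unformatted or
# unmounted /jffs may exist as a directory on the read-only root filesystem,
# so write a probe file instead of trusting -d alone.
is_usable_dir() {
  d="$1"
  [ -d "$d" ] || return 1
  probe="$d/.write-probe.$$"
  ( : > "$probe" ) 2>/dev/null || return 1
  rm -f "$probe"
  return 0
}

# is_mountpoint DIR: DIR is its own mount (works with busybox and GNU mount
# output, where the mount path is the third field).
is_mountpoint() {
  mount 2>/dev/null | awk -v d="$1" '$3 == d { found = 1 } END { exit !found }'
}

# pick_storage_dir DIR...: print the first usable candidate; non-zero if none.
# Warns when the directory is writable but not a mount of its own, because data
# written there may not survive a reboot (e.g. it is really on tmpfs or root).
pick_storage_dir() {
  for d in "$@"; do
    if is_usable_dir "$d"; then
      is_mountpoint "$d" || echo "warning: $d is writable but not a mountpoint" >&2
      printf '%s\n' "$d"
      return 0
    fi
  done
  return 1
}

# verify_script FILE: after wget and chmod, the file must exist, be non-empty,
# start with a shebang and be executable. A typo in the URL or file name can
# leave nothing usable behind even though wget showed a progress bar.
verify_script() {
  f="$1"
  [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
  IFS= read -r first < "$f"
  case "$first" in
    '#!'*) ;;
    *) echo "not a shell script (no shebang): $f" >&2; return 1 ;;
  esac
  [ -x "$f" ] || { echo "not executable, run: chmod +x $f" >&2; return 1; }
  return 0
}

# Typical use on the router (URL placeholder; not executed in this demo):
#   base=$(pick_storage_dir /jffs /tmp/mnt/usb) || { echo "no writable storage"; exit 1; }
#   mkdir -p "$base/scripts"
#   wget -O "$base/scripts/ya-malware-block.sh" "$URL"
#   chmod +x "$base/scripts/ya-malware-block.sh"
#   verify_script "$base/scripts/ya-malware-block.sh"
```

    If `pick_storage_dir /jffs` fails right after enabling JFFS, apply the setting (and reboot if the firmware asks for it) before retrying; if it keeps failing, the USB path is the fallback, and its value is what goes into the storage variables near the top of the script.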
  15. who me?

    who me? Occasional Visitor

    Joined:
    Apr 28, 2018
    Messages:
    16
    Location:
    California
    Done, including the edits to lines 5,6 and 7. Thank you very much.
    Script run time was 38 seconds.
     
    Last edited: Nov 7, 2018
  16. kvic

    kvic Part of the Furniture

    Joined:
    Aug 11, 2014
    Messages:
    2,343
    Location:
    22.4399N 114.2222E
    Not bad! :D
     
  17. who me?

    who me? Occasional Visitor

    Joined:
    Apr 28, 2018
    Messages:
    16
    Location:
    California
    JFFS seems to work after all. I made a mistake in the script filename (see post 492) :oops:. The script is in /jffs/scripts (checked with vi), but running it with "/jffs/scripts/ya-malware-block.sh" gets this:
    [email protected]:/tmp/home/root# /jffs/scripts/ya-malware-block.sh
    /jffs/scripts/ya-malware-block.sh: Adding ya-malware-block rules to firewall...
    >>> Downloading and aggregating malware sources (also processing whitelists)...wget: bad address 'raw.githubusercontent.com'
    wget: bad address 'raw.githubusercontent.com'
    wget: bad address 'raw.githubusercontent.com'
    wget: bad address 'raw.githubusercontent.com'
    wget: not an http or ftp url: #https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level4.netset
    wget: bad address 'raw.githubusercontent.com'
    wget: bad address 'raw.githubusercontent.com'
    wget: bad address 'raw.githubusercontent.com'
    wget: bad address 'raw.githubusercontent.com'
    wget: bad address 'raw.githubusercontent.com'
    wget: bad address 'raw.githubusercontent.com'
    wget: bad address 'raw.githubusercontent.com'
    wget: bad address 'raw.githubusercontent.com'
    wget: bad address 'raw.githubusercontent.com'
    wget: bad address 'raw.githubusercontent.com'
    wget: bad address 'raw.githubusercontent.com'
    wget: bad address 'raw.githubusercontent.com'
    ^Z[1]+ Stopped /jffs/scripts/ya-malware-block.sh
    [email protected]:/tmp/home/root#

    I didn't know how long it would have kept going, so I used Ctrl-Z to stop it.
    I tried copying and pasting "https://raw.githubusercontent.com/shounak-de/misc-scripts/master/" into a web browser, and got this: "400: Invalid request".

    Same problem now with the USB stick, which was working before.
     
    Last edited: Nov 8, 2018
  18. kvic

    kvic Part of the Furniture

    Joined:
    Aug 11, 2014
    Messages:
    2,343
    Location:
    22.4399N 114.2222E
    "wget: bad address" errors have to do with DNS servers (e.g. dnsmasq, unbound etc.). Check what your system uses and how it's configured. Test independently with another tool such as "nslookup" on raw.githubusercontent.com.

    It could simply be a config error in your DNS servers. Or perhaps your upstream DNS servers are blocking GitHub's domains. Unlikely, but possible.
     
  19. who me?

    who me? Occasional Visitor

    Joined:
    Apr 28, 2018
    Messages:
    16
    Location:
    California
    Thank you. Changing DNS servers didn't help. Here's the result from nslookup (Mac version).

    nslookup raw.githubusercontent.com
    Server: 192.168.1.1
    Address: 192.168.1.1#53

    Non-authoritative answer:
    raw.githubusercontent.com canonical name = github.map.fastly.net.
    Name: github.map.fastly.net
    Address: 151.101.0.133
    Name: github.map.fastly.net
    Address: 151.101.64.133
    Name: github.map.fastly.net
    Address: 151.101.128.133
    Name: github.map.fastly.net
    Address: 151.101.192.133
     
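    Two things stand out in the output posted a few posts up: every download failed with "bad address", and one entry was handed to wget as "#https://...", i.e. a commented-out source line. The added example below is a download preflight that separates those cases; it is not part of ya-malware-block, and the source-list format (one URL per line, '#' comments) and the sample list are assumptions. The DNS check is meant to run on the router itself, because wget there uses the router's own resolver (/etc/resolv.conf), and a successful lookup from a Mac through dnsmasq on 192.168.1.1 does not exercise that path.

```shell
#!/bin/sh
# Added example: preflight for a blocklist source list. Not part of
# ya-malware-block; the list format and the sample list are assumptions.
# Distinguishes: commented-out entries that must never reach wget,
# entries that are not URLs at all, and hosts the router cannot resolve.

SAMPLE_SOURCES='# constructed sample source list
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset

#https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level4.netset
http://example.org/list.txt   # trailing comment
not-a-url
https://iplists.firehol.org/files/firehol_level2.netset'

# active_urls LIST: drop blank lines, full-line and trailing "#" comments, and
# anything that is not an http(s)/ftp URL (the only schemes busybox wget takes).
# Note: this also strips "#fragment" parts, which blocklist URLs do not use.
active_urls() {
  printf '%s\n' "$1" | sed -e 's/#.*$//' -e 's/[[:space:]]*$//' -e '/^$/d' |
    grep -E '^(https?|ftp)://'
}

# url_host URL: the host part, for a DNS check before any download.
url_host() {
  printf '%s\n' "$1" | sed -e 's|^[a-z]*://||' -e 's|[/:].*$||'
}

# resolves HOST: run nslookup the way wget's resolver would see it, on the
# router. The first two lines are the "Server:/Address:" header for the
# resolver itself, so only answer lines after them count. On failure busybox
# prints "can't resolve" to stderr and no answer lines.
resolves() {
  nslookup "$1" 2>/dev/null | awk 'NR > 2 && /Address/ { ok = 1 } END { exit !ok }'
}

# preflight LIST: report every host that does not resolve; return 0 only if
# all do. If every host fails, the problem is the router's resolver, not the
# lists; if one fails, look at that entry.
preflight() {
  rc=0
  for u in $(active_urls "$1"); do
    h=$(url_host "$u")
    resolves "$h" || { echo "cannot resolve $h (check /etc/resolv.conf and dnsmasq on the router)" >&2; rc=1; }
  done
  return $rc
}

# Offline part of the demo: show what would actually be downloaded.
echo "URLs that would be fetched:"
active_urls "$SAMPLE_SOURCES"
```

    `preflight "$(cat /path/to/sources.txt)"` from the router's ssh session gives a yes/no on the resolver before the script spends minutes timing out on every source; on a router where `nslookup raw.githubusercontent.com` fails but the same lookup works from a LAN client, compare /etc/resolv.conf on the router with the DNS servers dnsmasq hands out.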