Yet another malware block script using ipset (v4 and v6)


I had some time looking into wget. I suggest you reduce the number of lists in your run (perhaps take it to the extreme minimal). See if you get a different error.

@who me? Let me know if this helps.

Thank you.
I have tried going to just "https://raw.githubusercontent.com/" to see if it works. It does but it forwards to "https://github.com/". Do you think reducing the number of scripts would still work?
Also, it seems that our modem's IP is under 3 blacklists, according to whatismyipaddress.com. Two are from "Sorbs", and the third one has a dead link.
I'm thinking of either waiting it out until it works again, or seeing if I can handle directly installing Firehol, or similar, and bypassing Github's website.

Thank you again.
 
Do you think reducing the number of scripts would still work?
I believe so, and your experiment has proven that. So perhaps you can strike a balance in between.

Also, it seems that our modem's IP is under 3 blacklists, according to whatismyipaddress.com. Two are from "Sorbs", and the third one has a dead link.

I think the quality of these lists varies a lot. The "modem's IP" hit is perhaps because private addresses are included in some lists.

I'm thinking of either waiting it out until it works again, or seeing if I can handle directly installing Firehol, or similar, and bypassing Github's website.

Worth a try. Don't be too desperate, as your router's default firewall rules are already doing a great job. IP blocking is something "good to have". That said, I looked at OP's script years ago; it's efficient and minimal, two qualities in my book. lol
 
I'm not sure if anybody still follows this thread but wanted to ask about the block list at "https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/ransomware_feed.ipset". (List was updated today.) I was trying to access the https://www.ossec.net/ (185.199.111.153) website for open source HIDS security and it is currently being blocked by the mentioned block list.

My understanding is that www.ossec.net hosts a well-known host security intrusion program, and I'm not sure how it ended up on a ransomware block list. I checked the site that is responsible for list upkeep,
"https://ransomwaretracker.abuse.ch" and 185.199.111.153 is not included in their online search version. I'm guessing that http://iplists.firehol.org adds it but not sure, just thought it seemed strange. I can whitelist it and get to it but not sure it should be included in the ransomware block list.
 
I had been having strange problems with major websites for weeks. Rebooted the router again, this time not running this firewall script afterward. Suddenly those sites are working again.
 

I don't use this script (yet at least... I found this thread because I'm looking for good scripts to run on my DD-WRT boxes...) but;

Bro, that's just par for the course for running iptables firewall scripts like this that go grab publicly curated lists. You just need to know that's part of the deal and decide how you want to handle it.

Generally your options are:
  1. Hang out and ride it out, because the list maintainers usually figure this out and/or the malware from 'good sites' gets stifled (not so great if users on your network can't get to major websites constantly)
  2. Use some whitelist feature to whitelist the 'good' sites (best if this is very occasional and/or very specific sites, PITA if it's more than that..)
  3. Combo 1&2...
  4. Figure out which specific list is causing excessive false positives and drop that list from your configuration (best if this keeps happening constantly and you can trace it to a specific list... which is often the case actually...)
  5. Try another script that uses a different set of lists/levels (possibly best if you aren't comfortable with whatever mechanism required to edit the source lists... or if the script you use is dated/not maintained...)
  6. Drop firewall scripts entirely (what you did and ... well... OK... if you just never want to have to deal w/ falsies again and don't care about security)
The only really bad choice is #6.
 

Thank you. I'm new at this, and at using vi (Nano keeps giving an error). Will work on 2 through 5.
For now, I'll reboot the router before going to sites that shouldn't be blocked, then re-launch the script when I'm done. Thanks again.
 
Yeah vi is always fun to learn (re-learn). Could be way worse, could be emacs. HA! Reminds me of a party I was at in Cambridge years ago when I blithely told my poor layman non-programmer-non-geek friend "hey you should probably use vi instead of emacs if you have to work at a UX command line and only have to do basic stuff..." Thereby unleashing the unholy geekrant anger torrent from hell, because, turns out the party host was literally president of the worldwide.emacs.jihadii.institute or whatever it is. He didn't actually throw me out of the party, but, that was probably only because he was an MIT brainiac and not really that physically violent.

Those emacs people are eeeeeeffffed up man. [10 minutes later deluged in hacks/threats/doxxed/false law enforcement reports/IRS audits]
 
As if we don't have enough already :p

Here is yet another malware blocking script that uses ipset (v4 and v6). So why put up another one?
  • Over 650 Million unique IPs blocked
  • Simpler (minimalist script with only 26 lines, which includes a couple of blank lines and comment lines)
  • Quicker (about 20 secs typical runtime with default lists depending on CPU load, processing power and bandwidth)
  • Fewer CPU cycles for your router to load the lists (kinda saying the same thing as above)
  • Entware not required (Can run without extended packages or external storage)
  • Only one single preprocess file created in /tmp (that is removed right afterward)
  • Also supports both ipset v4 and ipset v6
  • Overcomes ipset-v4 limitation to handle more than 64k elements by splitting into multiple sets.
  • Can also be run in cru
  • You can manually whitelist specific IPs
  • Starting with version 2.3, you can manually blacklist discrete IPs and/or CIDR ranges in addition to the lists defined in the urls file.
  • Blocks on the PREROUTING chain of the iptables raw table (affects both traffic initiated by malware sources and also traffic initiated inside your LAN trying to connect to malware destinations)
  • Works on other firmwares (Tomato by Shibby, for example). Script here.
As much as I love this script, I need to ask for help. I could be missing something in your documentation, but half of the internet doesn't work, so I had to remove it. Can I just use level 1, or do I have no choice but levels 1 through 4? I see your comment says that you can choose an option; how does one choose the options? Sorry for the question if it's already answered.
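To make concrete what the OP's feature list describes (whitelisting, splitting a list into sets of at most 64k entries, and blocking on the PREROUTING chain of the raw table) and the whitelist option from the false-positive discussion above, here is an added example that is not the thread's script. It assumes ipset v6 restore syntax and a constructed sample feed; the set prefix `blk` and the 64k split size are illustrative.

```shell
#!/bin/sh
# Added example (not the thread's script): turn a FireHOL-style .ipset list into
# `ipset restore` input, drop manually whitelisted entries, split into sets of
# at most MAX entries, and print the raw-table PREROUTING rules for each set.

# Constructed sample feed and whitelist (one IP or CIDR per line, '#' comments).
FEED_FILE=$(mktemp); WL_FILE=$(mktemp)
trap 'rm -f "$FEED_FILE" "$WL_FILE"' EXIT
cat >"$FEED_FILE" <<'EOF'
# constructed_feed.ipset (sample data, not a real feed)
192.0.2.10
192.0.2.0/24
198.51.100.7
203.0.113.0/25
185.199.111.153
EOF
cat >"$WL_FILE" <<'EOF'
# manual whitelist: entries removed before loading (the www.ossec.net case)
185.199.111.153
EOF

# build_ipset_restore FEED WHITELIST MAX PREFIX
# Prints create/add lines for `ipset restore`. Comments and blank lines are
# skipped, exact whitelist matches are dropped, and after every MAX entries a
# new set PREFIX_N is started (older ipset v4 builds cap a set at 64k elements).
build_ipset_restore() {
    awk -v max="$3" -v prefix="$4" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        FILENAME == ARGV[1] { wl[$1] = 1; next }   # first file is the whitelist
        $1 in wl { next }                          # whitelisted: do not block
        n % max == 0 { set = prefix "_" (n / max + 1)
                       print "create " set " hash:net family inet -exist" }
        { print "add " set " " $1 " -exist"; n++ }
    ' "$2" "$1"
}

# emit_iptables_rules < RESTORE_SCRIPT
# Hooks each created set into the raw table's PREROUTING chain: "src" drops
# packets from listed sources, "dst" drops LAN clients' packets towards listed
# destinations, because PREROUTING sees traffic entering on every interface.
emit_iptables_rules() {
    awk '$1 == "create" {
        print "iptables -t raw -I PREROUTING -m set --match-set " $2 " src -j DROP"
        print "iptables -t raw -I PREROUTING -m set --match-set " $2 " dst -j DROP"
    }'
}

# On a router you would pipe this into `ipset restore` and then run the rules
# printed by emit_iptables_rules; here it only prints what would be loaded.
build_ipset_restore "$FEED_FILE" "$WL_FILE" 65536 blk
```

The whitelist is an exact-match filter: an address inside a listed CIDR (192.0.2.10 sits in 192.0.2.0/24 above) is still blocked, so an address-level exception needs its own ACCEPT rule ahead of the DROP rules.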
 
This script has not been updated for a while. Have you looked at Skynet, which is very well maintained?
https://www.snbforums.com/threads/release-skynet-router-firewall-security-enhancements.16798/
 