Menu
What's new
By:
Filters Better Search

Yet another malware block script using ipset (v4 and v6)

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

@redhat27:
Thank you VERY MUCH! The script does not show any errors in Tomato logs neither when run via SSH.
Is there other simple way to check if its working?

P.
 
You can use next command to monitor malware packets been dropped

iptables -vL -t raw

If you see chain pkts counter goes up that means your firewall is doing it's thing.
 
thanks for this as i've been wondering if it was possible to do it!
/jffs/scripts/ya-malware-block.sh: Loaded sets YAMalwareBlock1IP (53445) and YAMalwareBlockCIDR (5811) in 11 seconds

RT-AC68U here on a gigabit fibre connection. I'll see if any of my regular sites break and then play around with the whitelist mentioned on page 1!
cheers
peter
 
Last edited:
moooooooo said:
thanks for this as i've been wondering if it was possible to do it!
/jffs/scripts/ya-malware-block.sh: Loaded sets YAMalwareBlock1IP (53445) and YAMalwareBlockCIDR (5811) in 11 seconds

RT-AC68U here on a gigabit fibre connection. I'll see if any of my regular sites break and then play around with the whitelist mentioned on page 1!
cheers
peter
Click to expand...

Have a look at post #420.
You can make the script even better by implementing what's mentioned there.
(Put the code in between the "esac" and "startTS" command to the ya-malware-block.sh script.)

I hope @redhat27 will add this, but he seems to be offline quite a lot.
 
Last edited:
Builder71 said:
Have a look at post #420.
You can make the script even better by implementing what's mentioned there.
(Put the code in between the "esac" and "startTS" command to the ya-malware-block.sh script.)

I hope @redhat27 will add this, but he seems to be offline quite a lot.
Click to expand...

Version 2.5 (just uploaded in github) will take care of the issue of removing older ipsets and rules if they are no longer needed.
 
Thx!

Also read your Git comment.
To make sure I understand it correct.

I don't change my ya-malware-block.urls file at all.
It's just the active urls in it make I often go up and down around 65k.
Simply because the content changes a bit grabbed from the urls.

Does your change account for that?
 
Builder71 said:
I don't change my ya-malware-block.urls file at all.
Click to expand...
Apologies, I had misunderstood. Regardless, this version should take care of it. Thanks for pushing me to do it. BTW: I should post a similar fix to your other gihub issue soon (create-ipset-lists.sh)

Builder71 said:
Does your change account for that?
Click to expand...
Yes, and just to test it, you can edit the /jffs/ipset_lists/ya-malware-block.urls file and uncomment the level4 url, run it (it creates few more ipsets) check the iptable rules and ipsets, and then comment it back and run it again. You should see the older ipsets and iptables rules removed.
 
Last edited:
redhat27 said:
Apologies, I had misunderstood. Regardless, this version should take care of it. Thanks for pushing me to do it. BTW: I should post a similar fix to your other gihub issue soon (create-ipset-lists.sh)


Yes, and just to test it, you can edit the /jffs/ipset_lists/ya-malware-block.urls file and uncomment the level4 url, run it (it creates few more ipsets) check the iptable rules and ipsets, and then comment it back and run it again. You should see the older ipsets and iptables rules removed.
Click to expand...

Tested as you suggested and works like a charm. :D

Just want to make sure the script isn't looking at the ya-malware-block.urls file being edited or something like that.
Because, in my case, that file is always the same and not the issue here.

As a script noob I can't understand how you fixed it because the script is just too complicated for me. :oops:
Hence my question.
 
No, it's not looking at .urls being edited :)

I've added some new lists to the .urls file in github. These are not included in FireHOL levels 1 through 4:

Counts are as of the time of writing this post and will vary over time:
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/alienvault_reputation.ipset (68255 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/bbcan177_ms1.netset (2565 subnets, 5268567 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/bbcan177_ms3.netset (1146 subnets, 30151694 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/bds_atif.ipset (5022 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/blocklist_de_bots.ipset (143 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/blocklist_de_ssh.ipset (11261 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/blocklist_de_strongips.ipset (104 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/dyndns_ponmocup.ipset (163 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/et_block.netset (1980 subnets, 24411811 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/et_botcc.ipset (728 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/et_compromised.ipset (1801 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/hphosts_exp.ipset (314 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/hphosts_hjk.ipset (57 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/hphosts_mmt.ipset (1136 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/ransomware_feed.ipset (5216 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/ransomware_locky_ps.ipset (3 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/taichung.ipset (10694 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/urandomusto_ssh.ipset (410 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/urandomusto_telnet.ipset (445 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/uscert_hidden_cobra.ipset (627 unique IPs)
Users of this script can update their ya-malware-block.urls file from the GitHub version if they choose to include these additional lists
 
redhat27 said:
No, it's not looking at .urls being edited :)

I've added some new lists to the .urls file in github. These are not included in FireHOL levels 1 through 4:

Counts are as of the time of writing this post and will vary over time:
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/alienvault_reputation.ipset (68255 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/bbcan177_ms1.netset (2565 subnets, 5268567 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/bbcan177_ms3.netset (1146 subnets, 30151694 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/bds_atif.ipset (5022 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/blocklist_de_bots.ipset (143 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/blocklist_de_ssh.ipset (11261 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/blocklist_de_strongips.ipset (104 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/dyndns_ponmocup.ipset (163 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/et_block.netset (1980 subnets, 24411811 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/et_botcc.ipset (728 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/et_compromised.ipset (1801 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/hphosts_exp.ipset (314 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/hphosts_hjk.ipset (57 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/hphosts_mmt.ipset (1136 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/ransomware_feed.ipset (5216 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/ransomware_locky_ps.ipset (3 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/taichung.ipset (10694 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/urandomusto_ssh.ipset (410 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/urandomusto_telnet.ipset (445 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/uscert_hidden_cobra.ipset (627 unique IPs)
Users of this script can update their ya-malware-block.urls file from the GitHub version if they choose to include these additional lists
Click to expand...
Should these new lists be just appended to the bottom of the .url file.
I have already updated to 2.5.
 
Csection said:
Should these new lists be just appended to the bottom of the .url file.
I have already updated to 2.5.
Click to expand...
You can simply replace your .urls file. Let the script redownload it on the next run:
Code: 
rm /jffs/ipset_lists/ya-malware-block.urls
or download it yourself:
Code: 
wget --no-check-certificate -O /jffs/ipset_lists/ya-malware-block.urls https://raw.githubusercontent.com/shounak-de/misc-scripts/master/ya-malware-block.urls

Uncomment Level4 if you want
 
Version 2.5 is working great! :)

Also deleted ya-malware-block.urls to get the new one.
A lot of new urls!
I was still using the below urls because of the recent GitHub drama. ;)
https://iplists.firehol.org/files/firehol_level1.netset
https://iplists.firehol.org/files/firehol_level2.netset
https://iplists.firehol.org/files/firehol_level3.netset
https://iplists.firehol.org/files/firehol_level4.netset

Is it OK if we use Git now?

In the new ya-malware-block.urls file a lot is active. (No # sign in front.)
What about false positives?
Run into that before and then the family goes :mad:. :D
 
I would tend to be an optimist and think that GitHub incident to be a one-off. Let's see if that recurs.
Regarding false positives, I think if a site gets blocked, or something stops working, it should be fairly easy to whitelist: Just ping the domain to verify its blocked, and if it is, then just add that IP to the .whites file and rerun the script. A family typically has a handful of favourite sites (at least mine does) and I've whitelisted what I've seen blocked (I have Level4 active)
 
Need some help

I am having this

/jffs/scripts/ya-malware-block.sh
/jffs/scripts/ya-malware-block.sh: Adding ya-malware-block rules to firewall...
>>> Downloading and aggregating malware sources (also processing whitelists)...[87619/80687/6932] ~18s
>>> Adding data and processing rule for YAMalwareBlock1IP...Can't find library for match `webstr'
~4s
>>> Adding data and processing rule for YAMalwareBlock2IP...Can't find library for match `webstr'
~1s
>>> Adding data and processing rule for YAMalwareBlockCIDR...Can't find library for match `webstr'
~1s
>>> Cleaning up... ~0s
/jffs/scripts/ya-malware-block.sh: Loaded sets YAMalwareBlock1IP (65535) YAMalwareBlock2IP (15152) and YAMalwareBlockCIDR (6932) in 24 seconds


but this shows right

iptables -vL -t raw
Chain PREROUTING (policy ACCEPT 223K packets, 185M bytes)
pkts bytes target prot opt in out source destination
63 3507 DROP all -- any any anywhere anywhere match-set YAMalwareBlockCIDR src
126 5967 DROP all -- any any anywhere anywhere match-set YAMalwareBlock2IP src
194 11880 DROP all -- any any anywhere anywhere match-set YAMalwareBlock1IP src

Chain OUTPUT (policy ACCEPT 16415 packets, 4212K bytes)
pkts bytes target prot opt in out source destination

Any idea?
 
Mircica said:
ASUS RT-AC66U, ASUSWRT Merlin 380 68 4
Click to expand...
Thank you. Can you post the output of these?
Code: 
ipset --version
iptables --version
Also, do you get the 'webstr' library error on each run of the script, or just the first time?
 
ipset --version
ipset v4.5, protocol version 4.
Kernel module protocol version 4.

iptables --version
iptables v1.4.21

each time
 
Mircica said:
ipset --version
ipset v4.5, protocol version 4.
Kernel module protocol version 4.

iptables --version
iptables v1.4.21

each time
Click to expand...
Sorry for the late reply. I'm assuming that you are running the script unmodified. Let me know if that is not the case.

Do you get any output when you issue these commands:
Code: 
iptables-save | grep -q YAMalwareBlockCIDR && echo "found"

iptables -t raw -I PREROUTING -m set --set YAMalwareBlockCIDR src -j DROP
 
You must log in or register to reply here.

Similar threads

A
Helt needed with the yet another antimalware script for the Asus wrt.
Replies
4
Views
535
amnesia
A
MON@H Rasta
Tutorial Using TOR to unblock sites blocked by ISP on [Fork] Asuswrt-Merlin 374 LTS
Replies
14
Views
4K
Vas99
V
mkaand
Tutorial [TUTORIAL] Domain (Policy) based routing with ipset and dnsmaq
Replies
4
Views
4K
mkaand
mkaand
P
IPSET rule keeps disappearing on AC68U
Replies
4
Views
784
peraburek
P
Diamond67
Problem with USB Flash Drive containing Swap File and Entware, no Swap File found after cold boot
2
Replies
25
Views
4K
Diamond67
Diamond67
Similar threads
Thread starter Title Forum Replies Date
D Yet another question about VLANs (any HowTo recommended?) Asuswrt-Merlin 24
S Transfer files to another device (raspi) in the same network Asuswrt-Merlin 3
M Allow admin web GUI access on another interface (tailscale0) Asuswrt-Merlin 0
S Another DNS Director clarification Asuswrt-Merlin 1
Smokindog Might be ready to give AiMesh another look Asuswrt-Merlin 8
D Connecting to internet via another router Asuswrt-Merlin 10
Swistheater Malware /jffs/updater script. Asuswrt-Merlin 167

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 869 (members: 18, guests: 851)
Top