Skynet Skynet - Router Firewall & Security Enhancements

[Ebag333]

I am Trying to ban a particular ip without any success.
I am trying
sh firewall BANSINGLE=x.x.x.x
I also tried with quotes
sh firewall BANSINGLE="x.x.x.x"

The command is:

sh firewall BANSINGLE

It will then prompt you to enter an IP address. If that doesn't work, see the changes I made to the script below.


So I've been working on this, to get it working on my RT-N66U. What I have working so far works fine for manually entered blocks, but the automatic part not so much.

Where it falls down is right here:

    #iptables -D logdrop -m state --state NEW -j SET --add-set Blacklist src
    #iptables -I logdrop -m state --state NEW -j SET --add-set Blacklist src

It's complaining about -add-set, but from what I'm seeing in documentation that SHOULD be a valid command for that version of iptables.

Unfortunately, I'm no Linux guru. I've read comments about monitoring the syslog, and when a drop is read adding it to the Blacklist ipset. That wouldn't be real time blocking, unless you also reran the firewall script every time (or create a cron job to rerun it every 60 minutes or so?).

Anyway, here are the tweaks I've made to the script.

• In each of the if statements, removed the $ from the value side.
  if [ X"$@" = X"$UNBANSINGLE" ] to if [ X"$@" = X"UNBANSINGLE" ]
  
• Reordered the whitelist/blacklist/blocked countries section, and added some extra echos to troubleshoot which of the ones were failing.
• Commented out the three iptables commands for logdrop.
• I tweaked the BlacklistTotal number to -21 from -26. For some reason, with the IP blocklist empty, it showed -6 (number of non-commented lines in there, coincidence?). -20 worked fine for a while, but then it started showing 1 off between the $NEWAMOUNT and BlacklistTotal (BlacklistTotal showed 1 more than was accurate). -21 seems to work fine, but it might not be accurate until a few IPs are added (or maybe the firewall script is ran a few times?).

See the next post for the actual code.....

 

[Ebag333]

Posting the code in a separate post, to get around the character limit...

#!/bin/sh
#################################################################################################
## - 25/12/2014 ---        RT-AC66U/RT-AC56U/RT-AC68U Firewall Addition v2.5 -          #
###################################################################################################################
###                    ----- Make Sure To Edit The Following Files -----              #
### /jffs/scripts/firewall-start                     <-- Sets up cronjob/iptables rules          #
### /jffs/scripts/firewall                     <-- Blacklists IP's From /jffs/scripts/ipset.txt #
### /jffs/scripts/ipset.txt                     <-- Banned IP List/IPSet Rules              #
###################################################################################################################

##############################
#####Commands / Variables#####
##############################
UNBANSINGLE="unban"          # <-- Remove Single IP From Blacklist
UNBANALL="unbanall"          # <-- Unbans All IPs In Blacklist
REMOVEBANS="removeall"       # <-- Remove All Entries From Blacklist
SAVEIPSET="save"             # <-- Save Blacklists to /jffs/scripts/ipset.txt
BANSINGLE="ban"              # <-- Adds Entry To Blacklist
BANCOUNTRYSINGLE="country"   # <-- Adds entire country to blacklist
BANCOUNTRYLIST="bancountry"  # <-- Bans specified countries in this file
WHITELIST="whitelist"        # <-- Add IPs from path to Whitelist
NEWLIST="new"                 # <-- Create new IPSet Blacklist
DUMPCFE="dumpcfe"              # <-- Dumps current CFE to /jffs/scripts/cfe.dump
UPDATECFE="updatecfe"         # <-- Flash CFE from /jffs/scripts/cfe.flash (reset nvram afterwards)
##############################

start_time=`date +%s`
cat /jffs/scripts/firewall | head -28

#####################################################################################################################################
# - Unban / Unbanall / Removeall / Save / Ban / Country / Bancountry / Whitelist / Hideme / Findme/ DumpCFE / UpdateCFE  / Backup - #
#####################################################################################################################################


if [ X"$@" = X"UNBANSINGLE" ]
then
    echo "Input IP Address To Unban"
    read unbannedip
    logger -t Firewall "[Unbanning And Removing $unbannedip From Blacklist] ... ... ..."
    ipset  -D Blacklist $unbannedip
    echo "`sed /$unbannedip/d /jffs/scripts/ipset.txt`" > /jffs/scripts/ipset.txt
    echo "$unbannedip Is Now Unbanned"

elif [ X"$@" = X"UNBANALL" ]
then
    echo "[Unbanning All IP's] ... ... ..."
    logger -t Firewall "[Unbanning All IP's] ... ... ..."
    ipset --flush Blacklist
    ipset --flush BlockedCountries

elif [ X"$@" = X"REMOVEBANS" ]
then
    nvram set Blacklist=`expr \`ipset -L Blacklist | wc -l\` - 6`
    echo "[Deleting All `echo \`nvram get Blacklist\`` Entries From Blacklist] ... ... ..."
    logger -t Firewall "[Deleting All `echo \`nvram get Blacklist\`` Entries From Blacklist] ... ... ..."
    ipset --flush Blacklist
    ipset --flush BlockedCountries
    ipset --save > /jffs/scripts/ipset.txt

elif [ X"$@" = X"SAVEIPSET" ]
then
    echo "[Saving Blacklists] ... ... ..."
    ipset --save > /jffs/scripts/ipset.txt
    echo "`sed '/crond: USER admin/d' /tmp/syslog.log`" > /tmp/syslog.log

elif [ X"$@" = X"BANSINGLE" ]
then
    echo "Input IP Address"
    read bannedip
    logger -t Firewall "[Adding $bannedip To Blacklist] ... ... ..."
    ipset -q -A Blacklist $bannedip
    echo "$bannedip Is Now Banned"

elif [ X"$@" = X"BANCOUNTRYSINGLE" ]
then
    echo "Input Country Abbreviation"
    read country
    for IP in $(wget -q -O - http://www.ipdeny.com/ipblocks/data/countries/$country.zone)
    do
    ipset -q -A BlockedCountries $IP
    done

elif [ X"$@" = X"BANCOUNTRYLIST" ]
then
    echo "[Banning Spam Countries] ... ... ..."
    for country in pk cn in jp ru sa
    do
        for IP in $(wget -q -O - http://www.ipdeny.com/ipblocks/data/countries/$country.zone)
           do
        ipset -q -A BlockedCountries $IP
    done
    done

elif [ X"$@" = X"WHITELIST" ]
then
    echo "Input file location"
    read WHITELISTFILE
    for IP in `cat $WHITELISTFILE`
    do
    ipset -q -A Whitelist $IP
    echo $IP
    done
    ipset --save > /jffs/scripts/ipset.txt

elif [ X"$@" = X"NEWLIST" ]
then
    echo "Does The Blacklist Need To Be Downloaded? yes/no"
    read ENABLEDOWNLOAD
        if [ X"$ENABLEDOWNLOAD" = X"yes" ]; then
            echo "Input URL For IPSet Blacklist"
            read DOWNLOADURL
            wget -O /jffs/scripts/ipset2.txt $DOWNLOADURL
        fi
    echo "Input New Set Name"
    read SETNAME
    sed -i "s/Blacklist/$SETNAME/g" /jffs/scripts/ipset2.txt
    ipset -q -R  < /jffs/scripts/ipset2.txt
    echo "Successfully Added New Set"


elif [ X"$@" = X"DUMPCFE" ] && [ X"`nvram get model`" = X"RT-AC68U" ]
then
    echo "Dumping CFE"
    logger -t Firewall "[Dumping CFE] ... ... ..."
    OLDCFE="`strings /dev/mtd0 | grep model` - `strings /dev/mtd0 | grep bl_v` - `strings /dev/mtd0 | grep 0:ccode` - `strings /dev/mtd0 | grep et0macaddr` - `strings /dev/mtd0 | grep 0:macaddr` - `strings /dev/mtd0 | grep 1:macaddr` - `strings /dev/mtd0 | grep secret_code`"
    cat /dev/mtd0 > /jffs/scripts/cfe.dump
    echo "Sucessfully Dumped CFE - $OLDCFE"
    logger -t Firewall "Sucessfully Dumped CFE - $OLDCFE"

elif [ X"$@" = X"UPDATECFE" ] && [ X"`nvram get model`" = X"RT-AC68U" ]
then
    echo "Flashing new CFE"
    logger -t Firewall "[Flashing new CFE] ... ... ..."
    OLDCFE="`strings /dev/mtd0 | grep et0macaddr`  `strings /dev/mtd0 | grep 0:macaddr`  `strings /dev/mtd0 | grep 1:macaddr`  `strings /dev/mtd0 | grep secret_code`"
    NEWCFE="`strings /jffs/scripts/cfe.flash | grep et0macaddr`  `strings /jffs/scripts/cfe.flash | grep 0:macaddr`  `strings /jffs/scripts/cfe.flash | grep 1:macaddr`  `strings /jffs/scripts/cfe.flash | grep secret_code`"
        if [ X"`echo $OLDCFE`" = X"`echo $NEWCFE`" ]; then
            echo "Correct Values Detected"
            /jffs/scripts/mtd-write cfe.flash boot && status="Successfully flashed new CFE. `strings /dev/mtd0 | grep bl_v`   `strings /dev/mtd0 | grep 0:ccode`   $NEWCFE"  || status="Failed flashing new CFE"
            logger -t Firewall "$status ... ... ..."
            echo "$status"
        else
            echo "Values Missing From New CFE - Make Sure Values Are Hex'd In" && status="Values Missing From New CFE - Make Sure Values Are Hex'd In"
            echo "Old CFE - $OLDCFE"
            echo "New CFE - $NEWCFE"
            logger -t Firewall "$status ... ... ..."
        fi

else
        if [ X"`nvram get fw_enable_x`" = X"1" ]
        then
            echo "Correct Settings Detected."
        else
            echo "Enabled SPI Firewall"
            nvram set fw_enable_x=1
            nvram commit
        fi

        if [ X"`nvram get fw_log_x`" = X"drop" ]
        then
            echo "Correct Settings Detected"
        else
            echo "Enabled Firewall Logging"
            nvram set fw_log_x=drop
            nvram commit
        fi

        if [ X"`nvram get clkfreq`" != X"1200,800" ] && [ X"`nvram get model`" = X"RT-AC68U" ]
        then
            echo "Enabled Overclock - Current Clock `nvram get clkfreq`"
            nvram set clkfreq=1200,800
            nvram commit
        else
            echo "Correct Settings Detected."
        fi


    echo "`sed '/IP Banning Started/d' /tmp/syslog.log`" > /tmp/syslog.log
    echo "[IP Banning Started] ... ... ..."
    logger -t Firewall "[IP Banning Started] ... ... ..."
    ipset -q -R  < /jffs/scripts/ipset.txt

    echo "[Loading Blacklist] ... ... ..."
    ipset -q -N Blacklist iphash
    iptables -D INPUT -m set --set Blacklist src -j DROP
    iptables -I INPUT -m set --set Blacklist src -j DROP

    echo "[Loading Blocked Countries] ... ... ..."
    ipset -q -N BlockedCountries nethash
    iptables -D INPUT -m set --set BlockedCountries src -j DROP
    iptables -I INPUT -m set --set BlockedCountries src -j DROP

    echo "[Loading Whitelist] ... ... ..."
    ipset -q -N Whitelist nethash
    iptables -D INPUT -m set --set Whitelist src -j ACCEPT
    iptables -I INPUT -m set --set Whitelist src -j ACCEPT
    ipset -q -A Whitelist 192.168.1.0/24
    ipset -q -A Whitelist 192.168.0.0/24
    ipset -q -A Whitelist 192.3.148.0/24
    ipset -q -A Whitelist `nvram get lan_ipaddr`/24

    #iptables -D logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options  > /dev/null 2>&1
    #iptables -D logdrop -m state --state NEW -j SET --add-set Blacklist src
    #iptables -I logdrop -m state --state NEW -j SET --add-set Blacklist src

    echo "`sed '/DROP IN=/d' /tmp/syslog.log`" > /tmp/syslog.log
    echo "`sed '/DROP IN=/d' /tmp/syslog.log-1`" > /tmp/syslog.log-1

fi

###############
# - Logging - #
###############
OLDAMOUNT=`nvram get Blacklist`
nvram set Blacklist=`expr \`ipset -L Blacklist | wc -l\` - 6 `
NEWAMOUNT=`nvram get Blacklist`
#nvram set BlacklistTotal=`expr \`ipset -L | wc -l\` - 21`
start_time=$(expr `date +%s` - $start_time)
echo "[Complete] $NEWAMOUNT IPs currently banned. `expr $NEWAMOUNT - $OLDAMOUNT` New IP's Banned. `nvram get BlacklistTotal` Banned Overall [`echo $start_time`s]"
logger -t Firewall "[Complete] $NEWAMOUNT IPs currently banned. `expr $NEWAMOUNT - $OLDAMOUNT` New IP's Banned. `nvram get BlacklistTotal` Banned Overall [`echo $start_time`s]"

 

[fryedchikin]

The Whitelist rule needs to come before the Blacklist rule otherwise its essentially useless. The intent of the Whitelist is to always allow access from those addresses, even if something should trigger them getting added to the Blacklist.

 

[Ebag333]

The Whitelist rule needs to come before the Blacklist rule otherwise its essentially useless. The intent of the Whitelist is to always allow access from those addresses, even if something should trigger them getting added to the Blacklist.

And by "before" you really mean "after"?

Makes sense. The original script had the cleanup done in reverse order of the insert.

 

[fryedchikin]

lol..yeah, I was thinking order of execution. "After" in the actual script would also be correct

 

[majeedun]

Can this be modified to be run on XVortex RMerlin for R7000? Can I just comment the lines about CFE backup and flash (since I didn't flash modified CFE and chose to stay on Netgear). I have a very stable working version 380.57 and I want to try this script. Thanks

 

[octopus]

Can this be modified to be run on XVortex RMerlin for R7000? Can I just comment the lines about CFE backup and flash (since I didn't flash modified CFE and chose to stay on Netgear). I have a very stable working version 380.57 and I want to try this script. Thanks

Sorry but Netgear R7000 isnt supported by RMerlins fork.
Support here: http://www.linksysinfo.org/index.php?threads/asuswrt-merlin-on-netgear-r7000.71108/
Supported devices are ASUS:
* RT-N66U
* RT-AC66U
* RT-AC56U
* RT-AC68U
* RT-AC68P
* RT-AC87U
* RT-AC3200
* RT-AC88U
* RT-AC3100
* RT-AC5300

 

[majeedun]

Sorry but Netgear R7000 isnt supported by RMerlins fork.
Support here: http://www.linksysinfo.org/index.php?threads/asuswrt-merlin-on-netgear-r7000.71108/
Supported devices are ASUS:
* RT-N66U
* RT-AC66U
* RT-AC56U
* RT-AC68U
* RT-AC68P
* RT-AC87U
* RT-AC3200
* RT-AC88U
* RT-AC3100
* RT-AC5300

Thank you

 

[Ebag333]

Can this be modified to be run on XVortex RMerlin for R7000? Can I just comment the lines about CFE backup and flash (since I didn't flash modified CFE and chose to stay on Netgear). I have a very stable working version 380.57 and I want to try this script. Thanks

The script mostly uses ipset and iptable. Assuming you have a place for the script to live (like jffs), and a way to run it, there's no reason you couldn't come up with a way to do it. How much of an adaptation that'd be, I have no idea.

 

[Poopiepants]

Ebag333

I copied your script and now it's working for me now.
I think the original script might be broken, perhaps after some updates to the router software?
I will monitor and check to make sure the country and single bans are working properly.

How do you check the logs to see what parts of the script are failing?
The regular log button inside the router gui?

Thanks for all your help!

 

[Ebag333]

I copied your script and now it's working for me now.
I think the original script might be broken, perhaps after some updates to the router software?
I will monitor and check to make sure the country and single bans are working properly.

How do you check the logs to see what parts of the script are failing?
The regular log button inside the router gui?

Thanks for all your help!

I don't know the original script was broken, but I suspect a few parts didn't work quite right. Since it's a different version of iptables and ipset, it's hard to say.

If you have ssh setup, you can run the script or individual commands manually. You may need to add some additional debug logging to the script, but any errors should kick out.

 

[Poopiepants]

After a night of testing it looks like there are still some issues.
The singlebanip is not working properly.
It's not banning IP's I add but if I use the command ipset -A Blacklist 69.162.124.228 it states it's already there.
It does say it added the IP but it still passes through the traffic.
Telnet port (23) is being forwarded to my workstation.
Could it be that it forwards port 23 first and doesn't bother blocking traffic?


The one change, if I had the knowledge would be to switch from ipdeny to ipblocklist for countries and other lists.
Ipdeny seems to be missing a lot ranges from China and it would be nice to use other lists not specifically related to countries.
Iblocklist has some really good pay lists that are only 10.00 a year, that are related to spam, bots, malware, exploits etc.

I also use on my pc peerblock with Ipblocklist, so I see what countries are failing with ipdeny.

Thanks for all your fine work, it has made my life easier.

 

[Ebag333]

After a night of testing it looks like there are still some issues.
The singlebanip is not working properly.
It's not banning IP's I add but if I use the command ipset -A Blacklist 69.162.124.228 it states it's already there.
It does say it added the IP but it still passes through the traffic.
Telnet port (23) is being forwarded to my workstation.
Could it be that it forwards port 23 first and doesn't bother blocking traffic?

What is the exact command you're using? Banning a single IP works fine for me, I haven't messed with banning countries at all.

What router are you using this on?

The one change, if I had the knowledge would be to switch from ipdeny to ipblocklist for countries and other lists.

Country bans will never be perfect. Lists will lag behind the actual changes, plus there are plenty of ways to mask what country you are coming from. I have no plans to use country bans personally.

 

[sfx2000]

The problem with scripts like this is they are reactive and static - and can't respond quickly to new threats unless someone is watching logs and updating the scripts for new hosts...

Fail2Ban would be nice, but since it runs in Python, and as such, has a lot of overhead attached to it, isn't a good embedded option - however...

sshguard looks interesting, as it's C based as a small binary, and despite it's name, can support other ports and services - and plays well with iptables...

http://www.sshguard.net

 

[peraburek]

@sfx2000 your idea with sshguard is cool!

does anybody know how Enable SSH Brute Force Protection actually works, blocking IP that has tried to logon 20 times in 20 minutes???

 

[Martineau]

@sfx2000 your idea with sshguard is cool!

does anybody know how Enable SSH Brute Force Protection actually works, blocking IP that has tried to logon 20 times in 20 minutes???

I believe the Firewall code uses this statement for SSH Brute Force Protection to populate the iptables SSHBFP Chain:

fprintf(fp, "-A SSHBFP -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j %s\n", logdrop);

 

[Poopiepants]

To ban Ip's I have used both
sh firewall BANSINGLE
then Ip address
and it accepts the command and adds it to the list.

I also manually tried:
ipset -q -A Blacklist 123.123.123.123
It tells me it is already in the blacklist.

I still see traffic from that ip address coming through on the workstation that has port 23 forwarded to it.

Thanks for the help.

 

[Poopiepants]

Peraburek

Here is my nat-start script for brute force protection for telnet, you should be able to re-arrange it.


#!/bin/sh
logger "firewall" "Applying nat-start rules"
iptables -N TELNETBFP -t nat
iptables -A TELNETBFP -t nat -m recent --set --name TELNET --rsource
iptables -A TELNETBFP -t nat -m recent --update --seconds 7200 --hitcount 5 --name TELNET --rsource -j RETURN
iptables -A TELNETBFP -t nat -p tcp --dport 23 -m state --state NEW -j DNAT --to-destination 192.168.1.57:23
iptables -I VSERVER -t nat -i eth0 -p tcp --dport 23 -m state --state NEW -j TELNETBFP

 

[Poopiepants]

The IP ban seems to have just started working magically.
I am not going to complain.
Thanks for all the help!

 

[sfx2000]

Here is my nat-start script for brute force protection for telnet, you should be able to re-arrange it.

Telnet shouldn't be exposed to the outside world - very insecure - better to run Dropbear or OpenSSH, which are far better for remote shells...