Status
Not open for further replies.
I saw that but I'm kind of worried about adding my email and password in there. Is it safe?
Many email providers support 'App Passwords' that allow you to set up separate passwords for specific apps.
I have done this for AB-Solutions.
This can be enabled/disabled as you want.
The intent is that you set up 'Two factor authentication' (2FA) as standard for your email and use 'App Passwords' for the apps that do not support 'Two factor authentication' (2FA).

FYI,
In terms of safety, if the script can be accessed to get your password, you will be having a slightly bigger problem of your router being under someone else's control and all devices connected being at risk !!! :)

P.S. 'App passwords' are supposed to be temporary things so they exist for short periods and can be disabled and/or changed easily. It also should make monitoring their use easier as a specific password belongs to a specific app that you control. Usage will be logged for your perusal.
 
Do it as I and many others do: Use a separate mail address and forward it through it to your main account.
Is it safe to store such info on your router? As safe as a plain text password file on your computer. As long as no one has access to it it's pretty safe.

Since you brought this up, is there a reason to disable certificate checks for the curl command you use to send emails?

I understand some do use a separate/throwaway email account for this, but this is not a very safe default and I don’t see a point since the CA root store is working fine and curl can use it to do cert checks fine.
 
Since you brought this up, is there a reason to disable certificate checks for the curl command you use to send emails?

I understand some do use a separate/throwaway email account for this, but this is not a very safe default and I don’t see a point since the CA root store is working fine and curl can use it to do cert checks fine.
I seem to remember trying to get it to work without the 'disable' flag and could not get it to work no matter what I tried.
Don't know if there is a bug or simply could not get the right info/flags set on the commandline.
 
I seem to remember trying to get it to work without the 'disable' flag and could not get it to work no matter what I tried.
Don't know if there is a bug or simply could not get the right info/flags set on the commandline.

Hm..do you know if AB uses entware’s curl or the system’s curl?

Don’t have access to an Asus device now, can follow up later with this.
 
The curl on my router is in /usr/sbin, nothing found under entware directory structure.

The script function to create the script that sends the email is as follows:

write_send_email_file(){

# only generate the send-email script if it does not exist yet
if ! [ -f "$abSolutionPath/$scriptsDir/$sendEmailFile" ];then
cat <<-EOF > "$abSolutionPath/$scriptsDir/$sendEmailFile"
#!/bin/sh
# generated by $appName $appVersion
# set environment PATH to system binaries
export PATH=/sbin:/bin:/usr/sbin:/usr/bin:\$PATH

# send mail with curl
# (--insecure turns off TLS certificate verification)
curl \\
--url smtps://\$SMTP:\$PORT \\
--mail-from "\$FROM_ADDRESS" --mail-rcpt "\$TO_ADDRESS" \\
--upload-file /tmp/abmail-body \\
--ssl-reqd \\
--user "\$USERNAME:\$PASSWORD" --insecure

EOF
fi
}
 
Hm..do you know if AB uses entware’s curl or the system’s curl?

Don’t have access to an Asus device now, can follow up later with this.
As @Twiglets code snippet shows, AB always uses system binaries, to be compatible with all firmware versions.
 
Since you brought this up, is there a reason to disable certificate checks for the curl command you use to send emails?

I understand some do use a separate/throwaway email account for this, but this is not a very safe default and I don’t see a point since the CA root store is working fine and curl can use it to do cert checks fine.
Read up on curl --insecure, you'll find I made the right choice.
 
Read up on curl --insecure, you'll find I made the right choice.

I’m familiar with it. Would you mind explaining your train of thought then? I don’t understand how ‘proceed and operate even for server connections otherwise considered insecure’ is the right choice.

Code:
 -k, --insecure

(TLS) By default, every SSL connection curl makes is verified to be secure. This option allows curl to proceed and operate even for server connections otherwise considered insecure.
 
At a guess I think it is to enable some buggy versions of SSL/TLS to work, as you cannot control all the software versions that you may have to work with.
 
I originally had DNScrypt installed on my RT-AC3200 and it worked fine. I then added AB-Solution and while it appears to be working correctly I no longer see the PREROUTING Configs for port 53 in the port forwarding menu of my router. Is this correct?

UPDATE: Nevermind. After several minutes the PREROUTING came back into the list.
 
Hi,

first of all: thanks for the handy script which is a very nice work!

I have a problem with pixelserv-tls. I already searched the thread for this problem, but only found a similar problem on page 51 which I think won’t help me. I installed pixelserv-tls through AB-S. I put the pixelserv-tls on 192.168.11.2 (*.1 is my router and dhcp is starting at *.100).

My problem: When I leave my house I shutdown the power strip where my modem and router are attached to. Coming home, I turn on the power strip. The modem needs some time to sync the internet. The log of my RT-AC56U shows the wan is coming up after some 3 minutes. It seems the „/opt/etc/init.d/S80pixelserv-tls“ Script just fails, because there is no wan up just yet?
After this procedure I can’t reach the statsserv-page. I need to ssh and execute the „ab-solution“ script and after that the webpage is reachable.

When I do a restart while everything is already up, pixelserv-tls is coming up just fine.

Is there any solution how I can fix this, so that I don't need to ssh after power on my devices? Thanks!
 
Hi,

first of all: thanks for the handy script which is a very nice work!

I have a problem with pixelserv-tls. I already searched the thread for this problem, but only found a similar problem on page 51 which I think won’t help me. I installed pixelserv-tls through AB-S. I put the pixelserv-tls on 192.168.11.2 (*.1 is my router and dhcp is starting at *.100).

My problem: When I leave my house I shutdown the power strip where my modem and router are attached to. Coming home, I turn on the power strip. The modem needs some time to sync the internet. The log of my RT-AC56U shows the wan is coming up after some 3 minutes. It seems the „/opt/etc/init.d/S80pixelserv-tls“ Script just fails, because there is no wan up just yet?
After this procedure I can’t reach the statsserv-page. I need to ssh and execute the „ab-solution“ script and after that the webpage is reachable.

When I do a restart while everything is already up, pixelserv-tls is coming up just fine.

Is there any solution how I can fix this, so that I don't need to ssh after power on my devices? Thanks!
Have you tried switching the router off when you turn the power strip off, then, when you later turn the power strip on, wait until the modem is fully up and Internet connected before switching the router back on?

And welcome to the forum.
 
Have you tried switching the router off when you turn the power strip off, then, when you later turn the power strip on, wait until the modem is fully up and Internet connected before switching the router back on?

And welcome to the forum.

Thank you. That's what I don't want to do. I just turn off the power strip and all my devices are powered off. I don't want to turn off the router separately, because I can't reach it so easily. ;)
 
Hi team, I installed it today, but..
 

Attachment: 384.5too-old.png
I don't want to turn off the router separately, because I can't reach it so easily. ;)

Have you considered something like a wireless remote outlet? I bought a 5 button version by Etekcity for my IP cameras. It comes with 5 separate outlets that you can plug your stuff into and instead of pulling the plugs from 5 different cameras everyday I just push a few buttons. It can be programmed to push only one button for all 5 outlets if you desire. They also sell just individuals if you only want one.
 
My problem: When I leave my house I shutdown the power strip where my modem and router are attached to. Coming home, I turn on the power strip. The modem needs some time to sync the internet. The log of my RT-AC56U shows the wan is coming up after some 3 minutes. It seems the „/opt/etc/init.d/S80pixelserv-tls“ Script just fails, because there is no wan up just yet?
After this procedure I can’t reach the statsserv-page. I need to ssh and execute the „ab-solution“ script and after that the webpage is reachable.

When I do a restart while everything is already up, pixelserv-tls is coming up just fine.

Is there any solution how I can fix this, so that I don't need to ssh after power on my devices? Thanks!
There is a quick fix for you:
Edit the TIMEOUT variable in /opt/etc/init.d/S80pixelserv-tls from
TIMEOUT=18
to something significantly higher. This is seconds, so 120 will give you 2 minutes before timeout.

Keep in mind that AB-Solution rewrites S80pixelserv-tls whenever you change a setting in AB that involves pixelserv-tls.
For a permanent change of that timeout setting edit line 810 of pixelserv-tls.add in the /adblocking/addon/ directory where AB is installed.
 
Hi team, I installed it today, but..
This does not check the firmware version but it checks if some service is listening on port 80. Run
Code:
netstat -tuln | grep ":80 " | grep -q '0\.0\.0\.0:80 '
in a terminal. If it returns nothing, run this:
Code:
netstat -tuln | grep ":80 "
Post the output.
 
At a guess I think it is to enable some buggy versions of SSL/TLS to work, as you cannot control all the software versions that you may have to work with.

I doubt that’s the reason, as that is an extremely. I’m sure people that will encounter TLS errors are in the minority, and a saner approach would be making ‘--insecure’ optional so we maintain the flexibility while the majority of users are protected by safer defaults.

As it stands right now, all users of AB-Solution using email notifications can have their connection man-in-the-middle’d and credentials stolen and emails intercepted. Even inspecting logs would not yield a hint of an attack. If the --insecure option was not used, curl would’ve aborted the connection and no credentials given up to a rogue server.

So @thelonelycoder I implore you to give us an explanation why you’ve chosen to use the --insecure option? You’ve made it clear that this is intentional, I just want to know your rationale behind the decision.
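
The "make --insecure optional" approach suggested in the post above, as an added example that is not part of the thread and not AB-Solution's own code: certificate verification stays on by default, a hypothetical ALLOW_INSECURE=1 setting is the only way to turn it off, and a verification failure (curl exit code 60) is reported instead of silently bypassed. ALLOW_INSECURE, CA_BUNDLE, DRY_RUN and BODY_FILE are assumed names; the other variables are the ones from the generated script quoted earlier.

```shell
#!/bin/sh
# Added example, not AB-Solution code. ALLOW_INSECURE, CA_BUNDLE, DRY_RUN and
# BODY_FILE are hypothetical settings; SMTP, PORT, FROM_ADDRESS, TO_ADDRESS,
# USERNAME and PASSWORD are the variables used by the script in the thread.

send_mail() {
    # Same options as the thread's command, minus --insecure, so curl
    # verifies the server certificate (its default behaviour).
    set -- --url "smtps://$SMTP:$PORT" \
        --mail-from "$FROM_ADDRESS" --mail-rcpt "$TO_ADDRESS" \
        --upload-file "${BODY_FILE:-/tmp/abmail-body}" \
        --ssl-reqd

    # Optional: use a specific CA bundle if the default store does not work.
    if [ -n "${CA_BUNDLE:-}" ]; then
        set -- "$@" --cacert "$CA_BUNDLE"
    fi

    # Explicit opt-in only, and the downgrade is announced on stderr.
    if [ "${ALLOW_INSECURE:-0}" = "1" ]; then
        echo "send_mail: certificate verification DISABLED (ALLOW_INSECURE=1)" >&2
        set -- "$@" --insecure
    fi

    if [ "${DRY_RUN:-0}" = "1" ]; then
        # Print one option per line, without the real credentials.
        printf '%s\n' "$@" --user "<redacted>"
        return 0
    fi

    rc=0
    curl --silent --show-error "$@" --user "$USERNAME:$PASSWORD" || rc=$?
    if [ "$rc" -eq 60 ]; then
        # 60: curl could not verify the server certificate against its CA store
        echo "send_mail: certificate check failed, no credentials were sent" >&2
        echo "send_mail: fix the CA store or set CA_BUNDLE; avoid --insecure" >&2
    fi
    return "$rc"
}

# Constructed sample values for an offline dry run (no network access).
SMTP=smtp.example.com PORT=465
FROM_ADDRESS=router@example.com TO_ADDRESS=admin@example.com
DRY_RUN=1
send_mail
```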
 
There is a quick fix for you:
Edit the TIMEOUT variable in /opt/etc/init.d/S80pixelserv-tls from
TIMEOUT=18
to something significantly higher. This is seconds, so 120 will give you 2 minutes before timeout.

Keep in mind that AB-Solution rewrites S80pixelserv-tls whenever you change a setting in AB that involves pixelserv-tls.
For a permanent change of that timeout setting edit line 810 of pixelserv-tls.add in the /adblocking/addon/ directory where AB is installed.
Tested it and it works. Thank you very much. I thought about setting the timeout higher before, but from the post on page 51 it sounded like it would be bad for whatever reasons.
The "pixelserv-tls.add" determines how "S80pixelserv-tls" looks like, e.g. sets the timeout? So in the future I need to keep an eye at the "pixelserv-tls.add" for the right timeout?
 