How to Dynamically Ban Malicious IP's using IPSet (Martineau version)

Martineau · Mar 7, 2017

skeal said:
Yes please post the scripts needed to run on 380.65 I have ac68u waiting for the programming.....tia
Steve

This hacked version works on my RT-AC68U.

NOTE: Country Blocking is no longer included...you can use the latest country blocking script from the Wiki https://github.com/RMerl/asuswrt-merlin/wiki/Using-ipset#tor-and-countries-block

Full credit to member @Adamm for the original script/idea.

Thanks to @HardCat for spotting the incorrect line.

EDIT: 24/04/2017 The (too large to post in-line) current version (v3.04) is hosted here:

https://pastebin.com/zQ3KEe8P

Code:

#!/bin/sh
#================================================================================================= © 2016-2017 Martineau
# Dynamically block unsolicited access attempts using IPSETs. Useful if U have opened ports >1024 as hopefully hackers will
#             start their attempts at the more common ports e.g. 22,23 etc. so will be blocked BEFORE they reach your port!
#
#     IPSET_Block   [help|-h] | [status [full]] [reset] [delete] [ban [ip_addr]] [unban [ip_addr]] [whitelist]
#
#     IPSET_Block   status
#                   Displays the number of currently blocked I/Ps and the nmber blcoked since the last status request:
#                   e.g.     Summary Blacklist: 12345 IPs currently banned. 99 New IP's Banned.
#     IPSET_Block   status full
#                   Display the contents of IPSETs Whitelist & Blacklist - beware there could be a lot!!!
#     IPSET_Block   reset
#                   Temporarily flush the IPSET Blacklist (It will be restored @BOOT or manually using the restore cmd)
#     IPSET_Block   restore
#                   Restore the IPSETs Whitelist & Blacklist from the current saved IPSETs.
#                   (If 'delete' was used then U need to clone the 'backup' file before attempting the restore!)
#     IPSET_Block   ban 12.34.56.7
#                   Adds 12.34.56.7 to IPSET Blacklist
#     IPSET_Block   unban 12.34.56.7
#                   Removes 12.34.56.7 from IPSET Blacklist
#     IPSET_Block   delete
#                   Permanently flush the IPSET Blacklist (It cannot be restored @BOOT or using the restore cmd)
#
# /jffs/scripts/init-start
#      /usr/sbin/cru a IPSET_SAVE   "0 * * * * /jffs/scripts/IPSET_Block.sh save"    #Every hour
#      /usr/sbin/cru a IPSET_BACKUP "0 5 * * * /jffs/scripts/IPSET_Block.sh backup"  #05:00 every day
#
# /jffs/scripts/firewall-start
#      /jffs/scripts/IPSET_Block.sh init
#
# NOTE: Whitelist wil be automatically populated with local LAN subnet, but VLANs will need to be added manually e.g. 10.0.0.0/8 etc.
#
# Credit @adamm https://www.snbforums.com/threads/how-to-dynamically-ban-malicious-ips-using-ipset-firewall-addition.16798/#post-115872
# Print between line beginning with'#==' to first blank line inclusive
ShowHelp() {
 awk '/^#==/{f=1} f{print; if (!NF) exit}' $0
}
MYROUTER=$(nvram get computer_name)
if [ -d /tmp/mnt/$MYROUTER ]; then
   DIR="/tmp/mnt/"$MYROUTER
else
   DIR="/tmp"
fi
bannedips=$DIR"/IPSET_IP_Count"    # Allows display of new blocked IPs after every implied/ explicit status request
# 380.63+ for ARM routers, IPSET v6  is available...Load appropriate IPSET modules
case $(ipset -v | grep -io "v[4,6]") in
  v6)
 MATCH_SET='--match-set'; CREATE='create'; ADD='add'; DELETE='del'; SWAP='swap'; SAVE='save'; FLUSH='flush'; RESTORE='restore'
 IPHASH='hash:ip'; NETHASH='hash:net family inet'; NETHASH6='hash:net family inet6'; SETNOTFOUND='name does not exist'
 lsmod | grep "xt_set" > /dev/null 2>&1 || \
 for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
  do
   insmod $module > /dev/null 2>&1
  done
 ;;
  v4)
 MATCH_SET='--set'; CREATE='--create'; ADD='--add'; DELETE='--del'; SWAP='--swap'; SAVE='--save'; FLUSH='--flush'; RESTORE='--restore'
 IPHASH='iphash'; NETHASH='nethash'; SETNOTFOUND='Unknown set'
 lsmod | grep "ipt_set" > /dev/null 2>&1 || \
 for module in ip_set ip_set_nethash ip_set_iphash ipt_set
  do
   insmod $module
  done
 ;;
  *)
 logger -st "($(basename $0))" $$ "**ERROR** Unknown ipset version: $(ipset -v). Exiting."
 echo -e "\a"
 exit 99
 ;;
esac

# Need assistance!???
if [ "$1" == "help" ] || [ "$1" == "-h" ]; then
 ShowHelp
 exit 0
fi
ACTION=$1
# If the first arg is an I/P address or subnet then assume it is to be blocked.
# TBA
# status / ban / unban / reset / delete / save / ban / whitelist / backup
case $ACTION in
 status)
  echo -en "\n"
  ipset -L Blacklist | grep -vE "^[0-9]"  # Sadly 'ipset -t Blacklist' to list only the IPSET header doesn't work on Asus
  if [ ! -z $2 ];then           # Verbose if 2nd arg
   ipset -L Blacklist        | \
    grep -E "^[0-9]"       | \
    sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 | \
    awk ' {printf "%15s\t", $1;}'
   echo " ";echo " "
   ipset -L Whitelist
  fi
  #logger -s -t "($(basename $0))" $$  `ipset -L`
  ;;
 ban)
  if [ -z $2 ];then
   echo "Input IP Address"
   read bannedip
  else
   bannedip=$2
  fi
  logger -st "($(basename $0))" $$  "Adding" $bannedip "to Blacklist] ... ... ..."
  ipset -q -A Blacklist $bannedip
  echo "$bannedip Is Now Banned"
  ;;
 unban)
  if [ -z $2 ]; then
   echo "Input IP Address To Unban"
   read unbannedip
  else
   unbannedip=$2
  fi
  logger -st "($(basename $0))" $$  "Unbanning and removing" $unbannedip "from Blacklist ... ... ..."
  ipset $DELETE Blacklist $unbannedip
  echo "`sed /$unbannedip/d $DIR/IPSET_Rules.txt`" > $DIR/IPSET_Rules.txt
  echo $unbannedip "Is Now Unbanned"
   ;;
 reset)
  logger -st "($(basename $0))" $$  "Temporarily Allowing ALL ("`cat $bannedips`") I/P's in Blacklist IPSET"
  NOW=$(date +"%Y%m%d-%H%M%S")    # current date and time
  mv  $DIR/IPSET_Rules.txt $DIR/IPSET_Rules.txt-$NOW   # Create restore backup
  ipset $SAVE > $DIR/IPSET_Rules.txt        # Save the current IPSETs
  ipset $FLUSH Blacklist
  rm $bannedips      # Reset counter '0'
  ;;
 delete)
  logger -st "($(basename $0))" $$  "Permanently deleting ALL ("`cat $bannedips`") I/Ps from Blacklist."
  ipset $FLUSH Blacklist
  rm $bannedips      # Reset counter '0'
  ipset $SAVE > $DIR/IPSET_Rules.txt
  ;;
 save)
  #echo "Saving Blacklists ... ... ..."
  logger -st "($(basename $0))" $$  "Saving IPSet rules to  $DIR/IPSET_Rules.txt ... ... ..."
  # Only save the IPSETs associated with this script
  ipset $SAVE Blacklist >  $DIR/IPSET_Block.txt
  ipset $SAVE Whitelist >> $DIR/IPSET_Block.txt
  ;;
 whitelist)
  echo "Input file location"      # see /jffs/configs/IPSET_Whitelist
  read WHITELISTFILE
  for IP in `cat $WHITELISTFILE`
   do
    ipset -q -A Whitelist $IP
    echo $IP
   done
  ipset $SAVE > $DIR/IPSET_Rules.txt
  ;;
 backup)
  #echo "Backing Up Current IPSet Rules"
  logger -st "($(basename $0))" $$  "Creating IPSET rule backup to "$DIR"/IPSET_Rules.bak ... ... ..."
  cp -f $DIR/IPSET_Rules.txt $DIR/IPSET_Rules.bak
  ;;
 init)
  # ....called from firewall-start?
 
  if [ X"`nvram get fw_log_x`" = X"drop" ]
  then
   logger -st "($(basename $0))" $$ "Correct 'logdrop' Setting Detected"
  else
   logger -st "($(basename $0))" $$  "Setting 'logdrop'....."
   nvram set fw_log_x=drop
   nvram commit
  fi
  if [ X"`nvram get fw_enable_x`" = X"1" ]
  then
   logger -st "($(basename $0))" $$ "Correct 'firewall' enabled Setting Detected."
  else
   logger -st "($(basename $0))" $$ "Setting 'enable' firewall....."
   nvram set fw_enable_x=1
   nvram commit
  fi
  logger -st "($(basename $0))" $$  " © 2016-2017 Martineau, IPSET Dynamic blocking initialisation Starting....."
  iptables -D logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options 2> /dev/null > /dev/null
  iptables -D INPUT -m set $MATCH_SET Whitelist src -j ACCEPT 2> /dev/null > /dev/null
  iptables -D INPUT -m set $MATCH_SET Blacklist src -j DROP 2> /dev/null > /dev/null
  iptables -D logdrop -m state --state NEW -j SET --add-set Blacklist src 2> /dev/null > /dev/null
  # 'init' will restore IPSETs from file  but 'init full' will re-create empty IPSETs
  if [ -s "${DIR}/IPSET_Rules.txt" ] && [ -z "$2" ]; then
   logger -st "($(basename $0))" $$  "IPSET "$DIR"/IPSET_Rules.txt found... restore starting...."
    ipset $RESTORE  < $DIR/IPSET_Rules.txt
  else
    logger -st "($(basename $0))" $$  "IPSETs: Whitelist & Blacklist being created....."
 
    ipset -q -F Whitelist
    ipset -q -F Blacklist
    ipset -q -X Whitelist
    ipset -q -X Blacklist
 
    ipset -q -N Whitelist $NETHASH
    ipset -q -N Blacklist $IPHASH
  fi
  RULENO=`iptables -nvL INPUT --line | grep "lo " | awk '{print $1}'`
  RULENO=$(($RULENO+1))
  #logger -st "($(basename $0))" $$  "**DEBUG RULENO="$RULENO
  iptables -I INPUT $RULENO -m set $MATCH_SET Blacklist src -j DROP
  iptables -I INPUT $RULENO -m set $MATCH_SET Whitelist src -j ACCEPT
  if [ "$?" -gt 0 ];then
    RC=$?
    logger -st "($(basename $0))" $$  "**ERROR** Unable to add - INPUT $MATCH_SET Whitelist RC="$RC
    echo -e "\a`iptables -nvL INPUT --line >> /tmp/syslog.log`"
  fi
  logger -st "($(basename $0))" $$  "IPSETs: 'Whitelist & Blacklist Blocking enabled"
  iptables -I logdrop -m state --state NEW -j SET --add-set Blacklist src
  ipset -q -A Whitelist `nvram get lan_ipaddr`/24
  # Remember to manually include all VLANs e.g. 10.0.0.0/8 see /jffs/configs/IPSET_Whitelist
esac
# Summary
if [ ! -s "$bannedips" ]; then
   OLDAMOUNT=0
else
   OLDAMOUNT=`cat "$bannedips"`
fi
if [ `ipset -L Blacklist | grep -vE "^[NTRHSM]" | wc -l` -gt 0 ]; then
   expr `ipset -L Blacklist | grep -vE "^[NTRHSM]" | wc -l` > $bannedips
   NEWAMOUNT=`cat $bannedips`
else
   NEWAMOUNT=0
fi
logger -st "($(basename $0))" $$  "Summary Blacklist: $OLDAMOUNT IPs currently banned. `expr $NEWAMOUNT - $OLDAMOUNT` New IP's Banned. "

skeal · Mar 7, 2017

Sorry I screwed up. Please advise where to put this code is it in init-start or firewall-start do i paste all of it in one chunk and to what locations. the original post on page 1 of this thread doesn't really help me.

skeal · Mar 7, 2017

Can you help me with what code goes where please?

Martineau · Mar 7, 2017

skeal said:
Sorry I screwed up. Please advise where to put this code is it in init-start or firewall-start do i paste all of it in one chunk and to what locations. the original post on page 1 of this thread doesn't really help me.

Follow the wiki on how to create scripts and make them executable.
https://github.com/RMerl/asuswrt-merlin/wiki

..basically cut'n'paste either into WinSCP editor or nano editor from the command line.

So I suggest you create it as /jffs/scripts/IPSET_Block.sh, and as per the help info documented in the script, you will need to update firewall-start and init-start accordingly.

skeal · Mar 8, 2017

Thank you @Martineau your help is greatly appreciated. I was able to put it together and get it working. Thanks again for your script writing skills!

octopus · Mar 11, 2017

Martineau said:
Follow the wiki on how to create scripts and make them executable.
https://github.com/RMerl/asuswrt-merlin/wiki

..basically cut'n'paste either into WinSCP editor or nano editor from the command line.

So I suggest you create it as /jffs/scripts/IPSET_Block.sh, and as per the help info documented in the script, you will need to update firewall-start and init-start accordingly.

@Martineau
Thank you for this script. I have to ask, I don't understand how blocked ip get in to "Blacklist" chain?

Martineau · Mar 11, 2017

octopus said:
@Martineau
Thank you for this script. I have to ask, I don't understand how blocked ip get in to "Blacklist" chain?

The script ensures the 'Logged packets type=Dropped' is enabled in the Firewall->General GUI

A rule is added to the '-t filter logdrop' chain

Code:

iptables -nvL logdrop --line -t filter

Chain logdrop (9 references)
num   pkts bytes target     prot opt in     out     source               destination      
1      248 11883 SET        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW add-set Blacklist src
2      248 11883 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 7 level 4 prefix "DROP "
3      367 17965 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

octopus · Mar 11, 2017

Martineau said:

The script ensures the 'Logged packets type=Dropped' is enabled in the Firewall->General GUI

A rule is added to the '-t filter logdrop' chain

Code:

iptables -nvL logdrop --line -t filter
Chain logdrop (9 references)
num   pkts bytes target     prot opt in     out     source               destination      
1      248 11883 SET        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW add-set Blacklist src
2      248 11883 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 7 level 4 prefix "DROP "
3      367 17965 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Okey, thanks, I see it now.

Code:

iptables -I logdrop -m state --state NEW -j SET --add-set Blacklist src

octopus · Mar 13, 2017

I have run this script for a half day and have HUGE amont of "DROPIN=vlan11" in log.
Hope it subsides when the Blacklist log becomes full of IP numbers.

Code:

Chain logdrop (8 references)
num   pkts bytes target     prot opt in     out     source               destination        
1      344 17509 SET        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW add-set Blacklist src
2      368 18669 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 7 level 4 prefix "DROP"
3      368 18669 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Martineau · Mar 13, 2017

octopus said:
..... and have HUGE amont of "DROPIN=vlan11" in log.

Well that's an annoying nusiance isn't it!

In the script there is a block of code commented out..any idea what it would do if enabled?

Code:

#############Why destroy Syslog???#########
#echo "`sed '/DROP IN=/d' /tmp/syslog.log`" > /tmp/syslog.log
#echo "`sed '/DROP IN=/d' /tmp/syslog.log-1`" > /tmp/syslog.log-1

One of the reasons I personally don't want the Syslog to be sanitised is because I run a cron job every hour that creates a report from the "DROP IN" messages of all the blocked access attempts:

..so out of curiosity I can identify which ports are currently popular targets.

Clearly, well known ports 23 and 22 (523 and 108 attempts respectively) are not surprisingly popular targets, but why/who are 5358 and 2323 (156 and 49 attempts) ? - so the report makes it easy for me to simply click on a helpful 'live' URL description when I review the report.

The IPSET can grow very large, and I did consider exploiting the IPSET v6.4 'timeout' option to have the IPSET automatically discard entries older than say 24hours etc., but chances are they would eventually (if not the next day

) reappear in the IPSET!

octopus · Mar 14, 2017

@Martineau
"Code commented out..any idea what it would do if enabled?" Yes now when you mention that.

Code:

echo "`sed '/DROP IN=/d' /tmp/syslog.log`" > /tmp/syslog.log

I want to use this to minimise annoying log flooding. I use synlink to /mnt there my log is saved. Will this "sed" command work?

Code:

 ln -s /mnt/rt-ac68/logs/syslog.log /tmp/syslog.log

I really appreciate your all kind of scripts, is using part of it or all.

Martineau · Mar 14, 2017

octopus said:
I use synlink to /mnt there my log is saved. Will this "sed" command work?

Yes...I too have Syslog writing to a flash drive mounted on /tmp/mnt/RT-AC68U

You can prove the 'sed' command works by trying this on the command line before you edit the script!

Code:

grep "DROP IN" /tmp/syslog.log | wc -l
sed '/DROP IN=/d' /tmp/syslog.log > /tmp/syslog.log
grep "DROP IN" /tmp/syslog.log | wc -l

octopus · Mar 14, 2017

Seems to working, had to modified "DROPIN".

Code:

octopus@OCTOPUS:/tmp/home/root# grep "DROPIN" /tmp/syslog.log | wc -l
1260

After this log is deleted and started to log DROP again after first write to log from router program.

Code:

octopus@OCTOPUS:/tmp/home/root# sed '/DROPIN=/d' /tmp/syslog.log > /tmp/syslog.log

EDIT: I found what was wrong, I have my log point to /mnt. Adjusted sed to:

Code:

octopus@OCTOPUS:/tmp/home/root# sed '/DROPIN=/d' /tmp/syslog.log > /mnt/rt-ac68/logs/syslog.log

Code:

octopus@OCTOPUS:/tmp/home/root# grep "DROPIN" /tmp/syslog.log | wc -l
0

@Martineau

Martineau · Mar 14, 2017

octopus said:
Seems to working, had to modified "DROPIN".

Hmm, no idea why I have "DROP IN=", whereas you have "DROPIN=", also I don't have interface "vlan11" either.

Anyway glad you can now have the port hackers silently blocked!

octopus · Mar 14, 2017

Martineau said:
Hmm, no idea why I have "DROP IN=", whereas you have "DROPIN=", also I don't have interface "vlan11" either.
Anyway glad you can now have the port hackers silently blocked!

I don't know why we have different DROP but I use IPTV internet vlan11.
Well it only working until new data writing to log.
"After this log is deleted and started to log DROP again after first write to log from router program."
@Martineau

Xentrk · Apr 12, 2017

Thank you @Martineau for the revised script.

I installed it last night at the two routers I have at home and the router at the school. I don't have any attempts for the two home routers. But at the school, the following was generated in the past 12 hours:

Code:

(IPSET_Block.sh): 26779 Summary Blacklist: 300 IPs currently banned. 15 New IP's Banned.

Code:

 pkts bytes target     prot opt in     out     source               destination
     0     0 ACCEPT     all  --  any    any     anywhere             anywhere             match-set Whitelist src
 1162 70396 DROP       all  --  any    any     anywhere             anywhere             match-set Blacklist src

Martineau · Apr 12, 2017

swetoast said:
@Martineau or @Adamm planning on maintaining that script ? cause if you are i could add it to the wiki

I have updated my OP https://www.snbforums.com/threads/h...et-firewall-addition.16798/page-7#post-312136

There are slight functional differences in my version vs. @Adamm's i.e. Malware blocking is not included - I'll leave that to your supported Malware script(s)

The main difference is that my script exploits the IPSET v6.3 feature which allows the user to specify how long the Blacklist entries remain in the IPSET before they expire.

e.g passing the 'init' arg in the firewall-start script will instigate a search for a '.config' file to reload a previous populated Blacklist IPSET

Code:

/jffs/scripts/IPSET_Block.sh init

however, if the following syntax is used:

Code:

/jffs/scripts/IPSET_Block.sh init [full [hh:mm:ss]]

e.g.

IPSET_Block.sh init full 24:00:00

then when the Blacklist IPSET is created the member entries will expire after 24 hrs.
(The default hard-coded in the script is 168:00:00 hrs = 7 days)

e.g. You can see how much longer (until its timeout values reaches 0) each entry will remain in the IPSET based on its initial 86400 seconds value:

Code:

ipset list Blacklist

Name: Blacklist
Type: hash:ip
Revision: 0
Header: family inet hashsize 4096 maxelem 65536 timeout 86400
Size in memory: 187832
References: 1
Members:
190.85.182.61 timeout 45111
118.101.215.238 timeout 44722
120.197.100.106 timeout 45112
<snip>

Also, I don't remove the DROP messages from Syslog, because I have a supplementary script that reports on the Blacklist entries:

Code:

./HackerPorts.sh

(HackerPorts.sh): 8647 Syslog Hacker report starting.....
(HackerPorts.sh): 8647 Hacker report created '/tmp/mnt/RT-AC68U/HackerReport.txt' (Total Ports attacked: 218)

Denna · Apr 12, 2017

@Martineau,

I like the timeout feature. Genius !

If someone could spoof an IP address of a legitimate destination and that address end up in a blocklist, wouldn't that be a form of DoS ?

The timeout feature partially protects against that.

redhat27 · Apr 12, 2017

Martineau said:

The script ensures the 'Logged packets type=Dropped' is enabled in the Firewall->General GUI

A rule is added to the '-t filter logdrop' chain

Code:

iptables -nvL logdrop --line -t filter

Chain logdrop (9 references)
num   pkts bytes target     prot opt in     out     source               destination     
1      248 11883 SET        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW add-set Blacklist src
2      248 11883 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 7 level 4 prefix "DROP "
3      367 17965 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Hello... First post in this thread. Interesting read. So I trying to understand the purpose of the script better. Is it that the script looks at the syslog for packets already being dropped by the firewall and puts them in a blacklist ipset. So what is the benefit gained? The new rule would have a target of DROP as opposed to logdrop and won't show in the firewall log. Other than that, what is the benefit gained?

Xentrk · Apr 12, 2017

takitezsdc said:
hello....would you be so kind to explain exactly how this needs to be installed? ...

For @Martineau version, the script goes in /jffs/scripts/IPSET_Block.sh. Make sure it is executable:
chmod 755 IPSET_Block.sh

In the /jffs/scripts/init-start

Code:

/usr/sbin/cru a IPSET_SAVE   "0 * * * * /jffs/scripts/IPSET_Block.sh save"    #Every hour
/usr/sbin/cru a IPSET_BACKUP "0 5 * * * /jffs/scripts/IPSET_Block.sh backup"  #05:00 every day

In /jffs/scripts/firewall-start

Code:

/jffs/scripts/IPSET_Block.sh init

To get help:

Code:

cd /jffs/scripts
./IPSET_Block.sh help

How to Dynamically Ban Malicious IP's using IPSet (Martineau version)

Part of the Furniture

Part of the Furniture

Part of the Furniture

Part of the Furniture

Part of the Furniture

Part of the Furniture

Part of the Furniture

Part of the Furniture

Part of the Furniture

Part of the Furniture

Part of the Furniture

Part of the Furniture

Part of the Furniture

Part of the Furniture

Part of the Furniture

Part of the Furniture

Part of the Furniture

Senior Member

Very Senior Member

Part of the Furniture

Similar threads

Similar threads

Support SNBForums w/ Amazon

Sign Up For SNBForums Daily Digest