How to Dynamically Ban Malicious IP's using IPSet (Martineau version)

Martineau · May 7, 2017

Jack Yaz said:
v2.03 installed and all working, once I remembered to change the dir variable to my path haha. Thought I'd broken it :S

Yeah, I knew I should have added a convenient command line 'dir=path_to_file' directive to at least save the user having to edit the script!..but I guess someone without your scripting skills would still 'forget' and complain

Anyway thanks for the v2.03 feedback - early days though, but no doubt silly bug reports will soon start flooding in so I might add the 'dir=' code in the imminent v2.04 release!

Jack Yaz · May 7, 2017

No worries, I'm somewhat a novice at bash, but fairly well versed in Javascript and C#, I'm pretty quick at picking things up, namely because I obsess and research and try try try again until I get something working

Thanks for the scripts, it's nice to have the security, and get a nice report out of it too!

Martineau · May 7, 2017

eclp said:
These lines are in the: /jffs/scripts/services-start:

Code:

cru a IPSET_SAVE "0 * * * * /jffs/scripts/IPSET_Block.sh save" #Every hour cru a IPSET_BACKUP "0 5 * * * /jffs/scripts/IPSET_Block.sh backup" #05:00 every day

So you have '/jffs/scripts/IPSET_Block.sh init' in '/jffs/scripts/firewall-start' ?

Martineau · May 7, 2017

Csection said:
Version 3.04 with the HackerPorts 2.02 addition!

OK, FYI IPSET_Block.sh v3.05 and HackerPorts 2.03 are available.

I have manually run the 'save' function using three different versions, and all appear to work.....

Code:

 ./IPSET_Block.sh save

(IPSET_Block.sh): 2160 v4.01 © 2016-2017 Martineau, Dynamic IPSET Blacklist banning request.....

(IPSET_Block.sh): 2160 Saving IPSET Block rules to /tmp/mnt/RT-AC68U/IPSET_Block.config.....

 Summary Blacklist: 2838+1 Successful blocks! ( 3321 IPs currently banned - 36 added since: May 7 19:00 ), Entries auto-expire after 168:00:00 hrs

Code:

./XIPSET_Blockv3.05.sh save

(XIPSET_Blockv3.05.sh): 2395 v3.05 © 2016-2017 Martineau, Dynamic IPSET Blacklist banning request.....

(XIPSET_Blockv3.05.sh): 2395 Saving IPSET Block rules to /tmp/mnt/RT-AC68U/IPSET_Block.config.....

 Summary Blacklist: 2838 Successful blocks! ( 3357 IPs currently banned - 1 added since: May 7 19:48 ), Entries auto-expire after 168:00:00 hrs

Code:

 ./XIPSET_Blockv3.04.sh save

(XIPSET_Blockv3.04.sh): 3538 v3.04 © 2016-2017 Martineau, Dynamic IPSET Blacklist banning request.....

(XIPSET_Blockv3.04.sh): 3538 Saving IPSET Block rules to /tmp/mnt/RT-AC68U/IPSET_Block.config.....

 Summary Blacklist: 2856 Successful blocks! ( 3366 IPs currently banned - 5 added since: May 7 20:00 ), Entries auto-expire after 168:00:00 hrs

I can't see anything that would fail...the 'save' simply issues the two ipset commands to dump both IPSETs to the $DIR directory.

If the following file is missing

Code:

$DIR/IPSET_Blacklist_Count

then this would certainly affect the report statistics.

skeal · May 7, 2017

Martineau said:
/jffs/scripts/HackerPorts.sh

v2.03 is available.

Thanks to @Xentrk , @Jack Yaz , @Csection and others for providing feed back to try and improve the reliability of the reporting.

I've rewritten the parsing code when extracting the 'Block IN=' messages from Syslog.

It appears that the '-j LOG' chain apparently may generate 'inconsistent' messages, the weird one being the random insertion of the Unicode '0xa0' character '&nbsp',so whilst it appears as a space " " it really isn't so the parsing will fail.

Now it could be that this is a side effect of extracting the test data from the forum, but either way, sometimes the script works for some and not for others, but as @Xentrk posted, it has been fine on his router, but another one he installed the script on, it just won't work.

1. Fix to include an additional check to see if the inappropriate 'nolog' directive is still being used with the 'init' call by IPSET_Block.sh, but I only scanned both firewall-start/services-start and never considerd that anyone would need to use post-mount. @Jack Yaz

2. New command args are available (see help)

all - The report will by default report on WAN attacks.
Specifying this will allow reporting on all interfaces e.g. ppp0,vlan2 etc.

wipe - If Syslog is used to record the tracking messages (rather than the Blacklist IPSET)
then once the report is created to disk, the tracking messages are erased from Syslog.

in= I have lots of archived Syslogs and to try and prove that the script genuinely works, needed to quickly point the script at a file rather than the 'live' Syslog.

3. GRE report. These '-j LOG' messages contain no target 'DPT=' clause which caused the parsing to fail dismally given that this is a critical field that I explicitly need to use as a delimiter.

These attempts are now also reported, so perhaps IPSET_Block.sh deserves brownie-points! - or not!

The general reporting info has also been tweaked to give better feedback, along with some additional cosmetic fluff!.

No doubt it is riddled with bugs, but that is the price I pay for not requesting a lengthy beta testing programme.

Caveat Emptor!

I have a maybe stupid question. I installed HackerPorts.sh it all works but I'm wondering about the "kernel : Block IN=vlan2 OUT= Mac=blah blah blah" messages in my webui syslog. Is this something that is necessary or....?

eclp · May 7, 2017

I went through this guide: https://github.com/RMerl/asuswrt-me...on-instructions#dynamically-ban-malicious-ips
Restart Router:

Code:

Aug  1 02:02:02 (IPSET_Block.sh): 2098 v3.05 © 2016-2017 Martineau, Dynamic IPSET Blacklist banning request.....
Aug  1 02:02:03 (IPSET_Block.sh): 2098 IPSETs: 'Blacklist/Whitelist' created EMPTY..... [init ]
Aug  1 02:02:04 (IPSET_Block.sh): 2098 Dynamic IPSET Blacklist banning enabled.
Aug  1 02:02:04 (IPSET_Block.sh): 2098 Summary Blacklist: 0 Successful blocks! ( 0 IPs currently banned - 0 added )
Aug  1 02:02:06 kernel: Block IN=eth0 OUT= MAC=14:dd:a9:cb:0d:f0:04:02:1f:f7:b5:16:08:00 SRC=17.188.135.186 DST=192.168.2.100 LEN=105 TOS=0x00 PREC=0x00 TTL=50 ID=12037 DF PROTO=TCP SPT=5223 DPT=52138 SEQ=4256776857 ACK=4153990114 WINDOW=264 RES=0x00 ACK PSH URGP=0 OPT (0101080A6ABBACBF313DBB5B) MARK=0x8053005e
Aug  1 02:02:07 kernel: Block IN=eth0 OUT= MAC=14:dd:a9:cb:0d:f0:04:02:1f:f7:b5:16:08:00 SRC=40.77.229.71 DST=192.168.2.100 LEN=274 TOS=0x00 PREC=0x00 TTL=113 ID=1348 DF PROTO=TCP SPT=443 DPT=64515 SEQ=2673240956 ACK=1376455354 WINDOW=7212 RES=0x00 ACK PSH URGP=0
Aug  1 02:02:07 kernel: Block IN=eth0 OUT= MAC=01:00:5e:00:00:01:04:02:1f:f7:b5:16:08:00 SRC=192.168.2.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF OPT (94040000) PROTO=2
Aug  1 02:03:09 kernel: Block IN=eth0 OUT= MAC=14:dd:a9:cb:0d:f0:04:02:1f:f7:b5:16:08:00 SRC=169.55.69

Martineau · May 7, 2017

skeal said:
I have a maybe stupid question. I installed HackerPorts.sh it all works but I'm wondering about the "kernel : Block IN=vlan2 OUT= Mac=blah blah blah" messages in my webui syslog. Is this something that is necessary or....?

Well it depends if VLAN2 is actually your WAN interface and of course the target Port (DPT) and destination address (DST=) will also have a bearing on the severity of 'concern' etc.

Martineau · May 7, 2017

eclp said:

I went through this guide: https://github.com/RMerl/asuswrt-me...on-instructions#dynamically-ban-malicious-ips
Restart Router:

Code:

Aug  1 02:02:02 (IPSET_Block.sh): 2098 v3.05 © 2016-2017 Martineau, Dynamic IPSET Blacklist banning request.....
Aug  1 02:02:03 (IPSET_Block.sh): 2098 IPSETs: 'Blacklist/Whitelist' created EMPTY..... [init ]
Aug  1 02:02:04 (IPSET_Block.sh): 2098 Dynamic IPSET Blacklist banning enabled.
Aug  1 02:02:04 (IPSET_Block.sh): 2098 Summary Blacklist: 0 Successful blocks! ( 0 IPs currently banned - 0 added )

If you don't have a USB attached or haven't edited the script to set the $DIR variable to point to a directory on the USB drive, then when the router boots, it will be unable to restore the previous Blacklist IPSET (which could have contained 1000s of banned IP addresses), so will have to start populating the Blacklist IPSET from scratch.

skeal · May 7, 2017

Martineau said:
Well it depends if VLAN2 is actually your WAN interface and of course the target Port (DPT) and destination address (DST=) will also have a bearing on the severity of 'concern' etc.

Yes confirmed vlan2 is my WAN port. Is this logging normal to have? It only occurred since enabling and using HackerPorts.sh
This all makes sense now!! I got this. Thanks for the explanation.

Martineau · May 7, 2017

skeal said:
Yes confirmed vlan2 is my WAN port. Is this logging normal to have? It only occurred since enabling and using HackerPorts.sh

Honestly what a question/acusation! - almost enough to convince me to do a 'Swetoast' and shut up shop and take my goodies with me.

So your question is not so much about the actual attackers, but the fact that my script HackerPorts.sh can only provide useful info because IPSET_Block.sh tediously writes 'noise' aka it's tracking messages to Syslog?

Well as described in the help (or read the code) you will see that HackerPorts.sh v2.03 now has the 'wipe' directive which, when specified, erases these tediously annoying 'Block IN=' messages (once they are processed) from Syslog and archived to file 'HackerReport.txt'

So you could schedule HackerPorts to run every hour with the 'wipe' directive or simply remove IPSET_Block.sh and HackerPorts.sh - your call.

However, as described in the help, IPSET_Block.sh v4.xx actually logs the SRC= and DPT= tracking data to the BlacklistTRK IPSET which, if it exists, is used in preference by HackerPorts v2.02/3 for its reporting.

Regards,

skeal · May 7, 2017

Martineau said:
Honestly what a question/acusation! - almost enough to convince me to do a 'Swetoast' and shut up shop and take my goodies with me.

So your question is not so much about the actual attackers, but the fact that my script HackerPorts.sh can only provide useful info because IPSET_Block.sh tediously writes 'noise' aka it's tracking messages to Syslog?

Well as described in the help (or read the code) you will see that HackerPorts.sh v2.03 now has the 'wipe' directive which, when specified, erases these tediously annoying 'Block IN=' messages (once they are processed) from Syslog and archived to file 'HackerReport.txt'

So you could schedule HackerPorts to run every hour with the 'wipe' directive or simply remove IPSET_Block.sh and HackerPorts.sh - your call.

However, as described in the help, IPSET_Block.sh v4.xx actually logs the SRC= and DPT= tracking data to the BlacklistTRK IPSET which, if it exists, is used in preference by HackerPorts v2.02/3 for its reporting.

Regards,

Sorry I had no intentions of blaming your script I was just wondering since it was the last change I made if this sort of thing was normal. I realize now that the question as you say was not worded right and I apologize for that. I think this script and your others are fantastic. I'm just no where near as talented as you are. I was trying to ask a general question not blame your script for my routers interpretation of it. Again I'm sorry if you are offended please don't pack up and leave on account of my stupid question.

Xentrk · May 8, 2017

Thankyou @Martineau!!!!!

The updated version of the report works. I have to use the all option (.e.g. /HackerPorts.sh all)or else no data gets reported.

Code:

1007 records scanned from Syslog ('/tmp/syslog.log')

08 May 12:55:02: # Unique Ports attacked via ANY interface: 93 (out of 464 attempts) tracked via SYSLOG, May 8 01:36:21 - May 8 12:55:01

        Top 10 Ports attacked:
  150 http://www.speedguide.net/port.php?port=23    e.g.  https://dnsquery.org/ipwhois/103.206.61.250
   71 http://www.speedguide.net/port.php?port=12644 e.g.  https://dnsquery.org/ipwhois/100.126.10.63
   32 http://www.speedguide.net/port.php?port=22    e.g.  https://dnsquery.org/ipwhois/103.20.29.185
   21 http://www.speedguide.net/port.php?port=14834 e.g.  https://dnsquery.org/ipwhois/1.20.232.199
   15 http://www.speedguide.net/port.php?port=8080  e.g.  https://dnsquery.org/ipwhois/108.247.206.54
   15 http://www.speedguide.net/port.php?port=21    e.g.  https://dnsquery.org/ipwhois/118.172.14.193
   14 http://www.speedguide.net/port.php?port=5060  e.g.  https://dnsquery.org/ipwhois/195.154.51.23
    8 http://www.speedguide.net/port.php?port=81    e.g.  https://dnsquery.org/ipwhois/112.120.16.208
    8 http://www.speedguide.net/port.php?port=1433  e.g.  https://dnsquery.org/ipwhois/113.10.197.140
    7 http://www.speedguide.net/port.php?port=445   e.g.  https://dnsquery.org/ipwhois/108.61.191.182

        Top 10 attackers:
    1 https://dnsquery.org/ipwhois/103.206.61.250
    1 https://dnsquery.org/ipwhois/100.126.10.63
    1 https://dnsquery.org/ipwhois/103.20.29.185
    1 https://dnsquery.org/ipwhois/1.20.232.199
    1 https://dnsquery.org/ipwhois/108.247.206.54
    1 https://dnsquery.org/ipwhois/118.172.14.193
    1 https://dnsquery.org/ipwhois/195.154.51.23
    1 https://dnsquery.org/ipwhois/112.120.16.208
    1 https://dnsquery.org/ipwhois/113.10.197.140
    1 https://dnsquery.org/ipwhois/108.61.191.182

        Last 10 most recent attackers:
      https://dnsquery.org/ipwhois/23.3.98.17
      https://dnsquery.org/ipwhois/107.170.71.85
      https://dnsquery.org/ipwhois/63.251.252.12
      https://dnsquery.org/ipwhois/23.7.47.225
      https://dnsquery.org/ipwhois/146.20.133.75
      https://dnsquery.org/ipwhois/107.178.247.57
      https://dnsquery.org/ipwhois/124.120.35.74
      https://dnsquery.org/ipwhois/23.67.1.104
      https://dnsquery.org/ipwhois/106.10.136.49
      https://dnsquery.org/ipwhois/92.42.106.175

Martineau · May 8, 2017

Xentrk said:

Thankyou @Martineau!!!!!

The updated version of the report works. I have to use the all option (.e.g. /HackerPorts.sh all)or else no data gets reported.

Code:

1007 records scanned from Syslog ('/tmp/syslog.log')

08 May 12:55:02: # Unique Ports attacked via ANY interface: 93 (out of 464 attempts) tracked via SYSLOG, May 8 01:36:21 - May 8 12:55:01

        Top 10 Ports attacked:
  150 http://www.speedguide.net/port.php?port=23    e.g.  https://dnsquery.org/ipwhois/103.206.61.250
   71 http://www.speedguide.net/port.php?port=12644 e.g.  https://dnsquery.org/ipwhois/100.126.10.63
   32 http://www.speedguide.net/port.php?port=22    e.g.  https://dnsquery.org/ipwhois/103.20.29.185
   21 http://www.speedguide.net/port.php?port=14834 e.g.  https://dnsquery.org/ipwhois/1.20.232.199

Thanks for the feedback.

HackerPorts v2.03 lazily uses this contenious NVRAM varible to identify the WAN

Code:

nvram get wan0_ifname

and by default the script will use this as its filter.

When the new 'all' parameter is used, then the filter is removed.

As usual, there is always a 'useful' feature (aka bloat

) that could be added....

e.g. if the 'all' parameter is detected, then perhaps the script should report the output of the following command:

Code:

grep "Block IN" /tmp/syslog.log | tail | grep -oE "IN=.*DPT=[0-9]+" | awk '{a[$1]++;}END{for (i in a)print i, a[i];}'

If you could post the output of the two commands this would be most helpful.

P.S. Hopefully the new parsing code is actually identifying the ports correctly.

Not sure if you could confirm that there are indeed records (still) in Syslog for the 'obscure' ports 12644/14834 that appear to be reported?...I do hope they are not the 'ID=' value extracted in error.

bayern1975 · May 8, 2017

i think my WAN is ppp0, so Hackerports script listening on eth0 and don`t get any results...

Code:

May  8 09:42:32 kernel: Block IN=ppp0 OUT= MAC= SRC=171.78.227.46 DST=xxx.xxx.xxx.xxx LEN=44 TOS=0x00 PREC=0x00 TTL=51 ID=19920 PROTO=TCP SPT=13240 DPT=23 SEQ=3243089241 ACK=0 WINDOW=10400 RES=0x00 SYN URGP=0 OPT (02040550)
May  8 09:42:33 kernel: Block IN=ppp0 OUT= MAC= SRC=104.25.235.15 DST=xxx.xxx.xxx.xxx LEN=86 TOS=0x00 PREC=0x00 TTL=61 ID=31352 DF PROTO=TCP SPT=443 DPT=6158 SEQ=2920770264 ACK=1149656329 WINDOW=144 RES=0x00 ACK PSH URGP=0

Code:

admin@RT-AC3200-0000:/jffs/scripts# ./IPSET_Block.sh
(IPSET_Block.sh): 2805 v3.05 © 2016-2017 Martineau, Dynamic IPSET Blacklist banning request.....

        Summary Blacklist: 0 Successful blocks! ( 1406 IPs currently banned - 4 added since: May 8 09:16 ), Entries auto-expire after 36:00:00 hrs

(HackerPorts.sh): 2880 v2.03 Hacker Port attacks Report.....

Scanning /tmp/syslog.log for 'eth0' violations, please wait.....

1755 records scanned from Syslog ('/tmp/syslog.log')


08 May 09:17:11: # Unique Ports attacked via 'eth0': 0 (out of 0 attempts) tracked via SYSLOG, May 7 19:00:02 - May 8 09:17:11

if i manually put ./HackerPorts.sh all in terminal then i got results....

Code:

admin@RT-AC3200-0000:/jffs/scripts# ./HackerPorts.sh all
(HackerPorts.sh): 3024 v2.03 Hacker Port attacks Report.....

Scanning /tmp/syslog.log for ANY interface violations, please wait.....

1759 records scanned from Syslog ('/tmp/syslog.log')


08 May 09:17:42: # Unique Ports attacked via ANY interface: 23 (out of 83 attempts) tracked via SYSLOG, May 7 19:00:02 - May 8 09:17:41


        Top 10 Ports attacked:
   42 http://www.speedguide.net/port.php?port=23    e.g.  https://dnsquery.org/ipwhois/101.26.5.178
    7 http://www.speedguide.net/port.php?port=22    e.g.  https://dnsquery.org/ipwhois/112.193.245.117
    5 http://www.speedguide.net/port.php?port=1433  e.g.  https://dnsquery.org/ipwhois/124.127.198.19
    3 http://www.speedguide.net/port.php?port=8080  e.g.  https://dnsquery.org/ipwhois/45.55.12.36
    3 http://www.speedguide.net/port.php?port=7547  e.g.  https://dnsquery.org/ipwhois/111.65.184.9
    2 http://www.speedguide.net/port.php?port=9529  e.g.  https://dnsquery.org/ipwhois/45.55.13.9
    2 http://www.speedguide.net/port.php?port=81    e.g.  https://dnsquery.org/ipwhois/112.162.151.186
    2 http://www.speedguide.net/port.php?port=5060  e.g.  https://dnsquery.org/ipwhois/51.15.8.65
    2 http://www.speedguide.net/port.php?port=2323  e.g.  https://dnsquery.org/ipwhois/189.114.191.147
    2 http://www.speedguide.net/port.php?port=2222  e.g.  https://dnsquery.org/ipwhois/122.190.148.209

so my question is what and where something changes in script to listening on ppp0 ?

Code:

admin@RT-AC3200-0000:/jffs/scripts# nvram get wan0_ifname
eth0

admin@RT-AC3200-0000:/jffs/scripts# grep "Block IN" /tmp/syslog.log | tail | gre
p -oE "IN=.*DPT=[0-9]+" | awk '{a[$1]++;}END{for (i in a)print i, a[i];}'
IN=ppp0 10

Xentrk · May 8, 2017

Martineau said:
Thanks for the feedback.

HackerPorts v2.03 lazily uses this contenious NVRAM varible to identify the WAN

Code:

nvram get wan0_ifname

and by default the script will use this as its filter.

When the new 'all' parameter is used, then the filter is removed.

As usual, there is always a 'useful' feature (aka bloat ) that could be added....

e.g. if the 'all' parameter is detected, then perhaps the script should report the output of the following command:

Code:

grep "Block IN" /tmp/syslog.log | tail | grep -oE "IN=.*DPT=[0-9]+" | awk '{a[$1]++;}END{for (i in a)print i, a[i];}'

If you could post the output of the two commands this would be most helpful.

P.S. Hopefully the new parsing code is actually identifying the ports correctly.
Not sure if you could confirm that there are indeed records (still) in Syslog for the 'obscure' ports 12644/14834 that appear to be reported?...I do hope they are not the 'ID=' value extracted in error.

Here is the output:

Code:

#nvram get wan0_ifname
eth0

#grep "Block IN" /tmp/syslog.log | tail | grep -oE "IN=.*DPT=[0-9]+" | awk '{a[$1]++;}END{for
(i in a)print i, a[i];}'
IN=ppp0 10

Xentrk · May 8, 2017

Martineau said:
Thanks for the feedback.

P.S. Hopefully the new parsing code is actually identifying the ports correctly.
Not sure if you could confirm that there are indeed records (still) in Syslog for the 'obscure' ports 12644/14834 that appear to be reported?...I do hope they are not the 'ID=' value extracted in error.

Here are examples from the system log file:

Code:

May  7 18:23:42 kernel: Block IN=ppp0 OUT= MAC= SRC=213.143.94.71 DST=180.183.155.168 LEN=131 TOS=0x00 PREC=0x00 TTL=111 ID=17114 PROTO=UDP SPT=61566 DPT=12644 LEN=111
May  7 18:23:42 kernel: DROP IN=ppp0 OUT= MAC= SRC=213.143.94.71 DST=180.183.155.168 LEN=131 TOS=0x00 PREC=0x00 TTL=111 ID=17114 PROTO=UDP SPT=61566 DPT=12644 LEN=111

May  7 18:20:51 kernel: Block IN=ppp0 OUT= MAC= SRC=171.96.224.103 DST=180.183.155.168 LEN=131 TOS=0x00 PREC=0x00 TTL=114 ID=3039 PROTO=UDP SPT=25843 DPT=14834 LEN=111
May  7 18:20:51 kernel: DROP IN=ppp0 OUT= MAC= SRC=171.96.224.103 DST=180.183.155.168 LEN=131 TOS=0x00 PREC=0x00 TTL=114 ID=3039 PROTO=UDP SPT=25843 DPT=14834 LEN=111
May  7 18:20:53 kernel: Block IN=ppp0 OUT= MAC= SRC=49.228.230.230 DST=180.183.155.168 LEN=131 TOS=0x00 PREC=0x00 TTL=117 ID=5071 PROTO=UDP SPT=53124 DPT=14834 LEN=111
May  7 18:20:53 kernel: DROP IN=ppp0 OUT= MAC= SRC=49.228.230.230 DST=180.183.155.168 LEN=131 TOS=0x00 PREC=0x00 TTL=117 ID=5071 PROTO=UDP SPT=53124 DPT=14834 LEN=111

Martineau · May 8, 2017

Xentrk said:

Here is the output:

Code:

#nvram get wan0_ifname
eth0

#grep "Block IN" /tmp/syslog.log | tail | grep -oE "IN=.*DPT=[0-9]+" | awk '{a[$1]++;}END{for
(i in a)print i, a[i];}'
IN=ppp0 10

So that confirms why you need to use the 'all' directive.

Presumably 'ppp0' is indeed your physical WAN interface?

Does this return anything? EDIT: Typo

Code:

ip addr | grep @

Hopefully the Blacklist chain rules are correct:

Code:

iptables --line -nvL INPUT
iptables --line -nvL FORWARD

Martineau · May 8, 2017

Xentrk said:
Here are examples from the system log file:

Code:

May 7 18:23:42 kernel: Block IN=ppp0 OUT= MAC= SRC=213.143.94.71 DST=180.183.155.168 LEN=131 TOS=0x00 PREC=0x00 TTL=111 ID=17114 PROTO=UDP SPT=61566 DPT=12644 LEN=111

OK thanks...so ID=17114 but I do correctly extract DPT=12644.

So sadly the current URL to give a clue what/why on earth port 12644 would be of interest can't provide any enlightening revelation.

Martineau · May 8, 2017

bayern1975 said:
i think my WAN is ppp0, so Hackerports script listening on eth0 and don`t get any results...

https://www.snbforums.com/threads/h...t-martineau-version.38748/page-11#post-323105

Jack Yaz · May 8, 2017

Martineau said:
View attachment 9244

Tbh if people asking for help had an inkling of self-support. If HackerPorts.sh all is giving you the result, as @Martineau says it removes the eth0 filter, then surely go to the bit of IPSet where it calls HackerPorts and add the all parameter to the call?

Or am I way off course on this?

How to Dynamically Ban Malicious IP's using IPSet (Martineau version)

Part of the Furniture

Part of the Furniture

Part of the Furniture

Part of the Furniture

Part of the Furniture

Senior Member

Part of the Furniture

Part of the Furniture

Part of the Furniture

Part of the Furniture

Part of the Furniture

Part of the Furniture

Part of the Furniture

Very Senior Member

Part of the Furniture

Part of the Furniture

Part of the Furniture

Part of the Furniture

Part of the Furniture

Part of the Furniture

Similar threads

Similar threads

Support SNBForums w/ Amazon

Sign Up For SNBForums Daily Digest