Menu
What's new
By:
Filters
Better Search

How to Dynamically Ban Malicious IP's using IPSet (Martineau version)

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Csection said:
Should I go ahead and run a test with a valid ip such as 8.8.8.8 to check it out?

I found the code and here is the change you said to implement:

Code: 
if [ $? -eq 0 ];then
echo -e "\n"$unbannedip "Is Now Unbanned"$cRESET
sed -i '/$unbannedip/d' $DIR/IPSET_Block.config
fi
# if [ $? -eq 0 ];then
# echo -e "\n"$unbannedip "Is Now Unbanned"$cRESET
# fi
echo "`sed /$unbannedip/d $DIR/IPSET_Block.config`" > $DIR/IPSET_Block.config
Click to expand...

No!!!!

This is the line that that causes the damage:
Code: 
echo "`sed /$unbannedip/d $DIR/IPSET_Block.config`" > $DIR/IPSET_Block.config

and must be DELETED - and it appears you have not commented it out.

Once you have removed the line, then you can test!
 
Martineau said:
No!!!!

This is the line that that causes the damage:
Code: 
echo "`sed /$unbannedip/d $DIR/IPSET_Block.config`" > $DIR/IPSET_Block.config

and must be DELETED - and it appears you have not commented it out.

Once you have removed the line, then you can test!
Click to expand...
Ok, thanks!
I commented that line out. I'll test it in a few. Got to take the dog out right now she's bitchin.
 
Martineau said:
No!!!!

This is the line that that causes the damage:
Code: 
echo "`sed /$unbannedip/d $DIR/IPSET_Block.config`" > $DIR/IPSET_Block.config

and must be DELETED - and it appears you have not commented it out.

Once you have removed the line, then you can test!
Click to expand...
Ok!
Back from "Dog duty"!
I tested it with Google ip and it said it was unbanned and worked just fine. So I'm good to go again.
Thanks, as usual!

4.03 appears to work well for me. I have tested most of your built-in functions and I like the versatility they add. They have worked for me.

P.Sl I'm so glad you found the problem. Cause I had a similar problem when we were testing Speed Guide.
 
I have a question. First! My syslog fills up with "Accept In" msgs. from my pc to the router. I am using a static ip cause I'm on a bridge.

I have "Default message log level" set to "Notice".
Question is:
What can I set the logging level to safely that will not affect "IPSET_Block" function in order to cut down on log clutter.
 
Csection said:
I have a question. First! My syslog fills up with "Accept In" msgs. from my pc to the router. I am using a static ip cause I'm on a bridge.

I have "Default message log level" set to "Notice".
Question is:
What can I set the logging level to safely that will not affect "IPSET_Block" function in order to cut down on log clutter.
Click to expand...

IPSET_Block when used with 'init reset ipset' does not generate/require any syslog messages.

If there are no appropriate syslog 'BLOCK IN=' messages, then this only affects the HackerPorts tracking statistics reporting...the Blacklist IPSET blocking etc. will still function correctly.
 
Observation: When my router needs a firewall restart such as after QOS settings are changed, my IPSET_Block goes into tracking only mode. If I issue /jffs/scripts/IPSET_Block.sh init nolog it begins working again. Even grabs the saved blacklist so your ip count stays ok. So not a big problem but if you didn't know this could happen you would assume you are still tracking when you're not. Thanks for the outstanding script!
 
skeal said:
Observation: When my router needs a firewall restart such as after QOS settings are changed, my IPSET_Block goes into tracking only mode. If I issue /jffs/scripts/IPSET_Block.sh init nolog it begins working again. Even grabs the saved blacklist so your ip count stays ok. So not a big problem but if you didn't know this could happen you would assume you are still tracking when you're not. Thanks for the outstanding script!
Click to expand...

This is a problem for any custom script that modifies iptables etc., as the firmware clearly may arbitrarily flush the rules used by the custom script.

So the solution is to ensure that nat-start is used to call IPSET_Block.sh.
 
Martineau said:
This is a problem for any custom script that modifies iptables etc., as the firmware clearly may arbitrarily flush the rules used by the custom script.

So the solution is to ensure that nat-start is used to call IPSET_Block.sh.
Click to expand...
Excellent idea never considered it!!
 
Martineau said:
This is a problem for any custom script that modifies iptables etc., as the firmware clearly may arbitrarily flush the rules used by the custom script.

So the solution is to ensure that nat-start is used to call IPSET_Block.sh.
Click to expand...
One last thing. Can I remove the call to the program from services-start? Will the script still run ok if I do?
 
My external drive went down I'm trying to recover. my IPSET_Block.sh is messed up.

services-start
Code: 
sh /jffs/scripts/IPSET_Block.sh init nolog
When I run
Code: 
sh /jffs/scripts/IPSETBlock.sh init nolog
I get this
Code: 
ASUSWRT-Merlin RT-AC68U 380.66-4 Fri May 26 21:55:15 UTC 2017
:/tmp/home/root# /jffs/scripts/IPSET_Block.sh init
nolog

   v4.03 © 2016-2017 Martineau, Dynamic IPSET Blocking.....

        IPSETs: 'Blacklist*/Whitelist*' created empty - reset!

        Summary Blacklist: 0+0 Successful blocks! ( 0 IPs currently banned - 0 added ), Entries auto-expire after 7 days 00:00:00hrs



        ***ERROR Tracking not enabled? - check '/jffs/scripts/services-start' 'IPSET_Block.sh init' is used WITHOUT 'nolog'

:/tmp/home/root# /jffs/scripts/IPSET_Block.sh init
nolog

   v4.03 © 2016-2017 Martineau, Dynamic IPSET Blocking.....

        IPSETs: 'Blacklist*/Whitelist*' created empty - reset!

        Summary Blacklist: 0+0 Successful blocks! ( 0 IPs currently banned - 0 added ), Entries auto-expire after 7 days 00:00:00hrs



        ***ERROR Tracking not enabled? - check '/jffs/scripts/services-start' 'IPSET_Block.sh init' is used WITHOUT 'nolog'

:/tmp/home/root#
Help anyone please!

EDIT: I managed to get everything except tracking it still says I don't have nolog when init is specified. The script is setup to run from services-start. Tracking is broken on my system......
EDIT: I removed nolog from the call in services-start now it works. But with block messages in syslog. Ran /jffs/scripts/IPSET_Block.sh nolog and it's all woeking. ....:)
 
Last edited:
Martineau said:
This is a problem for any custom script that modifies iptables etc., as the firmware clearly may arbitrarily flush the rules used by the custom script.

So the solution is to ensure that nat-start is used to call IPSET_Block.sh.
Click to expand...
Are you saying to put the call of the initial of IPSET_Block.sh into nat-start and where is it located? I looked for it but could not find it.
 
I can't seem to iron out this problem. I'm using the "init nolog" switch in "services-start" the script won't run without an error saying "init" used without "nolog" in "services-start".
What have I got messed up guys?

EDIT:If I remove the switch "nolog" from "services-start" and use "/jffs/scripts/IPSET_Block.sh init" at the ssh terminal and then use "/jffs/scripts/IPSET_Block.sh nolog" and things run like before. Before what? I don't know. It happened around the time I set the "nat-start" script up but it no longer exists on my router.
 
Last edited:
skeal said:
I can't seem to iron out this problem. I'm using the "init nolog" switch in "services-start" the script won't run without an error saying "init" used without "nolog" in "services-start".
What have I got messed up guys?

EDIT:If I remove the switch "nolog" from "services-start" and use "/jffs/scripts/IPSET_Block.sh init" at the ssh terminal and then use "/jffs/scripts/IPSET_Block.sh nolog" and things run like before. Before what? I don't know. It happened around the time I set the "nat-start" script up but it no longer exists on my router.
Click to expand...
A few nights ago, I saw the same thing. I can't recall what I was doing or why I was restarting the script. But I saw the same message on one of the routers.
 
Now it seems HackerPorts.sh is losing its capabilities. The script started telling me no incidents. I had to do the init and then nolog command to get it up and running again. Now it's reporting blocks again but this happened after 2 days of running with no interventions. Did I screw something up?
 
skeal said:
Now it seems HackerPorts.sh is losing its capabilities. The script started telling me no incidents. I had to do the init and then nolog command to get it up and running again. Now it's reporting blocks again but this happened after 2 days of running with no interventions. Did I screw something up?
Click to expand...

IPSET_Block.sh will report real-time statistics from the iptables.

HackerPorts.sh will report historical statistics from either IPSET BlacklistTRK and/or Syslog 'Block IN' messages.

If IPSET BlacklistTRK is empty (or doesn't exist) or there are no Syslog 'Block IN' messages then HackerPorts.sh cannot report any statistics.

If the iptables rules that are required by IPSET_Block.sh/HackerPorts.sh have been flushed/deleted (by say the TrendMicro DPI engine) then if there is no call to './IPSET_Block.sh init' in /jffs/scripts/nat-start then the scripts will be broken.

e.g. if HackerPorts.sh issues:
Code: 
***Warning IPSET Blocking is in Tracking ONLY mode!

then this is because the blocking INPUT iptables rule no longer exists and the following command will return nothing.
Code: 
iptables -nvL INPUT | grep -E "DROP.*Blacklist"

 1968  175K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Blacklist src

If the above rule no longer exists then './IPSET_Block.sh init' will reinstate the necessary iptables rules, but you will need to debug yourself how/why the INPUT 'match-set Blacklist src' rule went missing.
 
Last edited:
Martineau said:
IPSET_Block.sh will report real-time statistics from the iptables.

HackerPorts.sh will report historical statistics from either IPSET BlacklistTRK and/or Syslog 'Block IN' messages.

If IPSET BlacklistTRK is empty (or doesn't exist) or there are no Syslog 'Block IN' messages then HackerPorts.sh cannot report any statistics.

If the iptables rules that are required by IPSET_Block.sh/HackerPorts.sh have been flushed/deleted (by say the TrendMicro DPI engine) then if there is no call to './IPSET_Block.sh init' in /jffs/scripts/nat-start then the scripts will be broken.

e.g. if HackerPorts.sh issues:
Code: 
***Warning IPSET Blocking is in Tracking ONLY mode!

then this is because the blocking INPUT iptables rule no longer exists and the following command will return nothing.
Code: 
iptables -nvL INPUT | grep -E "DROP.*Blacklist"

 1968  175K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Blacklist src

If the above rule no longer exists then './IPSET_Block.sh init' will reinstate the necessary iptables rules, but you will need to debug yourself how/why the INPUT 'match-set Blacklist src' rule went missing.
Click to expand...
Ok I ran the command below
Code: 
iptables -nvL INPUT | grep -E "DROP.*Blacklist"
The return was
Code: 
51  2511 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Blacklist src
I'm not sure I understand what you are saying. I am not really good with these scripts. But you are right there could be a conflict with another script. I want to continue using this script but have no idea how to isolate what could be wrong. Anybody out there want to help me it would be appreciated.
EDIT: I have none of the listed directories. I cannot find the file "ipset" I don't know what $List means I don't have a BlacklistTRK or Blacklist or Whitelist. I cannot find them on my external drive or local directories. If I create them will it work and if so where do I create them?
 
Last edited:
Hi Martineau,
First of all, I would like thank you for your script! I'm using it for months, and it is working like a charm. My only difficulty was to whitelist some false positive bans. For example, some features of Facebook (video posts, pictures) was blocked on all of my Android devices right after I installed this script on my router. Finally I figured out how to whitelist every FB related IPs.
I'm using script version 3.05, but I would like ask for a link to newest 4.x version. I know it is still in beta, but soo hard to read my router's syslog because of many blocking entries at the moment. I know there is a 'nolog' option in 3.05, but I would like to use HackerPorts script as well, and I need a log to be able to check when a false positive ban may occurs.
I thank you in advance for your reply.
 
Runcajsz said:
Hi
I'm using script version 3.05, but I would like ask for a link to newest 4.x version.
Click to expand...

Sent temporary link to v4.03/v2.06
 
You must log in or register to reply here.

Similar threads

N
Ipset not working
Replies
0
Views
2K
Nikecow
N
Similar threads
Thread starter Title Forum Replies Date
devhell How I can dynamically manage VPN director rules list by CLI Asuswrt-Merlin 0

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 975 (members: 35, guests: 940)
Top