How to Dynamically Ban Malicious IP's using IPSet (Martineau version)

[Martineau]

Should I go ahead and run a test with a valid ip such as 8.8.8.8 to check it out?

I found the code and here is the change you said to implement:

if [ $? -eq 0 ];then
echo -e "\n"$unbannedip "Is Now Unbanned"$cRESET
sed -i '/$unbannedip/d' $DIR/IPSET_Block.config
fi
# if [ $? -eq 0 ];then
# echo -e "\n"$unbannedip "Is Now Unbanned"$cRESET
# fi
echo "`sed /$unbannedip/d $DIR/IPSET_Block.config`" > $DIR/IPSET_Block.config

No!!!!

This is the line that that causes the damage:

echo "`sed /$unbannedip/d $DIR/IPSET_Block.config`" > $DIR/IPSET_Block.config

and must be DELETED - and it appears you have not commented it out.

Once you have removed the line, then you can test!

 

[Csection]

No!!!!

This is the line that that causes the damage:

echo "`sed /$unbannedip/d $DIR/IPSET_Block.config`" > $DIR/IPSET_Block.config

and must be DELETED - and it appears you have not commented it out.

Once you have removed the line, then you can test!

Ok, thanks!
I commented that line out. I'll test it in a few. Got to take the dog out right now she's bitchin.

 

[Csection]

No!!!!

This is the line that that causes the damage:

echo "`sed /$unbannedip/d $DIR/IPSET_Block.config`" > $DIR/IPSET_Block.config

and must be DELETED - and it appears you have not commented it out.

Once you have removed the line, then you can test!

Ok!
Back from "Dog duty"!
I tested it with Google ip and it said it was unbanned and worked just fine. So I'm good to go again.
Thanks, as usual!

4.03 appears to work well for me. I have tested most of your built-in functions and I like the versatility they add. They have worked for me.

P.Sl I'm so glad you found the problem. Cause I had a similar problem when we were testing Speed Guide.

 

[Csection]

I have a question. First! My syslog fills up with "Accept In" msgs. from my pc to the router. I am using a static ip cause I'm on a bridge.

I have "Default message log level" set to "Notice".
Question is:
What can I set the logging level to safely that will not affect "IPSET_Block" function in order to cut down on log clutter.

 

[Martineau]

I have a question. First! My syslog fills up with "Accept In" msgs. from my pc to the router. I am using a static ip cause I'm on a bridge.

I have "Default message log level" set to "Notice".
Question is:
What can I set the logging level to safely that will not affect "IPSET_Block" function in order to cut down on log clutter.

IPSET_Block when used with 'init reset ipset' does not generate/require any syslog messages.

If there are no appropriate syslog 'BLOCK IN=' messages, then this only affects the HackerPorts tracking statistics reporting...the Blacklist IPSET blocking etc. will still function correctly.

 

[skeal]

Observation: When my router needs a firewall restart such as after QOS settings are changed, my IPSET_Block goes into tracking only mode. If I issue /jffs/scripts/IPSET_Block.sh init nolog it begins working again. Even grabs the saved blacklist so your ip count stays ok. So not a big problem but if you didn't know this could happen you would assume you are still tracking when you're not. Thanks for the outstanding script!

 

[Martineau]

Observation: When my router needs a firewall restart such as after QOS settings are changed, my IPSET_Block goes into tracking only mode. If I issue /jffs/scripts/IPSET_Block.sh init nolog it begins working again. Even grabs the saved blacklist so your ip count stays ok. So not a big problem but if you didn't know this could happen you would assume you are still tracking when you're not. Thanks for the outstanding script!

This is a problem for any custom script that modifies iptables etc., as the firmware clearly may arbitrarily flush the rules used by the custom script.

So the solution is to ensure that nat-start is used to call IPSET_Block.sh.

 

[skeal]

This is a problem for any custom script that modifies iptables etc., as the firmware clearly may arbitrarily flush the rules used by the custom script.

So the solution is to ensure that nat-start is used to call IPSET_Block.sh.

Excellent idea never considered it!!

 

[skeal]

This is a problem for any custom script that modifies iptables etc., as the firmware clearly may arbitrarily flush the rules used by the custom script.

So the solution is to ensure that nat-start is used to call IPSET_Block.sh.

One last thing. Can I remove the call to the program from services-start? Will the script still run ok if I do?

 

[skeal]

My external drive went down I'm trying to recover. my IPSET_Block.sh is messed up.

services-start

sh /jffs/scripts/IPSET_Block.sh init nolog

When I run

sh /jffs/scripts/IPSETBlock.sh init nolog

I get this

ASUSWRT-Merlin RT-AC68U 380.66-4 Fri May 26 21:55:15 UTC 2017
:/tmp/home/root# /jffs/scripts/IPSET_Block.sh init
nolog

   v4.03 © 2016-2017 Martineau, Dynamic IPSET Blocking.....

        IPSETs: 'Blacklist*/Whitelist*' created empty - reset!

        Summary Blacklist: 0+0 Successful blocks! ( 0 IPs currently banned - 0 added ), Entries auto-expire after 7 days 00:00:00hrs



        ***ERROR Tracking not enabled? - check '/jffs/scripts/services-start' 'IPSET_Block.sh init' is used WITHOUT 'nolog'

:/tmp/home/root# /jffs/scripts/IPSET_Block.sh init
nolog

   v4.03 © 2016-2017 Martineau, Dynamic IPSET Blocking.....

        IPSETs: 'Blacklist*/Whitelist*' created empty - reset!

        Summary Blacklist: 0+0 Successful blocks! ( 0 IPs currently banned - 0 added ), Entries auto-expire after 7 days 00:00:00hrs



        ***ERROR Tracking not enabled? - check '/jffs/scripts/services-start' 'IPSET_Block.sh init' is used WITHOUT 'nolog'

:/tmp/home/root#

Help anyone please!

EDIT: I managed to get everything except tracking it still says I don't have nolog when init is specified. The script is setup to run from services-start. Tracking is broken on my system......
EDIT: I removed nolog from the call in services-start now it works. But with block messages in syslog. Ran /jffs/scripts/IPSET_Block.sh nolog and it's all woeking. ....

 

[Csection]

This is a problem for any custom script that modifies iptables etc., as the firmware clearly may arbitrarily flush the rules used by the custom script.

So the solution is to ensure that nat-start is used to call IPSET_Block.sh.

Are you saying to put the call of the initial of IPSET_Block.sh into nat-start and where is it located? I looked for it but could not find it.

 

[Xentrk]

Are you saying to put the call of the initial of IPSET_Block.sh into nat-start and where is it located? I looked for it but could not find it.

Hi C,
You will need to create the file yourself in /jffs/scripts folder. https://github.com/RMerl/asuswrt-merlin/wiki/User-scripts

Make sure you give it a #!/bin/sh in the first line and make it executable e.g. chmod 755 nat-start.

 

[Csection]

Hi C,
You will need to create the file yourself in /jffs/scripts folder. https://github.com/RMerl/asuswrt-merlin/wiki/User-scripts

Make sure you give it a #!/bin/sh in the first line and make it executable e.g. chmod 755 nat-start.

As always!Thanks for that!

 

[skeal]

I can't seem to iron out this problem. I'm using the "init nolog" switch in "services-start" the script won't run without an error saying "init" used without "nolog" in "services-start".
What have I got messed up guys?

EDIT:If I remove the switch "nolog" from "services-start" and use "/jffs/scripts/IPSET_Block.sh init" at the ssh terminal and then use "/jffs/scripts/IPSET_Block.sh nolog" and things run like before. Before what? I don't know. It happened around the time I set the "nat-start" script up but it no longer exists on my router.

 

[Xentrk]

I can't seem to iron out this problem. I'm using the "init nolog" switch in "services-start" the script won't run without an error saying "init" used without "nolog" in "services-start".
What have I got messed up guys?

EDIT:If I remove the switch "nolog" from "services-start" and use "/jffs/scripts/IPSET_Block.sh init" at the ssh terminal and then use "/jffs/scripts/IPSET_Block.sh nolog" and things run like before. Before what? I don't know. It happened around the time I set the "nat-start" script up but it no longer exists on my router.

A few nights ago, I saw the same thing. I can't recall what I was doing or why I was restarting the script. But I saw the same message on one of the routers.

 

[skeal]

Now it seems HackerPorts.sh is losing its capabilities. The script started telling me no incidents. I had to do the init and then nolog command to get it up and running again. Now it's reporting blocks again but this happened after 2 days of running with no interventions. Did I screw something up?

 

[Martineau]

Now it seems HackerPorts.sh is losing its capabilities. The script started telling me no incidents. I had to do the init and then nolog command to get it up and running again. Now it's reporting blocks again but this happened after 2 days of running with no interventions. Did I screw something up?

IPSET_Block.sh will report real-time statistics from the iptables.

HackerPorts.sh will report historical statistics from either IPSET BlacklistTRK and/or Syslog 'Block IN' messages.

If IPSET BlacklistTRK is empty (or doesn't exist) or there are no Syslog 'Block IN' messages then HackerPorts.sh cannot report any statistics.

If the iptables rules that are required by IPSET_Block.sh/HackerPorts.sh have been flushed/deleted (by say the TrendMicro DPI engine) then if there is no call to './IPSET_Block.sh init' in /jffs/scripts/nat-start then the scripts will be broken.

e.g. if HackerPorts.sh issues:

***Warning IPSET Blocking is in Tracking ONLY mode!

then this is because the blocking INPUT iptables rule no longer exists and the following command will return nothing.

iptables -nvL INPUT | grep -E "DROP.*Blacklist"

 1968  175K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Blacklist src

If the above rule no longer exists then './IPSET_Block.sh init' will reinstate the necessary iptables rules, but you will need to debug yourself how/why the INPUT 'match-set Blacklist src' rule went missing.

 

[skeal]

IPSET_Block.sh will report real-time statistics from the iptables.

HackerPorts.sh will report historical statistics from either IPSET BlacklistTRK and/or Syslog 'Block IN' messages.

If IPSET BlacklistTRK is empty (or doesn't exist) or there are no Syslog 'Block IN' messages then HackerPorts.sh cannot report any statistics.

If the iptables rules that are required by IPSET_Block.sh/HackerPorts.sh have been flushed/deleted (by say the TrendMicro DPI engine) then if there is no call to './IPSET_Block.sh init' in /jffs/scripts/nat-start then the scripts will be broken.

e.g. if HackerPorts.sh issues:

***Warning IPSET Blocking is in Tracking ONLY mode!

then this is because the blocking INPUT iptables rule no longer exists and the following command will return nothing.

iptables -nvL INPUT | grep -E "DROP.*Blacklist"

 1968  175K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Blacklist src

If the above rule no longer exists then './IPSET_Block.sh init' will reinstate the necessary iptables rules, but you will need to debug yourself how/why the INPUT 'match-set Blacklist src' rule went missing.

Ok I ran the command below

iptables -nvL INPUT | grep -E "DROP.*Blacklist"

The return was

51  2511 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Blacklist src

I'm not sure I understand what you are saying. I am not really good with these scripts. But you are right there could be a conflict with another script. I want to continue using this script but have no idea how to isolate what could be wrong. Anybody out there want to help me it would be appreciated.
EDIT: I have none of the listed directories. I cannot find the file "ipset" I don't know what $List means I don't have a BlacklistTRK or Blacklist or Whitelist. I cannot find them on my external drive or local directories. If I create them will it work and if so where do I create them?

 

[Runcajsz]

Hi Martineau,
First of all, I would like thank you for your script! I'm using it for months, and it is working like a charm. My only difficulty was to whitelist some false positive bans. For example, some features of Facebook (video posts, pictures) was blocked on all of my Android devices right after I installed this script on my router. Finally I figured out how to whitelist every FB related IPs.
I'm using script version 3.05, but I would like ask for a link to newest 4.x version. I know it is still in beta, but soo hard to read my router's syslog because of many blocking entries at the moment. I know there is a 'nolog' option in 3.05, but I would like to use HackerPorts script as well, and I need a log to be able to check when a false positive ban may occurs.
I thank you in advance for your reply.

 

[Martineau]

Hi
I'm using script version 3.05, but I would like ask for a link to newest 4.x version.

Sent temporary link to v4.03/v2.06