How to Dynamically Ban Malicious IP's using IPSet (Martineau version)

[Xentrk]

Hi @Martineau, I hope all is good.

All three routers are now displaying the following message when I run HackerPorts.sh:

***Warning IPSET Blocking is in Tracking ONLY mode!

This is a new message. Following is a snip from verbose output leading up to the message:

Spoiler: Verbose Code Output

rrexit off
noglob off
ignoreeof off
interactive off
monitor off
noexec off
stdin off
xtrace on
verbose off
noclobber off
allexport off
notify off
nounset off
vi off
pipefail off
+ VER=v2.06
+ ANSIColours
+ cRESET=\e[0m
+ cBLA=\e[30m
+ cRED=\e[31m
+ cGRE=\e[32m
+ cYEL=\e[33m
+ cBLU=\e[34m
+ cMAG=\e[35m
+ cCYA=\e[36m
+ cGRA=\e[37m
+ cNO=\e[39m
+ cBGRA=\e[90m
+ cBRED=\e[91m
+ cBGRE=\e[92m
+ cBYEL=\e[93m
+ cBBLU=\e[94m
+ cBMAG=\e[95m
+ cBCYA=\e[96m
+ cBWHT=\e[97m
+ cRED_=\e[41m
+ cGRE_=\e[42m
+ aBOLD=\e[1m
+ aDIM=\e[2m
+ aUNDER=\e[4m
+ aBLINK=\e[5m
+ aREVERSE=\e[7m
+ Get_WAN_IF_Name
+ local IF_NAME=
+ nvram get wan0_gw_ifname
+ [ ppp0 != ]
+ nvram get wan0_gw_ifname
+ local IF_NAME=ppp0
+ nvram get pppoe_ifname
+ [ ! -z ]
+ echo ppp0
+ WAN_IF=ppp0
+ echo -e \e[97m
+ [ all == help ]
+ [ all == -h ]
+ nvram get computer_name
+ MYROUTER=RT-AC88U-XYZ
+ [ -d /tmp/mnt/RT-AC88U-XYZ ]
+ MOUNT=/tmp/mnt/RT-AC88U-XYZ
+ SYSLOG=/tmp/syslog.log
+ echo all
+ grep -o in=
+ wc -w
+ [ 0 -eq 1 ]
+ echo all
+ sed -n /[[:space:]]syslog[[:space:]]/p
+ [ -z ]
+ Tracking_Enabled
+ local STATUS=0
+ local FN=
+ grep -iE /jffs/scripts/IPSET_Block\.sh /jffs/scripts/firewall-start
+ grep -vE ^\#
+ [ ! -z ]
+ grep -iE /jffs/scripts/IPSET_Block\.sh /jffs/scripts/services-start
+ grep -vE ^\#
+ [ ! -z sh /jffs/scripts/IPSET_Block.sh init nolog
cru a IPSET_SAVE "0 * * * * /jffs/scripts/IPSET_Block.sh save" #Every hour
cru a IPSET_BACKUP "0 5 * * * /jffs/scripts/IPSET_Block.sh backup" #05:00 every day ]
+ grep -iE /jffs/scripts/IPSET_Block\.sh.*nolog /jffs/scripts/services-start
+ [ -z sh /jffs/scripts/IPSET_Block.sh init nolog ]
+ FN=/jffs/scripts/services-start
+ ipset list BlacklistTRK
+ [ 0 -eq 0 ]
+ STATUS=2
+ echo 2,/jffs/scripts/services-start
+ Parse 2,/jffs/scripts/services-start , TRACKING FN
+ local string IFS
+ TEXT=2,/jffs/scripts/services-start
+ IFS=,
+ shift 2
+ read -r -- TRACKING FN
+ [ 2 == 0 ]
+ [ ! -f /tmp/syslog.log ]
+ [ ! -z all ]
+ [ all != verbose ]
+ echo all
+ grep -o status
+ [ -z ]
+ echo all
+ grep -oE syslog|noipset
+ [ -z ]
+ echo all
+ grep -o num=
+ [ -z ]
+ echo all
+ grep -o all
+ [ -z all ]
+ LOGFILE=/tmp/mnt/RT-AC88U-XYZ/HackerReport.txt
+ Delete_TempFiles
+ rm /tmp/mnt/RT-AC88U-XYZ/HackerReport.txt.tmp
+ rm /tmp/mnt/RT-AC88U-XYZ/HackerReport.txt.new
+ return 0
+ ipset -v
+ grep -o v[4,6]
+ MATCH_SET=--match-set
+ LIST=list
+ CREATE=create
+ SAVE=save
+ RESTORE=restore
+ FLUSH=flush
+ DESTROY=destroy
+ ADD=add
+ SWAP=swap
+ IPHASH=hash:ip
+ NETHASH=hash:net
+ SETNOTFOUND=name does not exist
+ TIMEOUT=timeout
+ lsmod
+ grep -q xt_set
+ basename ./HackerPorts.sh
+ logger -t (HackerPorts.sh) 16532 v2.06 © 2016-2017 Martineau,Hacker Port attacks Report.....
+ echo -e v2.06 \e[4m© 2016-2017 Martineau\e[0m, Hacker Port attacks Report.....
v2.06 © 2016-2017 Martineau, Hacker Port attacks Report.....
+ ipset list Blacklist
+ wc -l
+ [ 765 -eq 0 ]
+ VERBOSE=0
+ echo all
+ grep -o verbose
+ wc -w
+ [ 0 -eq 1 ]
+ TOPX=10
+ echo all
+ grep -o num=
+ wc -w
+ [ 0 -eq 1 ]
+ which uniq
+ [ -z /usr/bin/uniq ]
+ REC_CNT=0
+ GRE_CNT=0
+ nvram get wan0_ifname
+ IFNAME=eth0
+ IIFXT='eth0'
+ ALL_IFTXT=
+ DIG=0
+ LISTED=
+ echo all
+ grep -o dig
+ wc -w
+ [ 0 -eq 1 ]
+ cru l
+ grep IPSET_resume
+ [ ! -z ]
+ iptables -nvL INPUT
+ grep -E DROP.*Blacklist
+ [ -z ]
+ echo -e \e[41m\e[5m\a\n\n\t***Warning IPSET Blocking is in Tracking ONLY mode!\n\e[0m

output from iptables -nvL INPUT

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1227 54137 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set BlockedCountries src
    1    76 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set TorNodes src
   16  1785 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0
   10   354 logdrop    icmp --  ppp0   *       0.0.0.0/0            0.0.0.0/0            icmptype 8
  444 31354 SECURITY_PROTECT  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
  132  5480 SECURITY_PROTECT  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 23
1389K 1468M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
15500  901K logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
31908 3569K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            state NEW
 389K   88M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp !type 8
 1043 61463 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0

I did a ./IPSET_Block.sh init reset and the warning message went away.

Perhaps the script needed to be recycled/rebooted? I will repeat the steps on the others unless you have other things you would like me to try.

Regards, Xen

 

[skeal]

Anybody know where BlacklistTRK is supposed to be located? Can I add manually?

 

[Martineau]

Hi @Martineau, I hope all is good.

All three routers are now displaying the following message when I run HackerPorts.sh:

***Warning IPSET Blocking is in Tracking ONLY mode!

This is a new message. Following is a snip from verbose output leading up to the message:

+ iptables -nvL INPUT
+ grep -E DROP.*Blacklist
+ [ -z  ]
+ echo -e \e[41m\e[5m\a\n\n\t***Warning IPSET Blocking is in Tracking ONLY mode!\n\e[0m

I did a ./IPSET_Block.sh init reset and the warning message went away.

Perhaps the script needed to be recycled/rebooted? I will repeat the steps on the others unless you have other things you would like me to try.

Regards, Xen

Sigh ....

As explained in https://www.snbforums.com/threads/h...t-martineau-version.38748/page-18#post-331132

that you marked as having read? the reason for the message is explained.

 

[Xentrk]

Sigh ....

As explained in https://www.snbforums.com/threads/h...t-martineau-version.38748/page-18#post-331132

that you marked as having read? the reason for the message is explained.

Okay, I have egg on face. Thanks for the reminder. Too many other things going on with a windows 10 laptop issue and a windows server 2008 R2 issue I am trying to resolve that it got pushed aside to the area of the brain called the parking lot.

 

[Martineau]

Okay, I have egg on face. Thanks for the reminder. Too many other things going on with a windows 10 laptop issue and a windows server 2008 R2 issue I am trying to resolve that it got pushed aside to the area of the brain called the parking lot.

Ahh good old Microsoft....Win 10 is still 'officially banned' on our work laptops!

 

[Martineau]

Anybody know where BlacklistTRK is supposed to be located? Can I add manually?

Sigh....

Read the help then issue

./IPSET_Block.sh   init   reset   ipset

./IPSET_Block.sh   restore

./IPSET_Block.sh   nolog

 

[Xentrk]

@Martineau,

A nice to have feature on the report would be list the timestamp of the hack attempt. I looked at the ipset man page and don't see a timestamp option. Is this something you have looked into?

 

[Martineau]

@Martineau,

A nice to have feature on the report would be list the timestamp of the hack attempt. I looked at the ipset man page and don't see a timestamp option. Is this something you have looked into?

When only using the BlacklistTRK IPSET for tracking (rather than the Syslog 'BLOCK IN=' messages) then unfortunately there is no available timestamp so this is the penalty sacrifice for invisible tracking i.e. a clean/uncluttered Syslog.

Basically as I schedule 'IPSET_Block.sh save' every hour, it will also call HackerPorts.sh to create HackerReport.txt so you may be able to deduce from HackerReport.txt in which hour the first attempt occurred.

With this limitation in mind, I have implemented (in v2.07) 'rrdtool' as an alternative to manually running HackerPorts.sh on the command line.

The graphical reporting of trends could be useful, with my current graph based on a 1 hour interval. (NOTE: the drop in the green line is when I rebooted yesterday and again earlier today - hence the Hits count was reset).

P.S. To be honest I'm not sure if knowing precisely when the hack attempt occurred is actually useful? - apart from perhaps possibly confirming that most hack attempts occur during your local 'night-time' hours?

 

[Csection]

@Martineau !
I have a request.
When the "Summary blacklist:" runs on IPSET_Block. It has a green background and white letters.
I cannot see the white letters in the box. Is it possible to change the letters color from white to say black in that msg. box for visibility?
The red box with white letters shows up just fine!
Sorry! I should have stated that I do a "cat" of Hacker Report to see this.

 

[Martineau]

@Martineau !
When the "Summary blacklist:" runs on IPSET_Block. It has a green background and white letters.
I cannot see the white letters in the box. Is it possible to change the letters color from white to say black in that msg. box for visibility?
The red box with white letters shows up just fine!
Sorry! I should have stated that I do a "cat" of Hacker Report to see this.

Try changing IPSET_Block.sh LINE 476

\e[42m$HITS Successful blocks!

change to

\e[30;48;5;82m$HITS Successful blocks!

If this garish choice isn't to your liking then you may pick one that suits:

see https://en.wikipedia.org/wiki/ANSI_escape_code

and if you scroll to the bottom of the article you will see the colours and their ANSI escape sequences.

 

[Csection]

Try changing IPSET_Block.sh LINE 476

\e[42m$HITS Successful blocks!

change to

\e[30;48;5;82m$HITS Successful blocks!

If this garish choice isn't to your liking then you may pick one that suits:

see https://en.wikipedia.org/wiki/ANSI_escape_code

and if you scroll to the bottom of the article you will see the colours and their ANSI escape sequences.

On line 476. I have NOLog=1
I can't locate the code you refer to.

 

[Martineau]

On line 476. I have NOLog=1
I can't locate the code you refer to.

So which version of IPSET_Block.sh do you have?

Why not search in IPSET_Block.sh for the text

HITS Successful blocks

and replace the ANSI colour codes on that line?

 

[Csection]

So which version of IPSET_Block.sh do you have?

Why not search in IPSET_Block.sh for the text

HITS Successful blocks

and replace the ANSI colour codes on that line?

I'm on ver. 4.03. I found the HITS, but I really don't know what to change.
code reads:
TEXT=$cRESET"Summary Blacklist: $cGRE_${IHITS}+$FHITS Successful blocks!$cRESET ( $cRED_$OLDAMOUNT IPs currentl$
TEXT2="Summary Blacklist: $HITS Successful blocks! ( $OLDAMOUNT IPs currently banned - $DELTA $UP_DOWN $INTERVA$

 

[Martineau]

I'm on ver. 4.03. I found the HITS, but I really don't know what to change.
code reads:
TEXT=$cRESET"Summary Blacklist: $cGRE_${IHITS}+$FHITS Successful blocks!$cRESET ( $cRED_$OLDAMOUNT IPs currentl$

Ah! OK..I forgot that you are one of the few using v4.xx (rather than v3.05), and I defined the routine AnsiColours to make it easier to see in the script which colours are in use rather than the cryptic ANSI escape sequences.

So for v4.03

Change in the line above

$cGRE_

(GREen background, rather than $cGRE GREen foreground text) to

\e[30;48;5;82m

P.S. Which terminal client are you using? PuTTY/Xshell5,MobaXterm etc?

 

[Csection]

Ah! OK..I forgot that you are one of the few using v4.xx (rather than v3.05), and I defined the routine AnsiColours to make it easier to see in the script which colours are in use rather than the cryptic ANSI escape sequences.

So for v4.03

Change in the line above

$cGRE_

(GREen background, rather than $cGRE GREen foreground text) to

\e[30;48;5;82m

P.S. Which terminal client are you using? PuTTY/Xshell5,MobaXterm etc?

I am using Putty.
I changed that code, but now Hacker Report doesn't show any boxes at all! Neither green or red. None of them show up.

 

[Csection]

I am using Putty.
I changed that code, but now Hacker Report doesn't show any boxes at all! Neither green or red. None of them show up.

I may not have made myself clear enough of what I wanted to do.
I only wanted to change the text color in the green box to say maybe black so it was more visible than the white lettering that was default for that box.
Thank you for the help you have given me though!

 

[Martineau]

I may not have made myself clear enough of what I wanted to do.
I only wanted to change the text color in the green box to say maybe black so it was more visible than the white lettering that was default for that box.
Thank you for the help you have given me though!

I changed the line as follows:

TEXT=$cRESET"Summary Blacklist: \e[30;48;5;82m${IHITS}+$FHITS Successful blocks!$cRESET ( $cRED_$OLDAMOUNT IPs currently banned - $DELTA $UP_DOWN$cRESET $INTERVAL)"

and here is the before/after image. And given the text being blurred is irrelevant, it clearly shows the dramatic change from White-on-DarkGreen to Black-on-BrightGreen

I changed that code, but now Hacker Report doesn't show any boxes at all! Neither green or red. None of them show up.

No idea what you actually typed nor edited.

So as it is more worthwhile to teach someone than do it for them, I gave you the Wiki page to allow you to enter your desired colour for the text.

 

[Csection]

I changed the line as follows:

TEXT=$cRESET"Summary Blacklist: \e[30;48;5;82m${IHITS}+$FHITS Successful blocks!$cRESET ( $cRED_$OLDAMOUNT IPs currently banned - $DELTA $UP_DOWN$cRESET $INTERVAL)"

and here is the before/after image. And given the text being blurred is irrelevant, it clearly shows the dramatic change from White-on-DarkGreen to Black-on-BrightGreen

View attachment 9756



No idea what you actually typed nor edited.

So as it is more worthwhile to teach someone than do it for them, I gave you the Wiki page to allow you to enter your desired colour for the text.

Thank you so much!
That is exactly what I was referring to.

 

[Csection]

Thank you so much!
That is exactly what I was referring to.

I changed the line as you suggested and it works fantastically!
Thank you so much!
I can now read the text in that green box.
God bless!
P.S. Script is working great. It flushes old ip's as they get old and the permanently banned ones are saved as well.

 

[Martineau]

I changed the line as you suggested and it works fantastically!
I can now read the text in that green box.

No problem, although I'm not sure if there are subtle variations in the way that Xshell5 vs. PuTTY actually renders the colours on screen.