iptables -j SET -h
iptables v1.4.14
<snip>
SET target options:
--add-set name flags
--del-set name flags
add/del src/dst IP/port from/to named sets,
where flags are the comma separated list of
'src' and 'dst' specifications.
I believe if the same command is issued on say RT-N66U etc., then iptables v1.3.8 will describe the '-j SET --add-set' in the help, but the command doesn't actually run, so the Blacklist IPSET cannot be automatically populated by the firewall rule.
There are slight functional differences in my version vs. @Adamm's i.e. Malware blocking is not included - I'll leave that to your supported Malware script(s)
The main difference is that my script exploits the IPSET v6.3 feature which allows the user to specify how long the Blacklist entries remain in the IPSET before they expire.
e.g. passing the 'init' arg in the firewall-start script will instigate a search for a '.config' file to reload a previously populated Blacklist IPSET
Code:
/jffs/scripts/IPSET_Block.sh init
however, if the following syntax is used:
Code:
/jffs/scripts/IPSET_Block.sh init [full [hh:mm:ss]]
e.g.
IPSET_Block.sh init full 24:00:00
then when the Blacklist IPSET is created the member entries will expire after 24 hrs.
(The default hard-coded in the script is 168:00:00 hrs = 7 days)
e.g. You can see how much longer (until its timeout value reaches 0) each entry will remain in the IPSET based on its initial 86400 seconds value:
YES....unless the source IP address xxx.xxx.xxx.xxx is in the Whitelist IPSET (v3.xx) or both the source address and FTP port 'xxx.xxx.xxx.xxx,21' is in the WhitelistSRCPort IPSET (v4.xx)
e.g. a few days ago, Port 21 was in the top 3 most attacked ports!
Sun Apr 30 15:07:47 DST 2017 (Ports attacked Total=327)
You have 'nolog' specified which means you explicitly don't want the IPSET_Block.sh script to generate any tracking 'Block IN=' messages written to Syslog!!!!!!!
So as it says in the help if you bothered to read it, if there are no tracking messages in Syslog the report will be empty so the script aborts the pointless exercise.
And also where in the help does it state that you need to call HackerPorts.sh from firewall-start ??
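Why a report built from Syslog comes out empty when no 'Block IN=' tracking lines exist, shown as an added example that is not HackerPorts.sh or code from this thread. The sample Syslog lines are constructed and assume the usual netfilter LOG fields (SRC=, DPT=); all function names are hypothetical.

```shell
#!/bin/sh
# Added example (not HackerPorts.sh): tally 'Block IN=' tracking lines from Syslog.
# Constructed sample; all addresses are from documentation ranges.
sample_syslog() {
cat <<'EOF'
May  4 09:01:48 kernel: Block IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.1 LEN=40 TTL=240 PROTO=TCP SPT=40000 DPT=23 SYN
May  4 09:03:10 kernel: Block IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.1 LEN=40 TTL=240 PROTO=TCP SPT=40001 DPT=23 SYN
May  4 09:07:02 kernel: Block IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.1 LEN=60 TTL=52 PROTO=TCP SPT=51515 DPT=21 SYN
May  4 09:20:41 kernel: Block IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.1 LEN=40 TTL=240 PROTO=TCP SPT=40002 DPT=21 SYN
May  4 09:44:13 kernel: Block IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.1 LEN=44 TTL=49 PROTO=TCP SPT=6000 DPT=23 SYN
May  4 09:50:00 kernel: ACCEPT IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.1 LEN=60 TTL=55 PROTO=TCP SPT=33000 DPT=443 SYN
EOF
}

# Count tracked lines on stdin; prints 0 when logging was disabled ('nolog').
tracked_total() { awk '/Block IN=/ {n++} END {print n+0}'; }

# Print the value of KEY= (e.g. SRC or DPT) from every tracked line on stdin.
extract_field() {
    awk -v key="$1" '/Block IN=/ {
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) { print substr($i, length(key) + 2); break }
    }'
}

# top_n KEY N: the N most frequent values as "count value", highest first.
top_n() {
    extract_field "$1" | sort | uniq -c | awk '{print $1, $2}' |
        sort -k1,1nr -k2,2 | head -n "$2"
}

# report FILE N: stop early when there is nothing to report on.
report() {
    total=$(tracked_total < "$1")
    if [ "$total" -eq 0 ]; then
        echo "No 'Block IN=' lines: tracking disabled or nothing blocked yet"
        return 1
    fi
    echo "Total attempts tracked: $total"
    echo "Top $2 ports attacked:"; top_n DPT "$2" < "$1"
    echo "Top $2 attackers:";      top_n SRC "$2" < "$1"
}

tmp=$(mktemp) && sample_syslog > "$tmp" && report "$tmp" 3; rm -f "$tmp"
```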
Now, I do not know how to say this, I searched in the help and in the thread because I got the error below
Code:
root@rooter:/jffs/scripts# ./HackerPorts.sh
(HackerPorts.sh): 30490 v2.01 Hacker Port attacks Report starting.....
./HackerPorts.sh: line 184: May: not found
Could you please advise?
Thank you again! Edit: please ignore this post. I pasted again the HackerPorts.sh from here https://pastebin.com/raw/LRHJih8Z and now the error disappeared.
(HackerPorts.sh): 9412 v2.01 Hacker Port attacks Report starting.....
Thu May 4 09:53:25 DST 2017 Statistics: Total Unique Ports attacked: 0 (out of 0 attempts) tracked using SYSLOG between May 4 09:01:48 - May 4 09:53:25
Top 10 Ports attacked:
Top 10 attackers:
Last 10 most recent attackers:
I understood. I see that I have 2 pages with the same link but with 2 versions.
Edit1: Please, should I try 2.02? Edit2: It works with both. I do not know why it doesn't work from the beginning.
Thank you!
Thank you for taking the time to provide the feedback.
Unfortunately if the first download was indeed corrupt, then I simply panicked assuming that extracting the timestamp of the first and last record from Syslog was failing.
No matter, v2.02 is now the latest official version available for download so if anyone already downloaded v2.01 then there is no compelling reason to upgrade!
May 4 14:59:58 (HackerPorts.sh): 1757 v2.02 Hacker Port attacks Report starting.....
May 4 14:59:58 (HackerPorts.sh): 1757 Hacker report created '/tmp/HackerReport.txt' - Statistics: Total Unique Ports attacked: 0 (out of 0 attempts) tracked using SYSLOG between May 4 06:00:01 - May 4 14:59:58
May 4 15:00:04 crond[519]: time disparity of 925259 minutes detected
Code:
admin@RT-AC3200-0000:/tmp/home/root# cd /jffs/scripts
admin@RT-AC3200-0000:/jffs/scripts# ./IPSET_Block.sh
(IPSET_Block.sh): 8140 v3.05 ▒ 2016-2017 Martineau, Dynamic IPSET Blacklist banning request.....
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
Syslog 'Block =' messages enabled
ipset v6.29: The set with the given name does not exist
ipset v6.29: The set with the given name does not exist
Summary Blacklist: 0 Successful blocks! ( 0 IPs currently banned - 0 added )
(HackerPorts.sh): 8198 v2.02 Hacker Port attacks Report starting.....
Thu May 4 15:34:41 DST 2017 Statistics: Total Unique Ports attacked: 0 (out of 0 attempts) tracked using SYSLOG between May 4 06:00:01 - May 4 15:34:41
Top 3 Ports attacked:
Top 3 attackers:
Last 3 most recent attackers:
I think it is not working in my case....probably I have to change something but I do not know what and where?
So!
Is it ok if I get this
HackerPorts.sh): 31795 v2.02 Hacker Port attacks Report starting.....
May 4 09:25:19 (HackerPorts.sh): 31795 v2.02 ***ERROR Tracking not enabled? - check '/jffs/scripts/firewall-start' 'IPSET_Block.sh init' was started?
Or should I change something?