Menu
What's new
By:
Filters Better Search

How to Dynamically Ban Malicious IP's using IPSet (Martineau version)

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

HardCat said:
Not meaning to cause a ruckus here but did you mean -add-set as part of ipset not iptables? or am I confused? :confused:
Click to expand...

Confused...but I would say that wouldn't I ?? :p

Code: 
iptables -j SET -h

iptables v1.4.14

<snip>

SET target options:
 --add-set name flags
 --del-set name flags
  add/del src/dst IP/port from/to named sets,
  where flags are the comma separated list of
  'src' and 'dst' specifications.

I believe if the same command is issued on say RT-N66U etc., then iptables v1.3.8 will describe the '-j SET --add-set' in the help, but the command doesn't actually run, so the Blacklist IPSET cannot be automatically populated by the firewall rule.
 
Last edited:
Martineau said:
Confused...but I would say that wouldn't I ?? :p

Code: 
iptables -j SET -h

iptables v1.4.14

<snip>

SET target options:
 --add-set name flags
 --del-set name flags
  add/del src/dst IP/port from/to named sets,
  where flags are the comma separated list of
  'src' and 'dst' specifications.

I believe if the same command is issued on say RT-N66U etc., then iptables v1.3.8 will describe the '-j SET -add-set' in the help, but the command doesn't actually run, so the Blacklist IPSET cannot be automatically populated by the firewall rule.
Click to expand...

Interesting, when I run that command on my RT-N66U I do not get any "SET target options" listed. Hence my confusion...

But, when run on either my RT-AC87R or RT-AC3100 I do...

Must be the 2 different versions of iptables.
 
Martineau said:
I have updated my OP https://www.snbforums.com/threads/h...et-firewall-addition.16798/page-7#post-312136

There are slight functional differences in my version vs. @Adamm's i.e. Malware blocking is not included - I'll leave that to your supported Malware script(s)

The main difference is that my script exploits the IPSET v6.3 feature which allows the user to specify how long the Blacklist entries remain in the IPSET before they expire.

e.g passing the 'init' arg in the firewall-start script will instigate a search for a '.config' file to reload a previous populated Blacklist IPSET
Code: 
/jffs/scripts/IPSET_Block.sh init

however, if the following syntax is used:
Code: 
/jffs/scripts/IPSET_Block.sh init [full [hh:mm:ss]]

e.g.

IPSET_Block.sh init full 24:00:00

then when the Blacklist IPSET is created the member entries will expire after 24 hrs.
(The default hard-coded in the script is 168:00:00 hrs = 7 days)

e.g. You can see how much longer (until its timeout values reaches 0) each entry will remain in the IPSET based on its initial 86400 seconds value:
Code: 
ipset list Blacklist

Name: Blacklist
Type: hash:ip
Revision: 0
Header: family inet hashsize 4096 maxelem 65536 timeout 86400
Size in memory: 187832
References: 1
Members:
190.85.182.61 timeout 45111
118.101.215.238 timeout 44722
120.197.100.106 timeout 45112
<snip>

Also, I don't remove the DROP messages from Syslog, because I have a supplementary script that reports on the Blacklist entries:
Code: 
./HackerPorts.sh

(HackerPorts.sh): 8647 Syslog Hacker report starting.....
(HackerPorts.sh): 8647 Hacker report created '/tmp/mnt/RT-AC68U/HackerReport.txt' (Total Ports attacked: 218)

Top 10 Ports attacked:
2560 http://www.speedguide.net/port.php?port=23
460 http://www.speedguide.net/port.php?port=22
427 http://www.speedguide.net/port.php?port=5358
279 http://www.speedguide.net/port.php?port=1433
179 http://www.speedguide.net/port.php?port=2323
62 http://www.speedguide.net/port.php?port=3389
39 http://www.speedguide.net/port.php?port=2222
34 http://www.speedguide.net/port.php?port=80
33 http://www.speedguide.net/port.php?port=445
17 http://www.speedguide.net/port.php?port=3306

Last 10 attackers:
1 95.9.87.17 1433
1 94.233.198.64 23
1 94.102.49.190 27017
1 93.80.238.198 23
1 91.236.144.4 1433
1 91.197.235.10 3389
1 91.197.234.3 23500
1 91.187.14.11 23
1 91.147.23.18 23
1 90.178.194.34 23
Click to expand...
Hi,
Please does it blocks also FTP port 21?
Apreciate your answer.
Thank you so much for estire work.
 
HardCat said:
Interesting, when I run that command on my RT-N66U I do not get any "SET target options" listed. Hence my confusion...

But, when run on either my RT-AC87R or RT-AC3100 I do...

Must be the 2 different versions of iptables.
Click to expand...

I see another difference, my N66 is running @RMerlin firmware and yours is running @john9527 firmware.
 
amplatfus said:
Hi,
Please does it blocks also FTP port 21?.
Click to expand...

YES....unless the source IP address xxx.xxx.xxx.xxx is in the Whitelist IPSET (v3.xx) or both the source address and FTP port 'xxx.xxx.xxx.xxx,21' is in the WhitelistSRCPort IPSET (v4.xx)

e.g. a few days ago, Port 21 was in the top 3 most attacked ports!

Sun Apr 30 15:07:47 DST 2017 (Ports attacked Total=327)

Top 10 Ports attacked:
4227 http://www.speedguide.net/port.php?port=23 from https://dnsquery.org/ipwhois/1.10.130.63
1063 http://www.speedguide.net/port.php?port=22 from https://dnsquery.org/ipwhois/1.188.29.249
26 http://www.speedguide.net/port.php?port=21 from https://dnsquery.org/ipwhois/106.75.114.118
 
HardCat said:
I see another difference, my N66 is running @RMerlin firmware and yours is running @john9527 firmware.
Click to expand...


Well I "never"....most observant of you! ;) ...but it doesn't help the OP who is trying to run the script on his RT-AC66U.
 
Hi,

I got below error and search about it but didn't found the solution.
Code: 
(HackerPorts.sh): 5968 v2.01 Hacker Port attacks Report starting.....
***ERROR Tracking not enabled? - check 'IPSET_Block.sh init' was started
Even I have restarted the router, even I have below lines in firewall:
Code: 
ps w | grep -v grep | grep /jffs/scripts/IPSET_Block.sh || sh /jffs/scripts/IPSET_Block.sh init nolog
ps w | grep -v grep | grep /jffs/scripts/HackerPorts.sh || sh /jffs/scripts/HackerPorts.sh
I saw $TRACKING variable in the HackerPorts.sh script but do not know what to do. Please, do I have enabled Logged packets from Firmware GUI?

Many thanks in advance!
 
amplatfus said:
I got below error and search about it but didn't found the solution.
Code: 
(HackerPorts.sh): 5968 v2.01 Hacker Port attacks Report starting.....
***ERROR Tracking not enabled? - check 'IPSET_Block.sh init' was started
I have below lines in firewall:
Code: 
ps w | grep -v grep | grep /jffs/scripts/IPSET_Block.sh || sh /jffs/scripts/IPSET_Block.sh init nolog
ps w | grep -v grep | grep /jffs/scripts/HackerPorts.sh || sh /jffs/scripts/HackerPorts.sh
I saw $TRACKING variable in the HackerPorts.sh script but do not know what to do. !
Click to expand...

FFS READ THE ERROR MESSAGE :mad:

You have 'nolog' specified which means you explicitly don't want the IPSET_Block.sh script to generate any tracking 'Block IN=' messages written to Syslog!!!!!!!

So as it says in the help if you bothered to read it, if there are no tracking messages in Syslog the report will be empty so the script aborts the pointless exercise.

And also where in the help does it state that you need to call HackerPorts.sh from firewall-start ?? :rolleyes:
 
Last edited:
Martineau said:
FFS READ THE ERROR MESSAGE :mad:

You have 'nolog' specified which means you explicitly don't want the IPSET_Block.sh script to generate any tracking 'Block IN=' messages written to Syslog!!!!!!!

So as it says in the help if you bothered to read it, if there are no tracking messages in Syslog the report will be empty so the script aborts the pointless exercise.

And also where in the help does it state that you need to call HackerPorts.sh from firewall-start ?? :rolleyes:
Click to expand...
Thank you. Sorry for my superficiality.

Now, I do not know how to say :(, I search in help and in thread because I got below error
Code: 
root@rooter:/jffs/scripts# ./HackerPorts.sh
(HackerPorts.sh): 30490 v2.01 Hacker Port attacks Report starting.....
./HackerPorts.sh: line 184: May: not found
Could you please advice?
Thank you again!
Edit: please ignore this post. I pasted again the HackerPorts.sh from here https://pastebin.com/raw/LRHJih8Z and now the error disappeared.
 
Last edited:
Last edited:
amplatfus said:
root@rooter:/jffs/scripts# ./HackerPorts.sh
(HackerPorts.sh): 30490 v2.01 Hacker Port attacks Report starting.....
./HackerPorts.sh: line 184: May: not found

Edit: please ignore this post. I pasted again the HackerPorts.sh from here https://pastebin.com/raw/LRHJih8Z and now the error disappeared.
Click to expand...

OK...so which version of the script are you now running?
 
Martineau said:
<sigh> I know the location for the download.

Please answer the question and show me the output when the HackerPorts.sh script runs as it will show either v2.01 or v2.02
Click to expand...
Output is:
Code: 
(HackerPorts.sh): 9412 v2.01 Hacker Port attacks Report starting.....
Thu May 4 09:53:25 DST 2017 Statistics: Total Unique Ports attacked: 0 (out of 0 attempts) tracked using SYSLOG between May 4 09:01:48 - May 4 09:53:25
    Top 10 Ports attacked:
    Top 10 attackers:
    Last 10 most recent attackers:
I understood. I see that I have 2 pages with the same link but with 2 versions.
Edit1: Please, should I try 2.02?
Edit2: It works with both. I do not know why it doesn't work from the begining.
Thank you!
 
Last edited:
amplatfus said:
Edit1: Please, should I try 2.02?
Edit2: It works with both. I do not know why it doesn't work from the beginning.
Click to expand...

Thank you for taking the time to provide the feedback.

Unfortunately if the first download was indeed corrupt, then I simply panicked assuming that extracting the timestamp of the first and last record from Syslog was failing.

No matter, v2.02 is now the latest official version available for download so if anyone already downloaded v2.01 then there is no compelling reason to upgrade! :D
 
amplatfus said:
Output is:
Code: 
(HackerPorts.sh): 9412 v2.01 Hacker Port attacks Report starting.....
Thu May 4 09:53:25 DST 2017 Statistics: Total Unique Ports attacked: 0 (out of 0 attempts) tracked using SYSLOG between May 4 09:01:48 - May 4 09:53:25
    Top 10 Ports attacked:
    Top 10 attackers:
    Last 10 most recent attackers:
I understood. I see that I have 2 pages with the same link but with 2 versions.
Edit1: Please, should I try 2.02?
Edit2: It works with both. I do not know why it doesn't work from the begining.
Thank you!
Click to expand...

my syslog have this:
Code: 
May  4 14:59:58 (HackerPorts.sh): 1757 v2.02 Hacker Port attacks Report starting.....
May  4 14:59:58 (HackerPorts.sh): 1757 Hacker report created '/tmp/HackerReport.txt' - Statistics: Total Unique Ports attacked: 0 (out of 0 attempts) tracked using SYSLOG between May  4 06:00:01 - May  4 14:59:58
May  4 15:00:04 crond[519]: time disparity of 925259 minutes detected

Code: 
admin@RT-AC3200-0000:/tmp/home/root# cd /jffs/scripts
admin@RT-AC3200-0000:/jffs/scripts# ./IPSET_Block.sh
(IPSET_Block.sh): 8140 v3.05 ▒ 2016-2017 Martineau, Dynamic IPSET Blacklist banning request.....
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
        Syslog 'Block =' messages enabled

ipset v6.29: The set with the given name does not exist
ipset v6.29: The set with the given name does not exist

        Summary Blacklist: 0 Successful blocks! ( 0 IPs currently banned - 0 added )

(HackerPorts.sh): 8198 v2.02 Hacker Port attacks Report starting.....


Thu May 4 15:34:41 DST 2017 Statistics: Total Unique Ports attacked: 0 (out of 0 attempts) tracked using SYSLOG between May  4 06:00:01 - May  4 15:34:41


        Top 3 Ports attacked:

        Top 3 attackers:

        Last 3 most recent attackers:

i think it is not working in my case....probably i have to change something bu t not know what and where?
 
Last edited:
So!
Is it ok if I get this
HackerPorts.sh): 31795 v2.02 Hacker Port attacks Report starting.....
May 4 09:25:19 (HackerPorts.sh): 31795 v2.02 ***ERROR Tracking not enabled? - check '/jffs/scripts/firewall-start' 'IPSET_Block.sh init' was started?
Or should I change something?
 
bayern1975 said:
i think it is not working in my case....probably i have to change something bu t not know what and where?
Click to expand...

Try starting IPSET_Block.sh manually:
Code: 
cd /jffs/scripts
./IPSET_Block.sh   init   reset

Can you please provide the output from these 4 commands:
Code: 
iptables --line -nvL Blacklist

iptables --line -nvL logdrop

iptables --line -nvL INPUT | grep Blacklist

nvram get wan0_ifname

Do you get any data when you issue the following command: ?
Code: 
grep -E "[DROP IN=|Block IN=]$(nvram get wan0_ifname)" /tmp/syslog.log
 
Last edited:
bayern1975 said:
my syslog have this:
Code: 
May  4 14:59:58 (HackerPorts.sh): 1757 v2.02 Hacker Port attacks Report starting.....
May  4 14:59:58 (HackerPorts.sh): 1757 Hacker report created '/tmp/HackerReport.txt' - Statistics: Total Unique Ports attacked: 0 (out of 0 attempts) tracked using SYSLOG between May  4 06:00:01 - May  4 14:59:58
May  4 15:00:04 crond[519]: time disparity of 925259 minutes detected

Code: 
admin@RT-AC3200-0000:/tmp/home/root# cd /jffs/scripts
admin@RT-AC3200-0000:/jffs/scripts# ./IPSET_Block.sh
(IPSET_Block.sh): 8140 v3.05 ▒ 2016-2017 Martineau, Dynamic IPSET Blacklist banning request.....
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
        Syslog 'Block =' messages enabled

ipset v6.29: The set with the given name does not exist
ipset v6.29: The set with the given name does not exist

        Summary Blacklist: 0 Successful blocks! ( 0 IPs currently banned - 0 added )

(HackerPorts.sh): 8198 v2.02 Hacker Port attacks Report starting.....


Thu May 4 15:34:41 DST 2017 Statistics: Total Unique Ports attacked: 0 (out of 0 attempts) tracked using SYSLOG between May  4 06:00:01 - May  4 15:34:41


        Top 3 Ports attacked:

        Top 3 attackers:

        Last 3 most recent attackers:

i think it is not working in my case....probably i have to change something bu t not know what and where?
Click to expand...

You don't have the init option when running the script. To run the script as intended, place this in /jffs/firewall-start and reboot the router:

Code: 
/jffs/scripts/IPSET_Block.sh init nolog

For the /jffs/scripts/HackerPorts.sh to work and report output, you need to remove the nolog option.

Edit: What Martineau said here :) https://www.snbforums.com/threads/h...et-martineau-version.38748/page-5#post-322085
 
You must log in or register to reply here.

Similar threads

N
Ipset not working
Replies
0
Views
2K
Nikecow
N
Similar threads
Thread starter Title Forum Replies Date
devhell How I can dynamically manage VPN director rules list by CLI Asuswrt-Merlin 0

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 804 (members: 27, guests: 777)
Top