How to Dynamically Ban Malicious IP's using IPSet (Martineau version)


Try starting IPSET_Block.sh manually:
Code:
cd /jffs/scripts
./IPSET_Block.sh   init   reset

Can you please provide the output from these 4 commands:
Code:
iptables --line -nvL Blacklist

iptables --line -nvL logdrop

iptables --line -nvL INPUT | grep Blacklist

nvram get wan0_ifname

Do you get any data when you issue the following command?
Code:
grep -E "(DROP IN=|Block IN=)$(nvram get wan0_ifname)" /tmp/syslog.log
I get this from your commands:
Code:
ASUSWRT-Merlin RT-AC3200 380.66-beta3-geb129ac Mon May  1 04:24:55 UTC 2017
admin@RT-AC3200-0000:/tmp/home/root# iptables --line -nvL Blacklist
iptables: No chain/target/match by that name.

admin@RT-AC3200-0000:/tmp/home/root# iptables --line -nvL logdrop
Chain logdrop (0 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 7 level 4 prefix "DROP "
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

admin@RT-AC3200-0000:/tmp/home/root# iptables --line -nvL INPUT | grep Blacklist

admin@RT-AC3200-0000:/tmp/home/root# nvram get wan0_ifname
eth0

admin@RT-AC3200-0000:/tmp/home/root# grep -E "[DROP IN=|Block IN=]$(nvram get wan0_ifname)" /tmp/syslog.log
May  4 14:50:30 kernel: device eth0 left promiscuous mode
May  4 14:50:30 kernel: device eth0 entered promiscuous mode
Aug  1 02:00:12 kernel: eth0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 7.14.43.40 (r527781)
Aug  1 02:00:12 kernel: device eth0 entered promiscuous mode
Aug  1 02:00:23 pppd[570]: Connected to 00:30:88:19:c5:61 via interface eth0
Aug  1 02:00:23 pppd[570]: Connect: ppp0 <--> eth0
May  4 14:57:43 kernel: device eth0 left promiscuous mode
May  4 14:57:43 kernel: device eth0 entered promiscuous mode
Aug  1 02:00:12 kernel: device eth0 entered promiscuous mode
Aug  1 02:00:23 pppd[570]: Connected to 00:30:88:19:c5:61 via interface eth0
Aug  1 02:00:23 pppd[570]: Connect: ppp0 <--> eth0
May  4 15:12:46 kernel: device eth0 left promiscuous mode
May  4 15:12:46 kernel: device eth0 entered promiscuous mode
Aug  1 02:00:12 kernel: device eth0 entered promiscuous mode
Aug  1 02:00:22 pppd[570]: Connected to 00:30:88:19:c5:61 via interface eth0
Aug  1 02:00:22 pppd[570]: Connect: ppp0 <--> eth0
May  4 15:41:13 kernel: device eth0 left promiscuous mode
May  4 15:41:13 kernel: device eth0 entered promiscuous mode
Aug  1 02:00:12 kernel: eth0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 7.14.43.40 (r527781)
Aug  1 02:00:12 kernel: device eth0 entered promiscuous mode
Aug  1 02:00:22 pppd[571]: Connected to 00:30:88:19:c5:61 via interface eth0
Aug  1 02:00:22 pppd[571]: Connect: ppp0 <--> eth0
May  4 15:55:41 kernel: device eth0 left promiscuous mode
May  4 15:55:41 kernel: device eth0 entered promiscuous mode
Aug  1 02:00:12 kernel: eth0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 7.14.43.40 (r527781)
Aug  1 02:00:12 kernel: device eth0 entered promiscuous mode
Aug  1 02:00:22 pppd[571]: Connected to 00:30:88:19:c5:61 via interface eth0
Aug  1 02:00:22 pppd[571]: Connect: ppp0 <--> eth0
admin@RT-AC3200-0000:/tmp/home/root#
 
I get this from your commands:
Code:
ASUSWRT-Merlin RT-AC3200 380.66-beta3-geb129ac Mon May  1 04:24:55 UTC 2017
admin@RT-AC3200-0000:/tmp/home/root# iptables --line -nvL Blacklist
iptables: No chain/target/match by that name.

Did you restart IPSET_Block.sh manually:
Code:
cd /jffs/scripts
./IPSET_Block.sh   init   reset

before issuing the diagnostic commands?
 
OK, solved....script working again....why is the HackerReport file still empty if the script blocks some IP addresses? I really do not understand this part. And this file for blocked IPs is in tmp/....so if I reboot the router then all blocked IPs are lost and everything goes from the beginning?
Code:
admin@RT-AC3200-0000:/jffs/scripts# ./IPSET_Block.sh
(IPSET_Block.sh): 10158 v3.05 © 2016-2017 Martineau, Dynamic IPSET Blacklist banning request.....

        Summary Blacklist: 4 Successful blocks! ( 18 IPs currently banned - 15 added since: May 4 16:44 ), Entries auto-expire after 168:00:00 hrs

(HackerPorts.sh): 10233 v2.02 Hacker Port attacks Report starting.....


Thu May 4 16:52:46 DST 2017 Statistics: Total Unique Ports attacked: 0 (out of 0 attempts) tracked using SYSLOG between May  4 16:31:49 - May  4 16:52:45


        Top 3 Ports attacked:

        Top 3 attackers:

        Last 3 most recent attackers:

admin@RT-AC3200-0000:/jffs/scripts#
 
OK, solved....script working again....why is the HackerReport file still empty if the script blocks some IP addresses?

That is why I asked you to run the diagnostic commands. You will need to run them again.

This file for blocked IPs is in tmp/....so if I reboot the router then all blocked IPs are lost and everything goes from the beginning?

Yes, so if you read the thread I have already explained to another user that you should update the script to ensure the hourly 'save' function will write to a persistent file that is available immediately after the reboot.

https://www.snbforums.com/threads/h...et-martineau-version.38748/page-3#post-320379

Here is the help.....
Code:
#     IPSET_Block   init
#                   If 'IPSET_Block.config' exists it will be used to restore IPSETs Blacklist and Whitelist,
#                      otherwise the IPSETs are created empty - same as if 'init reset' was specified to override the auto-restore

So if you have a USB disk mounted you will need to edit the script to change the $DIR variable:
Code:
################################################Customise for local use #############################################
if [ -d  "/tmp/mnt/"$MYROUTER ];then
    DIR="/tmp/mnt/"$MYROUTER    # <== USB Location of IPSET save/restore configuration
else
    DIR="/tmp"                  #  NOTE: /TMP isn't permanent! ;-) but allows testing of save/restore
fi
 
That is why I asked you to run the diagnostic commands. You will need to run them again.



Yes, so if you read the thread I have already explained to another user that you should update the script to ensure the hourly 'save' function will write to a persistent file that is available immediately after the reboot.

https://www.snbforums.com/threads/h...et-martineau-version.38748/page-3#post-320379

Here is the help.....
Code:
#     IPSET_Block   init
#                   If 'IPSET_Block.config' exists it will be used to restore IPSETs Blacklist and Whitelist,
#                      otherwise the IPSETs are created empty - same as if 'init reset' was specified to override the auto-restore

So if you have a USB disk mounted you will need to edit the script to change the $DIR variable:
Code:
################################################Customise for local use #############################################
if [ -d  "/tmp/mnt/"$MYROUTER ];then
    DIR="/tmp/mnt/"$MYROUTER    # <== USB Location of IPSET save/restore configuration
else
    DIR="/tmp"                  #  NOTE: /TMP isn't permanent! ;-) but allows testing of save/restore
fi
So if I set it like this, should it work?
################################################Customise for local use #############################################
if [ -d "/tmp/mnt/sda1/IPSET" ];then
    DIR="/tmp/mnt/sda1/IPSET"   # <== USB Location of IPSET save/restore configuration
else
    DIR="/tmp"                  #  NOTE: /TMP isn't permanent! ;-) but allows testing of save/restore
fi
 
So if I set it like this, should it work?
################################################Customise for local use #############################################
if [ -d "/tmp/mnt/sda1/IPSET" ];then
    DIR="/tmp/mnt/sda1/IPSET"   # <== USB Location of IPSET save/restore configuration
else
    DIR="/tmp"                  #  NOTE: /TMP isn't permanent! ;-) but allows testing of save/restore
fi

Yes.

So when you create the IPSET directory simply run
Code:
./IPSET_Block.sh   save

and the IPSET restore file '$DIR/IPSET_Block.config' should be created to be used each time the following is run @boot.
Code:
./IPSET_Block.sh   init

NOTE: I still need the output of the diagnostic commands to try and establish why HackerPorts.sh seemingly still fails for you in your environment.
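The $DIR selection above only tests that the USB directory exists; as an added example (not IPSET_Block.sh's own code) the following also confirms the location is writable and reports whether the chosen directory will survive a reboot. It assumes the USB mount sits at MNT_BASE/<router name>, as in the thread, and uses a constructed temporary mount tree for the demo.

```shell
#!/bin/sh
# Added example, not IPSET_Block.sh's own code: choose $DIR the way the
# script's "Customise for local use" block does, but confirm the USB location
# is actually writable and say whether the choice is persistent.
# Assumes the USB mount is MNT_BASE/<router name>, as in the thread.

# choose_save_dir MNT_BASE MODEL: prints the directory to use.
# Returns 0 for the persistent USB location, 1 when it fell back to /tmp
# (the restore file then vanishes at reboot, exactly the case asked about).
choose_save_dir() {
    usb_dir="$1/$2"
    probe="$usb_dir/IPSET_Block.probe"
    # Being a directory is not enough: a mount that is present but read-only
    # would otherwise only surface as a failure at the next hourly 'save'.
    if [ -d "$usb_dir" ] && : > "$probe" 2>/dev/null; then
        rm -f "$probe"
        printf '%s\n' "$usb_dir"
        return 0
    fi
    printf '%s\n' "/tmp"     # NOTE: /tmp isn't permanent, fine for testing only
    return 1
}

# Stand-alone demo on a constructed mount tree (temporary directory, removed after).
demo() {
    base=$(mktemp -d)
    mkdir "$base/RT-AC3200"
    for model in RT-AC3200 RT-AC88U; do
        if dir=$(choose_save_dir "$base" "$model"); then
            echo "$model: persistent save location $dir"
        else
            echo "$model: WARNING falling back to $dir, blacklist lost at reboot"
        fi
    done
    rm -r "$base"
}
demo
```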
 
Yes, HackerPorts.sh still fails, empty file, statistics every time......
 
Yes, HackerPorts.sh still fails, empty file, statistics every time......

OK, since you clearly can't be bothered to provide diagnostics, may I politely request you remove all of my scripts from your system.

I am afraid I am no longer able/willing to provide you with ANY further support.

Good luck.
 
This script is awesome man and well supported!!
 
OK, since you clearly can't be bothered to provide diagnostics, may I politely request you remove all of my scripts from your system.

I am afraid I am no longer able/willing to provide you with ANY further support.

Good luck.

I see you got tired of helping the same user as I did :)
 
OK, since you clearly can't be bothered to provide diagnostics, may I politely request you remove all of my scripts from your system.

I am afraid I am no longer able/willing to provide you with ANY further support.

Good luck.
I removed it as you suggested....I can live without it.....thanks for helping me anyway.....:)
 
I finally got around to reformatting and repartitioning my USB drive that has entware and absolution on it so I can have a FAT32 partition for the IPSET_Block.sh script to save to. I was not able to label it to use the computer name using the Mini Tool Partition Wizard utility. The last two characters were getting truncated from a copy/paste. So I looked online and it appears there is an 11 character limit on label names for FAT partitions. So RT-AC88U-1234 (13 characters) for a label name was not going to work. As a result, I labeled the FAT32 partition RT-AC88U and changed the script to use the nvram parameter "model" instead of "computer_name".
Code:
MYROUTER=$(nvram get computer_name)

changed to

MYROUTER=$(nvram get model)

Thank you @Martineau for a great script and the support you provide.
 
FAT32? Why not ext4?
I may have made an incorrect assumption that it needed to be a FAT format. @Martineau can clarify. If I recall, earlier another person was using the USB drive they have the NVRAM Backup and Restore Utility installed on, and that one needs to be formatted as (I originally thought FAT or FAT32, but I just checked the instructions) NTFS. So I goofed. I need to make it NTFS. Before doing so, I guess @Martineau can clarify what format to use.

Edit: So I did goof up! Looking online some more, 32 characters appear to be the limit for NTFS. So I changed my format to NTFS and changed the code back to as it was, to use the computer_name nvram parameter. HackerReport.txt is alive and well on the partition!
 
I tend to use ext4 with ARM devices; not a huge fan of the older ext versions, but each to his own. The main thing is, if it works for ya then it works.
 
Apologies if this has been covered and I missed it, can I run this on the inbuilt JFFS partition, or should I be using a USB drive? If so, how?
 
Apologies if this has been covered and I missed it, can I run this on the inbuilt JFFS partition, or should I be using a USB drive? If so, how?
You install it on the /jffs partition. The script is placed in the /jffs/scripts folder. Look at the comments section of the script for the install info or read through the posts. The use of the USB is optional. It saves off information in the blacklist so the information survives a router reboot.
 
You install it on the /jffs partition. The script is placed in the /jffs/scripts folder. Look at the comments section of the script for the install info or read through the posts. The use of the USB is optional. It saves off information in the blacklist so the information survives a router reboot.
Ok I'll do that. Only got my Asus a week ago and don't want to wear the flash too quickly!
 
Another stupid question, on the wiki, it mentions:

Code:
# Reinstate the ipset rules if they have been created already
[ "$(uname -m)" = "mips" ] && MATCH_SET='--set' || MATCH_SET='--match-set'
for ipSet in $(ipset -L | sed -n '/^Name:/s/^.* //p'); do
  case $ipSet in
    AcceptList) iptables-save | grep -q "$ipSet" || iptables -I INPUT -m set $MATCH_SET $ipSet src -j ACCEPT;;
    TorNodes|BlockedCountries|CustomBlock) iptables-save | grep -q "$ipSet" || iptables -I INPUT -m set $MATCH_SET $ipSet src -j DROP;;
    MicrosoftSpyServers) iptables-save | grep -q "$ipSet" || iptables -I FORWARD -m set $MATCH_SET $ipSet dst -j DROP;;
    *) iptables-save | grep -q "$ipSet" || iptables -I FORWARD -m set $MATCH_SET $ipSet src,dst -j DROP;;
  esac
done

Is it a good idea to use this as a matter of course, in case I change anything in the UI?
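The wiki loop above decides "is a rule for this set already present?" with a bare grep for the set name, which also matches any longer name containing it. As an added example (not the wiki's or Martineau's code), the same dispatch is split into functions and run offline against constructed `ipset -L` and `iptables-save` output; the "arch" argument stands in for $(uname -m), and "MyCustomSet" is a constructed name used to exercise the default case.

```shell
#!/bin/sh
# Added example, not the wiki's or Martineau's code: the wiki loop's set-name
# dispatch, split into functions so the logic can be checked offline against
# constructed `ipset -L` and `iptables-save` output. ARCH stands in for
# $(uname -m); set names are the wiki's plus a constructed "MyCustomSet".

# rule_for_set NAME ARCH: print the iptables arguments the wiki assigns to NAME.
rule_for_set() {
    [ "$2" = "mips" ] && ms='--set' || ms='--match-set'
    case $1 in
        AcceptList) echo "-I INPUT -m set $ms $1 src -j ACCEPT" ;;
        TorNodes|BlockedCountries|CustomBlock) echo "-I INPUT -m set $ms $1 src -j DROP" ;;
        MicrosoftSpyServers) echo "-I FORWARD -m set $ms $1 dst -j DROP" ;;
        *) echo "-I FORWARD -m set $ms $1 src,dst -j DROP" ;;
    esac
}

# rule_present SAVE_OUTPUT NAME: true if the ruleset already matches the set.
# Anchors on the match-set token followed by a space, so "CustomBlock" is not
# reported present when only "CustomBlock2" is referenced (a bare grep would).
rule_present() {
    printf '%s\n' "$1" | grep -Eq -- "--(match-)?set $2 "
}

# missing_rules IPSET_L_OUTPUT SAVE_OUTPUT ARCH: print only the commands still
# needed, one per line, so re-running at every firewall start stays idempotent.
missing_rules() {
    printf '%s\n' "$1" | sed -n '/^Name:/s/^.* //p' | while read -r s; do
        rule_present "$2" "$s" || echo "iptables $(rule_for_set "$s" "$3")"
    done
}

# Constructed sample input standing in for the two commands' real output.
SAMPLE_IPSET_L='Name: AcceptList
Type: hash:ip
Name: CustomBlock
Type: hash:net
Name: MyCustomSet
Type: hash:ip'
SAMPLE_SAVE='*filter
-A INPUT -m set --match-set CustomBlock src -j DROP
COMMIT'

# Dry run on the sample: prints the AcceptList and MyCustomSet rules only.
missing_rules "$SAMPLE_IPSET_L" "$SAMPLE_SAVE" "$(uname -m)"
```

Piping the output to sh (after reviewing it) applies only the absent rules, so the check can safely run on every firewall-start without duplicating rules.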
 