How to Dynamically Ban Malicious IP's using IPSet (Martineau version)

Yes, I rebooted more times. Here is another output:
Code:
admin@RT-AC3200-0000:/jffs/scripts# ./IPSET_Block.sh
(IPSET_Block.sh): 4241 v3.04 © 2016-2017 Martineau, Dynamic IPSET Blacklist banning request.....

        Summary Blacklist: 24 Successful blocks! ( 46 IPs currently banned - 38 added since: Apr 30 19:00 ), Entries auto-expire after 168:00:00 hrs

So clearly there is nothing wrong with my script :p

Unfortunately many scripts are not coded to accommodate the situation where they may be called multiple times, rather than just the once at boot time. :oops:

I do try to code my scripts to always delete any duplicate rules, but I suspect that you have a possible timing issue with firewall-start and may have to protect the script from running more than once concurrently.

NOTE: If you define a USB disk location for the $DIR variable in my IPSET_Block.sh script, it will allow the script to restore the Banned list of IPs rather than create an empty Blacklist IPSET each time you reboot.
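Added example (not Martineau's code) of the two protections mentioned above: a guard for a firewall-start hook that serialises concurrent runs with an atomic mkdir lock, restores the Blacklist set from a saved copy under $DIR when one exists (creating it empty otherwise), and inserts the WAN match rule only when `iptables -C` reports it absent. The set name Blacklist, the hash:ip type, the 168-hour timeout, the file name IPSET_Block.config in `ipset save` format and the lock path are assumptions; IPT and IPS are overridable so the logic can be exercised without root.

```shell
#!/bin/sh
# Added example, not part of IPSET_Block.sh. Assumed names: set 'Blacklist',
# saved copy "$DIR/IPSET_Block.config" (ipset save format), lock dir in /tmp.
IPT=${IPT:-iptables}
IPS=${IPS:-ipset}
DIR=${DIR:-/tmp/mnt/USB}                  # assumed USB mount point
LOCKDIR=${LOCKDIR:-/tmp/IPSET_Block.lock}

# mkdir is atomic, so it serves as a mutex on BusyBox routers without flock(1).
# Returns 0 when the lock was taken, 1 when another copy already holds it.
take_lock() {
    if mkdir "$LOCKDIR" 2>/dev/null; then
        trap 'rmdir "$LOCKDIR"' EXIT      # release the lock however the script ends
        return 0
    fi
    return 1
}

# Restore the banned list from disk if a saved copy exists, else create it empty
# with the 168h (604800s) entry timeout. Prints which path was taken.
restore_or_create_set() {
    if [ -s "$DIR/IPSET_Block.config" ]; then
        "$IPS" -exist restore < "$DIR/IPSET_Block.config" && echo "restored"
    else
        "$IPS" -exist create Blacklist hash:ip timeout 604800 && echo "created"
    fi
}

# Insert a rule only if iptables -C reports it is absent, so repeated calls from
# firewall-start never stack duplicates. Prints the action taken.
ensure_rule() {
    chain=$1; shift
    if "$IPT" -C "$chain" "$@" 2>/dev/null; then
        echo "present"
    else
        "$IPT" -I "$chain" "$@" && echo "added"
    fi
}

main() {
    take_lock || { echo "another run in progress, exiting"; return 0; }
    restore_or_create_set
    # Drop inbound WAN traffic whose source is in the Blacklist set
    ensure_rule INPUT -i "$(nvram get wan0_ifname)" -m set --match-set Blacklist src -j DROP
}

# firewall-start would call: /jffs/scripts/this_guard.sh apply
[ "${1:-}" = "apply" ] && main
```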
 
No, there is nothing wrong with the script. The problem, I think, is with services-start (run via cru). I removed it permanently and now all scripts run just once. BTW, where and what do I add on the USB disk?

EDIT: I rebooted now and again there is double writing, so it is not a cru problem.
 
NOTE: If you define a USB disk location for the $DIR variable in my IPSET_Block.sh script, it will allow the script to restore the Banned list of IPs rather than create an empty Blacklist IPSET each time you reboot.

Can you please explain in detail how this is done? I can read some of the script but it's like another language to me. @Martineau, the other guy's script is not as good as yours, sorry, just being honest. I'm back using your improved version.
NM, I found my way and it works fine.
 
IPSET_Block.sh Hacker report script:

/jffs/scripts/HackerPorts.sh

Code:
#!/bin/sh
VER="v1.01"
#======================================================================================================= © 2016-2017 Martineau, v1.01
#
# Scan Syslog and report on Hacker attempts to attack local LAN ports. (Usually scheduled 05:00 daily by '/jffs/scripts/IPSET_Block.sh')
#      (If 'nolog' arg is used for v3.0x '/jffs/scripts/IPSET_Block.sh' then this report will NOT be able to report on the attack instance messages!)
#
#      The console display report is also created to disk and allows double-clicking on the URL to help identify the port being attacked and its attacker.
#            (v4.0x of '/jffs/scripts/IPSET_Block.sh' uses an IPSET as a crude database for the attacks so this script is no longer used.)
#
#     HackerPorts   [help | -h] | [file_name_for report] [verbose]
#
#     HackerPorts
#                   Will produce a summary display of the top 10 in three categories:
#
#                   e.g. Thu Mar 9 13:31:11 DST 2017 (Ports attacked Total=324)
#
#                              Top 10 Ports attacked:
#                          4227 http://www.speedguide.net/port.php?port=23    from  https://dnsquery.org/ipwhois/1.10.130.6
#                              <...>
#                              Top 10 attackers:
#                            3 https://dnsquery.org/ipwhois/52.174.156.242
#                              <...>
#                              Last 10 most recent attackers:
#                              https://dnsquery.org/ipwhois/146.185.239.117
#                              <...>
#
#     HackerPorts   verbose
#                   Will produce a summary display as above, but will also list ALL of the attacked ports and by whom! i.e. 324 in this example!!
#
# https://dnsquery.org/ipwhois/ is FREE but not 100% accurate?, whereas https://www.whoisxmlapi.com/ is accurate but ONLY 20 FREE IP lookups per Guest

# Print between line beginning with '#==' to first blank line inclusive
ShowHelp() {
 awk '/^#==/{f=1} f{print; if (!NF) exit}' "$0"
}
# Function Parse(String delimiter(s) variable_names)
Parse() {
 #
 #  Parse  "Word1,Word2|Word3" ",|" VAR1 VAR2 REST
 #    (Effectively executes VAR1="Word1";VAR2="Word2";REST="Word3")

 local TEXT IFS

 TEXT="$1"
 IFS="$2"
 shift 2
 read -r "$@" <<EOF
$TEXT
EOF
}

#==============================================Main=============================================

# Need assistance!???
if [ "$1" = "help" ] || [ "$1" = "-h" ]; then
 ShowHelp
 exit 0
fi

MYROUTER=$(nvram get computer_name)

# Prefer the USB disk mounted under the router's name so the master report survives a reboot
if [ -n "$MYROUTER" ] && [ -d "/tmp/mnt/$MYROUTER" ]; then
   MOUNT="/tmp/mnt/$MYROUTER"
else
   MOUNT="/tmp"
fi

if [ -n "$1" ] && [ "$1" != "verbose" ]; then
   LOGFILE="$1"
else
   LOGFILE="${MOUNT}/HackerReport.txt"
fi

rm -f "$LOGFILE.tmp" "$LOGFILE.new" "$LOGFILE.raw"

logger -st "($(basename "$0"))" $$ $VER "Hacker Port attacks Syslog Report starting....."

VERBOSE=0
if [ "$(echo "$@" | grep -o "verbose" | wc -w)" -eq 1 ]; then
   VERBOSE=1         # List ALL report lines rather than just the summary
fi

# Extract the relevant Hacker attempt msgs (created by /jffs/scripts/IPSET_Block.sh etc.) from Syslog
# as one "SRC=a.b.c.d DPT=nn" line per attack, kept in Syslog (i.e. chronological) order
grep -E "DROP IN=|Block IN=$(nvram get wan0_ifname)" /tmp/syslog.log | grep -oE "SRC=.*DPT=.*SEQ" \
  | awk '{ print $1" " $(NF-1)}' > "$LOGFILE.raw"

# Attack count per port, sorted by port number (the SRC kept is the first attacker seen on that port)
touch "$LOGFILE.tmp"                 # The report must still be produced when Syslog holds no matching msgs
sort -t " " -nk 2.5n "$LOGFILE.raw" | uniq -f 1 -c | sed -e 's/^[ \t]*//' | while read -r ITEM
 do
    Parse "$ITEM" " =" PORTCNT v2 SRC v4 PORT      # e.g. "4227 SRC=1.10.130.6 DPT=23"
    printf "%5d %-45s from %s\n" "$PORTCNT" "http://www.speedguide.net/port.php?port=$PORT" "https://dnsquery.org/ipwhois/$SRC" >> "$LOGFILE.tmp"
 done

TOTAL=$(wc -l < "$LOGFILE.tmp" | tr -d ' ')

TIMESTAMP=$(date)

echo -e "\n\n$TIMESTAMP (Ports attacked Total=$TOTAL)" >> "$LOGFILE.new" # New period's report Header
logger -t "($(basename "$0"))" $$ "Hacker report created '$LOGFILE' (Total Ports attacked: $TOTAL) $TIMESTAMP"

echo -e "\n\tTop 10 Ports attacked:" >> "$LOGFILE.new"
sort -nr "$LOGFILE.tmp" | head -n 10 >> "$LOGFILE.new"      # Highest attack count first

echo -e "\n\tTop 10 attackers:"      >> "$LOGFILE.new"
awk '{print $1}' "$LOGFILE.raw" | sort | uniq -c | sort -nr | head -n 10 \
  | awk '{sub("SRC=","https://dnsquery.org/ipwhois/",$2); printf "%5d %s\n", $1, $2}' >> "$LOGFILE.new"

echo -e "\n\tLast 10 most recent attackers:" >> "$LOGFILE.new"
tail -n 10 "$LOGFILE.raw" | awk '{sub("SRC=","      https://dnsquery.org/ipwhois/",$1); print $1}' >> "$LOGFILE.new"  # ...in chronological order last is 'most recent'

cat "$LOGFILE.new" >> "$LOGFILE"       # Update master report with this period's attack summary

echo -e "\n\tPorts attacked:" >> "$LOGFILE"
cat "$LOGFILE.tmp" >> "$LOGFILE"       # Update master report with this period's attack details

# Show report just created ...either in FULL or just the summary.
if [ "$VERBOSE" = "1" ]; then        # Just the summary report or ALL report details?
 awk -v pattern="${TIMESTAMP}" '$0 ~ pattern { matched = 1 }; matched { print }' "$LOGFILE"  # Display ALL report lines
else
 cat "$LOGFILE.new"          # Only display the new period's summary report
fi

echo

rm -f "$LOGFILE.new" "$LOGFILE.tmp" "$LOGFILE.raw"

exit 0
Where do I set or add which ports should be blocked?
 
This is an outstanding script. It works excellently. Absolutely no problems...:)
 
So my hackerports.txt is always empty?

Sent from my EVA-L09 using Tapatalk
 
What does this mean? The script is running, but every time it updates via cru it is always empty?
Code:
admin@RT-AC3200-0000:/tmp/home/root# cd /jffs/scripts
admin@RT-AC3200-0000:/jffs/scripts# ./IPSET_Block.sh
(IPSET_Block.sh): 2944 v3.04 © 2016-2017 Martineau, Dynamic IPSET Blacklist banning request.....
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
        Syslog 'Block =' messages enabled

ipset v6.29: The set with the given name does not exist
ipset v6.29: The set with the given name does not exist

        Summary Blacklist: 0 Successful blocks! ( 0 IPs currently banned - 0 added )
EDIT: it's working. I forgot to insert 'init nolog' after /jffs/scripts/IPSET_Block.sh
 
I seem to be having an issue.
When IPSET_Block is running from services-start, it seems to run OK! It gives "xxx Successful Blocks". This does not have the "init nolog" added to the end of the script.
When the script runs at reboot time from firewall-start (which has the "init nolog" parameters added) it says "0 Successful Blocks" and "0 added ip's".
Why do you think this is happening?
I also wonder why the "IPSET_Block.configbak" file is only one tenth the size of the "IPSET_Block.config" file?
 
Sorry!
I stated this incorrectly.
I should have said this happens when "Firewall start" runs when I disconnect SSH from the router or make a change to something on the GUI that causes the firewall to reset.
It works ok at reboot.
 
Did you view the help function? :rolleyes:

If you have the two cron schedules active (as detailed in the help), then the 'save' function to update IPSET_Block.config runs every hour, whilst the 'backup' function which creates the 'IPSET_Block.configbak' from the current 'IPSET_Block.config' runs every 24hrs @05:00.

So the two files will usually differ in size. Hopefully if you manually request the 'backup' function, then the two files should then match - well at least for the next few minutes until the next scheduled automated 'save' function is run.

So regarding the reporting, for most users, having the single call 'IPSET_Block.sh init' in services-start (or firewall-start) means that @boot the IPSETs are created 'empty' hence the status report will report "0 Successful Blocks" and "0 added ip's" because that is what is true.

However, if you have correctly set the $DIR variable in the script to point to a permanent USB disk where the 'IPSET_Block.config' resides, then @boot the IPSETs are restored and the script will report "0 Successful Blocks" and "xxxxxxx added ip's".

If you issue the following in a true command window such as Xshell5/Putty (but not the WinSCP console)
Code:
watch /jffs/scripts/IPSET_Block.sh

hopefully (every 2 seconds) the report counters are displayed and are eventually correctly updated?

I did hack v3.05 (as yet unpublished) of the script as I wasn't happy with one section of the v3.04 code as it contains a logic error, but I don't think anyone else running v3.04 has reported any fatal issues.

Hope this helps?
 
Hi Csection, Something does not sound right. Are you saying that disconnecting from an SSH session is causing firewall-start to run? Are you toggling the SSH service on/off on the web gui? As Merlin says, any changes on this page will cause firewall to be reconfigured. https://www.snbforums.com/threads/enabling-ssh.38793/#post-320391
 
Yes! That is correct. It happens when I toggle SSH on/off.
I am going to look into what we discussed (VPN), so I don't have to toggle it anymore though.
 
Thanks for the explanation. I didn't understand what was going on.
Script does what it was meant to do!
 
Okay, keep in mind the VPN Server is not for local access to the router through the LAN. It is for remote access to the router when you are connected to another internet connection, say from work, a coffee shop or another country. I recommend you leave SSH on at all times, LAN only though.
 
@Martineau, I have the HackerPorts script enabled but it is always empty. Is this normal?

Sent from my EVA-L09 using Tapatalk
 
I'm trying to get this working on an older MIPS AC66U.

Here's my SSH terminal pasted.
I downloaded the script, chmodded it, changed the USB location and initiated it. I still got errors. Any clue from here? What should I do with the "iptables v1.3.8: Unknown arg `--add-set'" error? Am I missing something?

Code:
admin@RT-AC66U:/jffs/scripts# wget https://raw.githubusercontent.com/MartineauUK/IPSET_Block/master/IPSET_Block.sh -O /jffs/scripts/IPSET_Block.sh
--2017-05-03 20:10:44--  https://raw.githubusercontent.com/MartineauUK/IPSET_Block/master/IPSET_Block.sh
Resolving raw.githubusercontent.com... 151.101.36.133
Connecting to raw.githubusercontent.com|151.101.36.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20352 (20K) [text/plain]
Saving to: '/jffs/scripts/IPSET_Block.sh'

/jffs/scripts/IPSET_Block.sh              100%[=======================================================================================>]  19.88K  --.-KB/s   in 0.04s

2017-05-03 20:10:44 (553 KB/s) - '/jffs/scripts/IPSET_Block.sh' saved [20352/20352]

admin@RT-AC66U:/jffs/scripts# chmod +x IPSET_Block.sh
admin@RT-AC66U:/jffs/scripts# nano IPSET_Block.sh
admin@RT-AC66U:/jffs/scripts# cd /jffs/scripts
admin@RT-AC66U:/jffs/scripts# ./IPSET_Block.sh   init   nolog
(IPSET_Block.sh): 8497 v3.04 © 2016-2017 Martineau, Dynamic IPSET Blacklist banning request.....
(IPSET_Block.sh): 8497 IPSETs: 'Blacklist/Whitelist' created EMPTY..... [init nolog]
iptables v1.3.8: Unknown arg `--add-set'
Try `iptables -h' or 'iptables --help' for more information.
(IPSET_Block.sh): 8497 Dynamic IPSET Blacklist banning enabled.

        Summary Blacklist: 0 Successful blocks! ( 0 IPs currently banned - 0 added )

admin@RT-AC66U:/jffs/scripts# ./IPSET_Block.sh
(IPSET_Block.sh): 8621 v3.04 © 2016-2017 Martineau, Dynamic IPSET Blacklist banning request.....

        Summary Blacklist: 0 Successful blocks! ( 0 IPs currently banned - 0 added )

admin@RT-AC66U:/jffs/scripts#
 
IPSET_Block.sh Hacker report script:

/jffs/scripts/HackerPorts.sh

v2.03 available.

EDIT: 04/05/2017 Thanks to @amplatfus for identifying issues displaying mmm ddd hh:mm formats.
EDIT: 07/05/2017 Thanks to @Jack Yaz for identifying an issue when starting IPSET_Block.sh from post-mount rather than firewall-start/services-start.


https://www.snbforums.com/threads/h...et-martineau-version.38748/page-3#post-321129

1. The script now attempts to advise implementers why the script may seemingly report 'nothing' based on the use of an inappropriate directive 'nolog' :rolleyes: during the installation of my IPSET_Block.sh script.

2. The script now reports on both the number of unique ports attacked and the number of physical attacks in the current period.

3. You can now pass the parameter 'num=xx' to override the script default 'num=10' to alter how many items are displayed. (see help)

(NOTE: IPSET_Block.sh v3.05 is available https://pastebin.com/zQ3KEe8P which now calls this new version of the script but the release is primarily a seemingly futile attempt to provide support for older firmware.)

i.e. if you are running IPSET_Block v3.04, simply add the following to the end of the IPSET_Block.sh script to conveniently have IPSET_Block.sh display both status reports (no need to have two cron schedules):
Code:
if [ -f /jffs/scripts/HackerPorts.sh ]; then
    /jffs/scripts/HackerPorts.sh num=3      # Requires HackerPorts v2.xx
fi
exit 0
 
I posted an updated version specifically to try and provide support for older firmware/MIPs hardware.

IPSET_Block.sh v3.05 https://pastebin.com/zQ3KEe8P

but I suspect that 'iptables v1.3.8' - whilst the help shows that '-add-set' should be supported, isn't actually compiled/available? :oops:
 
Not meaning to cause a ruckus here but did you mean -add-set as part of ipset not iptables? or am I confused? :confused:
 