How to Dynamically Ban Malicious IP's using IPSet (Martineau version)

It appears to be this way, at least for pastebin files. Never had to do this with GitHub files. Maybe it is a feature of pastebin? :)

Indeed perhaps I should only use GitHub.

Anyway, I knew it was a mistake to post my shonky verbose scripts :rolleyes: .....it's bad enough supporting the rubbish code without having to worry about the physical download procedure too :eek:
 
Yes, I have both cron jobs and I ran those commands, and everything looks OK except IPSET_Block.configbak is still empty.

Attempt to move this discussion to the more appropriate thread :oops:

So when you issue
Code:
./IPSET_Block.sh   save

./IPSET_Block.sh   backup

despite the appropriate messages being issued, are both files truly 'empty', or is it just that the physical contents of the two files differ?

e.g. Remember to remove ': mad :' literal before running the command :rolleyes:
Code:
ls   -lah   IPSET_Block*
 
Forget what I said! It is working ok. I guess it just didn't have anything to save for a couple hours.
I still would like to know how to capture the output of grep though for future use. I use a putty terminal to run stuff from command line. Is there a way to capture the output of "Grep"?
 
OK, I have information in 2 files on EXT4: I have information in IPSET_Blacklist_Count and in IPSET_Block.config. I just have no information in the third file, IPSET_Block.configbak; it appears to be empty.
The :mad: command you gave me, I don't know where to run it from or what to input for the :mad: replacement. I tried running the command at root without using : mad: but it returns no file by that name. I tried this at root and at /jffs/scripts as well.
Is the problem centred around my changes in the directory section of the script? I posted my changes to the script in my first post about this.
 
Forget what I said! It is working ok. I guess it just didn't have anything to save for a couple hours.
I still would like to know how to capture the output of grep though for future use. I use a putty terminal to run stuff from command line. Is there a way to capture the output of "Grep"?
You can pipe the output to a file. For example, to list the directory contents of /jffs/scripts for all files that end in .sh, do the following:
(sorry, this site blocks some Linux commands so I have to spell it out) Ugh. @thiggins

Code:
# list /jffs/scripts, keep only names ending in .sh, and send the result to a file
ls /jffs/scripts | grep '\.sh$' > jffs_shell_script_dir_list.txt

Using two greater-than signs appends to the file contents. One greater-than sign overwrites the file contents.
 
Linux directory command: ls
Send output to file, overwrites: >
Send output to file, appends: >>
 
All day I played around with the HackerPorts script and there is no way to get it to show anything... I read this thread twice and tried these commands:
https://www.snbforums.com/threads/h...et-martineau-version.38748/page-7#post-322280
https://www.snbforums.com/threads/h...et-martineau-version.38748/page-7#post-322377
https://www.snbforums.com/threads/h...et-martineau-version.38748/page-7#post-322401
https://www.snbforums.com/threads/h...et-martineau-version.38748/page-7#post-322418

and the result is 1114 banned IPs but no port attempts... I really tried everything...
Code:
ASUSWRT-Merlin RT-AC3200 380.66-beta4-g4cc25ae Fri May  5 03:01:48 UTC 2017
admin@RT-AC3200-0000:/tmp/home/root# cd /jffs/scripts
admin@RT-AC3200-0000:/jffs/scripts# ./IPSET_Block.sh
(IPSET_Block.sh): 2217 v3.05 © 2016-2017 Martineau, Dynamic IPSET Blacklist banning request.....

        Summary Blacklist: 2 Successful blocks! ( 1114 IPs currently banned - 9 added since: May 6 19:24 ), Entries auto-expire after 36:00:00 hrs

(HackerPorts.sh): 2292 v2.02 Hacker Port attacks Report starting.....


Sat May 6 19:41:13 DST 2017 Statistics: Total Unique Ports attacked: 0 (out of 0 attempts) tracked using SYSLOG between May  6 18:41:08 - May  6 19:41:13


        Top 3 Ports attacked:

        Top 3 attackers:

        Last 3 most recent attackers:

admin@RT-AC3200-0000:/jffs/scripts#

And what about writing every banned IP to syslog? I know that can be solved with nolog, but then HackerPorts is not working?
Code:
May  6 20:00:48 disk_monitor: Got SIGALRM...
May  6 20:01:26 kernel: Block IN=ppp0 OUT= MAC= SRC=45.63.11.122 DST=0.0.0.0 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=55116 DPT=80 SEQ=3527089618 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0
May  6 20:01:37 kernel: Block IN=ppp0 OUT= MAC= SRC=122.114.212.22 DST=0.0.0.0 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=25895 PROTO=TCP SPT=55461 DPT=1433 SEQ=408813031 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
May  6 20:03:26 kernel: Block IN=ppp0 OUT= MAC= SRC=191.249.137.58 DST=0.0.0.0 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=60417 PROTO=TCP SPT=58963 DPT=23 SEQ=3243089241 ACK=0 WINDOW=62531 RES=0x00 SYN URGP=0 OPT (0204058C)
May  6 20:04:09 kernel: Block IN=ppp0 OUT= MAC= SRC=114.200.84.200 DST=0.0.0.0 LEN=122 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=44242 DPT=1900 LEN=102
May  6 20:04:11 kernel: Block IN=ppp0 OUT= MAC= SRC=121.101.245.16 DST=0.0.0.0 LEN=122 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=46461 DPT=1900 LEN=102
May  6 20:04:36 kernel: Block IN=ppp0 OUT= MAC= SRC=203.195.210.236 DST=0.0.0.0 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=60114 PROTO=TCP SPT=54088 DPT=23 SEQ=1365604252 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
May  6 20:04:46 kernel: Block IN=ppp0 OUT= MAC= SRC=122.114.241.252 DST=0.0.0.0 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=41763 PROTO=TCP SPT=57408 DPT=1433 SEQ=3173989347 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
May  6 20:05:22 kernel: Block IN=ppp0 OUT= MAC= SRC=220.211.125.33 DST=0.0.0.0 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=11120 PROTO=TCP SPT=47028 DPT=22 SEQ=3243089241 ACK=0 WINDOW=36214 RES=0x00 SYN URGP=0
May  6 20:06:48 kernel: Block IN=ppp0 OUT= MAC= SRC=121.12.190.1 DST=0.0.0.0 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=29640 PROTO=TCP SPT=56417 DPT=23 SEQ=3243089241 ACK=0 WINDOW=52849 RES=0x00 SYN URGP=0 OPT (020405A0)
May  6 20:07:33 kernel: Block IN=ppp0 OUT= MAC= SRC=185.35.62.64 DST=0.0.0.0 LEN=36 TOS=0x00 PREC=0x00 TTL=249 ID=54321 PROTO=UDP SPT=60405 DPT=19 LEN=16
May  6 20:10:13 kernel: Block IN=ppp0 OUT= MAC= SRC=78.183.173.171 DST=0.0.0.0 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=51918 PROTO=TCP SPT=57461 DPT=23 SEQ=3243089241 ACK=0 WINDOW=59516 RES=0x00 SYN URGP=0
May  6 20:10:18 kernel: Block IN=ppp0 OUT= MAC= SRC=5.62.174.123 DST=0.0.0.0 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=18227 PROTO=TCP SPT=15497 DPT=7547 SEQ=50470 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0
May  6 20:10:20 kernel: Block IN=ppp0 OUT= MAC= SRC=5.239.65.227 DST=0.0.0.0 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=14490 PROTO=TCP SPT=43188 DPT=7547 SEQ=35164 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0
May  6 20:11:00 kernel: Block IN=ppp0 OUT= MAC= SRC=114.69.186.201 DST=0.0.0.0 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=10305 PROTO=TCP SPT=26599 DPT=23 SEQ=3243089241 ACK=0 WINDOW=28654 RES=0x00 SYN URGP=0
May  6 20:13:13 kernel: Block IN=ppp0 OUT= MAC= SRC=221.122.67.245 DST=0.0.0.0 LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=1291 PROTO=TCP SPT=44500 DPT=23 SEQ=3770062917 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
May  6 20:15:43 kernel: Block IN=ppp0 OUT= MAC= SRC=123.207.37.42 DST=0.0.0.0 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=60462 PROTO=TCP SPT=50286 DPT=23 SEQ=824144224 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
May  6 20:15:50 kernel: Block IN=ppp0 OUT= MAC= SRC=186.62.150.74 DST=0.0.0.0 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=2322 PROTO=TCP SPT=13468 DPT=22 SEQ=3243089241 ACK=0 WINDOW=5304 RES=0x00 SYN URGP=0
May  6 20:16:17 kernel: Block IN=ppp0 OUT= MAC= SRC=45.55.13.84 DST=0.0.0.0 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=54321 PROTO=TCP SPT=40058 DPT=119 SEQ=2633202365 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0
May  6 20:18:14 kernel: Block IN=ppp0 OUT= MAC= SRC=95.252.125.211 DST=0.0.0.0 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=9404 PROTO=TCP SPT=6582 DPT=7547 SEQ=51924 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0
May  6 20:19:37 kernel: Block IN=ppp0 OUT= MAC= SRC=180.213.12.141 DST=0.0.0.0 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=22409 PROTO=TCP SPT=18713 DPT=22 SEQ=3243089241 ACK=0 WINDOW=35323 RES=0x00 SYN URGP=0
May  6 20:20:34 pixelserv[3159]: ad3.adfarm1.adition.com _.adfarm1.adition.com missing
May  6 20:20:34 pixelserv[3160]: ad3.adfarm1.adition.com _.adfarm1.adition.com missing
May  6 20:20:34 pixelserv[1134]: cert _.adfarm1.adition.com generated and saved
May  6 20:21:02 kernel: Block IN=ppp0 OUT= MAC= SRC=23.254.166.195 DST=0.0.0.0 LEN=40 TOS=0x08 PREC=0x00 TTL=243 ID=57471 PROTO=TCP SPT=53699 DPT=1433 SEQ=1586526399 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
May  6 20:21:50 kernel: Block IN=ppp0 OUT= MAC= SRC=223.240.5.58 DST=0.0.0.0 LEN=44 TOS=0x00 PREC=0x00 TTL=51 ID=30042 PROTO=TCP SPT=62562 DPT=2222 SEQ=3243089241 ACK=0 WINDOW=59978 RES=0x00 SYN URGP=0 OPT (020405B4)
May  6 20:22:28 kernel: Block IN=ppp0 OUT= MAC= SRC=218.5.160.58 DST=0.0.0.0 LEN=40 TOS=0x00 PREC=0x00 TTL=53 ID=7630 PROTO=TCP SPT=36441 DPT=23 SEQ=3243089241 ACK=0 WINDOW=40009 RES=0x00 SYN URGP=0
May  6 20:23:21 kernel: Block IN=ppp0 OUT= MAC= SRC=165.228.155.136 DST=0.0.0.0 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=35941 PROTO=TCP SPT=50362 DPT=23 SEQ=3243089241 ACK=0 WINDOW=64386 RES=0x00 SYN URGP=0
May  6 20:24:51 kernel: Block IN=ppp0 OUT= MAC= SRC=5.88.141.102 DST=0.0.0.0 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=51330 PROTO=TCP SPT=62190 DPT=23 SEQ=3243089241 ACK=0 WINDOW=52694 RES=0x00 SYN URGP=0
May  6 20:24:59 kernel: Block IN=ppp0 OUT= MAC= SRC=106.75.72.167 DST=0.0.0.0 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=64399 PROTO=TCP SPT=58914 DPT=1080 SEQ=2457363182 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
May  6 20:25:40 kernel: Block IN=ppp0 OUT= MAC= SRC=119.126.89.46 DST=0.0.0.0 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=7629 PROTO=TCP SPT=35467 DPT=1433 SEQ=412583181 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
May  6 20:26:25 kernel: Block IN=ppp0 OUT= MAC= SRC=201.175.64.213 DST=0.0.0.0 LEN=40 TOS=0x08 PREC=0x00 TTL=49 ID=29151 PROTO=TCP SPT=1326 DPT=23 SEQ=3243089241 ACK=0 WINDOW=13086 RES=0x00 SYN URGP=0
May  6 20:26:31 kernel: Block IN=ppp0 OUT= MAC= SRC=77.72.83.5 DST=0.0.0.0 LEN=40 TOS=0x08 PREC=0x00 TTL=243 ID=27745 PROTO=TCP SPT=53862 DPT=3392 SEQ=3970301048 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
May  6 20:26:55 kernel: Block IN=ppp0 OUT= MAC= SRC=190.140.197.252 DST=0.0.0.0 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=52234 PROTO=TCP SPT=36980 DPT=23 SEQ=3243089241 ACK=0 WINDOW=33380 RES=0x00 SYN URGP=0
May  6 20:27:09 kernel: Block IN=ppp0 OUT= MAC= SRC=77.252.241.229 DST=0.0.0.0 LEN=44 TOS=0x00 PREC=0x00 TTL=54 ID=64222 PROTO=TCP SPT=56516 DPT=23 SEQ=3243089241 ACK=0 WINDOW=34452 RES=0x00 SYN URGP=0 OPT (0204058A)
 
Please provide the output of the diagnostic commands:
Code:
grep -E "Block.*" /tmp/syslog.log | wc -l

grep -E "Block.*" /tmp/syslog.log | tail

# the file argument is required, otherwise grep waits on stdin; capture only the SRC= address
grep "Block IN" /tmp/syslog.log | tail | sed -e 's/.*SRC=\([^ ]*\).*/\1/'
I tried to produce output from those commands as log1.txt, log2.txt, log3.txt but I only get log1.txt = 0.
log2.txt is empty, and log3.txt with the "Block IN" hangs and does not complete.
 
The below, in combination with your script, seems to cause a lockout in internet connectivity for clients, but not the router. I've removed the reloading script and everything is hunky dory from a reboot. I have no idea why they're fighting each other!

Code:
# Reinstate the ipset rules if they have been created already
[ "$(uname -m)" = "mips" ] && MATCH_SET='--set' || MATCH_SET='--match-set'
for ipSet in $(ipset -L | sed -n '/^Name:/s/^.* //p'); do
  case $ipSet in
    AcceptList) iptables-save | grep -q "$ipSet" || iptables -I INPUT -m set $MATCH_SET $ipSet src -j ACCEPT;;
    TorNodes|BlockedCountries|CustomBlock) iptables-save | grep -q "$ipSet" || iptables -I INPUT -m set $MATCH_SET $ipSet src -j DROP;;
    MicrosoftSpyServers) iptables-save | grep -q "$ipSet" || iptables -I FORWARD -m set $MATCH_SET $ipSet dst -j DROP;;
    *) iptables-save | grep -q "$ipSet" || iptables -I FORWARD -m set $MATCH_SET $ipSet src,dst -j DROP;;
  esac
done
 
Also, I found a problem with HackerPorts: where I've moved the init call to post-mount (to ensure USB is available prior to loading), it thinks there's no logging. I figured I could either add a grep statement to check post-mount, in addition to firewall-start and services-start, or be lazy and change the variable from 0 to 1. I chose the latter, but HackerPorts coughs up reports now!
 
Can you elaborate on the variable change from 0 to 1? Where in the code, or how is the script called from the command line? Thank you. After testing on a second router after enabling the USB drive for the script, the report also does not produce output on this router, nor on the other one I enabled the USB drive on the other day. I would like to try your change to see if it fixes it.
 
Sorry, using the HackerPort script from here: https://pastebin.com/LRHJih8Z

This function:
Code:
Tracking_Enabled () {

# Try and determine if Port tracking is enabled - either via Syslog or IPSET

    local STATUS=0                                    # 0-DISABLED,1-Syslog,2-IPSET,3-Both
    local FN=

    if [ ! -z "$(grep -iE "/jffs/scripts/IPSET_Block\.sh" /jffs/scripts/firewall-start | grep -vE "^\#")" ];then
        if [ -z "$(grep -iE "/jffs/scripts/IPSET_Block\.sh.*nolog" /jffs/scripts/firewall-start)" ];then
            STATUS=1                                # Yes Syslog i.e. 'nolog' wasn't specified
        else
            FN="/jffs/scripts/firewall-start"
        fi
    else
        if [ ! -z "$(grep -iE "/jffs/scripts/IPSET_Block\.sh" /jffs/scripts/services-start)" ];then
            if [ -z "$(grep -iE "/jffs/scripts/IPSET_Block\.sh.*nolog" /jffs/scripts/services-start)" ];then
                STATUS=1                            # Yes Syslog i.e. 'nolog' wasn't specified
            else
                FN="/jffs/scripts/services-start"
            fi
        fi
    fi
   
    if [ "$(ipset list BlacklistTRK 2> /dev/null | wc -l)" -gt 0 ]; then
        STATUS=$(($STATUS+2))                        # Yes - IPSET
    fi
   
    echo $STATUS","$FN

}

I changed local STATUS=0 to local STATUS=1
(near the top of the function).

My post-mount looks like this; change your mount path as appropriate. I could add a grep for post-mount to give to RMartineau and will give it a go later. Forcing 1 for the variable seems to work, since the following if/grep commands don't update it because I am using post-mount.

Code:
#!/bin/sh

# Set Entware symlink once entware partition is mounted
if [ "$1" = "/tmp/mnt/entware" ] ; then
  ln -nsf $1/entware /tmp/opt
fi

# Load Malicious IP blocking rules once ipset partition is mounted
if [ "$1" = "/tmp/mnt/ipset" ] ; then
  sh /jffs/scripts/IPSET_Block.sh init
fi
 
Thanks for the reply. So the if/then/else is not checking for IPSET_Block.sh being called from post-mount; that may be why setting it to 1 worked for you. It did not work for me. I found that this line will return 3 entries because I also have the two cru command lines in services-start in addition to the sh /jffs/scripts/IPSET_Block.sh init:

Code:
grep -iE "/jffs/scripts/IPSET_Block\.sh" /jffs/scripts/services-start

As a result, it may not be setting STATUS appropriately. I went back to v1.01 (thankfully it is still on the thread, as I did not have a backup) and it worked okay. I think I am on to something with the status. But I am checking out for the night now and will pick it up tomorrow. Zzzzzz
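The post above pins the problem on how Tracking_Enabled greps the start scripts: any line mentioning IPSET_Block.sh counts (so the two cru lines match), comments are only filtered for firewall-start, and post-mount is never looked at. The following is an added example, not HackerPorts.sh's own code, of a variant that only counts an uncommented line actually invoking 'IPSET_Block.sh ... init' in any of the three scripts; the fixture files and the directory layout under FIX are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not HackerPorts.sh code): a Tracking_Enabled variant that also scans
# post-mount, counts only an uncommented line that really runs 'IPSET_Block.sh ... init'
# (so the cru save/backup entries in services-start no longer match) and looks for
# 'nolog' on that same line. The "STATUS,FN" output shape is kept: 0-DISABLED,1-Syslog,2-IPSET,3-Both.

# init_lines FILE -> the uncommented lines of FILE that invoke IPSET_Block.sh with 'init'
init_lines() {
    [ -f "$1" ] || return 0
    grep -vE '^[[:space:]]*#' "$1" \
        | grep -E 'IPSET_Block\.sh([[:space:]].*)?[[:space:]]init([^[:alnum:]_]|$)' || true
}

# syslog_tracking SCRIPTDIR -> "STATUS,FN": STATUS=1 when some start script has an init call
# without 'nolog'; otherwise STATUS=0 and FN names the script whose init call carries 'nolog'
syslog_tracking() {
    dir="$1"; status=0; fn=""
    for f in firewall-start services-start post-mount; do
        lines="$(init_lines "$dir/$f")"
        [ -n "$lines" ] || continue
        if printf '%s\n' "$lines" | grep -qv 'nolog'; then
            status=1                      # a logging init call exists
        else
            fn="$dir/$f"                  # init is present, but with 'nolog'
        fi
    done
    echo "$status,$fn"
}

# ipset_tracking -> 2 when the BlacklistTRK set exists, else 0 (also 0 where ipset is absent)
ipset_tracking() {
    command -v ipset >/dev/null 2>&1 || { echo 0; return 0; }
    if [ "$(ipset list BlacklistTRK 2>/dev/null | wc -l)" -gt 0 ]; then echo 2; else echo 0; fi
}

# tracking_enabled SCRIPTDIR -> the combined "STATUS,FN" string
tracking_enabled() {
    s="$(syslog_tracking "$1")"
    echo "$(( ${s%%,*} + $(ipset_tracking) )),${s#*,}"
}

# Constructed fixtures (not real router files): init was moved from firewall-start to
# post-mount, and services-start carries only the two cru lines, which must not count.
FIX="${TMPDIR:-/tmp}/ipset_trk_$$"; mkdir -p "$FIX/logging" "$FIX/nolog"
printf '%s\n' '#!/bin/sh' '# sh /jffs/scripts/IPSET_Block.sh init   # moved to post-mount' \
    > "$FIX/logging/firewall-start"
printf '%s\n' '#!/bin/sh' \
    'cru a IPSET_SAVE "0 * * * * sh /jffs/scripts/IPSET_Block.sh save"' \
    'cru a IPSET_BACKUP "5 0 * * * sh /jffs/scripts/IPSET_Block.sh backup"' \
    > "$FIX/logging/services-start"
printf '%s\n' '#!/bin/sh' 'if [ "$1" = "/tmp/mnt/ipset" ]; then' \
    '  sh /jffs/scripts/IPSET_Block.sh init' 'fi' > "$FIX/logging/post-mount"
cp "$FIX/logging/firewall-start" "$FIX/logging/services-start" "$FIX/nolog/"
sed 's/init$/init nolog/' "$FIX/logging/post-mount" > "$FIX/nolog/post-mount"

echo "logging : $(tracking_enabled "$FIX/logging")"   # 1, (3, if BlacklistTRK exists)
echo "nolog   : $(tracking_enabled "$FIX/nolog")"     # 0,<FIX>/nolog/post-mount
```

On a router the ipset part adds 2 exactly as the original does; on a machine without ipset the Syslog half still exercises the three-file scan.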
 
Ok makes sense!

Out of interest, would this script cause problems with dropbox on my PC? Can't tell if their sync service is having problems or if it's IP Set!
 
Got it all sorted! Everything works well. I removed the volume disc check pre-mount now it works like a charm.
 
Ok makes sense!

Out of interest, would this script cause problems with dropbox on my PC? Can't tell if their sync service is having problems or if it's IP Set!
I'll check in the morning. I also have Dropbox sync on my PC.
 
/jffs/scripts/HackerPorts.sh

v2.03 is available.


Thanks to @Xentrk , @Jack Yaz , @Csection and others for providing feed back to try and improve the reliability of the reporting.

I've rewritten the parsing code when extracting the 'Block IN=' messages from Syslog.

It appears that the '-j LOG' chain may generate 'inconsistent' messages, the weird one being the random insertion of the Unicode '0xa0' character ('&nbsp;'), so whilst it appears as a space " " it really isn't, and the parsing will fail.

Now it could be that this is a side effect of extracting the test data from the forum, but either way, sometimes the script works for some and not for others; as @Xentrk posted, it has been fine on his router, but on another one he installed the script on, it just won't work.

1. Fix to include an additional check to see if the inappropriate 'nolog' directive is still being used with the 'init' call by IPSET_Block.sh. I only scanned both firewall-start/services-start and never considered that anyone would need to use post-mount. @Jack Yaz

2. New command args are available (see help)

all - By default the report covers WAN attacks only; specifying this allows reporting on all interfaces, e.g. ppp0, vlan2 etc.

wipe - If Syslog is used to record the tracking messages (rather than the Blacklist IPSET), then once the report has been written to disk the tracking messages are erased from Syslog.

in= - I have lots of archived Syslogs and, to try and prove that the script genuinely works, needed to quickly point the script at a file rather than the 'live' Syslog.

3. GRE report. These '-j LOG' messages contain no target 'DPT=' clause, which caused the parsing to fail dismally, given that this is a critical field that I explicitly use as a delimiter.

These attempts are now also reported, so perhaps IPSET_Block.sh deserves brownie-points! - or not!


The general reporting info has also been tweaked to give better feedback, along with some additional cosmetic fluff!

No doubt it is riddled with bugs, but that is the price I pay for not requesting a lengthy beta testing programme.

Caveat Emptor! :D
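The two parsing failures the v2.03 notes describe (a stray 0xa0 byte that looks like a space but isn't, and GRE lines with no DPT= field) are shown below in an added example that is not HackerPorts.sh's code: a small 'Block IN=' parser that normalises the byte before field-splitting, treats a missing DPT= as port "-", and produces the same kind of totals, top-ports and top-attackers figures the report prints. The sample Syslog is constructed with documentation-range addresses; the hp_* function names are the example's own.

```shell
#!/bin/sh
# Added example (not HackerPorts.sh or IPSET_Block.sh code): a parser for the '-j LOG'
# "Block IN=" Syslog lines that (a) neutralises the stray 0xa0 byte that looks like a
# space but is not, and (b) tolerates GRE lines, which carry no DPT= field (port "-").
export LC_ALL=C                 # bytewise tr and sort, no locale collation surprises

# hp_records LOGFILE [IFACE] -> one "SRC PROTO DPT" line per blocked packet;
# IFACE defaults to ppp0 (the WAN), pass 'all' to report on every interface.
hp_records() {
    iface="${2:-ppp0}"
    # map a raw 0xa0 byte, and both bytes of a UTF-8 NBSP (C2 A0), to real spaces
    tr '\302\240' '  ' < "$1" | awk -v want="$iface" '
        /Block IN=/ {
            src = ""; proto = ""; in_if = ""; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^IN=/)    in_if = substr($i, 4)
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (src == "") next                        # not a packet-log line
            if (want != "all" && in_if != want) next   # WAN only unless "all"
            print src, proto, dpt
        }'
}

hp_total_attempts() { hp_records "$1" "$2" | wc -l | tr -d ' '; }
hp_unique_ports()   { hp_records "$1" "$2" | awk '{ print $3 "/" $2 }' | sort -u | wc -l | tr -d ' '; }

# hp_top_ports LOGFILE [N] [IFACE] -> "count port/proto", most attacked first (ties by key)
hp_top_ports() {
    hp_records "$1" "$3" | awk '{ print $3 "/" $2 }' | sort | uniq -c \
        | sort -k1,1nr -k2,2 | head -n "${2:-3}" | awk '{ print $1, $2 }'
}

# hp_top_attackers LOGFILE [N] [IFACE] -> "count src"
hp_top_attackers() {
    hp_records "$1" "$3" | awk '{ print $1 }' | sort | uniq -c \
        | sort -k1,1nr -k2,2 | head -n "${2:-3}" | awk '{ print $1, $2 }'
}

# hp_last_attackers LOGFILE [N] [IFACE] -> the N most recent sources, newest first
hp_last_attackers() {
    hp_records "$1" "$3" | awk -v n="${2:-3}" \
        '{ a[NR] = $1 } END { for (i = NR; i > NR - n && i > 0; i--) print a[i] }'
}

# Constructed sample Syslog (documentation-range addresses, not real attackers); the
# fifth packet line carries a raw 0xa0 byte in front of SRC=, the seventh is GRE.
SAMPLE_LOG="${TMPDIR:-/tmp}/hp_sample_$$.log"
printf '%s\n' \
  'May  6 20:00:48 disk_monitor: Got SIGALRM...' \
  'May  6 20:01:26 kernel: Block IN=ppp0 OUT= MAC= SRC=203.0.113.10 DST=0.0.0.0 LEN=40 PROTO=TCP SPT=55116 DPT=80 SYN URGP=0' \
  'May  6 20:01:37 kernel: Block IN=ppp0 OUT= MAC= SRC=203.0.113.22 DST=0.0.0.0 LEN=40 PROTO=TCP SPT=55461 DPT=1433 SYN URGP=0' \
  'May  6 20:03:26 kernel: Block IN=ppp0 OUT= MAC= SRC=203.0.113.33 DST=0.0.0.0 LEN=44 PROTO=TCP SPT=58963 DPT=23 SYN URGP=0' \
  'May  6 20:04:09 kernel: Block IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=0.0.0.0 LEN=122 PROTO=UDP SPT=44242 DPT=1900 LEN=102' > "$SAMPLE_LOG"
printf 'May  6 20:05:22 kernel: Block IN=ppp0 OUT= MAC=\240SRC=203.0.113.33 DST=0.0.0.0 LEN=40 PROTO=TCP SPT=47028 DPT=23 SYN URGP=0\n' >> "$SAMPLE_LOG"
printf '%s\n' \
  'May  6 20:10:13 kernel: Block IN=ppp0 OUT= MAC= SRC=203.0.113.44 DST=0.0.0.0 LEN=40 PROTO=TCP SPT=57461 DPT=22 SYN URGP=0' \
  'May  6 20:11:00 kernel: Block IN=ppp0 OUT= MAC= SRC=198.51.100.9 DST=0.0.0.0 LEN=60 TOS=0x00 TTL=64 ID=0 DF PROTO=47' \
  'May  6 20:13:13 kernel: Block IN=ppp0 OUT= MAC= SRC=203.0.113.33 DST=0.0.0.0 LEN=40 PROTO=TCP SPT=44500 DPT=23 SYN URGP=0' \
  'May  6 20:15:43 kernel: Block IN=vlan2 OUT= MAC= SRC=192.0.2.5 DST=0.0.0.0 LEN=40 PROTO=TCP SPT=50286 DPT=445 SYN URGP=0' >> "$SAMPLE_LOG"

echo "WAN attempts: $(hp_total_attempts "$SAMPLE_LOG") on $(hp_unique_ports "$SAMPLE_LOG") unique ports"
echo "Top 3 ports:";        hp_top_ports "$SAMPLE_LOG" 3
echo "Top 3 attackers:";    hp_top_attackers "$SAMPLE_LOG" 3
echo "Last 3 attackers:";   hp_last_attackers "$SAMPLE_LOG" 3
```

Point hp_records at /tmp/syslog.log (or an archived copy, as the new in= argument does) to run it against real data; without the tr step the 0xa0 line is silently dropped, which is the "0 attempts" symptom reported earlier in the thread.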
 
OK, v2.03 includes a hack to accommodate the starting of IPSET_Block.sh from post-mount, but I am still undecided about setting an appropriate NVRAM variable, but if I should inadvertently trigger the Yellow Exclamation mark indicating NVRAM 'shortage' then it may not be worth the grief! :oops:
 
Got it all sorted! Everything works well. I removed the volume disc check pre-mount now it works like a charm.

Good to hear! :D
 
v2.03 is available...if you are brave enough! :p

Enjoy your nap.
 