How to Dynamically Ban Malicious IP's using IPSet (Martineau version)

The below, in combination with your script, seems to cause a lockout in internet connectivity for clients, but not the router. I've removed the reloading script and everything is hunky-dory from a reboot. I have no idea why they're fighting each other!

Neither do I. o_O

The logic I use to insert the '-j Blacklist' firewall rule is simply to look for the existing 'DROP/logdrop' rules, clone them, and insert the duplicate rule immediately preceding the original. Perhaps my left-field 'wholly original' idea is fatally flawed? :eek:

So in theory, the packet was to be DROP'd / logdrop'd anyway?
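As an added illustration of the clone-and-insert logic described above (this is not IPSET_Block.sh's own code), the following dry run reads rules in `iptables -S` format and prints the `iptables -I` command that would place a `-j Blacklist` clone immediately before each DROP/logdrop rule. It goes slightly beyond the description: it skips the set-enforcement rule that itself matches the Blacklist set, and it skips a rule whose clone is already in place, so running it twice does not stack duplicates. The function names and the SAMPLE_RULES listing are constructed for this example.

```shell
#!/bin/sh
# Added illustration, not IPSET_Block.sh's own code: reproduce the "clone the DROP/logdrop
# rule and insert the clone just before it" logic as a dry run. Input is in the format of
# `iptables -S`; SAMPLE_RULES is a constructed sample, not output from a real router.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m set --match-set Blacklist src -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j logdrop
-A FORWARD -i eth0 -m state --state INVALID -j Blacklist
-A FORWARD -i eth0 -m state --state INVALID -j DROP
-A FORWARD -i br0 -o eth0 -j ACCEPT'

# Read iptables -S output on stdin; print one "iptables -I CHAIN POS MATCH -j Blacklist"
# command per DROP/logdrop rule. POS is the rule's live position at the moment the
# command would run, i.e. its original position plus the clones already inserted above it.
blacklist_insert_cmds() {
    awk '
        $1 == "-A" {
            chain = $2
            pos[chain]++                           # 1-based position within this chain
            n = split($0, f, " ")
            if (f[n-1] == "-j") { target = f[n]; last = n - 2 } else { target = ""; last = n }
            spec = ""                              # match part: between chain name and "-j"
            for (i = 3; i <= last; i++) spec = spec (spec == "" ? "" : " ") f[i]
            want = (target == "DROP" || target == "logdrop")
            # skip the rule that enforces the set itself, and a rule already preceded by its clone
            already = (prev_target[chain] == "Blacklist" && prev_spec[chain] == spec)
            if (want && !already && index(spec, "Blacklist") == 0) {
                printf "iptables -I %s %d%s -j Blacklist\n", chain, pos[chain] + added[chain], (spec == "" ? "" : " " spec)
                added[chain]++
            }
            prev_target[chain] = target; prev_spec[chain] = spec
        }'
}

# Dry run against the constructed sample; live_cmds is the form a practitioner would
# review and only then pipe through "sh" on the router.
dry_run()   { printf '%s\n' "$SAMPLE_RULES" | blacklist_insert_cmds; }
live_cmds() { iptables -S | blacklist_insert_cmds; }

dry_run
```

The dry run prints two commands for the sample: the INPUT INVALID rule is cloned at position 1 and the port-22 logdrop at position 5 (its original position 4 plus the one clone inserted above it); the FORWARD DROP rule is left alone because its clone already precedes it.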
 
I tried to produce output from those commands as log1.txt, log2.txt and log3.txt, but I only get log1.txt = 0;
log2.txt is empty, and log3.txt with the "Block IN" hangs and does not complete.

Apologies, the third command is missing the /tmp/syslog.log argument as used in the first command. :oops::oops:

Anyway, the first command should only return 1 line, which it did, but the '0' is bad news, so it effectively pre-empts the next two as redundant anyway.

So the question remains why there are no expected Syslog messages available to HackerPorts.sh - assuming of course that you have run 'IPSET_Blocker.sh init'.

Anyway v2.03 is available with even more internal checks to aid diagnostics for others where they do have 'Block IN' messages in Syslog, but the actual extraction of the two 'SRC=' and 'DPT=' values is randomly failing.
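As an added example of the extraction HackerPorts.sh has to perform (this is not HackerPorts.sh's own code), the following pulls the 'SRC=' and 'DPT=' values out of the 'Block ' Syslog messages by tag rather than by field position. That matters because the position of DPT= moves with PROTO, and ICMP entries carry no DPT= at all, which is one way a positional extraction comes back empty on some lines. The function names and the SAMPLE_SYSLOG lines are constructed for this example, using RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added illustration, not HackerPorts.sh's own code: pull SRC= and DPT= out of the kernel
# "Block " LOG lines in /tmp/syslog.log. SAMPLE_SYSLOG is a constructed sample (RFC 5737
# documentation addresses), not a capture from a real router.
SAMPLE_SYSLOG='May  7 18:44:01 kernel: Block IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
May  7 18:44:03 kernel: Block IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=2323 WINDOW=29200 RES=0x00 SYN URGP=0
May  7 18:44:05 kernel: Block IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.77 DST=198.51.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
May  7 18:44:09 kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.9 DST=198.51.100.1 LEN=80 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=60
May  7 18:44:12 kernel: Block IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.200 DST=198.51.100.1 LEN=100 TOS=0x00 PREC=0x00 TTL=44 ID=0 DF PROTO=UDP SPT=40000 DPT=1900 LEN=80'

# Read syslog lines on stdin, keep only the "Block " LOG entries, and print "SRC DPT" pairs.
# Fields are located by their KEY= tag, not by position: DPT= shifts with PROTO, and ICMP
# entries have no DPT= at all, so those are skipped rather than emitted half-filled.
block_src_dpt() {
    awk '/ Block IN=/ {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src != "" && dpt != "") print src, dpt
    }'
}

# Aggregate: blocked NEW connections per source, busiest first; the kind of count a
# ban threshold would be applied to.
hits_per_src() {
    block_src_dpt | awk '{ n[$1]++ } END { for (s in n) print n[s], s }' | sort -rn
}

printf '%s\n' "$SAMPLE_SYSLOG" | block_src_dpt
printf '%s\n' "$SAMPLE_SYSLOG" | hits_per_src
```

On the router the same functions would be fed with `cat /tmp/syslog.log | block_src_dpt`; on the sample, the DROP-prefixed line and the ICMP line are dropped and three SRC/DPT pairs remain.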
 
Forget what I said! It is working ok. I guess it just didn't have anything to save for a couple hours.

Yeah, it could be that there is very little to dynamically ban on your system, but it doesn't mean to say that HackerPorts.sh v2.02 is 100% reliable.
 
Please help ...
Code:
...@RT-AC87U:/tmp/home/root# /jffs/scripts/IPSET_Block.sh
(IPSET_Block.sh): 7596 v3.05 © 2016-2017 Martineau, Dynamic IPSET Blacklist banning request.....
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
        Syslog 'Block =' messages enabled

ipset v6.29: The set with the given name does not exist
ipset v6.29: The set with the given name does not exist

        Summary Blacklist: 0 Successful blocks! ( 0 IPs currently banned - 0 added )
 

What happens if you issue

Code:
./IPSET_Block.sh   init   reset

./IPSET_Block.sh

What model of router? MIPS or ARM and firmware version?
 
Code:
...@RT-AC87U:/tmp/home/root# ./IPSET_Block.sh   init   reset
-sh: ./IPSET_Block.sh: not found
...@RT-AC87U:/tmp/home/root#
...@RT-AC87U:/tmp/home/root# ./IPSET_Block.sh
-sh: ./IPSET_Block.sh: not found
ARM
RT-AC87U with 380.66 beta 4
 

When starting the script manually, to use the ./IPSET_Block.sh syntax you need to be in the /jffs/scripts folder!

Code:
cd /jffs/scripts

./IPSET_Block.sh   init   reset

./IPSET_Block.sh
 
Code:
...@RT-AC87U:/tmp/home/root# cd /jffs/scripts
...@RT-AC87U:/jffs/scripts# ./IPSET_Block.sh   init   reset
(IPSET_Block.sh): 13349 v3.05 © 2016-2017 Martineau, Dynamic IPSET Blacklist banning request.....
iptables: No chain/target/match by that name.
(IPSET_Block.sh): 13349 IPSETs: 'Blacklist/Whitelist' created EMPTY..... [init reset]
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
(IPSET_Block.sh): 13349 Dynamic IPSET Blacklist banning enabled.

        Summary Blacklist: 0 Successful blocks! ( 0 IPs currently banned - 0 added ), Entries auto-expire after 168:00:00 hrs
 

and if you now issue:

Code:
iptables --line -nvL | grep list


./IPSET_Block.sh
 
Code:
...@RT-AC87U:/jffs/scripts# iptables --line -nvL | grep list
4        0     0 Blacklist  all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
8        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Whitelist src
9        1    36 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Blacklist src
13       1    36 Blacklist  all  --  *      *       0.0.0.0/0            0.0.0.0/0
4        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Blacklist src
5        0     0 Blacklist  all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0
7        0     0 Blacklist  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state INVALID
Chain Blacklist (4 references)
1        1    36 SET        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW add-set Blacklist src
...@RT-AC87U:/jffs/scripts#
...@RT-AC87U:/jffs/scripts#
...@RT-AC87U:/jffs/scripts# ./IPSET_Block.sh
 
Code:
...@RT-AC87U:/jffs/scripts# ./IPSET_Block.sh

So there is still no further output from the above command?

If the following command only shows 1 rule
Code:
iptables --line -nvL Blacklist

then please enter
Code:
iptables -A Blacklist -m state --state NEW -j LOG --log-prefix "Block " --log-tcp-sequence --log-tcp-options --log-ip-options

wait 5 mins then issue
Code:
./IPSET_Block.sh
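The check above can be wrapped so that the LOG rule is only appended when the Blacklist chain really lacks it; re-issuing the raw `iptables -A` line on a chain that already has the rule would stack a second LOG rule and double every Syslog message. This is an added example, not IPSET_Block.sh's own code; the function names are assumptions, and the two chain listings are constructed in the format of `iptables --line -nvL Blacklist`.

```shell
#!/bin/sh
# Added illustration, not IPSET_Block.sh's own code: report how many rules the Blacklist
# chain holds and whether the "Block " LOG rule is among them, then append the LOG rule
# only when it is missing. Both SAMPLE_* listings are constructed for this example.
SAMPLE_CHAIN='Chain Blacklist (4 references)
num   pkts bytes target     prot opt in     out     source               destination
1        1    36 SET        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW add-set Blacklist src'

SAMPLE_CHAIN_WITH_LOG='Chain Blacklist (4 references)
num   pkts bytes target     prot opt in     out     source               destination
1        8  2501 SET        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW add-set Blacklist src
2        8  2501 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 7 level 4 prefix "Block "'

# Read a chain listing on stdin; print "RULES LOG", e.g. "1 no" or "2 yes".
# Rule lines are the ones whose first field is the numeric line number.
chain_status() {
    awk '
        $1 ~ /^[0-9]+$/ { rules++ }
        $1 ~ /^[0-9]+$/ && $4 == "LOG" && /prefix "Block "/ { log_rule = 1 }
        END { printf "%d %s\n", rules, (log_rule ? "yes" : "no") }'
}

# Live version for the router (run as root): append the LOG rule only if chain_status
# reports it absent. An empty listing means the chain is missing or empty, i.e. init
# has not been run, so nothing is appended.
ensure_block_log_rule() {
    status=$(iptables --line -nvL Blacklist 2>/dev/null | chain_status)
    case "$status" in
        "0 "*)  echo "Blacklist chain missing or empty; run IPSET_Block.sh init first" >&2; return 1 ;;
        *" no")
            iptables -A Blacklist -m state --state NEW -j LOG --log-prefix "Block " \
                --log-tcp-sequence --log-tcp-options --log-ip-options
            echo "LOG rule added; wait a few minutes, then run ./IPSET_Block.sh" ;;
        *" yes") echo "LOG rule already present" ;;
    esac
}

printf '%s\n' "$SAMPLE_CHAIN" | chain_status
printf '%s\n' "$SAMPLE_CHAIN_WITH_LOG" | chain_status
```

The first sample reproduces the one-rule chain the post describes and reports "1 no"; the second, with the LOG rule appended, reports "2 yes", which is the state to expect after the fix has been applied.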
 
I'll check in the morning. I also have Dropbox sync on my PC.
Seems some IPs got blocked but it's stable now. I don't know why Dropbox was hitting me on 443 anyway! I know it syncs via but they shouldn't be initiating a connection back to me surely?
 
OK, v2.03 includes a hack to accommodate the starting of IPSET_Block.sh from post-mount, but I am still undecided about setting an appropriate NVRAM variable; if I should inadvertently trigger the Yellow Exclamation mark indicating an NVRAM 'shortage' then it may not be worth the grief! :oops:
I used post-mount because my HDD is slow to load, and rather than run the race for firewall-start or services-start before the ipset partition is up, I thought post-mount made sense!
 
@Martineau, really many thanks for your help, Sir! Does it run correctly now?
Code:
ASUSWRT-Merlin RT-AC87U 380.66-beta4-g4cc25ae Fri May  5 03:01:22 UTC 2017
...@RT-AC87U:/tmp/home/root# iptables --line -nvL Blacklist
Chain Blacklist (4 references)
num   pkts bytes target     prot opt in     out     source               destination
1        8  2501 SET        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW add-set Blacklist src
2        8  2501 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 7 level 4 prefix "Block "
...@RT-AC87U:/tmp/home/root# iptables -A Blacklist -m state --state NEW -j LOG --log-prefix "Block " --log-tcp-sequence --log-tcp-options --log-ip-options
...@RT-AC87U:/tmp/home/root# cd /jffs/scripts
...@RT-AC87U:/jffs/scripts# ./IPSET_Block.sh
(IPSET_Block.sh): 28962 v3.05 © 2016-2017 Martineau, Dynamic IPSET Blacklist banning request.....

        Summary Blacklist: 70 Successful blocks! ( 2 IPs currently banned - 6 added since: May 7 18:44 ), Entries auto-expire after 168:00:00 hrs

...@RT-AC87U:/jffs/scripts#
 

It does look as if it is correctly working! :D

If you have not already added '/jffs/scripts/IPSET_Block.sh init' to automatically start when the router reboots, then you will need to add the command to, say, /jffs/scripts/services-start.
 
Thank you for the reply!
The script seems to work if left alone on the cron schedule, but the "Hourly" run of "Save" gives "0 successfully blocked IPs" and at the end it says the "Banned" IPs are all expired!
 

Which version are you running?
 
v2.03 installed and all working, once I remembered to change the dir variable to my path haha. Thought I'd broken it :S
 
These lines are in the: /jffs/scripts/services-start:
Code:
cru a IPSET_SAVE   "0 * * * * /jffs/scripts/IPSET_Block.sh save"    #Every hour
cru a IPSET_BACKUP "0 5 * * * /jffs/scripts/IPSET_Block.sh backup"  #05:00 every day
:)
 