What's new

How to Dynamically Ban Malicious IP's using IPSet (Martineau version)

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

When I ran the "Grep" it produce the number 31303.
It is the 74k that my question is referring about.
<sigh>

What is the value reported by the iptables command output?
 
When I ran the "Grep" it produce the number 31303.
It is the 74k that my question is referring about.
Did you run the other command as per the referenced post?
Code:
iptables --line -nvL INPUT | grep -E "set.*Blacklist|^num"
 
Did you run the other command as per the referenced post?
Code:
iptables --line -nvL INPUT | grep -E "set.*Blacklist|^num"
No! I didn't see it. Thanks Jack as usual.
Output of that is :
admin@RT-AC3100-0000:/jffs/scripts# iptables --line -nvL INPUT | grep -E "set.*Blacklist|^num"
num pkts bytes target prot opt in out source destination
9 37 2143 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set Blacklist src
admin@RT-AC3100-0000:/jffs/scripts#
I'm not sure how to interpret that though.
 
No! I didn't see it. Thanks Jack as usual.
Output of that is :
admin@RT-AC3100-0000:/jffs/scripts# iptables --line -nvL INPUT | grep -E "set.*Blacklist|^num"
num pkts bytes target prot opt in out source destination
9 37 2143 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set Blacklist src
admin@RT-AC3100-0000:/jffs/scripts#
I'm not sure how to interpret that though.
That's only showing 37 packets, hm, try
Code:
iptables --line -nvL FORWARD | grep -E "set.*Blacklist|^num"
 
That's only showing 37 packets, hm, try
Code:
iptables --line -nvL FORWARD | grep -E "set.*Blacklist|^num"
admin@RT-AC3100-0000:/jffs/scripts# iptables --line -nvL FORWARD | grep -E "set.*Blacklist|^num"
num pkts bytes target prot opt in out source destination
56 0 0 XHits all -- eth0 * 0.0.0.0/0 0.0.0.0/0 match-set Blacklist src
admin@RT-AC3100-0000:/jffs/scripts#
 
admin@RT-AC3100-0000:/jffs/scripts# iptables --line -nvL FORWARD | grep -E "set.*Blacklist|^num"
num pkts bytes target prot opt in out source destination
56 0 0 XHits all -- eth0 * 0.0.0.0/0 0.0.0.0/0 match-set Blacklist src
admin@RT-AC3100-0000:/jffs/scripts#
Hm, that's not verifying either. Have you recently rebooted between the 71k figure and now?
 
Hi
Thanks for your scripts !
I can find IPSET_Block v3.05 with HackerPorts v2.03, but apparently they are not the latest versions, i can't find v4.X with V2.06 or more. Can you provide links or update first post ?

Thanks
 
Last edited:
Hi All,

Have the Asus RT-AC87U with Firmware:380.68_4
Script version :
(IPSET_Block.sh): 20974 v3.04 © 2016-2017 Martineau, Dynamic IPSET Blacklist banning request.....

Name: Blacklist
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 604800
Size in memory: 4092
References: 0
Number of entries: 75
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
Syslog 'Block =' messages enabled


Summary Blacklist: 0 Successful blocks! ( 75 IPs currently banned - 0 added since: Oct 8 19:11 ), Entries auto-expire after 168:00:00 hrs

But it's writing nothing to my iptables, when i list them it is showing no banned ip's.

Do i need the new beta version to get it running ?
 
Hi. Please, how can I add 162.x.0.0/16 range to whitelist? Thank you in advance.
Code:
nslookup: can't resolve '162.x.0.0/16'
 
Hi
You can set whitelist when it's already started (with sh /jffs/scripts/IPSET_Block.sh init reset nolog for example) with :
sh /jffs/scripts/IPSET_Block.sh unban 162.x.0.0/16 whitelist (just replace x with your value)
 
Last edited:
./IPSET_Block.sh init
(IPSET_Block.sh): 31870 v3.05 © 2016-2017 Martineau, Dynamic IPSET Blacklist banning request.....
(IPSET_Block.sh): 31870 IPSET restore from '/tmp/mnt/RouterDrive/IPSET/IPSET_Block.config' starting.....
ipset v6.32: The set with the given name does not exist
iptables v1.4.15: Set Blacklist doesn't exist.

Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.15: Set Blacklist doesn't exist.

Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.15: Set Blacklist doesn't exist.

Try `iptables -h' or 'iptables --help' for more information.
(IPSET_Block.sh): 31870 Dynamic IPSET Blacklist banning enabled.
ipset v6.32: The set with the given name does not exist
ipset v6.32: The set with the given name does not exist

Summary Blacklist: 0 Successful blocks! ( 0 IPs currently banned - 0 added )

(HackerPorts.sh): 32021 v2.03 Hacker Port attacks Report.....

***ERROR IPSET Blacklist does not exist! - Please run 'IPSET_Block.sh init'



Please help using v3.05 and v2.03 of HackerPorts. I could not find the latest version after going through everything in threads.
 
Hi,

Please, do you know if HackerPorts works well with Cloudflare?

Thank you!
 
So I suggest you create it as /jffs/scripts/IPSET_Block.sh, and as per the help info documented in the script, you will need to update firewall-start and init-start accordingly.

I followed these steps:
Create the ipset_block.sh.
"chmod +x" the script.
Edit the firewall-start, adding this line:
"sh /jffs/scripts/firewall start hackerports=/jffs/scripts/ipset_block.sh #hackerports" (Underneath the Skynet line)

Edit the init-start, adding this line:
"/jffs/scripts/ipset_block.sh init-start"

Then executed init-start: "sh init-start".


Now, this resulted in the following to appear:
(ipset_block.sh): 23088 v3.05 © 2016-2017 Martineau, Dynamic IPSET Blacklist banning request.....
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
Syslog 'Block =' messages enabled
ipset v6.32: The set with the given name does not exist
ipset v6.32: The set with the given name does not exist
Summary Blacklist: 0 Successful blocks! ( 0 IPs currently banned - 0 added )

I assume I missed something?
I'm running Merlin 384.8_2, with Skynet, Stubby and Deversion. On a RT-AC5300.

Thanks in advance!
 
I followed these steps:
Create the ipset_block.sh.
"chmod +x" the script.
Edit the firewall-start, adding this line:
"sh /jffs/scripts/firewall start hackerports=/jffs/scripts/ipset_block.sh #hackerports" (Underneath the Skynet line)

Edit the init-start, adding this line:
"/jffs/scripts/ipset_block.sh init-start"

Then executed init-start: "sh init-start".


Now, this resulted in the following to appear:


I assume I missed something?
I'm running Merlin 384.8_2, with Skynet, Stubby and Deversion. On a RT-AC5300.

Thanks in advance!
Skynet supercedes a lot of this script - you don't need both.
 
I thought so, but I'm not sure if Skynet starts blocking IP's (be it for a week) when they start making attempts at accessing multiple ports.
 
I thought so, but I'm not sure if Skynet starts blocking IP's (be it for a week) when they start making attempts at accessing multiple ports.
I'm not sure on the ins and outs - I think it used to, but it was discontinued as it caused more problems than it solved. @Adamm would be the one to ask :)
 
Similar threads
Thread starter Title Forum Replies Date
devhell How I can dynamically manage VPN director rules list by CLI Asuswrt-Merlin 0

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top