Malware Filter / bad host IPSET

[swetoast]

Rev 24 is out on Gitlab

• Total Rewrite (tnx redhat27)
• no more storing files beside the link list
• CIDR support and IP Support
• removed xargs for the moment (slower script)

 

[shooter40sw]

Rev 24 is out on Gitlab

• Total Rewrite (tnx redhat27)
• no more storing files beside the link list
• CIDR support and IP Support
• removed xargs for the moment (slower script)

Hi, I got this error on the ssh interface with rev 24

/tmp/mnt/sda1/malware-filter# ./malware-block
Please wait while this script is running, this will take awhile..
ipset v4.5: Out of range cidr `198.20.69.0/241.161.228.232' specified
Try `ipset -H' or 'ipset --help' for more information.

and this output on the syslog

 system: Malware Filter Adding ipset rules to firewall...
Apr  5 09:53:37 kernel: net/ipv4/netfilter/ip_set_iphash.c: iphash_retry: rehashing of set Malware-Update-Filter triggered: hashsize grows from 1024 to 1536
Apr  5 09:53:39 kernel: net/ipv4/netfilter/ip_set_iphash.c: iphash_retry: rehashing of set Malware-Update-Filter triggered: hashsize grows from 1536 to 2304
Apr  5 09:53:40 kernel: net/ipv4/netfilter/ip_set_iphash.c: iphash_retry: rehashing of set Malware-Update-Filter triggered: hashsize grows from 2304 to 3456
Apr  5 09:53:48 kernel: net/ipv4/netfilter/ip_set_iphash.c: iphash_retry: rehashing of set Malware-Update-Filter triggered: hashsize grows from 3456 to 5184
Apr  5 09:53:51 kernel: net/ipv4/netfilter/ip_set_iphash.c: iphash_retry: rehashing of set Malware-Update-Filter triggered: hashsize grows from 5184 to 7776
Apr  5 09:54:04 kernel: net/ipv4/netfilter/ip_set_iphash.c: iphash_retry: rehashing of set Malware-Update-Filter triggered: hashsize grows from 7776 to 11664
Apr  5 09:54:19 kernel: net/ipv4/netfilter/ip_set_iphash.c: iphash_retry: rehashing of set Malware-Update-Filter triggered: hashsize grows from 11664 to 17496
Apr  5 09:54:37 kernel: net/ipv4/netfilter/ip_set_iphash.c: iphash_retry: rehashing of set Malware-Update-Filter triggered: hashsize grows from 17496 to 26244
Apr  5 09:55:13 kernel: net/ipv4/netfilter/ip_set_iphash.c: iphash_retry: rehashing of set Malware-Update-Filter triggered: hashsize grows from 26244 to 39366
Apr  5 09:55:16 kernel: net/ipv4/netfilter/ip_set_nethash.c: nethash_retry: rehashing of set Malware-Range-Update triggered: hashsize grows from 1024 to 1536
Apr  5 09:55:16 kernel: net/ipv4/netfilter/ip_set_nethash.c: nethash_retry: rehashing of set Malware-Range-Update triggered: hashsize grows from 1024 to 2304
Apr  5 09:55:16 kernel: net/ipv4/netfilter/ip_set_nethash.c: nethash_retry: rehashing of set Malware-Range-Update triggered: hashsize grows from 2304 to 3456
Apr  5 09:55:43 kernel: net/ipv4/netfilter/ip_set_iphash.c: iphash_retry: rehashing of set Malware-Update-Filter triggered: hashsize grows from 39366 to 59049
Apr  5 09:56:04 kernel: net/ipv4/netfilter/ip_set_iphash.c: iphash_retry: rehashing of set Malware-Update-Filter triggered: hashsize grows from 59049 to 88573
Apr  5 09:57:28 system: Malware-Filter loaded 25478 unique ip addresses that will be rejected from contacting your router.
Apr  5 09:57:28 system: Malware-Filter loaded 850 unique ip ranges that will be rejected from contacting your router.

also iptables - L - n -v, The last set was the old one, but it created 2 different ones

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           set Malware-Range-Filter src,dst
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           set Malware-Filter src,dst
    5   836 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           set malware-filter src,dst

 

[swetoast]

seems to have written something to the sets, mind printing some of the output of Malware-Range-Filter

ipset -L Malware-Range-Filter

 

[shooter40sw]

seems to have written something to the sets, mind printing some of the output of Malware-Range-Filter

ipset -L Malware-Range-Filter

:/tmp/mnt/sda1/malware-filter# ipset -L Malware-Range-Filter
Name: Malware-Range-Filter
Type: nethash
References: 1
Header: hashsize: 3456 probes: 4 resize: 50
Members:
49.238.64.0/18
197.159.80.0/21
204.187.248.0/22
103.16.76.0/24
206.224.160.0/19
151.212.0.0/16
203.86.252.0/22
167.224.0.0/19
209.97.128.0/18
196.196.0.0/16
188.72.96.0/24
61.11.224.0/19
45.127.36.0/22
204.187.252.0/23
198.177.176.0/22
103.232.172.0/22
192.40.29.0/24
69.169.224.0/20
165.192.0.0/16
192.67.160.0/22
185.148.128.0/22
185.11.140.0/24
153.14.0.0/16
196.240.0.0/15
159.151.0.0/16

 

[swetoast]

well it did block ranges just like it should but the error messages well those are wierd need some time to investigate since i dont have ipset version 4, just ignore em for now since the script performs as intended.

ipset v4.5: Out of range cidr `198.20.69.0/241.161.228.232' specified

this seems to be a malformed string from some list just ignore that one.

btw reboot your router and it will drop the old rules

or better yet @shooter40sw perform this command

rm /jffs/malware-filter.list

remove your list and get a new updated list with new sources

 

[shooter40sw]

Sorry but where are the lists? I cant find them

 

[swetoast]

if you remove the list on your router the malware-filter downloads em automatically again no need to put em there

btw found your issue, kinda remembered that ipset version 4 is chatty so i readded --quiet again will make it not spam the logs.

its updated at gitlab

 

[shooter40sw]

if you remove the list on your router the malware-filter downloads em automatically again no need to put em there

btw found your issue, kinda remembered that ipset version 4 is chatty so i readded --quiet again will make it not spam the logs.

its updated at gitlab

Something did not work, its giving me ipset v4.5: Unknown set error

 

[swetoast]

try again changed again on github

 

[shooter40sw]

Great now its working! Thanks

 

[swetoast]

if you deleted the old list it should block alot more now

 

[Xentrk]

I got this message when running the new version:

Please wait while this script is running, this will take awhile..
ipset v6.29: Syntax error: '241.161.228.232' is invalid as number

 

[swetoast]

lol wtf, yeah that is a valid ip adress dunno what happened there.

btw @Xentrk this version should work on DDWRT

 

[Xentrk]

lol wtf, yeah that is a valid ip adress dunno what happened there.

btw @Xentrk this version should work on DDWRT

thanks, I saw that message and will give it a try. I'll let you know the results.

Let me run it again. I noticed you have new entries in https://gitlab.com/swe_toast/malware-filter/raw/master/malware-filter.list. Maybe the script needs to populate malware-filter.list each time it runs so any updates get auto populated to /jffs/malware-filter.list.

EDIT: Updating the /jffs/malware-filter.list with the entries on GitHub link above fixed the issue

 

[swetoast]

each time would be a bad idea /jffs/ is cold storage since it not good to continually write to that storage

 

[Xentrk]

each time would be a bad idea /jffs/ is cold storage since it not good to continually write to that storage

Perhaps a reminder may be needed for users to update the /jffs/malware-filter.list file on the wiki or forum posting. The updated wiki appears to be missing the instructions on the /jffs/malware-filter.list that used to be there. For first time users, no problems since it will get created automatically. But as we see in my example, I had a prior installation.

Or, tell users to delete any previous verison of /jffs/malware-filter.list?

 

[swetoast]

i have in this thread

Code:
rm /jffs/malware-filter.list

 

[shooter40sw]

if you deleted the old list it should block alot more now

Yes it doubled the count!

Apr  5 11:00:54 system: Malware-Filter loaded 45292 unique ip addresses that will be rejected from contacting your router.
Apr  5 11:00:54 system: Malware-Filter loaded 850 unique ip ranges that will be rejected from contacting your router.

 

[Xentrk]

Looks like I need to stay on older version of malware-filter on DD-WRT. On DD-WRT, iptables-save command is fubar. There are posts about the issue. Even though I installed entware iptables package, it still is broken.

Can't find library for target `TRIGGER'

Apparently the entware iptables package is incomplete per zyxmon:

https://github.com/Entware-ng/Entware-ng/issues/271

This is just another reason why I have moved away from DD-WRT. I had to work some magic to get xt_set working on DD-WRT, which is not included in the DD-WRT builds.

I thank you once again for your contributions.

 

[swetoast]

wonder if there is a way to detect ddwrt cause if its only that command that causes issues then i can make a workaround
if there is anything in motd or something, pretty hard for me to help here but i you find a sure fire way to detect it ill support it