Malware Filter / bad host IPSET

[swetoast]

sure thing

 

[swetoast]

So everyone using this script should update to the latest version and tnx @octopus for the pointers

 

[kanetaker]

So this is my cleanup feel free to go thru it and suggest improvements and please change on the wiki and not just post to this thread.

also added a link for mirai blocklist on the wiki

#!/bin/sh

# Original script by swetoast. Updates by Neurophile & Octopus.

# SET CONFIG
path=/opt/var/cache/malware-filter  #path for malware filter files
# END CONFIG

# SET VARIBLES
regexp=`echo "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"`
# END VARIBLES

#Load ipset modules

ipset -v | grep -i "v4" > /dev/null 2>&1
if [ $? -eq 0 ]; then
     # old ipset
     ipsetv=4
     lsmod | grep "ipt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_nethash ip_set_iphash ipt_set
     do
          insmod $module
     done
else
     # new ipset
     ipsetv=6
     lsmod | grep "xt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
     do
          insmod $module
     done
fi

#Different routers got different iptables syntax
case $(uname -m) in
armv7l)
    MATCH_SET='--match-set'
;;
mips)
    MATCH_SET='--set'
;;
esac

# Get lists
get_list () {
        mkdir -p $path
        wget -q --show-progress -i $path/malware-filter.list -O $path/malware-list.pre
        cat $path/malware-list.pre | grep -oE "$regexp" | sort -u >$path/malware-filter.txt
 }

run_ipset () {

get_list
ipset --destroy malware-filter > /dev/null 2>&1 # destroy the old rules to get new ones.

# Create ip set
if [ "$(ipset --swap malware-filter malware-filter 2>&1 | grep -E 'Unknown set|The set with the given name does not exist')" != "" ]; then
  ipset -N malware-filter iphash
fi

# Apply iptables rule
iptables-save | grep malware-filter > /dev/null 2>&1 || \
  iptables -I FORWARD -m set $MATCH_SET malware-filter src,dst -j DROP
}

run_ipset
exit $?

admin@RT-AC68U-F000:/jffs/scripts# sh -x firewall-start
+ path=/opt/var/cache/malware-filter
+ echo \b([0-9]{1,3}\.){3}[0-9]{1,3}\b
+ regexp=\b([0-9]{1,3}\.){3}[0-9]{1,3}\b
+ ipset -v
+ grep -i v4
+ [ 1 -eq 0 ]
+ ipsetv=6
+ lsmod
+ grep xt_set
+ uname -m
+ MATCH_SET=--match-set
+ run_ipset
+ get_list
+ mkdir -p /opt/var/cache/malware-filter
+ wget -q --show-progress -i /opt/var/cache/malware-filter/malware-filter.list -O /opt/var/cache/malware-filter/malware-list.pre
/opt/var/cache/malw 100%[=====================>] 159.60K 224KB/s in 0.7s
/opt/var/cache/malw [ <=> ] 2.34K --.-KB/s in 0.001s
/opt/var/cache/malw [ <=> ] 10.47K --.-KB/s in 0.04s
/opt/var/cache/malw 100%[=====================>] 17.00K 112KB/s in 0.2s
/opt/var/cache/malw 100%[=====================>] 195.49K 194KB/s in 1.0s
+ cat /opt/var/cache/malware-filter/malware-list.pre
+ grep -oE \b([0-9]{1,3}\.){3}[0-9]{1,3}\b
+ sort -u
+ ipset --destroy malware-filter
+ ipset --swap malware-filter malware-filter
+ grep -E Unknown set|The set with the given name does not exist
+ [ != ]
+ iptables-save
+ grep malware-filter
+ exit 0

 

[swetoast]

ipset --list

post the output of that instead and use the one on the wiki.

 

[kanetaker]

admin@RT-AC68U-F000:/jffs/scripts# ipset --list
Name: malware-filter
Type: hash:ip
Revision: 0
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 8248
References: 1
Members:

 

[swetoast]

and iptables -L should show malware-filter in it

 

[kanetaker]

Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere match-set malware-filter src,dst
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate DNAT
ACCEPT all -- anywhere anywhere

 

[swetoast]

So its working

 

[kanetaker]

thanks!!!! change the script in the tutorial for that people can use it https://github.com/RMerl/asuswrt-merlin/wiki/Using-ipset#malware-filter

 

[swetoast]

not me thats the OP so i cant change anything

 

[kanetaker]

mmm ok, i'm going to probe the script on my wdr4300 with LEDE openwrt with ipset 6.30, if the scripts working fine, i'll tell you something

 

[kanetaker]

Can works both the dnscrypt and this script for secure the connection to malware attacks?

 

[spalife]

The new script is much more streamlined and thanks a lot
for all your efforts.

Only thing missing is the addition to the iptables,
without which we will end up creating an empty malware-filter iphash set.

The Malware Filter section of the wiki needs to include the
addition of the below (which was available in earlier script, missing
after current re-working maybe a cut and paste issue i guess)

####
for IP in $(cat $path/malware-filter.txt)
do
ipset -A malware-filter $IP > /dev/null 2>&1
done
####

Thanks again for a great script....much appreciate

 

[spalife]

I would do a simple test as below after the script finishes execution
such as

Test 1)
ipset -T malware-filter "Insert here any IP from the MALWARE_FILTER.LIST Sites"
example :
prompt> ipset -T malware-filter 107.128.192.44
107.128.192.44 is in set malware-filter.

Test 2)
ping "INSERT HERE MALWARE IP TO CHECK PING failure"

Example
prompt>
ping 107.128.192.44
PING 107.128.192.44 (107.128.192.44): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1

Something which is interesting happening is
when you ping the malware ip's from outside the router
i.e., from your pc/mac etc., the ping fails.

But when you ping the same malware ip from within your router shell
i.e., after login in with ssh, the ping succeeds.

Any thoughts?

 

[Neurophile]

Something which is interesting happening is
when you ping the malware ip's from outside the router
i.e., from your pc/mac etc., the ping fails.

But when you ping the same malware ip from within your router shell
i.e., after login in with ssh, the ping succeeds.

That is because the rule is applied to chain FORWARD. If you want to block traffic originating in the router itself you need to add a rule to chain OUTPUT.

 

[Nutz2U2]

So its working

Hi to All,

Yes finally with the help and wiki update I have following scripts working:-

Malware, Country Block, W10 Snooping, Tor Nodes .....

Thanking to you All for the interest and hard work .

Now IF peerguardian script will work - I will start 2017 on a HIGH and HIGHER note .

 

[Nutz2U2]

Hi to All,

The Peerguardian V3 script still has these errors:-

insmod: can't insert '/lib/modules/2.6.36.4brcmarm/kernel/net/netfilter/ipset/ip_set.ko': File exists
insmod: 'ip_set_iptreemap.ko': module not found
insmod: 'ipt_set.ko': module not found
ipset v6.29: Error in line 1: Syntax error: typename 'iptreemap' is unknown

Log is showing:-
Dec 28 18:25:03: PeerGuardian rules
Dec 28 18:25:03: Loading ipset modules
Dec 28 18:25:03: Create the BluetackLevel1 (primary) if does not exists
Dec 28 18:25:03: Destroy this transient set just in case
Dec 28 18:25:04: Load the latest rule(s)
Dec 28 18:25:06: exiting Peerguarding rules

Does anyone (swetoast, Neurophile, Octopus) maybe plan to have a tinker with these scripts ???

 

[swetoast]

@Nutz2U2 Meeh peerguarian is pretty useless imho but i can take a look at it if its important too ya
@spalife i knew i missed something, nice catch !! shirt happens when you script when you got the flu gonna take a look at it when im feeling better

 

[swetoast]

Feel free to try this

#!/bin/sh
# Original script by swetoast. Updates by Neurophile & Octopus.
path=/opt/var/cache/malware-filter              # Set your path here
regexp=`echo "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"`         # Dont change this value

ipset -v | grep -i "v4" > /dev/null 2>&1

if [ $? -eq 0 ]; then
     ipsetv=4
     lsmod | grep "ipt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_nethash ip_set_iphash ipt_set
     do
          insmod $module
     done
else
     ipsetv=6
     lsmod | grep "xt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
     do
          insmod $module
     done
fi

case $(uname -m) in
armv7l)
    MATCH_SET='--match-set'                 # Value for ARM Routers
;;
mips)
    MATCH_SET='--set'                       # Value for Mips Routers
;;
esac

get_list () {
        mkdir -p $path
        wget -q --show-progress -i $path/malware-filter.list -O $path/malware-list.pre
        cat $path/malware-list.pre | grep -oE "$regexp" | sort -u >$path/malware-filter.txt
 }

run_ipset () {

get_list
ipset --destroy malware-filter > /dev/null 2>&1         # Delete the filter so it doesnt clash with the update

if [ "$(ipset --swap malware-filter malware-filter 2>&1 | grep -E 'Unknown set|The set with the given name does not exist')" != "" ]; then
        ipset -N malware-filter iphash
        while [ $((--i)) -ge 0 ]; do
                ipset --add temp_ipset $(cat $path/malware-filter.txt)
        done
fi

iptables-save | grep malware-filter > /dev/null 2>&1 || \
iptables -I FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
}

run_ipset
exit $?

 

[spalife]

That is because the rule is applied to chain FORWARD. If you want to block traffic originating in the router itself you need to add a rule to chain OUTPUT.

Ah...indeed....thanks for the clarification