Malware Filter / bad host IPSET


So what did it print? Nothing?

Make sure malware-filter is loaded:

iptables -L -v | grep "malware-filter"

If that returns nothing, then malware-filter isn't loaded.
 
I know I get questions from time to time on how to see if this filter is working or not, and I finally took the time to make a simple line that shows it easily for the user.

Code:
iptables -L -v | grep "malware-filter" | awk '{print "Malware Filter Blocked: " $1 " packets", $2 " is the size of the transmission"}'

It will print something like this:

Code:
Malware Filter Blocked: 0 packets 0 is the size of the transmission

One could make an alias for this and have it as an easy command.

Do the stats generated by the command survive between router boots?
 
No, why would it? The firmware resets all temporary settings, including the firewall etc.

Did the command work for you?
 
That is what I thought based on a test I just did. But wanted to confirm.

Perhaps a future version could log the stats to a file and email them out at some interval. Just a thought. Would be kind of cool though.
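The one-liner above and the idea of logging the counters at an interval, worked through as an added example (this is not the thread's one-liner or the malware-filter project's own code). It reads `iptables -L -v -n -x` text (`-n` avoids slow reverse DNS lookups, `-x` prints exact counters instead of "12K"), sums the packet and byte counters of every rule that jumps to the `malware-filter` chain (the same rules the original `grep` picks up, minus the "Chain malware-filter" header line that the grep also matches), and appends a timestamped line to a log file. The iptables text below is constructed to look like real output; the log path and the cron id are assumptions.

```shell
#!/bin/sh
# Added example: check whether the malware-filter chain is referenced and
# record its counters. Not code from the thread or the malware-filter project.

# Constructed sample of `iptables -L -v -n -x` output (not a real capture).
SAMPLE='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      17     1224 malware-filter  all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set malware-filter src

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       5      380 malware-filter  all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set malware-filter dst

Chain malware-filter (2 references)
    pkts      bytes target     prot opt in     out     source               destination
      22     1604 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Exit 0 if at least one rule jumps to malware-filter (column 3 is the target),
# i.e. the filter is loaded. Reads iptables text on stdin.
filter_loaded() {
    awk '$3 == "malware-filter" { found = 1 } END { exit !found }'
}

# Sum packets (column 1) and bytes (column 2) over every rule whose target is
# malware-filter; prints "<packets> <bytes>". Reads iptables text on stdin.
sum_malware_counters() {
    awk '$3 == "malware-filter" { p += $1; b += $2 } END { printf "%d %d\n", p, b }'
}

# Append "<UTC timestamp> packets=<p> bytes=<b>" to the log file given as $1.
# Counters reset on reboot (see the thread), so the log is the only history.
record_stats() {
    logfile=$1
    set -- $(sum_malware_counters)
    printf '%s packets=%s bytes=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" >> "$logfile"
}

if [ "${1:-}" = "--log" ]; then
    # Real run on the router. Assumed log path; schedule it hourly with
    # Asuswrt-Merlin's cru helper, e.g.
    #   cru a malware-stats "0 * * * * /jffs/scripts/malware-stats.sh --log"
    iptables -L -v -n -x | record_stats /jffs/malware-filter-stats.log
else
    # Demo on the constructed sample: prints "22 1604".
    printf '%s\n' "$SAMPLE" | sum_malware_counters
fi
```

Mailing the log out is left to whatever mailer is installed on the router; the script only produces the file. Summing the jump rules rather than the chain's own DROP rule keeps the numbers identical to what the original one-liner reports.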
 
The download times are fast over my VPN connection. Plus, the fiber connection was increased and is now 220 Mbps down/50 Mbps up which helps.
Code:
/tmp/malware-filter-raw.part     100%[============================================================>] 161.80K   195KB/s   in 0.8s
/tmp/malware-filter-raw.part         [ <=>                                                         ]   2.10K  --.-KB/s   in 0s
/tmp/malware-filter-raw.part         [  <=>                                                        ]  11.38K  31.1KB/s   in 0.4s
/tmp/malware-filter-raw.part     100%[============================================================>]  15.21K  54.4KB/s   in 0.3s
/tmp/malware-filter-raw.part     100%[============================================================>]  27.60K   104KB/s   in 0.3s
/tmp/malware-filter-raw.part         [ <=>                                                         ]       0  --.-KB/s   in 0s
/tmp/malware-filter-raw.part     100%[============================================================>]     438  --.-KB/s   in 0s
 
Now that you have all of the ipset scripts posted on GitHub, I also had an idea of a script that checks the version number to see if it changed, and if so, does a wget of the new version and places it in the appropriate file.
 
Thanks for entertaining those ideas. They would really be nice features to have for all of the ipset scripts you wrote.

I do have a question. At the children's home and school I support, I use OpenDNS to filter bad sites by category such as malware. So would the malware-block script catch any malware first or would OpenDNS?
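The version-check idea from this post, worked through as an added example (not code from the thread or from the project's scripts). It assumes the published script carries a `# version: X.Y.Z` header line, compares that against the locally installed copy component by component (so 1.2.10 is correctly newer than 1.2.9, which a plain string compare gets wrong), and only then moves the download into place. The URL and destination path in the usage branch are placeholders.

```shell
#!/bin/sh
# Added example: replace a local script only when the published copy is newer.
# Assumes both carry a "# version: X.Y.Z" header line (assumption, not the
# project's format).

# Print the dotted version from the first "# version: X.Y.Z" line of file $1;
# prints 0 if the file is missing or has no such line.
script_version() {
    v=$(sed -n 's/^# *version: *\([0-9.]*\).*/\1/p' "$1" 2>/dev/null | head -n 1)
    echo "${v:-0}"
}

# Return 0 if version $1 is strictly newer than version $2.
# Compares numerically per component so it works in busybox awk without sort -V.
version_newer() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 1
    }'
}

# Download $1 to a .part file beside $2 and install it only if it is newer.
# Exit: 0 updated, 1 already current, 2 download failed.
update_if_newer() {
    url=$1; dest=$2
    tmp="$dest.part"
    wget -q "$url" -O "$tmp" || { rm -f "$tmp"; return 2; }
    if version_newer "$(script_version "$tmp")" "$(script_version "$dest")"; then
        chmod +x "$tmp" && mv "$tmp" "$dest"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

if [ "${1:-}" = "--update" ]; then
    # usage: update-script.sh --update <URL_OF_PUBLISHED_SCRIPT> <local path>
    # (both arguments are placeholders to be filled in by the user)
    update_if_newer "$2" "$3"
    echo "update status: $?"
fi
```

Downloading to a `.part` file and renaming it afterwards means a failed or interrupted download never leaves a half-written script at the install path.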
 
If you're using OpenDNS, that will filter out malware on a DNS level, while malware-filter works on an IP level.

So think of it like this: malware-filter is a complementary tool for other malware-stopping systems.
 
Does the top script on the page, the Tor node block script, still block IPs like it did before? It used to count up thousands of banned IPs. Does this feature no longer work?
 
I've updated malware-filter.list on GitLab; if you want the new version, just remove the old copy and it will download a new version on its own.
 
I hadn't noticed, I'll get around to that, thanks for reporting. Removed that entry for now from the default list until I work out how to solve that.
 
Code:
get_source () {
    wget -q --tries=$retries --show-progress -i "$blocklist" -O /tmp/malware-filter-raw.part
    # Strip loopback and RFC1918 entries from the raw download. The awk as first
    # posted only discarded its output (&>/dev/null), so the raw file was never
    # filtered; write to a temp file and move it back instead.
    awk '!/(^127\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)/' /tmp/malware-filter-raw.part > /tmp/malware-filter-raw.tmp && mv /tmp/malware-filter-raw.tmp /tmp/malware-filter-raw.part
    # CIDR ranges: one sorted, deduplicated list
    grep -oE "([0-9]{1,3}\.){3}[0-9]{1,3}\/[0-9]{1,2}" /tmp/malware-filter-raw.part | sort -u > /tmp/malware-filter-range-sorted.part
    # Plain IPs: drop the CIDR lines first (the second discarded awk), then extract with $regexp
    awk '!/([0-9]{1,3}\.){3}[0-9]{1,3}\/[0-9]{1,2}/' /tmp/malware-filter-raw.part | grep -oE "$regexp" | sort -u > /tmp/malware-filter-sorted.part
}

Thinking of doing a big sort with this that will catch all, including CIDR, then sort it again on CIDR only, then awk the CIDR entries from the list.

So that there are 2 lists, one pure IP and one CIDR, then do the corresponding stuff with ipset.

What do you think about that, @redhat27?
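The two-list plan above (one pure-IP list, one CIDR list, then "the according stuff with ipset"), carried through as an added example that is not the project's `get_source` and not code from the thread. It cleans a raw blocklist (constructed sample below: comments, private ranges, trailing junk, a duplicate and an IPv6 entry), splits it into CIDR and bare-IP lists, and emits an `ipset restore` script that loads them into a `hash:net` and a `hash:ip` set via temporary sets and `swap`, so the live sets are never empty while a refresh runs. Set names are assumptions.

```shell
#!/bin/sh
# Added example: split a raw blocklist into CIDR and plain-IP lists and build
# an atomic `ipset restore` script for them. Not the malware-filter project's code.

# Constructed sample blocklist (not a real feed).
RAW='# constructed sample blocklist
198.51.100.7
203.0.113.0/24
192.168.1.5          # private, must be dropped
10.0.0.0/8           # private range
203.0.113.9 extra text on the line
198.51.100.7
2001:db8::1          # ipv6, ignored by these v4 patterns
172.16.4.4
192.0.2.128/25'

IP4='([0-9]{1,3}\.){3}[0-9]{1,3}'

# Remove comments, blank lines and loopback/RFC1918 entries. Reads stdin.
clean_raw() {
    sed 's/#.*//' | awk 'NF' |
    grep -vE "^(127\.|10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)"
}

# CIDR entries only, sorted and deduplicated. Reads cleaned text on stdin.
cidr_list() { grep -oE "$IP4/[0-9]{1,2}" | sort -u; }

# Bare IPs only: drop the CIDR lines first so "203.0.113.0/24" does not leak
# in as "203.0.113.0", then extract. Reads cleaned text on stdin.
ip_list() { grep -vE "$IP4/[0-9]{1,2}" | grep -oE "$IP4" | sort -u; }

# Emit an `ipset restore` script: fill .tmp sets, swap them in, drop the .tmp.
# Reads the raw list on stdin. Set names are assumptions.
build_restore() {
    cleaned=$(clean_raw)
    echo "create malware-filter-net hash:net family inet -exist"
    echo "create malware-filter-net.tmp hash:net family inet -exist"
    echo "create malware-filter-ip hash:ip family inet -exist"
    echo "create malware-filter-ip.tmp hash:ip family inet -exist"
    echo "flush malware-filter-net.tmp"
    echo "flush malware-filter-ip.tmp"
    printf '%s\n' "$cleaned" | cidr_list | sed 's/^/add malware-filter-net.tmp /'
    printf '%s\n' "$cleaned" | ip_list   | sed 's/^/add malware-filter-ip.tmp /'
    echo "swap malware-filter-net.tmp malware-filter-net"
    echo "swap malware-filter-ip.tmp malware-filter-ip"
    echo "destroy malware-filter-net.tmp"
    echo "destroy malware-filter-ip.tmp"
}

# Demo: print the restore script for the sample. On a router you would feed a
# real download through it: build_restore < /tmp/malware-filter-raw.part | ipset restore
# and match both sets from iptables, e.g.
#   iptables -I INPUT -m set --match-set malware-filter-net src -j DROP
#   iptables -I INPUT -m set --match-set malware-filter-ip src -j DROP
printf '%s\n' "$RAW" | build_restore
```

A single `hash:net` set would accept bare IPs as /32 entries too, so the split is a choice for keeping the two lists separate, as the post proposes, not a requirement of ipset. Matching sets in `iptables` rather than one rule per address is what keeps the rule count flat however large the feed grows.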
 
So in an effort to provide better support I've made a little debugging tool that helps me help you :)

https://gitlab.com/swe_toast/debugtool/raw/master/debugtool.sh

It checks for dependencies and paths for my scripts, and then lets you review and transmit them so that you can post it to me. The logs look like this:

Code:
Router Model:

ASUSWRT-Merlin RT-AC56U 380.66-alpha2 Mon Mar  6 18:13:45 UTC 2017

Entware requierment for uBlockr
/opt/bin/opkg
wget - 1.18-2
grep - 2.26-1
pixelserv-tls - V35.HZ12.Ki-1
ca-certificates - 20161130
coreutils-stat - 8.23-2

Locating uBlockr Paths
/tmp/mnt/Main/entware/etc/ublockr.cfg
/tmp/mnt/Main/entware/bin/ublockr
/tmp/mnt/Main/entware/var/cache/ublockr
/tmp/mnt/Main/entware/var/cache/ublockr/no.list
/tmp/mnt/Main/entware/var/cache/ublockr/whitelist.filter
/tmp/mnt/Main/entware/var/cache/ublockr/ipv4_hosts
/tmp/mnt/Main/entware/var/cache/ublockr/ip.list

Locating Malware-Filter Paths
/jffs/malware-filter.list
/tmp/mnt/Main/entware/bin/malware-filter

Detecting Ipset version on router
ipset v6.29, protocol version: 6

Locating Malware-Filter Paths
/jffs/privacy-filter.list
/tmp/mnt/Main/entware/bin/privacy-filter

Detecting Ipset version on router
ipset v6.29, protocol version: 6

Then it prints out an address for the log.
Example: https://clbin.com/dMy4P

I'm gonna work on it pretty hard because this helps me see what differences there are in your environment and allows me to improve upon my scripts.
 