What's new

Malware Filter / bad host IPSET

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Rev 24 is out on Gitlab
  • Total Rewrite (tnx redhat27)
  • no more storing files beside the link list
  • CIDR support and IP Support
  • removed xargs for the moment (slower script)
Hi, I got this error on the ssh interface with rev 24

Code:
/tmp/mnt/sda1/malware-filter# ./malware-block
Please wait while this script is running, this will take awhile..
ipset v4.5: Out of range cidr `198.20.69.0/241.161.228.232' specified
Try `ipset -H' or 'ipset --help' for more information.

and this output on the syslog

Code:
 system: Malware Filter Adding ipset rules to firewall...
Apr  5 09:53:37 kernel: net/ipv4/netfilter/ip_set_iphash.c: iphash_retry: rehashing of set Malware-Update-Filter triggered: hashsize grows from 1024 to 1536
Apr  5 09:53:39 kernel: net/ipv4/netfilter/ip_set_iphash.c: iphash_retry: rehashing of set Malware-Update-Filter triggered: hashsize grows from 1536 to 2304
Apr  5 09:53:40 kernel: net/ipv4/netfilter/ip_set_iphash.c: iphash_retry: rehashing of set Malware-Update-Filter triggered: hashsize grows from 2304 to 3456
Apr  5 09:53:48 kernel: net/ipv4/netfilter/ip_set_iphash.c: iphash_retry: rehashing of set Malware-Update-Filter triggered: hashsize grows from 3456 to 5184
Apr  5 09:53:51 kernel: net/ipv4/netfilter/ip_set_iphash.c: iphash_retry: rehashing of set Malware-Update-Filter triggered: hashsize grows from 5184 to 7776
Apr  5 09:54:04 kernel: net/ipv4/netfilter/ip_set_iphash.c: iphash_retry: rehashing of set Malware-Update-Filter triggered: hashsize grows from 7776 to 11664
Apr  5 09:54:19 kernel: net/ipv4/netfilter/ip_set_iphash.c: iphash_retry: rehashing of set Malware-Update-Filter triggered: hashsize grows from 11664 to 17496
Apr  5 09:54:37 kernel: net/ipv4/netfilter/ip_set_iphash.c: iphash_retry: rehashing of set Malware-Update-Filter triggered: hashsize grows from 17496 to 26244
Apr  5 09:55:13 kernel: net/ipv4/netfilter/ip_set_iphash.c: iphash_retry: rehashing of set Malware-Update-Filter triggered: hashsize grows from 26244 to 39366
Apr  5 09:55:16 kernel: net/ipv4/netfilter/ip_set_nethash.c: nethash_retry: rehashing of set Malware-Range-Update triggered: hashsize grows from 1024 to 1536
Apr  5 09:55:16 kernel: net/ipv4/netfilter/ip_set_nethash.c: nethash_retry: rehashing of set Malware-Range-Update triggered: hashsize grows from 1024 to 2304
Apr  5 09:55:16 kernel: net/ipv4/netfilter/ip_set_nethash.c: nethash_retry: rehashing of set Malware-Range-Update triggered: hashsize grows from 2304 to 3456
Apr  5 09:55:43 kernel: net/ipv4/netfilter/ip_set_iphash.c: iphash_retry: rehashing of set Malware-Update-Filter triggered: hashsize grows from 39366 to 59049
Apr  5 09:56:04 kernel: net/ipv4/netfilter/ip_set_iphash.c: iphash_retry: rehashing of set Malware-Update-Filter triggered: hashsize grows from 59049 to 88573
Apr  5 09:57:28 system: Malware-Filter loaded 25478 unique ip addresses that will be rejected from contacting your router.
Apr  5 09:57:28 system: Malware-Filter loaded 850 unique ip ranges that will be rejected from contacting your router.

also iptables - L - n -v, The last set was the old one, but it created 2 different ones

Code:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           set Malware-Range-Filter src,dst
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           set Malware-Filter src,dst
    5   836 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           set malware-filter src,dst
 
seems to have written something to the sets, mind printing some of the output of Malware-Range-Filter
Code:
ipset -L Malware-Range-Filter
 
seems to have written something to the sets, mind printing some of the output of Malware-Range-Filter
Code:
ipset -L Malware-Range-Filter
:/tmp/mnt/sda1/malware-filter# ipset -L Malware-Range-Filter
Name: Malware-Range-Filter
Type: nethash
References: 1
Header: hashsize: 3456 probes: 4 resize: 50
Members:
49.238.64.0/18
197.159.80.0/21
204.187.248.0/22
103.16.76.0/24
206.224.160.0/19
151.212.0.0/16
203.86.252.0/22
167.224.0.0/19
209.97.128.0/18
196.196.0.0/16
188.72.96.0/24
61.11.224.0/19
45.127.36.0/22
204.187.252.0/23
198.177.176.0/22
103.232.172.0/22
192.40.29.0/24
69.169.224.0/20
165.192.0.0/16
192.67.160.0/22
185.148.128.0/22
185.11.140.0/24
153.14.0.0/16
196.240.0.0/15
159.151.0.0/16
 
well it did block ranges just like it should but the error messages well those are wierd need some time to investigate since i dont have ipset version 4, just ignore em for now since the script performs as intended.

Code:
ipset v4.5: Out of range cidr `198.20.69.0/241.161.228.232' specified

this seems to be a malformed string from some list just ignore that one.

btw reboot your router and it will drop the old rules

or better yet @shooter40sw perform this command

Code:
rm /jffs/malware-filter.list

remove your list and get a new updated list with new sources
 
Last edited:
if you remove the list on your router the malware-filter downloads em automatically again no need to put em there

btw found your issue, kinda remembered that ipset version 4 is chatty so i readded --quiet again will make it not spam the logs.

its updated at gitlab
 
if you remove the list on your router the malware-filter downloads em automatically again no need to put em there

btw found your issue, kinda remembered that ipset version 4 is chatty so i readded --quiet again will make it not spam the logs.

its updated at gitlab
Something did not work, its giving me ipset v4.5: Unknown set error
 
I got this message when running the new version:

Code:
Please wait while this script is running, this will take awhile..
ipset v6.29: Syntax error: '241.161.228.232' is invalid as number
 
lol wtf, yeah that is a valid ip adress dunno what happened there.

btw @Xentrk this version should work on DDWRT
thanks, I saw that message and will give it a try. I'll let you know the results.

Let me run it again. I noticed you have new entries in https://gitlab.com/swe_toast/malware-filter/raw/master/malware-filter.list. Maybe the script needs to populate malware-filter.list each time it runs so any updates get auto populated to /jffs/malware-filter.list.

EDIT: Updating the /jffs/malware-filter.list with the entries on GitHub link above fixed the issue
:):D:):D:)
 
Last edited:
each time would be a bad idea /jffs/ is cold storage since it not good to continually write to that storage
 
each time would be a bad idea /jffs/ is cold storage since it not good to continually write to that storage
Perhaps a reminder may be needed for users to update the /jffs/malware-filter.list file on the wiki or forum posting. The updated wiki appears to be missing the instructions on the /jffs/malware-filter.list that used to be there. For first time users, no problems since it will get created automatically. But as we see in my example, I had a prior installation.

Or, tell users to delete any previous verison of /jffs/malware-filter.list?
 
Last edited:
if you deleted the old list it should block alot more now
Yes it doubled the count!

Code:
Apr  5 11:00:54 system: Malware-Filter loaded 45292 unique ip addresses that will be rejected from contacting your router.
Apr  5 11:00:54 system: Malware-Filter loaded 850 unique ip ranges that will be rejected from contacting your router.
 
Looks like I need to stay on older version of malware-filter on DD-WRT. On DD-WRT, iptables-save command is fubar. There are posts about the issue. Even though I installed entware iptables package, it still is broken.
Code:
Can't find library for target `TRIGGER'
Apparently the entware iptables package is incomplete per zyxmon:

https://github.com/Entware-ng/Entware-ng/issues/271

This is just another reason why I have moved away from DD-WRT. I had to work some magic to get xt_set working on DD-WRT, which is not included in the DD-WRT builds.

I thank you once again for your contributions.
 
wonder if there is a way to detect ddwrt cause if its only that command that causes issues then i can make a workaround
if there is anything in motd or something, pretty hard for me to help here but i you find a sure fire way to detect it ill support it
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top