Skynet Skynet - Router Firewall & Security Enhancements

@Adamm,

Would it be a good idea to have an option that uses a timeout on the blocked addresses so the list doesn't grow too big?

I doubt seriously someone would be foolish enough to continually use the same IP address.

IPSet is very lightweight, in tests it can ban hundreds of thousands of IP's without any noticeable performance impact. I let mine go for months before bothering to purge it, I average about 200 new blocked IP's every hour. Been running it for 3-4 years now on this device without any issues. Good to see people still making use of it (and their own versions based on the same idea).
 
Are @Martineau or @Adamm planning on maintaining that script? Because if you are, I could add it to the wiki.

My version is fairly basic and modular via using IF statements so it's hard to break per se. I don't think compatibility-wise anything has needed to be changed majorly in the past few years since IPSet was implemented. If it were to be added to the wiki, though, I'd cut out the CFE and overclocking functions as it was a multipurpose script for personal use when I first made it. I can PM you a slightly edited version if you like.

Edit;

Nevermind, updated the version posted on the previous page, not sure why I kept those parts anyway on the public version.
Hello... would you be so kind as to explain exactly how this needs to be installed? I know how to use PuTTY and log in to my router using SSH/PuTTY, but how do I put this script into my router once I SSH in? And you also say to make all 3 pieces of code into one file? Please explain. Sorry, I am new to scripting.

Thanks.

PS: I've read all of this post and I think you all forget that, for the novice, you're talking way over our heads...
 
If you are concerned about access on specific ports that are NOT open, the built-in FW will already block that. So I am still not very clear as to the benefit, as the script is harvesting IPs that are already being dropped.

In simplest terms, this is a persistent list of known bad IP's who have actively tried to attack in whatever way and were detected this time by the built-in FW. This is just a small line of defence to prevent them from successfully doing this in future. Not to mention it gives the user some very simple and efficient IP banning functionality for anything custom they would like to add/import with almost no overhead.
 
@Adamm Thank you.

Maybe the script can later be changed to also include IPs that were ACCEPTed in the FW but had no legitimate business in being allowed. For example, if a user opens his port 22 for a specific set of people (whitelisted) but wants to block login attempts from others (bots/hackers), those IPs should also go to the blacklist bucket. It would need some other ways to scan the syslog, as the FW log of ACCEPTed packets may be of little help.
 
Sorry for sounding stupid, but how do I check the status of @Adamm's script? If there are commands, what prompt are they entered at? Are the commands run from the normal SSH command prompt? I just want to check the status is all.
 
UPDATED 12/04/2017

Currently this script is only supported for ARM based routers (AC56U/AC68U) as they run a different version of IPTables.

Below you will find a script that automates the process of banning/whitelisting IP's you desire. The main reason for this script was to automatically and permanently ban IP's that show up in the router's syslog under the prefix "DROP *".

In simple terms, what this script does is add a few extra IPTables rules so that rather than just rejecting the request and letting it continue to portscan etc., the malicious IP in question will be forwarded to an IPSet also created by this script. IPSet is a kernel module that can efficiently block hundreds of thousands of IP's without any performance degradation.

INSTALLATION;

Part 1

Part 2

Remember to "chmod +x" files after creating them so they can be executed.

To confirm this has worked, reboot your router and you should see "Firewall: [IP Banning Started] ... ... ..." present at the bottom of your router's syslog.

USAGE;

Usage of this script is fairly straight forward and each function is separated and described in the file provided. Each command can be executed from SSH using the syntax "firewall *commandhere*"

WHITELISTING;

By default, 192.168.1.0/24 & the value of "nvram get lan_ipaddr"/24 will be whitelisted to prevent accidentally locking yourself out of the router's GUI. Please note that if you wish to whitelist other IP's, the script is currently defaulted to only accept blocks of /24 from a specified file location when using the "firewall whitelist" command.

OTHER FUNCTIONS;

Other features of this script include being able to ban the IP ranges of entire countries, which is useful to ban countries with lots of malicious spam IP's. Using the "firewall country" command you can specify specific countries by inputting their two letter abbreviation, and by using the "firewall bancountry" command you will ban the pre-determined countries from personal experience (pk cn in jp ru sa).

I am open to any suggestions for modifying this script as this version is specifically for the community, as there have been lots of requests for this type of functionality. Please note this script will only work on RMerlin based firmwares with JFFS enabled. Hope others can put it to good use :cool:
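As an added illustration of the harvesting idea in the post above (example code written for this page, not Adamm's firewall script), here is a POSIX sh snippet that does the syslog side of the job offline: it pulls the SRC= address out of lines logged with the "DROP" prefix, skips the default whitelisted 192.168.1.0/24, de-duplicates, prints the ipset commands the router would run, and computes the "New IP's Banned" figure from the hourly summary. The syslog lines are constructed, the set name "Blacklist" is the one used later in this thread, and nothing is actually inserted into ipset, so it runs on any machine with sh, grep, sed and sort.

```shell
#!/bin/sh
# Added example, not Adamm's firewall script. The router's firewall logs
# rejected packets with the "DROP" prefix; the script harvests the SRC=
# address of each such line, skips the whitelisted LAN /24, and feeds the
# rest into an ipset called Blacklist. Here the ipset commands are only
# printed, so this runs on any POSIX sh without iptables/ipset present.

# Constructed sample syslog lines (not from a real router). The ACCEPT line
# and the LAN source must be ignored; 203.0.113.7 appears twice and must be
# listed only once.
SAMPLE_LOG='Apr 15 17:59:01 kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=54321 DPT=22
Apr 15 17:59:03 kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=54322 DPT=23
Apr 15 17:59:05 kernel: ACCEPT IN=eth0 OUT= SRC=198.51.100.9 DST=198.51.100.2 PROTO=TCP SPT=44444 DPT=443
Apr 15 17:59:07 kernel: DROP IN=br0 OUT= SRC=192.168.1.50 DST=198.51.100.2 PROTO=UDP SPT=5353 DPT=5353
Apr 15 17:59:09 kernel: DROP IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 PROTO=TCP SPT=1234 DPT=3389'

# dropped_sources: read syslog text on stdin and print each unique SRC=
# address from DROP lines, one per line, sorted. Addresses inside the
# whitelisted 192.168.1.0/24 (the script's default) are left out.
dropped_sources() {
    grep ' DROP ' \
      | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
      | grep -v '^192\.168\.1\.' \
      | sort -u
}

# sample_sources: runs dropped_sources over the constructed sample above.
sample_sources() {
    printf '%s\n' "$SAMPLE_LOG" | dropped_sources
}

# ipset_commands: the commands the real script would execute for each
# harvested source (printed here, not run).
ipset_commands() {
    sample_sources | while read -r ip; do
        printf 'ipset add Blacklist %s\n' "$ip"
    done
}

# count_new: how many harvested sources are not yet in the space-separated
# list of already-banned IPs given as $1. This is the "N New IP's Banned"
# figure of the hourly syslog summary.
count_new() {
    known=" $1 "
    n=0
    for ip in $(sample_sources); do
        case "$known" in
            *" $ip "*) ;;            # already banned, skip
            *) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Stand-alone run: print the commands, then a summary in the log's style,
# pretending 203.0.113.7 was already in the set from an earlier run.
ipset_commands
echo "[Complete] $(sample_sources | wc -l | tr -d ' ') IPs harvested. $(count_new '203.0.113.7') New IP's Banned."
```

On the router the real script inserts the addresses with ipset instead of printing them and lets an iptables rule match the set, which is why the check is cheap regardless of how large the list grows; the log-parsing and whitelist-skipping logic is what carries over from this example.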

I tried the above command at the SSH prompt... firewall whitelist and it fails, says firewall: not found. Can you help me please?

Edit: I tried using the command ipset list Blacklist and it works, gives me a big list of IP's. Is this verification that the script is running?

cd /jffs/scripts
./firewall *command*

You need to be in the current directory for it to execute; if you have Entware installed you can make a symlink from the bin folder so it can be executed from anywhere.

The syslog in the router GUI should also give you hourly updates on how many IP's are banned (and freshly banned).
I don't get the hourly updates in my log, and when I run the command ./firewall it says a file cannot be inserted because it already exists, then displays stats like it's just starting. Any ideas?
 
Please copy the exact output.

EDIT;

That's just lsmod trying to load a kernel module that's already loaded. You can ignore that error, I'll silence it in future.

Running the script by itself won't prompt you for input, you have to specify the command when executing. For example...

Code:
sh /jffs/scripts/firewall save

"unban" # <-- Remove Single IP From Blacklist
"unbanall" # <-- Unbans All IPs In Blacklist
"removeall" # <-- Remove All Entries From Blacklist
"save" # <-- Save Blacklists to /jffs/scripts/ipset.txt
"ban" # <-- Adds Entry To Blacklist
"country" # <-- Adds entire country to blacklist
"bancountry" # <-- Bans specified countries in this file
"banmalware" # <-- Bans various malware domains
"whitelist" # <-- Add IPs from path to Whitelist
"new" # <-- Create new IPSet Blacklist

Also, the hourly update in your log should look like the following (if you set up the "/jffs/scripts/firewall-start" script as shown):

Apr 15 18:00:02 Firewall: [Complete] 22798 IPs currently banned. 50 New IP's Banned. 22797 Banned Overall [2s]
The output is as follows:

@Lil_Kitty:/jffs/scripts# ./firewall
#!/bin/sh
#################################################################################################
## - 12/04/2017 --- RT-AC56U/RT-AC68U Firewall Addition By Adamm v2.9 - #
###################################################################################################################
### ----- Make Sure To Edit The Following Files ----- #
### /jffs/scripts/firewall-start <-- Sets up cronjob/iptables rules #
### /jffs/scripts/firewall <-- Blacklists IP's From /jffs/scripts/ipset.txt #
### /jffs/scripts/ipset.txt <-- Banned IP List/IPSet Rules #
###################################################################################################################
##############################
### Commands ###
##############################
UNBANSINGLE="unban" # <-- Remove Single IP From Blacklist
UNBANALL="unbanall" # <-- Unbans All IPs In Blacklist
REMOVEBANS="removeall" # <-- Remove All Entries From Blacklist
SAVEIPSET="save" # <-- Save Blacklists to /jffs/scripts/ipset.txt
BANSINGLE="ban" # <-- Adds Entry To Blacklist
BANCOUNTRYSINGLE="country" # <-- Adds entire country to blacklist
BANCOUNTRYLIST="bancountry" # <-- Bans specified countries in this file
BANMALWARE="banmalware" # <-- Bans various malware domains
WHITELIST="whitelist" # <-- Add IPs from path to Whitelist
NEWLIST="new" # <-- Create new IPSet Blacklist
##############################
Correct Settings Detected.
Correct Settings Detected
[IP Banning Started] ... ... ...
insmod: can't insert '/lib/modules/2.6.36.4brcmarm/kernel/net/netfilter/xt_set.ko': File exists
[Complete] 4 IPs currently banned. 3 New IP's Banned. 43076 Banned Overall [1s]
@Lil_Kitty:/jffs/scripts#

Any ideas?

Edit: I changed the permissions on the ipset.txt in jffs/scripts to writable and I can do a ./firewall save now successfully.

That output is perfectly normal and the script is running as it should; what are you trying to do specifically?
Trying to figure out why I don't get hourly updates?