Hi,
My name is Nick, and I'm terribly aware it may be a bit worrisome for me to hand out a script and some information as my very first post here, but I read/lurk here a lot, and didn't feel comfortable sticking this on Merlin's github wiki (though he is welcome to take it). Hope this is helpful, and let me know if there are better methods for implementing this on our beautiful ASUS routers.
For the record, this was only tested on an RT-AC68U, but I don't see any reason why this wouldn't work on any Merlin'd Asus router. Cheers!
Using badips.com's blacklists with iptables
Credits: Merlin; badips.com; www.timokorthals.de; anyone who did anything with linux ever.
More info here: http://www.badips.com/
The original script found here: http://www.timokorthals.de/?p=334
Why you would want to do this: To maybe reduce some malicious network traffic to your router and stop questionable IPs from brute-forcing their way into your router.
I modified this script in a couple areas to change the location of the iptables binary and make sure the script runs in the /jffs/scripts folder (not necessarily needed). I also had iptables delete the list after flushing, because otherwise I experienced some nonfatal errors during the script's run. Copy and paste this script into a file named badips.sh
I saved the file as badips.sh and for the purposes of the tutorial, I'm using that as the name of the script above. Enable JFFS if you haven't yet and make sure it's working before you continue. You will need to transfer this to /jffs/scripts somehow (I used scp). I also found it necessary to run these commands and fix something wrong with the hex code in the script after copying it from my computer to the router. Methinks it had something to do with using either notepad++ or the copying text from a browser to notepad++. Anyways, run this:
You should reference this script in one of the startup scripts (I suggest firewall-start) by adding this command to it:
If you're curious, start the command, then run
If you want the script to update iptables daily, run this command:
This will run the script every day at 10am (the time when I will most likely not be at home using the internet).
To make this effectively persistent and work across router reboots:
Create an 'init-start' script or add the line to it (don't forget to shebang init-start with #!/bin/bash)
If it already exists, you can do this by running
type this out:
and save it. chmod then runs and makes the script executable.
The reason you want to run this with init-start is because crontabs resides in memory and is essentially empty whenever the router reboots.
I've tested this over a couple reboots, and my script runs when the router reboots, and every day at 10am.
Running
Hope this helps some of you get a good working and updating firewall and stop random ips from trying to SSH into your router.
My name is Nick, and I'm terribly aware it may be a bit worrisome for me to hand out a script and some information as my very first post here, but I read/lurk here a lot, and didn't feel comfortable sticking this on Merlin's github wiki (though he is welcome to take it). Hope this is helpful, and let me know if there are better methods for implementing this on our beautiful ASUS routers.
For the record, this was only tested on an RT-AC68U, but I don't see any reason why this wouldn't work on any Merlin'd Asus router. Cheers!
Using badips.com's blacklists with iptables
Credits: Merlin; badips.com; www.timokorthals.de; anyone who did anything with linux ever.
More info here: http://www.badips.com/
The original script found here: http://www.timokorthals.de/?p=334
Why you would want to do this: To maybe reduce some malicious network traffic to your router and stop questionable IPs from brute-forcing their way into your router.
I modified this script in a couple areas to change the location of the iptables binary and make sure the script runs in the /jffs/scripts folder (not necessarily needed). I also had iptables delete the list after flushing, because otherwise I experienced some nonfatal errors during the script's run. Copy and paste this script into a file named badips.sh
____
I saved the file as badips.sh and for the purposes of the tutorial, I'm using that as the name of the script above. Enable JFFS if you haven't yet and make sure it's working before you continue. You will need to transfer this to /jffs/scripts somehow (I used scp). I also found it necessary to run these commands and fix something wrong with the hex code in the script after copying it from my computer to the router. Methinks it had something to do with using either notepad++ or the copying text from a browser to notepad++. Anyways, run this:
You should reference this script in one of the startup scripts (I suggest firewall-start) by adding this command to it:
If you're curious, start the command, then run
and watch the CPU usage. My RT-AC68U jumped up to ~20% CPU usage for maybe two minutes while it was adding the iptables. YMMV.
If you want the script to update iptables daily, run this command:
This will run the script every day at 10am (the time when I will most likely not be at home using the internet).
To make this effectively persistent and work across router reboots:
Create an 'init-start' script or add the line to it (don't forget to shebang init-start with #!/bin/bash)
If it already exists, you can do this by running
Otherwise run
type this out:
and save it. chmod then runs and makes the script executable.
The reason you want to run this with init-start is because crontabs resides in memory and is essentially empty whenever the router reboots.
I've tested this over a couple reboots, and my script runs when the router reboots, and every day at 10am.
Running
will give you a list of ips that iptables is dropping packets from. It will be a long list. You can also check in on the system log in the router's UI to get information about packets being dropped
Hope this helps some of you get a good working and updating firewall and stop random ips from trying to SSH into your router.
Last edited:
