What blocking scripts to install?

[Henrik!]

Hi all

I'm new to this firmware so forgive me if I'm asking stupid questions.
I installed the 380.67 Beta3 firmware on my AC68U (Rev. A1) with no problems and all seems to work and good performance.

I would like to install some of the blocking scripts, but do they overlap or should I just install them all ?
Primarily I want to block outside and in (Bots and other probing attacks). Second blocking for ads and malicious sites inside and out.

I have looked at these scripts:

Skynet (Block. from inside or outside or both?)
iblocklist-loader (Block. from inside or outside or both?)
AB_Solution (Ad blocking from inside)
ya-malware-block (Ad blocking from inside)

Maybe I just need Skynet and AB_Solution ?

I have a little problem finding out what actually to use, they all seem very good, but maybe they block the same things ?


Best regards
Henrik

 

[pattiri]

I'm using Skynet, AB-Solution and below QoS script;

https://www.snbforums.com/threads/s...category-unidentified-traffic-priority.36836/

I can advise these three and they are working with no problem on my router. Skynet blocks IP addresses, AB- Solution blocks domain names. So even though they block the same things they will do it with different ways so there is nothing to worry about.

 

[thelonelycoder]

AB-Solution is a pure ad-blocker. If you want that, this is the one.
All other scripts you listed are firewall scripts, mainly to block malicious attempts from the outside.
They all work well with AB, but don't install more than one firewall script.

 

[Adamm]

I have a little problem finding out what actually to use, they all seem very good, but maybe they block the same things ?

AB_Solution (Ad blocking from inside)

AB-Solution does just as the name suggests, blocks ads from hosts files downloaded. It's a different category per say to the other scripts listed and the best (only?) public adblocking script for this firmware by far.

Skynet (Block. from inside or outside or both?)

Skynet blocks both inbound and outbound connections, it adds on to the routers built in firewall functionality (SSH BFD/SPI Firewall Banning), also sourcing from known malware lists, and user defined input (accepts domains/ips/ranges/countries/custom lists etc) with extended stat reporting and a bunch of other features. I'd consider it to be more of an all in one script.

iblocklist-loader (Block. from inside or outside or both?)

As the name suggests, it sources lists from iBlocklist and blocks all inbound connections.

ya-malware-block (Ad blocking from inside)

A minimalist malware IP blocking script which blocks inbound connections.


Most of the malware scripts on this forum source from similar lists, the difference is the implementation and features.

 

[Henrik!]

Thanks for the answers. They clear things up very much.

 

[elorimer]

I use skynet and Ab-Solution. Work fine together.

I would start with Ab-solution first, and see how it goes. You are likely to find that some of the sites regularly visited by your users will be blocked, and it is relatively easy to find out which ones and then whitelist them. It is also fairly easy to find out which ads are not being blocked by inspecting the elements of the page, and then blacklist them. I use the shootersw compilation of sources to block a good midpoint between not aggressive and too aggressive.

Then, add skynet to the mix. I find this to be very aggressive, with lots of innocent IPs blocked. When I hear from someone that they can't reach a regular website, the skynet script is very efficient at figuring out if the domain is on an IP that is blocked. For some reason, for example, the official website of Notre Dame in Paris is blocked. So is my local town blog on Wordpress. But my log is still showing IPs banging on the door, so the first rule is not to allow ssh or telnet or webgui access from WAN.

EDIT: And Grand Central Terminal in NY.

 

[Henrik!]

Am now running with Skynet and AB-Solution
Started with Skynet so had to unblock a "yoyo" site to allow AB-Solution to download a file before it would work.
But works great so far

Thanks for all the comments. Helped a lot.

 

[thelonelycoder]

Am now running with Skynet and AB-Solution
Started with Skynet so had to unblock a "yoyo" site to allow AB-Solution to download a file before it would work.
But works great so far

Thanks for all the comments. Helped a lot.

AB-Solution makes sure to whitelist their download domains if one of the firewall scripts is present.
I would hope that these script writers do the same for AB. Some do but of course this only takes effect once the other script is installed.

 

[Adamm]

AB-Solution makes sure to whitelist their download domains if one of the firewall scripts is present.
I would hope that these script writers do the same for AB. Some do but of course this only takes effect once the other script is installed.

Skynet whitelists the yoyo server that's being refereed to every time the banmalware command is run, if you have a full list of other host files you download I'd be happy to add them too.

 

[thelonelycoder]

Skynet whitelists the yoyo server that's being refereed to every time the banmalware command is run, if you have a full list of other host files you download I'd be happy to add them too.

At the moment, this is a temp file generated during the update of the blocking file and removed once it's done the job.
But I could write it to a persistent path location, to be renewed once a week. Somewhere accessible for all scripts would be good so all can use it.
/jffs/shared-AB-whitelist
or something? One domain per line.

 

[Adamm]

At the moment, this is a temp file generated during the update of the blocking file and removed once it's done the job.
But I could write it to a persistent path location, to be renewed once a week. Somewhere accessible for all scripts would be good so all can use it.
/jffs/shared-AB-whitelist
or something? One domain per line.

That would be perfect, will add the changes on my end for whenever you push it.

 

[thelonelycoder]

That would be perfect, will add the changes on my end for whenever you push it.

That will be with the release of AB-Solution 3.8.2 which is still in beta testing. So it will be a little while.

So it's set then, I'll place and update weekly /jffs/shared-AB-whitelist for all other script writers to include as a whitelist.
Please do not add or append to this file, make your own in the same format for me to use if you have a whitelist (domains only, one per line).
Then let me know so I can include it in my script.

This file could be included as such:

if [ -f "/jffs/shared-*-whitelist" ] ; then
....
fi

(code not tested, should work tough with the wildcard)

 

[Henrik!]

Skynet whitelists the yoyo server that's being refereed to every time the banmalware command is run, if you have a full list of other host files you download I'd be happy to add them too.

Yeah, I can see in your code that you whitelist 213.230.210.230, if ab-solution.sh is present. However I had setup Skynet first, and then ab-solution.sh was not present.
So when I tried to install ab-solution the ip was still blocked, and had to unban it manually.

So it's a matter of what is installed first.

 

[Adamm]

That will be with the release of AB-Solution 3.8.2 which is still in beta testing. So it will be a little while.

No worries, I've pushed the new code for whenever your update comes out of beta. Will remove the legacy code when it does.

Domain_Lookup () {
        nslookup "$1" | grep -woE '([0-9]{1,3}\.){3}[0-9]{1,3}' | awk 'NR>2'
}


        if [ -f "/jffs/shared-AB-whitelist" ]; then
            while IFS= read -r domain; do
                for ip in $(Domain_Lookup "$domain"); do
                    ipset -q -A Whitelist "$ip"
                    ipset -q -D Blacklist "$ip"
                done
            done </jffs/shared-AB-whitelist
        fi

 

[thelonelycoder]

Pinging @redhat27, @Martineau to read above for whitelisting domains.
Thanks.

 

[Henrik!]

Have you thought about when people install the different scripts in different order ?
I have not looked at the other scripts code, but in Adamm's post he only whitelist if the shared-AB_whitelist is present.
But if people install Ab-Solution AFTER Skynet then the ip's will still be blocked.

 

[thelonelycoder]

Have you thought about when people install the different scripts in different order ?
I have not looked at the other scripts code, but in Adamm's post he only whitelist if the shared-AB_whitelist is present.
But if people install Ab-Solution AFTER Skynet then the ip's will still be blocked.

It's a cat and mouse game. It will sort itself out once both are installed and both had their scheduled update.
AB runs it's update once per week, others dayly or even more.
I see no problem with that, since you can run all the scripts manually.
In AB this is the u option that will do this once 3.8.2 is out.

 

[thelonelycoder]

No worries, I've pushed the new code for whenever your update comes out of beta. Will remove the legacy code when it does.

One afterthought, please only read uncommented lines, this way I can add an explanatory header to the file.

 

[Adamm]

One afterthought, please only read uncommented lines, this way I can add an explanatory header to the file.

Done.

        if [ -f "/jffs/shared-AB-whitelist" ]; then
            grep -vF "#" /jffs/shared-AB-whitelist | while IFS= read -r domain; do
                for ip in $(Domain_Lookup "$domain"); do
                    ipset -q -A Whitelist "$ip"
                    ipset -q -D Blacklist "$ip"
                done
            done
        fi

 

[elorimer]

Adamm, while you are at it, in would be nice to have a link in root, the way ab-s does. So when I putty in I can do "sh firewall etc,etc" instead of sh /jffs/scripts/firewall etc etc.

I've added it myself.