Yet another malware block script using ipset (v4 and v6)

[NeoDragon]

@skeal Just looked at your signature. Not sure where you got that "Country Block by sobored04" I think the idea orinally was implemented by @ryzhov_al back in March 22 2013. It has since been passed around by a few scripters and yours truly was the last maintainer of it.

Just an FYI

Works like a charm now.

/jffs/scripts/ya-malware-block.sh
/jffs/scripts/ya-malware-block.sh: Adding ya-malware-block rules to firewall...
>>> Downloading and aggregating malware sources (also processing whitelists)... ~3s
>>> Adding data and processing rule for YAMalwareBlock1IP... ~6s
>>> Adding data and processing rule for YAMalwareBlock2IP... ~1s
>>> Adding data and processing rule for YAMalwareBlockCIDR... ~1s
>>> Cleaning up... ~0s
/jffs/scripts/ya-malware-block.sh: Loaded sets YAMalwareBlock1IP (65536) YAMalwareBlock2IP (2345) and YAMalwareBlockCIDR (8898) in 11 seconds

 

[drg]

Hi,

There is a way to manually ban an IP if is not in FireHOL database ?

Thanks!

 

[skeal]

Hi,

There is a way to manually ban an IP if is not in FireHOL database ?

Thanks!

Yes there are white and Blacklist files in the install directory. Earlier posts in this thread deal with that specific issue.

 

[drg]

Yes there are white and Blacklist files in the install directory. Earlier posts in this thread deal with that specific issue.

In ipset_lists directory you mean ? I can only see the "ya-malware-block.urls" and "ya-malware-block.whites" files.
Can I put individual IPs in ".urls" file ?

Thanks

 

[skeal]

In ipset_lists directory you mean ? I can only see the "ya-malware-block.urls" and "ya-malware-block.whites" files.
Can I put individual IPs in ".urls" file ?

Thanks

First make sure you have the latest script version 2.2 then run the script and it should create the files you are looking for. From there look at the format the list uses. I'm not totally sure but I think it is ip based. So no urls.

 

[drg]

First make sure you have the latest script version 2.2 then run the script and it should create the files you are looking for. From there look at the format the list uses. I'm not totally sure but I think it is ip based. So no urls.

Already did that , it worked flawless, compiled in 15s on my AC66U. on the "ipset_lists" dir there are the 2 files - one with the URLs from where to pull the IP list and the other one where I suppose to add my whitelisted custom IPs. I was asking about another file or something, where to add my custom blacklist IPs.

Also, as a newcomer - Thank you @redhat27, and every one actually, for these very well made scripts. I am not into scripting and it helped me very much to achieve what I wanted when I first bought the Router.

 

[skeal]

Already did that , it worked flawless, compiled in 15s on my AC66U. on the "ipset_lists" dir there are the 2 files - one with the URLs from where to pull the IP list and the other one where I suppose to add my whitelisted custom IPs. I was asking about another file or something, where to add my custom blacklist IPs.

Also, as a newcomer - Thank you @redhat27, and every one actually, for these very well made scripts. I am not into scripting and it helped me very much to achieve what I wanted when I first bought the Router.

You should have three files in that directory "ipset_lists" one is ya-malware-block.url_list also ya-malware-block.urls as well you should have ya-malware-block.whites. you should likely use the ya-malware-block.urls.

 

[drg]

You should have three files in that directory "ipset_lists" one is ya-malware-block.url_list also ya-malware-block.urls as well you should have ya-malware-block.whites. you should likely use the ya-malware-block.urls.

This one "ya-malware-block.url_list"... I don't have it :|
Are you sure you can manually ban an IP apart from those downloaded from FireHOL?
There is no reference in the .sh script about a 3rd file where you can add IPs yourself

 

[skeal]

This one "ya-malware-block.url_list"... I don't have it :|
Are you sure you can manually ban an IP apart from those downloaded from FireHOL?
There is no reference in the .sh script about a 3rd file where you can add IPs yourself

It would seem that you may be right. In that individual ip blocking may not be included in this script. Maybe try using one of the ipset blocking scripts they allow what you are asking for.

 

[redhat27]

There is a way to manually ban an IP if is not in FireHOL database

The way to do it now would be to have the manual blacklists on a file hosted on the net. Then reference that files' url in the ya-malware-block.urls file.

I can easily implement a /jffs/ipset_lists/ya-malwareblock.blacks in the next version (not there yet, but coming shortly) where you can add your own discrete IPs or CIDR ranges that will be included in the blocking

This one "ya-malware-block.url_list"... I don't have it :|

@drg and @skeal See post #178. The ya-malware-block.url_list was a file used in the older versions. It is now used as the ya-malware-block.urls file. Please delete the .url_list file if you have it.

It would seem that you may be right. In that individual ip blocking may not be included in this script.

Watch for it in the next version coming soon

 

[drg]

The way to do it now would be to have the manual blacklists on a file hosted on the net. Then reference that files' url in the ya-malware-block.urls file.

I can easily implement a /jffs/ipset_lists/ya-malwareblock.blacks in the next version (not there yet, but coming shortly) where you can add your own discrete IPs or CIDR ranges that will be included in the blocking


@drg and @skeal See post #178. The ya-malware-block.url_list was a file used in the older versions. It is now used as the ya-malware-block.urls file. Please delete the .url_list file if you have it.


Watch for it in the next version coming soon

Sounds great... really looking forward to see the next version.

In the meantime I have already discovered another script - from where I've taken the custom blacklist part, modified to block the IPs in PREROUTING and enabled it as another separate script.
Of course is better to have one script for everything, hope it helps to develop it easier

# Block traffic from custom block list [IPv4 only]
if [ -e $IPSET_LISTS_DIR/custom-block.lst ]; then
  if $(ipset $SWAP CustomBlock CustomBlock 2>&1 | grep -q "$SETNOTFOUND"); then
    ipset $CREATE CustomBlock $IPHASH
    [ $? -eq 0 ] && entryCount=0
    for IP in $(cat $IPSET_LISTS_DIR/custom-block.lst); do
      ipset $ADD CustomBlock $IP
      [ $? -eq 0 ] && entryCount=$((entryCount+1))
    done
    logger -t Firewall "$0: Added CustomBlock list ($entryCount entries)"
  fi
  iptables-save | grep -q CustomBlock || iptables -t raw -I PREROUTING -m set $MATCH_SET CustomBlock src -j DROP
fi

 

[skeal]

Way over my pay grade man! Sorry I can't help.

 

[redhat27]

I have already discovered another script

Yes, this is one of the other scripts that I maintain. You can also check out the iblocklist-loader. That has several options, and also blocks on PREROUTING.

 

[drg]

Yes, this is one of the other scripts that I maintain. You can also check out the iblocklist-loader. That has several options, and also blocks on PREROUTING.

I saw that one too on the forum, but I didn't wanted to have to many filter scripts scrambling my router , and it was too complicated for me to understand and keep track of... I was already confused at first with all the possibilities I had to secure the firewall... took me all day to get used to it all.

Also, I found some other code, on different topic, that I am using now to copy the syslog at the end of the day, on a USB flash. I then use grep by "IN=ppp0" in order to find missing malicious IPs and manually add them.
For this I enabled "log packets = accepted".

#!/bin/sh
SOURCE=/tmp/syslog.log    # original source of the syslog
SYSLOG=/tmp/mnt/kingston/Syslog/syslog.log
NOW=$(date +"%Y%m%d-%H%M%S")   # current date and time

# copy last day syslog at 23:59 via cron
cp $SOURCE $SYSLOG-$NOW
rm $SOURCE

Hope this idea will help others too

 

[drg]

Way over my pay grade man! Sorry I can't help.

It's ok, no problem, thank you for your support

 

[redhat27]

Version 2.3 is up:

Changelog:

• Now supports addition of custom blacklists
• It is an optional file (script runs just fine without the custom blacklist)
• You can add discrete IPs and/or CIDR ranges in the custom blacklist
• The custom blacklist supports line comments, but not inline comments. Sample here. Data in that sample file are just test data demonstrating usage/syntax. Please don't use that file as is!

I will update post #1 with these details soon

 

[redhat27]

Also, I found some other code, on different topic, that I am using now to copy the syslog at the end of the day, on a USB flash. I then use grep by "IN=ppp0" in order to find missing malicious IPs and manually add them.

I do something similar. I have several open ports that I need to keep open. Just be careful you do not blacklist yourself.

 

[drg]

I do something similar. I have several open ports that I need to keep open. Just be careful you do not block yourself.

I have a Synology NAS with port forwarding, so I got a lot of port attempts on them.

I know, you are right... I am taking the IP and check it online to see is not from my Service Provider, or any IP I am using when I am not at home... I have to test my vigilance longer though... it's my first day having this. Already updated your filtering script and it worked very well... Really really appreciate

 

[redhat27]

FYI all using this script: I've updated post #1 with the details of the latest changes.

 

[Badlandz]

Version 2.3 is up:

Changelog:

• Now supports addition of custom blacklists
• It is an optional file (script runs just fine without the custom blacklist)
• You can add discrete IPs and/or CIDR ranges in the custom blacklist
• The custom blacklist supports line comments, but not inline comments. Sample here. Data in that sample file are just test data demonstrating usage/syntax. Please don't use that file as is!

I will update post #1 with these details soon

Not seeing the blacklist file @ /jffs/ipset_lists/ya-malware-block.blacks

You mention this is optional. Do we add this file manually?

Nice script btw.