Yet another malware block script using ipset (v4 and v6)

New version updated and working awesome. Great work on this script bud!!
 
I used the editor in Mobaxterm command line, but running dos2unix did not fix it.
Hi @Csection, I recommend checking the boxes for ASCII mode on the Advanced Sftp settings screen, as well as compression and UTF-8. I've never had an issue with DOS characters.

 
New version updated and working awesome. Great work on this script bud!!
OK wait maybe I have a problem. Since updating my script to the latest version I seem to have a problem with IPSET_Block.sh save it hasn't successfully blocked anything since. Should I reboot or.....? Any ideas to help me thanks!
EDIT: Sorry for my stupid question. I rebooted and everything is fine.
 
Since updating my script to the latest version I seem to have a problem with IPSET_Block.sh
Not sure what that other script does, but I can assure you nothing changed in this script that could have an impact. Only change is the inclusion of the manual (optional) blacklist.
 
I run both IPSET_Block and Ya-Malware together and don't have a problem. Try using the "Init reset" (check thread for correct syntax) option on IPSET.
 
I have not used IPSET_Block. All I can say is nothing changed in this script that should cause a behavior change that was not there before. You can look at the commit diff in github.
 
I have some general questions.
How often do the block lists change?
Would it suffice to run this script once a day or do changes occur fairly often?
 
You can check out the update frequency of each of the lists in the FireHOL site (links in post #1)
On the main page, the site says "average update frequency: 36 minutes"

Of course, you can choose to update the data as often as you choose. The whole point in having a minimalist script is to do the task of updating as quickly with the least load on the router's CPU as possible.
I think updating it at the suggested example of every 6 hours should be an acceptable solution. I do it every 6 hours myself.
 
Ok, thanks!
I don't read everything as I should (bad eyes).
 
I think this is blocking https://apple.com/UK but none of the IPs I checked are found in the lists. Anyone able to help?
For me, apple.com resolves to

17.178.96.59
17.142.160.59
17.172.224.47

I noticed that these IPs are not there in the YAMalware* ipsets. But I can access the https://apple.com/UK just fine.
Are you not able to ping those IPs or do a
Code:
curl -kL https://apple.com/UK
on your router?

I have all 4 FireHOL Levels enabled, and I can access the site.
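A way to check offline whether the addresses a host resolves to fall inside a FireHOL-style netset, as an added example that is not from the thread or the script itself. The netset content is constructed for illustration; only the three apple.com IPs come from the post above. It also flags which list entry would cause the block, which `ipset test` alone does not tell you.

```python
import ipaddress

# Constructed sample in FireHOL .netset format (NOT a real list): comment
# lines start with '#', entries are single IPs or CIDR prefixes.
SAMPLE_NETSET = """\
# firehol_level1-style sample, constructed for this example
0.0.0.0/8
10.0.0.0/8
192.0.2.0/24
198.51.100.77
"""

# Addresses apple.com resolved to in the post above.
APPLE_IPS = ["17.178.96.59", "17.142.160.59", "17.172.224.47"]


def parse_netset(text):
    """Parse a FireHOL-style netset/ipset file into ip_network objects."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def matching_entries(ip, nets):
    """Return the list entries (as strings) that contain ip, if any."""
    addr = ipaddress.ip_address(ip)
    return [str(n) for n in nets if addr.version == n.version and addr in n]


def check_hosts(ips, netset_text):
    """Map each IP to the entries that would block it (empty list = not listed)."""
    nets = parse_netset(netset_text)
    return {ip: matching_entries(ip, nets) for ip in ips}


if __name__ == "__main__":
    # 192.0.2.5 is a constructed address that does fall inside the sample list.
    for ip, hits in check_hosts(APPLE_IPS + ["192.0.2.5"], SAMPLE_NETSET).items():
        print(ip, "BLOCKED by" if hits else "not in list", hits)
```

Feed it the downloaded .netset files and the IPs of every host the page loads (the CDN hosts too, not just the main site) to find which entry is responsible.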
 
I don't read everything as I should (bad eyes).
No problem! Gave me a chance to mention the update frequency from the firehol site and the suggested run frequency on your router :)
It may benefit others.
In this thread, there is never a dumb question. If it is confusing to you, it may be confusing to others as well.
 
Router can retrieve page fine, so I'm a bit stumped as to why clients cannot access it
 
Nope. Fired up the dev console and it's the CDN images.apple.com timing out and failing to serve the JS and CSS resources.
 
That version worked on Shibby Tomato Firmware 1.28.0000 MIPSR2-140 K26AC USB AIO-64K

Thank you!

It seems the included curl does not support https, which seems odd in this day but probably has a good reason:
root@unknown:/tmp/home/root# curl --version
curl 7.53.1 (mipsel-unknown-linux-gnu) libcurl/7.53.1 zlib/1.2.11
Protocols: file ftp http imap pop3 rtsp smtp tftp
Features: IPv6 Largefile libz UnixSockets

rearden


Try this variant and let me know please (on tomato firmware):

Code:
wget -O /jffs/scripts/ya-malware-block.sh https://raw.githubusercontent.com/shounak-de/misc-scripts/master/ya-malware-block-tomato.sh
 
