Yet another malware block script using ipset (v4 and v6)

[thelonelycoder]

Sorry. It may require a reboot for the items in profile.add to take affect. You can try running it on the command line by being in the /jffs/configs directory, then typing ./profile.add

But it should be a shell only script per the wiki
https://github.com/RMerl/asuswrt-merlin/wiki/Custom-config-files. Double check it is executable as well.

Mine does not have the #!/bin/sh on the first line like I do with other scripts.

Scripts in the /jffs/configs/ folder don't need to be set as executable nor do they need a shebang (just to make this clear).
They just add to the config files and are not scripts that run commands.
This is different for the /jffs/scripts/ folder where you place scripts that run either their own code or add/replace by way of shell commands.
Don't confuse users.

 

[johnathonm]

e

Sorry. It may require a reboot for the items in profile.add to take affect. You can try running it on the command line by being in the /jffs/configs directory, then typing ./profile.add

But it should be a shell only script per the wiki
https://github.com/RMerl/asuswrt-merlin/wiki/Custom-config-files. Double check it is executable as well.

Mine does not have the #!/bin/sh on the first line like I do with other scripts.

Sweet... that worked for changing the cache-size. Can I give you a hug now?

 

[Xentrk]

Scripts in the /jffs/configs/ folder don't need to be set as executable nor do they need a shebang (just to make this clear).
They just add to the config files and are not scripts that run commands.
This is different for the /jffs/scripts/ folder where you place scripts that run either their own code or add/replace by way of shell commands.
Don't confuse users.

Thanks for clarifying. It was many moons ago I had last touched this file or did anything with it.

I reread the wiki (made more sense with the second pass) and see including an example of profile.add would be helpful. I wiill see what I can do to motivate myself to make it happen.

 

[skeal]

@redhat27 Can you tell me simply if you can exempt a single ip address on your network from ya-malware-block protection? Sort of like dmz.

 

[redhat27]

@redhat27 Can you tell me simply if you can exempt a single ip address on your network from ya-malware-block protection? Sort of like dmz.

I don't know of a straightforward way. Have you actually tried putting that IP in DMZ? Others can chime in if they know.
I would question why you'd want to do this... Is it one particular device getting blocked all too often? It's easy to whitelist...

 

[skeal]

I don't know of a straightforward way. Have you actually tried putting that IP in DMZ? Others can chime in if they know.
I would question why you'd want to do this... Is it one particular device getting blocked all too often? It's easy to whitelist...

Thanks! I have a Linux media box I would like to get more use of. Seems a lot of my stream sources may be blocked I was hoping to test. However when I connect the box to my cell phone hot spot boom everything works like it should.....do you follow me?

I'm willing to accept the fact that I'm better off with the protection I'm just trying to figure this out.

 

[redhat27]

Thanks! I have a Linux media box I would like to get more use of. Seems a lot of my stream sources may be blocked I was hoping to test. However when I connect the box to my cell phone hot spot boom everything works like it should.....do you follow me?

I'm willing to accept the fact that I'm better off with the protection I'm just trying to figure this out.

This is what I use to whitelist... I ping the blocked source (lets say xyz.com/whatever is blocked) I'll ping xyz.com and get the IP (there will be no responses as its blocked, just knowing the IP is good enough to unblock). Just append that IP to /jffs/ipset_lists/ya-malware-block.whites and re-run the ya-malware-block.sh script. It should be unblocked immediately after that.

 

[skeal]

This is what I use to whitelist... I ping the blocked source (lets say xyz.com/whatever is blocked) I'll ping xyz.com and get the IP (there will be no responses as its blocked, just knowing the IP is good enough to unblock). Just append that IP to /jffs/ipset_lists/ya-malware-block.whites and re-run the ya-malware-block.sh script. It should be unblocked immediately after that.

Speaking about the router where is a good place to find or what is a good way to check for connections made and refused by the router? Sys log shows nothing but would dropped packet logging or inbound packet dropping shed some light on the needed info to unblock??

 

[redhat27]

You can enable firewall logging of DROPped packets. In addition you need to change the ya-malware-block.sh script in two places (search for the text DROP and replace it with logdrop). Reboot to take effect. Be aware that it will add volume to the syslog where each packet dropped will be logged.

 

[skeal]

You can enable firewall logging of DROPped packets. In addition you need to change the ya-malware-block.sh script in two places (search for the text DROP and replace it with logdrop). Reboot to take effect. Be aware that it will add volume to the syslog where each packet dropped will be logged.

Thank you exactly what I need I can engage to track and then disable thank you again!!!!

 

[Xentrk]

Thank you exactly what I need I can engage to track and then disable thank you again!!!!

The MatchIP utility has been very helpful for me in trying to figure out what ipset list is blocking certain sites. Write up on this wiki:

https://github.com/RMerl/asuswrt-me...t-installation-instructions#iblocklist-loader

 

[skeal]

The MatchIP utility has been very helpful for me in trying to figure out what ipset list is blocking certain sites. Write up on this wiki:

https://github.com/RMerl/asuswrt-me...t-installation-instructions#iblocklist-loader

I'll have to white list this address i'm blocked........lol

 

[Xentrk]

I'll have to white list this address i'm blocked........lol

Yep, I had to do the same thing last night. I tried to access GitHub.com and got a blank page. I used MatchIP to find out where it was blocked. I recently expanded ya-malware-filter to include the fourth list. That is what did it.

 

[Builder71]

Installed.
Much appreciated!

Jul 26 21:32:44 Firewall: ya-malware-block.sh: Loaded sets YAMalwareBlock1IP (65535) YAMalwareBlock2IP (36671) and YAMalwareBlockCIDR (6156) in 36 seconds

 

[skeal]

The MatchIP utility has been very helpful for me in trying to figure out what ipset list is blocking certain sites. Write up on this wiki:

https://github.com/RMerl/asuswrt-me...t-installation-instructions#iblocklist-loader

Thanks for the tip! This little script is excellent just what a guy running these blocking scripts needs!! Works just like you say!
Do we know who wrote this?

 

[Jack Yaz]

Thanks for the tip! This little script is excellent just what a guy running these blocking scripts needs!! Works just like you say!
Do we know who wrote this?

Pretty sure it was @redhat27

 

[skeal]

Pretty sure it was @redhat27

Thanks I want to give credit to his work on my signature! Thanks again my learned colleagues!!

 

[redhat27]

Pretty sure it was @redhat27

And thank you for that nice write-up! @VZ3 just posted a way to make it better (no entware needed)

 

[Jack Yaz]

And thank you for that nice write-up! @VZ3 just posted a way to make it better (no entware needed)

Oh yeah I forgot I put on wiki lol. I'll update it with @VZ3's improvement, unless it's already done by time i get to it later!

 

[VZ3]

After using this script for a bit longer than a day - I feel lonely...

No more scrip-kiddies from all over the world trying to brute-force me . Before it was like 10 - 30 different IP's.

Looks like quality of block lists by FireHOL is really good. So far I have no false positives (using default levels 1, 2 and 3). And thanks to redhat27 for bringing this goodness to us.

From my point of view this way of blocking pesky IPs is better and more flexible than geofencing entire countries.

Peace and tranquility! .