Yet another malware block script using ipset (v4 and v6)


Added a version on the top.
Hi, I am new to creating and using scripts but would like the opportunity to use your malware script.

Is it possible for you to lead me in the right direction on where or how I could use your script from a newbie's point of view? For example you mentioned /jffs/scripts/init-start, but I don't know how to even create that with the commands. I basically just know how to use SSH to enter Merlin's WRT command line.

David
 
Also does the below need to be updated to account for your new script? (found on wiki). I don't know what changes would be needed. At a guess YAMalwareBlockCIDR and YAMalwareBlockIP need adding to the MicrosoftSpyServers line?

Code:
# Reinstate the ipset rules if they have been created already
[ "$(uname -m)" = "mips" ] && MATCH_SET='--set' || MATCH_SET='--match-set'
for ipSet in $(ipset -L | sed -n '/^Name:/s/^.* //p'); do
  case $ipSet in
    AcceptList) iptables-save | grep -q "$ipSet" || iptables -I INPUT -m set $MATCH_SET $ipSet src -j ACCEPT;;
    TorNodes|BlockedCountries|CustomBlock) iptables-save | grep -q "$ipSet" || iptables -I INPUT -m set $MATCH_SET $ipSet src -j DROP;;
    MicrosoftSpyServers) iptables-save | grep -q "$ipSet" || iptables -I FORWARD -m set $MATCH_SET $ipSet dst -j DROP;;
    *) iptables-save | grep -q "$ipSet" || iptables -I FORWARD -m set $MATCH_SET $ipSet src,dst -j DROP;;
  esac
done
 
How does one make this run on boot? firewall-start?
You'd typically want to run this periodically. The reason being some or most of the malicious IP lists are very dynamic and change frequently. An example of the opposite is country IP lists, which are generally static in nature. If however you'd want to run it just once at boot, you can call the script from services-start.

Also does the below need to be updated to account for your new script?
That is also something I wrote in the wiki :) back on March 13th, but yes, if you want to tailor the block rules. Otherwise, it would use the default:
Code:
*) iptables-save | grep -q "$ipSet" || iptables -I FORWARD -m set $MATCH_SET $ipSet src,dst -j DROP;;
which would also work for this case.
 
Hi, I am new to creating and using scripts but would like the opportunity to use your malware script.

Is it possible for you to lead me in the right direction on where or how I could use your script from a newbie's point of view? For example you mentioned /jffs/scripts/init-start, but I don't know how to even create that with the commands. I basically just know how to use SSH to enter Merlin's WRT command line.

David
Have you prepared the /jffs for use with scripts from the UI?
If yes, just create a file /jffs/scripts/init-start with these lines:
Code:
#!/bin/sh
cru a UpdateYAMalwareBlock   "0       */6     *       *       *  /jffs/scripts/ya-malware-block.sh"
Then follow the script installation commands in the OP.
Remember to make all your scripts executable with:
chmod +x, for example chmod +x /jffs/scripts/*
then reboot your router. You should be set :)
 
I'd like it to kick in on router boot, then cru will handle updates every 6 hours.
I have this line in /jffs/scripts/firewall-start
Code:
sh /jffs/scripts/ya-malware-block.sh
But you can place it in post-mount or services-start if you prefer that.
Be sure to have the shebang at top and set it executable.
 
Here's my firewall-start now
Code:
#!/bin/sh

# Load malware blocks
sh /jffs/scripts/ya-malware-block.sh

# Load ipset malicious IP blocking
sh /jffs/scripts/IPSET_Block.sh init

# Load ipset filter rules
sh /jffs/scripts/create-ipset-lists.sh

# Reinstate the ipset rules if they have been created already
[ "$(uname -m)" = "mips" ] && MATCH_SET='--set' || MATCH_SET='--match-set'
for ipSet in $(ipset -L | sed -n '/^Name:/s/^.* //p'); do
  case $ipSet in
    AcceptList) iptables-save | grep -q "$ipSet" || iptables -I INPUT -m set $MATCH_SET $ipSet src -j ACCEPT;;
    TorNodes|BlockedCountries|CustomBlock) iptables-save | grep -q "$ipSet" || iptables -I INPUT -m set $MATCH_SET $ipSet src -j DROP;;
    MicrosoftSpyServers) iptables-save | grep -q "$ipSet" || iptables -I FORWARD -m set $MATCH_SET $ipSet dst -j DROP;;
    *) iptables-save | grep -q "$ipSet" || iptables -I FORWARD -m set $MATCH_SET $ipSet src,dst -j DROP;;
  esac
done
 
I'd personally move this:
Code:
# Load malware blocks
sh /jffs/scripts/ya-malware-block.sh

# Load ipset malicious IP blocking
sh /jffs/scripts/IPSET_Block.sh init

# Load ipset filter rules
sh /jffs/scripts/create-ipset-lists.s
to services-start

The reason being that firewall-start is event driven, and can be called multiple times by the router.
 
Oh, I just used firewall-start as the wiki said to! What advantage would services-start give?
 
I'll release an update of the relevant AB-Solution addon file to auto-whitelist the domains used by this script as soon as time permits.
 
Oh, I just used firewall-start as the wiki said to! What advantage would services-start give?
Just added the reason in the edit. :)
services-start ensures that the scripts are called just once at boot time.

Edit: I'll update the wiki to mention services-start
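As an added dry-run example (not the thread's own code) of why the `iptables-save | grep -q` guard in the reinstatement loop matters when firewall-start can fire more than once: the loop is rewritten to take the `ipset -L` and `iptables-save` text as arguments and only print the iptables commands still missing, so a second call adds nothing. The set names, rule dump and `armv7l` architecture string are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread: an offline, dry-run form of the
# "reinstate the ipset rules" loop. It prints the iptables commands that are
# still missing instead of running them, which makes the idempotency check
# visible: calling it again after the rules exist prints nothing.

# Pick the ipset match option: the MIPS build uses --set, others --match-set.
match_set_flag() {
  [ "$1" = "mips" ] && echo '--set' || echo '--match-set'
}

# Map a set name to its iptables rule, mirroring the thread's case statement.
rule_for_set() {   # $1 = set name, $2 = match flag
  case "$1" in
    AcceptList) echo "iptables -I INPUT -m set $2 $1 src -j ACCEPT" ;;
    TorNodes|BlockedCountries|CustomBlock)
      echo "iptables -I INPUT -m set $2 $1 src -j DROP" ;;
    MicrosoftSpyServers) echo "iptables -I FORWARD -m set $2 $1 dst -j DROP" ;;
    *) echo "iptables -I FORWARD -m set $2 $1 src,dst -j DROP" ;;
  esac
}

# Print the command for every set named in $1 (text of `ipset -L`) that does
# not already appear in $2 (text of `iptables-save`). $3 is `uname -m`.
# Note: like the thread's loop this is a substring match on the set name.
missing_rules() {
  flag=$(match_set_flag "$3")
  printf '%s\n' "$1" | sed -n '/^Name:/s/^.* //p' | while read -r ipSet; do
    printf '%s\n' "$2" | grep -q -- "$ipSet" || rule_for_set "$ipSet" "$flag"
  done
}

# Constructed sample data: two sets exist, only AcceptList already has a rule.
SAMPLE_IPSET='Name: YAMalwareBlockCIDR
Type: hash:net
Name: AcceptList
Type: hash:ip'
SAMPLE_SAVE='*filter
-A INPUT -m set --match-set AcceptList src -j ACCEPT
COMMIT'

missing_rules "$SAMPLE_IPSET" "$SAMPLE_SAVE" armv7l
```

Running it prints only the FORWARD rule for YAMalwareBlockCIDR; once that rule is present in the dump, the same call prints nothing, which is the property a repeatedly fired firewall-start relies on.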
 
I'll release an update of the relevant AB-Solution addon file to auto-whitelist the domains used by this script as soon as time permits.
Thank you, but right now it's able to fetch all of them just fine. I am using the shooter40sw blocking list with AB. Not sure if using a bigger hosts list will block them or not.
 
Thank you, but right now it's able to fetch all of them just fine. I am using the shooter40sw blocking list with AB. Not sure if using a bigger hosts list will block them or not.
Some legitimate domains are occasionally added to the StephenBlack hosts file, that's why.
Can't have users complain in my threads that AB is hostile towards other scripts...
 
BTW, this hurts my eyes:
cru a UpdateYAMalwareBlock "0 */6 * * * /jffs/scripts/ya-malware

One space is all it needs to separate the timing:
cru a UpdateYAMalwareBlock "0 */6 * * * /jffs/scripts/ya-malware-block.sh"
 
this hurts my eyes
:D
This is what I have:
Code:
admin@RT-AC66R-D700:/jffs/scripts# cru l
0       4       15      */3     *  /sbin/reboot #ScheduledReboot#
0       */3     *       *       *  /usr/sbin/ntpclient -s -h pool.ntp.org #SyncTime#
0       0       *       *       *  /jffs/scripts/rotate-sys-dns-web-logs.sh #RotateStandardLogs#
29,59   *       *       *       *  /jffs/scripts/update-custom-blocklist.sh #UpdateCustomBlockList#
0       */6     *       *       *  /jffs/scripts/ya-malware-block.sh #UpdateYAMalwareBlock#
*       *       *       *       *  /jffs/scripts/check-syslog.sh #CheckSyslogSize#
00 2 * * Wed /tmp/mnt/NAS/adblocking/addon/update-hosts.add cronjob #UpdateHosts#
20 5 * * * /tmp/mnt/NAS/adblocking/addon/rotate-logs.add #RotateLogs#
30 1 * * Wed /tmp/mnt/NAS/adblocking/scripts/weekly-log-stats.sh #WeeklyStats#
I have the spaces lined up to read better ;)

Edit: But I agree, the spaces are just what I had copy-pasted from my init-start. Multiple spaces are not at all necessary. I just use them to align mine with other entries.
 
Hi, I am new to creating and using scripts but would like the opportunity to use your malware script.

Is it possible for you to lead me in the right direction on where or how I could use your script from a newbie's point of view? For example you mentioned /jffs/scripts/init-start, but I don't know how to even create that with the commands. I basically just know how to use SSH to enter Merlin's WRT command line.

David
Most people use client software installed on their laptop or PC to access the Linux command line, or have a GUI interface to it. PuTTY, WinSCP and MobaXterm are a few. Some of these tools have editors built into them. You can google to find out more.

The vi and nano editors come with the Merlin FW. You can use these editors from the command line.

This will help you with enabling the JFFS partition:
https://github.com/RMerl/asuswrt-merlin/wiki/Custom-config-files
In summary, go to the section in Administration -> System called "Persistent JFFS2 partition".
Choose Yes for this option: "Format JFFS partition at next boot"
Choose Yes for this option: "Enable JFFS custom scripts and configs"

Now, reboot. See the next post to enable SSH access.
 
The same screen as above, set up as follows. You can now SSH into the router using one of the GUI client tools I listed previously.

 