What's new

Yet another malware block script using ipset (v4 and v6)

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Added a version on the top.
Hi, I am new to creating and using scipts but would like the opurtunitty to use your malware script.

Is it possible for you to lead me in the right dirrection on where or how I could use your script from a newbies point of view? For example you mentioned /jffs/scripts/init-start, but I don't know how to even create that with the commands. I basically just know how to use SSH to enter Merlins WRT command line.

David
 
Also does the below need to be updated to account for your new script? (found on wiki). I don't know what changes would be needed. At a guess YAMalwareBlockCIDR and YAMalwareBlockIP need adding to the MicrosoftSpyServers line?

Code:
# Reinstate the ipset rules if they have been created already
[ "$(uname -m)" = "mips" ] && MATCH_SET='--set' || MATCH_SET='--match-set'
for ipSet in $(ipset -L | sed -n '/^Name:/s/^.* //p'); do
  case $ipSet in
    AcceptList) iptables-save | grep -q "$ipSet" || iptables -I INPUT -m set $MATCH_SET $ipSet src -j ACCEPT;;
    TorNodes|BlockedCountries|CustomBlock) iptables-save | grep -q "$ipSet" || iptables -I INPUT -m set $MATCH_SET $ipSet src -j DROP;;
    MicrosoftSpyServers) iptables-save | grep -q "$ipSet" || iptables -I FORWARD -m set $MATCH_SET $ipSet dst -j DROP;;
    *) iptables-save | grep -q "$ipSet" || iptables -I FORWARD -m set $MATCH_SET $ipSet src,dst -j DROP;;
  esac
done
 
How does one make this run on boot? firewall-start?
You'd typically want to run this periodically. The reason being some or most of the malicious IP list is very dynamic and change frequently. An example of the opposite is country ip lists, that are generally static in nature. If however, you'd want to run it just once at boot, you can call the script from services-start

Also does the below need to be updated to account for your new script?
That is also something I wrote in the wiki :) back on march 13th, but yes, if you want to tailor the block rules. Otherwise, it would use the default:
Code:
*) iptables-save | grep -q "$ipSet" || iptables -I FORWARD -m set $MATCH_SET $ipSet src,dst -j DROP;;
which would also work for this case.
 
Hi, I am new to creating and using scipts but would like the opurtunitty to use your malware script.

Is it possible for you to lead me in the right dirrection on where or how I could use your script from a newbies point of view? For example you mentioned /jffs/scripts/init-start, but I don't know how to even create that with the commands. I basically just know how to use SSH to enter Merlins WRT command line.

David
Have you prepared the /jffs for use with scripts from the UI?
If yes, just create a file /jffs/scripts/init-start with these lines:
Code:
#!/bin/sh
cru a UpdateYAMalwareBlock   "0       */6     *       *       *  /jffs/scripts/ya-malware-block.sh"
Then follow the script installation commands on the OP
Remember to make all your scripts executable with:
chmod +x, for example chmod +x /jffs/scripts/*
then reboot your router. You should be set :)
 
I'd like it to kick in on router boot then cru will handle updates every 6 hours
I have this line in /jffs/scripts/firewall-start
Code:
sh /jffs/scripts/ya-malware-block.sh
But you can place it in post-mount or services-start if you prefer that.
Be sure to have the shebang at top and set it executable.
 
Here's my firewall-start now
Code:
#!/bin/sh

# Load malware blocks
sh /jffs/scripts/ya-malware-block.sh

# Load ipset malicious IP blocking
sh /jffs/scripts/IPSET_Block.sh init

# Load ipset filter rules
sh /jffs/scripts/create-ipset-lists.sh

# Reinstate the ipset rules if they have been created already
[ "$(uname -m)" = "mips" ] && MATCH_SET='--set' || MATCH_SET='--match-set'
for ipSet in $(ipset -L | sed -n '/^Name:/s/^.* //p'); do
  case $ipSet in
    AcceptList) iptables-save | grep -q "$ipSet" || iptables -I INPUT -m set $MATCH_SET $ipSet src -j ACCEPT;;
    TorNodes|BlockedCountries|CustomBlock) iptables-save | grep -q "$ipSet" || iptables -I INPUT -m set $MATCH_SET $ipSet src -j DROP;;
    MicrosoftSpyServers) iptables-save | grep -q "$ipSet" || iptables -I FORWARD -m set $MATCH_SET $ipSet dst -j DROP;;
    *) iptables-save | grep -q "$ipSet" || iptables -I FORWARD -m set $MATCH_SET $ipSet src,dst -j DROP;;
  esac
done
 
I'd personally move this:
Code:
# Load malware blocks
sh /jffs/scripts/ya-malware-block.sh

# Load ipset malicious IP blocking
sh /jffs/scripts/IPSET_Block.sh init

# Load ipset filter rules
sh /jffs/scripts/create-ipset-lists.s
to services-start

The reason being that firewall-start is event driven, and can be called multiple times by the router.
 
Oh, I just used firewall-start as the wiki said to! What advantage would services-start give?
 
I'll release an update of the relevant AB-Solution addon file to auto-whitelist the domains used by this script as soon as time permits.
 
Oh, I just used firewall-start as the wiki said to! What advantage would services-start give?
Just added the reason in the edit. :)
services-start ensures that the scripts are called just once at boot time.

Edit: I'll update the wiki to mention services-start
 
I'll release an update of the relevant AB-Solution addon file to auto-whitelist the domains used by this script as soon as time permits.
Thank you, but right now its able to fetch all of them just fine. I am using shooter40sw blocking list with AB. Not sure if using a bigger hosts list will block them or not.
 
Thank you, but right now its able to fetch all of them just fine. I am using shooter40sw blocking list with AB. Not sure if using a bigger hosts list will block them or not.
Some legitimate domains are occasionally added to StephenBlack hosts file, that's why.
Can't have users complain in my threads that AB is hostile towards other scripts...
 
BTW, this hurts my eyes:
cru a UpdateYAMalwareBlock "0 */6 * * * /jffs/scripts/ya-malware

One space is all it needs to separate the timing:
cru a UpdateYAMalwareBlock "0 */6 * * * /jffs/scripts/ya-malware-block.sh"
 
this hurts my eyes
:D
This is what I have:
Code:
admin@RT-AC66R-D700:/jffs/scripts# cru l
0       4       15      */3     *  /sbin/reboot #ScheduledReboot#
0       */3     *       *       *  /usr/sbin/ntpclient -s -h pool.ntp.org #SyncTime#
0       0       *       *       *  /jffs/scripts/rotate-sys-dns-web-logs.sh #RotateStandardLogs#
29,59   *       *       *       *  /jffs/scripts/update-custom-blocklist.sh #UpdateCustomBlockList#
0       */6     *       *       *  /jffs/scripts/ya-malware-block.sh #UpdateYAMalwareBlock#
*       *       *       *       *  /jffs/scripts/check-syslog.sh #CheckSyslogSize#
00 2 * * Wed /tmp/mnt/NAS/adblocking/addon/update-hosts.add cronjob #UpdateHosts#
20 5 * * * /tmp/mnt/NAS/adblocking/addon/rotate-logs.add #RotateLogs#
30 1 * * Wed /tmp/mnt/NAS/adblocking/scripts/weekly-log-stats.sh #WeeklyStats#
I have the spaces lined up to read better ;)

Edit: But I agree the spaces is just what I had copy pasted from my init-start. Multiple spaces are not at all necessary. I just use it to align mine with other entries.
 
Last edited:
Hi, I am new to creating and using scipts but would like the opurtunitty to use your malware script.

Is it possible for you to lead me in the right dirrection on where or how I could use your script from a newbies point of view? For example you mentioned /jffs/scripts/init-start, but I don't know how to even create that with the commands. I basically just know how to use SSH to enter Merlins WRT command line.

David
Most people use a client software installed on their Laptop or PC to access the Linux command line or have a gui interface to it. Putty, WinSCP and MobaXterm are a few. Some of these tools have editors built into it. You can google to find out more.

vi editor and nano editor come with Merlin FW. You can use these editors from the command lines.

This will help you with enabling jffs partition
https://github.com/RMerl/asuswrt-merlin/wiki/Custom-config-files
In summary, go to the section in Administration -> System called Persistent JFFS2 partition
Choose Yes for this option: Format JFFS partition at next boot Yes No
Choose Yes for this option:Enable JFFS custom scripts and configs Yes No

Now, reboot. See next post to enable SSH access
 
The same screen as above, set up as follows. You can now ssh into the router using one of the gui client tools I listed previously.

upload_2017-5-6_12-28-53.png
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Staff online

Top