Yet another malware block script using ipset (v4 and v6)


Running the script unmodified.

iptables-save | grep -q YAMalwareBlockCIDR && echo "found"
Can't find library for match `webstr'
found

iptables -t raw -I PREROUTING -m set --set YAMalwareBlockCIDR src -j DROP
--set option deprecated, please use --match-set
 
Thank you, that explains quite a bit. The --set option has been deprecated in iptables 1.4.x.
Since ipset 4.x is on older hardware, I had assumed that iptables would stay 1.3.x.

For now, the error is harmless, and if you do not like seeing the 'webstr' library error, you can safely use the tomato version of the script. See post #1 for the link. I'll update the script to deal with the deprecated option when using iptables 1.4.x with ipset 4.x when I get some time.

Please let me know if this interim solution works for you.
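An added example (my own code, not redhat27's ya-malware-block.sh) of how a script can pick the right `-m set` option for whichever iptables is installed, reusing the `iptables-save` presence check and the PREROUTING DROP rule shown earlier in the thread. It assumes `iptables --version` prints a string of the form `iptables v1.4.21`; the function names are mine.

```sh
#!/bin/sh
# Added example, not part of ya-malware-block.sh. Picks "--set" (iptables 1.3.x)
# or "--match-set" (iptables 1.4.x and later) from the iptables version string,
# then installs the PREROUTING DROP rule from the thread only if it is not
# already present. Assumes "iptables --version" prints e.g. "iptables v1.4.21".

ipset_match_opt() {   # $1 = version string, e.g. "iptables v1.4.21"
    _ver=$(printf '%s\n' "$1" | sed -n 's/^iptables v\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    if [ -z "$_ver" ]; then
        echo "--match-set"          # unrecognised output: assume a current iptables
        return 0
    fi
    _major=${_ver%% *}
    _minor=${_ver##* }
    if [ "$_major" -gt 1 ] || { [ "$_major" -eq 1 ] && [ "$_minor" -ge 4 ]; }; then
        echo "--match-set"
    else
        echo "--set"                # only iptables 1.3.x still needs the old spelling
    fi
}

ensure_ipset_drop_rule() {   # $1 = ipset name, e.g. YAMalwareBlockCIDR
    # Same presence check the thread uses, so re-running stays idempotent.
    if iptables-save 2>/dev/null | grep -q -- " $1 src"; then
        return 0
    fi
    _opt=$(ipset_match_opt "$(iptables --version 2>/dev/null)")
    iptables -t raw -I PREROUTING -m set "$_opt" "$1" src -j DROP
}

# Usage on the router (needs root): ensure_ipset_drop_rule YAMalwareBlockCIDR
```

Keeping the version parse in its own function means it can be tested with canned strings without touching the live firewall.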
 
Thank you very much!
You are such a nice person.
I will stay and wait till you update the script, then I will ask you how to add telemetry blocking :)
 
Sorry for the noobish question, but how do I find out if traffic to a certain address is being blocked by this script?

Also, don't know if this was reported or not, but if there is a newline at the end of the .whites file the script does not load all of the lists.

Example:
Code:
>>> Downloading and aggregating malware sources (also processing whitelists)...[0/0/0] ~12s
>>> Adding data and processing rule for YAMalwareBlock1IP... ~1s
>>> Adding data and processing rule for YAMalwareBlockCIDR... ~0s
>>> Cleaning up... ~0s
/jffs/scripts/ya-malware-block.sh: Loaded sets YAMalwareBlock1IP (1) and YAMalwareBlockCIDR (1) in 13 seconds
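An added example, not code from ya-malware-block.sh or from the poster, of a list-file reader that does not trip over the trailing blank line reported above. It reads a `.whites`/`.blacks` style file one entry per line and also tolerates `#` comments, Windows line endings and a last line without a newline; the function names are mine.

```sh
#!/bin/sh
# Added example, not code from ya-malware-block.sh. Reads a .whites/.blacks
# style list one entry per line while tolerating the cases that trip up naive
# readers: a blank (trailing) line like the one reported above, '#' comments,
# CR line endings, and a last line with no newline at all.

read_list_entries() {   # $1 = list file; prints one cleaned entry per line
    # "|| [ -n "$line" ]" keeps the final line when the file lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                  # strip comments
        line=$(printf '%s' "$line" | tr -d ' \t\r')       # strip blanks and CR
        if [ -n "$line" ]; then
            printf '%s\n' "$line"                         # empty lines are skipped
        fi
    done < "$1"
    return 0
}

count_list_entries() {  # $1 = list file; prints the number of usable entries
    read_list_entries "$1" | awk 'END { print NR }'
}

# Usage: count_list_entries /jffs/scripts/ya-malware-block.whites
```

The `read ... || [ -n "$line" ]` idiom is what makes the reader indifferent to whether the file ends with zero, one or several newlines.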
 
> Sorry for the noobish question, but how do I find out if traffic to a certain address is being blocked by this script?
You can try to see if the IP of the TLD of your test address is in the YAMalwareBlock* ipsets by using a shell function such as this one. To get the IP you can do an nslookup or ping the domain.
If you get no response on ping, it's blocked by the iptables rule on the ipset (if it's in one of the YAMalwareBlock* ipsets).

If you do get a ping response, it's not being blocked by YAMalwareBlock. If you get a local address, you may be using DNS poisoning (for example for adblock), which is a different way of "blocking", and is not related to this script.
 
> I will stay and wait till you update the script, then I will ask you how to add telemetry blocking :)
Did the tomato version work without issues?
Microsoft Telemetry is already blocked. The first URL in the ya-malware-block.urls file uses a static list of telemetry and some scanner IPs.
 
Hi,
I am using ya-malware-block.blacks to block certain IPs - working OK. Is there a way to block domains by name, i.e. *.UBLOCK.ME using the blacklist, or should I use something like DNSMASQ to do it?
Thanks in Advance !!!
 
> Hi,
> I am using ya-malware-block.blacks to block certain IPs - working OK. Is there a way to block domains by name, i.e. *.UBLOCK.ME using the blacklist, or should I use something like DNSMASQ to do it?
> Thanks in Advance !!!
For in or outgoing connections?
Dnsmasq only works for outgoing DNS requests. You could add it to it with a custom config file.
 
@mrfrank9 Yes, adding to what @thelonelycoder said, if you are worried about inbound connections from the domain, you should use this script (firewall).

If you are trying to block outbound connections to a particular domain for your whole LAN, you may use DNS poisoning. These are very different ways of "blocking": When you request the IP for the domain you want to block, DNS poisoning will allow you to specify a different (safe) IP instead of the domain's IP. However, if you have an alternate way to resolve the IP (you know the IP or look it up some other way), then you'll still be able to connect to it. If you use iptables as this script does, then even if you know the IP, you'll be able to deny a connection (outbound or inbound).

If you do want to add all the IPs a domain resolves to to the blacklist file for this script, you can use hostip or nslookup to look up IPs for the domain and add those IPs to the ya-malware-block.blacks file.
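An added example, written by me and not redhat27's code, that serves two questions in this thread: checking whether the addresses a host resolves to sit in the YAMalwareBlock* ipsets (the "is it being blocked" question earlier), and feeding every IPv4 a domain resolves to into ya-malware-block.blacks as described just above. The set names are from the thread; the blacks file path under /jffs/scripts, the ipset 4.x `-T` test syntax, the BusyBox-style nslookup output and all function names are my assumptions.

```sh
#!/bin/sh
# Added example, not redhat27's code. Ties together the two questions above:
# (1) is traffic to a host dropped by the YAMalwareBlock* ipsets, and
# (2) how to feed every IPv4 a domain resolves to into ya-malware-block.blacks.
# Set names come from the thread; the blacks path is assumed to sit beside the
# script under /jffs/scripts. nslookup output is assumed to follow the BusyBox
# layout (resolver block, blank line, then "Name:"/"Address:" answer lines).

BLACKS_FILE="${BLACKS_FILE:-/jffs/scripts/ya-malware-block.blacks}"
BLOCK_SETS="YAMalwareBlock1IP YAMalwareBlockCIDR"

# Pull IPv4 answers out of nslookup output on stdin. Everything up to the first
# blank line describes the resolver itself, so it is skipped. Handles both
# "Address: 1.2.3.4" and the older "Address 1: 1.2.3.4" spelling.
extract_ipv4() {
    awk 'BEGIN { skip = 1 }
         /^$/  { skip = 0; next }
         !skip && /^Address/ {
             for (i = 2; i <= NF; i++)
                 if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print $i
         }' | sort -u
}

resolve_ipv4() {        # $1 = domain
    nslookup "$1" 2>/dev/null | extract_ipv4
}

ipset_has() {           # $1 = set name, $2 = IP; exit 0 when the set contains it
    if ipset -v 2>/dev/null | grep -q 'v4\.'; then
        ipset -T "$1" "$2" >/dev/null 2>&1     # ipset 4.x test syntax (assumed)
    else
        ipset test "$1" "$2" >/dev/null 2>&1   # ipset 6.x syntax
    fi
}

# Report, for each IPv4 of a domain, which block set (if any) matches it.
check_domain() {        # $1 = domain
    for _ip in $(resolve_ipv4 "$1"); do
        _hit=none
        for _set in $BLOCK_SETS; do
            ipset_has "$_set" "$_ip" && _hit=$_set
        done
        echo "$1 $_ip $_hit"
    done
}

append_unique() {       # $1 = file, $2 = entry; add once, never duplicate
    grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# Add every current IPv4 of a domain to the blacks file; re-run
# ya-malware-block.sh afterwards so the new entries reach the ipset.
blacklist_domain() {    # $1 = domain
    for _ip in $(resolve_ipv4 "$1"); do
        append_unique "$BLACKS_FILE" "$_ip"
    done
}

# Usage on the router: check_domain example.invalid ; blacklist_domain example.invalid
```

Testing membership with `ipset test` rather than pinging tells the two "blocking" mechanisms apart: a host that is DNS-poisoned resolves to a local address and never reaches the firewall, while a host that is really dropped by the iptables rule shows up here as a set hit.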
 
> @mrfrank9 Yes, adding to what @thelonelycoder said, if you are worried about inbound connections from the domain, you should use this script (firewall).
>
> If you are trying to block outbound connections to a particular domain for your whole LAN, you may use DNS poisoning. These are very different ways of "blocking": When you request the IP for the domain you want to block, DNS poisoning will allow you to specify a different (safe) IP instead of the domain's IP. However, if you have an alternate way to resolve the IP (you know the IP or look it up some other way), then you'll still be able to connect to it. If you use iptables as this script does, then even if you know the IP, you'll be able to deny a connection (outbound or inbound).
>
> If you do want to add all the IPs a domain resolves to to the blacklist file for this script, you can use hostip or nslookup to look up IPs for the domain and add those IPs to the ya-malware-block.blacks file.

Thanks!
I have an appliance that I want to stop taking upgrades and the company uses several domains through a distribution service.
Might be a tad tedious to find and add all those IPs to the black list so - I'm going to try DNSMASQ first and see how well it works, assuming that my device can't update if it is unable to respond back to the mother-ship. The config file already has some entries, so should be easy (or lazy) for me to add a few more!

mrfrank9
 
Do not know if this would be a valid option for you, but you can easily block a device's access to the internet from the web UI. If you need a more fine grained approach, @Martineau has an excellent script for that.
 
redhat27,
Unfortunately, this device (Smart TV) needs to access the internet. It does look like that script could be modified to only block the sites I have listed once I do nslookup on all the domain sites.

For sure I really need to do more learnin' on iptables...

thanks for pointing to the thread lots of good info and references!

mrfrank9
 
I'm baffled. My RT-AC87 (385_5b2) tosses me "/jffs/scripts/ya-malware-block.sh: No space left on device" when the gui reports "62.00 / 62.75 MB" for jffs.
 
> I'm baffled. My RT-AC87 (385_5b2) tosses me "/jffs/scripts/ya-malware-block.sh: No space left on device" when the gui reports "62.00 / 62.75 MB" for jffs.

Redhat has been inactive for around 7 months, you are unfortunately unlikely to find support here. Unfortunate as he was a pretty smart guy, we used to bounce ideas off each other frequently.
 
Sad to hear Redhat is gone, this was pretty smart. Is there any use of the script? I think Skynet is overkill for my needs and there are so many sites that disable access with any adblock so I can just forget that part. The country blocking is overkill as well. Think I only need to stop m$ calling home, dunno what else would be calling home. AC-66U

I wasn't a noob back in the days with ipchains, but iptables are different. Remember I even ran gfx version SNMP for fun. This was back in 2001.

Would love to contribute, but dunno where to begin. Nonetheless unsure if I'll switch to DD-WRT since the AC-66U is no longer supported.
 
> Redhat has been inactive for around 7 months, you are unfortunately unlikely to find support here. Unfortunate as he was a pretty smart guy, we used to bounce ideas off each other frequently.
My new job (and my family) is keeping me quite occupied :oops: Besides, there hasn't been much interest lately, so I didn't log in much.
 
> My new job (and my family) is keeping me quite occupied :oops: Besides, there hasn't been much interest lately, so I didn't log in much.
Well nice to see you drop by, even though I haven't been here for long. Well, family first, then the rest! You have my favorite distro icon and name. RH 5.0 was the first Linux distro I ran, then Slackware 7 off my first server.

I'd like to pick up on this, but I have a lack of knowledge since at my time I was using ipchains. Do you have the script updated on github or is it on the first thread? I just noticed that my router (AC66U) is older than I thought, but as we said: "One man's trash is another's Linux server".

I don't know where to start or pickup since I don't have a "crowd".
 