Yet another malware block script using ipset (v4 and v6)

[Adamm]

Since new flavours of those block scripts seem to be trendy lately...

Any of you considered implementing it at the RPDB level? Might possibly be more efficient than iptables...

/ # ip route add prohibit 4.2.2.2
/ # ping 4.2.2.2
PING 4.2.2.2 (4.2.2.2): 56 data bytes
ping: sendto: Network is unreachable

(runs away to hide)

From what I've read IPSet is more suited for these types of Blacklists;

Null routing, just like iptables drop rules, denies any remote system to establish (SYN) a connection. The difference is that with null routing traffic is still(!) received: your system just can't send anything (SYN,ACK) back, while iptables is more fine grained and explicitly drops that traffic.

Although for performance gains I have been testing using the "raw" table, that way the packets are handled sooner, without the need to go though conntrack+mangle+nat+routing.

 

[RMerlin]

From what I've read IPSet is more suited for these types of Blacklists;

I was thinking more for people wanting to block outbound connections (for instance those wanting to block Microsoft telemetry and such). For inbound traffic, the firewall remains indeed the best location to drop unwanted traffic.

 

[redhat27]

inbound traffic, the firewall remains indeed the best location to drop unwanted traffic

Yes, and I agree this script should also block inbound traffic.

With that, I'd like to mention that a new version of the script is now available in github, like I mentioned in #56.

• Remove the existing list (rm /jffs/ipset_lists/ya-malware-block.url_list) change the path if you've changed the default store location, of course.
• Get the latest script as mentioned in the OP

Half the time of this script processing is in aggregating the sources in the different url lists and eliminating duplicates. If running a faster script (in about half the time) is important to you, then I've made available an alternate script that does not eliminate duplicates. Runs much faster with the same sets, but will have some duplicate sources in the lists created. This does not affect the intended functionality in any way. Your call you use whichever one you like.

In my RT-AC66R router, running the updated script takes ~42 seconds, and the alternate script about ~20 seconds. Both block ~112k unique IPs and ~5k unique ranges.

EDIT: I'd recommend a reboot after installing the new script. I'm recommending this as the ipset names have changed and unless you'd want to manually delete the iptable rules and the corresponding ipsets, a reboot is much cleaner.

 

[redhat27]

I've updated the OP with the changes this latest update brings. Also included this:

Blocks on both INPUT chain (traffic initiated by malware sources) and on FORWARD chain (traffic initiated inside your LAN trying to connect to malware destinations)

 

[bayern1975]

i remove old script and data and install new one.....this is what i see in syslog....is this ok?

May  9 19:45:08 Firewall: /jffs/scripts/ya-malware-block.sh: Loaded sets YAMalwareBlock1IP (65536), YAMalwareBlock2IP (41066) and YAMalwareBlockCIDR (5278) in 16 seconds

 

[redhat27]

That is okay... Wow! you have one fast router!

 

[Jack Yaz]

That is okay... Wow! you have one fast router!

87U in same time

 

[Tuscon Bailey]

87U in same time

Dunno if this is good to know, but I also have 16s time with my 68u. I think this is good. Consistent. Small diff in ipsets loaded.

May 9 21:30:00 Firewall: /jffs/scripts/ya-malware-block.sh: Loaded sets YAMalwareBlock1IP (65536), YAMalwareBlock2IP (40781) and YAMalwareBlockCIDR (5188) in 16 seconds

 

[redhat27]

Always good to know, thanks for sharing . You guys make me feel I need to upgrade my router very soon

Note: These numbers are expected to change over time (on each run) That is the whole idea of running the script periodically to get the updated malware sources.

 

[eclp]

Why are only few IPs blocked with me?

May 10 08:45:40 Firewall: /jffs/scripts/ya-malware-block.sh: Adding malware-block rules to firewall...
May 10 08:45:45 Firewall: /jffs/scripts/ya-malware-block.sh: Loaded sets YAMalwareBlock1IP (2703), YAMalwareBlock2IP (1) and YAMalwareBlockCIDR (1) in 5 seconds

 

[thelonelycoder]

Why are only few IPs blocked with me?

May 10 08:45:40 Firewall: /jffs/scripts/ya-malware-block.sh: Adding malware-block rules to firewall...
May 10 08:45:45 Firewall: /jffs/scripts/ya-malware-block.sh: Loaded sets YAMalwareBlock1IP (2703), YAMalwareBlock2IP (1) and YAMalwareBlockCIDR (1) in 5 seconds

Check if the domains are not blocked by AB. If so, I'll release an update immediately.

Edit, I see no domains, only IP's in the lists.
Nothing to do with AB then.

 

[bayern1975]

Why are only few IPs blocked with me?

May 10 08:45:40 Firewall: /jffs/scripts/ya-malware-block.sh: Adding malware-block rules to firewall...
May 10 08:45:45 Firewall: /jffs/scripts/ya-malware-block.sh: Loaded sets YAMalwareBlock1IP (2703), YAMalwareBlock2IP (1) and YAMalwareBlockCIDR (1) in 5 seconds

did you remove all old files and old script? i removed all old files then reboot router then install new one and again reboot router.....

 

[eclp]

Thank you for your answers!
There are no other scripts, everything has been deleted, only AB-Solution.
(The router I have several times restarted.)

 

[redhat27]

@eclp Can you post: cat /jffs/ipset_lists/ya-malware-block.url_list

 

[eclp]

ASUSWRT-Merlin RT-AC87U 380.66-beta5-g2f48b2c Mon May  8 02:08:05 UTC 2017
...@RT-AC87U:/tmp/home/root# cat /jffs/ipset_lists/ya-malware-block.url_list
http://sanyalnet-cloud-vps.freeddns.org/mirai-ips.txt
http://www.abuseat.org/iotcc.txt
https://raw.githubusercontent.com/shounak-de/misc-scripts/master/telemetry_and_scanners.txt
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level2.netset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level3.netset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/feodo.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/palevo.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/sslbl.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/zeus_badips.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/bambenek_c2.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/spamhaus_drop.netset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/spamhaus_edrop.netset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/dshield.netset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/malwaredomainlist.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/maxmind_proxy_fraud.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/cybercrime.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/bbcan177_ms1.netset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/bbcan177_ms3.netset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/dyndns_ponmocup.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/malc0de.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/ransomware_rw.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/ransomware_cryptowall_ps.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/ransomware_locky_ps.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/et_block.netset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/et_compromised.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/et_botcc.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/blocklist_de_bots.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/blocklist_de_ssh.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/blocklist_de_strongips.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/ciarmy.ipset
...@RT-AC87U:/tmp/home/root#

Thanks ...

 

[shooter40sw]

Thanks! @redhat27 very fast now there are input and forward chain, I thought that it was going to be very slow on my router but not the case.
I question; Im using country and tor script, any way so I can just include TOR in this script so I can just use one script? so I have al these malware plus TOR... in My case country block is not so relevant but it does block a lot of packets.
Thanks again

ya-malware-block.sh: Adding malware-block rules to firewall...
./ya-malware-block.sh: Loaded sets YAMalwareBlock1IP (65535), YAMalwareBlock2IP (37513) and YAMalwareBlockCIDR (5036) in 32 seconds

 

[redhat27]

@eclp Your sources file looks okay. Is this happening on every run? can you post: grep ya-malware-block /tmp/syslog.log

If that low count is on every run, can you see if you are able to debug a bit for me:

• Remove the text rm /tmp/ya-malware-block.sources line 33 of the script
• Then run the script manually
• Then run
  

  wc -l /tmp/ya-malware-block.sources
  rm /tmp/ya-malware-block.sources

• Get the script from github again

It may give some insight as to what is going on

 

[eclp]

@redhat27 Thank you for your support as well as the great script!

After automatic load it works:

May 10 18:00:01 Firewall: /jffs/scripts/ya-malware-block.sh: Adding malware-block rules to firewall...
May 10 18:00:16 Firewall: /jffs/scripts/ya-malware-block.sh: Loaded sets YAMalwareBlock1IP (65536), YAMalwareBlock2IP (39358) and YAMalwareBlockCIDR (5009) in 15 seconds

 

[redhat27]

any way so I can just include TOR

@shooter40sw This is precisely the use case for the iblocklist-loader script. Tor and other proxies are maintained there. I would recommend use of that. See OP on that thread. You would use BLOCKLIST_INDEXES="10" for tor and other anonymizers.

I think mixing in other categories that are not specifically malware should not be this script. See post #53

 

[redhat27]

There is a version 1.3 in github now. Only the main script changed, not the sources list.
Changelog for 1.3:
[1] Using the PREROUTING chain of the raw table instead of INPUT and FORWARD chains of the filter table. Thanks @Adamm for suggestion
[2] Corrected the count of the ipset (need to subtract 7 for ipset-v6 and 6 for ipset-v4 to get correct list counts)

Please wget as per OP to get the script

EDIT: Please reboot the router for the changes to take effect. The block is on a different place, and ideally we would not want the older iptables rule to still be in place. If you want, you can manually delete them too (if you do not want to reboot)