What's new

Yet another malware block script using ipset (v4 and v6)

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Since new flavours of those block scripts seem to be trendy lately... :p

Any of you considered implementing it at the RPDB level? Might possibly be more efficient than iptables...

Code:
/ # ip route add prohibit 4.2.2.2
/ # ping 4.2.2.2
PING 4.2.2.2 (4.2.2.2): 56 data bytes
ping: sendto: Network is unreachable

(runs away to hide)


From what I've read IPSet is more suited for these types of Blacklists;

Null routing, just like iptables drop rules, denies any remote system to establish (SYN) a connection. The difference is that with null routing traffic is still(!) received: your system just can't send anything (SYN,ACK) back, while iptables is more fine grained and explicitly drops that traffic.

Although for performance gains I have been testing using the "raw" table, that way the packets are handled sooner, without the need to go though conntrack+mangle+nat+routing.

YkwUi.png
 
From what I've read IPSet is more suited for these types of Blacklists;

I was thinking more for people wanting to block outbound connections (for instance those wanting to block Microsoft telemetry and such). For inbound traffic, the firewall remains indeed the best location to drop unwanted traffic.
 
inbound traffic, the firewall remains indeed the best location to drop unwanted traffic
Yes, and I agree this script should also block inbound traffic.

With that, I'd like to mention that a new version of the script is now available in github, like I mentioned in #56.
  • Remove the existing list (rm /jffs/ipset_lists/ya-malware-block.url_list) change the path if you've changed the default store location, of course.
  • Get the latest script as mentioned in the OP
Half the time of this script processing is in aggregating the sources in the different url lists and eliminating duplicates. If running a faster script (in about half the time) is important to you, then I've made available an alternate script that does not eliminate duplicates. Runs much faster with the same sets, but will have some duplicate sources in the lists created. This does not affect the intended functionality in any way. Your call you use whichever one you like.

In my RT-AC66R router, running the updated script takes ~42 seconds, and the alternate script about ~20 seconds. Both block ~112k unique IPs and ~5k unique ranges.

EDIT: I'd recommend a reboot after installing the new script. I'm recommending this as the ipset names have changed and unless you'd want to manually delete the iptable rules and the corresponding ipsets, a reboot is much cleaner.
 
Last edited:
I've updated the OP with the changes this latest update brings. Also included this:

Blocks on both INPUT chain (traffic initiated by malware sources) and on FORWARD chain (traffic initiated inside your LAN trying to connect to malware destinations)
 
i remove old script and data and install new one.....this is what i see in syslog....is this ok?
Code:
May  9 19:45:08 Firewall: /jffs/scripts/ya-malware-block.sh: Loaded sets YAMalwareBlock1IP (65536), YAMalwareBlock2IP (41066) and YAMalwareBlockCIDR (5278) in 16 seconds
 
87U in same time :D

Dunno if this is good to know, but I also have 16s time with my 68u. I think this is good. Consistent. Small diff in ipsets loaded.

May 9 21:30:00 Firewall: /jffs/scripts/ya-malware-block.sh: Loaded sets YAMalwareBlock1IP (65536), YAMalwareBlock2IP (40781) and YAMalwareBlockCIDR (5188) in 16 seconds
 
Always good to know, thanks for sharing :). You guys make me feel I need to upgrade my router very soon :(

Note: These numbers are expected to change over time (on each run) That is the whole idea of running the script periodically to get the updated malware sources.
 
Why are only few IPs blocked with me?
Code:
May 10 08:45:40 Firewall: /jffs/scripts/ya-malware-block.sh: Adding malware-block rules to firewall...
May 10 08:45:45 Firewall: /jffs/scripts/ya-malware-block.sh: Loaded sets YAMalwareBlock1IP (2703), YAMalwareBlock2IP (1) and YAMalwareBlockCIDR (1) in 5 seconds
 
Why are only few IPs blocked with me?
Code:
May 10 08:45:40 Firewall: /jffs/scripts/ya-malware-block.sh: Adding malware-block rules to firewall...
May 10 08:45:45 Firewall: /jffs/scripts/ya-malware-block.sh: Loaded sets YAMalwareBlock1IP (2703), YAMalwareBlock2IP (1) and YAMalwareBlockCIDR (1) in 5 seconds
Check if the domains are not blocked by AB. If so, I'll release an update immediately.

Edit, I see no domains, only IP's in the lists.
Nothing to do with AB then.
 
Last edited:
Why are only few IPs blocked with me?
Code:
May 10 08:45:40 Firewall: /jffs/scripts/ya-malware-block.sh: Adding malware-block rules to firewall...
May 10 08:45:45 Firewall: /jffs/scripts/ya-malware-block.sh: Loaded sets YAMalwareBlock1IP (2703), YAMalwareBlock2IP (1) and YAMalwareBlockCIDR (1) in 5 seconds
did you remove all old files and old script? i removed all old files then reboot router then install new one and again reboot router.....
 
Thank you for your answers!
There are no other scripts, everything has been deleted, only AB-Solution.
(The router I have several times restarted.)
 
Code:
ASUSWRT-Merlin RT-AC87U 380.66-beta5-g2f48b2c Mon May  8 02:08:05 UTC 2017
...@RT-AC87U:/tmp/home/root# cat /jffs/ipset_lists/ya-malware-block.url_list
http://sanyalnet-cloud-vps.freeddns.org/mirai-ips.txt
http://www.abuseat.org/iotcc.txt
https://raw.githubusercontent.com/shounak-de/misc-scripts/master/telemetry_and_scanners.txt
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level2.netset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level3.netset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/feodo.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/palevo.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/sslbl.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/zeus_badips.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/bambenek_c2.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/spamhaus_drop.netset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/spamhaus_edrop.netset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/dshield.netset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/malwaredomainlist.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/maxmind_proxy_fraud.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/cybercrime.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/bbcan177_ms1.netset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/bbcan177_ms3.netset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/dyndns_ponmocup.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/malc0de.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/ransomware_rw.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/ransomware_cryptowall_ps.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/ransomware_locky_ps.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/et_block.netset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/et_compromised.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/et_botcc.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/blocklist_de_bots.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/blocklist_de_ssh.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/blocklist_de_strongips.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/ciarmy.ipset
...@RT-AC87U:/tmp/home/root#
Thanks ...
 
Thanks! @redhat27 very fast now there are input and forward chain, I thought that it was going to be very slow on my router but not the case.
I question; Im using country and tor script, any way so I can just include TOR in this script so I can just use one script? so I have al these malware plus TOR... in My case country block is not so relevant but it does block a lot of packets.
Thanks again

Code:
ya-malware-block.sh: Adding malware-block rules to firewall...
./ya-malware-block.sh: Loaded sets YAMalwareBlock1IP (65535), YAMalwareBlock2IP (37513) and YAMalwareBlockCIDR (5036) in 32 seconds
 
@eclp Your sources file looks okay. Is this happening on every run? can you post: grep ya-malware-block /tmp/syslog.log

If that low count is on every run, can you see if you are able to debug a bit for me:
  • Remove the text rm /tmp/ya-malware-block.sources line 33 of the script
  • Then run the script manually
  • Then run
    Code:
    wc -l /tmp/ya-malware-block.sources
    rm /tmp/ya-malware-block.sources
  • Get the script from github again
It may give some insight as to what is going on
 
@redhat27 Thank you for your support as well as the great script! :)

:eek: After automatic load it works:
Code:
May 10 18:00:01 Firewall: /jffs/scripts/ya-malware-block.sh: Adding malware-block rules to firewall...
May 10 18:00:16 Firewall: /jffs/scripts/ya-malware-block.sh: Loaded sets YAMalwareBlock1IP (65536), YAMalwareBlock2IP (39358) and YAMalwareBlockCIDR (5009) in 15 seconds
 
There is a version 1.3 in github now. Only the main script changed, not the sources list.
Changelog for 1.3:
[1] Using the PREROUTING chain of the raw table instead of INPUT and FORWARD chains of the filter table. Thanks @Adamm for suggestion
[2] Corrected the count of the ipset (need to subtract 7 for ipset-v6 and 6 for ipset-v4 to get correct list counts)

Please wget as per OP to get the script

EDIT: Please reboot the router for the changes to take effect. The block is on a different place, and ideally we would not want the older iptables rule to still be in place. If you want, you can manually delete them too (if you do not want to reboot)
 
Last edited:

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top