Menu
What's new
By:
Filters Better Search

Yet another malware block script using ipset (v4 and v6)

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Ok!
I d/led ver. 1.4 and ran it from the command line.
I got numerous errors!
Line 27: hash ip not found
line 29 : hash ip not found
line 31 : hash net not found
ipset v6.29: Missing second mandatory argument to command create
BusyBox v1.25.1 (2017-02-03 00:20:23 E
./ya-malware-block.sh: line 34: (^127\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)|(^0.)|(^169\.254\.): not found

ST) multi-call binary.
Can you please help with this?
I have ver. 1.2 running just fine.
 
Jack Yaz said:
Love the ip finder, https://pentest-tools.com wouldn't load, its in YAMalwareBlock2IP! Now I need to read documentation on how to whitelist.
Click to expand...
ya-malware-block script does not have whitelisting. If you want to whitelist pentest-tools.com, add it to the WHITELIST_DOMAINS_FILE that is referenced in the iblocklist-loader script, and make sure the blocklist-loader script is run right after the ya-malware-block script
 
tonysamson said:
Hi all,

Pardon my ignorance. Hope you can help enlighten me on this subject.

How is a "malware block script" any different with the Firewall option in the Asus Router?
Click to expand...
The firewall in your asus router needs to be enabled to have any firewall scripts to work. Asus firewall by default will only provide a basic security (just like enabling firewall on a windows machine, for example) and not against any specific malware/ransomware/cracker/bots/scanners/etc. source.

The ya-malware-block script matches an attempted connection (to or from your router) against a large set of identified malware sources (several hundreds of thousands). A lot of the sources in this script is sourced from the firehol site.
 
Gitsum said:
So what happens when a blacklisted site is blocked? Is there a warning page or just an error?
Click to expand...
If you are using a browser to connect to a malware source, you'll time out. To immediately fail without timeout, the firewall rule needs to REJECT the connection (it currently DROPs it)
 
Csection said:
Ok!
I d/led ver. 1.4 and ran it from the command line.
I got numerous errors!
Line 27: hash ip not found
line 29 : hash ip not found
line 31 : hash net not found
ipset v6.29: Missing second mandatory argument to command create
BusyBox v1.25.1 (2017-02-03 00:20:23 E
./ya-malware-block.sh: line 34: (^127\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)|(^0.)|(^169\.254\.): not found

ST) multi-call binary.
Can you please help with this?
I have ver. 1.2 running just fine.
Click to expand...
Not sure what is going on there. Can you re-download the script as per OP? Anybody else have these errors?
 
redhat27 said:
Not sure what is going on there. Can you re-download the script as per OP? Anybody else have these errors?
Click to expand...
I got it. It was scripts errors. Though when I run it. It hangs and does not complete. It says, "Firewall: ./ya-malware-block.sh: Adding malware-block rules to firewall...", but it hangs there. Been running for half an hour now...
 
I rebooted and let the ya-malware script run from services-start. Here is what it did:
Firewall: /jffs/scripts/ya-malware-block.sh: Adding malware-block rules to firewall...
May 14 13:41:27 Firewall: /jffs/scripts/ya-malware-block.sh: Loaded sets YAMalwareBlock1IP (0), YAMalwareBlock2IP (0) and YAMalwareBlockCIDR (0) in 5 seconds.
Please advise!
 
Ok!
I re-d/led the script with the wget. I think it is ok now!
Here is the output from the run:
Adding malware-block rules to firewall...
./ya-malware-block.sh: Loaded sets YAMalwareBlock1IP (37933), YAMalwareBlock2IP (0) and YAMalwareBlockCIDR (867) in 8 seconds
Sorry for all the hasle! I was trying to save the original script in case there were any problems.
 
redhat27 said:
ya-malware-block script does not have whitelisting. If you want to whitelist pentest-tools.com, add it to the WHITELIST_DOMAINS_FILE that is referenced in the iblocklist-loader script, and make sure the blocklist-loader script is run right after the ya-malware-block script
Click to expand...
Yeah did that, and adjusted cron too so ya-malware doesnt inject itself above again!
 
Csection said:
I was trying to save the original script in case there were any problems.
Click to expand...

No need to save the original script. You can always get it from git history. Also looks like you have the old sources. Please delete /jffs/ipset_lists/ya-malware-block.url_list and re-run

Read a bit from post #90 if it hangs again.
 
redhat27 said:
No need to save the original script. You can always get it from git history. Also looks like you have the old sources. Please delete /jffs/ipset_lists/ya-malware-block.url_list and re-run

Read a bit from post #90 if it hangs again.
Click to expand...
Yep!
That worked!
Here is the output from that :
./ya-malware-block.sh: Adding malware-block rules to firewall...
./ya-malware-block.sh: Loaded sets YAMalwareBlock1IP (65535), YAMalwareBlock2IP (39753) and YAMalwareBlockCIDR (5217) in 11 seconds
 
I noticed with the new code i no longer get a readout on how many ips got caught by the script when i run blockstats.

Code: 
@RT-AC5300:/jffs/scripts# blockstats
    0     0 DROP       all  --  any    any     anywhere             anywhere             match-set CustomBlock src
  161  8027 DROP       all  --  any    any     anywhere             anywhere             match-set BlockedCountries src
    0     0 DROP       all  --  any    any     anywhere             anywhere             match-set TorNodes src
  895 89220 REJECT     all  --  any    any     anywhere             anywhere             match-set privacy-filter_ipv4 src,dst reject-with icmp-port-unreachable
  140  7924 DROP       all  --  any    any     anywhere             anywhere             match-set MicrosoftSpyServers dst

In ver 1.1 it included the names of this filter with a count.
 
mikelees2 said:
I noticed with the new code i no longer get a readout on how many ips got caught by the script when i run blockstats.

Code: 
@RT-AC5300:/jffs/scripts# blockstats
    0     0 DROP       all  --  any    any     anywhere             anywhere             match-set CustomBlock src
  161  8027 DROP       all  --  any    any     anywhere             anywhere             match-set BlockedCountries src
    0     0 DROP       all  --  any    any     anywhere             anywhere             match-set TorNodes src
  895 89220 REJECT     all  --  any    any     anywhere             anywhere             match-set privacy-filter_ipv4 src,dst reject-with icmp-port-unreachable
  140  7924 DROP       all  --  any    any     anywhere             anywhere             match-set MicrosoftSpyServers dst

In ver 1.1 it included the names of this filter with a count.
Click to expand...
Its due to the raw table, i added an updated function to the wiki, though i suspect it won't show the non-raw entries. I'll test it out later
 
Jack Yaz said:
Its due to the raw table, i added an updated function to the wiki, though i suspect it won't show the non-raw entries. I'll test it out later
Click to expand...
Thanks What in the url to the wiki for this?
 
Jack Yaz said:
I was most of the way there, didn't know how to combine the 2!
Click to expand...
I came up with something different that did work but reverted to @redhat27 s code because I liked the format better. I am new to this and most of this is still Greek to me but i am learning.

What I came up with was:

Code: 
alias blockstats='iptables -L -v | grep "match-set"; ip6tables -L -v | grep "match-set"; iptables -vL -t raw | grep "match-set"'

Thanks Guys.
 
Version 1.5 out there. Main changes:
  • Rewrote the script mainly catering to the FireHOL Level1 thru Level4 (there is an extra ipset in there that will almost always be empty unless you enable Level4)
  • Made the script more concise (no change functionality wise) OCD on smallest possible script :eek:
You need to delete the /jffs/ipset_lists/ya-malware-block.url_list list to get the latest.

I've re-written the post #1, please give it a read if possible
 
I followed the reinstall instructions and ran the script from the command line. I got 0 for YAMalwareBlock3IP though.
Code: 
a-malware-block.sh: Loaded sets YAMalwareBlock1IP (65535), YAMalwareBlock2IP (10237), YAMalwareBlock3IP (0) and YAMalwareBlockCIDR (8786) in 11 seconds
 
You must log in or register to reply here.

Similar threads

A
Helt needed with the yet another antimalware script for the Asus wrt.
Replies
4
Views
839
amnesia
A
MON@H Rasta
Tutorial Using TOR to unblock sites blocked by ISP on [Fork] Asuswrt-Merlin 374 LTS
Replies
14
Views
4K
Vas99
V
mkaand
Tutorial [TUTORIAL] Domain (Policy) based routing with ipset and dnsmaq
Replies
4
Views
5K
mkaand
mkaand
redhat27
iblocklist.com generic ipset loader for ipset v6 and v4
12 13 14
Replies
272
Views
41K
Lynoad
L
N
Using ipset revisited
2
Replies
21
Views
7K
Veldkornet
Veldkornet
Similar threads
Thread starter Title Forum Replies Date
P Using Avahi to cast to a PyChromeCast on another subnet Asuswrt-Merlin 4
S Transfer files to another device (raspi) in the same network Asuswrt-Merlin 3
M Allow admin web GUI access on another interface (tailscale0) Asuswrt-Merlin 0
S Another DNS Director clarification Asuswrt-Merlin 1
Smokindog Might be ready to give AiMesh another look Asuswrt-Merlin 8

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 832 (members: 28, guests: 804)
Top