redhat27
Very Senior Member
It is expected unless you enable Level4. See my earlier post
Yet another malware block script using ipset (v4 and v6)
- Thread starter redhat27
- Start date
-
- Tags
- bruteforce ipset malware ransomware
Adamm
Part of the Furniture
Yeah its not needed. Packets being blocked sourcing from those IP's is all you need.
Kim Puleston
Regular Contributor
Quick questions.
How do you select which level you are wanting to use ? Also I wanted to add the updater script to my Init-start but I have no Init-Start file in my JFFS/Scripts location do I first need to creat a Init-Start File and add the updater script to it ?
Cheers.
How do you select which level you are wanting to use ? Also I wanted to add the updater script to my Init-start but I have no Init-Start file in my JFFS/Scripts location do I first need to creat a Init-Start File and add the updater script to it ?
Cheers.
steelskinz
Regular Contributor
I reinstall the script since i was on previous version, delete the .url_list before all was smooth :
Loaded sets YAMalwareBlock1IP (65535), YAMalwareBlock2IP (65536), YAMalwareBlock3IP (30978) and YAMalwareBlockCIDR (8731) in 30 seconds
Problem is i added some extra set of ipsets and even if i reload the script the result is as above as it doesn't work properly.
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/hphosts_emd.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/hphosts_ats.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/hphosts_exp.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/hphosts_fsa.ipset
etc
Loaded sets YAMalwareBlock1IP (65535), YAMalwareBlock2IP (65536), YAMalwareBlock3IP (30978) and YAMalwareBlockCIDR (8731) in 30 seconds
Problem is i added some extra set of ipsets and even if i reload the script the result is as above as it doesn't work properly.
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/hphosts_emd.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/hphosts_ats.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/hphosts_exp.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/hphosts_fsa.ipset
etc
redhat27
Very Senior Member
That is dst on the FORWARD chain of filter table
redhat27
Very Senior Member
The default is Level1 thru Level3 blocking. Level4 is disabled by default as it has a lot of false positives. You can choose to block even less. Just remove what you want blocked or not blocked from the
/jffs/ipset_lists/ya-malware-block.url_list file. This file is not redownloaded on each run of the script, and allows for manual editing. If you want the default sources, then just delete this file, and the script will download the default one from github.
Also, I would advise to run this at the end of services-start (for a one time run) or better yet, schedule this in cron as the sources are dynamic. See OP for details.
redhat27
Very Senior Member
All of the FireHOL lists are already aggregated. See their site for details as to what each of their Levels block. The OP has a link to each level
Kim Puleston
Regular Contributor
That is great thanks, all set up now and I have this as a cron job in Init-start for the future
Here is to better security
redhat27
Very Senior Member
Note: I forgot to mention that you can do both too (both in services-start and in cron) That way you are covered in the time interval your router has booted and cron has not run yet. A lot of us here keep rebooting our routers often as they try new stuffThat is great thanks, all set up now and I have this as a cron job in Init-start for the future
, so it may be more appropriate for them, actually.EDIT: Updated the OP again to clarify some of the questions you had.
Last edited:
If redhat27 read your mind correctly, your intended change will be redundant. lol
Jack Yaz raises a good point though. I don't see how your script blocks outgoing traffic as you advertised in post #1. In your tests, it actually blocks? I think you need one more line in the for loop with "--match-set ... dst"
redhat27
Very Senior Member
It really does.
It really does.
I don't see it but I guess you've to twist the meaning of "block" a bit...
redhat27
Very Senior Member
admin@RT-AC66R-D700:/tmp/home/root# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=58 time=23.019 ms
64 bytes from 8.8.8.8: seq=1 ttl=58 time=22.858 ms
64 bytes from 8.8.8.8: seq=2 ttl=58 time=23.938 ms
64 bytes from 8.8.8.8: seq=3 ttl=58 time=22.553 ms
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 22.553/23.092/23.938 ms
admin@RT-AC66R-D700:/tmp/home/root# ipset -N Test iphash
admin@RT-AC66R-D700:/tmp/home/root# ipset -A Test 8.8.8.8
admin@RT-AC66R-D700:/tmp/home/root# iptables -t raw -I PREROUTING -m set --set Test src -j DROP
admin@RT-AC66R-D700:/tmp/home/root# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
--- 8.8.8.8 ping statistics ---
8 packets transmitted, 0 packets received, 100% packet loss
admin@RT-AC66R-D700:/tmp/home/root# ipset -X Test
ipset v4.5: Set is in use, operation not permitted
admin@RT-AC66R-D700:/tmp/home/root# iptables -t raw -D PREROUTING -m set --set Test src -j DROP
admin@RT-AC66R-D700:/tmp/home/root# ipset -X Test
admin@RT-AC66R-D700:/tmp/home/root#
redhat27
Very Senior Member
I see what you mean. It blocks on the echo receive bitMy verdict still holds
thelonelycoder
Part of the Furniture
That's correct, it blocks pgl.yoyo.org, for example, one of the hosts file providers.
redhat27
Very Senior Member
Oops, sorry about that
. Need to add a note to AB users to whitelist that domainSimilar threads
Similar threads
Similar threads
-
-
Transfer files to another device (raspi) in the same network
- Started by slytho
- Replies: 3
-
Allow admin web GUI access on another interface (tailscale0)
- Started by mr8
- Replies: 0
-
-
