Yet another malware block script using ipset (v4 and v6)

Ok!
I d/led ver. 1.4 and ran it from the command line.
I got numerous errors!
Line 27: hash ip not found
line 29 : hash ip not found
line 31 : hash net not found
ipset v6.29: Missing second mandatory argument to command create
BusyBox v1.25.1 (2017-02-03 00:20:23 EST) multi-call binary.
./ya-malware-block.sh: line 34: (^127\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)|(^0.)|(^169\.254\.): not found
Can you please help with this?
I have ver. 1.2 running just fine.
 
Love the IP finder. https://pentest-tools.com wouldn't load; it's in YAMalwareBlock2IP! Now I need to read documentation on how to whitelist.
The ya-malware-block script does not have whitelisting. If you want to whitelist pentest-tools.com, add it to the WHITELIST_DOMAINS_FILE that is referenced in the iblocklist-loader script, and make sure the iblocklist-loader script is run right after the ya-malware-block script.
 
Hi all,

Pardon my ignorance. Hope you can help enlighten me on this subject.

How is a "malware block script" any different with the Firewall option in the Asus Router?
The firewall in your Asus router needs to be enabled for any firewall scripts to work. The Asus firewall by default only provides basic security (just like enabling the firewall on a Windows machine, for example) and does not protect against any specific malware/ransomware/cracker/bot/scanner/etc. source.

The ya-malware-block script matches an attempted connection (to or from your router) against a large set of identified malware sources (several hundred thousand). A lot of the sources in this script are sourced from the FireHOL site.
 
So what happens when a blacklisted site is blocked? Is there a warning page or just an error?
If you are using a browser to connect to a malware source, you'll time out. To fail immediately without a timeout, the firewall rule would need to REJECT the connection (it currently DROPs it).
 
Ok!
I d/led ver. 1.4 and ran it from the command line.
I got numerous errors!
Line 27: hash ip not found
line 29 : hash ip not found
line 31 : hash net not found
ipset v6.29: Missing second mandatory argument to command create
BusyBox v1.25.1 (2017-02-03 00:20:23 EST) multi-call binary.
./ya-malware-block.sh: line 34: (^127\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)|(^0.)|(^169\.254\.): not found
Can you please help with this?
I have ver. 1.2 running just fine.
Not sure what is going on there. Can you re-download the script as per OP? Anybody else have these errors?
 
Not sure what is going on there. Can you re-download the script as per OP? Anybody else have these errors?
I got it. It was script errors. Though when I run it, it hangs and does not complete. It says, "Firewall: ./ya-malware-block.sh: Adding malware-block rules to firewall...", but it hangs there. Been running for half an hour now...
 
I rebooted and let the ya-malware script run from services-start. Here is what it did:
Firewall: /jffs/scripts/ya-malware-block.sh: Adding malware-block rules to firewall...
May 14 13:41:27 Firewall: /jffs/scripts/ya-malware-block.sh: Loaded sets YAMalwareBlock1IP (0), YAMalwareBlock2IP (0) and YAMalwareBlockCIDR (0) in 5 seconds.
Please advise!
 
Ok!
I re-d/led the script with the wget. I think it is ok now!
Here is the output from the run:
Adding malware-block rules to firewall...
./ya-malware-block.sh: Loaded sets YAMalwareBlock1IP (37933), YAMalwareBlock2IP (0) and YAMalwareBlockCIDR (867) in 8 seconds
Sorry for all the hassle! I was trying to save the original script in case there were any problems.
 
The ya-malware-block script does not have whitelisting. If you want to whitelist pentest-tools.com, add it to the WHITELIST_DOMAINS_FILE that is referenced in the iblocklist-loader script, and make sure the iblocklist-loader script is run right after the ya-malware-block script.
Yeah, did that, and adjusted cron too so ya-malware doesn't inject itself above again!
 
I was trying to save the original script in case there were any problems.

No need to save the original script. You can always get it from git history. Also looks like you have the old sources. Please delete /jffs/ipset_lists/ya-malware-block.url_list and re-run

Read a bit from post #90 if it hangs again.
 
No need to save the original script. You can always get it from git history. Also looks like you have the old sources. Please delete /jffs/ipset_lists/ya-malware-block.url_list and re-run

Read a bit from post #90 if it hangs again.
Yep!
That worked!
Here is the output from that :
./ya-malware-block.sh: Adding malware-block rules to firewall...
./ya-malware-block.sh: Loaded sets YAMalwareBlock1IP (65535), YAMalwareBlock2IP (39753) and YAMalwareBlockCIDR (5217) in 11 seconds
 
I noticed with the new code I no longer get a readout on how many IPs got caught by the script when I run blockstats.

Code:
@RT-AC5300:/jffs/scripts# blockstats
    0     0 DROP       all  --  any    any     anywhere             anywhere             match-set CustomBlock src
  161  8027 DROP       all  --  any    any     anywhere             anywhere             match-set BlockedCountries src
    0     0 DROP       all  --  any    any     anywhere             anywhere             match-set TorNodes src
  895 89220 REJECT     all  --  any    any     anywhere             anywhere             match-set privacy-filter_ipv4 src,dst reject-with icmp-port-unreachable
  140  7924 DROP       all  --  any    any     anywhere             anywhere             match-set MicrosoftSpyServers dst

In ver. 1.1 it included the names of this filter with a count.
 
I noticed with the new code I no longer get a readout on how many IPs got caught by the script when I run blockstats.

Code:
@RT-AC5300:/jffs/scripts# blockstats
    0     0 DROP       all  --  any    any     anywhere             anywhere             match-set CustomBlock src
  161  8027 DROP       all  --  any    any     anywhere             anywhere             match-set BlockedCountries src
    0     0 DROP       all  --  any    any     anywhere             anywhere             match-set TorNodes src
  895 89220 REJECT     all  --  any    any     anywhere             anywhere             match-set privacy-filter_ipv4 src,dst reject-with icmp-port-unreachable
  140  7924 DROP       all  --  any    any     anywhere             anywhere             match-set MicrosoftSpyServers dst

In ver. 1.1 it included the names of this filter with a count.
It's due to the raw table. I added an updated function to the wiki, though I suspect it won't show the non-raw entries. I'll test it out later.
 
It's due to the raw table. I added an updated function to the wiki, though I suspect it won't show the non-raw entries. I'll test it out later.
Thanks. What is the URL to the wiki for this?
 
I was most of the way there, didn't know how to combine the 2!
I came up with something different that did work but reverted to @redhat27's code because I liked the format better. I am new to this and most of this is still Greek to me, but I am learning.

What I came up with was:

Code:
alias blockstats='iptables -L -v | grep "match-set"; ip6tables -L -v | grep "match-set"; iptables -vL -t raw | grep "match-set"'

Thanks Guys.
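The alias above only greps the raw match-set lines; the per-set count readout that ver. 1.1 printed has to be reconstructed from the filter and raw tables of both iptables and ip6tables. This is an added example, not code from the thread, the wiki or the ya-malware-block script: a POSIX sh function that sums packet and byte counters per ipset name from `iptables -vL` style output. The sample input is constructed from the blockstats listing in this thread plus one assumed raw-table line for YAMalwareBlock1IP.

```shell
#!/bin/sh
# Constructed sample: the blockstats lines posted above, plus an assumed
# raw-table rule for a ya-malware-block set (not real router output).
SAMPLE_STATS='    0     0 DROP       all  --  any    any     anywhere             anywhere             match-set CustomBlock src
  161  8027 DROP       all  --  any    any     anywhere             anywhere             match-set BlockedCountries src
    0     0 DROP       all  --  any    any     anywhere             anywhere             match-set TorNodes src
  895 89220 REJECT     all  --  any    any     anywhere             anywhere             match-set privacy-filter_ipv4 src,dst reject-with icmp-port-unreachable
  140  7924 DROP       all  --  any    any     anywhere             anywhere             match-set MicrosoftSpyServers dst
 3210 201742 DROP       all  --  any    any     anywhere             anywhere             match-set YAMalwareBlock1IP src'

# summarize_matchsets: read "iptables -vL" lines on stdin and print one line
# per ipset: "SET PKTS BYTES TARGET". Counters are summed when the same set
# appears in several rules (e.g. once in filter and once in raw).
summarize_matchsets() {
    awk '/match-set/ {
        for (i = 1; i <= NF; i++) if ($i == "match-set") setname = $(i + 1)
        pkts[setname] += $1; bytes[setname] += $2; target[setname] = $3
    }
    END {
        for (s in pkts) printf "%-24s %8d %10d %s\n", s, pkts[s], bytes[s], target[s]
    }' | sort
}

# set_packets NAME: packets counted for one set in the constructed sample.
set_packets() {
    printf '%s\n' "$SAMPLE_STATS" | summarize_matchsets \
        | awk -v n="$1" '$1 == n { print $2 }'
}

# On the router, feed the live tables instead of the sample (-x keeps the
# counters exact instead of K/M-suffixed):
#   { iptables -xvL; iptables -xvL -t raw; ip6tables -xvL; ip6tables -xvL -t raw; } | summarize_matchsets
printf '%s\n' "$SAMPLE_STATS" | summarize_matchsets
```

Sets with zero hits (CustomBlock, TorNodes) still show up, which is what tells you the set was loaded but simply not matched yet.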
 
Version 1.5 out there. Main changes:
  • Rewrote the script mainly catering to the FireHOL Level1 through Level4 lists (there is an extra ipset in there that will almost always be empty unless you enable Level4)
  • Made the script more concise (no change functionality-wise); OCD on the smallest possible script :eek:
You need to delete the /jffs/ipset_lists/ya-malware-block.url_list list to get the latest.

I've rewritten post #1, please give it a read if possible.
 
I followed the reinstall instructions and ran the script from the command line. I got 0 for YAMalwareBlock3IP though.
Code:
a-malware-block.sh: Loaded sets YAMalwareBlock1IP (65535), YAMalwareBlock2IP (10237), YAMalwareBlock3IP (0) and YAMalwareBlockCIDR (8786) in 11 seconds
 