What's new

Yet another malware block script using ipset (v4 and v6)

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

New version updated and working awesome. Great work on this script bud!!
 
I used the editor in Mobaxterm command line, but running dos2unix did not fix it.
Hi @Csection, I recommend checking the boxes for ASCII mode on the Advanced Sftp settings screen, as well as compression and UTF-8. I've never had an issue with dos characters..

upload_2017-6-6_20-42-18.png
 
New version updated and working awesome. Great work on this script bud!!
OK wait maybe I have a problem. Since updating my script to the latest version I seem to have a problem with IPSET_Block.sh save it hasn't successfully blocked anything since. Should I reboot or.....? Any ideas to help me thanks!
EDIT: Sorry for my stupid question. I rebooted and everything is fine.
 
Last edited:
Since updating my script to the latest version I seem to have a problem with IPSET_Block.sh
Not sure what that other script does, but I can assure you nothing changed in this script that could have an impact. Only change is the inclusion of the manual (optional) blacklist.
 
Not sure what that other script does, but I can assure you nothing changed in this script that could have an impact. Only change is the inclusion of the manual (optional) blacklist.
I run both IPSET_Block and Ya-Malware together and don't have a problem. Try using the "Init reset"(Check thread for correct syntax) option on IPSET.
 
I run both IPSET_Block and Ya-Malware together and don't have a problem. Try using the "Init reset"(Check thread for correct syntax) option on IPSET.
I have not used IPSET_Block. All I can say is nothing changed in this script that should cause a behavior change that was not there before. You can look at the commit diff in github.
 
I have some general questions.
How often do the block lists change?
Would it suffice to run this script once a day or do changes occur fairly often?
 
I have some general questions.
How often do the block lists change?
Would it suffice to run this script once a day or do changes occur fairly often?
You can check out the update frequency of each of the lists in the FireHOL site (links in post #1)
On the main page, the site says "average update frequency: 36 minutes"

Of course, you can choose to update the data as often as you choose. The whole point in having a minimalist script is to do the task of updating as quickly with the least load on the routers CPU as possible.
I think updating it at the suggested example of every 6 hours should be an acceptable solution. I do it every 6 hours myself.
 
You can check out the update frequency of each of the lists in the FireHOL site (links in post #1)
On the main page, the site says "average update frequency: 36 minutes"

Of course, you can choose to update the data as often as you choose. The whole point in having a minimalist script is to do the task of updating as quickly with the least load on the routers CPU as possible.
I think updating it at the suggested example of every 6 hours should be an acceptable solution. I do it every 6 hours myself.
Ok, thanks!
I don't read everything as I should(Bad eyes).
 
I think this is blocking https://apple.com/UK but none of the ips i checked are found in the lists. Anyone able to help?
For me, apple.com resolves to

17.178.96.59
17.142.160.59
17.172.224.47

I noticed that these IPs are not there in the YAMalware* ipsets. But I can access the https://apple.com/UK just fine.
Are you not able to ping those IPs or do a
Code:
curl -kL  https://apple.com/UK
on your router?

I have all 4 FireHOL Levels enabled, and I can assess the site.
 
I don't read everything as I should(Bad eyes).
No problem! Gave me a chance to mention the update frequency from the firehol site and the suggested run frequency on your router :)
It may benefit others.
In this thread, there is never a dumb question. If it is confusing to you, it may be confusing to others as well.
 
For me, apple.com resolves to

17.178.96.59
17.142.160.59
17.172.224.47

I noticed that these IPs are not there in the YAMalware* ipsets. But I can access the https://apple.com/UK just fine.
Are you not able to ping those IPs or do a
Code:
curl -kL  https://apple.com/UK
on your router?

I have all 4 FireHOL Levels enabled, and I can assess the site.
Router can retrieve page fine, so I'm a bit stumped as to why clients cannot access it
 
Nope. Fired up dev console and its the cdn images.apple.com timing out and failing to serve the js and css resources.
 
That version worked on Shibby Tomato Firmware 1.28.0000 MIPSR2-140 K26AC USB AIO-64K

Thank you!

it seems the included curl does not support https, which seems odd in this day but probably has a good reason:
root@unknown:/tmp/home/root# curl --version
curl 7.53.1 (mipsel-unknown-linux-gnu) libcurl/7.53.1 zlib/1.2.11
Protocols: file ftp http imap pop3 rtsp smtp tftp
Features: IPv6 Largefile libz UnixSockets

rearden


Try this variant and let me know please (on tomato firmware):

Code:
wget -O /jffs/scripts/ya-malware-block.sh https://raw.githubusercontent.com/shounak-de/misc-scripts/master/ya-malware-block-tomato.sh
 

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top