What's new

Yet another malware block script using ipset (v4 and v6)

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

It is indeed very strange.

@Csection Can you tell me a bit how you are running the latest script? From the command prompt or at startup? Did the syslog give any clues what it was doing before the lock-up?

Also, can anybody else with ipset v6.x run the latest version and let me know if it locks up or runs okay?
 
It is indeed very strange.

@Csection Can you tell me a bit how you are running the latest script? From the command prompt or at startup? Did the syslog give any clues what it was doing before the lock-up?

Also, can anybody else with ipset v6.x run the latest version and let me know if it locks up or runs okay?
I am running it from the command-line. I always try to test scripts before I put them into auto-run mode.
I cannot provide any log info cause the router locks up and has to be unplugged to restart it. Even SSH prompt is locked up.

When it reboots, it is set up to autorun ya-malware ver. 2.3 at startup which runs just fine.
 
I am running it from the command-line. I always try to test scripts before I put them into auto-run mode.
I cannot provide any log info cause the router locks up and has to be unplugged to restart it. Even SSH prompt is locked up.

When it reboots, it is set up to autorun ya-malware ver. 2.3 at startup which runs just fine.
Something to do with whitelisting of LAN IPs maybe?
 
Something to do with whitelisting of LAN IPs maybe?
Jack!
I can't tell what it's doing cause it locks up my SSH and I get locked out of everything till I reboot.
Broswer gives the "Cannot access 192.168.1.1" page.

That is why I don't implement a script until I test it first.
 
Jack!
I can't tell what it's doing cause it locks up my SSH and I get locked out of everything till I reboot.
Broswer gives the "Cannot access 192.168.1.1" page.

That is why I don't implement a script until I test it first.
I more meant did you make sure the whitelist exists and covers your LAN IPs, I can't see any changes looking at commits that changed anything other than the output messages
 
I more meant did you make sure the whitelist exists and covers your LAN IPs, I can't see any changes looking at commits that changed anything other than the output messages
Thanks again, Jack!
I'll check for the whitelist and let you know.
 
Thanks again, Jack!
I'll check for the whitelist and let you know.
You got it, Jack!
I forgot to change the location of the black/white list.
I have it setup to use USB location.
I thought of it when I was setting it up, but I forgot to change it.
Thanks, as usual!
 
Thank @Jack Yaz for honing in on the problem.

@Csection I'm curious: Do you not have /jffs at all? Because if you did, the script should have downloaded the default whitelist file in /jffs/ipset_lists/ya-malware-block.whites
 
I have all 4 level enabled and everything is running fine!!!!
 
Thank @Jack Yaz for honing in on the problem.

@Csection I'm curious: Do you not have /jffs at all? Because if you did, the script should have downloaded the default whitelist file in /jffs/ipset_lists/ya-malware-block.whites
Yes!
I have jffs, but I have the script coded to use my USB stick and it could not locate the "White list" as Jack stated, so it banned all my local ip's. I initially forgot to point at the USB.It may have been trying to create new ones in /jffs, but it locked up before it finished somehow and locked me up.
That is all I can say cause I was not able to get any logs after running it.
Thank you for the reply!
 
Thanks for the update @redhat27. Updated scripts works good on my end. I installed on one of my routers. First with level 1 to 3 enabled. Then, followed by level 4.

Code:
./ya-malware-block.sh: Adding ya-malware-block rules to firewall...
>>> Downloading and aggregating malware sources (also processing whitelists)...[128118/118441/9677] ~13s
>>> Adding data and processing rule for YAMalwareBlock1IP... ~4s
>>> Adding data and processing rule for YAMalwareBlock2IP... ~3s
>>> Adding data and processing rule for YAMalwareBlockCIDR... ~0s
>>> Cleaning up... ~0s
./ya-malware-block.sh: Loaded sets YAMalwareBlock1IP (65535) YAMalwareBlock2IP (52906) and YAMalwareBlockCIDR (9677) in 20 seconds

Code:
./ya-malware-block.sh: Adding ya-malware-block rules to firewall...
>>> Downloading and aggregating malware sources (also processing whitelists)...[223365/211132/12233] ~18s
>>> Adding data and processing rule for YAMalwareBlock1IP... ~4s
>>> Adding data and processing rule for YAMalwareBlock2IP... ~4s
>>> Adding data and processing rule for YAMalwareBlock3IP... ~4s
>>> Adding data and processing rule for YAMalwareBlock4IP... ~1s
>>> Adding data and processing rule for YAMalwareBlockCIDR... ~1s
>>> Cleaning up... ~0s
./ya-malware-block.sh: Loaded sets YAMalwareBlock1IP (65535) YAMalwareBlock2IP (65535) YAMalwareBlock3IP (65535) YAMalwareBlock4IP (14527) and YAMalwareBlockCIDR (12233) in 32 seconds

I will install on the other two routers later today.
 
I think my noob stupidity has it all working now. I uncommented the level #url and it looks like that everything is there. Is there a place or way to confirm the rules are add/active?
 
I think my noob stupidity has it all working now. I uncommented the level #url and it looks like that everything is there. Is there a place or way to confirm the rules are add/active?
Put this in /jffs/configs/profile.add

Code:
alias blockstats='iptables -vL | sed "2q;d"; (iptables -vL -t raw; iptables -vL) | grep "match-set"; ip6tables -vL | grep "match-set"'
Change permission to be executable e.g. chmod 755 profile.add

It will run when you start SSH session. Then, enter the command blockstats. You can see the pkts dropped.

Code:
 pkts bytes target     prot opt in     out     source               destination
    1    40 DROP       all  --  any    any     anywhere             anywhere             match-set YAMalwareBlock4IP src
 3011  156K DROP       all  --  any    any     anywhere             anywhere             match-set YAMalwareBlockCIDR src
  114  6000 DROP       all  --  any    any     anywhere             anywhere             match-set YAMalwareBlock3IP src
 1391 91790 DROP       all  --  any    any     anywhere             anywhere             match-set YAMalwareBlock2IP src
 2690  161K DROP       all  --  any    any     anywhere             anywhere             match-set YAMalwareBlock1IP src
 
Last edited:
Ok, did that, it's telling me "blockstats" is not found.
 
I am running Merlin's latest Beta, fyi. Factory reset and all that jazz... anything you'd like me to try?
 
I am running Merlin's latest Beta, fyi. Factory reset and all that jazz... anything you'd like me to try?
Sorry. It may require a reboot for the items in profile.add to take affect. You can try running it on the command line by being in the /jffs/configs directory, then typing ./profile.add

But it should be a shell only script per the wiki
https://github.com/RMerl/asuswrt-merlin/wiki/Custom-config-files. Double check it is executable as well.

Mine does not have the #!/bin/sh on the first line like I do with other scripts.
 
Last edited:
Sorry. It may require a reboot for the items in profile.add to take affect. You can try running it on the command line by being in the /jffs/configs directory, then typing ./profile.add

But it should be a shell only script per the wiki
https://github.com/RMerl/asuswrt-merlin/wiki/Custom-config-files. Double check it is executable as well.

Working on getting an EXT4 drive put together now. I thank you for your help and patience with me. I really do appreciate it and am learning quite a bit.
 

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top