What's new

Yet another malware block script using ipset (v4 and v6)

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Sorry. It may require a reboot for the items in profile.add to take affect. You can try running it on the command line by being in the /jffs/configs directory, then typing ./profile.add

But it should be a shell only script per the wiki
https://github.com/RMerl/asuswrt-merlin/wiki/Custom-config-files. Double check it is executable as well.

Mine does not have the #!/bin/sh on the first line like I do with other scripts.
Scripts in the /jffs/configs/ folder don't need to be set as executable nor do they need a shebang (just to make this clear).
They just add to the config files and are not scripts that run commands.
This is different for the /jffs/scripts/ folder where you place scripts that run either their own code or add/replace by way of shell commands.
Don't confuse users.
 
Sorry. It may require a reboot for the items in profile.add to take affect. You can try running it on the command line by being in the /jffs/configs directory, then typing ./profile.add

But it should be a shell only script per the wiki
https://github.com/RMerl/asuswrt-merlin/wiki/Custom-config-files. Double check it is executable as well.

Mine does not have the #!/bin/sh on the first line like I do with other scripts.

Sweet... that worked for changing the cache-size. Can I give you a hug now?
 
Scripts in the /jffs/configs/ folder don't need to be set as executable nor do they need a shebang (just to make this clear).
They just add to the config files and are not scripts that run commands.
This is different for the /jffs/scripts/ folder where you place scripts that run either their own code or add/replace by way of shell commands.
Don't confuse users.
Thanks for clarifying. It was many moons ago I had last touched this file or did anything with it.

I reread the wiki (made more sense with the second pass) and see including an example of profile.add would be helpful. I wiill see what I can do to motivate myself to make it happen.:rolleyes:
 
Last edited:
@redhat27 Can you tell me simply if you can exempt a single ip address on your network from ya-malware-block protection? Sort of like dmz.
 
@redhat27 Can you tell me simply if you can exempt a single ip address on your network from ya-malware-block protection? Sort of like dmz.

I don't know of a straightforward way. Have you actually tried putting that IP in DMZ? Others can chime in if they know.
I would question why you'd want to do this... Is it one particular device getting blocked all too often? It's easy to whitelist...
 
I don't know of a straightforward way. Have you actually tried putting that IP in DMZ? Others can chime in if they know.
I would question why you'd want to do this... Is it one particular device getting blocked all too often? It's easy to whitelist...
Thanks! I have a Linux media box I would like to get more use of. Seems a lot of my stream sources may be blocked I was hoping to test. However when I connect the box to my cell phone hot spot boom everything works like it should.....do you follow me?

I'm willing to accept the fact that I'm better off with the protection I'm just trying to figure this out.
 
Thanks! I have a Linux media box I would like to get more use of. Seems a lot of my stream sources may be blocked I was hoping to test. However when I connect the box to my cell phone hot spot boom everything works like it should.....do you follow me?

I'm willing to accept the fact that I'm better off with the protection I'm just trying to figure this out.
This is what I use to whitelist... I ping the blocked source (lets say xyz.com/whatever is blocked) I'll ping xyz.com and get the IP (there will be no responses as its blocked, just knowing the IP is good enough to unblock). Just append that IP to /jffs/ipset_lists/ya-malware-block.whites and re-run the ya-malware-block.sh script. It should be unblocked immediately after that.
 
This is what I use to whitelist... I ping the blocked source (lets say xyz.com/whatever is blocked) I'll ping xyz.com and get the IP (there will be no responses as its blocked, just knowing the IP is good enough to unblock). Just append that IP to /jffs/ipset_lists/ya-malware-block.whites and re-run the ya-malware-block.sh script. It should be unblocked immediately after that.
Speaking about the router where is a good place to find or what is a good way to check for connections made and refused by the router? Sys log shows nothing but would dropped packet logging or inbound packet dropping shed some light on the needed info to unblock??
 
You can enable firewall logging of DROPped packets. In addition you need to change the ya-malware-block.sh script in two places (search for the text DROP and replace it with logdrop). Reboot to take effect. Be aware that it will add volume to the syslog where each packet dropped will be logged.
 
You can enable firewall logging of DROPped packets. In addition you need to change the ya-malware-block.sh script in two places (search for the text DROP and replace it with logdrop). Reboot to take effect. Be aware that it will add volume to the syslog where each packet dropped will be logged.
Thank you exactly what I need I can engage to track and then disable thank you again!!!!
 
I'll have to white list this address i'm blocked........lol
Yep, I had to do the same thing last night. I tried to access GitHub.com and got a blank page. I used MatchIP to find out where it was blocked. I recently expanded ya-malware-filter to include the fourth list. That is what did it.
 
Installed.
Much appreciated!

Code:
Jul 26 21:32:44 Firewall: ya-malware-block.sh: Loaded sets YAMalwareBlock1IP (65535) YAMalwareBlock2IP (36671) and YAMalwareBlockCIDR (6156) in 36 seconds
 
After using this script for a bit longer than a day - I feel lonely...

No more scrip-kiddies from all over the world trying to brute-force me :). Before it was like 10 - 30 different IP's.

Looks like quality of block lists by FireHOL is really good. So far I have no false positives (using default levels 1, 2 and 3). And thanks to redhat27 for bringing this goodness to us.

From my point of view this way of blocking pesky IPs is better and more flexible than geofencing entire countries.

Peace and tranquility! :).
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Staff online

Top