
Yet another malware block script using ipset (v4 and v6)


I have installed ya-malware-blocker-tomato.sh in Tomato by Shibby 1.40 Multiwan, in the /jffs/scripts folder, and did "chmod a+rx /jffs/scripts/*". However, I do get some errors; please help:

./ya-malware-blocker-tomato.sh
./ya-malware-blocker-tomato.sh: Adding ya-malware-block rules to firewall...
>>> Downloading and aggregating malware sources (also processing whitelists)...wget: not an http or ftp url: #https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level4.netset
[47509/41575/5934] ~3s
>>> Adding data and processing rule for YAMalwareBlock1IP..../ya-malware-blocker-tomato.sh: line 22: iptables-save: not found
~2s
>>> Adding data and processing rule for YAMalwareBlockCIDR..../ya-malware-blocker-tomato.sh: line 23: iptables-save: not found
~1s
>>> Cleaning up... ~0s
./ya-malware-blocker-tomato.sh: Loaded sets YAMalwareBlock1IP (41575) and YAMalwareBlockCIDR (5934) in 7 seconds
 
I'm using Merlin's firmware. I'm not familiar with Tomato, but it looks like in your version there is no iptables-save command.

You can ignore the first error; this is just wget reporting on the commented-out line with the level4 list. Then we see the script fetched a 47k IP list, so this part is working fine. But there is no iptables-save command to be found.

Try to find out if this command comes with your firmware or needs to be installed separately from other sources.

PS: did you see that the author of the ya-malware script tested it on Tomato 2.3 and 2.4? And yours is 1.4
 
(...) did you see that the author of the ya-malware script tested it on Tomato 2.3 and 2.4? And yours is 1.4

@VZ3:
There are no 2.3 and 2.4 Tomato firmwares AFAIK.
This is the kernel version.

Tomato 1.28 v.140 is based on (uname -a):

Linux 2.6.36.4

How can I DL the missing part?


Sent from iPad using Tapatalk Pro
 
Script 2.4 was running fine for quite a while.
Now all of a sudden I am getting this:
./ya-malware-block.sh: Loaded sets YAMalwareBlock1IP (73) and YAMalwareBlockCIDR (1) in 2 seconds.
Can you please advise?
I have been on 380.68.0 for about a week now.
This is also showing up in syslog.
 
Most probably, due to the repo being down, it can't populate the lists with anything other than your blacklist.
 

We need to find new URLs for the IP block lists.
I guess we have hammered GitHub with read requests, and the administration does not like it and has blocked the repository.
PS: well, it looks like it's not us reading too much; it's automatic scripts updating the lists too often.
They contacted GitHub and are waiting on a response.

Edit: ok, Firehol provided a local copy of the ipset lists, so we need to replace the GitHub addresses in ya-malware-blocks.urls with the corresponding local ones, like this:
https://iplists.firehol.org/files/firehol_level1.netset
https://iplists.firehol.org/files/firehol_level2.netset
https://iplists.firehol.org/files/firehol_level3.netset
 
Also, let's make the time when our routers hit the firehol server for updates a bit random.

Imagine if thousands of clients hit the firehol server at exactly the same time, like 0:00, then 6:00, then 12:00, then 18:00. It will look like a DoS attack.

At least put some random minute number into your cron schedule, so instead of

cru a UpdateYAMalwareBlock "0 */6 * * * /jffs/scripts/ya-malware-block.sh"

use your own random minute, say 11, like this:

cru a UpdateYAMalwareBlock "11 */6 * * * /jffs/scripts/ya-malware-block.sh"

Well, we are in different time zones, but I guess there are only so many of them, and the traffic surge at the beginning of the hour might push the server close to its limits.
 
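The two suggestions in the post above (point the .urls file at the iplists.firehol.org mirror, and give each router its own cron minute) as one added shell example. This is not code from the ya-malware-block project; the .urls sample is constructed from the three URLs quoted above plus the commented level4 line from the first post, the nvram variable name `lan_hwaddr` is an assumption about Asuswrt-Merlin, and the script path is the one used on this page. Only POSIX sh and busybox-style tools (sed, cksum, cut) are used so it runs on a router.

```shell
#!/bin/sh
# Added example, not part of ya-malware-block:
#  (1) rewrite GitHub raw URLs in a .urls list to the iplists.firehol.org mirror,
#      dropping commented-out lines so wget is never handed "#https://...";
#  (2) derive a stable per-router jitter minute for the cru schedule.

# Map one raw.githubusercontent.com URL for firehol/blocklist-ipsets to the mirror.
# Any other URL passes through unchanged.
firehol_mirror_url() {
    printf '%s\n' "$1" | sed \
        's#^https://raw\.githubusercontent\.com/firehol/blocklist-ipsets/master/#https://iplists.firehol.org/files/#'
}

# Rewrite a whole .urls file read on stdin; blank and '#' lines are skipped.
rewrite_urls() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        firehol_mirror_url "$line"
    done
}

# Minute in 0..59 derived from a seed string. cksum is POSIX and busybox has it,
# so the same router always gets the same minute without needing $RANDOM.
jitter_minute() {
    sum=$(printf '%s' "$1" | cksum | cut -d' ' -f1)
    echo $(( sum % 60 ))
}

# Schedule argument for cru: every 6 hours at the chosen minute.
cru_schedule() {
    printf '%s */6 * * * %s\n' "$1" "${2:-/jffs/scripts/ya-malware-block.sh}"
}

# Seed from the LAN MAC (nvram variable name is an assumption for Asuswrt-Merlin),
# falling back to the hostname on anything that has no nvram.
router_seed() {
    if command -v nvram >/dev/null 2>&1; then
        nvram get lan_hwaddr
    else
        hostname 2>/dev/null || echo unknown-host
    fi
}

# Constructed sample .urls content (the commented level4 line mirrors the one on this page).
SAMPLE_URLS='https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level2.netset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level3.netset
#https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level4.netset'

printf '%s\n' "$SAMPLE_URLS" | rewrite_urls
echo "cru a UpdateYAMalwareBlock \"$(cru_schedule "$(jitter_minute "$(router_seed)")")\""
```

Deriving the minute from the MAC instead of rolling dice means the schedule survives a reboot or a re-run of the install steps unchanged, while different routers still spread across the hour.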
Makes sense.

I picked a random minutes number, which I will not tell you. :p
So it stays random. :D
 
I'm sorry for my long absence :(

@Builder71 Appreciate your effort in removing unused sets; I'll take a look when I get some time. I believe, like @VZ3 pointed out, this may not be of much concern.
@Jack Yaz and @VZ3 Thanks as always for helping out.
@Przem I believe you should be able to substitute "iptables -t raw -L" for "iptables-save". I have edited the Tomato version to reflect this. Can you test it if possible and let me know if that helped?

I apologize again for my sporadic presence lately.
 
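Why the substitution suggested above works, as an added shell example that is not the ya-malware-block script's own code: both `iptables-save` and `iptables -t raw -L -v` print an ipset match as `match-set <name> src|dst`, so one grep serves either. The two listings are constructed samples using the set names from this page; that the rules sit in the raw table's PREROUTING chain and match on `src` is an assumption (the page only shows `-t raw`).

```shell
#!/bin/sh
# Added example, not from ya-malware-block: check whether a rule for an ipset is present,
# using iptables-save where the firmware ships it and "iptables -t raw -L" where it does not
# (the Tomato case in this thread).

# Dump the raw table with whichever tool exists. Both output formats contain the
# text "match-set <name> <src|dst>" for an ipset match.
list_raw_rules() {
    if command -v iptables-save >/dev/null 2>&1; then
        iptables-save -t raw
    else
        iptables -t raw -L -n -v
    fi
}

# Return 0 if the listing in $1 references set $2, 1 otherwise. The trailing space
# stops "YAMalwareBlock1" from matching "YAMalwareBlock1IP".
set_rule_present() {
    printf '%s\n' "$1" | grep -q -- "match-set $2 "
}

# Constructed iptables-save style listing (chain and direction are assumptions).
SAVE_LISTING='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -m set --match-set YAMalwareBlock1IP src -j DROP
-A PREROUTING -m set --match-set YAMalwareBlockCIDR src -j DROP
COMMIT'

# Constructed "iptables -t raw -L -n -v" style listing of the same rules.
L_LISTING='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set YAMalwareBlock1IP src
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set YAMalwareBlockCIDR src'

# On a router (as root): insert the rule only when it is missing, so re-running the
# script does not stack duplicate rules.
add_rule_if_missing() {
    listing=$(list_raw_rules 2>/dev/null) || return 1
    if set_rule_present "$listing" "$1"; then
        echo "rule for $1 already present"
    else
        iptables -t raw -I PREROUTING -m set --match-set "$1" src -j DROP
    fi
}

set_rule_present "$SAVE_LISTING" YAMalwareBlock1IP && echo "found in iptables-save output"
set_rule_present "$L_LISTING" YAMalwareBlockCIDR && echo "found in iptables -L output"
```

`iptables -S` would be the closer replacement for `iptables-save` output, but it needs a newer iptables than old Tomato builds carry, which is why `-L` is the safe fallback.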
I am using the ASUS firewall + this malware script. I have a few IP cameras for which I have manually blocked outside network access, both within the camera (Foscam settings) and on the router (network services filter). For the router, I entered the IP address of the camera (static), then blocked ports 1 through something like 65000. I turned on the firewall logging and see lots of DROPs from my cameras, but this one seems to have snuck through:

Oct 4 16:18:54 kernel: ACCEPT IN=br0 OUT=eth0 SRC=192.168.1.XXX DST=211.115.194.21 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=4492 DF PROTO=UDP SPT=60013 DPT=123 LEN=56

I typed in the destination IP address into an IP search website and it came up with some network in Korea, possibly the "Korea Network Information Center." Should I be worried about this? Is this possibly just the camera trying to get an updated date/time stamp?
 
For the Foscam cameras: they like to keep a "heartbeat" thingy for the cloud services, the kind of thing Foscam uses for its application in order to connect through their hosted server. And it's impossible to turn it off through the Foscam UI.

The sure way to block this shady behavior is to not specify a gateway in the IP camera's static address settings.

PS: I have contacted Foscam regarding my camera, explained the same problem to them, and they sent me a non-official patch which stopped that heartbeat.
 
Thanks for the info. I thought that the network services filter in Merlin would help block it, but I had also tried parental controls and typing in a fake gateway. However, those last two options caused my camera viewing app on my phone to stop working, so I had to turn them off. I use OWLR on my iPhone, after using OpenVPN to get into my home network.
 
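The ACCEPT line quoted above is the kind of thing worth auditing for systematically when a device is supposed to be fully blocked (UDP destination port 123 is the NTP port). The following is an added shell example, not code from the original post or from the ya-malware-block project: it parses kernel firewall log lines and lists every ACCEPTed connection leaving via the WAN interface from a given LAN host. The sample log is constructed: the first line is the one from the post with the redacted host octet replaced by .50, the others are made up to show that DROPs and other hosts are not reported.

```shell
#!/bin/sh
# Added example, not from the original post: report ACCEPTed outbound connections from a
# LAN host in kernel firewall log lines, so a "blocked" camera can be checked for leaks.

# Print "PROTO DST DPT" for every "kernel: ACCEPT" line whose SRC is $1 and whose
# OUT interface is eth0 (the WAN interface shown in the log above). Reads stdin.
accepted_egress() {
    awk -v src="$1" '
        /kernel: ACCEPT / && / OUT=eth0 / {
            s = d = p = port = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC")   s = kv[2]
                if (kv[1] == "DST")   d = kv[2]
                if (kv[1] == "PROTO") p = kv[2]
                if (kv[1] == "DPT")   port = kv[2]
            }
            if (s == src) print p, d, port
        }'
}

# Constructed sample: the post's NTP line (host octet filled in as .50), a DROP from the
# same camera, and an ACCEPT from a different host. Only the first should be reported
# for 192.168.1.50.
SAMPLE_LOG='Oct 4 16:18:54 kernel: ACCEPT IN=br0 OUT=eth0 SRC=192.168.1.50 DST=211.115.194.21 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=4492 DF PROTO=UDP SPT=60013 DPT=123 LEN=56
Oct 4 16:18:55 kernel: DROP IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4493 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0
Oct 4 16:19:01 kernel: ACCEPT IN=br0 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10 DF PROTO=TCP SPT=50000 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0'

# Usage on the router would be e.g.:  grep 'kernel:' /tmp/syslog.log | accepted_egress 192.168.1.50
printf '%s\n' "$SAMPLE_LOG" | accepted_egress 192.168.1.50
```

Running this against the real syslog after a day of logging gives the complete list of destinations and ports the camera still reaches, which is what you need before deciding whether a port-range filter or the no-gateway approach from the previous reply is the right fix.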
