What's new

Yet another malware block script using ipset (v4 and v6)

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

@redhat27:
Thank you VERY MUCH! The script does not show any errors in Tomato logs neither when run via SSH.
Is there other simple way to check if its working?

P.
 
You can use next command to monitor malware packets been dropped

iptables -vL -t raw

If you see chain pkts counter goes up that means your firewall is doing it's thing.
 
thanks for this as i've been wondering if it was possible to do it!
/jffs/scripts/ya-malware-block.sh: Loaded sets YAMalwareBlock1IP (53445) and YAMalwareBlockCIDR (5811) in 11 seconds

RT-AC68U here on a gigabit fibre connection. I'll see if any of my regular sites break and then play around with the whitelist mentioned on page 1!
cheers
peter
 
Last edited:
thanks for this as i've been wondering if it was possible to do it!
/jffs/scripts/ya-malware-block.sh: Loaded sets YAMalwareBlock1IP (53445) and YAMalwareBlockCIDR (5811) in 11 seconds

RT-AC68U here on a gigabit fibre connection. I'll see if any of my regular sites break and then play around with the whitelist mentioned on page 1!
cheers
peter

Have a look at post #420.
You can make the script even better by implementing what's mentioned there.
(Put the code in between the "esac" and "startTS" command to the ya-malware-block.sh script.)

I hope @redhat27 will add this, but he seems to be offline quite a lot.
 
Last edited:
Have a look at post #420.
You can make the script even better by implementing what's mentioned there.
(Put the code in between the "esac" and "startTS" command to the ya-malware-block.sh script.)

I hope @redhat27 will add this, but he seems to be offline quite a lot.

Version 2.5 (just uploaded in github) will take care of the issue of removing older ipsets and rules if they are no longer needed.
 
Thx!

Also read your Git comment.
To make sure I understand it correct.

I don't change my ya-malware-block.urls file at all.
It's just the active urls in it make I often go up and down around 65k.
Simply because the content changes a bit grabbed from the urls.

Does your change account for that?
 
I don't change my ya-malware-block.urls file at all.
Apologies, I had misunderstood. Regardless, this version should take care of it. Thanks for pushing me to do it. BTW: I should post a similar fix to your other gihub issue soon (create-ipset-lists.sh)

Does your change account for that?
Yes, and just to test it, you can edit the /jffs/ipset_lists/ya-malware-block.urls file and uncomment the level4 url, run it (it creates few more ipsets) check the iptable rules and ipsets, and then comment it back and run it again. You should see the older ipsets and iptables rules removed.
 
Last edited:
Apologies, I had misunderstood. Regardless, this version should take care of it. Thanks for pushing me to do it. BTW: I should post a similar fix to your other gihub issue soon (create-ipset-lists.sh)


Yes, and just to test it, you can edit the /jffs/ipset_lists/ya-malware-block.urls file and uncomment the level4 url, run it (it creates few more ipsets) check the iptable rules and ipsets, and then comment it back and run it again. You should see the older ipsets and iptables rules removed.

Tested as you suggested and works like a charm. :D

Just want to make sure the script isn't looking at the ya-malware-block.urls file being edited or something like that.
Because, in my case, that file is always the same and not the issue here.

As a script noob I can't understand how you fixed it because the script is just too complicated for me. :oops:
Hence my question.
 
No, it's not looking at .urls being edited :)

I've added some new lists to the .urls file in github. These are not included in FireHOL levels 1 through 4:

Counts are as of the time of writing this post and will vary over time:
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/alienvault_reputation.ipset (68255 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/bbcan177_ms1.netset (2565 subnets, 5268567 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/bbcan177_ms3.netset (1146 subnets, 30151694 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/bds_atif.ipset (5022 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/blocklist_de_bots.ipset (143 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/blocklist_de_ssh.ipset (11261 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/blocklist_de_strongips.ipset (104 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/dyndns_ponmocup.ipset (163 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/et_block.netset (1980 subnets, 24411811 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/et_botcc.ipset (728 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/et_compromised.ipset (1801 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/hphosts_exp.ipset (314 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/hphosts_hjk.ipset (57 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/hphosts_mmt.ipset (1136 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/ransomware_feed.ipset (5216 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/ransomware_locky_ps.ipset (3 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/taichung.ipset (10694 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/urandomusto_ssh.ipset (410 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/urandomusto_telnet.ipset (445 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/uscert_hidden_cobra.ipset (627 unique IPs)
Users of this script can update their ya-malware-block.urls file from the GitHub version if they choose to include these additional lists
 
No, it's not looking at .urls being edited :)

I've added some new lists to the .urls file in github. These are not included in FireHOL levels 1 through 4:

Counts are as of the time of writing this post and will vary over time:
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/alienvault_reputation.ipset (68255 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/bbcan177_ms1.netset (2565 subnets, 5268567 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/bbcan177_ms3.netset (1146 subnets, 30151694 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/bds_atif.ipset (5022 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/blocklist_de_bots.ipset (143 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/blocklist_de_ssh.ipset (11261 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/blocklist_de_strongips.ipset (104 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/dyndns_ponmocup.ipset (163 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/et_block.netset (1980 subnets, 24411811 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/et_botcc.ipset (728 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/et_compromised.ipset (1801 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/hphosts_exp.ipset (314 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/hphosts_hjk.ipset (57 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/hphosts_mmt.ipset (1136 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/ransomware_feed.ipset (5216 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/ransomware_locky_ps.ipset (3 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/taichung.ipset (10694 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/urandomusto_ssh.ipset (410 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/urandomusto_telnet.ipset (445 unique IPs)
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/uscert_hidden_cobra.ipset (627 unique IPs)
Users of this script can update their ya-malware-block.urls file from the GitHub version if they choose to include these additional lists
Should these new lists be just appended to the bottom of the .url file.
I have already updated to 2.5.
 
Should these new lists be just appended to the bottom of the .url file.
I have already updated to 2.5.
You can simply replace your .urls file. Let the script redownload it on the next run:
Code:
rm /jffs/ipset_lists/ya-malware-block.urls
or download it yourself:
Code:
wget --no-check-certificate -O /jffs/ipset_lists/ya-malware-block.urls https://raw.githubusercontent.com/shounak-de/misc-scripts/master/ya-malware-block.urls

Uncomment Level4 if you want
 
Version 2.5 is working great! :)

Also deleted ya-malware-block.urls to get the new one.
A lot of new urls!
I was still using the below urls because of the recent GitHub drama. ;)

Is it OK if we use Git now?

In the new ya-malware-block.urls file a lot is active. (No # sign in front.)
What about false positives?
Run into that before and then the family goes :mad:. :D
 
I would tend to be an optimist and think that GitHub incident to be a one-off. Let's see if that recurs.
Regarding false positives, I think if a site gets blocked, or something stops working, it should be fairly easy to whitelist: Just ping the domain to verify its blocked, and if it is, then just add that IP to the .whites file and rerun the script. A family typically has a handful of favourite sites (at least mine does) and I've whitelisted what I've seen blocked (I have Level4 active)
 
Need some help

I am having this

/jffs/scripts/ya-malware-block.sh
/jffs/scripts/ya-malware-block.sh: Adding ya-malware-block rules to firewall...
>>> Downloading and aggregating malware sources (also processing whitelists)...[87619/80687/6932] ~18s
>>> Adding data and processing rule for YAMalwareBlock1IP...Can't find library for match `webstr'
~4s
>>> Adding data and processing rule for YAMalwareBlock2IP...Can't find library for match `webstr'
~1s
>>> Adding data and processing rule for YAMalwareBlockCIDR...Can't find library for match `webstr'
~1s
>>> Cleaning up... ~0s
/jffs/scripts/ya-malware-block.sh: Loaded sets YAMalwareBlock1IP (65535) YAMalwareBlock2IP (15152) and YAMalwareBlockCIDR (6932) in 24 seconds


but this shows right

iptables -vL -t raw
Chain PREROUTING (policy ACCEPT 223K packets, 185M bytes)
pkts bytes target prot opt in out source destination
63 3507 DROP all -- any any anywhere anywhere match-set YAMalwareBlockCIDR src
126 5967 DROP all -- any any anywhere anywhere match-set YAMalwareBlock2IP src
194 11880 DROP all -- any any anywhere anywhere match-set YAMalwareBlock1IP src

Chain OUTPUT (policy ACCEPT 16415 packets, 4212K bytes)
pkts bytes target prot opt in out source destination

Any idea?
 
ASUS RT-AC66U, ASUSWRT Merlin 380 68 4
Thank you. Can you post the output of these?
Code:
ipset --version
iptables --version
Also, do you get the 'webstr' library error on each run of the script, or just the first time?
 
ipset --version
ipset v4.5, protocol version 4.
Kernel module protocol version 4.

iptables --version
iptables v1.4.21

each time
 
ipset --version
ipset v4.5, protocol version 4.
Kernel module protocol version 4.

iptables --version
iptables v1.4.21

each time
Sorry for the late reply. I'm assuming that you are running the script unmodified. Let me know if that is not the case.

Do you get any output when you issue these commands:
Code:
iptables-save | grep -q YAMalwareBlockCIDR && echo "found"

iptables -t raw -I PREROUTING -m set --set YAMalwareBlockCIDR src -j DROP
 

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Staff online

Top