Yet another malware block script using ipset (v4 and v6)

[redhat27]

Thank you! Do feel free to submit a PR to contribute your changes, or fork my repo , even though there isn't much there. That's what open source is all about. The link to my Github repo is in post #1.

I too have an older AC66U: It hasn't given me any problems to incentivize me to upgrade it. This ya-malware-block script runs every 6 hours and that too hasn't given me any reason to change it. It works without issues, and I've left it at that all this time. To be quite frank, I haven't tinkered around with the router much in the recent months, except updating the pixelserv-tls with kvic's excellent work.

 

[c84]

Thank you! Do feel free to submit a PR to contribute your changes, or fork my repo , even though there isn't much there. That's what open source is all about. The link to my Github repo is in post #1.

I too have an older AC66U: It hasn't given me any problems to incentivize me to upgrade it. This ya-malware-block script runs every 6 hours and that too hasn't given me any reason to change it. It works without issues, and I've left it at that all this time. To be quite frank, I haven't tinkered around with the router much in the recent months, except updating the pixelserv-tls with kvic's excellent work.

Thanks a lot for the answer! The AC66U works as a charm here, so I'll do the same as you. If I or a friend make any changes to your code, I'll sure mention you. Wish you the best with the family, I'd rather have kids and a wife, than all this spare time. Others say that's something I'll regret saying after I get a wife and kids, heheh. Best wishes!

 

[MasterBash]

Would this work good with the ac86u?

Also would it make sense to use along with ab-solution and skynet?

 

[mrchow]

Would this work good with the ac86u?

Yup

Also would it make sense to use along with ab-solution and skynet?

It wouldn’t make sense to run skynet and yamalwareblock at the same time. If you install skynet after ya-malware-block, you’d receive an error since it checks if the script is installed. They share similar IPSet lists for blocking malware anyway (assuming you have malware banning enabled in skynet).


Sent from my iPhone using Tapatalk

 

[c84]

Is there an easy way to import this into Windows? My router is no longer supported, so I had to switch back to stock(Asus 66AC, rev 1). Thanks a lot! PS! I know that there is support for xterm in windows, but not sure if this will do the trick.

 

[OKLY]

@redhat27 Even if there is less support for this, does it still require any updating to the script? Or it'll just work fine as long as FireHOL still maintains and updates the list of IP address?

 

[kvic]

@redhat27 Even if there is less support for this, does it still require any updating to the script? Or it'll just work fine as long as FireHOL still maintains and updates the list of IP address?

Exactly.

No break no fix. Keep it simple.

Also note that IP blacklist's primary benefit is blocking outgoing traffic to malicious sites. By that if you happen to frequently see such blocked traffic, means some of your LAN clients are possibly infected already.

Hence, in addition, you'd better turn on anti-virus (Norton/Kaspersky/Ai-Protection/etc). These will give you a far better idea of what's going on and provides further protection.

 

[who me?]

I tried to install the Tomato version of ya-malware-block, but ended up losing connection and doing a full reset. Are there posted step-by-step instructions for installing the Tomato version, or would someone be willing to walk me through it? The router is an Asus RT-AC56R running FreshTomato 2018.4 AIO.
Thank you very much.

 

[redhat27]

@who me?
One of the things I would check carefully is the download path for the white or black lists. If /jffs does not exist on your router, it will fail. Can you give me a top-level default directory for your router with tomato?

 

[who me?]

Thank you for your reply. I had enabled JFFS (did not reboot after doing this) and then ran the wget script in post 295 of this thread.
How do I get the default directory? I apologize for my noobishness.

 

[redhat27]

You do need a "apply" after enabling jffs. Not sure if a reboot is needed for tomato. @HRearden did confirm it worked for him on #320
I would try doing the install from the command line (ssh/telnet session) as detailed on post #1, after creating a /jffs/scripts directory

 

[who me?]

It looks like jffs is the problem.
Formatting jffs gives an error at the end, saying to check the logs for more information. The same exact error appears in the log with no other details.

I created the /jffs/scripts directory, followed the instructions in post 1 and edited the "wget" url for the Tomato version. Progress went to 100 instantly. Running the "chmod" code got this:
chmod: /jffs/scripts/ya-malware-block-tomato.sh: No such file or directory

There doesn't seem to be any trouble with logging bandwidth on a USB stick. What would I need to do to run the script from the USB stick instead of jffs?
Thank you again.

 

[redhat27]

@who me? Please change the storage locations to a valid locations on your usb stick on lines 5,6,7 in the script

 

[who me?]

@who me? Please change the storage locations to a valid locations on your usb stick on lines 5,6,7 in the script

Done, including the edits to lines 5,6 and 7. Thank you very much.
Script run time was 38 seconds.

 

[kvic]

Script run time was 38 seconds.

Not bad!

 

[who me?]

JFFS seems to work after all. I made a mistake in the script filename (see post 492) . The script is in /jffs/scripts (checked with vi), but running it with "/jffs/scripts/ya-malware-block.sh" gets this:
root@unknown:/tmp/home/root# /jffs/scripts/ya-malware-block.sh
/jffs/scripts/ya-malware-block.sh: Adding ya-malware-block rules to firewall...
>>> Downloading and aggregating malware sources (also processing whitelists)...wget: bad address 'raw.githubusercontent.com'
wget: bad address 'raw.githubusercontent.com'
wget: bad address 'raw.githubusercontent.com'
wget: bad address 'raw.githubusercontent.com'
wget: not an http or ftp url: #https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level4.netset
wget: bad address 'raw.githubusercontent.com'
wget: bad address 'raw.githubusercontent.com'
wget: bad address 'raw.githubusercontent.com'
wget: bad address 'raw.githubusercontent.com'
wget: bad address 'raw.githubusercontent.com'
wget: bad address 'raw.githubusercontent.com'
wget: bad address 'raw.githubusercontent.com'
wget: bad address 'raw.githubusercontent.com'
wget: bad address 'raw.githubusercontent.com'
wget: bad address 'raw.githubusercontent.com'
wget: bad address 'raw.githubusercontent.com'
wget: bad address 'raw.githubusercontent.com'
^Z[1]+ Stopped /jffs/scripts/ya-malware-block.sh
root@unknown:/tmp/home/root#

I didn't know how long it would have kept going, so I used Ctrl-Z to stop it.
I tried copying and pasting "https://raw.githubusercontent.com/shounak-de/misc-scripts/master/" into a web browser, and got this: "400: Invalid request".

Same problem now with the USB stick, which was working before.

 

[kvic]

Same problem now with the USB stick, which was working before.

"wget: bad address" error has to do with DNS servers (e.g. dnsmasq, unbound etc). Check what your system use and how it's configured. Test independently with another tool such as "nslookup" on raw.githubusercontent.com.

It could be simply a config error in your DNS servers. Or perhaps your upstream DNS servers are blocking GitHub's domains..unlikely but possible.

 

[who me?]

"wget: bad address" error has to do with DNS servers (e.g. dnsmasq, unbound etc). Check what your system use and how it's configured. Test independently with another tool such as "nslookup" on raw.githubusercontent.com.

It could be simply a config error in your DNS servers. Or perhaps your upstream DNS servers are blocking GitHub's domains..unlikely but possible.

Thank you. Changing DNS servers didn't help. Here's the result from nslookup (Mac version).

nslookup raw.githubusercontent.com
Server: 192.168.1.1
Address: 192.168.1.1#53

Non-authoritative answer:
raw.githubusercontent.com canonical name = github.map.fastly.net.
Name: github.map.fastly.net
Address: 151.101.0.133
Name: github.map.fastly.net
Address: 151.101.64.133
Name: github.map.fastly.net
Address: 151.101.128.133
Name: github.map.fastly.net
Address: 151.101.192.133

 

[kvic]

Thank you. Changing DNS servers didn't help. Here's the result from nslookup (Mac version).

I haven't run into the same error myself and I don't have a readily working solution for you. Google seems to tell it's not an uncommon error. I believe if you look into wget's source code (if that's comfortable with you), you should have a good chance to understand what causes the error.

 

[kvic]

I had some time looking into wget. I suggest you reduce the number of lists in your run (perhaps take it to the extreme minimal). See if you get a different error.

@who me? let me know if this helps..