├── README.md
├── create-ipset-lists.sh
├── html-dir.sh
├── html-syslog.sh
├── telemetry_and_scanners.txt
├── ya-malware-block-tomato.sh
├── ya-malware-block.blacks
├── ya-malware-block.sh
├── ya-malware-block.urls
└── ya-malware-block.whites
/README.md:
--------------------------------------------------------------------------------
1 | # misc-scripts
2 | Miscellaneous scripts for ASUSWRT
3 |
--------------------------------------------------------------------------------
/create-ipset-lists.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | # snbforums thread:
3 | # https://www.snbforums.com/threads/country-blocking-script.36732/page-2#post-311407
4 |
5 | # Re-download blocklist if locally saved blocklist is older than this many days
6 | BLOCKLISTS_SAVE_DAYS=15
7 |
8 | # For the users of mips routers (kernel 2.x): You can now block sources with IPv6 with country blocklists
9 | # Enable if you want to add huge country IPv6 netmask lists directly into ip6tables rules.
10 | # Also, enabling this will add a *lot* of processing time!
11 | # Note: This has no effect *if* you have ipset v6: It will always use ipset v6 for IPv6 country blocklists regardless of whether this is enabled or not.
12 | USE_IP6TABLES_IF_IPSETV6_UNAVAILABLE=disabled # [enabled|disabled]
13 |
14 | # Block incoming traffic from some countries. cn and pk is for China and Pakistan. See other countries code at http://www.ipdeny.com/ipblocks/
15 | BLOCKED_COUNTRY_LIST="ar au br cn de fr jp kp kr pk ru sa sc tr tw ua vn"
16 |
17 | # Use DROP or REJECT for iptable rule for the ipset. Briefly, for DROP, attacker (or IP being blocked) will get no response and timeout, and REJECT will send immediate response of destination-unreachable (Attacker will know your IP is actively rejecting requests)
18 | # See: http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject and http://serverfault.com/questions/157375/reject-vs-drop-when-using-iptables
19 | IPTABLES_RULE_TARGET=DROP # [DROP|REJECT]
20 |
21 | # Preparing folder to cache downloaded files
22 | IPSET_LISTS_DIR=/jffs/ipset_lists
23 | [ -d "$IPSET_LISTS_DIR" ] || mkdir -p $IPSET_LISTS_DIR
24 |
25 | # Different routers got different iptables and ipset syntax
26 | case $(ipset -v | grep -o "v[4,6]") in
27 | v6)
28 | MATCH_SET='--match-set'; CREATE='create'; ADD='add'; SWAP='swap'; TEST='test'; DELETE='del'; FLUSH='flush'; IPHASH='hash:ip'; NETHASH='hash:net family inet'; NETHASH6='hash:net family inet6'; SETNOTFOUND='name does not exist'
29 | # Loading ipset modules
30 | lsmod | grep -q "xt_set" || \
31 | for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set; do
32 | modprobe $module
33 | done;;
34 | v4)
35 | MATCH_SET='--set'; CREATE='--create'; ADD='--add'; SWAP='--swap'; TEST='--test'; DELETE='--del'; FLUSH='--flush'; IPHASH='iphash'; NETHASH='nethash'; SETNOTFOUND='Unknown set'
36 | # Loading ipset modules
37 | lsmod | grep -q "ipt_set" || \
38 | for module in ip_set ip_set_nethash ip_set_iphash ipt_set; do
39 | modprobe $module
40 | done;;
41 | *)
42 | logger -t Firewall "$0: Unknown ipset version: $(ipset -v). Exiting."
43 | exit 1;;
44 | esac
45 |
46 | # Wait if this is run early on (before the router has internet connectivity) [Needed by wget to download files]
47 | while ! ping -q -c 1 google.com &>/dev/null; do
48 | sleep 1
49 | WaitSeconds=$((WaitSeconds+1))
50 | [ $WaitSeconds -gt 300 ] && logger -t Firewall "$0: Warning: Router not online! Aborting after a wait of 5 minutes..." && exit 1
51 | done
52 | # Block traffic from Tor nodes [IPv4 nodes only]
53 | if [ ! -s "$IPSET_LISTS_DIR/tor.lst" -o -n "$(find $IPSET_LISTS_DIR/tor.lst -mtime +$BLOCKLISTS_SAVE_DAYS -print 2>/dev/null)" ]; then
54 | $(ipset -q $SWAP BlockedCountries BlockedCountries) && ipset $DELETE BlockedCountries 194.63.140.0/22 2>/dev/null
55 | wget -q -O $IPSET_LISTS_DIR/tor.lst "http://torstatus.blutmagie.de/ip_list_all.php/Tor_ip_list_ALL.csv"
56 | touch $IPSET_LISTS_DIR/tor.lst
57 | Action="Add"
58 | $(ipset -q $SWAP TorNodes TorNodes) && ipset $FLUSH TorNodes && Action="Reload"
59 | fi
60 | if $(ipset $SWAP TorNodes TorNodes 2>&1 | grep -q "$SETNOTFOUND"); then
61 | ipset $CREATE TorNodes $IPHASH
62 | Action="Add"
63 | fi
64 | if [ -n "${Action}" ]; then
65 | entryCount=0
66 | for IP in $(cat $IPSET_LISTS_DIR/tor.lst); do
67 | ipset $ADD TorNodes $IP
68 | [ $? -eq 0 ] && entryCount=$((entryCount+1))
69 | done
70 | logger -t Firewall "$0: ${Action}ed TorNodes list ($entryCount entries)"
71 | unset Action
72 | fi
73 | iptables-save | grep -q TorNodes || iptables -I INPUT -m set $MATCH_SET TorNodes src -j $IPTABLES_RULE_TARGET
74 |
75 | # Country blocking by nethashes [Both IPv4 and IPv6 sources]
76 | for country in ${BLOCKED_COUNTRY_LIST}; do
77 | if [ ! -e "$IPSET_LISTS_DIR/$country.lst" -o -n "$(find $IPSET_LISTS_DIR/$country.lst -mtime +$BLOCKLISTS_SAVE_DAYS -print 2>/dev/null)" ]; then
78 | wget -q -O $IPSET_LISTS_DIR/$country.lst "http://www.ipdeny.com/ipblocks/data/aggregated/${country}-aggregated.zone"
79 | touch $IPSET_LISTS_DIR/$country.lst
80 | Action="Reload"
81 | fi
82 | [ "${Action}" == "Reload" ] && $(ipset -q $SWAP BlockedCountries BlockedCountries) && ipset $FLUSH BlockedCountries
83 | done
84 | if $(ipset $SWAP BlockedCountries BlockedCountries 2>&1 | grep -q "$SETNOTFOUND"); then
85 | ipset $CREATE BlockedCountries $NETHASH
86 | Action="Add"
87 | fi
88 | for country in ${BLOCKED_COUNTRY_LIST}; do
89 | if [ -n "${Action}" ]; then
90 | entryCount=0
91 | for IP in $(cat $IPSET_LISTS_DIR/$country.lst); do
92 | ipset $ADD BlockedCountries $IP
93 | [ $? -eq 0 ] && entryCount=$((entryCount+1))
94 | done
95 | logger -t Firewall "$0: ${Action}ed country [$country] to BlockedCountries list ($entryCount entries)"
96 | fi
97 | done
98 | iptables-save | grep -q BlockedCountries || iptables -I INPUT -m set $MATCH_SET BlockedCountries src -j $IPTABLES_RULE_TARGET
99 | unset Action
100 |
101 | if [ $(nvram get ipv6_fw_enable) -eq 1 -a "$(nvram get ipv6_service)" != "disabled" ]; then
102 | for country in ${BLOCKED_COUNTRY_LIST}; do
103 | if [ -n "$NETHASH6" -o $USE_IP6TABLES_IF_IPSETV6_UNAVAILABLE = "enabled" ] && [ ! -e "$IPSET_LISTS_DIR/${country}6.lst" -o -n "$(find $IPSET_LISTS_DIR/${country}6.lst -mtime +$BLOCKLISTS_SAVE_DAYS -print 2>/dev/null)" ]; then
104 | wget -q -O $IPSET_LISTS_DIR/${country}6.lst "http://www.ipdeny.com/ipv6/ipaddresses/aggregated/${country}-aggregated.zone"
105 | touch $IPSET_LISTS_DIR/${country}6.lst
106 | Action="Reload"
107 | fi
108 | done
109 | [ "${Action}" == "Reload" ] && $(ipset -q $SWAP BlockedCountries6 BlockedCountries6) && ipset $FLUSH BlockedCountries6
110 | if $(ipset $SWAP BlockedCountries6 BlockedCountries6 2>&1 | grep -q "$SETNOTFOUND"); then
111 | [ -n "$NETHASH6" ] && ipset $CREATE BlockedCountries6 $NETHASH6 && Action="Add"
112 | fi
113 | for country in ${BLOCKED_COUNTRY_LIST}; do
114 | [ -e "/tmp/ipv6_country_blocks_loaded" ] && logger -t Firewall "$0: Country block rules has already been loaded into ip6tables... Skipping." && break
115 | entryCount=0
116 | if [ -n "${Action}" ]; then
117 | for IP6 in $(cat $IPSET_LISTS_DIR/${country}6.lst); do
118 | if [ -n "$NETHASH6" ]; then
119 | ipset $ADD BlockedCountries6 $IP6
120 | elif [ $USE_IP6TABLES_IF_IPSETV6_UNAVAILABLE = "enabled" ]; then
121 | ip6tables -I INPUT -s $IP6 -j $IPTABLES_RULE_TARGET
122 | fi
123 | [ $? -eq 0 ] && entryCount=$((entryCount+1))
124 | done
125 | if [ -n "$NETHASH6" ]; then
126 | logger -t Firewall "$0: ${Action}ed country [$country] to BlockedCountries6 list ($entryCount entries)"
127 | elif [ $USE_IP6TABLES_IF_IPSETV6_UNAVAILABLE = "enabled" ]; then
128 | logger -t Firewall "$0: Added country [$country] to ip6tables rules ($entryCount entries)"
129 | fi
130 | fi
131 | done
132 | if [ -n "$NETHASH6" ]; then
133 | ip6tables -L | grep -q BlockedCountries6 || ip6tables -I INPUT -m set $MATCH_SET BlockedCountries6 src -j $IPTABLES_RULE_TARGET
134 | elif [ $USE_IP6TABLES_IF_IPSETV6_UNAVAILABLE = "enabled" -a ! -e "/tmp/ipv6_country_blocks_loaded" ]; then
135 | logger -t Firewall "$0: Creating [/tmp/ipv6_country_blocks_loaded] to prevent accidental reloading of country blocklists in ip6table rules."
136 | touch /tmp/ipv6_country_blocks_loaded
137 | fi
138 | fi
139 |
140 | # Block Microsoft telemetry spying servers [IPv4 only]
141 | if $(ipset $SWAP MicrosoftSpyServers MicrosoftSpyServers 2>&1 | grep -q "$SETNOTFOUND"); then
142 | ipset $CREATE MicrosoftSpyServers $IPHASH
143 | [ $? -eq 0 ] && entryCount=0
144 | for IP in 23.99.10.11 63.85.36.35 63.85.36.50 64.4.6.100 64.4.54.22 64.4.54.32 64.4.54.254 \
145 | 65.52.100.7 65.52.100.9 65.52.100.11 65.52.100.91 65.52.100.92 65.52.100.93 65.52.100.94 \
146 | 65.55.29.238 65.55.39.10 65.55.44.108 65.55.163.222 65.55.252.43 65.55.252.63 65.55.252.71 \
147 | 65.55.252.92 65.55.252.93 66.119.144.157 93.184.215.200 104.76.146.123 111.221.29.177 \
148 | 131.107.113.238 131.253.40.37 134.170.52.151 134.170.58.190 134.170.115.60 134.170.115.62 \
149 | 134.170.188.248 157.55.129.21 157.55.133.204 157.56.91.77 168.62.187.13 191.234.72.183 \
150 | 191.234.72.186 191.234.72.188 191.234.72.190 204.79.197.200 207.46.223.94 207.68.166.254; do
151 | ipset $ADD MicrosoftSpyServers $IP
152 | [ $? -eq 0 ] && entryCount=$((entryCount+1))
153 | done
154 | logger -t Firewall "$0: Added MicrosoftSpyServers list ($entryCount entries)"
155 | fi
156 | iptables-save | grep -q MicrosoftSpyServers || iptables -I FORWARD -m set $MATCH_SET MicrosoftSpyServers dst -j $IPTABLES_RULE_TARGET
157 |
158 | # Block traffic from custom block list [IPv4 only]
159 | if [ -e $IPSET_LISTS_DIR/custom.lst ]; then
160 | if $(ipset $SWAP CustomBlock CustomBlock 2>&1 | grep -q "$SETNOTFOUND"); then
161 | ipset $CREATE CustomBlock $IPHASH
162 | [ $? -eq 0 ] && entryCount=0
163 | for IP in $(cat $IPSET_LISTS_DIR/custom.lst); do
164 | ipset $ADD CustomBlock $IP
165 | [ $? -eq 0 ] && entryCount=$((entryCount+1))
166 | done
167 | logger -t Firewall "$0: Added CustomBlock list ($entryCount entries)"
168 | fi
169 | iptables-save | grep -q CustomBlock || iptables -I INPUT -m set $MATCH_SET CustomBlock src -j $IPTABLES_RULE_TARGET
170 | fi
171 |
172 | # Allow traffic from AllowList [IPv4 only] [$IPSET_LISTS_DIR/whitelist.lst can contain a combination of IPv4 IP or IPv4 netmask] (previous)
173 | # Allow traffic from AllowList [IPv4 only] [$IPSET_LISTS_DIR/whitelist.lst can contain IPv4 IPs] (current)
174 | if [ -e $IPSET_LISTS_DIR/whitelist.lst ]; then
175 | if $(ipset $SWAP AllowList AllowList 2>&1 | grep -q "$SETNOTFOUND"); then
176 | ipset $CREATE AllowList $IPHASH #(was $NETHASH)
177 | [ $? -eq 0 ] && entryCount=0
178 | for IP in $(cat $IPSET_LISTS_DIR/whitelist.lst); do
179 | #[ "${IP##*/}" == "$IP" ] && ipset $ADD AllowList $IP/31 || ipset $ADD AllowList $IP
180 | ipset $ADD AllowList $IP
181 | [ $? -eq 0 ] && entryCount=$((entryCount+1))
182 | done
183 | logger -t Firewall "$0: Added AllowList ($entryCount entries)"
184 | fi
185 | iptables-save | grep -q AllowList || iptables -I INPUT -m set $MATCH_SET AllowList src -j ACCEPT
186 | fi
187 |
--------------------------------------------------------------------------------
/html-dir.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | # Author: redhat27
3 | # snbforums thread: https://www.snbforums.com/threads/fun-with-www-user.38546/
4 |
5 | [ -z "$1" ] && echo "$0: Specify a directory on the router you want to expose!" && exit 1
6 | [ ! -d "$1" ] && echo "$0: Cannot find the directory $1 on this router!" && exit 2
7 | ps_line=$(ps | sed -n '/[l]ighttpd /s/-[D,f]//p')
8 | if [ -n "$ps_line" ]; then
9 | root=$(sed -n 's/"//g;/document-root/s/^.*= //p' ${ps_line##* })
10 | port=$(sed -n 's/"//g;/port/s/^.*= //p' ${ps_line##* })
11 | base=${1#/} base=${base%%/*}
12 | [ -L "$root/$base" ] || ln -s /$base $root/$base
13 | echo -e "Created symlink $root/$base and $root/$(basename $1).html\nPlease remove [rm -f $root/$base $root/$(basename $1).html] to undo the changes!"
14 | append=":$port"
15 | else
16 | Complain="
This page would work so much better if you had lighttpd installed and running. If you have entware, you can install it with opkg install lighttpd
Right now, you can only see the file listings inside of $1, but will not be able to see the contents or download any of the files. Sad :(
"
17 | root="/www/user"
18 | httpd_ps=$(ps | grep "[h]ttpd ")
19 | if [ -n "$httpd_ps" ]; then
20 | httpd_port=$(ps | grep "[h]ttpd " | sed -n "s/^.*-p //p" | awk '{print $1}')
21 | [ -z "$httpd_port" -o "$httpd_port" = "80" ] || append=":$httpd_port"
22 | else
23 | httpds_port=$(ps | grep "[h]ttpds " | sed -n "s/^.*-p //p" | awk '{print $1}')
24 | [ -z "$httpds_port" -o "$httpds_port" = "443" ] || append=":$httpds_port"
25 | s=s
26 | fi
27 | append="$append/user"
28 | fi
29 |
30 | OUT="$root/$(basename $1).html"
31 | echo -e "\n\n\tListing of ${1}\n\n\n${Complain}
Listing of $1 on router
\n" > $OUT
32 | find "$1" -type d | sort | while read dir; do
33 | echo -e "\t
\n\t- $dir
\n\t" >> $OUT
34 | find "$dir" -maxdepth 1 -type f | sort | while read filepath; do
35 | [ -z "$Complain" ] && echo -e "\t\t- $(basename "$filepath")
" >> $OUT || echo -e "\t\t- $(basename "$filepath")
" >> $OUT
36 | done
37 | echo -e "\t
" >> $OUT
38 | done
39 | echo -en "
\n" >> $OUT
40 | grep -q "router.asus.com" /etc/hosts && router="router.asus.com" || router=$(nvram get lan_ipaddr)
41 | echo "You can now see the listing of $1 from http${s}://${router}${append}/$(basename $1).html"
42 |
--------------------------------------------------------------------------------
/html-syslog.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | DEFAULT_LOG="/tmp/syslog.log"
3 | [ -L "$DEFAULT_LOG" ] && LogFile=$(readlink $DEFAULT_LOG) || LogFile="$DEFAULT_LOG"
4 | if [ -L "/www/user" ]; then
5 | sed -i '1s/^//' $LogFile
6 | [ -L "/www/user/log.html" ] || ln -s $LogFile /www/user/log.html
7 | grep -q "router.asus.com" /etc/hosts && router="router.asus.com" || router=$(nvram get lan_ipaddr)
8 | httpd_ps=$(ps | grep "[h]ttpd ")
9 | if [ -n "$httpd_ps" ]; then
10 | httpd_port=$(ps | grep "[h]ttpd " | sed -n "s/^.*-p //p" | awk '{print $1}')
11 | [ -z "$httpd_port" -o "$httpd_port" = "80" ] || append=":$httpd_port"
12 | else
13 | httpds_port=$(ps | grep "[h]ttpds " | sed -n "s/^.*-p //p" | awk '{print $1}')
14 | [ -z "$httpds_port" -o "$httpds_port" = "443" ] || append=":$httpds_port"
15 | s=s
16 | fi
17 | echo "You can now access $(basename $DEFAULT_LOG) from http${s}://${router}${append}/user/log.html"
18 | else
19 | echo "This script is not for you, sorry :("
20 | fi
21 |
--------------------------------------------------------------------------------
/telemetry_and_scanners.txt:
--------------------------------------------------------------------------------
1 | # This is a static list of IPs of Microsoft telemetry, Shodan and Project 25499 scanners
2 | # from https://github.com/shounak-de/iblocklist-loader/blob/master/blacklist-domains.txt
3 |
4 | 134.170.165.251
5 | 93.184.215.201
6 | 198.20.69.98
7 | 82.221.105.6
8 | 65.55.252.190
9 | 104.25.90.97
10 | 198.20.69.74
11 | 216.117.2.180
12 | 131.253.40.109
13 | 184.27.199.19
14 | 71.6.135.131
15 | 66.240.236.119
16 | 209.126.110.38
17 | 85.25.43.94
18 | 207.46.114.58
19 | 65.52.100.91
20 | 198.20.99.130
21 | 52.161.22.198
22 | 13.84.218.189
23 | 71.6.158.166
24 | 23.38.206.236
25 | 104.131.0.69
26 | 65.55.252.63
27 | 66.240.192.138
28 | 71.6.165.200
29 | 23.103.189.158
30 | 65.55.130.50
31 | 82.221.105.7
32 | 104.25.89.97
33 | 65.55.138.111
34 | 65.55.138.110
35 | 71.6.167.142
36 | 207.46.223.94
37 | 184.27.199.34
38 | 207.68.166.254
39 | 188.138.9.50
40 | 157.56.57.5
41 | 65.52.100.93
42 | 98.124.243.41
43 | 104.236.198.48
44 | 65.55.252.93
45 | 191.232.80.58
46 | 98.143.148.107
47 | 65.52.100.7
48 | 168.61.24.141
49 | 198.20.70.114
50 | 155.94.254.133
51 | 155.94.254.143
52 | 157.58.249.57
53 | 155.94.222.12
54 | 93.120.27.62
55 | 65.52.100.9
56 | 65.52.214.46
57 | 64.4.54.254
58 | 65.55.138.186
59 | 65.52.100.94
60 | 40.77.228.92
61 | 65.55.252.71
62 | 23.103.189.157
63 | 65.55.138.112
64 | 65.52.100.92
65 | 98.143.148.135
66 | 65.52.100.11
67 | 85.25.103.50
68 | 64.4.54.32
69 | 64.4.54.22
70 | 134.170.165.249
71 | 114.80.68.223
72 | 195.22.26.248
73 |
--------------------------------------------------------------------------------
/ya-malware-block-tomato.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | # Author: redhat27, Version 2.5 [Tomato]
3 | # snbforums thread: https://www.snbforums.com/threads/yet-another-malware-block-script-using-ipset-v4-and-v6.38935/
4 |
5 | URLList=/jffs/ipset_lists/ya-malware-block.urls # Change to an appropriate download location if needed (This file has the list of URLs of files that has the blocking IP and CIDR soures)
6 | WhiteList=/jffs/ipset_lists/ya-malware-block.whites # Change to an appropriate download location if needed (This file must exist. Append to this file your own whitelisted discrete IPs)
7 | BlackList=/jffs/ipset_lists/ya-malware-block.blacks # Change to an appropriate location if needed (This file is optional. You may put your manual IPs and CIDR ranges to block)
8 | GitURLBase=https://raw.githubusercontent.com/shounak-de/misc-scripts/master/
9 |
10 | case $(ipset -v | grep -o "v[4,6]") in
11 | v6) MATCH_SET='--match-set'; CREATE='n'; DESTROY='destroy'; RESTORE='restore'; ADD='add'; SWAP='swap'; IPHASH='hash:ip'; NETHASH='hash:net'; ESL=7
12 | lsmod | grep -q "xt_set" || for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set; do modprobe $module; done;;
13 | v4) MATCH_SET='--set'; CREATE='-N'; DESTROY='--destroy'; RESTORE='--restore'; ADD='-A'; SWAP='--swap'; IPHASH='iphash'; NETHASH='nethash'; ESL=6
14 | lsmod | grep -q "ipt_set" || for module in ip_set ip_set_nethash ip_set_iphash ipt_set; do modprobe $module; done;;
15 | *) logger -t Firewall "$0: Unknown ipset version. Exiting." && exit 1;;
16 | esac
17 | startTS=$(date +%s); logger -t Firewall "$0: Adding ya-malware-block rules to firewall..." && [ -t 1 ] && echo "$0: Adding ya-malware-block rules to firewall..."
18 | [ ! -d $(dirname $URLList) ] && mkdir -p $(dirname $URLList)
19 | [ ! -s $URLList ] && wget "${GitURLBase}$(basename $URLList)" -qO $URLList
20 | [ ! -s $WhiteList ] && wget "${GitURLBase}$(basename $WhiteList)" -qO $WhiteList
21 | lastTS=$(date +%s); [ -t 1 ] && echo -n ">>> Downloading and aggregating malware sources (also processing whitelists)..."; ((while read -r url; do nice -n 15 wget $url -qO-; done <$URLList); [ -s $BlackList ] && cat $BlackList) | nice -n 15 sed -n "s/\r//;/^$/d;/^[0-9,\.,\/]*$/p" | nice -n 15 grep -vf $WhiteList | nice -n 15 awk '!a[$0]++' >/tmp/ya-malware-block.sources; TotalCount=$(wc -l >> Adding data and processing rule for YAMalwareBlock${this}IP..."); lastTS=$(date +%s); ipset -q $CREATE YAMalwareBlock${this}IP $IPHASH; ipset -q $DESTROY tYAMB; (echo "$CREATE tYAMB $IPHASH"; sed -n "/\//!p" /tmp/ya-malware-block.sources | sed -n "$(((($this-1)*65535)+1)),$(($this*65535)) s/^/$ADD tYAMB /p"; echo "COMMIT") | nice -n 15 ipset $RESTORE && ipset $SWAP tYAMB YAMalwareBlock${this}IP; iptables-save | grep -q YAMalwareBlock${this}IP || iptables -t raw -I PREROUTING -m set $MATCH_SET YAMalwareBlock${this}IP src -j DROP; FinalMessage="$FinalMessage YAMalwareBlock${this}IP ($(expr $(ipset -L YAMalwareBlock${this}IP | wc -l) - $ESL))"; this=$((this+1)); done
24 | [ -t 1 ] && (elapsed=$(($(date +%s)-$lastTS)); echo -en " ~${elapsed}s\n>>> Adding data and processing rule for YAMalwareBlockCIDR..."); lastTS=$(date +%s); ipset -q $CREATE YAMalwareBlockCIDR $NETHASH; ipset -q $DESTROY tYAMB; (echo "$CREATE tYAMB $NETHASH"; sed -n "/\//s/^/$ADD tYAMB /p" /tmp/ya-malware-block.sources; echo "COMMIT") | nice -n 15 ipset $RESTORE && ipset $SWAP tYAMB YAMalwareBlockCIDR; iptables-save | grep -q YAMalwareBlockCIDR || iptables -t raw -I PREROUTING -m set $MATCH_SET YAMalwareBlockCIDR src -j DROP; FinalMessage="$FinalMessage and YAMalwareBlockCIDR ($(expr $(ipset -L YAMalwareBlockCIDR | wc -l) - $ESL)) in $(($(date +%s)-$startTS)) seconds"
25 | [ -t 1 ] && (elapsed=$(($(date +%s)-$lastTS)); echo -en " ~${elapsed}s\n>>> Cleaning up..."); ipset $DESTROY tYAMB; rm /tmp/ya-malware-block.sources; lastTS=$(date +%s)
26 | logger -t Firewall $FinalMessage && [ -t 1 ] && (elapsed=$(($(date +%s)-$lastTS)); echo -e " ~${elapsed}s\n$FinalMessage")
27 |
--------------------------------------------------------------------------------
/ya-malware-block.blacks:
--------------------------------------------------------------------------------
1 | # This file has some sample data if you want to manually add some blacklist entries for ya-malware-block.
2 | # This file is totally optional, and the script will work just fine without this blacklist file present.
3 | # You can put comment lines just like this, but do not put in-line comments (comments in the same line as IP or CIDR data)
4 |
5 |
6 | # Some sample (test) manually added discrete IPs to blacklist
7 | 3.3.3.3
8 | 3.3.3.4
9 | 3.3.3.5
10 |
11 | # Some sample (test) manually added CIDR ranges to blacklist
12 | 4.4.4.0/24
13 | 5.5.5.0/28
14 |
--------------------------------------------------------------------------------
/ya-malware-block.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | # Author: redhat27, Version 2.5
3 | # snbforums thread: https://www.snbforums.com/threads/yet-another-malware-block-script-using-ipset-v4-and-v6.38935/
4 |
5 | URLList=/jffs/ipset_lists/ya-malware-block.urls # Change to an appropriate download location if needed (This file has the list of URLs of files that has the blocking IP and CIDR soures)
6 | WhiteList=/jffs/ipset_lists/ya-malware-block.whites # Change to an appropriate download location if needed (This file must exist. Append to this file your own whitelisted discrete IPs)
7 | BlackList=/jffs/ipset_lists/ya-malware-block.blacks # Change to an appropriate location if needed (This file is optional. You may put your manual IPs and CIDR ranges to block)
8 | GitURLBase=https://raw.githubusercontent.com/shounak-de/misc-scripts/master/
9 |
10 | case $(ipset -v | grep -o "v[4,6]") in
11 | v6) MATCH_SET='--match-set'; CREATE='n'; DESTROY='destroy'; RESTORE='restore'; ADD='add'; SWAP='swap'; IPHASH='hash:ip'; NETHASH='hash:net'; ESL=7
12 | lsmod | grep -q "xt_set" || for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set; do modprobe $module; done;;
13 | v4) MATCH_SET='--set'; CREATE='-N'; DESTROY='--destroy'; RESTORE='--restore'; ADD='-A'; SWAP='--swap'; IPHASH='iphash'; NETHASH='nethash'; ESL=6
14 | lsmod | grep -q "ipt_set" || for module in ip_set ip_set_nethash ip_set_iphash ipt_set; do modprobe $module; done;;
15 | *) logger -t Firewall "$0: Unknown ipset version. Exiting." && exit 1;;
16 | esac
17 | startTS=$(date +%s); logger -t Firewall "$0: Adding ya-malware-block rules to firewall..." && [ -t 1 ] && echo "$0: Adding ya-malware-block rules to firewall..."
18 | [ ! -d $(dirname $URLList) ] && mkdir -p $(dirname $URLList)
19 | [ ! -s $URLList ] && curl -sk "${GitURLBase}$(basename $URLList)" -o $URLList
20 | [ ! -s $WhiteList ] && curl -sk "${GitURLBase}$(basename $WhiteList)" -o $WhiteList
21 | lastTS=$(date +%s); [ -t 1 ] && echo -n ">>> Downloading and aggregating malware sources (also processing whitelists)..."; ((while read -r url; do nice -n 15 curl -sk $url; done <$URLList); [ -s $BlackList ] && cat $BlackList) | nice -n 15 sed -n "s/\r//;/^$/d;/^[0-9,\.,\/]*$/p" | nice -n 15 grep -vf $WhiteList | nice -n 15 awk '!a[$0]++' >/tmp/ya-malware-block.sources; TotalCount=$(wc -l >> Adding data and processing rule for YAMalwareBlock${this}IP..."); lastTS=$(date +%s); ipset -q $CREATE YAMalwareBlock${this}IP $IPHASH; ipset -q $DESTROY tYAMB; (echo "$CREATE tYAMB $IPHASH"; sed -n "/\//!p" /tmp/ya-malware-block.sources | sed -n "$(((($this-1)*65535)+1)),$(($this*65535)) s/^/$ADD tYAMB /p"; echo "COMMIT") | nice -n 15 ipset $RESTORE && ipset $SWAP tYAMB YAMalwareBlock${this}IP; iptables-save | grep -q YAMalwareBlock${this}IP || iptables -t raw -I PREROUTING -m set $MATCH_SET YAMalwareBlock${this}IP src -j DROP; FinalMessage="$FinalMessage YAMalwareBlock${this}IP ($(expr $(ipset -L YAMalwareBlock${this}IP | wc -l) - $ESL))"; this=$((this+1)); done
24 | [ -t 1 ] && (elapsed=$(($(date +%s)-$lastTS)); echo -en " ~${elapsed}s\n>>> Adding data and processing rule for YAMalwareBlockCIDR..."); lastTS=$(date +%s); ipset -q $CREATE YAMalwareBlockCIDR $NETHASH; ipset -q $DESTROY tYAMB; (echo "$CREATE tYAMB $NETHASH"; sed -n "/\//s/^/$ADD tYAMB /p" /tmp/ya-malware-block.sources; echo "COMMIT") | nice -n 15 ipset $RESTORE && ipset $SWAP tYAMB YAMalwareBlockCIDR; iptables-save | grep -q YAMalwareBlockCIDR || iptables -t raw -I PREROUTING -m set $MATCH_SET YAMalwareBlockCIDR src -j DROP; FinalMessage="$FinalMessage and YAMalwareBlockCIDR ($(expr $(ipset -L YAMalwareBlockCIDR | wc -l) - $ESL)) in $(($(date +%s)-$startTS)) seconds"
25 | [ -t 1 ] && (elapsed=$(($(date +%s)-$lastTS)); echo -en " ~${elapsed}s\n>>> Cleaning up..."); ipset $DESTROY tYAMB; rm /tmp/ya-malware-block.sources; lastTS=$(date +%s)
26 | logger -t Firewall $FinalMessage && [ -t 1 ] && (elapsed=$(($(date +%s)-$lastTS)); echo -e " ~${elapsed}s\n$FinalMessage")
27 |
--------------------------------------------------------------------------------
/ya-malware-block.urls:
--------------------------------------------------------------------------------
1 | https://raw.githubusercontent.com/shounak-de/misc-scripts/master/telemetry_and_scanners.txt
2 | https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset
3 | https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level2.netset
4 | https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level3.netset
5 | #https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level4.netset
6 | https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/alienvault_reputation.ipset
7 | https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/bbcan177_ms1.netset
8 | https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/bbcan177_ms3.netset
9 | https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/bds_atif.ipset
10 | https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/blocklist_de_bots.ipset
11 | https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/blocklist_de_ssh.ipset
12 | https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/blocklist_de_strongips.ipset
13 | https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/dyndns_ponmocup.ipset
14 | https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/et_block.netset
15 | https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/et_botcc.ipset
16 | https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/et_compromised.ipset
17 | https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/hphosts_exp.ipset
18 | https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/hphosts_hjk.ipset
19 | https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/hphosts_mmt.ipset
20 | https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/ransomware_feed.ipset
21 | https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/ransomware_locky_ps.ipset
22 | https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/taichung.ipset
23 | https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/urandomusto_ssh.ipset
24 | https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/urandomusto_telnet.ipset
25 | https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/uscert_hidden_cobra.ipset
26 |
--------------------------------------------------------------------------------
/ya-malware-block.whites:
--------------------------------------------------------------------------------
1 | ^0\.
2 | ^10\.
3 | ^127\.
4 | ^169\.254\.
5 | ^172\.1[6-9]\.
6 | ^172\.2[0-9]\.
7 | ^172\.3[0-1]\.
8 | ^192\.168\.
9 | ^216\.239\.3[2468]\.21
10 | 8.8.8.8
11 | 213.230.210.230
12 | 192.124.249.10
13 |
--------------------------------------------------------------------------------