Loading... |
Reply to author |
Edit post |
Move post |
Delete this post |
Delete this post and replies |
Change post date |
Print post |
Permalink |
Raw mail |
Sorry gents, first thing in the morning over here now.. Yep, different base images will explain things. I will add some checks for pre-existing snort.rules and L2.blacklist files before trying to rename them *.bak Also, if I've based paths on suricata ones and there are better vanilla snort ones to use, let me know! On Sun, 18 Aug. 2019, 4:18 am Grommish [via Itus Networks Owners Forum], <[hidden email]> wrote: Ok.. Road/Gnomad, try this image.
OpenWrt SNAPSHOT, r10391-3d8d528939
|
Loading... |
Reply to author |
Edit post |
Move post |
Delete this post |
Delete this post and replies |
Change post date |
Print post |
Permalink |
Raw mail |
Administrator
|
I've already corrected the image to fit your script, so nothing should need to be changed on your end. That snort.tgz file was creating some of the directory structure when it built out first boot. With that gone, it stopped creating them 😀 Anyway, it's fixed now if you want to check out the new image, and double check that it works. Just copy the image over to /dev/mmcblk1p1 and remove /.norwits then reboot and it'll clear out the old partition and rebuild from the image On Sat, Aug 17, 2019, 9:14 PM Gnomad [via Itus Networks Owners Forum] <[hidden email]> wrote:
... [show rest of quote]
Running Itus Shield v2 Firmware
|
Loading... |
Reply to author |
Edit post |
Move post |
Delete this post |
Delete this post and replies |
Change post date |
Print post |
Permalink |
Raw mail |
Administrator
|
The advantage to me being Eastern US time is that I have time while you sleep to get things done.. Besides, it takes almost no time to compile this on my laptop, unless I'm doing a kernel change or removing a dependency and have to do a make clean. Otherwise, it literally takes about a minute and a half.
As far as Suricata goes, Suricata 5 will REQUIRE Rust and Cargo to compile and run. Unfortunately, Rust does not have a mips compatible source code (at least, not yet). I was able to get Suricata 4.1.4 to build once I finagled it, but abandoned the task once I started looking into the requirements for the current Beta. If they ever update it, then I'll go back to it. So, for now, we can put them where-ever we want.. Even if Suracata comes back to the Shield down the line, we can make the structure however. Itus used the "profiles" directly to hold the Suricata AND Snort configs, and I wasn't even aware Suricata was an option.. You can see tags for it in the LUA page for IDS on the original Shield files. I don't know if they ever included Suricata or not, but it's the whole reason we have a profile directory at all. I didn't understand at the beginning what they were using profiles for, so I just dropped it to profile and stored my config files for Snort in there so they could be cat'ed when the service starts into snort.conf (and edited in pieces from luCi)
Running Itus Shield v2 Firmware
|
Loading... |
Reply to author |
Edit post |
Move post |
Delete this post |
Delete this post and replies |
Change post date |
Print post |
Permalink |
Raw mail |
In reply to this post by Grommish
Whoah - new theme! :)
Yes I can confirm that works nicely. Apologies for the mixup deleting snort.tar.gz. I figured files under /files would be unpacked to track changes, so had assumed the .tar was a leftover. On the console updaterules.sh will complain about no initial snort.rules and L2.blacklist files on first run only, but that doesn't stop it doing its thing. Subsequent runs it doesn't complain. PS: don't see any 404s but the serif font looks a little funny - might be missing a font replacement?
OpenWrt SNAPSHOT, r10391-3d8d528939
|
Loading... |
Reply to author |
Edit post |
Move post |
Delete this post |
Delete this post and replies |
Change post date |
Print post |
Permalink |
Raw mail |
Administrator
|
No worries on the tgz. The original plan was to house complete snort configurations, and other configs, in one of three tgz files and unpack it at first boot depending on which mode the Shield was in (by reading the switch GPIOs) That way, we only really have to maintain a single image and put things like network configs, snort configs, e2guardian configs in the tgz files where they differ from router to bridge to Gateway. And I included 3 additional luCi themes in the image, besides the default On Sat, Aug 17, 2019, 9:51 PM Gnomad [via Itus Networks Owners Forum] <[hidden email]> wrote: Whoah - new theme! :) ... [show rest of quote]
Running Itus Shield v2 Firmware
|
Loading... |
Reply to author |
Edit post |
Move post |
Delete this post |
Delete this post and replies |
Change post date |
Print post |
Permalink |
Raw mail |
In reply to this post by Roadrunnere42
Btw cheers for the compliment @Roadrunner, but you (& Hans, user8446 etc) did all the heavy lifting!
I just based it all from your fw_upgrade and got the benefit of slapping Grommish's v2 label on it ;) Note, I'm not having any problems with heat or throughput with the case on - all seems pretty solid so far..
OpenWrt SNAPSHOT, r10391-3d8d528939
|
Loading... |
Reply to author |
Edit post |
Move post |
Delete this post |
Delete this post and replies |
Change post date |
Print post |
Permalink |
Raw mail |
In reply to this post by Grommish
All working fine Been playing around and maybe you want to change this file in /etc/config/hhttpd to prevent uhttpd listing on the wan port, they also say unbind ipv6 but couldn't fine any reference in uhttpd. I will make suggestion as i play and let you full time computer guys decide what to include, Im just a guy who likes computers with no programming knowledge, just picking things up as i go Securing uHTTPd
By default, uHTTPd is bind to To get your current LAN IP address run this command: root@OpenWrt:~# uci get network.lan.ipaddr 10.10.10.10
Then edit config uhttpd main # HTTP listen addresses, multiple allowed list listen_http 10.10.10.10:80 # list listen_http [::]:80 # HTTPS listen addresses, multiple allowed list listen_https 10.10.10.10:443 # list listen_https [::]:443 On Sat, 17 Aug 2019 at 16:34, Grommish [via Itus Networks Owners Forum] <[hidden email]> wrote:
... [show rest of quote] |
Loading... |
Reply to author |
Edit post |
Move post |
Delete this post |
Delete this post and replies |
Change post date |
Print post |
Permalink |
Raw mail |
Administrator
|
Added.. I can't see a downside except for potentially not being able to access luCi from the outside for those who need it.. But, You'd expect someone needing to do that would have VPN, so I'm good with the change.
Running Itus Shield v2 Firmware
|
Loading... |
Reply to author |
Edit post |
Move post |
Delete this post |
Delete this post and replies |
Change post date |
Print post |
Permalink |
Raw mail |
Administrator
|
As a small update, I've put in a script that automates the process of black-listing URLs (rather than IP addresses). Ideally, it is used as an ad-hoc ad-blocker.
Anyone feel like creating a luCi page for it? Let me know and I can give you details since I've not pushed it to GH yet.
Running Itus Shield v2 Firmware
|
Loading... |
Reply to author |
Edit post |
Move post |
Delete this post |
Delete this post and replies |
Change post date |
Print post |
Permalink |
Raw mail |
Can do, flick me the deets.
Domains blocked via snort or e2guardian? We could maybe add the ability to update via published ad lists like those at https://filterlists.com..
OpenWrt SNAPSHOT, r10391-3d8d528939
|
Loading... |
Reply to author |
Edit post |
Move post |
Delete this post |
Delete this post and replies |
Change post date |
Print post |
Permalink |
Raw mail |
Administrator
|
Even better and more reliable. I used the local /etc/hosts file to void out specific urls. The lists are maintained, but any URL list should work. I'll put a commit up shortly I hope On Mon, Sep 2, 2019, 6:15 AM Gnomad [via Itus Networks Owners Forum] <[hidden email]> wrote: Can do, flick me the deets.
Running Itus Shield v2 Firmware
|
Loading... |
Reply to author |
Edit post |
Move post |
Delete this post |
Delete this post and replies |
Change post date |
Print post |
Permalink |
Raw mail |
Administrator
|
I have this as /etc/snort/updateblacklist.sh
|
Loading... |
Reply to author |
Edit post |
Move post |
Delete this post |
Delete this post and replies |
Change post date |
Print post |
Permalink |
Raw mail |
Administrator
|
I have a concern that I need help addressing with the update script.
1) We are pulling these from external sources 2) The update lists can contain anything We need to see if there is a way to ENSURE anything added via the update script points to 0.0.0.0 or 127.0.0.1 so if the external source gets poisoned, we aren't effected by a DNS attack. So, we gotta figure out a way to do it. Suggestions? Gnomad, you might be able to to come up with something script wise?
Running Itus Shield v2 Firmware
|
Loading... |
Reply to author |
Edit post |
Move post |
Delete this post |
Delete this post and replies |
Change post date |
Print post |
Permalink |
Raw mail |
That script doesn't quite work on my Shield as-is - not sure if you had to make any edits?
I guess we're after a lua page with an on/off switch, plus potential replacement of the master list URL. Will have a bit of a play, also see if I can swing some `sed` filtering to strip any invalid localhost IPs.
OpenWrt SNAPSHOT, r10391-3d8d528939
|
Loading... |
Reply to author |
Edit post |
Move post |
Delete this post |
Delete this post and replies |
Change post date |
Print post |
Permalink |
Raw mail |
Administrator
|
Hmm.
This is my output, and I'll repost the script. What is line 45 on you end? Mine is a for loop.
... [show rest of quote]
/etc/snort/updateblacklist.sh
... [show rest of quote]
Running Itus Shield v2 Firmware
|
Loading... |
Reply to author |
Edit post |
Move post |
Delete this post |
Delete this post and replies |
Change post date |
Print post |
Permalink |
Raw mail |
All good once I `chmod`ed it to execute via `./updateblacklist.sh` as you did - not sure why it made a difference, but hey. On Sun, 8 Sep 2019 at 14:16, Grommish [via Itus Networks Owners Forum] <[hidden email]> wrote: Hmm. ... [show rest of quote]
OpenWrt SNAPSHOT, r10391-3d8d528939
|
Loading... |
Reply to author |
Edit post |
Move post |
Delete this post |
Delete this post and replies |
Change post date |
Print post |
Permalink |
Raw mail |
In reply to this post by Gnomad
PR up for a "safe" /etc/snort/hosts/updatehosts.sh
https://github.com/Grommish/Itus_Shield_v2/pull/2/files#diff-f363d9f8c5abce896b52b3f2a5df9b3e But 1. although pinging from the Shield directly resolves to 127.0.0.1 as expected, browsing to these domains from a downstream client is not blocked. I guess we need to change client DNS to the Shield? 2. local speedtest was then 60% slower than before. I brought this back up to reasonable speeds by commenting out the larger https://hosts-file.net/emd.txt and psh.txt downloads. I wonder if e2guardian might perform better, obviate the need to change client DNS entries? root@OpenWrt:/# /etc/snort/hosts/updatehosts.sh Preparing working directory for host list download and ingestion /tmp/hosts Downloading bad host list urls from https://v.firebog.net/hosts/lists.php?type=tick ... 908683 badhosts.all Sorting bad hosts and removing duplicates Cleaning up working files Displaying host_counter.log # Hosts Url processed by etc/snort/hosts/updatehosts.sh -------- ----------------------------------------------- 526 https://hosts-file.net/grm.txt 713 https://reddestdream.github.io/Projects/MinimalHosts/etc/MinimalHostsBlocker/minimalhosts 3619 https://raw.githubusercontent.com/StevenBlack/hosts/master/data/KADhosts/hosts 73 https://raw.githubusercontent.com/StevenBlack/hosts/master/data/add.Spam/hosts 753 https://v.firebog.net/hosts/static/w3kbl.txt 411 https://adaway.org/hosts.txt 29855 https://v.firebog.net/hosts/AdguardDNS.txt 34374 https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt 2703 https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt 45739 https://hosts-file.net/ad_servers.txt 1609 https://v.firebog.net/hosts/Easylist.txt 3039 https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts;showintro=0 10 https://raw.githubusercontent.com/StevenBlack/hosts/master/data/UncheckyAds/hosts 4315 https://www.squidblacklist.org/downloads/dg-ads.acl 2766 https://v.firebog.net/hosts/Easyprivacy.txt 3634 https://v.firebog.net/hosts/Prigent-Ads.txt 14467 https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-blocklist.txt 1286 https://raw.githubusercontent.com/StevenBlack/hosts/master/data/add.2o7Net/hosts 367 https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt 2738 https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt 26886 https://mirror1.malwaredomains.com/files/justdomains 1158 https://hosts-file.net/exp.txt 300351 https://hosts-file.net/emd.txt 189142 https://hosts-file.net/psh.txt 3202 https://mirror.cedia.org.ec/malwaredomains/immortal_domains.txt 1106 https://www.malwaredomainlist.com/hostslist/hosts.txt 2046 https://bitbucket.org/ethanr/dns-blacklists/raw/8575c9f96e5b4a1308f2f12394abd86d0927a4a0/bad_lists/Mandiant_APT1_Report_Appendix_D.txt 6785 https://v.firebog.net/hosts/Prigent-Malware.txt 6785 https://v.firebog.net/hosts/Prigent-Phishing.txt 1533 https://phishing.army/download/phishing_army_blocklist_extended.txt 155 https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt 1902 https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt 219 https://ransomwaretracker.abuse.ch/downloads/CW_C2_DOMBL.txt 214 https://ransomwaretracker.abuse.ch/downloads/LY_C2_DOMBL.txt 144 https://ransomwaretracker.abuse.ch/downloads/TC_C2_DOMBL.txt 33 https://ransomwaretracker.abuse.ch/downloads/TL_C2_DOMBL.txt 19570 https://v.firebog.net/hosts/Shalla-mal.txt 2580 https://raw.githubusercontent.com/StevenBlack/hosts/master/data/add.Risk/hosts 165519 https://www.squidblacklist.org/downloads/dg-malicious.acl 26364 https://zerodot1.gitlab.io/CoinBlockerLists/hosts -------- ----------------------------------------------- 745135 unique bad hosts Using host template defined at /etc/snort/hosts/hosts Appending badhosts Replacing /etc/hosts Restarting network
OpenWrt SNAPSHOT, r10391-3d8d528939
|
Loading... |
Reply to author |
Edit post |
Move post |
Delete this post |
Delete this post and replies |
Change post date |
Print post |
Permalink |
Raw mail |
Administrator
|
I've not noticed a performance hit, but I've been tearing my network up here recently, so it wouldn't surprise me.
Does e2Guardian handle URL blacklisting or just content type blacklisting? I've not used it. Interesting about the clients being able to connect, because when I originally had the YouTube stuff in there (since removed), YouTube would freak out and tell me I'm offline when it tried (and failed) to load an ad.. Dunno. I say we call this is a serious work in progress, and look into the e2 suggestion.. If nothing else, we could probably modify the fixed script to update e2. The original concept for this was from a project called PiHole, which used a Raspberry Pi as a DNS server to blacklist. Think of it as a poor-man's Shield. They didn't have mips support for the program itself, so I pulled the update streams to see if it could be adapted.
Running Itus Shield v2 Firmware
|
Loading... |
Reply to author |
Edit post |
Move post |
Delete this post |
Delete this post and replies |
Change post date |
Print post |
Permalink |
Raw mail |
Administrator
|
I wonder if we could get dnsmasq to do what we need it to do. Maybe it should be in there and the /etc/hosts?
Running Itus Shield v2 Firmware
|
Loading... |
Reply to author |
Edit post |
Move post |
Delete this post |
Delete this post and replies |
Change post date |
Print post |
Permalink |
Raw mail |
You're probably right re: dnsmasq, but my experience doesn't extend to much network admin.. If we can get these redirecting to the 10.10.10.11 "badhost" http server that the other images have, we also might be able to prevent Youtube thinking that the adservers are disconnected? On Mon, 16 Sep 2019 at 13:19, Grommish [via Itus Networks Owners Forum] <[hidden email]> wrote: I wonder if we could get dnsmasq to do what we need it to do. Maybe it should be in there and the /etc/hosts?
OpenWrt SNAPSHOT, r10391-3d8d528939
|
Free forum by Nabble | Edit this page |