banip: update 0.8.1-2

* add oisdbig as new feed
* LuCI frontend preparation:
  - the json feed file points always to /etc/banip/banip.feeds (and is no longer compressed)
  - supply country list in /etc/banip/banip.countries
* update readme

Signed-off-by: Dirk Brenken <dev@brenken.org>
Dirk Brenken 2023-02-26 08:16:15 +01:00
parent e68c98a0ce
commit 0706b1d2d9
No known key found for this signature in database
GPG key ID: 9D71CD547BFAE684
5 changed files with 28 additions and 22 deletions


@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=banip PKG_NAME:=banip
PKG_VERSION:=0.8.1 PKG_VERSION:=0.8.1
PKG_RELEASE:=1 PKG_RELEASE:=2
PKG_LICENSE:=GPL-3.0-or-later PKG_LICENSE:=GPL-3.0-or-later
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org> PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
@ -61,8 +61,8 @@ define Package/banip/install
$(INSTALL_CONF) ./files/banip.tpl $(1)/etc/banip $(INSTALL_CONF) ./files/banip.tpl $(1)/etc/banip
$(INSTALL_CONF) ./files/banip.allowlist $(1)/etc/banip $(INSTALL_CONF) ./files/banip.allowlist $(1)/etc/banip
$(INSTALL_CONF) ./files/banip.blocklist $(1)/etc/banip $(INSTALL_CONF) ./files/banip.blocklist $(1)/etc/banip
$(INSTALL_CONF) ./files/banip.countries $(1)/etc/banip
$(INSTALL_CONF) ./files/banip.feeds $(1)/etc/banip $(INSTALL_CONF) ./files/banip.feeds $(1)/etc/banip
gzip -9n $(1)/etc/banip/banip.feeds
endef endef
$(eval $(call BuildPackage,banip)) $(eval $(call BuildPackage,banip))


@ -7,7 +7,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
## Main Features ## Main Features
* banIP supports the following fully pre-configured domain blocklist feeds (free for private usage, for commercial use please check their individual licenses). * banIP supports the following fully pre-configured domain blocklist feeds (free for private usage, for commercial use please check their individual licenses).
**Please note:** the columns "WAN-INP", "WAN-FWD" and "LAN_FWD" show for which chains the feeds are suitable in common scenarios, e.g. the first entry should be limited to the LAN forward chain - see the config options 'ban\_blockinput', 'ban\_blockforwardwan' and 'ban\_blockforwardlan' below. **Please note:** the columns "WAN-INP", "WAN-FWD" and "LAN-FWD" show for which chains the feeds are suitable in common scenarios, e.g. the first entry should be limited to the LAN forward chain - see the config options 'ban\_blockinput', 'ban\_blockforwardwan' and 'ban\_blockforwardlan' below.
| Feed | Focus | WAN-INP | WAN-FWD | LAN-FWD | Information | | Feed | Focus | WAN-INP | WAN-FWD | LAN-FWD | Information |
| :------------------ | :----------------------------- | :-----: | :-----: | :-----: | :----------------------------------------------------------- | | :------------------ | :----------------------------- | :-----: | :-----: | :-----: | :----------------------------------------------------------- |
@ -36,6 +36,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
| iblockspy | Malicious spyware IPs | x | x | x | [Link](https://www.iblocklist.com) | | iblockspy | Malicious spyware IPs | x | x | x | [Link](https://www.iblocklist.com) |
| myip | real-time IP blocklist | x | x | | [Link](https://myip.ms) | | myip | real-time IP blocklist | x | x | | [Link](https://myip.ms) |
| nixspam | iX spam protection | x | x | | [Link](http://www.nixspam.org) | | nixspam | iX spam protection | x | x | | [Link](http://www.nixspam.org) |
| oisdbig | OISD-big IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| oisdnsfw | OISD-nsfw IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) | | oisdnsfw | OISD-nsfw IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| oisdsmall | OISD-small IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) | | oisdsmall | OISD-small IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| proxy | open proxies | x | | | [Link](https://iplists.firehol.org/?ipset=proxylists) | | proxy | open proxies | x | | | [Link](https://iplists.firehol.org/?ipset=proxylists) |
@ -64,10 +65,11 @@ IP address blocking is commonly used to protect against brute force attacks, pre
* provides a small background log monitor to ban unsuccessful login attempts in real-time * provides a small background log monitor to ban unsuccessful login attempts in real-time
* auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist * auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist
* fast feed processing as they are handled in parallel as background jobs * fast feed processing as they are handled in parallel as background jobs
* per feed it can be defined whether the input chain or the forward chain should be blocked (default: both chains) * per feed it can be defined whether the wan-input chain, the wan-forward chain or the lan-forward chain should be blocked (default: all chains)
* automatic blocklist backup & restore, the backups will be used in case of download errors or during startup * automatic blocklist backup & restore, the backups will be used in case of download errors or during startup
* automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or wget * automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or wget
* supports a 'allowlist only' mode, this option restricts internet access from/to a small number of secure websites/IPs * supports an 'allowlist only' mode, this option restricts internet access from/to a small number of secure websites/IPs
* deduplicate IPs accross all sets (single IPs only, no intervals)
* provides comprehensive runtime information * provides comprehensive runtime information
* provides a detailed set report * provides a detailed set report
* provides a set search engine for certain IPs * provides a set search engine for certain IPs
@ -85,13 +87,12 @@ IP address blocking is commonly used to protect against brute force attacks, pre
**Please note the following:** **Please note the following:**
* Devices with less than 256Mb of RAM are **_not_** supported * Devices with less than 256Mb of RAM are **_not_** supported
* Any previous installation of banIP must be uninstalled, and the /etc/banip folder and the /etc/config/banip configuration file must be deleted (they are recreated when this version is installed) * Any previous installation of ancient banIP 0.7.x must be uninstalled, and the /etc/banip folder and the /etc/config/banip configuration file must be deleted (they are recreated when this version is installed)
* There is no LuCI frontend at this time
## Installation & Usage ## Installation & Usage
* update your local opkg repository (_opkg update_) * update your local opkg repository (_opkg update_)
* install banIP (_opkg install banip_) - the banIP service is disabled by default * install banIP (_opkg install banip_) - the banIP service is disabled by default
* edit the config file '/etc/config/banip' and enable the service (set ban\_enabled to '1'), then add pre-configured feeds via 'ban\_feed' (see the config options below) * edit the config file '/etc/config/banip' and enable the service (set ban\_enabled to '1'), then add pre-configured feeds via 'ban\_feed' (see the feed list above) and add/change other options to your needs (see the options reference below)
* start the service with '/etc/init.d/banip start' and check check everything is working by running '/etc/init.d/banip status' * start the service with '/etc/init.d/banip start' and check check everything is working by running '/etc/init.d/banip status'
## banIP CLI interface ## banIP CLI interface
@ -162,7 +163,6 @@ Available commands:
| ban_mailtopic | option | banIP notification | topic for banIP related notification E-Mails | | ban_mailtopic | option | banIP notification | topic for banIP related notification E-Mails |
| ban_mailprofile | option | ban_notify | mail profile used in 'msmtp' for banIP related notification E-Mails | | ban_mailprofile | option | ban_notify | mail profile used in 'msmtp' for banIP related notification E-Mails |
| ban_resolver | option | - | external resolver used for DNS lookups | | ban_resolver | option | - | external resolver used for DNS lookups |
| ban_feedarchive | option | /etc/banip/banip.feeds.gz | full path to the compressed feed archive file used by banIP |
## Examples ## Examples
**banIP report information** **banIP report information**
@ -217,7 +217,7 @@ Available commands:
~# /etc/init.d/banip status ~# /etc/init.d/banip status
::: banIP runtime information ::: banIP runtime information
+ status : active + status : active
+ version : 0.8.1-1 + version : 0.8.1-2
+ element_count : 206644 + element_count : 206644
+ active_feeds : allowlistvMAC, allowlistv4, allowlistv6, torv4, torv6, countryv6, countryv4, dohv4, dohv6, firehol1v4, deblv4, deblv6, + active_feeds : allowlistvMAC, allowlistv4, allowlistv6, torv4, torv6, countryv6, countryv4, dohv4, dohv6, firehol1v4, deblv4, deblv6,
adguardv6, adguardv4, adguardtrackersv6, adguardtrackersv4, adawayv6, adawayv4, oisdsmallv6, oisdsmallv4, stevenblack adguardv6, adguardv4, adguardtrackersv6, adguardtrackersv4, adawayv6, adawayv4, oisdsmallv6, oisdsmallv4, stevenblack
@ -225,8 +225,7 @@ Available commands:
+ active_devices : eth2 + active_devices : eth2
+ active_interfaces : wan, wan6 + active_interfaces : wan, wan6
+ active_subnets : 91.61.199.218/24, 2a02:910c:0:80:e542:4b0c:846d:1d33/128 + active_subnets : 91.61.199.218/24, 2a02:910c:0:80:e542:4b0c:846d:1d33/128
+ run_info : base_dir: /tmp, backup_dir: /mnt/data/banIP-backup, report_dir: /mnt/data/banIP-report, feed_archive: /etc/banip/banip + run_info : base_dir: /tmp, backup_dir: /mnt/data/banIP-backup, report_dir: /mnt/data/banIP-report, feed_file: /etc/banip/banip.feeds
.feeds.gz
+ run_flags : proto (4/6): ✔/✔, log (wan-inp/wan-fwd/lan-fwd): ✔/✔/✔, deduplicate: ✔, split: ✘, allowed only: ✘ + run_flags : proto (4/6): ✔/✔, log (wan-inp/wan-fwd/lan-fwd): ✔/✔/✔, deduplicate: ✔, split: ✘, allowed only: ✘
+ last_run : action: restart, duration: 1m 6s, date: 2023-02-25 08:55:55 + last_run : action: restart, duration: 1m 6s, date: 2023-02-25 08:55:55
+ system_info : cores: 2, memory: 1826, device: Turris Omnia, OpenWrt SNAPSHOT r22125-52ddb38469 + system_info : cores: 2, memory: 1826, device: Turris Omnia, OpenWrt SNAPSHOT r22125-52ddb38469
@ -293,9 +292,8 @@ password <password>
``` ```
Finally add a valid E-Mail receiver address. Finally add a valid E-Mail receiver address.
**add new banIP feeds** **change existing banIP feeds or add a new one**
The banIP blocklist feeds are stored in an external, compressed JSON file '/etc/banip/banip.feeds.gz'. The banIP blocklist feeds are stored in an external JSON file '/etc/banip/banip.feeds'.
To add a new or edit an existing feed extract the compressed JSON file _gunzip /etc/banip/banip.feeds.gz_.
A valid JSON source object contains the following required information, e.g.: A valid JSON source object contains the following required information, e.g.:
``` ```
[...] [...]
@ -309,15 +307,15 @@ A valid JSON source object contains the following required information, e.g.:
}, },
[...] [...]
``` ```
Add an unique object name, make the required changes and compress the changed JSON file finally with _gzip /etc/banip/banip.feeds_ to use the new feed file in banIP. Add an unique object name (no spaces, no special chars) and make the required changes: adapt at least the URL the regex to the new feed.
**Please note:** if you're going to add new feeds, **always** work with a copy of the default file; this file is always overwritten with every banIP update. To reference your own file set the option 'ban\_feedarchive' accordingly **Please note:** if you're going to add new feeds, **always** make a backup of your work, cause this file is always overwritten with the maintainers version on every banIP update.
## Support ## Support
Please join the banIP discussion in this [forum thread](https://forum.openwrt.org/t/banip-support-thread/16985) or contact me by mail <dev@brenken.org> Please join the banIP discussion in this [forum thread](https://forum.openwrt.org/t/banip-support-thread/16985) or contact me by mail <dev@brenken.org>
## Removal ## Removal
* stop all banIP related services with _/etc/init.d/banip stop_ * stop all banIP related services with _/etc/init.d/banip stop_
* optional: remove the banip package (_opkg remove banip_) * remove the banip package (_opkg remove banip_)
Have fun! Have fun!
Dirk Dirk


@ -13,7 +13,7 @@ export PATH="/usr/sbin:/usr/bin:/sbin:/bin"
ban_basedir="/tmp" ban_basedir="/tmp"
ban_backupdir="${ban_basedir}/banIP-backup" ban_backupdir="${ban_basedir}/banIP-backup"
ban_reportdir="${ban_basedir}/banIP-report" ban_reportdir="${ban_basedir}/banIP-report"
ban_feedarchive="/etc/banip/banip.feeds.gz" ban_feedfile="/etc/banip/banip.feeds"
ban_pidfile="/var/run/banip.pid" ban_pidfile="/var/run/banip.pid"
ban_lock="/var/run/banip.lock" ban_lock="/var/run/banip.lock"
ban_blocklist="/etc/banip/banip.blocklist" ban_blocklist="/etc/banip/banip.blocklist"
@ -873,7 +873,7 @@ f_genstatus() {
done done
fi fi
json_close_array json_close_array
json_add_string "run_info" "base_dir: ${ban_basedir}, backup_dir: ${ban_backupdir}, report_dir: ${ban_reportdir}, feed_archive: ${ban_feedarchive}" json_add_string "run_info" "base: ${ban_basedir}, backup: ${ban_backupdir}, report: ${ban_reportdir}, feed: ${ban_feedfile}"
json_add_string "run_flags" "protocol (4/6): $(f_char ${ban_protov4})/$(f_char ${ban_protov6}), log (wan-inp/wan-fwd/lan-fwd): $(f_char ${ban_loginput})/$(f_char ${ban_logforwardwan})/$(f_char ${ban_logforwardlan}), deduplicate: $(f_char ${ban_deduplicate}), split: $(f_char ${split}), allowed only: $(f_char ${ban_allowlistonly})" json_add_string "run_flags" "protocol (4/6): $(f_char ${ban_protov4})/$(f_char ${ban_protov6}), log (wan-inp/wan-fwd/lan-fwd): $(f_char ${ban_loginput})/$(f_char ${ban_logforwardwan})/$(f_char ${ban_logforwardlan}), deduplicate: $(f_char ${ban_deduplicate}), split: $(f_char ${split}), allowed only: $(f_char ${ban_allowlistonly})"
json_add_string "last_run" "${runtime:-"-"}" json_add_string "last_run" "${runtime:-"-"}"
json_add_string "system_info" "cores: ${ban_cores}, memory: ${ban_memory}, device: ${ban_sysver}" json_add_string "system_info" "cores: ${ban_cores}, memory: ${ban_memory}, device: ${ban_sysver}"
@ -1203,7 +1203,7 @@ if [ "${ban_action}" != "stop" ]; then
f_log "err" "system libraries not found" f_log "err" "system libraries not found"
fi fi
[ ! -d "/etc/banip" ] && f_log "err" "banIP config directory not found, please re-install the package" [ ! -d "/etc/banip" ] && f_log "err" "banIP config directory not found, please re-install the package"
[ ! -r "/etc/banip/banip.feeds" ] && f_log "err" "banIP feed file not found, please re-install the package"
[ ! -r "/etc/config/banip" ] && f_log "err" "banIP config not found, please re-install the package" [ ! -r "/etc/config/banip" ] && f_log "err" "banIP config not found, please re-install the package"
[ ! -r "/etc/banip/banip.feeds.gz" ] || ! zcat "$(uci_get banip global ban_feedarchive "/etc/banip/banip.feeds.gz")" >"$(uci_get banip global ban_basedir "/tmp")/ban_feeds.json" && f_log "err" "banIP feed archive not found, please re-install the package"
[ "$(uci_get banip global ban_enabled)" = "0" ] && f_log "err" "banIP is currently disabled, please set the config option 'ban_enabled' to '1' to use this service" [ "$(uci_get banip global ban_enabled)" = "0" ] && f_log "err" "banIP is currently disabled, please set the config option 'ban_enabled' to '1' to use this service"
fi fi
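Review bot: An upgraded system that still sets 'ban_feedarchive' in /etc/config/banip is never told that the option is now ignored, because the preflight block in the last hunk tests only the fixed path and the old `uci_get banip global ban_feedarchive` lookup is gone. The previous README advised pointing that option at a private copy, so custom feeds would silently stop being applied after the update, which changes what the firewall blocks. I would log it once, e.g. `[ -n "$(uci_get banip global ban_feedarchive)" ] && f_log "info" "option 'ban_feedarchive' is obsolete, feeds are read from ${ban_feedfile}"`, and use `"${ban_feedfile}"` in the new `-r` test instead of repeating the literal path. The enclosing `if` block starts outside the hunk.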


@ -59,7 +59,7 @@ if [ "${ban_allowlistonly}" = "1" ]; then
ban_feed="" ban_feed=""
else else
json_init json_init
if ! json_load_file "${ban_basedir}/ban_feeds.json" >/dev/null 2>&1; then if ! json_load_file "${ban_feedfile}" >/dev/null 2>&1; then
f_log "err" "banIP feed file can't be loaded" f_log "err" "banIP feed file can't be loaded"
fi fi
[ "${ban_deduplicate}" = "1" ] && printf "\n" >"${ban_tmpfile}.deduplicate" [ "${ban_deduplicate}" = "1" ] && printf "\n" >"${ban_tmpfile}.deduplicate"


@ -177,6 +177,14 @@
"descurl": "https://www.nixspam.net", "descurl": "https://www.nixspam.net",
"flag": "gz" "flag": "gz"
}, },
"oisdbig": {
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdbig-ipv4.txt",
"url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdbig-ipv6.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"focus": "OISD-big IPs",
"descurl": "https://github.com/dibdot/banIP-IP-blocklists"
},
"oisdnsfw": { "oisdnsfw": {
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdnsfw-ipv4.txt", "url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdnsfw-ipv4.txt",
"url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdnsfw-ipv6.txt", "url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdnsfw-ipv6.txt",
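Review bot: The bracket expression `[0-9A-f]` in the new `rule_6` is wider than hex, since in ASCII order the range A–f also takes in G–Z and the punctuation between `Z` and `a`, so non-address tokens can pass the filter. `rule_4` has a similar gap: only the last octet is range-checked, while the first three are `[0-9]{1,3}` and accept values above 255. The list is downloaded from a remote URL and the matched text is presumably loaded as set elements, so I would tighten the class to `[0-9A-Fa-f]` and reuse the last-octet alternation for all four octets. The same patterns may exist in neighbouring feed entries outside this hunk, and whether the later set load rejects malformed elements is not visible here.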