commit
3a1798155c
4 changed files with 40 additions and 27 deletions
|
@ -6,7 +6,7 @@
|
||||||
include $(TOPDIR)/rules.mk
|
include $(TOPDIR)/rules.mk
|
||||||
|
|
||||||
PKG_NAME:=banip
|
PKG_NAME:=banip
|
||||||
PKG_VERSION:=0.7.2
|
PKG_VERSION:=0.7.3
|
||||||
PKG_RELEASE:=1
|
PKG_RELEASE:=1
|
||||||
PKG_LICENSE:=GPL-3.0-or-later
|
PKG_LICENSE:=GPL-3.0-or-later
|
||||||
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
|
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
|
||||||
|
|
|
@ -31,6 +31,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
|
||||||
| nixspam | iX spam protection | [Link](http://www.nixspam.org) |
|
| nixspam | iX spam protection | [Link](http://www.nixspam.org) |
|
||||||
| proxy | Firehol list of open proxies | [Link](https://iplists.firehol.org/?ipset=proxylists) |
|
| proxy | Firehol list of open proxies | [Link](https://iplists.firehol.org/?ipset=proxylists) |
|
||||||
| ssbl | SSL botnet IP blacklist | [Link](https://sslbl.abuse.ch) |
|
| ssbl | SSL botnet IP blacklist | [Link](https://sslbl.abuse.ch) |
|
||||||
|
| talos | Cisco Talos IP Blacklist | [Link](https://talosintelligence.com/reputation_center) |
|
||||||
| threat | Emerging Threats | [Link](https://rules.emergingthreats.net) |
|
| threat | Emerging Threats | [Link](https://rules.emergingthreats.net) |
|
||||||
| tor | Tor exit nodes | [Link](https://fissionrelays.net/lists) |
|
| tor | Tor exit nodes | [Link](https://fissionrelays.net/lists) |
|
||||||
| uceprotect1 | Spam protection level 1 | [Link](http://www.uceprotect.net/en/index.php) |
|
| uceprotect1 | Spam protection level 1 | [Link](http://www.uceprotect.net/en/index.php) |
|
||||||
|
@ -68,6 +69,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
|
||||||
* [OpenWrt](https://openwrt.org), tested with the stable release series (19.07.x) and with the latest rolling snapshot releases. On turris devices it has been successfully tested with TurrisOS 5.2.x
|
* [OpenWrt](https://openwrt.org), tested with the stable release series (19.07.x) and with the latest rolling snapshot releases. On turris devices it has been successfully tested with TurrisOS 5.2.x
|
||||||
<b>Please note:</b> Older OpenWrt releases like 18.06.x or 17.01.x are _not_ supported!
|
<b>Please note:</b> Older OpenWrt releases like 18.06.x or 17.01.x are _not_ supported!
|
||||||
<b>Please note:</b> Devices with less than 128 MByte RAM are _not_ supported!
|
<b>Please note:</b> Devices with less than 128 MByte RAM are _not_ supported!
|
||||||
|
<b>Please note:</b> If you're updating from former banIP 0.3x please manually remove your config (/etc/config/banip) before you start!
|
||||||
* A download utility with SSL support: 'wget', 'uclient-fetch' with one of the 'libustream-*' ssl libraries, 'aria2c' or 'curl' is required
|
* A download utility with SSL support: 'wget', 'uclient-fetch' with one of the 'libustream-*' ssl libraries, 'aria2c' or 'curl' is required
|
||||||
* A certificate store like 'ca-bundle', as banIP checks the validity of the SSL certificates of all download sites by default
|
* A certificate store like 'ca-bundle', as banIP checks the validity of the SSL certificates of all download sites by default
|
||||||
* Optional E-Mail notification support: for E-Mail notifications you need to install the additional 'msmtp' package
|
* Optional E-Mail notification support: for E-Mail notifications you need to install the additional 'msmtp' package
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
export LC_ALL=C
|
export LC_ALL=C
|
||||||
export PATH="/usr/sbin:/usr/bin:/sbin:/bin"
|
export PATH="/usr/sbin:/usr/bin:/sbin:/bin"
|
||||||
set -o pipefail
|
set -o pipefail
|
||||||
ban_ver="0.7.2"
|
ban_ver="0.7.3"
|
||||||
ban_enabled="0"
|
ban_enabled="0"
|
||||||
ban_mail_enabled="0"
|
ban_mail_enabled="0"
|
||||||
ban_proto4_enabled="0"
|
ban_proto4_enabled="0"
|
||||||
|
@ -93,11 +93,11 @@ f_load()
|
||||||
#
|
#
|
||||||
if [ "${ban_enabled}" = "0" ]
|
if [ "${ban_enabled}" = "0" ]
|
||||||
then
|
then
|
||||||
|
f_bgsrv "stop"
|
||||||
f_ipset "destroy"
|
f_ipset "destroy"
|
||||||
f_jsnup "disabled"
|
f_jsnup "disabled"
|
||||||
f_rmbckp
|
f_rmbckp
|
||||||
f_rmtmp
|
f_rmtmp
|
||||||
f_bgsrv "stop"
|
|
||||||
f_log "info" "banIP is currently disabled, please set the config option 'ban_enabled' to '1' to use this service"
|
f_log "info" "banIP is currently disabled, please set the config option 'ban_enabled' to '1' to use this service"
|
||||||
exit 0
|
exit 0
|
||||||
fi
|
fi
|
||||||
|
@ -739,22 +739,24 @@ f_ipset()
|
||||||
return "${out_rc}"
|
return "${out_rc}"
|
||||||
;;
|
;;
|
||||||
"create")
|
"create")
|
||||||
if [ "${src_name}" = "maclist" ] && [ -s "${tmp_file}" ] && [ -z "$("${ban_ipset_cmd}" -q -n list "${src_name}")" ]
|
if [ -s "${tmp_file}" ] && [ -z "$("${ban_ipset_cmd}" -q -n list "${src_name}")" ]
|
||||||
then
|
then
|
||||||
"${ban_ipset_cmd}" create "${src_name}" hash:mac maxelem 262144 counters timeout "${ban_maclist_timeout:-"0"}"
|
cnt="$(awk 'END{print NR}' "${tmp_file}" 2>/dev/null)"
|
||||||
out_rc="${?}"
|
cnt=$((cnt+262144))
|
||||||
elif [ -s "${tmp_file}" ] && [ -z "$("${ban_ipset_cmd}" -q -n list "${src_name}")" ]
|
if [ "${src_name}" = "maclist" ]
|
||||||
then
|
|
||||||
if [ "${src_name%_*}" = "whitelist" ]
|
|
||||||
then
|
then
|
||||||
"${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem 262144 family "${src_ipver}" counters timeout "${ban_whitelist_timeout:-"0"}"
|
"${ban_ipset_cmd}" create "${src_name}" hash:mac hashsize 64 maxelem "${cnt}" counters timeout "${ban_maclist_timeout:-"0"}"
|
||||||
|
out_rc="${?}"
|
||||||
|
elif [ "${src_name%_*}" = "whitelist" ]
|
||||||
|
then
|
||||||
|
"${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem "${cnt}" family "${src_ipver}" counters timeout "${ban_whitelist_timeout:-"0"}"
|
||||||
out_rc="${?}"
|
out_rc="${?}"
|
||||||
elif [ "${src_name%_*}" = "blacklist" ]
|
elif [ "${src_name%_*}" = "blacklist" ]
|
||||||
then
|
then
|
||||||
"${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem 262144 family "${src_ipver}" counters timeout "${ban_blacklist_timeout:-"0"}"
|
"${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem "${cnt}" family "${src_ipver}" counters timeout "${ban_blacklist_timeout:-"0"}"
|
||||||
out_rc="${?}"
|
out_rc="${?}"
|
||||||
else
|
else
|
||||||
"${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem 262144 family "${src_ipver}" counters
|
"${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem "${cnt}" family "${src_ipver}" counters
|
||||||
out_rc="${?}"
|
out_rc="${?}"
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
|
@ -821,19 +823,22 @@ f_ipset()
|
||||||
f_log "debug" "f_ipset ::: name: ${src:-"-"}, mode: ${mode:-"-"}"
|
f_log "debug" "f_ipset ::: name: ${src:-"-"}, mode: ${mode:-"-"}"
|
||||||
;;
|
;;
|
||||||
"resume")
|
"resume")
|
||||||
"${ban_ipset_cmd}" -q -! restore < "${ban_backupdir}/${src_name}.file"
|
if [ -f "${ban_backupdir}/${src_name}.file" ]
|
||||||
out_rc="${?}"
|
|
||||||
if [ "${out_rc}" = "0" ]
|
|
||||||
then
|
then
|
||||||
rm -f "${ban_backupdir}/${src_name}.file"
|
"${ban_ipset_cmd}" -q -! restore < "${ban_backupdir}/${src_name}.file"
|
||||||
src_list="$("${ban_ipset_cmd}" -q list "${src_name}")"
|
out_rc="${?}"
|
||||||
cnt="$(printf "%s\n" "${src_list}" | awk '/^Number of entries:/{print $4}')"
|
if [ "${out_rc}" = "0" ]
|
||||||
cnt_mac="$(printf "%s\n" "${src_list}" | grep -cE "^(([0-9A-Z][0-9A-Z]:){5}[0-9A-Z]{2} packets)")"
|
then
|
||||||
cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "(/[0-9]{1,3} packets)")"
|
rm -f "${ban_backupdir}/${src_name}.file"
|
||||||
cnt_ip=$((cnt-cnt_cidr-cnt_mac))
|
src_list="$("${ban_ipset_cmd}" -q list "${src_name}")"
|
||||||
printf "%s\n" "${cnt}" > "${tmp_cnt}"
|
cnt="$(printf "%s\n" "${src_list}" | awk '/^Number of entries:/{print $4}')"
|
||||||
|
cnt_mac="$(printf "%s\n" "${src_list}" | grep -cE "^(([0-9A-Z][0-9A-Z]:){5}[0-9A-Z]{2} packets)")"
|
||||||
|
cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "(/[0-9]{1,3} packets)")"
|
||||||
|
cnt_ip=$((cnt-cnt_cidr-cnt_mac))
|
||||||
|
printf "%s\n" "${cnt}" > "${tmp_cnt}"
|
||||||
|
fi
|
||||||
|
f_iptables
|
||||||
fi
|
fi
|
||||||
f_iptables
|
|
||||||
end_ts="$(date +%s)"
|
end_ts="$(date +%s)"
|
||||||
out_rc="${out_rc:-"${in_rc}"}"
|
out_rc="${out_rc:-"${in_rc}"}"
|
||||||
f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, ipver: ${src_ipver:-"-"}, settype: ${src_settype:-"-"}, count(sum/ip/cidr/mac): ${cnt}/${cnt_ip}/${cnt_cidr}/${cnt_mac}, time: $((end_ts-start_ts)), out_rc: ${out_rc}"
|
f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, ipver: ${src_ipver:-"-"}, settype: ${src_settype:-"-"}, count(sum/ip/cidr/mac): ${cnt}/${cnt_ip}/${cnt_cidr}/${cnt_mac}, time: $((end_ts-start_ts)), out_rc: ${out_rc}"
|
||||||
|
@ -937,9 +942,9 @@ f_bgsrv()
|
||||||
fi
|
fi
|
||||||
if [ -n "$(printf "%s\n" "${ban_logterms}" | grep -F "nginx")" ]
|
if [ -n "$(printf "%s\n" "${ban_logterms}" | grep -F "nginx")" ]
|
||||||
then
|
then
|
||||||
ban_search="${ban_search}nginx\[[0-9]+\]:.*\[error\].*open().*client: [[:alnum:].:]+"
|
ban_search="${ban_search}nginx\[[0-9]+\]:.*\[error\].*open().*client: [[:alnum:].:]+|"
|
||||||
fi
|
fi
|
||||||
( "${ban_logservice}" "${ban_ver}" "${ban_search}" & )
|
( "${ban_logservice}" "${ban_ver}" "${ban_search%?}" & )
|
||||||
elif [ "${action}" = "stop" ] && [ -n "${bg_pid}" ]
|
elif [ "${action}" = "stop" ] && [ -n "${bg_pid}" ]
|
||||||
then
|
then
|
||||||
kill -HUP "${bg_pid}" 2>/dev/null
|
kill -HUP "${bg_pid}" 2>/dev/null
|
||||||
|
@ -1750,10 +1755,10 @@ fi
|
||||||
f_load
|
f_load
|
||||||
case "${ban_action}" in
|
case "${ban_action}" in
|
||||||
"stop")
|
"stop")
|
||||||
|
f_bgsrv "stop"
|
||||||
f_ipset "destroy"
|
f_ipset "destroy"
|
||||||
f_jsnup "stopped"
|
f_jsnup "stopped"
|
||||||
f_rmbckp
|
f_rmbckp
|
||||||
f_bgsrv "stop"
|
|
||||||
;;
|
;;
|
||||||
"restart")
|
"restart")
|
||||||
f_ipset "destroy"
|
f_ipset "destroy"
|
||||||
|
@ -1764,10 +1769,10 @@ case "${ban_action}" in
|
||||||
"suspend")
|
"suspend")
|
||||||
if [ "${ban_status}" = "enabled" ]
|
if [ "${ban_status}" = "enabled" ]
|
||||||
then
|
then
|
||||||
|
f_bgsrv "stop"
|
||||||
f_jsnup "running"
|
f_jsnup "running"
|
||||||
f_ipset "suspend"
|
f_ipset "suspend"
|
||||||
f_jsnup "paused"
|
f_jsnup "paused"
|
||||||
f_bgsrv "stop"
|
|
||||||
fi
|
fi
|
||||||
f_rmtmp
|
f_rmtmp
|
||||||
;;
|
;;
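Review bot: In the `resume` branch of f_ipset, a missing `${ban_backupdir}/${src_name}.file` now skips both the restore and the `f_iptables` call without any message, and `out_rc` then falls back to `in_rc`. The caller may therefore see success while the set for that source was never restored and its rules were not re-applied. An `else` branch on the new `-f` test would make this visible, for example `f_log "info" "f_ipset ::: no backup found for ${src_name}, resume skipped"`. Whether `out_rc` should also be set non-zero there depends on how callers treat it, which is outside this hunk, as are the start and end of f_ipset.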
|
||||||
|
|
|
@ -142,6 +142,12 @@
|
||||||
"focus": "SSL botnet IP blacklist",
|
"focus": "SSL botnet IP blacklist",
|
||||||
"descurl": "https://sslbl.abuse.ch"
|
"descurl": "https://sslbl.abuse.ch"
|
||||||
},
|
},
|
||||||
|
"talos": {
|
||||||
|
"url_4": "https://www.talosintelligence.com/documents/ip-blacklist",
|
||||||
|
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add talos_4 \"$1}",
|
||||||
|
"focus": "Cisco Talos IP Blacklist",
|
||||||
|
"descurl": "https://talosintelligence.com/reputation_center"
|
||||||
|
},
|
||||||
"threat": {
|
"threat": {
|
||||||
"url_4": "https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt",
|
"url_4": "https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt",
|
||||||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add threat_4 \"$1}",
|
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add threat_4 \"$1}",
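Review bot: The `rule_4` pattern of the new `talos` entry accepts more than valid IPv4 networks: `[0-9]{1,3}` lets the first three octets run up to 999, and the prefix alternation `(1?[0-9]|2?[0-9]|3?[0-2])` also matches `/0`. A malformed or tampered line in the downloaded list is therefore passed on as `add talos_4 …`. The same expression is used by the existing `threat` entry, so this is inherited rather than introduced here. If ipset does not reject such input on its own (not visible in this diff), bounding every octet the way the last one is bounded and requiring a minimum prefix length would keep a bad feed line from becoming an over-broad block.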
|
||||||
|
|