Difuse/packages
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

banip: update 0.2.1

Browse source 
* remove 'http-only' mode, all sources are now fetched from https sites
* the backup mode is now mandatory ('/tmp' is the default backup
  directory), always create and re-use backups if available.
  To force a re-download take the 'reload' action.
* support 'sshd' in addition to 'dropbear' for logfile parsing
  to detect break-in events
* always update the black-/whitelist with logfile parsing results
  in 'refresh' mode (no new downloads)
* rework the return code handling
* tweak procd trigger
* various small fixes
* (s)hellsheck cosmetics
* Change .*GPL.*+ licenses to SPDX compatible identifier

Signed-off-by: Dirk Brenken <dev@brenken.org>
This commit is contained in:
Dirk Brenken 2019-09-11 06:21:20 +02:00
parent 1ad19c6bfa
commit 3f89abbf0d
No known key found for this signature in database
GPG key ID: 9D71CD547BFAE684
6 changed files with 230 additions and 220 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
net/banip/Makefile
View file

@ -6,9 +6,9 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=banip PKG_NAME:=banip
PKG_VERSION:=0.1.4 PKG_VERSION:=0.2.1
PKG_RELEASE:=1 PKG_RELEASE:=1
PKG_LICENSE:=GPL-3.0+ PKG_LICENSE:=GPL-3.0-or-later
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org> PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
include $(INCLUDE_DIR)/package.mk include $(INCLUDE_DIR)/package.mk

42
net/banip/files/README.md
View file

@ -6,39 +6,36 @@ IP address blocking is commonly used to protect against brute force attacks, pre
## Main Features ## Main Features
* support many IP blocklist sources (free for private usage, for commercial use please check their individual licenses): * support many IP blocklist sources (free for private usage, for commercial use please check their individual licenses):
* zero-conf like automatic installation & setup, usually no manual changes needed * zero-conf like automatic installation & setup, usually no manual changes needed
* supports six different download utilities: uclient-fetch, wget, curl, aria2c, wget-nossl, busybox-wget * supports four different download utilities: uclient-fetch, wget, curl, aria2c
* Really fast downloads & list processing as they are handled in parallel as background jobs in a configurable 'Download Queue' * Really fast downloads & list processing as they are handled in parallel as background jobs in a configurable 'Download Queue'
* provides 'http only' mode without installed ssl library for all non-SSL blocklist sources
* full IPv4 and IPv6 support * full IPv4 and IPv6 support
* ipsets (one per source) are used to ban a large number of IP addresses * ipsets (one per source) are used to ban a large number of IP addresses
* supports blocking by ASN numbers * supports blocking by ASN numbers
* supports blocking by iso country codes * supports blocking by iso country codes
* supports local white & blacklist (IPv4, IPv6 & CIDR notation), located by default in /etc/banip/banip.whitelist and /etc/banip/banip.blacklist * supports local white & blacklist (IPv4, IPv6 & CIDR notation), located by default in /etc/banip/banip.whitelist and /etc/banip/banip.blacklist
* auto-add unsuccessful ssh login attempts to local blacklist * auto-add unsuccessful ssh login attempts to 'dropbear' or 'sshd' to local blacklist (see 'ban_autoblacklist' option)
* auto-add the uplink subnet to local whitelist * auto-add the uplink subnet to local whitelist (see 'ban_autowhitelist' option)
* per source configuration of SRC (incoming) and DST (outgoing) * per source configuration of SRC (incoming) and DST (outgoing)
* integrated IPSet-Lookup * integrated IPSet-Lookup
* integrated RIPE-Lookup * integrated RIPE-Lookup
* blocklist source parsing by fast & flexible regex rulesets * blocklist source parsing by fast & flexible regex rulesets
* minimal status & error logging to syslog, enable debug logging to receive more output * minimal status & error logging to syslog, enable debug logging to receive more output
* procd based init system support (start/stop/restart/reload/status) * procd based init system support (start/stop/restart/reload/refresh/status)
* procd network interface trigger support * procd network interface trigger support
* automatic blocklist backup & restore, they will be used in case of download errors or during startup in backup mode * automatic blocklist backup & restore, they will be used in case of download errors or during startup
* 'backup mode' to re-use blocklist backups during startup, get fresh lists via reload or restart action
* output comprehensive runtime information via LuCI or via 'status' init command * output comprehensive runtime information via LuCI or via 'status' init command
* strong LuCI support * strong LuCI support
* optional: add new banIP sources on your own * optional: add new banIP sources on your own
## Prerequisites ## Prerequisites
* [OpenWrt](https://openwrt.org), tested with the stable release series (18.06) and with the latest snapshot * [OpenWrt](https://openwrt.org), tested with the stable release series (19.07) and with the latest snapshot
* a download utility: * a download utility:
* to support all blocklist sources a full version (with ssl support) of 'wget', 'uclient-fetch' with one of the 'libustream-*' ssl libraries, 'aria2c' or 'curl' is required * to support all blocklist sources a full version with ssl support of 'wget', 'uclient-fetch' with one of the 'libustream-*' ssl libraries, 'aria2c' or 'curl' is required
* for limited devices with real memory constraints, banIP provides also a 'http only' option and supports wget-nossl and uclient-fetch (without libustream-ssl) as well
## Installation & Usage ## Installation & Usage
* install 'banip' (_opkg install banip_) * install 'banip' (_opkg install banip_)
* at minimum configure the needed IP blocklist sources, the download utility and enable the banIP service in _/etc/config/banip_ * at minimum configure the needed IP blocklist sources, the download utility and enable the banIP service in _/etc/config/banip_
* control the banip service manually with _/etc/init.d/banip_ start/stop/restart/reload/status or use the LuCI frontend * control the banip service manually with _/etc/init.d/banip_ start/stop/restart/reload/refresh/status or use the LuCI frontend
## LuCI banIP companion package ## LuCI banIP companion package
* it's recommended to use the provided LuCI frontend to control all aspects of banIP * it's recommended to use the provided LuCI frontend to control all aspects of banIP
@ -54,14 +51,16 @@ IP address blocking is commonly used to protect against brute force attacks, pre
* ban\_iface => space separated list of WAN network interface(s)/device(s) used by banIP (default: automatically set by banIP ('ban_automatic')) * ban\_iface => space separated list of WAN network interface(s)/device(s) used by banIP (default: automatically set by banIP ('ban_automatic'))
* the following options apply to the 'extra' config section: * the following options apply to the 'extra' config section:
* ban\_debug => enable/disable banIP debug output (default: '0', disabled) * ban\_debug => enable/disable banIP debug output (bool/default: '0', disabled)
* ban\_nice => set the nice level of the banIP process and all sub-processes (int/default: '0', standard priority) * ban\_nice => set the nice level of the banIP process and all sub-processes (int/default: '0', standard priority)
* ban\_triggerdelay => additional trigger delay in seconds before banIP processing begins (int/default: '2') * ban\_triggerdelay => additional trigger delay in seconds before banIP processing begins (int/default: '2')
* ban\_backup => create compressed blocklist backups, they will be used in case of download errors or during startup in 'backup mode' (bool/default: '0', disabled) * ban\_backupdir => target directory for banIP backups (default: '/tmp')
* ban\_backupdir => target directory for adblock backups (default: not set) * ban\_sshdaemon => select the SSH daemon for logfile parsing, 'dropbear' or 'sshd' (default: 'dropbear')
* ban\_backupboot => do not automatically update blocklists during startup, use their backups instead (bool/default: '0', disabled) * ban\_starttype => select the used start type during boot, 'start' or 'reload' (default: 'start')
* ban\_maxqueue => size of the download queue to handle downloads & IPSet processing in parallel (int/default: '8') * ban\_maxqueue => size of the download queue to handle downloads & IPSet processing in parallel (int/default: '4')
* ban\_fetchparm => special config options for the download utility (default: not set) * ban\_fetchparm => special config options for the download utility (default: not set)
* ban\_autoblacklist => store auto-addons temporary in ipset and permanently in local blacklist as well (bool/default: '1', enabled)
* ban\_autowhitelist => store auto-addons temporary in ipset and permanently in local whitelist as well (bool/default: '1', enabled)
## Examples ## Examples
**receive banIP runtime information:** **receive banIP runtime information:**
@ -70,14 +69,15 @@ IP address blocking is commonly used to protect against brute force attacks, pre
/etc/init.d/banip status /etc/init.d/banip status
::: banIP runtime information ::: banIP runtime information
+ status : enabled + status : enabled
+ version : 0.1.0 + version : 0.2.0
+ fetch_info : /bin/uclient-fetch (libustream-ssl) + fetch_info : /bin/uclient-fetch (libustream-ssl)
+ ipset_info : 1 IPSets with overall 516 IPs/Prefixes (backup mode) + ipset_info : 11 IPSets with overall 118359 IPs/Prefixes
+ last_run : 05.01.2019 14:48:18 + backup_dir : /tmp
+ system : TP-LINK RE450, OpenWrt SNAPSHOT r8910+72-25d8aa7d02 + last_run : 09.09.2019 16:49:40
+ system : UBNT-ERX, OpenWrt SNAPSHOT r10962-c19b9f9a26
</code></pre> </code></pre>
**cronjob for a regular block list update (/etc/crontabs/root):** **cronjob for a regular IPSet blocklist update (/etc/crontabs/root):**
<pre><code> <pre><code>
0 06 * * * /etc/init.d/banip reload 0 06 * * * /etc/init.d/banip reload

17
net/banip/files/banip.conf
View file

@ -1,5 +1,3 @@
# banIP configuration, for further information
# see 'https://github.com/openwrt/packages/blob/master/net/banip/files/README.md'
config banip 'global' config banip 'global'
option ban_enabled '0' option ban_enabled '0'
@ -9,7 +7,6 @@ config banip 'global'
config banip 'extra' config banip 'extra'
option ban_debug '0' option ban_debug '0'
option ban_backup '0'
option ban_maxqueue '4' option ban_maxqueue '4'
config source 'whitelist' config source 'whitelist'
@ -85,21 +82,13 @@ config source 'myip'
option ban_src_on_6 '0' option ban_src_on_6 '0'
config source 'yoyo' config source 'yoyo'
option ban_src 'http://pgl.yoyo.org/adservers/iplist.php?ipformat=plain&showintro=0&mimetype=plaintext' option ban_src 'https://pgl.yoyo.org/adservers/iplist.php?ipformat=plain&showintro=0&mimetype=plaintext'
option ban_src_desc 'IP blocklist provided by Peter Lowe (IPv4)' option ban_src_desc 'IP blocklist provided by Peter Lowe (IPv4)'
option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3})([[:space:]]|$)/{print \"add yoyo \"\$1}' option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3})([[:space:]]|$)/{print \"add yoyo \"\$1}'
option ban_src_settype 'ip' option ban_src_settype 'ip'
option ban_src_ruletype 'src' option ban_src_ruletype 'src'
option ban_src_on '0' option ban_src_on '0'
config source 'zeus'
option ban_src 'https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist'
option ban_src_desc 'Zeus Tracker by abuse.ch (IPv4)'
option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3})([[:space:]]|$)/{print \"add zeus \"\$1}'
option ban_src_settype 'ip'
option ban_src_ruletype 'src'
option ban_src_on '0'
config source 'sslbl' config source 'sslbl'
option ban_src 'https://sslbl.abuse.ch/blacklist/sslipblacklist.csv' option ban_src 'https://sslbl.abuse.ch/blacklist/sslipblacklist.csv'
option ban_src_desc 'SSL Blacklist by abuse.ch (IPv4)' option ban_src_desc 'SSL Blacklist by abuse.ch (IPv4)'
@ -125,7 +114,7 @@ config source 'feodo'
option ban_src_on '0' option ban_src_on '0'
config source 'dshield' config source 'dshield'
option ban_src 'http://feeds.dshield.org/block.txt' option ban_src 'https://feeds.dshield.org/block.txt'
option ban_src_desc 'Dshield recommended IP blocklist. Contains top 20 attacking class C subnets (IPv4)' option ban_src_desc 'Dshield recommended IP blocklist. Contains top 20 attacking class C subnets (IPv4)'
option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3})([[:space:]]|$)/{print \"add dshield \"\$1 \"/\"\$3}' option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3})([[:space:]]|$)/{print \"add dshield \"\$1 \"/\"\$3}'
option ban_src_settype 'net' option ban_src_settype 'net'
@ -141,7 +130,7 @@ config source 'proxy'
option ban_src_on '0' option ban_src_on '0'
config source 'iblocklist' config source 'iblocklist'
option ban_src 'http://list.iblocklist.com/?list=dgxtneitpuvgqqcpfulq&fileformat=cidr&archiveformat=gz' option ban_src 'https://list.iblocklist.com/?list=dgxtneitpuvgqqcpfulq&fileformat=cidr&archiveformat=gz'
option ban_src_desc 'Contains advertising trackers and a short list of bad/intrusive porn sites (IPv4)' option ban_src_desc 'Contains advertising trackers and a short list of bad/intrusive porn sites (IPv4)'
option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add iblocklist \"\$1}' option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add iblocklist \"\$1}'
option ban_src_settype 'net' option ban_src_settype 'net'

7
net/banip/files/banip.hotplug
View file

@ -1,12 +1,11 @@
#!/bin/sh #!/bin/sh
# #
ban_pidfile="/var/run/banip.pid" ban_pidfile="/var/run/banip.pid"
ban_enabled="$(/etc/init.d/banip enabled; printf "%u" ${?})" ban_enabled="$(/etc/init.d/banip enabled; printf "%u" "${?}")"
if [ "${ban_enabled}" = "1" ] || [ ! -f "${ban_pidfile}" ] || [ -s "${ban_pidfile}" ] || [ "${ACTION}" != "add" ] if [ "${ban_enabled}" = "1" ] || [ ! -f "${ban_pidfile}" ] || [ -s "${ban_pidfile}" ] || [ "${ACTION}" != "add" ]
then then
exit 0 exit 0
else
/etc/init.d/banip refresh
fi fi
/etc/init.d/banip refresh

38
net/banip/files/banip.init
View file

@ -20,17 +20,17 @@ boot()
start_service() start_service()
{ {
if [ $("${ban_init}" enabled; printf "%u" ${?}) -eq 0 ] if [ "$("${ban_init}" enabled; printf "%u" ${?})" -eq 0 ]
then then
if [ "${ban_boot}" = "1" ] if [ "${ban_boot}" = "1" ]
then then
return 0 return 0
fi fi
local nice="$(uci_get banip extra ban_nice)" local nice="$(uci_get banip extra ban_nice "0")"
procd_open_instance "banip" procd_open_instance "banip"
procd_set_param command "${ban_script}" "${@}" procd_set_param command "${ban_script}" "${@}"
procd_set_param pidfile "${ban_pidfile}" procd_set_param pidfile "${ban_pidfile}"
procd_set_param nice ${nice:-0} procd_set_param nice "${nice}"
procd_set_param stdout 1 procd_set_param stdout 1
procd_set_param stderr 1 procd_set_param stderr 1
procd_close_instance procd_close_instance
@ -39,6 +39,7 @@ start_service()
refresh() refresh()
{ {
[ -s "${ban_pidfile}" ] && return 1
rc_procd start_service refresh rc_procd start_service refresh
} }
@ -50,39 +51,44 @@ reload_service()
stop_service() stop_service()
{ {
rc_procd "${ban_script}" stop rc_procd "${ban_script}" stop
rc_procd start_service
} }
status() status()
{ {
local key keylist value rtfile="$(uci_get banip global ban_rtfile)" local key keylist value
local rtfile="$(uci_get banip global ban_rtfile "/tmp/ban_runtime.json")"
rtfile="${rtfile:-"/tmp/ban_runtime.json"}"
json_load_file "${rtfile}" >/dev/null 2>&1 json_load_file "${rtfile}" >/dev/null 2>&1
json_select data >/dev/null 2>&1 json_select data >/dev/null 2>&1
if [ ${?} -eq 0 ] if [ "${?}" -eq 0 ]
then then
printf "%s\n" "::: banIP runtime information" printf "%s\\n" "::: banIP runtime information"
json_get_keys keylist json_get_keys keylist
for key in ${keylist} for key in ${keylist}
do do
json_get_var value "${key}" json_get_var value "${key}"
printf " + %-10s : %s\n" "${key}" "${value}" printf " + %-10s : %s\\n" "${key}" "${value}"
done done
else else
printf "%s\n" "::: no banIP runtime information available" printf "%s\\n" "::: no banIP runtime information available"
fi fi
} }
service_triggers() service_triggers()
{ {
local ban_iface="$(uci_get banip global ban_iface)" local ban_iface="$(uci_get banip global ban_iface)"
local delay="$(uci_get banip extra ban_triggerdelay)" local delay="$(uci_get banip extra ban_triggerdelay "2")"
local type="$(uci_get banip extra ban_starttype "start")"
PROCD_RELOAD_DELAY=$((${delay:-2} * 1000)) PROCD_RELOAD_DELAY=$((${delay}*1000))
for iface in ${ban_iface:-"wan"} if [ -n "${ban_iface}" ]
do then
procd_add_interface_trigger "interface.*.up" "${iface}" "${ban_init}" start for iface in ${ban_iface}
done do
procd_add_interface_trigger "interface.*.up" "${iface}" "${ban_init}" "${type}"
done
else
procd_add_raw_trigger "interface.*.up" ${PROCD_RELOAD_DELAY} "${ban_init}" "${type}"
fi
procd_add_reload_trigger "banip" procd_add_reload_trigger "banip"
} }

342
net/banip/files/banip.sh
View file

@ -6,21 +6,23 @@
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
# (s)hellcheck exceptions
# shellcheck disable=1091 disable=2039 disable=2143 disable=2181 disable=2188
# set initial defaults # set initial defaults
# #
LC_ALL=C LC_ALL=C
PATH="/usr/sbin:/usr/bin:/sbin:/bin" PATH="/usr/sbin:/usr/bin:/sbin:/bin"
ban_ver="0.1.4" ban_ver="0.2.1"
ban_sysver="unknown"
ban_enabled=0 ban_enabled=0
ban_automatic="1" ban_automatic="1"
ban_sources="" ban_sources=""
ban_iface="" ban_iface=""
ban_debug=0 ban_debug=0
ban_backup=0
ban_backupboot=0
ban_backupdir="/mnt" ban_backupdir="/mnt"
ban_maxqueue=4 ban_maxqueue=4
ban_autoblacklist=1
ban_autowhitelist=1
ban_fetchutil="uclient-fetch" ban_fetchutil="uclient-fetch"
ban_ip="$(command -v ip)" ban_ip="$(command -v ip)"
ban_ipt="$(command -v iptables)" ban_ipt="$(command -v iptables)"
@ -34,25 +36,18 @@ ban_chain="banIP"
ban_action="${1:-"start"}" ban_action="${1:-"start"}"
ban_pidfile="/var/run/banip.pid" ban_pidfile="/var/run/banip.pid"
ban_rtfile="/tmp/ban_runtime.json" ban_rtfile="/tmp/ban_runtime.json"
ban_sshdaemon="dropbear"
ban_setcnt=0 ban_setcnt=0
ban_cnt=0 ban_cnt=0
ban_rc=0
# load environment # load environment
# #
f_envload() f_envload()
{ {
local sys_call sys_desc sys_model
# get system information # get system information
# #
sys_call="$(ubus -S call system board 2>/dev/null)" ban_sysver="$(ubus -S call system board 2>/dev/null | jsonfilter -e '@.model' -e '@.release.description' | \
if [ -n "${sys_call}" ] awk 'BEGIN{ORS=", "}{print $0}' | awk '{print substr($0,1,length($0)-2)}')"
then
sys_desc="$(printf '%s' "${sys_call}" | jsonfilter -e '@.release.description')"
sys_model="$(printf '%s' "${sys_call}" | jsonfilter -e '@.model')"
ban_sysver="${sys_model}, ${sys_desc}"
fi
# parse 'global' and 'extra' section by callback # parse 'global' and 'extra' section by callback
# #
@ -122,33 +117,32 @@ f_envcheck()
{ {
local ssl_lib tmp local ssl_lib tmp
# check backup directory
#
if [ ! -d "${ban_backupdir}" ]
then
f_log "err" "the backup directory '${ban_backupdir}' does not exist/is not mounted yet, please create the directory or raise the 'ban_triggerdelay' to defer the banIP start"
fi
# check fetch utility # check fetch utility
# #
case "${ban_fetchutil}" in case "${ban_fetchutil}" in
uclient-fetch) "uclient-fetch")
if [ -f "/lib/libustream-ssl.so" ] if [ -f "/lib/libustream-ssl.so" ]
then then
ban_fetchparm="${ban_fetchparm:-"--timeout=20 --no-check-certificate -O"}" ban_fetchparm="${ban_fetchparm:-"--timeout=20 --no-check-certificate -O"}"
ssl_lib="libustream-ssl" ssl_lib="libustream-ssl"
else
ban_fetchparm="${ban_fetchparm:-"--timeout=20 -O"}"
fi fi
;; ;;
wget) "wget")
ban_fetchparm="${ban_fetchparm:-"--no-cache --no-cookies --max-redirect=0 --timeout=20 --no-check-certificate -O"}" ban_fetchparm="${ban_fetchparm:-"--no-cache --no-cookies --max-redirect=0 --timeout=20 --no-check-certificate -O"}"
ssl_lib="built-in" ssl_lib="built-in"
;; ;;
wget-nossl) "curl")
ban_fetchparm="${ban_fetchparm:-"--no-cache --no-cookies --max-redirect=0 --timeout=20 -O"}"
;;
busybox)
ban_fetchparm="${ban_fetchparm:-"-O"}"
;;
curl)
ban_fetchparm="${ban_fetchparm:-"--connect-timeout 20 --insecure -o"}" ban_fetchparm="${ban_fetchparm:-"--connect-timeout 20 --insecure -o"}"
ssl_lib="built-in" ssl_lib="built-in"
;; ;;
aria2c) "aria2c")
ban_fetchparm="${ban_fetchparm:-"--timeout=20 --allow-overwrite=true --auto-file-renaming=false --check-certificate=false -o"}" ban_fetchparm="${ban_fetchparm:-"--timeout=20 --allow-overwrite=true --auto-file-renaming=false --check-certificate=false -o"}"
ssl_lib="built-in" ssl_lib="built-in"
;; ;;
@ -158,7 +152,7 @@ f_envcheck()
if [ ! -x "${ban_fetchutil}" ] || [ -z "${ban_fetchutil}" ] || [ -z "${ban_fetchparm}" ] if [ ! -x "${ban_fetchutil}" ] || [ -z "${ban_fetchutil}" ] || [ -z "${ban_fetchparm}" ]
then then
f_log "err" "download utility not found, please install 'uclient-fetch' with 'libustream-mbedtls' or the full 'wget' package" f_log "err" "download utility not found, please install 'uclient-fetch' with the 'libustream-mbedtls' ssl library or the full 'wget' package"
fi fi
# get wan device and wan subnets # get wan device and wan subnets
@ -213,16 +207,19 @@ f_envcheck()
# #
f_temp() f_temp()
{ {
if [ -z "${ban_tmpdir}" ] if [ -d "/tmp" ] && [ -z "${ban_tmpdir}" ]
then then
ban_tmpdir="$(mktemp -p /tmp -d)" ban_tmpdir="$(mktemp -p /tmp -d)"
ban_tmpload="$(mktemp -p "${ban_tmpdir}" -tu)" ban_tmpload="$(mktemp -p "${ban_tmpdir}" -tu)"
ban_tmpfile="$(mktemp -p "${ban_tmpdir}" -tu)" ban_tmpfile="$(mktemp -p "${ban_tmpdir}" -tu)"
elif [ ! -d "/tmp" ]
then
f_log "err" "the temp directory '/tmp' does not exist/is not mounted yet, please create the directory or raise the 'ban_triggerdelay' to defer the banIP start"
fi fi
if [ ! -s "${ban_pidfile}" ] if [ ! -s "${ban_pidfile}" ]
then then
printf '%s' "${$}" > "${ban_pidfile}" printf "%s" "${$}" > "${ban_pidfile}"
fi fi
} }
@ -257,7 +254,7 @@ f_iptrule()
then then
if [ -x "${ban_ipt6}" ] if [ -x "${ban_ipt6}" ]
then then
rc="$("${ban_ipt6}" "${timeout}" -C ${rule} 2>/dev/null; printf '%u' ${?})" rc="$("${ban_ipt6}" "${timeout}" -C ${rule} 2>/dev/null; printf "%u" ${?})"
if { [ "${rc}" -ne 0 ] && { [ "${action}" = "-A" ] || [ "${action}" = "-I" ]; } } || \ if { [ "${rc}" -ne 0 ] && { [ "${action}" = "-A" ] || [ "${action}" = "-I" ]; } } || \
{ [ "${rc}" -eq 0 ] && [ "${action}" = "-D" ]; } { [ "${rc}" -eq 0 ] && [ "${action}" = "-D" ]; }
@ -268,7 +265,7 @@ f_iptrule()
else else
if [ -x "${ban_ipt}" ] if [ -x "${ban_ipt}" ]
then then
rc="$("${ban_ipt}" "${timeout}" -C ${rule} 2>/dev/null; printf '%u' ${?})" rc="$("${ban_ipt}" "${timeout}" -C ${rule} 2>/dev/null; printf "%u" ${?})"
if { [ "${rc}" -ne 0 ] && { [ "${action}" = "-A" ] || [ "${action}" = "-I" ]; } } || \ if { [ "${rc}" -ne 0 ] && { [ "${action}" = "-A" ] || [ "${action}" = "-I" ]; } } || \
{ [ "${rc}" -eq 0 ] && [ "${action}" = "-D" ]; } { [ "${rc}" -eq 0 ] && [ "${action}" = "-D" ]; }
@ -337,7 +334,7 @@ f_iptadd()
# #
f_ipset() f_ipset()
{ {
local rc cnt cnt_ip cnt_cidr size source action ruleset ruleset_6 rule timeout="-w 5" mode="${1}" local out_rc source action ruleset ruleset_6 rule cnt=0 cnt_ip=0 cnt_cidr=0 timeout="-w 5" mode="${1}" in_rc="${src_rc:-0}"
if [ "${src_name%_6*}" = "whitelist" ] if [ "${src_name%_6*}" = "whitelist" ]
then then
@ -347,32 +344,33 @@ f_ipset()
fi fi
case "${mode}" in case "${mode}" in
backup) "backup")
ban_rc=4 gzip -cf "${tmp_load}" 2>/dev/null > "${ban_backupdir}/banIP.${src_name}.gz"
if [ -d "${ban_backupdir}" ] out_rc="${?:-"${in_rc}"}"
then f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, out_rc: ${out_rc}"
gzip -cf "${tmp_load}" 2>/dev/null > "${ban_backupdir}/banIP.${src_name}.gz" return "${out_rc}"
ban_rc=${?}
fi
f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, rc: ${ban_rc}"
;; ;;
restore) "restore")
ban_rc=4 if [ -f "${ban_backupdir}/banIP.${src_name}.gz" ]
if [ -d "${ban_backupdir}" ] && [ -f "${ban_backupdir}/banIP.${src_name}.gz" ]
then then
gunzip -cf "${ban_backupdir}/banIP.${src_name}.gz" 2>/dev/null > "${tmp_load}" zcat "${ban_backupdir}/banIP.${src_name}.gz" 2>/dev/null > "${tmp_load}"
ban_rc=${?} out_rc="${?}"
fi fi
f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, rc: ${ban_rc}" out_rc="${out_rc:-"${in_rc}"}"
f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, out_rc: ${out_rc}"
return "${out_rc}"
;; ;;
remove) "remove")
if [ -d "${ban_backupdir}" ] && [ -f "${ban_backupdir}/banIP.${src_name}.gz" ] if [ -f "${ban_backupdir}/banIP.${src_name}.gz" ]
then then
rm -f "${ban_backupdir}/banIP.${src_name}.gz" rm -f "${ban_backupdir}/banIP.${src_name}.gz"
out_rc="${?}"
fi fi
f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}" out_rc="${out_rc:-"${in_rc}"}"
f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, out_rc: ${out_rc}"
return "${out_rc}"
;; ;;
initial) "initial")
if [ -x "${ban_ipt}" ] && [ -z "$("${ban_ipt}" "${timeout}" -nL "${ban_chain}" 2>/dev/null)" ] if [ -x "${ban_ipt}" ] && [ -z "$("${ban_ipt}" "${timeout}" -nL "${ban_chain}" 2>/dev/null)" ]
then then
"${ban_ipt}" "${timeout}" -N "${ban_chain}" "${ban_ipt}" "${timeout}" -N "${ban_chain}"
@ -385,7 +383,6 @@ f_ipset()
f_iptrule "-D" "${rule} -j ${ban_chain}" f_iptrule "-D" "${rule} -j ${ban_chain}"
done done
fi fi
if [ -x "${ban_ipt6}" ] && [ -z "$("${ban_ipt6}" "${timeout}" -nL "${ban_chain}" 2>/dev/null)" ] if [ -x "${ban_ipt6}" ] && [ -z "$("${ban_ipt6}" "${timeout}" -nL "${ban_chain}" 2>/dev/null)" ]
then then
"${ban_ipt6}" "${timeout}" -N "${ban_chain}" "${ban_ipt6}" "${timeout}" -N "${ban_chain}"
@ -400,48 +397,53 @@ f_ipset()
fi fi
f_log "debug" "f_ipset ::: name: -, mode: ${mode:-"-"}, chain: ${ban_chain:-"-"}, ruleset: ${ruleset:-"-"}, ruleset_6: ${ruleset_6:-"-"}" f_log "debug" "f_ipset ::: name: -, mode: ${mode:-"-"}, chain: ${ban_chain:-"-"}, ruleset: ${ruleset:-"-"}, ruleset_6: ${ruleset_6:-"-"}"
;; ;;
create) "create")
cnt="$(wc -l 2>/dev/null < "${tmp_file}")" if [ -x "${ban_ipset}" ]
cnt_cidr="$(grep -cF "/" "${tmp_file}")"
cnt_ip="$((cnt-cnt_cidr))"
size="$((cnt/4))"
if [ "${cnt}" -gt 0 ]
then then
if [ -x "${ban_ipset}" ] && [ -z "$("${ban_ipset}" -q -n list "${src_name}")" ] if [ -s "${tmp_file}" ] && [ -z "$("${ban_ipset}" -q -n list "${src_name}")" ]
then then
"${ban_ipset}" -q create "${src_name}" hash:"${src_settype}" hashsize "${size}" maxelem 262144 family "${src_setipv}" counters "${ban_ipset}" -q create "${src_name}" hash:"${src_settype}" hashsize 64 maxelem 262144 family "${src_setipv}" counters
else else
"${ban_ipset}" -q flush "${src_name}" "${ban_ipset}" -q flush "${src_name}"
fi fi
"${ban_ipset}" -! restore < "${tmp_file}"
printf "%s\n" "1" > "${tmp_set}"
printf "%s\n" "${cnt}" > "${tmp_cnt}"
fi
f_iptadd
end_ts="$(date +%s)"
f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, settype: ${src_settype:-"-"}, setipv: ${src_setipv:-"-"}, ruletype: ${src_ruletype:-"-"}, count(sum/ip/cidr): ${cnt:-0}/${cnt_ip:-0}/${cnt_cidr:-0}, time: $((end_ts-start_ts))"
;;
refresh)
ban_rc=4
if [ -x "${ban_ipset}" ] && [ -n "$("${ban_ipset}" -q -n list "${src_name}")" ]
then
"${ban_ipset}" -q save "${src_name}" > "${tmp_file}"
if [ -s "${tmp_file}" ] if [ -s "${tmp_file}" ]
then then
ban_rc=0 "${ban_ipset}" -! restore < "${tmp_file}"
out_rc="${?}"
"${ban_ipset}" -q save "${src_name}" > "${tmp_file}"
cnt="$(($(wc -l 2>/dev/null < "${tmp_file}")-1))" cnt="$(($(wc -l 2>/dev/null < "${tmp_file}")-1))"
cnt_cidr="$(grep -cF "/" "${tmp_file}")" cnt_cidr="$(grep -cF "/" "${tmp_file}")"
cnt_ip="$((cnt-cnt_cidr))" cnt_ip="$((cnt-cnt_cidr))"
printf "%s\n" "1" > "${tmp_set}" printf "%s\\n" "1" > "${tmp_set}"
printf "%s\n" "${cnt}" > "${tmp_cnt}" printf "%s\\n" "${cnt}" > "${tmp_cnt}"
fi fi
f_iptadd f_iptadd
fi fi
end_ts="$(date +%s)" end_ts="$(date +%s)"
f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, count: ${cnt:-0}/${cnt_ip:-0}/${cnt_cidr:-0}, time: $((end_ts-start_ts)), rc: ${ban_rc}" out_rc="${out_rc:-"${in_rc}"}"
f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, settype: ${src_settype:-"-"}, setipv: ${src_setipv:-"-"}, ruletype: ${src_ruletype:-"-"}, count(sum/ip/cidr): ${cnt}/${cnt_ip}/${cnt_cidr}, time: $((end_ts-start_ts)), out_rc: ${out_rc}"
;; ;;
flush) "refresh")
if [ -x "${ban_ipset}" ] && [ -n "$("${ban_ipset}" -q -n list "${src_name}")" ]
then
"${ban_ipset}" -q save "${src_name}" > "${tmp_file}"
out_rc="${?}"
if [ -s "${tmp_file}" ]
then
cnt="$(($(wc -l 2>/dev/null < "${tmp_file}")-1))"
cnt_cidr="$(grep -cF "/" "${tmp_file}")"
cnt_ip="$((cnt-cnt_cidr))"
printf "%s\\n" "1" > "${tmp_set}"
printf "%s\\n" "${cnt}" > "${tmp_cnt}"
fi
f_iptadd
fi
end_ts="$(date +%s)"
out_rc="${out_rc:-"${in_rc}"}"
f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, count: ${cnt}/${cnt_ip}/${cnt_cidr}, time: $((end_ts-start_ts)), out_rc: ${out_rc}"
return "${out_rc}"
;;
"flush")
f_iptadd "remove" f_iptadd "remove"
if [ -x "${ban_ipset}" ] && [ -n "$("${ban_ipset}" -q -n list "${src_name}")" ] if [ -x "${ban_ipset}" ] && [ -n "$("${ban_ipset}" -q -n list "${src_name}")" ]
@ -451,7 +453,7 @@ f_ipset()
fi fi
f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}" f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}"
;; ;;
destroy) "destroy")
if [ -x "${ban_ipt}" ] && [ -x "${ban_ipt_save}" ] && [ -x "${ban_ipt_restore}" ] && \ if [ -x "${ban_ipt}" ] && [ -x "${ban_ipt_save}" ] && [ -x "${ban_ipt_restore}" ] && \
[ -n "$("${ban_ipt}" "${timeout}" -nL "${ban_chain}" 2>/dev/null)" ] [ -n "$("${ban_ipt}" "${timeout}" -nL "${ban_chain}" 2>/dev/null)" ]
then then
@ -459,7 +461,6 @@ f_ipset()
"${ban_ipt}" "${timeout}" -F "${ban_chain}" "${ban_ipt}" "${timeout}" -F "${ban_chain}"
"${ban_ipt}" "${timeout}" -X "${ban_chain}" "${ban_ipt}" "${timeout}" -X "${ban_chain}"
fi fi
if [ -x "${ban_ipt6}" ] && [ -x "${ban_ipt6_save}" ] && [ -x "${ban_ipt6_restore}" ] && \ if [ -x "${ban_ipt6}" ] && [ -x "${ban_ipt6_save}" ] && [ -x "${ban_ipt6_restore}" ] && \
[ -n "$("${ban_ipt6}" "${timeout}" -nL "${ban_chain}" 2>/dev/null)" ] [ -n "$("${ban_ipt6}" "${timeout}" -nL "${ban_chain}" 2>/dev/null)" ]
then then
@ -467,7 +468,6 @@ f_ipset()
"${ban_ipt6}" "${timeout}" -F "${ban_chain}" "${ban_ipt6}" "${timeout}" -F "${ban_chain}"
"${ban_ipt6}" "${timeout}" -X "${ban_chain}" "${ban_ipt6}" "${timeout}" -X "${ban_chain}"
fi fi
for source in ${ban_sources} for source in ${ban_sources}
do do
if [ -x "${ban_ipset}" ] && [ -n "$("${ban_ipset}" -q -n list "${source}")" ] if [ -x "${ban_ipset}" ] && [ -n "$("${ban_ipset}" -q -n list "${source}")" ]
@ -506,13 +506,13 @@ f_log()
f_main() f_main()
{ {
local pid pid_list start_ts end_ts ip tmp_raw tmp_cnt tmp_load tmp_file mem_total mem_free cnt=1 local pid pid_list start_ts end_ts ip tmp_raw tmp_cnt tmp_load tmp_file mem_total mem_free cnt=1
local src_name src_on src_url src_rset src_setipv src_settype src_ruletype src_cat src_log src_addon local src_name src_on src_url src_rset src_setipv src_settype src_ruletype src_cat src_log src_addon src_rc
local wan_input wan_forward lan_input lan_forward target_src target_dst log_content local wan_input wan_forward lan_input lan_forward target_src target_dst log_content
log_content="$(logread -e "dropbear")" log_content="$(logread -e "${ban_sshdaemon}")"
mem_total="$(awk '/^MemTotal/ {print int($2/1000)}' "/proc/meminfo" 2>/dev/null)" mem_total="$(awk '/^MemTotal/ {print int($2/1000)}' "/proc/meminfo" 2>/dev/null)"
mem_free="$(awk '/^MemFree/ {print int($2/1000)}' "/proc/meminfo" 2>/dev/null)" mem_free="$(awk '/^MemFree/ {print int($2/1000)}' "/proc/meminfo" 2>/dev/null)"
f_log "debug" "f_main ::: fetch_util: ${ban_fetchinfo:-"-"}, fetch_parm: ${ban_fetchparm:-"-"}, interface(s): ${ban_iface:-"-"}, device(s): ${ban_dev:-"-"}, all_devices: ${ban_dev_all:-"-"}, backup: ${ban_backup:-"-"}, backup_boot: ${ban_backupboot:-"-"}, backup_dir: ${ban_backupdir:-"-"}, mem_total: ${mem_total:-0}, mem_free: ${mem_free:-0}, max_queue: ${ban_maxqueue}" f_log "debug" "f_main ::: fetch_util: ${ban_fetchinfo:-"-"}, fetch_parm: ${ban_fetchparm:-"-"}, ssh_daemon: ${ban_sshdaemon}, interface(s): ${ban_iface:-"-"}, device(s): ${ban_dev:-"-"}, all_devices: ${ban_dev_all:-"-"}, backup_dir: ${ban_backupdir:-"-"}, mem_total: ${mem_total:-0}, mem_free: ${mem_free:-0}, max_queue: ${ban_maxqueue}"
f_ipset initial f_ipset initial
@ -525,9 +525,9 @@ f_main()
then then
if [ -x "${ban_ipt6}" ] if [ -x "${ban_ipt6}" ]
then then
src_on="$(eval printf '%s' \"\${ban_src_on_6_${src_name%_6*}\}\")" src_on="$(eval printf "%s" \"\$\{ban_src_on_6_${src_name%_6*}\}\")"
src_url="$(eval printf '%s' \"\${ban_src_6_${src_name%_6*}\}\")" src_url="$(eval printf "%s" \"\$\{ban_src_6_${src_name%_6*}\}\")"
src_rset="$(eval printf '%s' \"\${ban_src_rset_6_${src_name%_6*}\}\")" src_rset="$(eval printf "%s" \"\$\{ban_src_rset_6_${src_name%_6*}\}\")"
src_setipv="inet6" src_setipv="inet6"
wan_input="${ban_wan_input_chain_6:-"input_wan_rule"}" wan_input="${ban_wan_input_chain_6:-"input_wan_rule"}"
wan_forward="${ban_wan_forward_chain_6:-"forwarding_wan_rule"}" wan_forward="${ban_wan_forward_chain_6:-"forwarding_wan_rule"}"
@ -539,9 +539,9 @@ f_main()
else else
if [ -x "${ban_ipt}" ] if [ -x "${ban_ipt}" ]
then then
src_on="$(eval printf '%s' \"\${ban_src_on_${src_name}\}\")" src_on="$(eval printf "%s" \"\$\{ban_src_on_${src_name}\}\")"
src_url="$(eval printf '%s' \"\${ban_src_${src_name}\}\")" src_url="$(eval printf "%s" \"\$\{ban_src_${src_name}\}\")"
src_rset="$(eval printf '%s' \"\${ban_src_rset_${src_name}\}\")" src_rset="$(eval printf "%s" \"\$\{ban_src_rset_${src_name}\}\")"
src_setipv="inet" src_setipv="inet"
wan_input="${ban_wan_input_chain:-"input_wan_rule"}" wan_input="${ban_wan_input_chain:-"input_wan_rule"}"
wan_forward="${ban_wan_forward_chain:-"forwarding_wan_rule"}" wan_forward="${ban_wan_forward_chain:-"forwarding_wan_rule"}"
@ -551,10 +551,11 @@ f_main()
target_dst="${ban_target_dst:-"REJECT"}" target_dst="${ban_target_dst:-"REJECT"}"
fi fi
fi fi
src_settype="$(eval printf '%s' \"\${ban_src_settype_${src_name%_6*}\}\")" src_settype="$(eval printf "%s" \"\$\{ban_src_settype_${src_name%_6*}\}\")"
src_ruletype="$(eval printf '%s' \"\${ban_src_ruletype_${src_name%_6*}\}\")" src_ruletype="$(eval printf "%s" \"\$\{ban_src_ruletype_${src_name%_6*}\}\")"
src_cat="$(eval printf '%s' \"\${ban_src_cat_${src_name%_6*}\}\")" src_cat="$(eval printf "%s" \"\$\{ban_src_cat_${src_name%_6*}\}\")"
src_addon="" src_addon=""
src_rc=4
tmp_load="${ban_tmpload}.${src_name}" tmp_load="${ban_tmpload}.${src_name}"
tmp_file="${ban_tmpfile}.${src_name}" tmp_file="${ban_tmpfile}.${src_name}"
tmp_raw="${tmp_load}.raw" tmp_raw="${tmp_load}.raw"
@ -571,11 +572,11 @@ f_main()
f_ipset flush f_ipset flush
f_ipset remove f_ipset remove
continue continue
elif [ "${ban_action}" = "refresh" ] elif [ "${ban_action}" = "refresh" ] && [ ! -f "${src_url}" ]
then then
start_ts="$(date +%s)" start_ts="$(date +%s)"
f_ipset refresh f_ipset refresh
if [ ${ban_rc} -eq 0 ] if [ "${?}" -eq 0 ]
then then
continue continue
fi fi
@ -585,45 +586,61 @@ f_main()
# #
( (
start_ts="$(date +%s)" start_ts="$(date +%s)"
if [ ! -f "${src_url}" ] && [ ${ban_backup} -eq 1 ] && [ ${ban_backupboot} -eq 1 ] && [ "${ban_action}" = "start" ] if [ "${ban_action}" = "start" ] && [ ! -f "${src_url}" ]
then then
f_ipset restore f_ipset restore
fi fi
src_rc="${?}"
if [ ${ban_rc} -ne 0 ] || [ ! -s "${tmp_load}" ] if [ "${src_rc}" -ne 0 ] || [ ! -s "${tmp_load}" ]
then then
if [ -f "${src_url}" ] if [ -f "${src_url}" ]
then then
src_log="$(cat "${src_url}" 2>/dev/null > "${tmp_load}")" src_log="$(cat "${src_url}" 2>/dev/null > "${tmp_load}")"
ban_rc=${?} src_rc="${?}"
case "${src_name}" in case "${src_name}" in
whitelist) "whitelist")
src_addon="${ban_subnets}" src_addon="${ban_subnets}"
;; ;;
whitelist_6) "whitelist_6")
src_addon="${ban_subnets6}" src_addon="${ban_subnets6}"
;; ;;
blacklist) "blacklist")
pid_list="$(printf "%s\n" "${log_content}" | grep -F "Exit before auth" | awk 'match($0,/(\[[0-9]+\])/){ORS=" ";print substr($0,RSTART,RLENGTH)}')" if [ "${ban_sshdaemon}" = "dropbear" ]
for pid in ${pid_list} then
do pid_list="$(printf "%s\\n" "${log_content}" | grep -F "Exit before auth" | awk 'match($0,/(\[[0-9]+\])/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
src_addon="${src_addon} $(printf "%s\n" "${log_content}" | grep -F "${pid}" | awk 'match($0,/([0-9]{1,3}\.){3}[0-9]{1,3}/){ORS=" ";print substr($0,RSTART,RLENGTH)}')" for pid in ${pid_list}
done do
src_addon="${src_addon} $(printf "%s\\n" "${log_content}" | grep -F "${pid}" | awk 'match($0,/([0-9]{1,3}\.){3}[0-9]{1,3}/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
done
elif [ "${ban_sshdaemon}" = "sshd" ]
then
src_addon="$(printf "%s\\n" "${log_content}" | grep -E "[0-9]+ \[preauth\]$" | awk 'match($0,/([0-9]{1,3}\.){3}[0-9]{1,3}/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
fi
;; ;;
blacklist_6) "blacklist_6")
pid_list="$(printf "%s\n" "${log_content}" | grep -F "Exit before auth" | awk 'match($0,/(\[[0-9]+\])/){ORS=" ";print substr($0,RSTART,RLENGTH)}')" if [ "${ban_sshdaemon}" = "dropbear" ]
for pid in ${pid_list} then
do pid_list="$(printf "%s\\n" "${log_content}" | grep -F "Exit before auth" | awk 'match($0,/(\[[0-9]+\])/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
src_addon="${src_addon} $(printf "%s\n" "${log_content}" | grep -F "${pid}" | awk 'match($0,/([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}/){ORS=" ";print substr($0,RSTART,RLENGTH)}')" for pid in ${pid_list}
done do
src_addon="${src_addon} $(printf "%s\\n" "${log_content}" | grep -F "${pid}" | awk 'match($0,/([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
done
elif [ "${ban_sshdaemon}" = "sshd" ]
then
src_addon="$(printf "%s\\n" "${log_content}" | grep -E "[0-9]+ \[preauth\]$" | awk 'match($0,/([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
fi
;; ;;
esac esac
for ip in ${src_addon} for ip in ${src_addon}
do do
if [ -z "$(grep -F "${ip}" "${src_url}")" ] if [ -z "$(grep -F "${ip}" "${src_url}")" ]
then then
printf '%s\n' "${ip}" >> "${tmp_load}" printf "%s\\n" "${ip}" >> "${tmp_load}"
printf '%s\n' "${ip}" >> "${src_url}" if { [ "${src_name//_*/}" = "blacklist" ] && [ "${ban_autoblacklist}" -eq 1 ]; } || \
{ [ "${src_name//_*/}" = "whitelist" ] && [ "${ban_autowhitelist}" -eq 1 ]; }
then
printf "%s\\n" "${ip}" >> "${src_url}"
fi
fi fi
done done
elif [ -n "${src_cat}" ] elif [ -n "${src_cat}" ]
@ -633,18 +650,18 @@ f_main()
for as in ${src_cat} for as in ${src_cat}
do do
src_log="$("${ban_fetchutil}" ${ban_fetchparm} "${tmp_raw}" "${src_url}AS${as}" 2>&1)" src_log="$("${ban_fetchutil}" ${ban_fetchparm} "${tmp_raw}" "${src_url}AS${as}" 2>&1)"
ban_rc=${?} src_rc="${?}"
if [ ${ban_rc} -eq 0 ] if [ "${src_rc}" -eq 0 ]
then then
jsonfilter -i "${tmp_raw}" -e '@.data.prefixes.*.prefix' 2>/dev/null >> "${tmp_load}" jsonfilter -i "${tmp_raw}" -e '@.data.prefixes.*.prefix' 2>/dev/null >> "${tmp_load}"
else else
break break
fi fi
done done
if [ ${ban_rc} -eq 0 ] && [ ${ban_backup} -eq 1 ] if [ "${src_rc}" -eq 0 ]
then then
f_ipset backup f_ipset backup
elif [ ${ban_backup} -eq 1 ] elif [ "${ban_action}" != "start" ]
then then
f_ipset restore f_ipset restore
fi fi
@ -652,8 +669,8 @@ f_main()
for co in ${src_cat} for co in ${src_cat}
do do
src_log="$("${ban_fetchutil}" ${ban_fetchparm} "${tmp_raw}" "${src_url}${co}&v4_format=prefix" 2>&1)" src_log="$("${ban_fetchutil}" ${ban_fetchparm} "${tmp_raw}" "${src_url}${co}&v4_format=prefix" 2>&1)"
ban_rc=${?} src_rc="${?}"
if [ ${ban_rc} -eq 0 ] if [ "${src_rc}" -eq 0 ]
then then
if [ "${src_name##*_}" = "6" ] if [ "${src_name##*_}" = "6" ]
then then
@ -665,53 +682,62 @@ f_main()
break break
fi fi
done done
if [ ${ban_rc} -eq 0 ] && [ ${ban_backup} -eq 1 ] if [ "${src_rc}" -eq 0 ]
then then
f_ipset backup f_ipset backup
elif [ ${ban_backup} -eq 1 ] elif [ "${ban_action}" != "start" ]
then then
f_ipset restore f_ipset restore
fi fi
fi fi
else else
src_log="$("${ban_fetchutil}" ${ban_fetchparm} "${tmp_raw}" "${src_url}" 2>&1)" src_log="$("${ban_fetchutil}" ${ban_fetchparm} "${tmp_raw}" "${src_url}" 2>&1)"
ban_rc=${?} src_rc="${?}"
if [ ${ban_rc} -eq 0 ] if [ "${src_rc}" -eq 0 ]
then then
zcat "${tmp_raw}" 2>/dev/null > "${tmp_load}" zcat "${tmp_raw}" 2>/dev/null > "${tmp_load}"
ban_rc=${?} src_rc="${?}"
if [ ${ban_rc} -ne 0 ] if [ "${src_rc}" -ne 0 ]
then then
mv -f "${tmp_raw}" "${tmp_load}" mv -f "${tmp_raw}" "${tmp_load}"
ban_rc=${?} src_rc="${?}"
fi fi
if [ ${ban_rc} -eq 0 ] && [ ${ban_backup} -eq 1 ] if [ "${src_rc}" -eq 0 ]
then then
f_ipset backup f_ipset backup
src_rc="${?}"
fi fi
elif [ ${ban_backup} -eq 1 ] elif [ "${ban_action}" != "start" ]
then then
f_ipset restore f_ipset restore
src_rc="${?}"
fi fi
fi fi
fi fi
if [ ${ban_rc} -eq 0 ] if [ "${src_rc}" -eq 0 ]
then then
awk "${src_rset}" "${tmp_load}" 2>/dev/null > "${tmp_file}" awk "${src_rset}" "${tmp_load}" 2>/dev/null > "${tmp_file}"
ban_rc=${?} src_rc="${?}"
if [ ${ban_rc} -eq 0 ] if [ "${src_rc}" -eq 0 ]
then then
f_ipset create f_ipset create
else src_rc="${?}"
elif [ "${ban_action}" != "refresh" ]
then
f_ipset refresh f_ipset refresh
src_rc="${?}"
fi fi
else else
src_log="$(printf '%s' "${src_log}" | awk '{ORS=" ";print $0}')" src_log="$(printf "%s" "${src_log}" | awk '{ORS=" ";print $0}')"
f_log "debug" "f_main ::: name: ${src_name}, url: ${src_url}, rc: ${ban_rc}, log: ${src_log:-"-"}" if [ "${ban_action}" != "refresh" ]
f_ipset refresh then
f_ipset refresh
src_rc="${?}"
fi
f_log "debug" "f_main ::: name: ${src_name}, url: ${src_url}, rc: ${src_rc}, log: ${src_log:-"-"}"
fi fi
) & )&
hold="$((cnt%ban_maxqueue))" hold="$((cnt%ban_maxqueue))"
if [ "${hold}" -eq 0 ] if [ "${hold}" -eq 0 ]
then then
@ -719,40 +745,30 @@ f_main()
fi fi
cnt="$((cnt+1))" cnt="$((cnt+1))"
done done
wait wait
if [ "${ban_rc}" -eq 0 ]
then for cnt in $(cat "${ban_tmpfile}".*.setcnt 2>/dev/null)
for cnt in $(cat "${ban_tmpfile}".*.setcnt 2>/dev/null) do
do ban_setcnt="$((ban_setcnt+cnt))"
ban_setcnt="$((ban_setcnt+cnt))" done
done for cnt in $(cat "${ban_tmpfile}".*.cnt 2>/dev/null)
for cnt in $(cat "${ban_tmpfile}".*.cnt 2>/dev/null) do
do ban_cnt="$((ban_cnt+cnt))"
ban_cnt="$((ban_cnt+cnt))" done
done f_log "info" "${ban_setcnt} IPSets with overall ${ban_cnt} IPs/Prefixes loaded successfully (${ban_sysver})"
f_log "info" "${ban_setcnt} IPSets with overall ${ban_cnt} IPs/Prefixes loaded successfully (${ban_sysver})"
fi
f_jsnup f_jsnup
f_rmtemp f_rmtemp
exit ${ban_rc}
} }
# update runtime information # update runtime information
# #
f_jsnup() f_jsnup()
{ {
local rundate mode status="${1:-"enabled"}" local rundate status="${1:-"enabled"}"
rundate="$(/bin/date "+%d.%m.%Y %H:%M:%S")" rundate="$(/bin/date "+%d.%m.%Y %H:%M:%S")"
mode="normal mode"
ban_cntinfo="${ban_setcnt} IPSets with overall ${ban_cnt} IPs/Prefixes" ban_cntinfo="${ban_setcnt} IPSets with overall ${ban_cnt} IPs/Prefixes"
if [ "${ban_backupboot}" -eq 1 ]
then
mode="backup mode"
fi
> "${ban_rtfile}" > "${ban_rtfile}"
json_load_file "${ban_rtfile}" >/dev/null 2>&1 json_load_file "${ban_rtfile}" >/dev/null 2>&1
json_init json_init
@ -760,12 +776,12 @@ f_jsnup()
json_add_string "status" "${status}" json_add_string "status" "${status}"
json_add_string "version" "${ban_ver}" json_add_string "version" "${ban_ver}"
json_add_string "fetch_info" "${ban_fetchinfo:-"-"}" json_add_string "fetch_info" "${ban_fetchinfo:-"-"}"
json_add_string "ipset_info" "${ban_cntinfo:-"-"} (${mode})" json_add_string "ipset_info" "${ban_cntinfo:-"-"}"
json_add_string "backup_dir" "${ban_backupdir}"
json_add_string "last_run" "${rundate:-"-"}" json_add_string "last_run" "${rundate:-"-"}"
json_add_string "system" "${ban_sysver}" json_add_string "system" "${ban_sysver}"
json_close_object json_close_object
json_dump > "${ban_rtfile}" json_dump > "${ban_rtfile}"
f_log "debug" "f_jsnup ::: status: ${status}, setcnt: ${ban_setcnt}, cnt: ${ban_cnt}" f_log "debug" "f_jsnup ::: status: ${status}, setcnt: ${ban_setcnt}, cnt: ${ban_cnt}"
} }
@ -784,13 +800,13 @@ fi
# #
f_envload f_envload
case "${ban_action}" in case "${ban_action}" in
stop) "stop")
f_jsnup stopped f_jsnup stopped
f_ipset destroy f_ipset destroy
f_rmbackup f_rmbackup
f_rmtemp f_rmtemp
;; ;;
start|restart|reload|refresh) "start"|"restart"|"reload"|"refresh")
f_envcheck f_envcheck
f_main f_main
;; ;;