banip: release 0.8.7-1
* Optionally auto-add entire subnets to the blocklist Sets based on an additional RDAP request with the monitored suspicious IP, set 'ban_autoblocksubnet' accordingly (disabled by default). For more information regarding RDAP see https://www.ripe.net/manage-ips-and-asns/db/registration-data-access-protocol-rdap for reference. * small fixes & cosmetics * update readme Signed-off-by: Dirk Brenken <dev@brenken.org>
parent
c5737be112
commit
767d1ec663
3 changed files with 68 additions and 35 deletions
|
@ -5,8 +5,8 @@
|
||||||
include $(TOPDIR)/rules.mk
|
include $(TOPDIR)/rules.mk
|
||||||
|
|
||||||
PKG_NAME:=banip
|
PKG_NAME:=banip
|
||||||
PKG_VERSION:=0.8.6
|
PKG_VERSION:=0.8.7
|
||||||
PKG_RELEASE:=2
|
PKG_RELEASE:=1
|
||||||
PKG_LICENSE:=GPL-3.0-or-later
|
PKG_LICENSE:=GPL-3.0-or-later
|
||||||
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
|
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
|
||||||
|
|
||||||
|
|
|
@ -65,10 +65,11 @@ IP address blocking is commonly used to protect against brute force attacks, pre
|
||||||
* Auto-add the uplink subnet or uplink IP to the local allowlist
|
* Auto-add the uplink subnet or uplink IP to the local allowlist
|
||||||
* Provides a small background log monitor to ban unsuccessful login attempts in real-time
|
* Provides a small background log monitor to ban unsuccessful login attempts in real-time
|
||||||
* Auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist
|
* Auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist
|
||||||
|
* Auto-add entire subnets to the blocklist Sets based on an additional RDAP request with the monitored suspicious IP
|
||||||
* Fast feed processing as they are handled in parallel as background jobs
|
* Fast feed processing as they are handled in parallel as background jobs
|
||||||
* Per feed it can be defined whether the wan-input chain, the wan-forward chain or the lan-forward chain should be blocked (default: all chains)
|
* Per feed it can be defined whether the wan-input chain, the wan-forward chain or the lan-forward chain should be blocked (default: all chains)
|
||||||
* Automatic blocklist backup & restore, the backups will be used in case of download errors or during startup
|
* Automatic blocklist backup & restore, the backups will be used in case of download errors or during startup
|
||||||
* Automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or wget
|
* Automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or full wget
|
||||||
* Supports an 'allowlist only' mode, this option restricts internet access from/to a small number of secure websites/IPs
|
* Supports an 'allowlist only' mode, this option restricts internet access from/to a small number of secure websites/IPs
|
||||||
* Deduplicate IPs accross all Sets (single IPs only, no intervals)
|
* Deduplicate IPs accross all Sets (single IPs only, no intervals)
|
||||||
* Provides comprehensive runtime information
|
* Provides comprehensive runtime information
|
||||||
|
@ -78,7 +79,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
|
||||||
* Minimal status & error logging to syslog, enable debug logging to receive more output
|
* Minimal status & error logging to syslog, enable debug logging to receive more output
|
||||||
* Procd based init system support (start/stop/restart/reload/status/report/search/survey/lookup)
|
* Procd based init system support (start/stop/restart/reload/status/report/search/survey/lookup)
|
||||||
* Procd network interface trigger support
|
* Procd network interface trigger support
|
||||||
* Add new or edit existing banIP feeds on your own with the integrated custom feed editor
|
* Add new or edit existing banIP feeds on your own with the LuCI integrated custom feed editor
|
||||||
* Supports external allowlist URLs to reference additional IPv4/IPv6 feeds
|
* Supports external allowlist URLs to reference additional IPv4/IPv6 feeds
|
||||||
|
|
||||||
## Prerequisites
|
## Prerequisites
|
||||||
|
@ -97,7 +98,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
|
||||||
* Install the LuCI companion package 'luci-app-banip' (opkg install luci-app-banip)
|
* Install the LuCI companion package 'luci-app-banip' (opkg install luci-app-banip)
|
||||||
* It's strongly recommended to use the LuCI frontend to easily configure all aspects of banIP, the application is located in LuCI under the 'Services' menu
|
* It's strongly recommended to use the LuCI frontend to easily configure all aspects of banIP, the application is located in LuCI under the 'Services' menu
|
||||||
* If you're going to configure banIP via CLI, edit the config file '/etc/config/banip' and enable the service (set ban\_enabled to '1'), then add pre-configured feeds via 'ban\_feed' (see the feed list above) and add/change other options to your needs (see the options reference below)
|
* If you're going to configure banIP via CLI, edit the config file '/etc/config/banip' and enable the service (set ban\_enabled to '1'), then add pre-configured feeds via 'ban\_feed' (see the feed list above) and add/change other options to your needs (see the options reference below)
|
||||||
* Start the service with '/etc/init.d/banip start' and check check everything is working by running '/etc/init.d/banip status'
|
* Start the service with '/etc/init.d/banip start' and check everything is working by running '/etc/init.d/banip status'
|
||||||
|
|
||||||
## banIP CLI interface
|
## banIP CLI interface
|
||||||
* All important banIP functions are accessible via CLI.
|
* All important banIP functions are accessible via CLI.
|
||||||
|
@ -140,6 +141,7 @@ Available commands:
|
||||||
| ban_logforwardlan | option | 0 | log rejects in the lan-forward chain |
|
| ban_logforwardlan | option | 0 | log rejects in the lan-forward chain |
|
||||||
| ban_autoallowlist | option | 1 | add wan IPs/subnets and resolved domains automatically to the local allowlist (not only to the Sets) |
|
| ban_autoallowlist | option | 1 | add wan IPs/subnets and resolved domains automatically to the local allowlist (not only to the Sets) |
|
||||||
| ban_autoblocklist | option | 1 | add suspicious attacker IPs and resolved domains automatically to the local blocklist (not only to the Sets) |
|
| ban_autoblocklist | option | 1 | add suspicious attacker IPs and resolved domains automatically to the local blocklist (not only to the Sets) |
|
||||||
|
| ban_autoblocksubnet | option | 0 | add entire subnets to the blocklist Sets based on an additional RDAP request with the suspicious IP |
|
||||||
| ban_autoallowuplink | option | subnet | limit the uplink autoallow function to: 'subnet', 'ip' or 'disable' it at all |
|
| ban_autoallowuplink | option | subnet | limit the uplink autoallow function to: 'subnet', 'ip' or 'disable' it at all |
|
||||||
| ban_allowlistonly | option | 0 | restrict the internet access from/to a small number of secure websites/IPs |
|
| ban_allowlistonly | option | 0 | restrict the internet access from/to a small number of secure websites/IPs |
|
||||||
| ban_basedir | option | /tmp | base working directory while banIP processing |
|
| ban_basedir | option | /tmp | base working directory while banIP processing |
|
||||||
|
|
|
@ -20,8 +20,12 @@ ban_blocklist="/etc/banip/banip.blocklist"
|
||||||
ban_mailtemplate="/etc/banip/banip.tpl"
|
ban_mailtemplate="/etc/banip/banip.tpl"
|
||||||
ban_pidfile="/var/run/banip.pid"
|
ban_pidfile="/var/run/banip.pid"
|
||||||
ban_rtfile="/var/run/banip_runtime.json"
|
ban_rtfile="/var/run/banip_runtime.json"
|
||||||
|
ban_rdapfile="/var/run/banip_rdap.json"
|
||||||
|
ban_rdapurl="https://rdap.db.ripe.net/ip/"
|
||||||
ban_lock="/var/run/banip.lock"
|
ban_lock="/var/run/banip.lock"
|
||||||
ban_fetchcmd=""
|
ban_fetchcmd=""
|
||||||
|
ban_fetchparm=""
|
||||||
|
ban_rdapparm=""
|
||||||
ban_logreadcmd="$(command -v logread)"
|
ban_logreadcmd="$(command -v logread)"
|
||||||
ban_logcmd="$(command -v logger)"
|
ban_logcmd="$(command -v logger)"
|
||||||
ban_ubuscmd="$(command -v ubus)"
|
ban_ubuscmd="$(command -v ubus)"
|
||||||
|
@ -33,12 +37,13 @@ ban_sedcmd="$(command -v sed)"
|
||||||
ban_catcmd="$(command -v cat)"
|
ban_catcmd="$(command -v cat)"
|
||||||
ban_zcatcmd="$(command -v zcat)"
|
ban_zcatcmd="$(command -v zcat)"
|
||||||
ban_lookupcmd="$(command -v nslookup)"
|
ban_lookupcmd="$(command -v nslookup)"
|
||||||
|
ban_jsoncmd="$(command -v jsonfilter)"
|
||||||
ban_mailcmd="$(command -v msmtp)"
|
ban_mailcmd="$(command -v msmtp)"
|
||||||
ban_mailsender="no-reply@banIP"
|
ban_mailsender="no-reply@banIP"
|
||||||
ban_mailreceiver=""
|
ban_mailreceiver=""
|
||||||
ban_mailtopic="banIP notification"
|
ban_mailtopic="banIP notification"
|
||||||
ban_mailprofile="ban_notify"
|
ban_mailprofile="ban_notify"
|
||||||
ban_mailnotifcation="0"
|
ban_mailnotification="0"
|
||||||
ban_reportelements="1"
|
ban_reportelements="1"
|
||||||
ban_nftloglevel="warn"
|
ban_nftloglevel="warn"
|
||||||
ban_nftpriority="-200"
|
ban_nftpriority="-200"
|
||||||
|
@ -57,6 +62,7 @@ ban_allowlistonly="0"
|
||||||
ban_autoallowlist="1"
|
ban_autoallowlist="1"
|
||||||
ban_autoallowuplink="subnet"
|
ban_autoallowuplink="subnet"
|
||||||
ban_autoblocklist="1"
|
ban_autoblocklist="1"
|
||||||
|
ban_autoblocksubnet="0"
|
||||||
ban_deduplicate="1"
|
ban_deduplicate="1"
|
||||||
ban_splitsize="0"
|
ban_splitsize="0"
|
||||||
ban_autodetect="1"
|
ban_autodetect="1"
|
||||||
|
@ -93,8 +99,8 @@ f_system() {
|
||||||
fi
|
fi
|
||||||
ban_packages="$(${ban_ubuscmd} -S call rpc-sys packagelist '{ "all": true }' 2>/dev/null)"
|
ban_packages="$(${ban_ubuscmd} -S call rpc-sys packagelist '{ "all": true }' 2>/dev/null)"
|
||||||
ban_memory="$("${ban_awkcmd}" '/^MemAvailable/{printf "%s",int($2/1000)}' "/proc/meminfo" 2>/dev/null)"
|
ban_memory="$("${ban_awkcmd}" '/^MemAvailable/{printf "%s",int($2/1000)}' "/proc/meminfo" 2>/dev/null)"
|
||||||
ban_ver="$(printf "%s" "${ban_packages}" | jsonfilter -ql1 -e '@.packages.banip')"
|
ban_ver="$(printf "%s" "${ban_packages}" | "${ban_jsoncmd}" -ql1 -e '@.packages.banip')"
|
||||||
ban_sysver="$(${ban_ubuscmd} -S call system board 2>/dev/null | jsonfilter -ql1 -e '@.model' -e '@.release.description' |
|
ban_sysver="$("${ban_ubuscmd}" -S call system board 2>/dev/null | "${ban_jsoncmd}" -ql1 -e '@.model' -e '@.release.description' |
|
||||||
"${ban_awkcmd}" 'BEGIN{RS="";FS="\n"}{printf "%s, %s",$1,$2}')"
|
"${ban_awkcmd}" 'BEGIN{RS="";FS="\n"}{printf "%s, %s",$1,$2}')"
|
||||||
if [ -z "${ban_cores}" ]; then
|
if [ -z "${ban_cores}" ]; then
|
||||||
cpu="$("${ban_grepcmd}" -c '^processor' /proc/cpuinfo 2>/dev/null)"
|
cpu="$("${ban_grepcmd}" -c '^processor' /proc/cpuinfo 2>/dev/null)"
|
||||||
|
@ -236,6 +242,9 @@ f_conf() {
|
||||||
"ban_ifv6")
|
"ban_ifv6")
|
||||||
eval "${option}=\"$(printf "%s" "${ban_ifv6}")${value} \""
|
eval "${option}=\"$(printf "%s" "${ban_ifv6}")${value} \""
|
||||||
;;
|
;;
|
||||||
|
"ban_trigger")
|
||||||
|
eval "${option}=\"$(printf "%s" "${ban_trigger}")${value} \""
|
||||||
|
;;
|
||||||
"ban_feed")
|
"ban_feed")
|
||||||
eval "${option}=\"$(printf "%s" "${ban_feed}")${value} \""
|
eval "${option}=\"$(printf "%s" "${ban_feed}")${value} \""
|
||||||
;;
|
;;
|
||||||
|
@ -321,22 +330,26 @@ f_getfetch() {
|
||||||
"aria2c")
|
"aria2c")
|
||||||
[ "${ban_fetchinsecure}" = "1" ] && insecure="--check-certificate=false"
|
[ "${ban_fetchinsecure}" = "1" ] && insecure="--check-certificate=false"
|
||||||
ban_fetchparm="${ban_fetchparm:-"${insecure} --timeout=20 --retry-wait=10 --max-tries=${ban_fetchretry} --max-file-not-found=${ban_fetchretry} --allow-overwrite=true --auto-file-renaming=false --log-level=warn --dir=/ -o"}"
|
ban_fetchparm="${ban_fetchparm:-"${insecure} --timeout=20 --retry-wait=10 --max-tries=${ban_fetchretry} --max-file-not-found=${ban_fetchretry} --allow-overwrite=true --auto-file-renaming=false --log-level=warn --dir=/ -o"}"
|
||||||
|
ban_rdapparm="--timeout=5 --allow-overwrite=true --auto-file-renaming=false --dir=/ -o"
|
||||||
;;
|
;;
|
||||||
"curl")
|
"curl")
|
||||||
[ "${ban_fetchinsecure}" = "1" ] && insecure="--insecure"
|
[ "${ban_fetchinsecure}" = "1" ] && insecure="--insecure"
|
||||||
ban_fetchparm="${ban_fetchparm:-"${insecure} --connect-timeout 20 --retry-delay 10 --retry ${ban_fetchretry} --retry-all-errors --fail --silent --show-error --location -o"}"
|
ban_fetchparm="${ban_fetchparm:-"${insecure} --connect-timeout 20 --retry-delay 10 --retry ${ban_fetchretry} --retry-all-errors --fail --silent --show-error --location -o"}"
|
||||||
|
ban_rdapparm="--connect-timeout 5 --silent --location -o"
|
||||||
;;
|
;;
|
||||||
"uclient-fetch")
|
"uclient-fetch")
|
||||||
[ "${ban_fetchinsecure}" = "1" ] && insecure="--no-check-certificate"
|
[ "${ban_fetchinsecure}" = "1" ] && insecure="--no-check-certificate"
|
||||||
ban_fetchparm="${ban_fetchparm:-"${insecure} --timeout=20 -O"}"
|
ban_fetchparm="${ban_fetchparm:-"${insecure} --timeout=20 -O"}"
|
||||||
|
ban_rdapparm="--timeout=5 -O"
|
||||||
;;
|
;;
|
||||||
"wget")
|
"wget")
|
||||||
[ "${ban_fetchinsecure}" = "1" ] && insecure="--no-check-certificate"
|
[ "${ban_fetchinsecure}" = "1" ] && insecure="--no-check-certificate"
|
||||||
ban_fetchparm="${ban_fetchparm:-"${insecure} --no-cache --no-cookies --timeout=20 --waitretry=10 --tries=${ban_fetchretry} --retry-connrefused --max-redirect=0 -O"}"
|
ban_fetchparm="${ban_fetchparm:-"${insecure} --no-cache --no-cookies --timeout=20 --waitretry=10 --tries=${ban_fetchretry} --retry-connrefused -O"}"
|
||||||
|
ban_rdapparm="--timeout=5 -O"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
f_log "debug" "f_getfetch ::: auto/update: ${ban_autodetect}/${update}, cmd: ${ban_fetchcmd:-"-"}, parm: ${ban_fetchparm:-"-"}"
|
f_log "debug" "f_getfetch ::: auto/update: ${ban_autodetect}/${update}, cmd: ${ban_fetchcmd:-"-"}, fetch_parm: ${ban_fetchparm:-"-"}, rdap_parm: ${ban_rdapparm:-"-"}"
|
||||||
}
|
}
|
||||||
|
|
||||||
# get wan interfaces
|
# get wan interfaces
|
||||||
|
@ -593,11 +606,11 @@ f_down() {
|
||||||
ruleset_raw="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null)"
|
ruleset_raw="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null)"
|
||||||
{
|
{
|
||||||
printf "%s\n" "flush set inet banIP ${feed}"
|
printf "%s\n" "flush set inet banIP ${feed}"
|
||||||
handle="$(printf "%s\n" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-input\"][@.expr[0].match.right=\"@${feed}\"].handle")"
|
handle="$(printf "%s\n" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-input\"][@.expr[0].match.right=\"@${feed}\"].handle")"
|
||||||
[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-input handle ${handle}"
|
[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-input handle ${handle}"
|
||||||
handle="$(printf "%s\n" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-forward\"][@.expr[0].match.right=\"@${feed}\"].handle")"
|
handle="$(printf "%s\n" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-forward\"][@.expr[0].match.right=\"@${feed}\"].handle")"
|
||||||
[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-forward handle ${handle}"
|
[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-forward handle ${handle}"
|
||||||
handle="$(printf "%s\n" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[0].match.right=\"@${feed}\"].handle")"
|
handle="$(printf "%s\n" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[0].match.right=\"@${feed}\"].handle")"
|
||||||
[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP lan-forward handle ${handle}"
|
[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP lan-forward handle ${handle}"
|
||||||
} >"${tmp_flush}"
|
} >"${tmp_flush}"
|
||||||
fi
|
fi
|
||||||
|
@ -866,7 +879,7 @@ f_down() {
|
||||||
rm -f "${split_file}"
|
rm -f "${split_file}"
|
||||||
done
|
done
|
||||||
if [ "${ban_debug}" = "1" ] && [ "${ban_reportelements}" = "1" ]; then
|
if [ "${ban_debug}" = "1" ] && [ "${ban_reportelements}" = "1" ]; then
|
||||||
cnt_set="$("${ban_nftcmd}" -j list set inet banIP "${feed}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)"
|
cnt_set="$("${ban_nftcmd}" -j list set inet banIP "${feed}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
|
@ -916,7 +929,7 @@ f_rmset() {
|
||||||
json_get_keys feedlist
|
json_get_keys feedlist
|
||||||
tmp_del="${ban_tmpfile}.final.delete"
|
tmp_del="${ban_tmpfile}.final.delete"
|
||||||
ruleset_raw="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null)"
|
ruleset_raw="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null)"
|
||||||
table_sets="$(printf "%s\n" "${ruleset_raw}" | jsonfilter -qe '@.nftables[@.set.table="banIP"].set.name')"
|
table_sets="$(printf "%s\n" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.set.table="banIP"].set.name')"
|
||||||
{
|
{
|
||||||
printf "%s\n\n" "#!/usr/sbin/nft -f"
|
printf "%s\n\n" "#!/usr/sbin/nft -f"
|
||||||
for item in ${table_sets}; do
|
for item in ${table_sets}; do
|
||||||
|
@ -925,11 +938,11 @@ f_rmset() {
|
||||||
del_set="${del_set}${item}, "
|
del_set="${del_set}${item}, "
|
||||||
rm -f "${ban_backupdir}/banIP.${item}.gz"
|
rm -f "${ban_backupdir}/banIP.${item}.gz"
|
||||||
printf "%s\n" "flush set inet banIP ${item}"
|
printf "%s\n" "flush set inet banIP ${item}"
|
||||||
handle="$(printf "%s\n" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-input\"][@.expr[0].match.right=\"@${item}\"].handle")"
|
handle="$(printf "%s\n" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-input\"][@.expr[0].match.right=\"@${item}\"].handle")"
|
||||||
[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-input handle ${handle}"
|
[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-input handle ${handle}"
|
||||||
handle="$(printf "%s\n" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-forward\"][@.expr[0].match.right=\"@${item}\"].handle")"
|
handle="$(printf "%s\n" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-forward\"][@.expr[0].match.right=\"@${item}\"].handle")"
|
||||||
[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-forward handle ${handle}"
|
[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-forward handle ${handle}"
|
||||||
handle="$(printf "%s\n" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[0].match.right=\"@${item}\"].handle")"
|
handle="$(printf "%s\n" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[0].match.right=\"@${item}\"].handle")"
|
||||||
[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP lan-forward handle ${handle}"
|
[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP lan-forward handle ${handle}"
|
||||||
printf "%s\n\n" "delete set inet banIP ${item}"
|
printf "%s\n\n" "delete set inet banIP ${item}"
|
||||||
fi
|
fi
|
||||||
|
@ -957,10 +970,10 @@ f_genstatus() {
|
||||||
ban_endtime="$(date "+%s")"
|
ban_endtime="$(date "+%s")"
|
||||||
duration="$(((ban_endtime - ban_starttime) / 60))m $(((ban_endtime - ban_starttime) % 60))s"
|
duration="$(((ban_endtime - ban_starttime) / 60))m $(((ban_endtime - ban_starttime) % 60))s"
|
||||||
fi
|
fi
|
||||||
table_sets="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null | jsonfilter -qe '@.nftables[@.set.table="banIP"].set.name')"
|
table_sets="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[@.set.table="banIP"].set.name')"
|
||||||
if [ "${ban_reportelements}" = "1" ]; then
|
if [ "${ban_reportelements}" = "1" ]; then
|
||||||
for item in ${table_sets}; do
|
for item in ${table_sets}; do
|
||||||
cnt_elements="$((cnt_elements + $("${ban_nftcmd}" -j list set inet banIP "${item}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)))"
|
cnt_elements="$((cnt_elements + $("${ban_nftcmd}" -j list set inet banIP "${item}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)))"
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
runtime="action: ${ban_action:-"-"}, duration: ${duration:-"-"}, date: $(date "+%Y-%m-%d %H:%M:%S")"
|
runtime="action: ${ban_action:-"-"}, duration: ${duration:-"-"}, date: $(date "+%Y-%m-%d %H:%M:%S")"
|
||||||
|
@ -1132,7 +1145,7 @@ f_report() {
|
||||||
# json output preparation
|
# json output preparation
|
||||||
#
|
#
|
||||||
ruleset_raw="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null)"
|
ruleset_raw="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null)"
|
||||||
table_sets="$(printf "%s" "${ruleset_raw}" | jsonfilter -qe '@.nftables[@.set.table="banIP"].set.name')"
|
table_sets="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.set.table="banIP"].set.name')"
|
||||||
sum_sets="0"
|
sum_sets="0"
|
||||||
sum_setinput="0"
|
sum_setinput="0"
|
||||||
sum_setforwardwan="0"
|
sum_setforwardwan="0"
|
||||||
|
@ -1147,11 +1160,11 @@ f_report() {
|
||||||
printf "%s\n" "{"
|
printf "%s\n" "{"
|
||||||
printf "\t%s\n" '"sets":{'
|
printf "\t%s\n" '"sets":{'
|
||||||
for item in ${table_sets}; do
|
for item in ${table_sets}; do
|
||||||
set_cntinput="$(printf "%s" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-input\"][@.expr[0].match.right=\"@${item}\"].expr[*].counter.packets")"
|
set_cntinput="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-input\"][@.expr[0].match.right=\"@${item}\"].expr[*].counter.packets")"
|
||||||
set_cntforwardwan="$(printf "%s" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-forward\"][@.expr[0].match.right=\"@${item}\"].expr[*].counter.packets")"
|
set_cntforwardwan="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-forward\"][@.expr[0].match.right=\"@${item}\"].expr[*].counter.packets")"
|
||||||
set_cntforwardlan="$(printf "%s" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[0].match.right=\"@${item}\"].expr[*].counter.packets")"
|
set_cntforwardlan="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[0].match.right=\"@${item}\"].expr[*].counter.packets")"
|
||||||
if [ "${ban_reportelements}" = "1" ]; then
|
if [ "${ban_reportelements}" = "1" ]; then
|
||||||
set_cnt="$("${ban_nftcmd}" -j list set inet banIP "${item}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)"
|
set_cnt="$("${ban_nftcmd}" -j list set inet banIP "${item}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)"
|
||||||
sum_setelements="$((sum_setelements + set_cnt))"
|
sum_setelements="$((sum_setelements + set_cnt))"
|
||||||
else
|
else
|
||||||
set_cnt=""
|
set_cnt=""
|
||||||
|
@ -1295,7 +1308,7 @@ f_search() {
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
if [ -n "${proto}" ]; then
|
if [ -n "${proto}" ]; then
|
||||||
table_sets="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null | jsonfilter -qe "@.nftables[@.set.table=\"banIP\"&&@.set.type=\"ip${proto}_addr\"].set.name")"
|
table_sets="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null | "${ban_jsoncmd}" -qe "@.nftables[@.set.table=\"banIP\"&&@.set.type=\"ip${proto}_addr\"].set.name")"
|
||||||
else
|
else
|
||||||
printf "%s\n%s\n%s\n" ":::" "::: no valid search input" ":::"
|
printf "%s\n%s\n%s\n" ":::" "::: no valid search input" ":::"
|
||||||
return
|
return
|
||||||
|
@ -1332,7 +1345,7 @@ f_survey() {
|
||||||
printf "%s\n%s\n%s\n" ":::" "::: no valid survey input" ":::"
|
printf "%s\n%s\n%s\n" ":::" "::: no valid survey input" ":::"
|
||||||
return
|
return
|
||||||
fi
|
fi
|
||||||
set_elements="$("${ban_nftcmd}" -j list set inet banIP "${input}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]')"
|
set_elements="$("${ban_nftcmd}" -j list set inet banIP "${input}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]')"
|
||||||
printf "%s\n%s\n%s\n" ":::" "::: banIP Survey" ":::"
|
printf "%s\n%s\n%s\n" ":::" "::: banIP Survey" ":::"
|
||||||
printf " %s\n" "List of elements in the Set '${input}' on $(date "+%Y-%m-%d %H:%M:%S")"
|
printf " %s\n" "List of elements in the Set '${input}' on $(date "+%Y-%m-%d %H:%M:%S")"
|
||||||
printf " %s\n" "---"
|
printf " %s\n" "---"
|
||||||
|
@ -1366,7 +1379,7 @@ f_mail() {
|
||||||
# log monitor
|
# log monitor
|
||||||
#
|
#
|
||||||
f_monitor() {
|
f_monitor() {
|
||||||
local nft_expiry line proto ip log_raw log_count
|
local nft_expiry line proto ip log_raw log_count rdap_log rdap_rc rdap_elements rdap_info
|
||||||
|
|
||||||
if [ -x "${ban_logreadcmd}" ] && [ -n "${ban_logterm%%??}" ] && [ "${ban_loglimit}" != "0" ]; then
|
if [ -x "${ban_logreadcmd}" ] && [ -n "${ban_logterm%%??}" ] && [ "${ban_loglimit}" != "0" ]; then
|
||||||
|
|
||||||
|
@ -1375,6 +1388,7 @@ f_monitor() {
|
||||||
|
|
||||||
"${ban_logreadcmd}" -fe "${ban_logterm%%??}" 2>/dev/null |
|
"${ban_logreadcmd}" -fe "${ban_logterm%%??}" 2>/dev/null |
|
||||||
while read -r line; do
|
while read -r line; do
|
||||||
|
: >"{ban_rdapfile}"
|
||||||
proto=""
|
proto=""
|
||||||
ip="$(printf "%s" "${line}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9]{1,3}\\.){3}[0-9]{1,3})+"}{if(!seen[RT]++)printf "%s ",RT}')"
|
ip="$(printf "%s" "${line}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9]{1,3}\\.){3}[0-9]{1,3})+"}{if(!seen[RT]++)printf "%s ",RT}')"
|
||||||
ip="$(f_trim "${ip}")"
|
ip="$(f_trim "${ip}")"
|
||||||
|
@ -1387,17 +1401,34 @@ f_monitor() {
|
||||||
[ -n "${ip}" ] && proto="v6"
|
[ -n "${ip}" ] && proto="v6"
|
||||||
fi
|
fi
|
||||||
if [ -n "${proto}" ] && ! "${ban_nftcmd}" get element inet banIP blocklist"${proto}" "{ ${ip} }" >/dev/null 2>&1; then
|
if [ -n "${proto}" ] && ! "${ban_nftcmd}" get element inet banIP blocklist"${proto}" "{ ${ip} }" >/dev/null 2>&1; then
|
||||||
f_log "info" "suspicious IP${proto} '${ip}'"
|
f_log "info" "suspicious IP '${ip}'"
|
||||||
log_raw="$("${ban_logreadcmd}" -l "${ban_loglimit}" 2>/dev/null)"
|
log_raw="$("${ban_logreadcmd}" -l "${ban_loglimit}" 2>/dev/null)"
|
||||||
log_count="$(printf "%s\n" "${log_raw}" | "${ban_grepcmd}" -c "suspicious IP${proto} '${ip}'")"
|
log_count="$(printf "%s\n" "${log_raw}" | "${ban_grepcmd}" -c "suspicious IP '${ip}'")"
|
||||||
if [ "${log_count}" -ge "${ban_logcount}" ]; then
|
if [ "${log_count}" -ge "${ban_logcount}" ]; then
|
||||||
if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" "{ ${ip} ${nft_expiry} }" >/dev/null 2>&1; then
|
if [ "${ban_autoblocksubnet}" = "1" ]; then
|
||||||
f_log "info" "add IP${proto} '${ip}' (expiry: ${ban_nftexpiry:-"-"}) to blocklist${proto} set"
|
rdap_log="$("${ban_fetchcmd}" ${ban_rdapparm} "${ban_rdapfile}" "${ban_rdapurl}${ip}" 2>&1)"
|
||||||
if [ -z "${ban_nftexpiry}" ] && [ "${ban_autoblocklist}" = "1" ] && ! "${ban_grepcmd}" -q "^${ip}" "${ban_blocklist}"; then
|
rdap_rc="${?}"
|
||||||
printf "%-42s%s\n" "${ip}" "# added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_blocklist}"
|
if [ "${rdap_rc}" = "0" ] && [ -s "${ban_rdapfile}" ]; then
|
||||||
f_log "info" "add IP${proto} '${ip}' to local blocklist"
|
rdap_elements="$(jsonfilter -i "${ban_rdapfile}" -qe '@.cidr0_cidrs.*' | awk 'BEGIN{FS="[\" ]"}{printf "%s/%s, ",$6,$11}')"
|
||||||
|
rdap_info="$(jsonfilter -i "${ban_rdapfile}" -qe '@.country' -qe '@.notices[@.title="Source"].description[1]' | awk 'BEGIN{RS="";FS="\n"}{printf "%s, %s",$1,$2}')"
|
||||||
|
if [ -n "${rdap_elements//\/*/}" ]; then
|
||||||
|
if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" "{ ${rdap_elements%%??} ${nft_expiry} }" >/dev/null 2>&1; then
|
||||||
|
f_log "info" "add IP range '${rdap_elements%%??}' (source: ${rdap_info:-"-"} ::: expiry: ${ban_nftexpiry:-"-"}) to blocklist${proto} set"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
f_log "info" "rdap request failed (rc: ${rdap_rc:-"-"}/log: ${rdap_log})"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
if [ "${ban_autoblocksubnet}" = "0" ] || [ "${rdap_rc}" != "0" ] || [ ! -s "${ban_rdapfile}" ] || [ -z "${rdap_elements//\/*/}" ]; then
|
||||||
|
if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" "{ ${ip} ${nft_expiry} }" >/dev/null 2>&1; then
|
||||||
|
f_log "info" "add IP '${ip}' (expiry: ${ban_nftexpiry:-"-"}) to blocklist${proto} set"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
if [ -z "${ban_nftexpiry}" ] && [ "${ban_autoblocklist}" = "1" ] && ! "${ban_grepcmd}" -q "^${ip}" "${ban_blocklist}"; then
|
||||||
|
printf "%-42s%s\n" "${ip}" "# added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_blocklist}"
|
||||||
|
f_log "info" "add IP '${ip}' to local blocklist"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
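Review bot: The per-line reset `: >"{ban_rdapfile}"` in the first added line of the last f_monitor hunk is missing the `$`, so it creates a stray file literally named `{ban_rdapfile}` in the current working directory and never truncates the real rdap file; it should read `: >"${ban_rdapfile}"`. As written, the `-s` test on `${ban_rdapfile}` a few lines further down only holds because `rdap_rc` is checked alongside it. The two `jsonfilter -i ... | awk ...` pipelines that derive `rdap_elements` and `rdap_info` call the tools by bare name, while the rest of this commit switches every other call site to `"${ban_jsoncmd}"` and `"${ban_awkcmd}"`; they should use the same variables for consistency. The CIDRs parsed from the remote RDAP reply are passed unchecked into `nft add element`, and since one suspicious IP can map to a very large allocation, a minimum prefix-length sanity check before the add would bound the collateral blocking. f_monitor's closing lines lie outside the hunk.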