banip: release 0.8.5-1

* add support for external allowlist URLs to reference additional IPv4/IPv6 feeds, set 'ban_allowurl' accordingly
* make download retries in case of an error configurable, set 'ban_fetchretry' accordingly (default 5)
* small fixes
* readme update
* LuCI update (separate commit)

Signed-off-by: Dirk Brenken <dev@brenken.org>
Dirk Brenken 2023-05-06 22:41:56 +02:00
parent 5f58aa7a4e
commit 7ac5f0a3d9
No known key found for this signature in database
GPG key ID: 9D71CD547BFAE684
4 changed files with 67 additions and 37 deletions


@ -5,8 +5,8 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=banip PKG_NAME:=banip
PKG_VERSION:=0.8.4 PKG_VERSION:=0.8.5
PKG_RELEASE:=5 PKG_RELEASE:=1
PKG_LICENSE:=GPL-3.0-or-later PKG_LICENSE:=GPL-3.0-or-later
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org> PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>


@ -62,7 +62,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
* Supports nft atomic Set loading * Supports nft atomic Set loading
* Supports blocking by ASN numbers and by iso country codes * Supports blocking by ASN numbers and by iso country codes
* Supports local allow- and blocklist (IPv4, IPv6, CIDR notation or domain names) * Supports local allow- and blocklist (IPv4, IPv6, CIDR notation or domain names)
* Auto-add the uplink subnet to the local allowlist * Auto-add the uplink subnet or uplink IP to the local allowlist
* Provides a small background log monitor to ban unsuccessful login attempts in real-time * Provides a small background log monitor to ban unsuccessful login attempts in real-time
* Auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist * Auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist
* Fast feed processing as they are handled in parallel as background jobs * Fast feed processing as they are handled in parallel as background jobs
@ -79,6 +79,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
* Procd based init system support (start/stop/restart/reload/status/report/search/survey/lookup) * Procd based init system support (start/stop/restart/reload/status/report/search/survey/lookup)
* Procd network interface trigger support * Procd network interface trigger support
* Add new or edit existing banIP feeds on your own with the integrated custom feed editor * Add new or edit existing banIP feeds on your own with the integrated custom feed editor
* Supports external allowlist URLs to reference additional IPv4/IPv6 feeds
## Prerequisites ## Prerequisites
* **[OpenWrt](https://openwrt.org)**, latest stable release or a snapshot with nft/firewall 4 support * **[OpenWrt](https://openwrt.org)**, latest stable release or a snapshot with nft/firewall 4 support
@ -168,6 +169,7 @@ Available commands:
| ban_blockforwardlan | list | - | limit a feed to the lan-forward chain, e.g. 'doh' | | ban_blockforwardlan | list | - | limit a feed to the lan-forward chain, e.g. 'doh' |
| ban_fetchcmd | option | - / autodetect | 'uclient-fetch', 'wget', 'curl' or 'aria2c' | | ban_fetchcmd | option | - / autodetect | 'uclient-fetch', 'wget', 'curl' or 'aria2c' |
| ban_fetchparm | option | - / autodetect | set the config options for the selected download utility | | ban_fetchparm | option | - / autodetect | set the config options for the selected download utility |
| ban_fetchretry | option | 5 | number of download attempts in case of an error (not supported by uclient-fetch) |
| ban_fetchinsecure | option | 0 | don't check SSL server certificates during download | | ban_fetchinsecure | option | 0 | don't check SSL server certificates during download |
| ban_mailreceiver | option | - | receiver address for banIP related notification E-Mails | | ban_mailreceiver | option | - | receiver address for banIP related notification E-Mails |
| ban_mailsender | option | no-reply@banIP | sender address for banIP related notification E-Mails | | ban_mailsender | option | no-reply@banIP | sender address for banIP related notification E-Mails |
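Review bot: the description "number of download attempts" in the new ban_fetchretry row does not match all three back ends it is wired into: wget's `--tries=5` and aria2c's `--max-tries=5` count total attempts, but curl's `--retry 5` counts retries after the first attempt, so curl can make up to six requests per feed. Either document the value as "retries after the first attempt" or add a note on the per-utility difference so the default of 5 means the same thing to the reader regardless of which fetcher was auto-detected.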
@ -289,9 +291,10 @@ list ban_logterm 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress='
**allow-/blocklist handling** **allow-/blocklist handling**
banIP supports local allow and block lists (IPv4, IPv6, CIDR notation or domain names), located in /etc/banip/banip.allowlist and /etc/banip/banip.blocklist. banIP supports local allow and block lists (IPv4, IPv6, CIDR notation or domain names), located in /etc/banip/banip.allowlist and /etc/banip/banip.blocklist.
Unsuccessful login attempts or suspicious requests will be tracked and added to the local blocklist (see the 'ban\_autoblocklist' option). The blocklist behaviour can be further tweaked with the 'ban\_nftexpiry' option. Unsuccessful login attempts or suspicious requests will be tracked and added to the local blocklist (see the 'ban_autoblocklist' option). The blocklist behaviour can be further tweaked with the 'ban_nftexpiry' option.
Furthermore the uplink subnet will be added to local allowlist (see 'ban\_autoallowlist' option). Depending on the options 'ban_autoallowlist' and 'ban_autoallowuplink' the uplink subnet or the uplink IP will be added automatically to local allowlist.
Both lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be extracted and added to the Sets. You can also start the domain lookup separately via /etc/init.d/banip lookup at any time. Furthermore, you can reference external Allowlist URLs with additional IPv4 and IPv6 feeds (see 'ban_allowurl').
Both local lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be extracted and added to the Sets. You can also start the domain lookup separately via /etc/init.d/banip lookup at any time.
**allowlist-only mode** **allowlist-only mode**
banIP supports an "allowlist only" mode. This option restricts the internet access from/to a small number of secure websites/IPs, and block access from/to the rest of the internet. All IPs and Domains which are _not_ listed in the allowlist are blocked. banIP supports an "allowlist only" mode. This option restricts the internet access from/to a small number of secure websites/IPs, and block access from/to the rest of the internet. All IPs and Domains which are _not_ listed in the allowlist are blocked.
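Review bot: the new sentence on 'ban_allowurl' should state what an external feed is trusted to do. Per the function change in this commit, the downloaded content is appended verbatim to the local allowlist and turned into nft accept rules, so whoever controls that URL controls which addresses bypass every block feed. Recommend adding that only HTTPS URLs from trusted sources should be referenced, and that combining 'ban_allowurl' with 'ban_fetchinsecure' removes the remaining transport integrity check on that allowlist.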
@ -317,12 +320,12 @@ nftables supports the atomic loading of firewall rules (incl. elements), which i
**tweak the download options** **tweak the download options**
By default banIP uses the following pre-configured download options: By default banIP uses the following pre-configured download options:
``` ```
* aria2c: --timeout=20 --allow-overwrite=true --auto-file-renaming=false --log-level=warn --dir=/ -o * aria2c: --timeout=20 --retry-wait=10 --max-tries=5 --max-file-not-found=5 --allow-overwrite=true --auto-file-renaming=false --log-level=warn --dir=/ -o
* curl: --connect-timeout 20 --fail --silent --show-error --location -o * curl: --connect-timeout 20 --retry-delay 10 --retry 5 --retry-all-errors --fail --silent --show-error --location -o
* wget: --no-cache --no-cookies --timeout=20 --waitretry=10 --tries=5 --retry-connrefused --max-redirect=0 -O
* uclient-fetch: --timeout=20 -O * uclient-fetch: --timeout=20 -O
* wget: --no-cache --no-cookies --max-redirect=0 --timeout=20 -O
``` ```
To override the default set 'ban_fetchparm' manually to your needs. To override the default set 'ban_fetchretry', 'ban_fetchinsecure' or globally 'ban_fetchparm' to your needs.
**send E-Mail notifications via 'msmtp'** **send E-Mail notifications via 'msmtp'**
To use the email notification you must install & configure the package 'msmtp'. To use the email notification you must install & configure the package 'msmtp'.
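Review bot: the rewritten closing sentence ("set 'ban_fetchretry', 'ban_fetchinsecure' or globally 'ban_fetchparm'") hides a precedence rule that is visible in f_fetch: the default parameter string is only used when ban_fetchparm is empty (`${ban_fetchparm:-...}`), and both the insecure flag and the retry options live inside that default. A user who sets ban_fetchparm therefore silently loses the effect of ban_fetchretry and ban_fetchinsecure. The README should say that a custom ban_fetchparm replaces all download options and must carry its own retry and certificate flags.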


@ -30,6 +30,8 @@ ban_fw4cmd="$(command -v fw4)"
ban_awkcmd="$(command -v awk)" ban_awkcmd="$(command -v awk)"
ban_grepcmd="$(command -v grep)" ban_grepcmd="$(command -v grep)"
ban_sedcmd="$(command -v sed)" ban_sedcmd="$(command -v sed)"
ban_catcmd="$(command -v cat)"
ban_zcatcmd="$(command -v zcat)"
ban_lookupcmd="$(command -v nslookup)" ban_lookupcmd="$(command -v nslookup)"
ban_mailcmd="$(command -v msmtp)" ban_mailcmd="$(command -v msmtp)"
ban_mailsender="no-reply@banIP" ban_mailsender="no-reply@banIP"
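Review bot: ban_catcmd and ban_zcatcmd are resolved with `command -v` but, unlike ban_fetchcmd, are never checked for being executable. On a build without zcat, `"${ban_zcatcmd}"` expands to an empty string and the backup restore in f_restore fails with a shell "not found" error rather than a banIP log line. Suggest the same `[ ! -x ... ] && f_log "err" ...` guard that f_fetch applies to the download utility.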
@ -50,6 +52,7 @@ ban_asn=""
ban_loginput="1" ban_loginput="1"
ban_logforwardwan="1" ban_logforwardwan="1"
ban_logforwardlan="0" ban_logforwardlan="0"
ban_allowurl=""
ban_allowlistonly="0" ban_allowlistonly="0"
ban_autoallowlist="1" ban_autoallowlist="1"
ban_autoallowuplink="subnet" ban_autoallowuplink="subnet"
@ -69,6 +72,7 @@ ban_ifv6=""
ban_dev="" ban_dev=""
ban_uplink="" ban_uplink=""
ban_fetchinsecure="" ban_fetchinsecure=""
ban_fetchretry="5"
ban_cores="" ban_cores=""
ban_memory="" ban_memory=""
ban_trigger="" ban_trigger=""
@ -197,7 +201,7 @@ f_log() {
# load config # load config
# #
f_conf() { f_conf() {
unset ban_dev ban_ifv4 ban_ifv6 ban_feed ban_blockinput ban_blockforwardwan ban_blockforwardlan ban_logterm ban_country ban_asn unset ban_dev ban_ifv4 ban_ifv6 ban_feed ban_allowurl ban_blockinput ban_blockforwardwan ban_blockforwardlan ban_logterm ban_country ban_asn
config_cb() { config_cb() {
option_cb() { option_cb() {
local option="${1}" local option="${1}"
@ -220,6 +224,9 @@ f_conf() {
"ban_feed") "ban_feed")
eval "${option}=\"$(printf "%s" "${ban_feed}")${value} \"" eval "${option}=\"$(printf "%s" "${ban_feed}")${value} \""
;; ;;
"ban_allowurl")
eval "${option}=\"$(printf "%s" "${ban_allowurl}")${value} \""
;;
"ban_blockinput") "ban_blockinput")
eval "${option}=\"$(printf "%s" "${ban_blockinput}")${value} \"" eval "${option}=\"$(printf "%s" "${ban_blockinput}")${value} \""
;; ;;
@ -251,7 +258,7 @@ f_conf() {
f_fetch() { f_fetch() {
local item utils packages insecure local item utils packages insecure
if [ -z "${ban_fetchcmd}" ] || [ ! -x "${ban_fetchcmd}" ]; then if [ -z "${ban_fetchcmd}" ] || [ ! -x "$(command -v "${ban_fetchcmd}")" ]; then
packages="$(${ban_ubuscmd} -S call rpc-sys packagelist '{ "all": true }' 2>/dev/null)" packages="$(${ban_ubuscmd} -S call rpc-sys packagelist '{ "all": true }' 2>/dev/null)"
[ -z "${packages}" ] && f_log "err" "no local package repository" [ -z "${packages}" ] && f_log "err" "no local package repository"
utils="aria2c curl wget uclient-fetch" utils="aria2c curl wget uclient-fetch"
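Review bot: when a user-configured ban_fetchcmd is not found in PATH, the new condition silently falls through to auto-detection instead of telling the user their setting was ignored; an f_log "info" line in that branch, before the package list query, would make the fallback visible in the log.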
@ -267,16 +274,18 @@ f_fetch() {
fi fi
fi fi
done done
else
ban_fetchcmd="$(command -v "${ban_fetchcmd}")"
fi fi
[ ! -x "${ban_fetchcmd}" ] && f_log "err" "no download utility with SSL support" [ ! -x "${ban_fetchcmd}" ] && f_log "err" "no download utility with SSL support"
case "${ban_fetchcmd##*/}" in case "${ban_fetchcmd##*/}" in
"aria2c") "aria2c")
[ "${ban_fetchinsecure}" = "1" ] && insecure="--check-certificate=false" [ "${ban_fetchinsecure}" = "1" ] && insecure="--check-certificate=false"
ban_fetchparm="${ban_fetchparm:-"${insecure} --timeout=20 --allow-overwrite=true --auto-file-renaming=false --log-level=warn --dir=/ -o"}" ban_fetchparm="${ban_fetchparm:-"${insecure} --timeout=20 --retry-wait=10 --max-tries=${ban_fetchretry} --max-file-not-found=${ban_fetchretry} --allow-overwrite=true --auto-file-renaming=false --log-level=warn --dir=/ -o"}"
;; ;;
"curl") "curl")
[ "${ban_fetchinsecure}" = "1" ] && insecure="--insecure" [ "${ban_fetchinsecure}" = "1" ] && insecure="--insecure"
ban_fetchparm="${ban_fetchparm:-"${insecure} --connect-timeout 20 --fail --silent --show-error --location -o"}" ban_fetchparm="${ban_fetchparm:-"${insecure} --connect-timeout 20 --retry-delay 10 --retry ${ban_fetchretry} --retry-all-errors --fail --silent --show-error --location -o"}"
;; ;;
"uclient-fetch") "uclient-fetch")
[ "${ban_fetchinsecure}" = "1" ] && insecure="--no-check-certificate" [ "${ban_fetchinsecure}" = "1" ] && insecure="--no-check-certificate"
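Review bot: ban_fetchretry is interpolated unvalidated into `--max-tries=${ban_fetchretry}` and `--retry ${ban_fetchretry}`; the option_cb path in f_conf accepts any string, so an empty or non-numeric UCI value breaks every download with a fetcher parse error rather than a clear banIP message. Suggest validating it as a positive integer in f_conf and falling back to the default of 5. Worth a comment as well: curl's `--retry-all-errors` combined with `--fail` also retries on HTTP 4xx responses, so a permanently missing feed is requested ban_fetchretry+1 times with 10-second waits before it is reported as failed.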
@ -284,7 +293,7 @@ f_fetch() {
;; ;;
"wget") "wget")
[ "${ban_fetchinsecure}" = "1" ] && insecure="--no-check-certificate" [ "${ban_fetchinsecure}" = "1" ] && insecure="--no-check-certificate"
ban_fetchparm="${ban_fetchparm:-"${insecure} --no-cache --no-cookies --max-redirect=0 --timeout=20 -O"}" ban_fetchparm="${ban_fetchparm:-"${insecure} --no-cache --no-cookies --timeout=20 --waitretry=10 --tries=${ban_fetchretry} --retry-connrefused --max-redirect=0 -O"}"
;; ;;
esac esac
@ -296,7 +305,7 @@ f_fetch() {
f_rmpid() { f_rmpid() {
local ppid pid pids local ppid pid pids
ppid="$(cat "${ban_pidfile}" 2>/dev/null)" ppid="$("${ban_catcmd}" "${ban_pidfile}" 2>/dev/null)"
[ -n "${ppid}" ] && pids="$(pgrep -P "${ppid}" 2>/dev/null)" || return 0 [ -n "${ppid}" ] && pids="$(pgrep -P "${ppid}" 2>/dev/null)" || return 0
for pid in ${pids}; do for pid in ${pids}; do
kill -INT "${pid}" >/dev/null 2>&1 kill -INT "${pid}" >/dev/null 2>&1
@ -314,7 +323,7 @@ f_actual() {
else else
nft="$(f_char "0")" nft="$(f_char "0")"
fi fi
if pgrep -f "logread" -P "$(cat "${ban_pidfile}" 2>/dev/null)" >/dev/null 2>&1; then if pgrep -f "logread" -P "$("${ban_catcmd}" "${ban_pidfile}" 2>/dev/null)" >/dev/null 2>&1; then
monitor="$(f_char "1")" monitor="$(f_char "1")"
else else
monitor="$(f_char "0")" monitor="$(f_char "0")"
@ -468,7 +477,7 @@ f_getfeed() {
f_getelements() { f_getelements() {
local file="${1}" local file="${1}"
[ -s "${file}" ] && printf "%s" "elements={ $(cat "${file}" 2>/dev/null) };" [ -s "${file}" ] && printf "%s" "elements={ $("${ban_catcmd}" "${file}" 2>/dev/null) };"
} }
# build initial nft file with base table, chains and rules # build initial nft file with base table, chains and rules
@ -533,6 +542,7 @@ f_down() {
tmp_file="${ban_tmpfile}.${feed}.file" tmp_file="${ban_tmpfile}.${feed}.file"
tmp_flush="${ban_tmpfile}.${feed}.flush" tmp_flush="${ban_tmpfile}.${feed}.flush"
tmp_nft="${ban_tmpfile}.${feed}.nft" tmp_nft="${ban_tmpfile}.${feed}.nft"
tmp_allow="${ban_tmpfile}.${feed%v*}"
[ "${ban_loginput}" = "1" ] && log_input="log level ${ban_nftloglevel} prefix \"banIP/inp-wan/drp/${feed}: \"" [ "${ban_loginput}" = "1" ] && log_input="log level ${ban_nftloglevel} prefix \"banIP/inp-wan/drp/${feed}: \""
[ "${ban_logforwardwan}" = "1" ] && log_forwardwan="log level ${ban_nftloglevel} prefix \"banIP/fwd-wan/drp/${feed}: \"" [ "${ban_logforwardwan}" = "1" ] && log_forwardwan="log level ${ban_nftloglevel} prefix \"banIP/fwd-wan/drp/${feed}: \""
@ -592,18 +602,33 @@ f_down() {
feed_rc="${restore_rc}" feed_rc="${restore_rc}"
fi fi
# handle local lists # prepare local allowlist
#
if [ "${feed%v*}" = "allowlist" ] && [ ! -f "${tmp_allow}" ]; then
"${ban_catcmd}" "${ban_allowlist}" 2>/dev/null >"${tmp_allow}"
for feed_url in ${ban_allowurl}; do
feed_log="$("${ban_fetchcmd}" ${ban_fetchparm} "${tmp_load}" "${feed_url}" 2>&1)"
feed_rc="${?}"
if [ "${feed_rc}" = "0" ] && [ -s "${tmp_load}" ]; then
"${ban_catcmd}" "${tmp_load}" 2>/dev/null >>"${tmp_allow}"
else
f_log "info" "download for feed '${feed%v*}' failed (rc: ${feed_rc:-"-"}/log: ${feed_log})"
fi
done
fi
# handle local feeds
# #
if [ "${feed%v*}" = "allowlist" ]; then if [ "${feed%v*}" = "allowlist" ]; then
{ {
printf "%s\n\n" "#!/usr/sbin/nft -f" printf "%s\n\n" "#!/usr/sbin/nft -f"
[ -s "${tmp_flush}" ] && cat "${tmp_flush}" [ -s "${tmp_flush}" ] && "${ban_catcmd}" "${tmp_flush}"
if [ "${proto}" = "MAC" ]; then if [ "${proto}" = "MAC" ]; then
"${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s, ",tolower($1)}' "${ban_allowlist}" >"${tmp_file}" "${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s, ",tolower($1)}' "${tmp_allow}" >"${tmp_file}"
printf "%s\n" "add set inet banIP ${feed} { type ether_addr; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }" printf "%s\n" "add set inet banIP ${feed} { type ether_addr; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ether saddr @${feed} counter accept" [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ether saddr @${feed} counter accept"
elif [ "${proto}" = "4" ]; then elif [ "${proto}" = "4" ]; then
"${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s, ",$1}' "${ban_allowlist}" >"${tmp_file}" "${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s, ",$1}' "${tmp_allow}" >"${tmp_file}"
printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }" printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
if [ -z "${feed_direction##*input*}" ]; then if [ -z "${feed_direction##*input*}" ]; then
if [ "${ban_allowlistonly}" = "1" ]; then if [ "${ban_allowlistonly}" = "1" ]; then
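Review bot: the `[ ! -f "${tmp_allow}" ]` guard is meant to fetch the external allowlist feeds once for both allowlistv4 and allowlistv6 (tmp_allow drops the protocol suffix), but the README states that feeds are processed in parallel as background jobs, so the two jobs can race: both may see no file and download twice, and the second job can read tmp_allow after the local list has been copied in but before the URL downloads have been appended, producing a v4 or v6 Set that lacks the external entries. Consider downloading the external allowlist once before the per-feed jobs are forked, or writing to a temporary name and renaming it into place only when complete. Minor: the failure log inside the loop reports only `${feed%v*}`; include ${feed_url} so a failing URL can be identified.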
@ -627,7 +652,7 @@ f_down() {
fi fi
fi fi
elif [ "${proto}" = "6" ]; then elif [ "${proto}" = "6" ]; then
"${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s\n",$1}' "${ban_allowlist}" | "${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s\n",$1}' "${tmp_allow}" |
"${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{printf "%s, ",tolower($1)}' >"${tmp_file}" "${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{printf "%s, ",tolower($1)}' >"${tmp_file}"
printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }" printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
if [ -z "${feed_direction##*input*}" ]; then if [ -z "${feed_direction##*input*}" ]; then
@ -657,7 +682,7 @@ f_down() {
elif [ "${feed%v*}" = "blocklist" ]; then elif [ "${feed%v*}" = "blocklist" ]; then
{ {
printf "%s\n\n" "#!/usr/sbin/nft -f" printf "%s\n\n" "#!/usr/sbin/nft -f"
[ -s "${tmp_flush}" ] && cat "${tmp_flush}" [ -s "${tmp_flush}" ] && "${ban_catcmd}" "${tmp_flush}"
if [ "${proto}" = "MAC" ]; then if [ "${proto}" = "MAC" ]; then
"${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s, ",tolower($1)}' "${ban_blocklist}" >"${tmp_file}" "${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s, ",tolower($1)}' "${ban_blocklist}" >"${tmp_file}"
printf "%s\n" "add set inet banIP ${feed} { type ether_addr; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }" printf "%s\n" "add set inet banIP ${feed} { type ether_addr; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
@ -667,7 +692,7 @@ f_down() {
"${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s,\n",$1}' "${ban_blocklist}" >"${tmp_raw}" "${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s,\n",$1}' "${ban_blocklist}" >"${tmp_raw}"
"${ban_awkcmd}" 'NR==FNR{member[$0];next}!($0 in member)' "${ban_tmpfile}.deduplicate" "${tmp_raw}" 2>/dev/null >"${tmp_split}" "${ban_awkcmd}" 'NR==FNR{member[$0];next}!($0 in member)' "${ban_tmpfile}.deduplicate" "${tmp_raw}" 2>/dev/null >"${tmp_split}"
"${ban_awkcmd}" 'BEGIN{FS="[ ,]"}NR==FNR{member[$1];next}!($1 in member)' "${ban_tmpfile}.deduplicate" "${ban_blocklist}" 2>/dev/null >"${tmp_raw}" "${ban_awkcmd}" 'BEGIN{FS="[ ,]"}NR==FNR{member[$1];next}!($1 in member)' "${ban_tmpfile}.deduplicate" "${ban_blocklist}" 2>/dev/null >"${tmp_raw}"
cat "${tmp_raw}" 2>/dev/null >"${ban_blocklist}" "${ban_catcmd}" "${tmp_raw}" 2>/dev/null >"${ban_blocklist}"
else else
"${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s,\n",$1}' "${ban_blocklist}" >"${tmp_split}" "${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s,\n",$1}' "${ban_blocklist}" >"${tmp_split}"
fi fi
@ -682,7 +707,7 @@ f_down() {
"${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{printf "%s,\n",tolower($1)}' >"${tmp_raw}" "${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{printf "%s,\n",tolower($1)}' >"${tmp_raw}"
"${ban_awkcmd}" 'NR==FNR{member[$0];next}!($0 in member)' "${ban_tmpfile}.deduplicate" "${tmp_raw}" 2>/dev/null >"${tmp_split}" "${ban_awkcmd}" 'NR==FNR{member[$0];next}!($0 in member)' "${ban_tmpfile}.deduplicate" "${tmp_raw}" 2>/dev/null >"${tmp_split}"
"${ban_awkcmd}" 'BEGIN{FS="[ ,]"}NR==FNR{member[$1];next}!($1 in member)' "${ban_tmpfile}.deduplicate" "${ban_blocklist}" 2>/dev/null >"${tmp_raw}" "${ban_awkcmd}" 'BEGIN{FS="[ ,]"}NR==FNR{member[$1];next}!($1 in member)' "${ban_tmpfile}.deduplicate" "${ban_blocklist}" 2>/dev/null >"${tmp_raw}"
cat "${tmp_raw}" 2>/dev/null >"${ban_blocklist}" "${ban_catcmd}" "${tmp_raw}" 2>/dev/null >"${ban_blocklist}"
else else
"${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s\n",$1}' "${ban_blocklist}" | "${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s\n",$1}' "${ban_blocklist}" |
"${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{printf "%s,\n",tolower($1)}' >"${tmp_split}" "${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{printf "%s,\n",tolower($1)}' >"${tmp_split}"
@ -695,7 +720,8 @@ f_down() {
fi fi
} >"${tmp_nft}" } >"${tmp_nft}"
feed_rc="0" feed_rc="0"
# handle external downloads
# handle external feeds
# #
elif [ "${restore_rc}" != "0" ] && [ "${feed_url}" != "local" ]; then elif [ "${restore_rc}" != "0" ] && [ "${feed_url}" != "local" ]; then
# handle country downloads # handle country downloads
@ -704,7 +730,7 @@ f_down() {
for country in ${ban_country}; do for country in ${ban_country}; do
feed_log="$("${ban_fetchcmd}" ${ban_fetchparm} "${tmp_raw}" "${feed_url}${country}-aggregated.zone" 2>&1)" feed_log="$("${ban_fetchcmd}" ${ban_fetchparm} "${tmp_raw}" "${feed_url}${country}-aggregated.zone" 2>&1)"
feed_rc="${?}" feed_rc="${?}"
[ "${feed_rc}" = "0" ] && cat "${tmp_raw}" 2>/dev/null >>"${tmp_load}" [ "${feed_rc}" = "0" ] && "${ban_catcmd}" "${tmp_raw}" 2>/dev/null >>"${tmp_load}"
done done
rm -f "${tmp_raw}" rm -f "${tmp_raw}"
@ -714,7 +740,7 @@ f_down() {
for asn in ${ban_asn}; do for asn in ${ban_asn}; do
feed_log="$("${ban_fetchcmd}" ${ban_fetchparm} "${tmp_raw}" "${feed_url}AS${asn}" 2>&1)" feed_log="$("${ban_fetchcmd}" ${ban_fetchparm} "${tmp_raw}" "${feed_url}AS${asn}" 2>&1)"
feed_rc="${?}" feed_rc="${?}"
[ "${feed_rc}" = "0" ] && cat "${tmp_raw}" 2>/dev/null >>"${tmp_load}" [ "${feed_rc}" = "0" ] && "${ban_catcmd}" "${tmp_raw}" 2>/dev/null >>"${tmp_load}"
done done
rm -f "${tmp_raw}" rm -f "${tmp_raw}"
@ -726,7 +752,7 @@ f_down() {
feed_log="$("${ban_fetchcmd}" ${ban_fetchparm} "${tmp_raw}" "${feed_url}" 2>&1)" feed_log="$("${ban_fetchcmd}" ${ban_fetchparm} "${tmp_raw}" "${feed_url}" 2>&1)"
feed_rc="${?}" feed_rc="${?}"
if [ "${feed_rc}" = "0" ]; then if [ "${feed_rc}" = "0" ]; then
zcat "${tmp_raw}" 2>/dev/null >"${tmp_load}" "${ban_zcatcmd}" "${tmp_raw}" 2>/dev/null >"${tmp_load}"
feed_rc="${?}" feed_rc="${?}"
fi fi
rm -f "${tmp_raw}" rm -f "${tmp_raw}"
@ -740,6 +766,7 @@ f_down() {
feed_rc="${?}" feed_rc="${?}"
fi fi
fi fi
[ "${feed_rc}" != "0" ] && f_log "info" "download for feed '${feed}' failed (rc: ${feed_rc:-"-"}/log: ${feed_log})"
# backup/restore # backup/restore
# #
@ -782,7 +809,7 @@ f_down() {
# nft header (IPv4 Set) # nft header (IPv4 Set)
# #
printf "%s\n\n" "#!/usr/sbin/nft -f" printf "%s\n\n" "#!/usr/sbin/nft -f"
[ -s "${tmp_flush}" ] && cat "${tmp_flush}" [ -s "${tmp_flush}" ] && "${ban_catcmd}" "${tmp_flush}"
printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}.1") }" printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}.1") }"
# input and forward rules # input and forward rules
@ -796,7 +823,7 @@ f_down() {
# nft header (IPv6 Set) # nft header (IPv6 Set)
# #
printf "%s\n\n" "#!/usr/sbin/nft -f" printf "%s\n\n" "#!/usr/sbin/nft -f"
[ -s "${tmp_flush}" ] && cat "${tmp_flush}" [ -s "${tmp_flush}" ] && "${ban_catcmd}" "${tmp_flush}"
printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}.1") }" printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}.1") }"
# input and forward rules # input and forward rules
@ -825,7 +852,7 @@ f_down() {
rm -f "${split_file}" rm -f "${split_file}"
continue continue
fi fi
if ! "${ban_nftcmd}" add element inet banIP "${feed}" "{ $(cat "${split_file}") }" >/dev/null 2>&1; then if ! "${ban_nftcmd}" add element inet banIP "${feed}" "{ $("${ban_catcmd}" "${split_file}") }" >/dev/null 2>&1; then
f_log "info" "can't add split file '${split_file##*.}' to Set '${feed}'" f_log "info" "can't add split file '${split_file##*.}' to Set '${feed}'"
fi fi
rm -f "${split_file}" rm -f "${split_file}"
@ -864,7 +891,7 @@ f_restore() {
[ "${feed_rc}" != "0" ] && restore_rc="${feed_rc}" [ "${feed_rc}" != "0" ] && restore_rc="${feed_rc}"
[ "${feed_url}" = "local" ] && tmp_feed="${feed%v*}v4" || tmp_feed="${feed}" [ "${feed_url}" = "local" ] && tmp_feed="${feed%v*}v4" || tmp_feed="${feed}"
if [ -f "${ban_backupdir}/banIP.${tmp_feed}.gz" ]; then if [ -f "${ban_backupdir}/banIP.${tmp_feed}.gz" ]; then
zcat "${ban_backupdir}/banIP.${tmp_feed}.gz" 2>/dev/null >"${feed_file}" "${ban_zcatcmd}" "${ban_backupdir}/banIP.${tmp_feed}.gz" 2>/dev/null >"${feed_file}"
restore_rc="${?}" restore_rc="${?}"
fi fi
@ -1234,10 +1261,10 @@ f_report() {
# #
case "${output}" in case "${output}" in
"text") "text")
[ -s "${report_txt}" ] && cat "${report_txt}" [ -s "${report_txt}" ] && "${ban_catcmd}" "${report_txt}"
;; ;;
"json") "json")
[ -s "${report_jsn}" ] && cat "${report_jsn}" [ -s "${report_jsn}" ] && "${ban_catcmd}" "${report_jsn}"
;; ;;
"mail") "mail")
[ -n "${ban_mailreceiver}" ] && [ -x "${ban_mailcmd}" ] && f_mail [ -n "${ban_mailreceiver}" ] && [ -x "${ban_mailcmd}" ] && f_mail


@ -69,7 +69,7 @@
"url_6": "https://www.blocklist.de/downloads/export-ips_all.txt", "url_6": "https://www.blocklist.de/downloads/export-ips_all.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
"descr": "fail2ban IP blacklist" "descr": "fail2ban IP blocklist"
}, },
"doh":{ "doh":{
"url_4": "https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv4.txt", "url_4": "https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv4.txt",