Difuse/packages
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

banip: release 0.8.0 (nft rewrite)

Browse source 
- complete rewrite of banIP to support nftables
- all sets are handled in a separate nft table/namespace 'banIP'
- for incoming blocking it uses the inet input hook, for outgoing blocking it uses the inet forward hook
- full IPv4 and IPv6 support
- supports nft atomic set loading
- supports blocking by ASN numbers and by iso country codes
- 42 preconfigured external feeds are available, plus local allow- and blocklist
- supports local allow- and blocklist (IPv4, IPv6, CIDR notation or domain names)
- auto-add the uplink subnet to the local allowlist
- provides a small background log monitor to ban unsuccessful login attempts in real-time
- the logterms for the log monitor service can be freely defined via regex
- auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist
- fast feed processing as they are handled in parallel as background jobs
- per feed it can be defined whether the input chain or the forward chain should be blocked (default: both chains)
- automatic blocklist backup & restore, the backups will be used in case of download errors or during startup
- automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or wget
- supports a 'allowlist only' mode, this option restricts internet access from/to a small number of secure websites/IPs
- provides comprehensive runtime information
- provides a detailed set report
- provides a set search engine for certain IPs
- feed parsing by fast & flexible regex rulesets
- minimal status & error logging to syslog, enable debug logging to receive more output
- procd based init system support (start/stop/restart/reload/status/report/search)
- procd network interface trigger support
- ability to add new banIP feeds on your own
- add a readme with all available options/feeds to customize your installation to your needs
- a new LuCI frontend will be available in due course

Signed-off-by: Dirk Brenken <dev@brenken.org>
This commit is contained in:
Dirk Brenken 2023-02-13 17:56:57 +01:00
parent 33d32450b4
commit 82a491bac8
No known key found for this signature in database
GPG key ID: 9D71CD547BFAE684
17 changed files with 1966 additions and 2548 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

42
net/banip/Makefile
View file

@ -1,13 +1,14 @@
#
# Copyright (c) 2018-2021 Dirk Brenken (dev@brenken.org)
# banIP - ban incoming and outgoing ip adresses/subnets via sets in nftables
# Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3.
#
include $(TOPDIR)/rules.mk
PKG_NAME:=banip
PKG_VERSION:=0.7.10
PKG_RELEASE:=6
PKG_VERSION:=0.8.0
PKG_RELEASE:=1
PKG_LICENSE:=GPL-3.0-or-later
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
@ -16,23 +17,22 @@ include $(INCLUDE_DIR)/package.mk
define Package/banip
SECTION:=net
CATEGORY:=Network
TITLE:=Ban incoming and outgoing ip adresses via ipsets
DEPENDS:=+jshn +jsonfilter +ip +ipset +iptables +ca-bundle @BROKEN
TITLE:=banIP blocks IP addresses via named nftables sets
DEPENDS:=+jshn +jsonfilter +firewall4 +ca-bundle +logd +rpcd +rpcd-mod-rpcsys
PKGARCH:=all
endef
define Package/banip/description
Powerful banIP script to block ip addresses via ipsets.
The script supports many ip blacklist sites plus manual black- and whitelist overrides.
banIP blocks IP addresses via named nftables sets.
banIP supports many IP blocklist feeds and provides a log service to block suspicious IPs in realtime.
Please see https://github.com/openwrt/packages/blob/master/net/banip/files/README.md for further information.
endef
define Package/banip/conffiles
/etc/config/banip
/etc/banip/banip.maclist
/etc/banip/banip.blacklist
/etc/banip/banip.whitelist
/etc/banip/banip.allowlist
/etc/banip/banip.blocklist
endef
define Build/Prepare
@ -46,27 +46,23 @@ endef
define Package/banip/install
$(INSTALL_DIR) $(1)/usr/bin
$(INSTALL_BIN) ./files/banip.sh $(1)/usr/bin
$(INSTALL_BIN) ./files/banip-service.sh $(1)/usr/bin
$(INSTALL_DIR) $(1)/etc/init.d
$(INSTALL_BIN) ./files/banip.init $(1)/etc/init.d/banip
$(INSTALL_DIR) $(1)/usr/lib
$(INSTALL_CONF) ./files/banip-functions.sh $(1)/usr/lib
$(INSTALL_DIR) $(1)/etc/config
$(INSTALL_CONF) ./files/banip.conf $(1)/etc/config/banip
$(INSTALL_DIR) $(1)/etc/banip
$(INSTALL_BIN) ./files/banip.dns $(1)/etc/banip
$(INSTALL_BIN) ./files/banip.mail $(1)/etc/banip
$(INSTALL_BIN) ./files/banip.service $(1)/etc/banip
$(INSTALL_CONF) ./files/banip.maclist $(1)/etc/banip
$(INSTALL_CONF) ./files/banip.blacklist $(1)/etc/banip
$(INSTALL_CONF) ./files/banip.whitelist $(1)/etc/banip
$(INSTALL_CONF) ./files/banip.countries $(1)/etc/banip
$(INSTALL_CONF) ./files/banip.sources $(1)/etc/banip
gzip -9n $(1)/etc/banip/banip.sources
$(INSTALL_DIR) $(1)/etc/hotplug.d/firewall
$(INSTALL_DATA) ./files/banip.hotplug $(1)/etc/hotplug.d/firewall/30-banip
$(INSTALL_CONF) ./files/banip.tpl $(1)/etc/banip
$(INSTALL_CONF) ./files/banip.allowlist $(1)/etc/banip
$(INSTALL_CONF) ./files/banip.blocklist $(1)/etc/banip
$(INSTALL_CONF) ./files/banip.feeds $(1)/etc/banip
gzip -9n $(1)/etc/banip/banip.feeds
endef
$(eval $(call BuildPackage,banip))

552
net/banip/files/README.md
View file

@ -1,91 +1,103 @@
<!-- markdownlint-disable -->
# banIP - ban incoming and/or outgoing ip adresses via ipsets
# banIP - ban incoming and outgoing IP addresses/subnets via sets in nftables
## Description
IP address blocking is commonly used to protect against brute force attacks, prevent disruptive or unauthorized address(es) from access or it can be used to restrict access to or from a particular geographic area — for example.
IP address blocking is commonly used to protect against brute force attacks, prevent disruptive or unauthorized address(es) from access or it can be used to restrict access to or from a particular geographic area — for example. Further more banIP scans the log file via logread and bans IP addresses that make too many password failures, e.g. via ssh.
## Main Features
* Support of the following fully pre-configured domain blocklist sources (free for private usage, for commercial use please check their individual licenses)
* banIP supports the following fully pre-configured domain blocklist feeds (free for private usage, for commercial use please check their individual licenses).
**Please note:** the columns "INP" and "FWD" show for which chains the feeds are suitable in common scenarios, e.g. the first entry should be limited to forward chain - see the config options 'ban\_blockforward' and 'ban\_blockinput' below.
| Source | Focus | Information |
| :------------------ | :----------------------------: | :-------------------------------------------------------------------------------- |
| asn | ASN block | [Link](https://asn.ipinfo.app) |
| bogon | Bogon prefixes | [Link](https://team-cymru.com) |
| country | Country blocks | [Link](https://www.ipdeny.com/ipblocks) |
| darklist | blocks suspicious attacker IPs | [Link](https://darklist.de) |
| debl | Fail2ban IP blacklist | [Link](https://www.blocklist.de) |
| doh | Public DoH-Provider | [Link](https://github.com/dibdot/DoH-IP-blocklists) |
| drop | Spamhaus drop compilation | [Link](https://www.spamhaus.org) |
| dshield | Dshield IP blocklist | [Link](https://www.dshield.org) |
| edrop | Spamhaus edrop compilation | [Link](https://www.spamhaus.org) |
| feodo | Feodo Tracker | [Link](https://feodotracker.abuse.ch) |
| firehol1 | Firehol Level 1 compilation | [Link](https://iplists.firehol.org/?ipset=firehol_level1) |
| firehol2 | Firehol Level 2 compilation | [Link](https://iplists.firehol.org/?ipset=firehol_level2) |
| firehol3 | Firehol Level 3 compilation | [Link](https://iplists.firehol.org/?ipset=firehol_level3) |
| firehol4 | Firehol Level 4 compilation | [Link](https://iplists.firehol.org/?ipset=firehol_level4) |
| greensnow | blocks suspicious server IPs | [Link](https://greensnow.co) |
| iblockads | Advertising blocklist | [Link](https://www.iblocklist.com) |
| iblockspy | Malicious spyware blocklist | [Link](https://www.iblocklist.com) |
| myip | Myip Live IP blacklist | [Link](https://myip.ms) |
| nixspam | iX spam protection | [Link](http://www.nixspam.org) |
| proxy | Firehol list of open proxies | [Link](https://iplists.firehol.org/?ipset=proxylists) |
| ssbl | SSL botnet IP blacklist | [Link](https://sslbl.abuse.ch) |
| talos | Cisco Talos IP Blacklist | [Link](https://talosintelligence.com/reputation_center) |
| threat | Emerging Threats | [Link](https://rules.emergingthreats.net) |
| tor | Tor exit nodes | [Link](https://fissionrelays.net/lists) |
| uceprotect1 | Spam protection level 1 | [Link](http://www.uceprotect.net/en/index.php) |
| uceprotect2 | Spam protection level 2 | [Link](http://www.uceprotect.net/en/index.php) |
| voip | VoIP fraud blocklist | [Link](http://www.voipbl.org) |
| yoyo | Ad protection blacklist | [Link](https://pgl.yoyo.org/adservers/) |
| Feed | Focus | INP | FWD | Information |
| :------------------ | :----------------------------: | :-: | :-: | :-------------------------------------------------------------------- |
| adaway | adaway IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| adguard | adguard IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| adguardtrackers | adguardtracker IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| antipopads | antipopads IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| asn | ASN IPs | | x | [Link](https://asn.ipinfo.app) |
| backscatterer | backscatterer IPs | x | x | [Link](https://www.uceprotect.net/en/index.php) |
| bogon | bogon prefixes | x | x | [Link](https://team-cymru.com) |
| country | country blocks | x | | [Link](https://www.ipdeny.com/ipblocks) |
| cinsscore | suspicious attacker IPs | x | x | [Link](https://cinsscore.com/#list) |
| darklist | blocks suspicious attacker IPs | x | x | [Link](https://darklist.de) |
| debl | fail2ban IP blacklist | x | x | [Link](https://www.blocklist.de) |
| doh | public DoH-Provider | | x | [Link](https://github.com/dibdot/DoH-IP-blocklists) |
| drop | spamhaus drop compilation | x | x | [Link](https://www.spamhaus.org) |
| dshield | dshield IP blocklist | x | x | [Link](https://www.dshield.org) |
| edrop | spamhaus edrop compilation | x | x | [Link](https://www.spamhaus.org) |
| feodo | feodo tracker | x | x | [Link](https://feodotracker.abuse.ch) |
| firehol1 | firehol level 1 compilation | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_level1) |
| firehol2 | firehol level 2 compilation | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_level2) |
| firehol3 | firehol level 3 compilation | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_level3) |
| firehol4 | firehol level 4 compilation | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_level4) |
| greensnow | suspicious server IPs | x | x | [Link](https://greensnow.co) |
| iblockads | Advertising IPs | | x | [Link](https://www.iblocklist.com) |
| iblockspy | Malicious spyware IPs | x | x | [Link](https://www.iblocklist.com) |
| myip | real-time IP blocklist | x | x | [Link](https://myip.ms) |
| nixspam | iX spam protection | x | x | [Link](http://www.nixspam.org) |
| oisdnsfw | OISD-nsfw IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| oisdsmall | OISD-small IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| proxy | open proxies | x | | [Link](https://iplists.firehol.org/?ipset=proxylists) |
| ssbl | SSL botnet IPs | x | x | [Link](https://sslbl.abuse.ch) |
| stevenblack | stevenblack IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| talos | talos IPs | x | x | [Link](https://talosintelligence.com/reputation_center) |
| threat | emerging threats | x | x | [Link](https://rules.emergingthreats.net) |
| threatview | malicious IPs | x | x | [Link](https://threatview.io) |
| tor | tor exit nodes | x | | [Link](https://github.com/SecOps-Institute/Tor-IP-Addresses) |
| uceprotect1 | spam protection level 1 | x | x | [Link](http://www.uceprotect.net/en/index.php) |
| uceprotect2 | spam protection level 2 | x | x | [Link](http://www.uceprotect.net/en/index.php) |
| uceprotect3 | spam protection level 3 | x | x | [Link](http://www.uceprotect.net/en/index.php) |
| urlhaus | urlhaus IDS IPs | x | x | [Link](https://urlhaus.abuse.ch) |
| urlvir | malware related IPs | x | x | [Link](https://iplists.firehol.org/?ipset=urlvir) |
| webclient | malware related IPs | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_webclient) |
| voip | VoIP fraud blocklist | x | x | [Link](https://voipbl.org) |
| yoyo | yoyo IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
* zero-conf like automatic installation & setup, usually no manual changes needed
* automatically selects one of the following supported download utilities: aria2c, curl, uclient-fetch, wget
* fast downloads & list processing as they are handled in parallel as background jobs in a configurable 'Download Queue'
* all sets are handled in a separate nft table/namespace 'banIP'
* full IPv4 and IPv6 support
* ipsets (one per source) are used to ban a large number of IP addresses
* supports blocking by ASN numbers
* supports blocking by iso country codes
* supports local black- & whitelist (IPv4, IPv6, CIDR notation or domain names)
* auto-add unsuccessful LuCI, nginx or ssh login attempts via 'dropbear'/'sshd' to local blacklist
* auto-add the uplink subnet to local whitelist
* black- and whitelist also accept domain names as input to allow IP filtering based on these names
* supports a 'whitelist only' mode, this option allows to restrict Internet access from/to a small number of secure websites/IPs
* supports nft atomic set loading
* supports blocking by ASN numbers and by iso country codes
* supports local allow- and blocklist (IPv4, IPv6, CIDR notation or domain names)
* auto-add the uplink subnet to the local allowlist
* provides a small background log monitor to ban unsuccessful login attempts in real-time
* per source configuration of SRC (incoming) and DST (outgoing)
* integrated IPSet-Lookup
* integrated bgpview-Lookup
* blocklist source parsing by fast & flexible regex rulesets
* minimal status & error logging to syslog, enable debug logging to receive more output
* procd based init system support (start/stop/restart/reload/refresh/status)
* procd network interface trigger support
* automatic blocklist backup & restore, they will be used in case of download errors or during startup
* auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist
* fast feed processing as they are handled in parallel as background jobs
* per feed it can be defined whether the input chain or the forward chain should be blocked (default: both chains)
* automatic blocklist backup & restore, the backups will be used in case of download errors or during startup
* automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or wget
* supports a 'allowlist only' mode, this option restricts internet access from/to a small number of secure websites/IPs
* provides comprehensive runtime information
* provides a detailed IPSet Report
* provides a powerful query function to quickly find blocked IPs/CIDR in banIP related IPSets
* provides an easily configurable blocklist update scheduler called 'Refresh Timer'
* strong LuCI support
* optional: add new banIP sources on your own
* provides a detailed set report
* provides a set search engine for certain IPs
* feed parsing by fast & flexible regex rulesets
* minimal status & error logging to syslog, enable debug logging to receive more output
* procd based init system support (start/stop/restart/reload/status/report/search)
* procd network interface trigger support
* ability to add new banIP feeds on your own
## Prerequisites
* [OpenWrt](https://openwrt.org), tested with the stable release series (21.02.x) and with the latest rolling snapshot releases. On turris devices it has been successfully tested with TurrisOS 5.2.x
<b>Please note:</b> Ancient OpenWrt releases like 18.06.x or 17.01.x are _not_ supported!
<b>Please note:</b> Devices with less than 128 MByte RAM are _not_ supported!
<b>Please note:</b> If you're updating from former banIP 0.3x please manually remove your config (/etc/config/banip) before you start!
* A download utility with SSL support: 'wget', 'uclient-fetch' with one of the 'libustream-*' ssl libraries, 'aria2c' or 'curl' is required
* A certificate store like 'ca-bundle', as banIP checks the validity of the SSL certificates of all download sites by default
* Optional E-Mail notification support: for E-Mail notifications you need to install and setup the additional 'msmtp' package
* **[OpenWrt](https://openwrt.org)**, latest stable release or a snapshot with nft/firewall 4 support
* a download utility with SSL support: 'wget', 'uclient-fetch' with one of the 'libustream-*' SSL libraries, 'aria2c' or 'curl' is required
* a certificate store like 'ca-bundle', as banIP checks the validity of the SSL certificates of all download sites by default
* for E-Mail notifications you need to install and setup the additional 'msmtp' package
**Please note the following:**
* Devices with less than 256Mb of RAM are **_not_** supported
* Any previous installation of banIP must be uninstalled, and the /etc/banip folder and the /etc/config/banip configuration file must be deleted (they are recreated when this version is installed)
* There is no LuCI frontend at this time
## Installation & Usage
* Update your local opkg repository (_opkg update_)
* Install 'banip' (_opkg install banip_). The banIP service is disabled by default
* Install the LuCI companion package 'luci-app-banip' (_opkg install luci-app-banip_)
* It's strongly recommended to use the LuCI frontend to easily configure all aspects of banIP, the application is located in LuCI under the 'Services' menu
* update your local opkg repository (_opkg update_)
* install banIP (_opkg install banip_) - the banIP service is disabled by default
* edit the config file '/etc/config/banip' and enable the service (set ban\_enabled to '1'), then add pre-configured feeds via 'ban\_feed' (see the config options below)
* start the service with '/etc/init.d/banip start' and check check everything is working by running '/etc/init.d/banip status'
## banIP CLI
* All important banIP functions are accessible via CLI as well.
<pre><code>
~# /etc/init.d/banip
## banIP CLI interface
* All important banIP functions are accessible via CLI. A LuCI frontend will be available in due course.
```
~# /etc/init.d/banip
Syntax: /etc/init.d/banip [command]
Available commands:
@ -96,259 +108,151 @@ Available commands:
enable Enable service autostart
disable Disable service autostart
enabled Check if service is started on boot
refresh Refresh ipsets without new list downloads
suspend Suspend banIP processing
resume Resume banIP processing
query &lt;IP&gt; Query active banIP IPSets for a specific IP address
report [&lt;cli&gt;|&lt;mail&gt;|&lt;gen&gt;|&lt;json&gt;] Print banIP related IPset statistics
list [&lt;add&gt;|&lt;add_asn&gt;|&lt;add_country&gt;|&lt;remove>|&lt;remove_asn&gt;|&lt;remove_country&gt;] &lt;source(s)&gt; List/Edit available sources
timer [&lt;add&gt; &lt;tasks&gt; &lt;hour&gt; [&lt;minute&gt;] [&lt;weekday&gt;]]|[&lt;remove&gt; &lt;line no.&gt;] List/Edit cron update intervals
version Print version information
report [text|json|mail] Print banIP related set statistics
search [<IPv4 address>|<IPv6 address>] Check if an element exists in the banIP sets
running Check if service is running
status Service status
trace Start with syscall trace
</code></pre>
info Dump procd service info
```
## banIP config options
* Usually the auto pre-configured banIP setup works quite well and no manual overrides are needed
| Option | Type | Default | Description |
| :---------------------- | :----- | :---------------------------- | :------------------------------------------------------------------------------------ |
| ban_enabled | option | 0 | enable the banIP service |
| ban_nicelimit | option | 0 | ulimit nice level of the banIP service (range 0-19) |
| ban_filelimit | option | 1024 | ulimit max open/number of files (range 1024-4096) |
| ban_loglimit | option | 100 | the logread monitor scans only the last n lines of the logfile |
| ban_logcount | option | 1 | how many times the IP must appear in the log to be considered as suspicious |
| ban_logterm | list | regex | various regex for logfile parsing (default: dropbear, sshd, luci, nginx, asterisk) |
| ban_autodetect | option | 1 | auto-detect wan interfaces, devices and subnets |
| ban_debug | option | 0 | enable banIP related debug logging |
| ban_mail_enabled | option | 0 | enable the mail service |
| ban_monitor_enabled | option | 0 | enable the log monitor, e.g. to catch failed ssh/luci logins |
| ban_logsrc_enabled | option | 0 | enable the src-related logchain |
| ban_logdst_enabled | option | 0 | enable the dst-related logchain |
| ban_autoblacklist | option | 1 | add suspicious IPs automatically to the local blacklist |
| ban_autowhitelist | option | 1 | add wan IPs/subnets automatically to the local whitelist |
| ban_whitelistonly | option | 0 | allow to restrict Internet access from/to a small number of secure websites/IPs |
| ban_maxqueue | option | 4 | size of the download queue to handle downloads and processing in parallel |
| ban_reportdir | option | /tmp/banIP-Report | directory where banIP stores the report files |
| ban_backupdir | option | /tmp/banIP-Backup | directory where banIP stores the compressed backup files |
| ban_ifaces | list | - | list option to add logical wan interfaces manually |
| ban_sources | list | - | list option to add banIP sources |
| ban_countries | list | - | list option to add certain countries as an alpha-2 ISO code, e.g. 'de' for germany |
| ban_asns | list | - | list option to add certain ASNs (autonomous system number), e.g. '32934' for facebook |
| ban_chain | option | banIP | name of the root chain used by banIP |
| ban_global_settype | option | src+dst | global settype as default for all sources |
| ban_settype_src | list | - | special SRC settype for a certain sources |
| ban_settype_dst | list | - | special DST settype for a certain sources |
| ban_settype_all | list | - | special SRC+DST settype for a certain sources |
| ban_target_src | option | DROP | default src action (used by log chains as well) |
| ban_target_dst | option | REJECT | default dst action (used by log chains as well) |
| ban_lan_inputchains_4 | list | input_lan_rule | list option to add IPv4 lan input chains |
| ban_lan_inputchains_6 | list | input_lan_rule | list option to add IPv6 lan input chains |
| ban_lan_forwardchains_4 | list | forwarding_lan_rule | list option to add IPv4 lan forward chains |
| ban_lan_forwardchains_6 | list | forwarding_lan_rule | list option to add IPv6 lan forward chains |
| ban_wan_inputchains_4 | list | input_wan_rule | list option to add IPv4 wan input chains |
| ban_wan_inputchains_6 | list | input_wan_rule | list option to add IPv6 wan input chains |
| ban_wan_forwardchains_4 | list | forwarding_wan_rule | list option to add IPv4 wan forward chains |
| ban_wan_forwardchains_6 | list | forwarding_wan_rule | list option to add IPv6 wan forward chains |
| ban_fetchutil | option | -, auto-detected | 'uclient-fetch', 'wget', 'curl' or 'aria2c' |
| ban_fetchparm | option | -, auto-detected | manually override the config options for the selected download utility |
| ban_fetchinsecure | option | 0, disabled | don't check SSL server certificates during download |
| ban_loginput | option | 1 | log drops in the input chain |
| ban_logforward | option | 0 | log rejects in the forward chain |
| ban_autoallowlist | option | 1 | add wan IPs/subnets automatically to the local allowlist |
| ban_autoblocklist | option | 1 | add suspicious attacker IPs automatically to the local blocklist |
| ban_allowlistonly | option | 0 | restrict the internet access from/to a small number of secure websites/IPs |
| ban_reportdir | option | /tmp/banIP-report | directory where banIP stores the report files |
| ban_backupdir | option | /tmp/banIP-backup | directory where banIP stores the compressed backup files |
| ban_protov4 | option | - / autodetect | enable IPv4 support |
| ban_protov6 | option | - / autodetect | enable IPv4 support |
| ban_ifv4 | list | - / autodetect | logical wan IPv4 interfaces, e.g. 'wan' |
| ban_ifv6 | list | - / autodetect | logical wan IPv6 interfaces, e.g. 'wan6' |
| ban_dev | list | - / autodetect | wan device(s), e.g. 'eth2' |
| ban_trigger | list | - | logical startup trigger interface(s), e.g. 'wan' |
| ban_triggerdelay | option | 10 | trigger timeout before banIP processing begins |
| ban_deduplicate | option | 1 | deduplicate IP addresses across all active sets |
| ban_splitsize | option | 0 | split ext. sets after every n lines/members (saves RAM) |
| ban_cores | option | - / autodetect | limit the cpu cores used by banIP (saves RAM) |
| ban_nftexpiry | option | - | expiry time for auto added blocklist members, e.g. '5m', '2h' or '1d' |
| ban_nftpriority | option | -200 | nft banIP table priority (default is the prerouting table priority) |
| ban_feed | list | - | external download feeds, e.g. 'yoyo', 'doh', 'country' or 'talos' (see feed table) |
| ban_asn | list | - | ASNs for the 'asn' feed, e.g.'32934' |
| ban_country | list | - | country iso codes for the 'country' feed, e.g. 'ru' |
| ban_blockinput | list | - | limit a feed to the input chain, e.g. 'country' |
| ban_blockforward | list | - | limit a feed to the forward chain, e.g. 'doh' |
| ban_fetchcmd | option | - / autodetect | 'uclient-fetch', 'wget', 'curl' or 'aria2c' |
| ban_fetchparm | option | - / autodetect | set the config options for the selected download utility |
| ban_fetchinsecure | option | 0 | don't check SSL server certificates during download |
| ban_mailreceiver | option | - | receiver address for banIP related notification E-Mails |
| ban_mailsender | option | no-reply@banIP | sender address for banIP related notification E-Mails |
| ban_mailtopic | option | banIP notification | topic for banIP related notification E-Mails |
| ban_mailprofile | option | ban_notify | mail profile used in 'msmtp' for banIP related notification E-Mails |
| ban_srcarc | option | /etc/banip/banip.sources.gz | full path to the compressed source archive file used by banIP |
| ban_localsources | list | maclist, whitelist, blacklist | limit the selection to certain local sources |
| ban_extrasources | list | - | add additional, non-banIP related IPSets e.g. for reporting or queries |
| ban_maclist_timeout | option | - | individual maclist IPSet timeout |
| ban_whitelist_timeout | option | - | individual whitelist IPSet timeout |
| ban_blacklist_timeout | option | - | individual blacklist IPSet timeout |
| ban_logterms | list | dropbear, sshd, luci, nginx | limit the log monitor to certain log terms |
| ban_loglimit | option | 100 | parse only the last stated number of log entries for suspicious events |
| ban_ssh_logcount | option | 3 | number of the failed ssh login repetitions of the same ip in the log before banning |
| ban_luci_logcount | option | 3 | number of the failed luci login repetitions of the same ip in the log before banning |
| ban_nginx_logcount | option | 5 | number of the failed nginx requests of the same ip in the log before banning |
## Examples
**list/edit banIP sources:**
<pre><code>
~# /etc/init.d/banip list
::: Available banIP sources
:::
Name Enabled Focus Info URL
---------------------------------------------------------------------------
+ asn ASN blocks https://asn.ipinfo.app
+ bogon Bogon prefixes https://team-cymru.com
+ country x Country blocks https://www.ipdeny.com/ipblocks
+ darklist x Blocks suspicious attacker IPs https://darklist.de
+ debl x Fail2ban IP blacklist https://www.blocklist.de
+ doh x Public DoH-Provider https://github.com/dibdot/DoH-IP-blocklists
+ drop x Spamhaus drop compilation https://www.spamhaus.org
+ dshield x Dshield IP blocklist https://www.dshield.org
+ edrop Spamhaus edrop compilation https://www.spamhaus.org
+ feodo x Feodo Tracker https://feodotracker.abuse.ch
+ firehol1 x Firehol Level 1 compilation https://iplists.firehol.org/?ipset=firehol_level1
+ firehol2 Firehol Level 2 compilation https://iplists.firehol.org/?ipset=firehol_level2
+ firehol3 Firehol Level 3 compilation https://iplists.firehol.org/?ipset=firehol_level3
+ firehol4 Firehol Level 4 compilation https://iplists.firehol.org/?ipset=firehol_level4
+ greensnow x Blocks suspicious server IPs https://greensnow.co
+ iblockads Advertising blocklist https://www.iblocklist.com
+ iblockspy x Malicious spyware blocklist https://www.iblocklist.com
+ myip Myip Live IP blacklist https://myip.ms
+ nixspam x iX spam protection http://www.nixspam.org
+ proxy Firehol list of open proxies https://iplists.firehol.org/?ipset=proxylists
+ sslbl x SSL botnet IP blacklist https://sslbl.abuse.ch
+ talos x Cisco Talos IP Blacklist https://talosintelligence.com/reputation_center
+ threat x Emerging Threats https://rules.emergingthreats.net
+ tor x Tor exit nodes https://fissionrelays.net/lists
+ uceprotect1 x Spam protection level 1 http://www.uceprotect.net/en/index.php
+ uceprotect2 Spam protection level 2 http://www.uceprotect.net/en/index.php
+ voip x VoIP fraud blocklist http://www.voipbl.org
+ yoyo x Ad protection blacklist https://pgl.yoyo.org/adservers/
---------------------------------------------------------------------------
* Configured ASNs: -
* Configured Countries: af, bd, br, cn, hk, hu, id, il, in, iq, ir, kp, kr, no, pk, pl, ro, ru, sa, th, tr, ua, gb
</code></pre>
**receive banIP runtime information:**
<pre><code>
~# /etc/init.d/banip status
::: banIP runtime information
+ status : enabled
+ version : 0.7.7
+ ipset_info : 2 IPSets with 30 IPs/Prefixes
+ active_sources : whitelist
+ active_devs : wlan0
+ active_ifaces : trm_wwan, trm_wwan6
+ active_logterms : dropbear, sshd, luci, nginx
+ active_subnets : xxx.xxx.xxx.xxx/24, xxxx:xxxx:xxxx:xx::xxx/128
+ run_infos : settype: src+dst, backup_dir: /tmp/banIP-Backup, report_dir: /tmp/banIP-Report
+ run_flags : protocols (4/6): ✔/✔, log (src/dst): ✔/✘, monitor: ✔, mail: ✘, whitelist only: ✔
+ last_run : restart, 0m 3s, 122/30/14, 21.04.2021 20:14:36
+ system : TP-Link RE650 v1, OpenWrt SNAPSHOT r16574-f7e00d81bc
</code></pre>
**black-/whitelist handling:**
banIP supports a local black & whitelist (IPv4, IPv6, CIDR notation or domain names), located by default in /etc/banip/banip.whitelist and /etc/banip/banip.blacklist.
Unsuccessful LuCI logins, suspicious nginx request or ssh login attempts via 'dropbear'/'sshd' could be tracked and automatically added to the local blacklist (see the 'ban_autoblacklist' option). Furthermore the uplink subnet could be automatically added to local whitelist (see 'ban_autowhitelist' option). The list behaviour could be further tweaked with different timeout and counter options (see the config options section above).
Last but not least, both lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be resolved in a detached background process and added to the IPsets. The detached name lookup takes place only during 'restart' or 'reload' action, 'start' and 'refresh' actions are using an auto-generated backup instead.
**whitelist-only mode:**
banIP supports a "whitelist only" mode. This option allows to restrict the internet access from/to a small number of secure websites/IPs, and block access from/to the rest of the internet. All IPs and Domains which are _not_ listed in the whitelist are blocked. Please note: suspend/resume does not work in this mode.
**Manually override the download options:**
By default banIP uses the following pre-configured download options:
* aria2c: <code>--timeout=20 --allow-overwrite=true --auto-file-renaming=false --log-level=warn --dir=/ -o</code>
* curl: <code>--connect-timeout 20 --silent --show-error --location -o</code>
* uclient-fetch: <code>--timeout=20 -O</code>
* wget: <code>--no-cache --no-cookies --max-redirect=0 --timeout=20 -O</code>
| ban_resolver | option | - | external resolver used for DNS lookups |
| ban_feedarchive | option | /etc/banip/banip.feeds.gz | full path to the compressed feed archive file used by banIP |
To override the default set 'ban_fetchparm' manually to your needs.
**generate an IPSet report:**
<pre><code>
## Examples
**banIP report information**
```
~# /etc/init.d/banip report
:::
::: report on all banIP related IPSets
::: banIP Set Statistics
:::
+ Report timestamp ::: 04.02.2021 06:24:41
+ Number of all IPSets ::: 24
+ Number of all entries ::: 302448
+ Number of IP entries ::: 224748
+ Number of CIDR entries ::: 77700
+ Number of MAC entries ::: 0
+ Number of accessed entries ::: 36
Timestamp: 2023-02-08 22:12:40
------------------------------
auto-added to allowlist: 1
auto-added to blocklist: 0
Set | Set Elements | Chain Input | Chain Forward | Input Packets | Forward Packets
---------------------+---------------+---------------+---------------+---------------+----------------
allowlistvMAC | 0 | n/a | OK | n/a | 0
allowlistv4 | 1 | OK | OK | 0 | 0
allowlistv6 | 0 | OK | OK | 0 | 0
blocklistvMAC | 0 | n/a | OK | n/a | 0
blocklistv4 | 0 | OK | OK | 0 | 0
blocklistv6 | 0 | OK | OK | 0 | 0
dohv4 | 542 | n/a | OK | n/a | 22
adguardv4 | 23007 | n/a | OK | n/a | 18
yoyov4 | 1936 | n/a | OK | n/a | 1
oisdbasicv4 | 26000 | n/a | OK | n/a | 325
---------------------+---------------+---------------+---------------+---------------+----------------
10 | 51486 | 4 | 10 | 0 | 366
```
**banIP runtime information**
```
~# etc/init.d/banip status
::: banIP runtime information
+ status : active
+ version : 0.8.0
+ element_count : 51486
+ active_feeds : allowlistvMAC, allowlistv4, allowlistv6, blocklistvMAC, blocklistv4, blocklistv6, dohv4, adguardv4
, yoyov4, oisdbasicv4
+ active_devices : eth2
+ active_interfaces : wan
+ active_subnets : 192.168.98.107/24
+ run_info : base_dir: /tmp, backup_dir: /tmp/banIP-backup, report_dir: /tmp/banIP-report, feed_archive: /etc/b
anip/banip.feeds.gz
+ run_flags : protocol (4/6): ✔/✘, log (inp/fwd): ✔/✘, deduplicate: ✔, split: ✘, allowed only: ✘
+ last_run : action: start, duration: 0m 15s, date: 2023-02-08 22:12:46
+ system_info : cores: 2, memory: 3614, device: PC Engines apu1, OpenWrt SNAPSHOT r21997-b5193291bd
```
**banIP search information**
```
~# /etc/init.d/banip search 221.228.105.173
:::
::: IPSet details
::: banIP Search
:::
Name Type Count Cnt_IP Cnt_CIDR Cnt_MAC Cnt_ACC Entry details (Entry/Count)
--------------------------------------------------------------------------------------------------------------------
whitelist_4 src+dst 1 0 1 0 1
xxx.xxxx.xxx.xxxx/24 85
--------------------------------------------------------------------------------------------------------------------
whitelist_6 src+dst 2 0 2 0 1
xxxx:xxxx:xxxx::/64 29
--------------------------------------------------------------------------------------------------------------------
blacklist_4 src+dst 513 513 0 0 2
192.35.168.16 3
80.82.65.74 1
--------------------------------------------------------------------------------------------------------------------
blacklist_6 src+dst 1 1 0 0 0
--------------------------------------------------------------------------------------------------------------------
country_4 src 52150 0 52150 0 23
124.5.0.0/16 1
95.188.0.0/14 1
121.16.0.0/12 1
46.161.0.0/18 1
42.56.0.0/14 1
113.64.0.0/10 1
113.252.0.0/14 1
5.201.128.0/17 1
125.64.0.0/11 1
90.188.0.0/15 1
60.0.0.0/11 1
78.160.0.0/11 1
1.80.0.0/12 1
183.184.0.0/13 1
175.24.0.0/14 1
119.176.0.0/12 1
59.88.0.0/13 1
103.78.12.0/22 1
123.128.0.0/13 1
116.224.0.0/12 1
42.224.0.0/12 1
82.80.0.0/15 1
14.32.0.0/11 1
--------------------------------------------------------------------------------------------------------------------
country_6 src 20099 0 20099 0 0
--------------------------------------------------------------------------------------------------------------------
debl_4 src+dst 29389 29389 0 0 1
5.182.210.16 4
--------------------------------------------------------------------------------------------------------------------
debl_6 src+dst 64 64 0 0 0
--------------------------------------------------------------------------------------------------------------------
doh_4 src+dst 168 168 0 0 0
--------------------------------------------------------------------------------------------------------------------
doh_6 src+dst 122 122 0 0 0
--------------------------------------------------------------------------------------------------------------------
drop_4 src+dst 965 0 965 0 0
--------------------------------------------------------------------------------------------------------------------
drop_6 src+dst 36 0 36 0 0
--------------------------------------------------------------------------------------------------------------------
dshield_4 src+dst 20 0 20 0 1
89.248.165.0/24 1
--------------------------------------------------------------------------------------------------------------------
feodo_4 src+dst 325 325 0 0 0
--------------------------------------------------------------------------------------------------------------------
firehol1_4 src+dst 2763 403 2360 0 0
--------------------------------------------------------------------------------------------------------------------
iblockspy_4 src+dst 3650 2832 818 0 0
--------------------------------------------------------------------------------------------------------------------
nixspam_4 src+dst 9577 9577 0 0 0
--------------------------------------------------------------------------------------------------------------------
sslbl_4 src+dst 104 104 0 0 0
--------------------------------------------------------------------------------------------------------------------
threat_4 src+dst 1300 315 985 0 0
--------------------------------------------------------------------------------------------------------------------
tor_4 src+dst 1437 1437 0 0 0
--------------------------------------------------------------------------------------------------------------------
tor_6 src+dst 478 478 0 0 0
--------------------------------------------------------------------------------------------------------------------
uceprotect1_4 src+dst 156249 156249 0 0 6
192.241.220.137 1
128.14.137.178 1
61.219.11.153 1
138.34.32.33 1
107.174.133.130 2
180.232.99.46 1
--------------------------------------------------------------------------------------------------------------------
voip_4 src+dst 12563 12299 264 0 0
--------------------------------------------------------------------------------------------------------------------
yoyo_4 src+dst 10472 10472 0 0 1
204.79.197.200 2
--------------------------------------------------------------------------------------------------------------------
</code></pre>
**Enable E-Mail notification via 'msmtp':**
To use the email notification you have to install & configure the package 'msmtp'.
Looking for IP 221.228.105.173 on 2023-02-08 22:12:48
---
IP found in set oisdbasicv4
```
**allow-/blocklist handling**
banIP supports local allow and block lists (IPv4, IPv6, CIDR notation or domain names), located in /etc/banip/banip.allowlist and /etc/banip/banip.blocklist.
Unsuccessful login attempts or suspicious requests will be tracked and added to the local blocklist (see the 'ban\_autoblocklist' option). The blocklist behaviour can be further tweaked with the 'ban\_nftexpiry' option.
Furthermore the uplink subnet will be added to local allowlist (see 'ban\_autowallowlist' option).
Both lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be extracted in a detached background process and added to the sets.
**allowlist-only mode**
banIP supports an "allowlist only" mode. This option restricts the internet access from/to a small number of secure websites/IPs, and block access from/to the rest of the internet. All IPs and Domains which are _not_ listed in the allowlist are blocked.
**redirect Asterisk security logs to lodg/logread**
banIP only supports logfile scanning via logread, so to monitor attacks on Asterisk, its security log must be available via logread. To do this, edit '/etc/asterisk/logger.conf' and add the line 'syslog.local0 = security', then run 'asterisk -rx reload logger' to update the running Asterisk configuration.
**tweaks for low memory systems**
nftables supports the atomic loading of rules/sets/members, which is cool but unfortunately is also very memory intensive. To reduce the memory pressure on low memory systems (i.e. those with 256-512Mb RAM), you should optimize your configuration with the following options:
* point 'ban_reportdir' and 'ban_backupdir' to an external usb drive
* set 'ban_cores' to '1' (only useful on a multicore system) to force sequential feed processing
* set 'ban_splitsize' e.g. to '1000' to split the load of an external set after every 1000 lines/members
**tweak the download options**
By default banIP uses the following pre-configured download options:
```
* aria2c: --timeout=20 --allow-overwrite=true --auto-file-renaming=false --log-level=warn --dir=/ -o
* curl: --connect-timeout 20 --silent --show-error --location -o
* uclient-fetch: --timeout=20 -O
* wget: --no-cache --no-cookies --max-redirect=0 --timeout=20 -O
```
To override the default set 'ban_fetchparm' manually to your needs.
**send E-Mail notifications via 'msmtp'**
To use the email notification you must install & configure the package 'msmtp'.
Modify the file '/etc/msmtprc', e.g.:
<pre><code>
```
[...]
defaults
auth on
@ -360,39 +264,37 @@ syslog LOG_MAIL
account ban_notify
host smtp.gmail.com
port 587
from &lt;address&gt;@gmail.com
user &lt;gmail-user&gt;
password &lt;password&gt;
</code></pre>
Finally enable E-Mail support and add a valid E-Mail receiver address in LuCI.
**Edit, add new banIP sources:**
The banIP blocklist sources are stored in an external, compressed JSON file '/etc/banip/banip.sources.gz'.
This file is directly parsed in LuCI and accessible via CLI, just call _/etc/init.d/banip list_.
from <address>@gmail.com
user <gmail-user>
password <password>
```
Finally add a valid E-Mail receiver address.
To add new or edit existing sources extract the compressed JSON file _gunzip /etc/banip/banip.sources.gz_.
**add new banIP feeds**
The banIP blocklist feeds are stored in an external, compressed JSON file '/etc/banip/banip.feeds.gz'.
To add a new or edit an existing feed extract the compressed JSON file _gunzip /etc/banip/banip.feeds.gz_.
A valid JSON source object contains the following required information, e.g.:
<pre><code>
```
[...]
"tor": {
"url_4": "https://lists.fissionrelays.net/tor/exits-ipv4.txt",
"url_6": "https://lists.fissionrelays.net/tor/exits-ipv6.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add tor_4 \"$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print \"add tor_6 \"$1}",
"focus": "Tor exit nodes",
"descurl": "https://fissionrelays.net/lists"
"url_4": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst",
"url_6": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
"focus": "tor exit nodes",
"descurl": "https://github.com/SecOps-Institute/Tor-IP-Addresses"
},
[...]
</code></pre>
Add an unique object name, make the required changes to 'url_4', 'rule_4' (and/or 'url_6', 'rule_6'), 'focus' and 'descurl' and finally compress the changed JSON file _gzip /etc/banip/banip.sources.gz_ to use the new source object in banIP.
<b>Please note:</b> if you're going to add new sources on your own, please make a copy of the default file and work with that copy further on, cause the default will be overwritten with every banIP update. To reference your copy set the option 'ban\_srcarc' which points by default to '/etc/banip/banip.sources.gz'
```
Add an unique object name, make the required changes and compress the changed JSON file finally with _gzip /etc/banip/banip.feeds_ to use the new feed file in banIP.
**Please note:** if you're going to add new feeds, **always** work with a copy of the default file; this file is always overwritten with every banIP update. To reference your own file set the option 'ban\_feedarchive' accordingly
## Support
Please join the banIP discussion in this [forum thread](https://forum.openwrt.org/t/banip-support-thread/16985) or contact me by mail <dev@brenken.org>
Please join the banIP discussion in this [forum thread](https://forum.openwrt.org/t/banip-support-thread/16985) or contact me by mail <dev@brenken.org>
## Removal
* stop all banIP related services with _/etc/init.d/banip stop_
* optional: remove the banip package (_opkg remove banip_)
Have fun!
Dirk
Dirk

1159
net/banip/files/banip-functions.sh Normal file
View file

File diff suppressed because it is too large Load diff

193
net/banip/files/banip-service.sh Executable file
View file

@ -0,0 +1,193 @@
#!/bin/sh
# banIP main service script - ban incoming and outgoing ip adresses/subnets via sets in nftables
# Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3.
# (s)hellcheck exceptions
# shellcheck disable=all
ban_action="${1}"
ban_starttime="$(date "+%s")"
ban_funlib="/usr/lib/banip-functions.sh"
[ -z "$(command -v "f_system")" ] && . "${ban_funlib}"
# load config and set banIP environment
#
f_conf
f_log "info" "start banIP processing (${ban_action})"
f_genstatus "processing"
f_tmp
f_fetch
f_getif
f_getdev
f_getsub
f_mkdir "${ban_backupdir}"
f_mkfile "${ban_blocklist}"
f_mkfile "${ban_allowlist}"
# firewall check
#
if [ "${ban_action}" != "reload" ]; then
if [ -x "${ban_fw4cmd}" ]; then
cnt=0
while [ "${cnt}" -lt "10" ] && ! /etc/init.d/firewall status | grep -q "^active"; do
cnt="$((cnt + 1))"
sleep 1
done
if ! /etc/init.d/firewall status | grep -q "^active"; then
f_log "err" "nft based firewall/fw4 not functional"
fi
else
f_log "err" "nft based firewall/fw4 not found"
fi
fi
# init nft namespace
#
if [ "${ban_action}" != "reload" ] || ! "${ban_nftcmd}" -t list table inet banIP >/dev/null 2>&1; then
if f_nftinit "${ban_tmpfile}".init.nft; then
f_log "info" "nft namespace initialized"
else
f_log "err" "nft namespace can't be initialized"
fi
fi
# handle downloads
#
f_log "info" "start banIP download processes"
if [ "${ban_allowlistonly}" = "1" ]; then
ban_feed=""
else
json_init
if ! json_load_file "${ban_basedir}/ban_feeds.json" >/dev/null 2>&1; then
f_log "err" "banIP feed file can't be loaded"
fi
[ "${ban_deduplicate}" = "1" ] && printf "\n" >"${ban_tmpfile}.deduplicate"
fi
cnt="1"
for feed in allowlist ${ban_feed} blocklist; do
# local feeds
#
if [ "${feed}" = "allowlist" ] || [ "${feed}" = "blocklist" ]; then
for proto in MAC 4 6; do
[ "${feed}" = "blocklist" ] && wait
(f_down "${feed}" "${proto}") &
[ "${feed}" = "blocklist" ] || { [ "${feed}" = "allowlist" ] && [ "${proto}" = "MAC" ]; } && wait
hold="$((cnt % ban_cores))"
[ "${hold}" = "0" ] && wait
cnt="$((cnt + 1))"
done
wait
continue
fi
# read external feed information
#
if ! json_select "${feed}" >/dev/null 2>&1; then
continue
fi
json_objects="url_4 rule_4 url_6 rule_6 flag"
for object in ${json_objects}; do
eval json_get_var feed_"${object}" '${object}' >/dev/null 2>&1
done
json_select ..
# handle IPv4/IPv6 feeds with the same/single download URL
#
if [ "${feed_url_4}" = "${feed_url_6}" ]; then
if [ "${ban_protov4}" = "1" ] && [ -n "${feed_url_4}" ] && [ -n "${feed_rule_4}" ]; then
(f_down "${feed}" "4" "${feed_url_4}" "${feed_rule_4}" "${feed_flag}") &
feed_url_6="local"
wait
fi
if [ "${ban_protov6}" = "1" ] && [ -n "${feed_url_6}" ] && [ -n "${feed_rule_6}" ]; then
(f_down "${feed}" "6" "${feed_url_6}" "${feed_rule_6}" "${feed_flag}") &
hold="$((cnt % ban_cores))"
[ "${hold}" = "0" ] && wait
cnt="$((cnt + 1))"
fi
continue
fi
# handle IPv4/IPv6 feeds with separated download URLs
#
if [ "${ban_protov4}" = "1" ] && [ -n "${feed_url_4}" ] && [ -n "${feed_rule_4}" ]; then
(f_down "${feed}" "4" "${feed_url_4}" "${feed_rule_4}" "${feed_flag}") &
hold="$((cnt % ban_cores))"
[ "${hold}" = "0" ] && wait
cnt="$((cnt + 1))"
fi
if [ "${ban_protov6}" = "1" ] && [ -n "${feed_url_6}" ] && [ -n "${feed_rule_6}" ]; then
(f_down "${feed}" "6" "${feed_url_6}" "${feed_rule_6}" "${feed_flag}") &
hold="$((cnt % ban_cores))"
[ "${hold}" = "0" ] && wait
cnt="$((cnt + 1))"
fi
done
wait
# start domain lookup
#
f_log "info" "start detached banIP domain lookup"
(f_lookup "allowlist") &
hold="$((cnt % ban_cores))"
[ "${hold}" = "0" ] && wait
(f_lookup "blocklist") &
# tidy up
#
f_rmset
f_rmdir "${ban_tmpdir}"
f_genstatus "active"
f_log "info" "finished banIP download processes"
rm -rf "${ban_lock}"
# start log service
#
if [ -x "${ban_logreadcmd}" ] && [ -n "${ban_logterm%%??}" ]; then
f_log "info" "start detached banIP log service"
nft_expiry="$(printf "%s" "${ban_nftexpiry}" | grep -oE "([0-9]+[h|m|s]$)")"
[ -n "${nft_expiry}" ] && nft_expiry="timeout ${nft_expiry}"
# read log continuously with given logterms
#
"${ban_logreadcmd}" -fe "${ban_logterm%%??}" 2>/dev/null |
while read -r line; do
# IPv4 log parsing
#
ip="$(printf "%s" "${line}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9]{1,3}\\.){3}[0-9]{1,3})+"}{if(!seen[RT]++)printf "%s ",RT}')"
ip="$(f_trim "${ip}")"
ip="${ip##* }"
[ -n "${ip}" ] && proto="v4"
if [ -z "${proto}" ]; then
# IPv6 log parsing
#
ip="$(printf "%s" "${line}" | "${ban_awkcmd}" 'BEGIN{RS="([A-Fa-f0-9]{1,4}::?){3,7}[A-Fa-f0-9]{1,4}"}{if(!seen[RT]++)printf "%s ",RT}')"
ip="$(f_trim "${ip}")"
ip="${ip##* }"
[ -n "${ip}" ] && proto="v6"
fi
if [ -n "${proto}" ] && ! "${ban_nftcmd}" get element inet banIP blocklist"${proto}" "{ ${ip} }" >/dev/null 2>&1; then
f_log "info" "suspicious IP found '${ip}'"
log_raw="$("${ban_logreadcmd}" -l "${ban_loglimit}" 2>/dev/null)"
log_count="$(printf "%s\n" "${log_raw}" | grep -c "found '${ip}'")"
if [ "${log_count}" -ge "${ban_logcount}" ]; then
if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" "{ ${ip} ${nft_expiry} }" >/dev/null 2>&1; then
f_log "info" "added IP '${ip}' (${nft_expiry:-"-"}) to blocklist${proto} set"
if [ "${ban_autoblocklist}" = "1" ] && ! grep -q "^${ip}" "${ban_blocklist}"; then
printf "%-42s%s\n" "${ip}" "# added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_blocklist}"
f_log "info" "added IP '${ip}' to local blocklist"
fi
fi
fi
fi
done
# start no-op service loop
#
else
f_log "info" "start detached no-op banIP service (logterms are missing)"
while :; do
sleep 1
done
fi

0
net/banip/files/banip.blacklist → net/banip/files/banip.allowlist
View file

0
net/banip/files/banip.maclist → net/banip/files/banip.blocklist
View file

17
net/banip/files/banip.conf
View file

@ -1,16 +1,9 @@
config banip 'global'
option ban_enabled '0'
option ban_debug '0'
option ban_mail_enabled '0'
option ban_monitor_enabled '0'
option ban_logsrc_enabled '0'
option ban_logdst_enabled '0'
option ban_autodetect '1'
option ban_autoblacklist '1'
option ban_autowhitelist '1'
option ban_nice '0'
option ban_maxqueue '4'
option ban_global_settype 'src+dst'
option ban_target_src 'DROP'
option ban_target_dst 'REJECT'
option ban_loglimit '100'
list ban_logterm 'Exit before auth from'
list ban_logterm 'luci: failed login'
list ban_logterm 'error: maximum authentication attempts exceeded'
list ban_logterm 'sshd.*Connection closed by.*\[preauth\]'
list ban_logterm 'SecurityEvent=\"ChallengeResponseFailed\".*RemoteAddress='

64
net/banip/files/banip.dns
View file

@ -1,64 +0,0 @@
#!/bin/sh
# helper script to resolve domains for adding to banIP-related IPSets
# Copyright (c) 2020-2021 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3.
# (s)hellcheck exceptions
# shellcheck disable=1091,3040
export LC_ALL=C
export PATH="/usr/sbin:/usr/bin:/sbin:/bin"
set -o pipefail
. "/lib/functions.sh"
ban_src_name="${1}"
ban_src_file="${2}"
ban_tmpbase="$(uci_get banip global ban_tmpbase "/tmp")"
ban_backupdir="$(uci_get banip global ban_backupdir "${ban_tmpbase}/banIP-Backup")"
ban_proto4_enabled="$(uci_get banip global ban_proto4_enabled "0")"
ban_proto6_enabled="$(uci_get banip global ban_proto6_enabled "0")"
ban_ipset_cmd="$(command -v ipset)"
ban_lookup_cmd="$(command -v nslookup)"
ban_logger_cmd="$(command -v logger)"
ban_cnt_err="0"
ban_message=""
rm -f "${ban_backupdir}/banIP.${ban_src_name}_addon_4" "${ban_backupdir}/banIP.${ban_src_name}_addon_6"
while read -r domain; do
result="$(
"${ban_lookup_cmd}" "${domain}" 2>/dev/null
printf "%s" "${?}"
)"
if [ "$(printf "%s" "${result}" | tail -1)" = "0" ]; then
ips="$(printf "%s" "${result}" | awk '/^Address[ 0-9]*: /{ORS=" ";print $NF}')"
for ip in ${ips}; do
for proto in "4" "6"; do
if { [ "${proto}" = "4" ] && [ "${ban_proto4_enabled}" = "1" ] && [ -n "$("${ban_ipset_cmd}" -q -n list "${ban_src_name}_${proto}")" ] &&
[ -n "$(printf "%s" "${ip}" | awk '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print $1}')" ]; } ||
{ [ "${proto}" = "6" ] && [ "${ban_proto6_enabled}" = "1" ] && [ -n "$("${ban_ipset_cmd}" -q -n list "${ban_src_name}_${proto}")" ] &&
[ -n "$(printf "%s" "${ip}" | awk '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print $1}')" ]; }; then
printf "%s\n" "add ${ban_src_name}_${proto} ${ip}" >>"${ban_backupdir}/banIP.${ban_src_name}_addon_${proto}"
fi
done
done
[ -n "${ips}" ] && "${ban_logger_cmd}" -p "debug" -t "banIP-resolve [${$}]" "added IPs of '${domain}' to ${ban_src_name} (${ips})" 2>/dev/null
else
ban_cnt_err=$((ban_cnt_err + 1))
fi
done <"${ban_src_file}"
for proto in "4" "6"; do
if { { [ "${proto}" = "4" ] && [ "${ban_proto4_enabled}" = "1" ]; } || { [ "${proto}" = "6" ] && [ "${ban_proto6_enabled}" = "1" ]; }; } &&
[ ! -s "${ban_backupdir}/banIP.${ban_src_name}_addon_${proto}" ] && [ -s "${ban_backupdir}/banIP.${ban_src_name}_addon_${proto}.gz" ]; then
gzip -df "${ban_backupdir}/banIP.${ban_src_name}_addon_${proto}.gz" 2>/dev/null
"${ban_ipset_cmd}" -q -! restore <"${ban_backupdir}/banIP.${ban_src_name}_addon_${proto}"
ban_message="backup used"
elif [ -n "$("${ban_ipset_cmd}" -q -n list "${ban_src_name}_${proto}")" ] && [ -s "${ban_backupdir}/banIP.${ban_src_name}_addon_${proto}" ]; then
"${ban_ipset_cmd}" -q -! restore <"${ban_backupdir}/banIP.${ban_src_name}_addon_${proto}"
ban_message="${ban_cnt_err} lookup errors"
fi
gzip -f "${ban_backupdir}/banIP.${ban_src_name}_addon_${proto}" 2>/dev/null
done
"${ban_logger_cmd}" -p "info" -t "banIP-resolve [${$}]" "${ban_src_name} domain import has been finished (${ban_message:-"-"})" 2>/dev/null
rm -f "${ban_src_file}"

295
net/banip/files/banip.feeds Normal file
View file

@ -0,0 +1,295 @@
{
"adaway": {
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adaway-ipv4.txt",
"url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adaway-ipv6.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"focus": "adaway IPs",
"descurl": "https://github.com/dibdot/banIP-IP-blocklists"
},
"adguard": {
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adguard-ipv4.txt",
"url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adguard-ipv6.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"focus": "adguard IPs",
"descurl": "https://github.com/dibdot/banIP-IP-blocklists"
},
"adguardtrackers": {
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adguardtrackers-ipv4.txt",
"url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adguardtrackers-ipv6.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"focus": "adguardtracker IPs",
"descurl": "https://github.com/dibdot/banIP-IP-blocklists"
},
"antipopads": {
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/antipopads-ipv4.txt",
"url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/antipopads-ipv6.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"focus": "antipopads IPs",
"descurl": "https://github.com/dibdot/banIP-IP-blocklists"
},
"asn": {
"url_4": "https://asn.ipinfo.app/api/text/list/",
"url_6": "https://asn.ipinfo.app/api/text/list/",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
"focus": "ASN IPs",
"descurl": "https://asn.ipinfo.app"
},
"backscatterer": {
"url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/ips.backscatterer.org.gz",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"focus": "backscatterer IPs",
"descurl": "https://www.uceprotect.net/en/index.php",
"flag": "gz"
},
"bogon": {
"url_4": "https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt",
"url_6": "https://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
"focus": "bogon prefixes",
"descurl": "https://team-cymru.com"
},
"cinsscore": {
"url_4": "https://cinsscore.com/list/ci-badguys.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"focus": "suspicious attacker IPs",
"descurl": "https://cinsscore.com/#list"
},
"country": {
"url_4": "https://www.ipdeny.com/ipblocks/data/aggregated/",
"url_6": "https://www.ipdeny.com/ipv6/ipaddresses/aggregated/",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
"focus": "country blocks",
"descurl": "http://www.ipdeny.com/ipblocks"
},
"darklist": {
"url_4": "https://darklist.de/raw.php",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"focus": "suspicious attacker IPs",
"descurl": "https://darklist.de"
},
"debl": {
"url_4": "https://www.blocklist.de/downloads/export-ips_all.txt",
"url_6": "https://www.blocklist.de/downloads/export-ips_all.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
"focus": "fail2ban IP blacklist",
"descurl": "https://www.blocklist.de"
},
"doh": {
"url_4": "https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv4.txt",
"url_6": "https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv6.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"focus": "public DoH-Provider",
"descurl": "https://github.com/dibdot/DoH-IP-blocklists"
},
"drop": {
"url_4": "https://www.spamhaus.org/drop/drop.txt",
"url_6": "https://www.spamhaus.org/drop/dropv6.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"focus": "spamhaus drop compilation",
"descurl": "https://www.spamhaus.org"
},
"dshield": {
"url_4": "https://feeds.dshield.org/block.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s/%s,\\n\",$1,$3}",
"focus": "dshield IP blocklist",
"descurl": "https://www.dshield.org"
},
"edrop": {
"url_4": "https://www.spamhaus.org/drop/edrop.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"focus": "spamhaus edrop compilation",
"descurl": "https://www.spamhaus.org"
},
"feodo": {
"url_4": "https://feodotracker.abuse.ch/downloads/ipblocklist.txt",
"rule_4": "BEGIN{RS=\"\\r\\n\"}/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"focus": "feodo tracker",
"descurl": "https://feodotracker.abuse.ch"
},
"firehol1": {
"url_4": "https://iplists.firehol.org/files/firehol_level1.netset",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"focus": "firehol level 1 compilation",
"descurl": "https://iplists.firehol.org/?ipset=firehol_level1"
},
"firehol2": {
"url_4": "https://iplists.firehol.org/files/firehol_level2.netset",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"focus": "firehol level 2 compilation",
"descurl": "https://iplists.firehol.org/?ipset=firehol_level2"
},
"firehol3": {
"url_4": "https://iplists.firehol.org/files/firehol_level3.netset",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"focus": "firehol level 3 compilation",
"descurl": "https://iplists.firehol.org/?ipset=firehol_level3"
},
"firehol4": {
"url_4": "https://iplists.firehol.org/files/firehol_level4.netset",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{if(!seen[$1]++)printf \"%s,\\n\",$1}",
"focus": "firehol level 4 compilation",
"descurl": "https://iplists.firehol.org/?ipset=firehol_level4"
},
"greensnow": {
"url_4": "https://blocklist.greensnow.co/greensnow.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"focus": "suspicious server IPs",
"descurl": "https://greensnow.co"
},
"iblockads": {
"url_4": "https://list.iblocklist.com/?list=dgxtneitpuvgqqcpfulq&fileformat=cidr&archiveformat=gz",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"focus": "advertising IPs",
"descurl": "https://www.iblocklist.com",
"flag": "gz",
"login": true
},
"iblockspy": {
"url_4": "https://list.iblocklist.com/?list=llvtlsjyoyiczbkjsxpf&fileformat=cidr&archiveformat=gz",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"focus": "malicious spyware IPs",
"descurl": "https://www.iblocklist.com",
"flag": "gz",
"login": true
},
"myip": {
"url_4": "https://myip.ms/files/blacklist/general/latest_blacklist.txt",
"url_6": "https://myip.ms/files/blacklist/general/latest_blacklist.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"focus": "real-time IP blocklist",
"descurl": "https://myip.ms"
},
"nixspam": {
"url_4": "https://www.nixspam.net/download/nixspam-ip.dump.gz",
"rule_4": "/(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$2}",
"focus": "iX spam protection",
"descurl": "https://www.nixspam.net",
"flag": "gz"
},
"oisdnsfw": {
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdnsfw-ipv4.txt",
"url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdnsfw-ipv6.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"focus": "OISD-nsfw IPs",
"descurl": "https://github.com/dibdot/banIP-IP-blocklists"
},
"oisdsmall": {
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdsmall-ipv4.txt",
"url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdsmall-ipv6.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"focus": "OISD-small IPs",
"descurl": "https://github.com/dibdot/banIP-IP-blocklists"
},
"proxy": {
"url_4": "https://iplists.firehol.org/files/proxylists.ipset",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"focus": "open proxies",
"descurl": "https://iplists.firehol.org/?ipset=proxylists"
},
"sslbl": {
"url_4": "https://sslbl.abuse.ch/blacklist/sslipblacklist.csv",
"rule_4": "BEGIN{FS=\",\"}/(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)/{printf \"%s,\\n\",$2}",
"focus": "SSL botnet IPs",
"descurl": "https://sslbl.abuse.ch"
},
"stevenblack": {
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/stevenblack-ipv4.txt",
"url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/stevenblack-ipv6.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"focus": "stevenblack IPs",
"descurl": "https://github.com/dibdot/banIP-IP-blocklists"
},
"talos": {
"url_4": "https://www.talosintelligence.com/documents/ip-blacklist",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"focus": "talos IPs",
"descurl": "https://talosintelligence.com/reputation_center"
},
"threat": {
"url_4": "https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"focus": "emerging threats",
"descurl": "https://rules.emergingthreats.net"
},
"threatview": {
"url_4": "https://threatview.io/Downloads/IP-High-Confidence-Feed.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"focus": "malicious IPs",
"descurl": "https://threatview.io"
},
"tor": {
"url_4": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst",
"url_6": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
"focus": "tor exit nodes",
"descurl": "https://github.com/SecOps-Institute/Tor-IP-Addresses"
},
"uceprotect1": {
"url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/dnsbl-1.uceprotect.net.gz",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"focus": "spam protection level 1",
"descurl": "http://www.uceprotect.net/en/index.php",
"flag": "gz"
},
"uceprotect2": {
"url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/dnsbl-2.uceprotect.net.gz",
"rule_4": "BEGIN{IGNORECASE=1}/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]NET)/{printf \"%s,\\n\",$1}",
"focus": "spam protection level 2",
"descurl": "http://www.uceprotect.net/en/index.php",
"flag": "gz"
},
"uceprotect3": {
"url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/dnsbl-3.uceprotect.net.gz",
"rule_4": "BEGIN{IGNORECASE=1}/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]YOUR)/{printf \"%s,\\n\",$1}",
"focus": "spam protection level 3",
"descurl": "http://www.uceprotect.net/en/index.php",
"flag": "gz"
},
"urlhaus": {
"url_4": "https://urlhaus.abuse.ch/downloads/ids/",
"rule_4": "match($0,/(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5]))/){printf \"%s,\\n\",substr($0,RSTART,RLENGTH)}",
"focus": "urlhaus IDS IPs",
"descurl": "https://urlhaus.abuse.ch"
},
"urlvir": {
"url_4": "https://iplists.firehol.org/files/urlvir.ipset",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"focus": "malware related IPs",
"descurl": "https://iplists.firehol.org/?ipset=urlvir"
},
"voip": {
"url_4": "https://voipbl.org/update/",
"rule_4": "BEGIN{RS=\"(([0-9]{1,3}\\\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)\"}{if(RT)printf \"%s,\\n\",RT}",
"focus": "VoIP fraud blocklist",
"descurl": "https://voipbl.org"
},
"webclient": {
"url_4": "https://iplists.firehol.org/files/firehol_webclient.netset",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"focus": "malware related IPs",
"descurl": "https://iplists.firehol.org/?ipset=firehol_webclient"
},
"yoyo": {
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/yoyo-ipv4.txt",
"url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/yoyo-ipv6.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"focus": "yoyo IPs",
"descurl": "https://github.com/dibdot/banIP-IP-blocklists"
}
}

10
net/banip/files/banip.hotplug
View file

@ -1,10 +0,0 @@
#!/bin/sh
# firewall hotplug script for banIP
# Copyright (c) 2019-2021 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3.
if /etc/init.d/banip enabled && [ "${ACTION}" = "add" ] && [ -n "${INTERFACE}" ]; then
if [ ! -s "/var/run/banip.pid" ] && uci_get banip global ban_ifaces | grep -q "${INTERFACE}"; then
/etc/init.d/banip refresh
fi
fi

282
net/banip/files/banip.init
View file

@ -1,202 +1,69 @@
#!/bin/sh /etc/rc.common
# Copyright (c) 2018-2021 Dirk Brenken (dev@brenken.org)
# banIP init script - ban incoming and outgoing ip adresses/subnets via sets in nftables
# Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3.
# (s)hellcheck exceptions
# shellcheck disable=1091,2034,3043,3057,3060
# shellcheck disable=all
START=30
USE_PROCD=1
if type extra_command >/dev/null 2>&1; then
extra_command "refresh" "Refresh ipsets without new list downloads"
extra_command "suspend" "Suspend banIP processing"
extra_command "resume" "Resume banIP processing"
extra_command "query" "<IP> Query active banIP IPSets for a specific IP address"
extra_command "report" "[<cli>|<mail>|<gen>|<json>] Print banIP related IPset statistics"
extra_command "list" "[<add>|<add_asn>|<add_country>|<remove>|<remove_asn>|<remove_country>] <source(s)> List/Edit available sources"
extra_command "timer" "[<add> <tasks> <hour> [<minute>] [<weekday>]]|[<remove> <line no.>] List/Edit cron update intervals"
else
EXTRA_COMMANDS="status refresh suspend resume query report list timer version"
EXTRA_HELP=" status Service status
refresh Refresh ipsets without new list downloads
suspend Suspend banIP processing
resume Resume banIP processing
query <IP> Query active banIP IPSets for a specific IP address
report [<cli>|<mail>|<gen>|<json>] Print banIP related IPset statistics
list [<add>|<add_asn>|<add_country>|<remove>|<remove_asn>|<remove_country>] <source(s)> List/Edit available sources
timer [<add> <tasks> <hour> [<minute>] [<weekday>]]|[<remove> <line no.>] List/Edit cron update intervals"
fi
extra_command "report" "[text|json|mail] Print banIP related set statistics"
extra_command "search" "[<IPv4 address>|<IPv6 address>] Check if an element exists in the banIP sets"
ban_init="/etc/init.d/banip"
ban_script="/usr/bin/banip.sh"
ban_service="/usr/bin/banip-service.sh"
ban_funlib="/usr/lib/banip-functions.sh"
ban_pidfile="/var/run/banip.pid"
ban_lock="/var/run/banip.lock"
if [ -s "${ban_pidfile}" ] && { [ "${action}" = "start" ] || [ "${action}" = "stop" ] ||
[ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "refresh" ] ||
[ "${action}" = "suspend" ] || [ "${action}" = "resume" ] || [ "${action}" = "query" ] ||
{ [ "${action}" = "list" ] && [ -n "${1}" ]; } || { [ "${action}" = "report" ] && [ "${1}" != "json" ]; }; }; then
exit 0
fi
[ ! -r "${ban_funlib}" ] && exit 1
[ "${action}" = "stop" ] && ! /etc/init.d/banip running && exit 0
[ -d "${ban_lock}" ] && { [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ]; } && exit 1
[ ! -d "${ban_lock}" ] && { [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ]; } && mkdir -p "${ban_lock}"
boot() {
: >"${ban_pidfile}"
rc_procd start_service
rc_procd start_service "boot"
}
start_service() {
if "${ban_init}" enabled; then
if [ "${action}" = "boot" ]; then
return 0
fi
procd_open_instance "banip"
procd_set_param command "${ban_script}" "${@}"
[ "${action}" = "boot" ] && [ -n "$(uci_get banip global ban_trigger)" ] && return 0
[ -z "$(command -v "f_system")" ] && . "${ban_funlib}"
f_rmpid
procd_open_instance "banip-service"
procd_set_param command "${ban_service}" "${@:-"${action}"}"
procd_set_param pidfile "${ban_pidfile}"
procd_set_param nice "$(uci_get banip global ban_nice "0")"
procd_set_param nice "$(uci_get banip global ban_nicelimit "0")"
procd_set_param limits nofile="$(uci_get banip global ban_filelimit "1024")"
procd_set_param stdout 1
procd_set_param stderr 1
procd_close_instance
else
[ -z "$(command -v "f_system")" ] && . "${ban_funlib}"
f_log "err" "banIP service autostart is currently disabled, please enable the service autostart with '/etc/init.d/banip enable'"
rm -rf "${ban_lock}"
fi
}
version() {
rc_procd "${ban_script}" version
}
refresh() {
rc_procd start_service refresh
}
reload_service() {
rc_procd start_service reload
[ -z "$(command -v "f_system")" ] && . "${ban_funlib}"
f_rmpid
rc_procd start_service "reload"
}
stop_service() {
rc_procd "${ban_script}" stop
[ -z "$(command -v "f_system")" ] && . "${ban_funlib}"
"${ban_nftcmd}" delete table inet banIP >/dev/null 2>&1
f_genstatus "stopped"
f_rmpid
}
restart() {
rc_procd start_service restart
}
suspend() {
rc_procd start_service suspend
}
resume() {
rc_procd start_service resume
}
query() {
rc_procd "${ban_script}" query "${1}"
}
list() {
local src_archive src_file src_enabled key name enabled focus descurl url_4 rule_4 url_6 rule_6 action="${1}"
if [ "${action%_*}" = "add" ] || [ "${action%_*}" = "remove" ]; then
shift
for name in "${@}"; do
case "${action}" in
"add")
if ! uci_get banip global ban_sources | grep -q "${name}"; then
uci_add_list banip global ban_sources "${name}"
printf "%s\n" "::: banIP source '${name}' added to config"
fi
;;
"remove")
if uci_get banip global ban_sources | grep -q "${name}"; then
uci_remove_list banip global ban_sources "${name}"
printf "%s\n" "::: banIP source '${name}' removed from config"
fi
;;
"add_asn")
if ! uci_get banip global ban_asns | grep -q "${name}"; then
uci_add_list banip global ban_asns "${name}"
printf "%s\n" "::: banIP asn '${name}' added to config"
fi
;;
"remove_asn")
if uci_get banip global ban_asns | grep -q "${name}"; then
uci_remove_list banip global ban_asns "${name}"
printf "%s\n" "::: banIP asn '${name}' removed from config"
fi
;;
"add_country")
if ! uci_get banip global ban_countries | grep -q "${name}"; then
uci_add_list banip global ban_countries "${name}"
printf "%s\n" "::: banIP country '${name}' added to config"
fi
;;
"remove_country")
if uci_get banip global ban_countries | grep -q "${name}"; then
uci_remove_list banip global ban_countries "${name}"
printf "%s\n" "::: banIP country '${name}' removed from config"
fi
;;
esac
done
if [ -n "$(uci -q changes banip)" ]; then
uci_commit banip
"${ban_init}" start
fi
else
src_archive="$(uci_get banip global ban_srcarc "/etc/banip/banip.sources.gz")"
src_file="$(uci_get banip global ban_srcfile "/tmp/ban_sources.json")"
src_enabled="$(uci -q show banip.global.ban_sources)"
if [ -r "${src_archive}" ]; then
zcat "${src_archive}" >"${src_file}"
else
printf "%s\n" "::: banIP source archive '${src_archive}' not found"
fi
if [ -r "${src_file}" ]; then
src_enabled="${src_enabled#*=}"
src_enabled="${src_enabled//\'/}"
printf "%s\n" "::: Available banIP sources"
printf "%s\n" ":::"
printf "%-25s%-10s%-36s%s\n" " Name" "Enabled" "Focus" "Info URL"
printf "%s\n" " ---------------------------------------------------------------------------"
json_load_file "${src_file}"
json_get_keys keylist
for key in ${keylist}; do
json_select "${key}"
json_get_var focus "focus"
json_get_var descurl "descurl"
json_get_var url_4 "url_4"
json_get_var rule_4 "rule_4"
json_get_var url_6 "url_6"
json_get_var rule_6 "rule_6"
if { [ -n "${url_4}" ] && [ -n "${rule_4}" ]; } || { [ -n "${url_6}" ] && [ -n "${rule_6}" ]; }; then
if printf "%s" "${src_enabled}" | grep -q "${key}"; then
enabled="x"
else
enabled=" "
fi
src_enabled="${src_enabled/${key}/}"
printf " + %-21s%-10s%-36s%s\n" "${key:0:20}" "${enabled}" "${focus:0:35}" "${descurl:0:50}"
else
src_enabled="${src_enabled} ${key}"
fi
json_select ..
done
asn_list="$(uci_get banip global ban_asns "-")"
country_list="$(uci_get banip global ban_countries "-")"
printf "%s\n" " ---------------------------------------------------------------------------"
printf " * %s\n" "Configured ASNs: ${asn_list// /, }"
printf " * %s\n" "Configured Countries: ${country_list// /, }"
if [ -n "${src_enabled// /}" ]; then
printf "%s\n" " ---------------------------------------------------------------------------"
printf "%s\n" " Sources without valid configuration"
printf "%s\n" " ---------------------------------------------------------------------------"
for key in ${src_enabled}; do
printf " - %s\n" "${key:0:20}"
done
fi
else
printf "%s\n" "::: banIP source file '${src_file}' not found"
fi
fi
stop_service
rc_procd start_service "restart"
}
status() {
@ -204,90 +71,29 @@ status() {
}
status_service() {
local key keylist type value index_value values rtfile
rtfile="$(uci_get banip global ban_rtfile "/tmp/ban_runtime.json")"
json_load_file "${rtfile}" >/dev/null 2>&1
json_get_keys keylist
if [ -n "${keylist}" ]; then
printf "%s\n" "::: banIP runtime information"
for key in ${keylist}; do
json_get_var value "${key}" >/dev/null 2>&1
if [ "${key%_*}" = "active" ]; then
printf " + %-15s : " "${key}"
json_select "${key}" >/dev/null 2>&1
values=""
index=1
while json_get_type type "${index}" && [ "${type}" = "object" ]; do
json_get_values index_value "${index}" >/dev/null 2>&1
if [ "${index}" = "1" ]; then
values="${index_value}"
else
values="${values}, ${index_value}"
fi
index=$((index + 1))
done
values="$(printf "%s" "${values}" | awk '{NR=1;max=98;if(length($0)>max+1)while($0){if(NR==1){print substr($0,1,max)}else{printf"%-22s%s\n","",substr($0,1,max)}{$0=substr($0,max+1);NR=NR+1}}else print}')"
printf "%s\n" "${values:-"-"}"
json_select ".."
else
printf " + %-15s : %s\n" "${key}" "${value:-"-"}"
fi
done
else
printf "%s\n" "::: no banIP runtime information available"
fi
[ -z "$(command -v "f_system")" ] && . "${ban_funlib}"
f_getstatus
}
report() {
rc_procd "${ban_script}" report "${1:-"cli"}"
[ -z "$(command -v "f_system")" ] && . "${ban_funlib}"
f_report "${1:-"text"}"
}
timer() {
local cron_file cron_content cron_lineno action="${1:-"list"}" cron_tasks="${2}" hour="${3}" minute="${4:-0}" weekday="${5:-"*"}"
cron_file="/etc/crontabs/root"
if [ -s "${cron_file}" ] && [ "${action}" = "list" ]; then
awk '{print NR "> " $0}' "${cron_file}"
elif [ "${action}" = "add" ]; then
hour="${hour//[[:alpha:]]/}"
minute="${minute//[[:alpha:]]/}"
if [ -n "${cron_tasks}" ] && [ -n "${hour}" ] && [ -n "${minute}" ] && [ -n "${weekday}" ] &&
[ "${hour}" -ge 0 ] && [ "${hour}" -le 23 ] &&
[ "${minute}" -ge 0 ] && [ "${minute}" -le 59 ]; then
printf "%02d %02d %s\n" "${minute}" "${hour}" "* * ${weekday} ${ban_init} ${cron_tasks}" >>"${cron_file}"
/etc/init.d/cron restart
fi
elif [ -s "${cron_file}" ] && [ "${action}" = "remove" ]; then
cron_tasks="${cron_tasks//[[:alpha:]]/}"
cron_lineno="$(awk 'END{print NR}' "${cron_file}")"
cron_content="$(awk '{print $0}' "${cron_file}")"
if [ "${cron_tasks:-"0"}" -le "${cron_lineno:-"1"}" ] && [ -n "${cron_content}" ]; then
printf "%s\n" "${cron_content}" | awk "NR!~/^${cron_tasks}$/" >"${cron_file}"
/etc/init.d/cron restart
fi
fi
search() {
[ -z "$(command -v "f_system")" ] && . "${ban_funlib}"
f_search "${1}"
}
service_triggers() {
local iface delay
local iface trigger delay
iface="$(uci_get banip global ban_trigger)"
trigger="$(uci_get banip global ban_trigger)"
delay="$(uci_get banip global ban_triggerdelay "5")"
PROCD_RELOAD_DELAY=$((delay * 1000))
if [ -z "${iface}" ]; then
. "/lib/functions/network.sh"
network_find_wan iface
if [ -n "${iface}" ]; then
uci_set banip global ban_trigger "${iface}"
uci_commit "banip"
fi
fi
if [ -n "${iface}" ]; then
for iface in ${trigger}; do
procd_add_interface_trigger "interface.*.up" "${iface}" "${ban_init}" "start"
fi
done
procd_add_reload_trigger "banip"
}

62
net/banip/files/banip.mail
View file

@ -1,62 +0,0 @@
#!/bin/sh
# send mail script for banIP notifications
# Copyright (c) 2020-2021 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3.
# (s)hellcheck exceptions
# shellcheck disable=1091,3040
# Please note: you have to setup the package 'msmtp' before using this script
export LC_ALL=C
export PATH="/usr/sbin:/usr/bin:/sbin:/bin"
set -o pipefail
. "/lib/functions.sh"
ban_debug="$(uci_get banip global ban_debug "0")"
ban_loglimit="$(uci_get banip global ban_loglimit "100")"
ban_mailsender="$(uci_get banip global ban_mailsender "no-reply@banIP")"
ban_mailreceiver="$(uci_get banip global ban_mailreceiver)"
ban_mailtopic="$(uci_get banip global ban_mailtopic "banIP notification")"
ban_mailprofile="$(uci_get banip global ban_mailprofile "ban_notify")"
ban_mail="$(command -v msmtp)"
ban_logger="$(command -v logger)"
ban_logread="$(command -v logread)"
if [ -z "${ban_mailreceiver}" ]; then
f_log "err" "please set the mail receiver with the 'ban_mailreceiver' option"
exit 1
fi
if [ "${ban_debug}" = "1" ]; then
msmtp_debug="--debug"
fi
ban_mailhead="From: ${ban_mailsender}\nTo: ${ban_mailreceiver}\nSubject: ${ban_mailtopic}\nReply-to: ${ban_mailsender}\nMime-Version: 1.0\nContent-Type: text/html;charset=utf-8\nContent-Disposition: inline\n\n"
# info preparation
#
sys_info="$(
strings /etc/banner 2>/dev/null
ubus call system board | awk 'BEGIN{FS="[{}\"]"}{if($2=="kernel"||$2=="hostname"||$2=="system"||$2=="model"||$2=="description")printf " + %-12s: %s\n",$2,$4}'
)"
ban_info="$(/etc/init.d/banip "status" 2>/dev/null)"
rep_info="${1}"
log_info="$("${ban_logread}" -l "${ban_loglimit}" -e "banIP-" 2>/dev/null | awk '{NR=1;max=120;if(length($0)>max+1)while($0){if(NR==1){print substr($0,1,max)}else{print substr($0,1,max)}{$0=substr($0,max+1);NR=NR+1}}else print}')"
# mail body
#
ban_mailtext="<html><body><pre style='display:block;font-family:monospace;font-size:1rem;padding:20;background-color:#f3eee5;white-space:pre'>"
ban_mailtext="${ban_mailtext}\n<strong>++\n++ System Information ++\n++</strong>\n${sys_info}"
ban_mailtext="${ban_mailtext}\n\n<strong>++\n++ banIP Status ++\n++</strong>\n${ban_info}"
if [ -n "${rep_info}" ]; then
ban_mailtext="${ban_mailtext}\n\n<strong>++\n++ banIP Report ++\n++</strong>\n${rep_info}"
fi
ban_mailtext="${ban_mailtext}\n\n<strong>++\n++ Logfile Information ++\n++</strong>\n${log_info}"
ban_mailtext="${ban_mailtext}</pre></body></html>"
# send mail
#
printf "%b" "${ban_mailhead}${ban_mailtext}" 2>/dev/null | "${ban_mail}" ${msmtp_debug} -a "${ban_mailprofile}" "${ban_mailreceiver}" >/dev/null 2>&1
"${ban_logger}" -p "info" -t "banIP-mail [${$}]" "mail sent to '${ban_mailreceiver}' with rc '${?}'" 2>/dev/null

28
net/banip/files/banip.service
View file

@ -1,28 +0,0 @@
#!/bin/sh
# log service to trace suspicious logins and conditionally refresh banIP
# Copyright (c) 2019-2021 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3.
# (s)hellcheck exceptions
# shellcheck disable=3040
export LC_ALL=C
export PATH="/usr/sbin:/usr/bin:/sbin:/bin"
set -o pipefail
ban_search="${1}"
ban_logger_cmd="$(command -v logger)"
ban_logread_cmd="$(command -v logread)"
if [ -x "${ban_logread_cmd}" ]; then
"${ban_logger_cmd}" -p "info" -t "banIP-service [${$}]" "log/banIP service started" 2>/dev/null
"${ban_logread_cmd}" -f |
{
grep -qE "${ban_search}" && {
/etc/init.d/banip refresh
exit 0
}
}
else
"${ban_logger_cmd}" -p "err" -t "banIP-service [${$}]" "can't start log/banIP service" 2>/dev/null
fi

1595
net/banip/files/banip.sh
View file

File diff suppressed because it is too large Load diff

191
net/banip/files/banip.sources
View file

@ -1,191 +0,0 @@
{
"asn": {
"url_4": "https://asn.ipinfo.app/api/text/list/",
"url_6": "https://asn.ipinfo.app/api/text/list/",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add asn_4 \"$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print \"add asn_6 \"$1}",
"focus": "ASN blocks",
"descurl": "https://asn.ipinfo.app"
},
"bogon": {
"url_4": "https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt",
"url_6": "https://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add bogon_4 \"$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print \"add bogon_6 \"$1}",
"focus": "Bogon prefixes",
"descurl": "https://team-cymru.com"
},
"country": {
"url_4": "http://www.ipdeny.com/ipblocks/data/aggregated/",
"url_6": "http://www.ipdeny.com/ipv6/ipaddresses/aggregated/",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add country_4 \"$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print \"add country_6 \"$1}",
"focus": "Country blocks",
"descurl": "http://www.ipdeny.com/ipblocks"
},
"darklist": {
"url_4": "https://darklist.de/raw.php",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add darklist_4 \"$1}",
"focus": "Blocks suspicious attacker IPs",
"descurl": "https://darklist.de"
},
"debl": {
"url_4": "https://www.blocklist.de/downloads/export-ips_all.txt",
"url_6": "https://www.blocklist.de/downloads/export-ips_all.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add debl_4 \"$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print \"add debl_6 \"$1}",
"focus": "Fail2ban IP blacklist",
"descurl": "https://www.blocklist.de"
},
"doh": {
"url_4": "https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv4.txt",
"url_6": "https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv6.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add doh_4 \"$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print \"add doh_6 \"$1}",
"focus": "Public DoH-Provider",
"descurl": "https://github.com/dibdot/DoH-IP-blocklists"
},
"drop": {
"url_4": "https://www.spamhaus.org/drop/drop.txt",
"url_6": "https://www.spamhaus.org/drop/dropv6.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add drop_4 \"$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print \"add drop_6 \"$1}",
"focus": "Spamhaus drop compilation",
"descurl": "https://www.spamhaus.org"
},
"dshield": {
"url_4": "https://feeds.dshield.org/block.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add dshield_4 \"$1 \"/\"$3}",
"focus": "Dshield IP blocklist",
"descurl": "https://www.dshield.org"
},
"edrop": {
"url_4": "https://www.spamhaus.org/drop/edrop.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add edrop_4 \"$1}",
"focus": "Spamhaus edrop compilation",
"descurl": "https://www.spamhaus.org"
},
"feodo": {
"url_4": "https://feodotracker.abuse.ch/downloads/ipblocklist.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add feodo_4 \"$1}",
"focus": "Feodo Tracker",
"descurl": "https://feodotracker.abuse.ch"
},
"firehol1": {
"url_4": "https://iplists.firehol.org/files/firehol_level1.netset",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add firehol1_4 \"$1}",
"focus": "Firehol Level 1 compilation",
"descurl": "https://iplists.firehol.org/?ipset=firehol_level1"
},
"firehol2": {
"url_4": "https://iplists.firehol.org/files/firehol_level2.netset",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add firehol2_4 \"$1}",
"focus": "Firehol Level 2 compilation",
"descurl": "https://iplists.firehol.org/?ipset=firehol_level2"
},
"firehol3": {
"url_4": "https://iplists.firehol.org/files/firehol_level3.netset",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add firehol3_4 \"$1}",
"focus": "Firehol Level 3 compilation",
"descurl": "https://iplists.firehol.org/?ipset=firehol_level3"
},
"firehol4": {
"url_4": "https://iplists.firehol.org/files/firehol_level4.netset",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add firehol4_4 \"$1}",
"focus": "Firehol Level 4 compilation",
"descurl": "https://iplists.firehol.org/?ipset=firehol_level4"
},
"greensnow": {
"url_4": "https://blocklist.greensnow.co/greensnow.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add greensnow_4 \"$1}",
"focus": "Blocks suspicious server IPs",
"descurl": "https://greensnow.co"
},
"iblockads": {
"url_4": "https://list.iblocklist.com/?list=dgxtneitpuvgqqcpfulq&fileformat=cidr&archiveformat=gz",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add iblockads_4 \"$1}",
"focus": "Advertising blocklist",
"descurl": "https://www.iblocklist.com",
"comp": "gz"
},
"iblockspy": {
"url_4": "https://list.iblocklist.com/?list=llvtlsjyoyiczbkjsxpf&fileformat=cidr&archiveformat=gz",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add iblockspy_4 \"$1}",
"focus": "Malicious spyware blocklist",
"descurl": "https://www.iblocklist.com",
"comp": "gz"
},
"myip": {
"url_4": "https://myip.ms/files/blacklist/general/latest_blacklist.txt",
"url_6": "https://myip.ms/files/blacklist/general/latest_blacklist.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add myip_4 \"$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print \"add myip_6 \"$1}",
"focus": "Myip Live IP blacklist",
"descurl": "https://myip.ms"
},
"nixspam": {
"url_4": "http://www.dnsbl.manitu.net/download/nixspam-ip.dump.gz",
"rule_4": "/(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add nixspam_4 \"$2}",
"focus": "iX spam protection",
"descurl": "http://www.nixspam.org",
"comp": "gz"
},
"proxy": {
"url_4": "https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/proxylists.ipset",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add proxy_4 \"$1}",
"focus": "Firehol list of open proxies",
"descurl": "https://iplists.firehol.org/?ipset=proxylists"
},
"sslbl": {
"url_4": "https://sslbl.abuse.ch/blacklist/sslipblacklist.csv",
"rule_4": "BEGIN{FS=\",\"}/(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)/{print \"add sslbl_4 \"$2}",
"focus": "SSL botnet IP blacklist",
"descurl": "https://sslbl.abuse.ch"
},
"talos": {
"url_4": "https://www.talosintelligence.com/documents/ip-blacklist",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add talos_4 \"$1}",
"focus": "Cisco Talos IP Blacklist",
"descurl": "https://talosintelligence.com/reputation_center"
},
"threat": {
"url_4": "https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add threat_4 \"$1}",
"focus": "Emerging Threats",
"descurl": "https://rules.emergingthreats.net"
},
"tor": {
"url_4": "https://lists.fissionrelays.net/tor/exits-ipv4.txt",
"url_6": "https://lists.fissionrelays.net/tor/exits-ipv6.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add tor_4 \"$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print \"add tor_6 \"$1}",
"focus": "Tor exit nodes",
"descurl": "https://fissionrelays.net/lists"
},
"uceprotect1": {
"url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/dnsbl-1.uceprotect.net.gz",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{print \"add uceprotect1_4 \"$1}",
"focus": "Spam protection level 1",
"descurl": "http://www.uceprotect.net/en/index.php",
"comp": "gz"
},
"uceprotect2": {
"url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/dnsbl-2.uceprotect.net.gz",
"rule_4": "BEGIN{IGNORECASE=1}/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]+NET[[:space:]]+)/{print \"add uceprotect2_4 \"$1}",
"focus": "Spam protection level 2",
"descurl": "http://www.uceprotect.net/en/index.php",
"comp": "gz"
},
"voip": {
"url_4": "http://www.voipbl.org/update/",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add voip_4 \"$1}",
"focus": "VoIP fraud blocklist",
"descurl": "http://www.voipbl.org"
},
"yoyo": {
"url_4": "https://pgl.yoyo.org/adservers/iplist.php?ipformat=plain&showintro=0&mimetype=plaintext",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add yoyo_4 \"$1}",
"focus": "Ad protection blacklist",
"descurl": "https://pgl.yoyo.org/adservers/"
}
}

24
net/banip/files/banip.tpl Normal file
View file

@ -0,0 +1,24 @@
# banIP mail template/include
# Copyright (c) 2020-2023 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3.
# info preparation
#
local banip_info report_info log_info system_info mail_text
banip_info="$(/etc/init.d/banip status 2>/dev/null)"
report_info="$(cat ${ban_reportdir}/ban_report.txt 2>/dev/null)"
log_info="$("${ban_logreadcmd}" -l 100 -e "banIP_" 2>/dev/null | awk '{NR=1;max=120;if(length($0)>max+1)while($0){if(NR==1){print substr($0,1,max)}else{print substr($0,1,max)}{$0=substr($0,max+1);NR=NR+1}}else print}')"
system_info="$(
strings /etc/banner 2>/dev/null
ubus call system board | awk 'BEGIN{FS="[{}\"]"}{if($2=="kernel"||$2=="hostname"||$2=="system"||$2=="model"||$2=="description")printf " + %-12s: %s\n",$2,$4}'
)"
# mail body
#
mail_text="$(printf "%s\n" "<html><body><pre style='display:block;font-family:monospace;font-size:1rem;padding:20;background-color:#f3eee5;white-space:pre'>")"
mail_text="$(printf "%s\n" "${mail_text}\n<strong>++\n++ System Information ++\n++</strong>\n${system_info:-"-"}")"
mail_text="$(printf "%s\n" "${mail_text}\n\n<strong>++\n++ banIP Status ++\n++</strong>\n${banip_info:-"-"}")"
mail_text="$(printf "%s\n" "${mail_text}\n\n<strong>++\n++ banIP Report ++\n++</strong>\n${report_info:-"-"}")"
mail_text="$(printf "%s\n" "${mail_text}\n\n<strong>++\n++ Logfile Information ++\n++</strong>\n${log_info}")"
mail_text="$(printf "%s\n" "${mail_text}</pre></body></html>")"

0
net/banip/files/banip.whitelist
View file