banip: bump to release 0.9.3-1

* provides an option to transfer log events on remote servers via cgi interface (disabled by default), see readme for details
* refine the allowlist check to support IP intervals as well before adding an IP to the blocklist

Signed-off-by: Dirk Brenken <dev@brenken.org>
Dirk Brenken 2023-12-11 17:35:13 +01:00
parent b8254cdac4
commit df81585cea
GPG key ID: 9D71CD547BFAE684
5 changed files with 62 additions and 4 deletions

@ -5,8 +5,8 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=banip PKG_NAME:=banip
PKG_VERSION:=0.9.2 PKG_VERSION:=0.9.3
PKG_RELEASE:=4 PKG_RELEASE:=1
PKG_LICENSE:=GPL-3.0-or-later PKG_LICENSE:=GPL-3.0-or-later
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org> PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
@ -63,6 +63,9 @@ define Package/banip/install
$(INSTALL_CONF) ./files/banip.countries $(1)/etc/banip $(INSTALL_CONF) ./files/banip.countries $(1)/etc/banip
$(INSTALL_CONF) ./files/banip.feeds $(1)/etc/banip $(INSTALL_CONF) ./files/banip.feeds $(1)/etc/banip
$(INSTALL_CONF) ./files/banip.custom.feeds $(1)/etc/banip $(INSTALL_CONF) ./files/banip.custom.feeds $(1)/etc/banip
$(INSTALL_DIR) $(1)/www/cgi-bin
$(INSTALL_BIN) ./files/banip.cgi $(1)/www/cgi-bin/banip
endef endef
$(eval $(call BuildPackage,banip)) $(eval $(call BuildPackage,banip))
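Review bot: banip.cgi is installed to /www/cgi-bin/banip unconditionally, so the endpoint is reachable on the web server even with ban_remotelog at its default of 0; only the token comparison and the ban_remotelog gate inside the script keep it inert. That is acceptable, but the readme should say that the URL exists whenever the package is installed, and installing the script without the executable bit until the feature is enabled would be a cheap way to keep the surface closed by default.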

@ -89,6 +89,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
* Add new or edit existing banIP feeds on your own with the LuCI integrated custom feed editor * Add new or edit existing banIP feeds on your own with the LuCI integrated custom feed editor
* Supports external allowlist URLs to reference additional IPv4/IPv6 feeds * Supports external allowlist URLs to reference additional IPv4/IPv6 feeds
* Supports allowing / blocking of certain VLAN forwards * Supports allowing / blocking of certain VLAN forwards
* Provides an option to transfer logging events on remote servers via cgi interface
## Prerequisites ## Prerequisites
* **[OpenWrt](https://openwrt.org)**, latest stable release or a snapshot with nft/firewall 4 support * **[OpenWrt](https://openwrt.org)**, latest stable release or a snapshot with nft/firewall 4 support
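Review bot: the new feature bullet, "transfer logging events on remote servers via cgi interface", reads as if banIP pushes events out to other hosts, whereas the feature receives events from other hosts; "receive remote logging events from internal servers via the cgi interface" matches the later section heading "enable the cgi interface to receive remote logging events".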
@ -141,7 +142,7 @@ Available commands:
| ban_filelimit | option | 1024 | ulimit max open/number of files (range 1024-4096) | | ban_filelimit | option | 1024 | ulimit max open/number of files (range 1024-4096) |
| ban_loglimit | option | 100 | scan only the last n log entries permanently. A value of '0' disables the monitor | | ban_loglimit | option | 100 | scan only the last n log entries permanently. A value of '0' disables the monitor |
| ban_logcount | option | 1 | how many times the IP must appear in the log to be considered as suspicious | | ban_logcount | option | 1 | how many times the IP must appear in the log to be considered as suspicious |
| ban_logterm | list | regex | various regex for logfile parsing (default: dropbear, sshd, luci, nginx, asterisk) | | ban_logterm | list | regex | various regex for logfile parsing (default: dropbear, sshd, luci, nginx, asterisk and cgi-remote events) |
| ban_logreadfile | option | /var/log/messages | alternative location for parsing the log file, e.g. via syslog-ng, to deactivate the standard parsing via logread | | ban_logreadfile | option | /var/log/messages | alternative location for parsing the log file, e.g. via syslog-ng, to deactivate the standard parsing via logread |
| ban_autodetect | option | 1 | auto-detect wan interfaces, devices and subnets | | ban_autodetect | option | 1 | auto-detect wan interfaces, devices and subnets |
| ban_debug | option | 0 | enable banIP related debug logging | | ban_debug | option | 0 | enable banIP related debug logging |
@ -191,6 +192,8 @@ Available commands:
| ban_mailnotification | option | 0 | receive E-Mail notifications with every banIP run | | ban_mailnotification | option | 0 | receive E-Mail notifications with every banIP run |
| ban_reportelements | option | 1 | count Set elements in the report, disable this option to speed up the report significantly | | ban_reportelements | option | 1 | count Set elements in the report, disable this option to speed up the report significantly |
| ban_resolver | option | - | external resolver used for DNS lookups | | ban_resolver | option | - | external resolver used for DNS lookups |
| ban_remotelog | option | 0 | enable the cgi interface to receive remote logging events |
| ban_remotetoken | option | - | unique token to communicate with the cgi interface |
## Examples ## Examples
**banIP report information** **banIP report information**
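Review bot: the ban_remotetoken row should state the accepted character set and recommend a long random value, because the token is the only authentication the cgi endpoint has; at the moment the character restriction ('[A-Za-z]', '[0-9]', '.' and ':') is documented only in the examples section further down, and nothing tells the reader how strong the token needs to be.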
@ -292,6 +295,7 @@ list ban_logterm 'luci: failed login'
list ban_logterm 'error: maximum authentication attempts exceeded' list ban_logterm 'error: maximum authentication attempts exceeded'
list ban_logterm 'sshd.*Connection closed by.*\[preauth\]' list ban_logterm 'sshd.*Connection closed by.*\[preauth\]'
list ban_logterm 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress=' list ban_logterm 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress='
list ban_logterm 'received a suspicious remote IP '\''.*'\'''
``` ```
**allow-/blocklist handling** **allow-/blocklist handling**
@ -324,6 +328,18 @@ MAC-address with IPv4 and IPv6 wildcard concatenation:
C8:C2:9B:F7:80:12 192.168.1.10 => this will be populated to v4MAC-Set with the certain IP C8:C2:9B:F7:80:12 192.168.1.10 => this will be populated to v4MAC-Set with the certain IP
C8:C2:9B:F7:80:12 => this will be populated to v6MAC-Set with the IP-wildcard ::/0 C8:C2:9B:F7:80:12 => this will be populated to v6MAC-Set with the IP-wildcard ::/0
``` ```
**enable the cgi interface to receive remote logging events**
banIP ships a basic cgi interface in '/www/cgi-bin/banip' to receive remote logging events (disabled by default). The cgi interface evaluates logging events via GET or POST request (see examples below). To enable the cgi interface set the following options:
* set 'ban_remotelog' to '1' to enbale the cgi interface
* set 'ban_remotetoken' to a secret transfer token, allowed token characters consist of '[A-Za-z]', '[0-9]', '.' and ':'
Examples to transfer remote logging events from an internal server to banIP via cgi interface:
* POST request: curl --insecure --data "<ban_remotetoken>=<suspicious IP>" https://192.168.1.1/cgi-bin/banip
* GET request: wget --no-check-certificate https://192.168.1.1/cgi-bin/banip?<ban_remotetoken>=<suspicious IP>
Please note: for security reasons use this cgi interface only internally and only encrypted via https transfer protocol.
**redirect Asterisk security logs to lodg/logread** **redirect Asterisk security logs to lodg/logread**
banIP only supports logfile scanning via logread, so to monitor attacks on Asterisk, its security log must be available via logread. To do this, edit '/etc/asterisk/logger.conf' and add the line 'syslog.local0 = security', then run 'asterisk -rx reload logger' to update the running Asterisk configuration. banIP only supports logfile scanning via logread, so to monitor attacks on Asterisk, its security log must be available via logread. To do this, edit '/etc/asterisk/logger.conf' and add the line 'syslog.local0 = security', then run 'asterisk -rx reload logger' to update the running Asterisk configuration.
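Review bot: "enbale" in the ban_remotelog bullet is a typo for "enable". More substantively, the GET example places the token in the query string, where it lands in the web server's access log and in the sending host's shell history, so the POST form should be the recommended one and the GET form flagged as less safe; and the `--insecure` / `--no-check-certificate` flags in both examples undo the "only encrypted via https" advice against an active attacker on the same internal network, so the note should either explain how to trust the router's certificate or at least name that trade-off.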

@ -43,6 +43,8 @@ ban_mailtopic="banIP notification"
ban_mailprofile="ban_notify" ban_mailprofile="ban_notify"
ban_mailnotification="0" ban_mailnotification="0"
ban_reportelements="1" ban_reportelements="1"
ban_remotelog="0"
ban_remotetoken=""
ban_nftloglevel="warn" ban_nftloglevel="warn"
ban_nftpriority="-200" ban_nftpriority="-200"
ban_nftpolicy="memory" ban_nftpolicy="memory"
@ -1526,7 +1528,7 @@ f_monitor() {
ip="${ip##* }" ip="${ip##* }"
[ -n "${ip}" ] && proto="v6" [ -n "${ip}" ] && proto="v6"
fi fi
if [ -n "${proto}" ] && ! "${ban_nftcmd}" get element inet banIP blocklist"${proto}" "{ ${ip} }" >/dev/null 2>&1 && ! "${ban_grepcmd}" -q "^${ip}" "${ban_allowlist}"; then if [ -n "${proto}" ] && ! "${ban_nftcmd}" get element inet banIP allowlist"${proto}" "{ ${ip} }" >/dev/null 2>&1 && ! "${ban_nftcmd}" get element inet banIP blocklist"${proto}" "{ ${ip} }" >/dev/null 2>&1; then
f_log "info" "suspicious IP '${ip}'" f_log "info" "suspicious IP '${ip}'"
log_raw="$(eval ${loglimit_cmd})" log_raw="$(eval ${loglimit_cmd})"
log_count="$(printf "%s\n" "${log_raw}" | "${ban_grepcmd}" -c "suspicious IP '${ip}'")" log_count="$(printf "%s\n" "${log_raw}" | "${ban_grepcmd}" -c "suspicious IP '${ip}'")"
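Review bot: replacing `grep -q "^${ip}" "${ban_allowlist}"` with an nft lookup in allowlist"${proto}" fixes more than interval support: the old anchored prefix match would have let an allowlist entry of 10.0.0.1 suppress bans for 10.0.0.10 through 10.0.0.19, and it could not match an allowlisted range at all. One behaviour to confirm: if the allowlist Set is missing or nft is unavailable (for example during a reload), `get element` fails and the negative result is treated as "not allowlisted", so the IP is logged as suspicious; a short comment stating that this is intended, or a check that the Set exists before trusting the negative, would make the failure mode explicit.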

net/banip/files/banip.cgi Normal file
@ -0,0 +1,36 @@
#!/bin/sh
# banIP cgi remote logging script - ban incoming and outgoing IPs via named nftables Sets
# Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3.
# (s)hellcheck exceptions
# shellcheck disable=all
# handle post/get requests
#
post_string="$(cat)"
request="${post_string//[^[:alnum:]=\.\:]/}"
[ -z "${request}" ] && request="${QUERY_STRING//[^[:alnum:]=\.\:]/}"
request_decode() {
local key value token
key="${request%=*}"
value="${request#*=}"
token="$(uci -q get banip.global.ban_remotetoken)"
if [ -n "${key}" ] && [ -n "${value}" ] && [ "${key}" = "${token}" ] && /etc/init.d/banip running; then
[ -r "/usr/lib/banip-functions.sh" ] && { . "/usr/lib/banip-functions.sh"; f_conf; }
if [ "${ban_remotelog}" = "1" ] && [ -x "${ban_logreadcmd}" ] && [ -n "${ban_logterm%%??}" ] && [ "${ban_loglimit}" != "0" ]; then
f_log "info" "received a suspicious remote IP '${value}'"
fi
fi
}
cat <<EOF
Status: 202 Accepted
Content-Type: text/plain; charset=UTF-8
EOF
request_decode
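Review bot: the value is only character-filtered, never validated as an IPv4 or IPv6 literal, before `f_log` writes it as a "suspicious remote IP"; the filter in `request="${post_string//[^[:alnum:]=\.\:]/}"` lets any string of letters, digits, dots and colons through, so f_monitor's later IP extraction is the sole safeguard, and a validity check on `${value}` inside `request_decode` before logging would keep junk out of the log and make the script self-contained. Two smaller points: `post_string="$(cat)"` reads stdin regardless of REQUEST_METHOD and CONTENT_LENGTH, so bounding the read to POST requests and to `${CONTENT_LENGTH}` bytes would avoid the script waiting on a client that never closes the body; and because '=' survives the filter, `key="${request%=*}"` takes everything before the last '=' while `value="${request#*=}"` takes everything after the first, so a body with two '=' characters splits inconsistently (harmless, since the key then cannot equal the token, but a `case` test for exactly one '=' would state the intent). Emitting `Status: 202 Accepted` before `request_decode` runs means every request looks successful to the client; that is a reasonable choice to avoid a token oracle, but it should be documented, since a misconfigured token is then invisible to the sender. The `${var//pattern/}` substitutions are a bash extension that OpenWrt's ash provides and banip already relies on elsewhere, so they are fine for the target despite the `#!/bin/sh` shebang.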

@ -7,3 +7,4 @@ config banip 'global'
list ban_logterm 'error: maximum authentication attempts exceeded' list ban_logterm 'error: maximum authentication attempts exceeded'
list ban_logterm 'sshd.*Connection closed by.*\[preauth\]' list ban_logterm 'sshd.*Connection closed by.*\[preauth\]'
list ban_logterm 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress=' list ban_logterm 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress='
list ban_logterm 'received a suspicious remote IP '\''.*'\'''