From: Dirk Brenken
Date: Sat, 22 Jun 2024 08:12:59 +0000 (+0200)
Subject: banip: update 1.0.0-4
X-Git-Url: http://git.openwrt.org/?a=commitdiff_plain;h=15c2051eace3db746bf461af940be568c572c198;p=feed%2Fpackages.git
banip: update 1.0.0-4
* relax the firewall pre-check if fw4 is not running
* replace former stale tor feed source with 'https://www.dan.me.uk/torlist/?exit'
* add openvpn log term/search pattern example to the readme
* the default config now includes only log terms for dropbear and LuCI, all others are optional
* readme update
Signed-off-by: Dirk Brenken
(cherry picked from commit d17f661aee8aab300bd73d682748eac61bea27a2)
---
diff --git a/net/banip/Makefile b/net/banip/Makefile
index 5c008601f9..92cf704956 100644
--- a/net/banip/Makefile
+++ b/net/banip/Makefile
@@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=banip
 PKG_VERSION:=1.0.0
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_MAINTAINER:=Dirk Brenken
diff --git a/net/banip/files/README.md b/net/banip/files/README.md
index 14310abbef..7b2e8c178b 100644
--- a/net/banip/files/README.md
+++ b/net/banip/files/README.md
@@ -7,7 +7,11 @@ IP address blocking is commonly used to protect against brute force attacks, pre
 ## Main Features
 * banIP supports the following fully pre-configured domain blocklist feeds (free for private usage, for commercial use please check their individual licenses).
-**Please note:** By default every feed blocks all supported chains. The columns "WAN-INP", "WAN-FWD" and "LAN-FWD" show for which chains the feeds are suitable in common scenarios, e.g. the first entry should be limited to the LAN forward chain - see the config options 'ban\_blockpolicy', 'ban\_blockinput', 'ban\_blockforwardwan' and 'ban\_blockforwardlan' below.
+**Please note:** By default every feed blocks packet traversal in all supported chains, the table columns "WAN-INP", "WAN-FWD" and "LAN-FWD" show for which chains the feeds are suitable in common scenarios:
+ * WAN-INP chain applies to packets from internet to your router
+ * WAN-FWD chain applies to packets from internet to other local devices (not your router)
+ * LAN-FWD chain applies to local packets going out to the internet (not your router)
+ For instance the first entry should be limited to the LAN forward chain - just set the 'LAN-Forward Chain' option under the 'Feed/Set Seetings' config tab accordingly.
 | Feed | Focus | WAN-INP | WAN-FWD | LAN-FWD | Port-Limit | Information |
 | :------------------ | :----------------------------- | :-----: | :-----: | :-----: | :----------: | :----------------------------------------------------------- |
@@ -52,7 +56,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
 | talos | talos IPs | x | x | | | [Link](https://talosintelligence.com/reputation_center) |
 | threat | emerging threats | x | x | | | [Link](https://rules.emergingthreats.net) |
 | threatview | malicious IPs | x | x | | | [Link](https://threatview.io) |
-| tor | tor exit nodes | x | x | | | [Link](https://github.com/SecOps-Institute/Tor-IP-Addresses) |
+| tor | tor exit nodes | x | x | x | | [Link](https://www.dan.me.uk) |
 | turris | turris sentinel blocklist | x | x | | | [Link](https://view.sentinel.turris.cz) |
 | uceprotect1 | spam protection level 1 | x | x | | | [Link](https://www.uceprotect.net/en/index.php) |
 | uceprotect2 | spam protection level 2 | x | x | | | [Link](https://www.uceprotect.net/en/index.php) |
@@ -319,17 +323,19 @@ The following feeds are just my personal recommendation as an initial setup:
 In total, this feed selection blocks about 20K IP addresses. It may also be useful to include some countries to the country feed in WAN-Input and WAN-Forward chain.
 Please note: don't just blindly activate (too) many feeds at once, sooner or later this will lead to OOM conditions.
-**Regular expressions for logfile parsing**
-Like fail2ban, banIP supports logfile scanning and automatic blocking of suspicious attacker IPs. By default the following regex are in place to detect failed login attempts via dropbear, sshd, nginx, asterisk or LuCI.
+**Log Terms for logfile parsing**
+Like fail2ban and crowdsec, banIP supports logfile scanning and automatic blocking of suspicious attacker IPs.
+In the default config only the log terms to detect failed login attempts via dropbear and LuCI are in place. The following search pattern has been tested as well - just transfer the required regular expression via cut and paste to your config (without quotation marks):
 ```
-list ban_logterm 'Exit before auth from'
-list ban_logterm 'luci: failed login'
-list ban_logterm 'error: maximum authentication attempts exceeded'
-list ban_logterm 'sshd.*Connection closed by.*\[preauth\]'
-list ban_logterm 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress='
-list ban_logterm 'received a suspicious remote IP '\''.*'\'''
+dropbear : 'Exit before auth from'
+LuCI : 'luci: failed login'
+sshd1 : 'error: maximum authentication attempts exceeded'
+sshd2 : 'sshd.*Connection closed by.*\[preauth\]'
+asterisk : 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress='
+nginx : 'received a suspicious remote IP '\''.*'\'''
+openvpn : 'TLS Error: could not determine wrapping from \[AF_INET\]'
 ```
-Just add more log terms to protect additional services, e.g. an openvpn server.
+You find the 'Log Terms' option in LuCI under the 'Log Settings' tab.
Feel free to add more log terms to meet your needs and protect additional services.
 **Allow-/Blocklist handling**
 banIP supports local allow- and block-lists, MAC/IPv4/IPv6 addresses (incl. ranges in CIDR notation) or domain names. These files are located in /etc/banip/banip.allowlist and /etc/banip/banip.blocklist.
diff --git a/net/banip/files/banip-service.sh b/net/banip/files/banip-service.sh
index 17bc26c907..0e31ba062a 100755
--- a/net/banip/files/banip-service.sh
+++ b/net/banip/files/banip-service.sh
@@ -27,21 +27,12 @@ f_mkdir "${ban_backupdir}"
 f_mkfile "${ban_allowlist}"
 f_mkfile "${ban_blocklist}"
-# firewall check
+# firewall/fw4 pre-check
 #
-if [ "${ban_action}" != "reload" ]; then
-if [ -x "${ban_fw4cmd}" ]; then
-cnt="0"
-while [ "${cnt}" -lt "30" ] && ! /etc/init.d/firewall status >/dev/null 2>&1; do
-cnt="$((cnt + 1))"
-sleep 1
-done
-if ! /etc/init.d/firewall status >/dev/null 2>&1; then
-f_log "err" "nftables based firewall error"
-fi
-else
-f_log "err" "nftables based firewall not found"
-fi
+if [ ! -x "${ban_fw4cmd}" ] || [ ! -x "/etc/init.d/firewall" ]; then
+f_log "err" "firewall/fw4 not found"
+elif ! /etc/init.d/firewall status >/dev/null 2>&1; then
+f_log "info" "firewall/fw4 is not running"
 fi
 # init banIP nftables namespace
diff --git a/net/banip/files/banip.cgi b/net/banip/files/banip.cgi
index 2ac5ef0d4f..975e3c5b26 100644
--- a/net/banip/files/banip.cgi
+++ b/net/banip/files/banip.cgi
@@ -1,6 +1,6 @@
 #!/bin/sh
 # banIP cgi remote logging script - ban incoming and outgoing IPs via named nftables Sets
-# Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
+# Copyright (c) 2018-2024 Dirk Brenken (dev@brenken.org)
 # This is free software, licensed under the GNU General Public License v3.
 # (s)hellcheck exceptions
diff --git a/net/banip/files/banip.conf b/net/banip/files/banip.conf
index 3bb5bc96c7..6102a598fc 100644
--- a/net/banip/files/banip.conf
+++ b/net/banip/files/banip.conf
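Review bot: The rewritten pre-check drops the bounded wait the removed loop gave fw4, so on a cold boot where banIP runs before `/etc/init.d/firewall status` succeeds the `elif` branch logs "firewall/fw4 is not running" once and the script falls straight through to the nftables namespace init that follows this hunk; the commit message describes relaxing the check for a stopped fw4, not removing the startup grace period, and the `ban_action != reload` gate is gone too, so the status probe now runs on every action. Whether continuing without fw4 is safe depends on code outside the hunk (f_log "err" is defined elsewhere; if it terminates the script as its name suggests, a missing fw4 stays fatal while a stopped one does not, which matches the stated intent). If only tolerance of a stopped fw4 is wanted, keeping a bounded wait at boot before the status decision preserves the previous ordering behaviour while still never failing hard, and the comment should say so, e.g. `# firewall/fw4 pre-check - fw4 is optional, only warn if it is absent or not running`.
```shell
if [ ! -x "${ban_fw4cmd}" ] || [ ! -x "/etc/init.d/firewall" ]; then
	f_log "err" "firewall/fw4 not found"
else
	# bounded grace period for fw4 at boot (skipped on reload), then warn instead of fail
	cnt="0"
	while [ "${ban_action}" != "reload" ] && [ "${cnt}" -lt "30" ] && ! /etc/init.d/firewall status >/dev/null 2>&1; do
		cnt="$((cnt + 1))"
		sleep 1
	done
	if ! /etc/init.d/firewall status >/dev/null 2>&1; then
		f_log "info" "firewall/fw4 is not running"
	fi
fi
# … unchanged: init banIP nftables namespace …
```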
@@ -4,7 +4,3 @@ config banip 'global'
 option ban_autodetect '1'
 list ban_logterm 'Exit before auth from'
 list ban_logterm 'luci: failed login'
- list ban_logterm 'error: maximum authentication attempts exceeded'
- list ban_logterm 'sshd.*Connection closed by.*\[preauth\]'
- list ban_logterm 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress='
- list ban_logterm 'received a suspicious remote IP '\''.*'\'''
diff --git a/net/banip/files/banip.feeds b/net/banip/files/banip.feeds
index a135230360..66d0807c97 100644
--- a/net/banip/files/banip.feeds
+++ b/net/banip/files/banip.feeds
@@ -246,8 +246,8 @@
 "descr": "malicious IPs"
 },
 "tor":{
- "url_4": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst",
- "url_6": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst",
+ "url_4": "https://www.dan.me.uk/torlist/?exit",
+ "url_6": "https://www.dan.me.uk/torlist/?exit",
 "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
 "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
 "descr": "tor exit nodes"
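Review bot: The four removed `ban_logterm` entries include both sshd patterns, so a fresh install that runs openssh-server rather than dropbear gets no failed-login log term by default, and nothing left in the file says these terms are now optional; existing installs keep their conffile, so only new installs are affected. A comment in the config would make this discoverable without opening the README, e.g. `# optional log terms for sshd, asterisk, nginx and openvpn are listed in the README`. Whether `ban_autodetect '1'` has any bearing on log terms is not visible here and is worth stating in that comment if it does.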
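Review bot: The tor feed now relies on a single third-party endpoint for both `url_4` and `url_6`, with the `rule_4`/`rule_6` awk filters as the only check on the content; if the provider throttles requests or answers with an HTML page instead of a plain list, the filtered output is simply empty, and how the download path treats an empty feed (keep the previous set or install an empty one) is outside this hunk and worth confirming. The README row changed in the same commit also marks this feed for the LAN-FWD chain, so a stale or oversized list would now affect outbound traffic as well, although the IP/CIDR-only filters limit the effect to over-blocking. A short note in the README on any fetch-interval the provider expects would help users who configure aggressive refresh timers.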