From 27e86ef42e832545a9a66d479c4bbd99afaab5c5 Mon Sep 17 00:00:00 2001
From: Dirk Brenken
Date: Thu, 30 May 2024 21:36:33 +0200
Subject: [PATCH] banip: update 0.9.6-2

* fix regex for nixspam and sslbl feed
* list the pre-routing limits in the banIP status
* small fixes and log improvements

Signed-off-by: Dirk Brenken
---
 net/banip/Makefile | 2 +-
 net/banip/files/README.md | 56 +++++++++++++-----------------
 net/banip/files/banip-functions.sh | 11 +++---
 net/banip/files/banip.feeds | 4 +--
 4 files changed, 32 insertions(+), 41 deletions(-)

diff --git a/net/banip/Makefile b/net/banip/Makefile
index 58da64e281..29da8a2bed 100644
--- a/net/banip/Makefile
+++ b/net/banip/Makefile
@@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=banip
 PKG_VERSION:=0.9.6
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_MAINTAINER:=Dirk Brenken
diff --git a/net/banip/files/README.md b/net/banip/files/README.md
index fef0e9caaa..c0ccb6b156 100644
--- a/net/banip/files/README.md
+++ b/net/banip/files/README.md
@@ -219,14 +219,14 @@ Available commands:
 ::: Timestamp: 2024-04-17 23:02:15
 ------------------------------
- blocked syn-flood packets in prerouting : 5
- blocked udp-flood packets in prerouting : 11
- blocked icmp-flood packets in prerouting : 6
- blocked invalid ct packets in prerouting : 277
- blocked invalid tcp packets in prerouting: 0
- ----------
- auto-added IPs to allowlist today: 0
- auto-added IPs to blocklist today: 0
+ blocked syn-flood packets : 5
+ blocked udp-flood packets : 11
+ blocked icmp-flood packets : 6
+ blocked invalid ct packets : 277
+ blocked invalid tcp packets: 0
+ ---
+ auto-added IPs to allowlist: 0
+ auto-added IPs to blocklist: 0
 Set | Elements | WAN-Input (packets) | WAN-Forward (packets) | LAN-Forward (packets) | Port/Protocol Limit
 ---------------------+--------------+-----------------------+-----------------------+-----------------------+------------------------
@@ -261,19 +261,18 @@ Available commands:
 **banIP runtime information**
 ```
-~# /etc/init.d/banip status
 ::: banIP runtime information
 + status : active (nft: ✔, monitor: ✔)
- + version : 0.9.5-r1
- + element_count : 335706
- + active_feeds : allowlistv4MAC, allowlistv6MAC, allowlistv4, allowlistv6, adguardtrackersv6, adguardtrackersv4, becyberv4, cinsscorev4, deblv4, countryv6, countryv4, deblv6, dropv6, dohv4, dropv4, dohv6, threatv4, firehol1v4, ipthreatv4, firehol2v4, turrisv4, blocklistv4MAC, blocklistv6MAC, blocklistv4, blocklistv6
+ + version : 0.9.6-r1
+ + element_count : 108036
+ + active_feeds : allowlistv4MAC, allowlistv6MAC, allowlistv4, allowlistv6, cinsscorev4, deblv4, countryv6, countryv4, deblv6, dohv4, dohv6, turrisv4, blocklistv4MAC, blocklistv6MAC, blocklistv4, blocklistv6
 + active_devices : wan: pppoe-wan / wan-if: wan, wan_6 / vlan-allow: - / vlan-block: -
 + active_uplink : 217.83.205.130, fe80::9cd6:12e9:c4df:75d3, 2003:ed:b5ff:43bd:9cd5:12e7:c3ef:75d8
- + nft_info : priority: 0, policy: performance, loglevel: warn, expiry: 2h
+ + nft_info : priority: -100, policy: performance, loglevel: warn, expiry: 2h, limit (icmp/syn/udp): 10/10/100
 + run_info : base: /mnt/data/banIP, backup: /mnt/data/banIP/backup, report: /mnt/data/banIP/report
 + run_flags : auto: ✔, proto (4/6): ✔/✔, log (pre/inp/fwd/lan): ✔/✘/✘/✘, dedup: ✔, split: ✘, custom feed: ✘, allowed only: ✘
- + last_run : action: reload, log: logread, fetch: curl, duration: 2m 33s, date: 2024-04-17 05:57:56
- + system_info : cores: 4, memory: 1573, device: Bananapi BPI-R3, OpenWrt SNAPSHOT r25932-338b463e1e
+ + last_run : action: reload, log: logread, fetch: curl, duration: 1m 21s, date: 2024-05-27 05:56:29
+ + system_info : cores: 4, memory: 1661, device: Bananapi BPI-R3, OpenWrt SNAPSHOT r26353-a96354bcfb
 ```
 **banIP search information**
@@ -300,16 +299,6 @@ Available commands:
 1.10.255.58
 1.11.67.53
 1.11.114.211
-1.11.208.29
-1.12.75.87
-1.12.231.227
-1.12.247.134
-1.12.251.141
-1.14.96.156
-1.14.250.37
-1.15.40.79
-1.15.71.140
-1.15.77.237
 [...]
 ```
 **default regex for logfile parsing**
@@ -423,19 +412,22 @@ The banIP default blocklist feeds are stored in an external JSON file '/etc/bani
 A valid JSON source object contains the following information, e.g.:
 ```
 [...]
- "tor":{
- "url_4": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst",
- "url_6": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst",
- "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
- "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
- "descr": "tor exit nodes",
- "flag": "gz tcp 80-88 udp 50000"
+"stevenblack":{
+ "url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/stevenblack-ipv4.txt",
+ "url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/stevenblack-ipv6.txt",
+ "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
+ "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
+ "descr": "stevenblack IPs",
+ "flag": "tcp 80 443"
 },
 [...]
 ```
 Add an unique feed name (no spaces, no special chars) and make the required changes: adapt at least the URL, the regex and the description for a new feed.
 Please note: the flag field is optional, it's a space separated list of options: supported are 'gz' as an archive format, protocols 'tcp' or 'udp' with port numbers/port ranges for destination port limitations - multiple definitions are possible.
+## FAQ
+TODO!
+
 ## Support
 Please join the banIP discussion in this [forum thread](https://forum.openwrt.org/t/banip-support-thread/16985) or contact me by mail
diff --git a/net/banip/files/banip-functions.sh b/net/banip/files/banip-functions.sh
index 936f0aad36..08b4b10f17 100644
--- a/net/banip/files/banip-functions.sh
+++ b/net/banip/files/banip-functions.sh
@@ -97,7 +97,7 @@ f_system() {
 local cpu core
 if [ -z "${ban_dev}" ]; then
- ban_debug="$(uci_get banip global ban_debug)"
+ ban_debug="$(uci_get banip global ban_debug "0")"
 ban_cores="$(uci_get banip global ban_cores)"
 fi
 ban_packages="$("${ban_ubuscmd}" -S call rpc-sys packagelist '{ "all": true }' 2>/dev/null)"
@@ -1258,7 +1258,7 @@ f_genstatus() {
 json_add_string "${object}" "${object}"
 done
 json_close_array
- json_add_string "nft_info" "priority: ${ban_nftpriority}, policy: ${ban_nftpolicy}, loglevel: ${ban_nftloglevel}, expiry: ${ban_nftexpiry:-"-"}"
+ json_add_string "nft_info" "priority: ${ban_nftpriority}, policy: ${ban_nftpolicy}, loglevel: ${ban_nftloglevel}, expiry: ${ban_nftexpiry:-"-"}, limit (icmp/syn/udp): ${ban_icmplimit}/${ban_synlimit}/${ban_udplimit}"
 json_add_string "run_info" "base: ${ban_basedir}, backup: ${ban_backupdir}, report: ${ban_reportdir}"
 json_add_string "run_flags" "auto: $(f_char ${ban_autodetect}), proto (4/6): $(f_char ${ban_protov4})/$(f_char ${ban_protov6}), log (pre/inp/fwd/lan): $(f_char ${ban_logprerouting})/$(f_char ${ban_loginput})/$(f_char ${ban_logforwardwan})/$(f_char ${ban_logforwardlan}), dedup: $(f_char ${ban_deduplicate}), split: $(f_char ${split}), custom feed: $(f_char ${custom_feed}), allowed only: $(f_char ${ban_allowlistonly})"
 json_add_string "last_run" "${runtime:-"-"}"
@@ -1354,7 +1354,7 @@ f_lookup() {
 end_time="$(date "+%s")"
 duration="$(((end_time - start_time) / 60))m $(((end_time - start_time) % 60))s"
- f_log "debug" "f_lookup ::: feed: ${feed}, domains: ${cnt_domain}, IPs: ${cnt_ip}, duration: ${duration}"
+ f_log "info" "domain lookup finished in ${duration} (${feed}, ${cnt_domain} domains, ${cnt_ip} IPs)"
 }
 # table statistics
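Review bot: The `ban_cores` read on the line right after the changed one still has no fallback, while `ban_debug` now gets an explicit `"0"`; since `f_system` is now invoked before the `/etc/config/banip` readability check (hunk at line 1752), both `uci_get` calls can run against a missing config. Whether an empty `ban_cores` is tolerated further down in `f_system` is not visible here, so at minimum the ordering dependency deserves a comment above the `if` block, e.g. `# f_system runs before the config guard in the main section; every uci_get here must tolerate an absent config`. f_system's body starts before and continues after this hunk.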
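Review bot: The three new limit values in the `nft_info` string are expanded bare (`${ban_icmplimit}/${ban_synlimit}/${ban_udplimit}`) while `expiry` on the same line uses `${ban_nftexpiry:-"-"}`, so an unset limit would render as an empty slot rather than a placeholder. If the limits are always initialised by the config loader (not visible here) this is cosmetic; otherwise `${ban_icmplimit:-"-"}/${ban_synlimit:-"-"}/${ban_udplimit:-"-"}` keeps the status output uniform with its neighbours. f_genstatus begins before this hunk.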
@@ -1509,7 +1509,7 @@ f_report() {
 printf "%s\n" " blocked icmp-flood packets : ${sum_icmpflood}"
 printf "%s\n" " blocked invalid ct packets : ${sum_ctinvalid}"
 printf "%s\n" " blocked invalid tcp packets: ${sum_tcpinvalid}"
- printf "%s\n" " ----------"
+ printf "%s\n" " ---"
 printf "%s\n" " auto-added IPs to allowlist: ${autoadd_allow}"
 printf "%s\n\n" " auto-added IPs to blocklist: ${autoadd_block}"
 json_select "sets" >/dev/null 2>&1
@@ -1752,10 +1752,9 @@ ban_sedcmd="$(f_cmd sed)"
 ban_ubuscmd="$(f_cmd ubus)"
 ban_zcatcmd="$(f_cmd zcat)"
+f_system
 if [ "${ban_action}" != "stop" ]; then
 [ ! -d "/etc/banip" ] && f_log "err" "no banIP config directory"
 [ ! -r "/etc/config/banip" ] && f_log "err" "no banIP config"
 [ "$(uci_get banip global ban_enabled)" = "0" ] && f_log "err" "banIP is disabled"
 fi
-
-f_system
diff --git a/net/banip/files/banip.feeds b/net/banip/files/banip.feeds
index 79af2bd5d3..2d05563e21 100644
--- a/net/banip/files/banip.feeds
+++ b/net/banip/files/banip.feeds
@@ -179,7 +179,7 @@
 },
 "nixspam":{
 "url_4": "https://www.nixspam.net/download/nixspam-ip.dump.gz",
- "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$2}",
+ "rule_4": "/127\\./{next}/(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$2}",
 "descr": "iX spam protection",
 "flag": "gz"
 },
@@ -219,7 +219,7 @@
 },
 "sslbl":{
 "url_4": "https://sslbl.abuse.ch/blacklist/sslipblacklist.csv",
- "rule_4": "BEGIN{FS=\",\"}/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)/{printf \"%s,\\n\",$2}",
+ "rule_4": "BEGIN{FS=\",\"}/127\\./{next}/(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)/{printf \"%s,\\n\",$2}",
 "descr": "SSL botnet IPs"
 },
 "stevenblack":{
-- 
2.30.2
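Review bot: Dropping the `^` anchor turns the skip pattern `/127\\./{next}` into a substring test over the whole record, so any line whose address merely contains `127.` (a constructed example: `5.127.8.9`) is silently discarded instead of only loopback-prefixed ones; the sslbl rule in the hunk at line 219 has the same problem. Because the `printf` emits `$2`, tying the check to that field restores the original intent while keeping the fix for the leading date field: `$2 ~ /^127\\./{next}`. By the same logic the address match itself could be written as a `$2 ~ /^(...)/` test so that the value validated and the value printed cannot diverge. The nixspam dump's column layout is not visible here; this assumes `$2` holds the address, as the existing `printf` implies.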