LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
12625 Commits
1 Branch
46 MiB
Tree: 0873c8da60
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '0873c8da60'
${ noResults }
openwrt-packages-dist/net/banip/files/README.md

75 lines
3.6 KiB
Raw Normal View History

banip: new package to block incoming & outgoing ip addresses a new script based package called "banIP" to block incoming & outgoing ip adresses/subnets via ipset. Features: * a shell script which uses ipset and iptables to ban a large number of IP addresses published in various IP blacklists (bogon, firehol etc.) * support blocking by ASN numbers * support blocking by iso country codes * support local white & blacklist (IPv4, IPv6 & CIDR notation) * auto-add unsuccessful ssh login attempts to local blacklist * auto-add the uplink subnet to local whitelist * per source configuration of SRC (incoming) and DST (outgoing) * supports IPv4 & IPv6 Strong LuCI support: * easy interface to track & change all aspects of your ipset configuration on the fly * integrated IPSet-Lookup * integrated RIPE-Lookup * Log-Viewer & online configuration of white- & blacklist LuCI-Screenshots will follow in the second post. Forum discussion: https://forum.openwrt.org/t/banip-new-project-needs-testers-feedback/16985 Signed-off-by: Dirk Brenken <dev@brenken.org>
6 years ago
 
  1. # banIP - ban incoming and/or outgoing ip adresses via ipsets

  2. 

  3. ## Description

  4. IP address blocking is commonly used to protect against brute force attacks, prevent disruptive or unautherized address(es) from access or it can be used to restrict access to or from a particular geographic area — for example.  
  5. 

  6. ## Main Features

  7. * support many IP blocklist sources (free for private usage, for commercial use please check their individual licenses):
  8. * zero-conf like automatic installation & setup, usually no manual changes needed
  9. * supports six different download utilities: uclient-fetch, wget, curl, aria2c, wget-nossl, busybox-wget
  10. * Really fast downloads & list processing as they are handled in parallel as background jobs in a configurable 'Download Queue'
  11. * provides 'http only' mode without installed ssl library for all non-SSL blocklist sources
  12. * full IPv4 and IPv6 support
  13. * ipsets (one per source) are used to ban a large number of IP addresses
  14. * supports blocking by ASN numbers
  15. * supports blocking by iso country codes
  16. * supports local white & blacklist (IPv4, IPv6 & CIDR notation), located by default in /etc/banip/banip.whitelist and /etc/banip/banip.blacklist
  17. * auto-add unsuccessful ssh login attempts to local blacklist
  18. * auto-add the uplink subnet to local whitelist
  19. * per source configuration of SRC (incoming) and DST (outgoing)
  20. * integrated IPSet-Lookup
  21. * integrated RIPE-Lookup
  22. * blocklist source parsing by fast & flexible regex rulesets
  23. * minimal status & error logging to syslog, enable debug logging to receive more output
  24. * procd based init system support (start/stop/restart/reload/status)
  25. * procd network interface trigger support
  26. * output comprehensive runtime information via LuCI or via 'status' init command
  27. * strong LuCI support
  28. * optional: add new banIP sources on your own
  29. 

  30. ## Prerequisites

  31. * [OpenWrt](https://openwrt.org), tested with the stable release series (18.06) and with the latest snapshot
  32. * a download utility:
  33.     * to support all blocklist sources a full version (with ssl support) of 'wget', 'uclient-fetch' with one of the 'libustream-*' ssl libraries, 'aria2c' or 'curl' is required
  34.     * for limited devices with real memory constraints, banIP provides also a 'http only' option and supports wget-nossl and uclient-fetch (without libustream-ssl) as well
  35. 

  36. ## Installation & Usage

  37. * install 'banip' (_opkg install banip_)
  38. * at minimum configure the needed IP blocklist sources, the download utility and enable the banIP service in _/etc/config/banip_
  39. * control the banip service manually with _/etc/init.d/banip_ start/stop/restart/reload/status or use the LuCI frontend
  40. 

  41. ## LuCI banIP companion package

  42. * it's recommended to use the provided LuCI frontend to control all aspects of banIP
  43. * install 'luci-app-banip' (_opkg install luci-app-banip_)
  44. * the application is located in LuCI under 'Services' menu
  45. 

  46. ## Examples

  47. **receive banIP runtime information:**
  48. 

  49. <pre><code>
  50. /etc/init.d/banip status
  51. ::: banIP runtime information
  52.   + status     : enabled
  53.   + version    : 0.0.5
  54.   + fetch_info : /bin/uclient-fetch (libustream-ssl)
  55.   + ipset_info : 3 IPSets with overall 29510 IPs/Prefixes
  56.   + last_run   : 08.11.2018 15:03:50
  57.   + system     : GL-AR750S, OpenWrt SNAPSHOT r8419-860de2e1aa
  58. </code></pre>
  59.   
  60. **cronjob for a regular block list update (/etc/crontabs/root):**
  61. 

  62. <pre><code>
  63. 0 06 * * *    /etc/init.d/banip reload
  64. </code></pre>
  65.   
  66. 

  67. ## Support

  68. Please join the banIP discussion in this [forum thread](https://forum.openwrt.org/t/banip-new-project-needs-testers-feedback/16985) or contact me by mail <dev@brenken.org>  
  69. 

  70. ## Removal

  71. * stop all banIP related services with _/etc/init.d/banip stop_
  72. * optional: remove the banip package (_opkg remove banip_)
  73. 

  74. Have fun!  
  75. Dirk