LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
23172 Commits
1 Branch
46 MiB
Tree: f4f777403d
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'f4f777403d'
${ noResults }
openwrt-packages-dist/net/banip/files/README.md

117 lines
8.0 KiB
Raw Normal View History

banip: new package to block incoming & outgoing ip addresses a new script based package called "banIP" to block incoming & outgoing ip adresses/subnets via ipset. Features: * a shell script which uses ipset and iptables to ban a large number of IP addresses published in various IP blacklists (bogon, firehol etc.) * support blocking by ASN numbers * support blocking by iso country codes * support local white & blacklist (IPv4, IPv6 & CIDR notation) * auto-add unsuccessful ssh login attempts to local blacklist * auto-add the uplink subnet to local whitelist * per source configuration of SRC (incoming) and DST (outgoing) * supports IPv4 & IPv6 Strong LuCI support: * easy interface to track & change all aspects of your ipset configuration on the fly * integrated IPSet-Lookup * integrated RIPE-Lookup * Log-Viewer & online configuration of white- & blacklist LuCI-Screenshots will follow in the second post. Forum discussion: https://forum.openwrt.org/t/banip-new-project-needs-testers-feedback/16985 Signed-off-by: Dirk Brenken <dev@brenken.org>
6 years ago
banip: update 0.3.0 * new 'ca-bundle' dependency as all https connections are now validated by default * automatically select the download utility: 'aria2', 'curl', 'uclient-fetch' with libustream-* or wget are supported * track & ban failed LuCI login attempts as well * add a small log/banIP background monitor to block SSH/LuCI brute force attacks in realtime (disabled by default) * add a config version check (please update your default config!) * made the automatic wan detection more stable * fix the IPv6 logfile parser * fix the service status message * update readme Signed-off-by: Dirk Brenken <dev@brenken.org>
5 years ago
banip: new package to block incoming & outgoing ip addresses a new script based package called "banIP" to block incoming & outgoing ip adresses/subnets via ipset. Features: * a shell script which uses ipset and iptables to ban a large number of IP addresses published in various IP blacklists (bogon, firehol etc.) * support blocking by ASN numbers * support blocking by iso country codes * support local white & blacklist (IPv4, IPv6 & CIDR notation) * auto-add unsuccessful ssh login attempts to local blacklist * auto-add the uplink subnet to local whitelist * per source configuration of SRC (incoming) and DST (outgoing) * supports IPv4 & IPv6 Strong LuCI support: * easy interface to track & change all aspects of your ipset configuration on the fly * integrated IPSet-Lookup * integrated RIPE-Lookup * Log-Viewer & online configuration of white- & blacklist LuCI-Screenshots will follow in the second post. Forum discussion: https://forum.openwrt.org/t/banip-new-project-needs-testers-feedback/16985 Signed-off-by: Dirk Brenken <dev@brenken.org>
6 years ago
banip: update 0.3.0 * new 'ca-bundle' dependency as all https connections are now validated by default * automatically select the download utility: 'aria2', 'curl', 'uclient-fetch' with libustream-* or wget are supported * track & ban failed LuCI login attempts as well * add a small log/banIP background monitor to block SSH/LuCI brute force attacks in realtime (disabled by default) * add a config version check (please update your default config!) * made the automatic wan detection more stable * fix the IPv6 logfile parser * fix the service status message * update readme Signed-off-by: Dirk Brenken <dev@brenken.org>
5 years ago
banip: new package to block incoming & outgoing ip addresses a new script based package called "banIP" to block incoming & outgoing ip adresses/subnets via ipset. Features: * a shell script which uses ipset and iptables to ban a large number of IP addresses published in various IP blacklists (bogon, firehol etc.) * support blocking by ASN numbers * support blocking by iso country codes * support local white & blacklist (IPv4, IPv6 & CIDR notation) * auto-add unsuccessful ssh login attempts to local blacklist * auto-add the uplink subnet to local whitelist * per source configuration of SRC (incoming) and DST (outgoing) * supports IPv4 & IPv6 Strong LuCI support: * easy interface to track & change all aspects of your ipset configuration on the fly * integrated IPSet-Lookup * integrated RIPE-Lookup * Log-Viewer & online configuration of white- & blacklist LuCI-Screenshots will follow in the second post. Forum discussion: https://forum.openwrt.org/t/banip-new-project-needs-testers-feedback/16985 Signed-off-by: Dirk Brenken <dev@brenken.org>
6 years ago
banip: update 0.3.0 * new 'ca-bundle' dependency as all https connections are now validated by default * automatically select the download utility: 'aria2', 'curl', 'uclient-fetch' with libustream-* or wget are supported * track & ban failed LuCI login attempts as well * add a small log/banIP background monitor to block SSH/LuCI brute force attacks in realtime (disabled by default) * add a config version check (please update your default config!) * made the automatic wan detection more stable * fix the IPv6 logfile parser * fix the service status message * update readme Signed-off-by: Dirk Brenken <dev@brenken.org>
5 years ago
banip: update 0.1.5 * add extra options to control auto-addons to blacklist & whitelist ('ban_autoblacklist' & 'ban_autowhitelist', both enabled by default). If disabled auto-addons are only stored temporary in the black/whitelist ipset but not in the list itself, fixes #9631 * remove old, no longer needed procd workaround * remove 'zeus' source from default config (discontinued) Signed-off-by: Dirk Brenken <dev@brenken.org> Signed-off-by: Dirk Brenken <dev@brenken.org>
5 years ago
banip: update 0.3.0 * new 'ca-bundle' dependency as all https connections are now validated by default * automatically select the download utility: 'aria2', 'curl', 'uclient-fetch' with libustream-* or wget are supported * track & ban failed LuCI login attempts as well * add a small log/banIP background monitor to block SSH/LuCI brute force attacks in realtime (disabled by default) * add a config version check (please update your default config!) * made the automatic wan detection more stable * fix the IPv6 logfile parser * fix the service status message * update readme Signed-off-by: Dirk Brenken <dev@brenken.org>
5 years ago
banip: new package to block incoming & outgoing ip addresses a new script based package called "banIP" to block incoming & outgoing ip adresses/subnets via ipset. Features: * a shell script which uses ipset and iptables to ban a large number of IP addresses published in various IP blacklists (bogon, firehol etc.) * support blocking by ASN numbers * support blocking by iso country codes * support local white & blacklist (IPv4, IPv6 & CIDR notation) * auto-add unsuccessful ssh login attempts to local blacklist * auto-add the uplink subnet to local whitelist * per source configuration of SRC (incoming) and DST (outgoing) * supports IPv4 & IPv6 Strong LuCI support: * easy interface to track & change all aspects of your ipset configuration on the fly * integrated IPSet-Lookup * integrated RIPE-Lookup * Log-Viewer & online configuration of white- & blacklist LuCI-Screenshots will follow in the second post. Forum discussion: https://forum.openwrt.org/t/banip-new-project-needs-testers-feedback/16985 Signed-off-by: Dirk Brenken <dev@brenken.org>
6 years ago
banip: update 0.2.0 * remove 'http-only' mode, all sources are now fetched from https sites * the backup mode is now mandatory ('/tmp' is the default backup directory), always create and re-use backups if available. To force a re-download take the 'reload' action. * support 'sshd' in addition to 'dropbear' for logfile parsing to detect break-in events * always update the black-/whitelist with logfile parsing results in 'refresh' mode (no new downloads) * rework the return code handling * tweak procd trigger * various small fixes * (s)hellsheck cosmetics Signed-off-by: Dirk Brenken <dev@brenken.org>
5 years ago
banip: new package to block incoming & outgoing ip addresses a new script based package called "banIP" to block incoming & outgoing ip adresses/subnets via ipset. Features: * a shell script which uses ipset and iptables to ban a large number of IP addresses published in various IP blacklists (bogon, firehol etc.) * support blocking by ASN numbers * support blocking by iso country codes * support local white & blacklist (IPv4, IPv6 & CIDR notation) * auto-add unsuccessful ssh login attempts to local blacklist * auto-add the uplink subnet to local whitelist * per source configuration of SRC (incoming) and DST (outgoing) * supports IPv4 & IPv6 Strong LuCI support: * easy interface to track & change all aspects of your ipset configuration on the fly * integrated IPSet-Lookup * integrated RIPE-Lookup * Log-Viewer & online configuration of white- & blacklist LuCI-Screenshots will follow in the second post. Forum discussion: https://forum.openwrt.org/t/banip-new-project-needs-testers-feedback/16985 Signed-off-by: Dirk Brenken <dev@brenken.org>
6 years ago
banip: update 0.2.0 * remove 'http-only' mode, all sources are now fetched from https sites * the backup mode is now mandatory ('/tmp' is the default backup directory), always create and re-use backups if available. To force a re-download take the 'reload' action. * support 'sshd' in addition to 'dropbear' for logfile parsing to detect break-in events * always update the black-/whitelist with logfile parsing results in 'refresh' mode (no new downloads) * rework the return code handling * tweak procd trigger * various small fixes * (s)hellsheck cosmetics Signed-off-by: Dirk Brenken <dev@brenken.org>
5 years ago
banip: new package to block incoming & outgoing ip addresses a new script based package called "banIP" to block incoming & outgoing ip adresses/subnets via ipset. Features: * a shell script which uses ipset and iptables to ban a large number of IP addresses published in various IP blacklists (bogon, firehol etc.) * support blocking by ASN numbers * support blocking by iso country codes * support local white & blacklist (IPv4, IPv6 & CIDR notation) * auto-add unsuccessful ssh login attempts to local blacklist * auto-add the uplink subnet to local whitelist * per source configuration of SRC (incoming) and DST (outgoing) * supports IPv4 & IPv6 Strong LuCI support: * easy interface to track & change all aspects of your ipset configuration on the fly * integrated IPSet-Lookup * integrated RIPE-Lookup * Log-Viewer & online configuration of white- & blacklist LuCI-Screenshots will follow in the second post. Forum discussion: https://forum.openwrt.org/t/banip-new-project-needs-testers-feedback/16985 Signed-off-by: Dirk Brenken <dev@brenken.org>
6 years ago
banip: Added packet logging feature. Resolved shellcheck warnings. Signed-off-by: Richard Gering <rg4github@dutchies.us>
4 years ago
banip: new package to block incoming & outgoing ip addresses a new script based package called "banIP" to block incoming & outgoing ip adresses/subnets via ipset. Features: * a shell script which uses ipset and iptables to ban a large number of IP addresses published in various IP blacklists (bogon, firehol etc.) * support blocking by ASN numbers * support blocking by iso country codes * support local white & blacklist (IPv4, IPv6 & CIDR notation) * auto-add unsuccessful ssh login attempts to local blacklist * auto-add the uplink subnet to local whitelist * per source configuration of SRC (incoming) and DST (outgoing) * supports IPv4 & IPv6 Strong LuCI support: * easy interface to track & change all aspects of your ipset configuration on the fly * integrated IPSet-Lookup * integrated RIPE-Lookup * Log-Viewer & online configuration of white- & blacklist LuCI-Screenshots will follow in the second post. Forum discussion: https://forum.openwrt.org/t/banip-new-project-needs-testers-feedback/16985 Signed-off-by: Dirk Brenken <dev@brenken.org>
6 years ago
banip: update 0.2.0 * remove 'http-only' mode, all sources are now fetched from https sites * the backup mode is now mandatory ('/tmp' is the default backup directory), always create and re-use backups if available. To force a re-download take the 'reload' action. * support 'sshd' in addition to 'dropbear' for logfile parsing to detect break-in events * always update the black-/whitelist with logfile parsing results in 'refresh' mode (no new downloads) * rework the return code handling * tweak procd trigger * various small fixes * (s)hellsheck cosmetics Signed-off-by: Dirk Brenken <dev@brenken.org>
5 years ago
banip: update 0.3.0 * new 'ca-bundle' dependency as all https connections are now validated by default * automatically select the download utility: 'aria2', 'curl', 'uclient-fetch' with libustream-* or wget are supported * track & ban failed LuCI login attempts as well * add a small log/banIP background monitor to block SSH/LuCI brute force attacks in realtime (disabled by default) * add a config version check (please update your default config!) * made the automatic wan detection more stable * fix the IPv6 logfile parser * fix the service status message * update readme Signed-off-by: Dirk Brenken <dev@brenken.org>
5 years ago
banip: new package to block incoming & outgoing ip addresses a new script based package called "banIP" to block incoming & outgoing ip adresses/subnets via ipset. Features: * a shell script which uses ipset and iptables to ban a large number of IP addresses published in various IP blacklists (bogon, firehol etc.) * support blocking by ASN numbers * support blocking by iso country codes * support local white & blacklist (IPv4, IPv6 & CIDR notation) * auto-add unsuccessful ssh login attempts to local blacklist * auto-add the uplink subnet to local whitelist * per source configuration of SRC (incoming) and DST (outgoing) * supports IPv4 & IPv6 Strong LuCI support: * easy interface to track & change all aspects of your ipset configuration on the fly * integrated IPSet-Lookup * integrated RIPE-Lookup * Log-Viewer & online configuration of white- & blacklist LuCI-Screenshots will follow in the second post. Forum discussion: https://forum.openwrt.org/t/banip-new-project-needs-testers-feedback/16985 Signed-off-by: Dirk Brenken <dev@brenken.org>
6 years ago
banip: update 0.2.0 * remove 'http-only' mode, all sources are now fetched from https sites * the backup mode is now mandatory ('/tmp' is the default backup directory), always create and re-use backups if available. To force a re-download take the 'reload' action. * support 'sshd' in addition to 'dropbear' for logfile parsing to detect break-in events * always update the black-/whitelist with logfile parsing results in 'refresh' mode (no new downloads) * rework the return code handling * tweak procd trigger * various small fixes * (s)hellsheck cosmetics Signed-off-by: Dirk Brenken <dev@brenken.org>
5 years ago
banip: new package to block incoming & outgoing ip addresses a new script based package called "banIP" to block incoming & outgoing ip adresses/subnets via ipset. Features: * a shell script which uses ipset and iptables to ban a large number of IP addresses published in various IP blacklists (bogon, firehol etc.) * support blocking by ASN numbers * support blocking by iso country codes * support local white & blacklist (IPv4, IPv6 & CIDR notation) * auto-add unsuccessful ssh login attempts to local blacklist * auto-add the uplink subnet to local whitelist * per source configuration of SRC (incoming) and DST (outgoing) * supports IPv4 & IPv6 Strong LuCI support: * easy interface to track & change all aspects of your ipset configuration on the fly * integrated IPSet-Lookup * integrated RIPE-Lookup * Log-Viewer & online configuration of white- & blacklist LuCI-Screenshots will follow in the second post. Forum discussion: https://forum.openwrt.org/t/banip-new-project-needs-testers-feedback/16985 Signed-off-by: Dirk Brenken <dev@brenken.org>
6 years ago
banIP: release 0.1.0 * add automatic blocklist backup & restore, they will be used in case of download errors or during startup in backup mode * add a 'backup mode' to re-use blocklist backups during startup, get fresh lists via reload or restart action * procd interface trigger now supports multiple WAN interfaces * change URL for abuse.ch/feodo list source in default config * small fixes * update readme Signed-off-by: Dirk Brenken <dev@brenken.org>
6 years ago
banip: Added packet logging feature. Resolved shellcheck warnings. Signed-off-by: Richard Gering <rg4github@dutchies.us>
4 years ago
banIP: release 0.1.0 * add automatic blocklist backup & restore, they will be used in case of download errors or during startup in backup mode * add a 'backup mode' to re-use blocklist backups during startup, get fresh lists via reload or restart action * procd interface trigger now supports multiple WAN interfaces * change URL for abuse.ch/feodo list source in default config * small fixes * update readme Signed-off-by: Dirk Brenken <dev@brenken.org>
6 years ago
banip: Added packet logging feature. Resolved shellcheck warnings. Signed-off-by: Richard Gering <rg4github@dutchies.us>
4 years ago
banIP: release 0.1.0 * add automatic blocklist backup & restore, they will be used in case of download errors or during startup in backup mode * add a 'backup mode' to re-use blocklist backups during startup, get fresh lists via reload or restart action * procd interface trigger now supports multiple WAN interfaces * change URL for abuse.ch/feodo list source in default config * small fixes * update readme Signed-off-by: Dirk Brenken <dev@brenken.org>
6 years ago
banip: new package to block incoming & outgoing ip addresses a new script based package called "banIP" to block incoming & outgoing ip adresses/subnets via ipset. Features: * a shell script which uses ipset and iptables to ban a large number of IP addresses published in various IP blacklists (bogon, firehol etc.) * support blocking by ASN numbers * support blocking by iso country codes * support local white & blacklist (IPv4, IPv6 & CIDR notation) * auto-add unsuccessful ssh login attempts to local blacklist * auto-add the uplink subnet to local whitelist * per source configuration of SRC (incoming) and DST (outgoing) * supports IPv4 & IPv6 Strong LuCI support: * easy interface to track & change all aspects of your ipset configuration on the fly * integrated IPSet-Lookup * integrated RIPE-Lookup * Log-Viewer & online configuration of white- & blacklist LuCI-Screenshots will follow in the second post. Forum discussion: https://forum.openwrt.org/t/banip-new-project-needs-testers-feedback/16985 Signed-off-by: Dirk Brenken <dev@brenken.org>
6 years ago
banip: Added packet logging feature. Resolved shellcheck warnings. Signed-off-by: Richard Gering <rg4github@dutchies.us>
4 years ago
banip: update 0.2.0 * remove 'http-only' mode, all sources are now fetched from https sites * the backup mode is now mandatory ('/tmp' is the default backup directory), always create and re-use backups if available. To force a re-download take the 'reload' action. * support 'sshd' in addition to 'dropbear' for logfile parsing to detect break-in events * always update the black-/whitelist with logfile parsing results in 'refresh' mode (no new downloads) * rework the return code handling * tweak procd trigger * various small fixes * (s)hellsheck cosmetics Signed-off-by: Dirk Brenken <dev@brenken.org>
5 years ago
banip: new package to block incoming & outgoing ip addresses a new script based package called "banIP" to block incoming & outgoing ip adresses/subnets via ipset. Features: * a shell script which uses ipset and iptables to ban a large number of IP addresses published in various IP blacklists (bogon, firehol etc.) * support blocking by ASN numbers * support blocking by iso country codes * support local white & blacklist (IPv4, IPv6 & CIDR notation) * auto-add unsuccessful ssh login attempts to local blacklist * auto-add the uplink subnet to local whitelist * per source configuration of SRC (incoming) and DST (outgoing) * supports IPv4 & IPv6 Strong LuCI support: * easy interface to track & change all aspects of your ipset configuration on the fly * integrated IPSet-Lookup * integrated RIPE-Lookup * Log-Viewer & online configuration of white- & blacklist LuCI-Screenshots will follow in the second post. Forum discussion: https://forum.openwrt.org/t/banip-new-project-needs-testers-feedback/16985 Signed-off-by: Dirk Brenken <dev@brenken.org>
6 years ago
banip: Added packet logging feature. Resolved shellcheck warnings. Signed-off-by: Richard Gering <rg4github@dutchies.us>
4 years ago
banip: new package to block incoming & outgoing ip addresses a new script based package called "banIP" to block incoming & outgoing ip adresses/subnets via ipset. Features: * a shell script which uses ipset and iptables to ban a large number of IP addresses published in various IP blacklists (bogon, firehol etc.) * support blocking by ASN numbers * support blocking by iso country codes * support local white & blacklist (IPv4, IPv6 & CIDR notation) * auto-add unsuccessful ssh login attempts to local blacklist * auto-add the uplink subnet to local whitelist * per source configuration of SRC (incoming) and DST (outgoing) * supports IPv4 & IPv6 Strong LuCI support: * easy interface to track & change all aspects of your ipset configuration on the fly * integrated IPSet-Lookup * integrated RIPE-Lookup * Log-Viewer & online configuration of white- & blacklist LuCI-Screenshots will follow in the second post. Forum discussion: https://forum.openwrt.org/t/banip-new-project-needs-testers-feedback/16985 Signed-off-by: Dirk Brenken <dev@brenken.org>
6 years ago
banIP: release 0.1.0 * add automatic blocklist backup & restore, they will be used in case of download errors or during startup in backup mode * add a 'backup mode' to re-use blocklist backups during startup, get fresh lists via reload or restart action * procd interface trigger now supports multiple WAN interfaces * change URL for abuse.ch/feodo list source in default config * small fixes * update readme Signed-off-by: Dirk Brenken <dev@brenken.org>
6 years ago
banip: new package to block incoming & outgoing ip addresses a new script based package called "banIP" to block incoming & outgoing ip adresses/subnets via ipset. Features: * a shell script which uses ipset and iptables to ban a large number of IP addresses published in various IP blacklists (bogon, firehol etc.) * support blocking by ASN numbers * support blocking by iso country codes * support local white & blacklist (IPv4, IPv6 & CIDR notation) * auto-add unsuccessful ssh login attempts to local blacklist * auto-add the uplink subnet to local whitelist * per source configuration of SRC (incoming) and DST (outgoing) * supports IPv4 & IPv6 Strong LuCI support: * easy interface to track & change all aspects of your ipset configuration on the fly * integrated IPSet-Lookup * integrated RIPE-Lookup * Log-Viewer & online configuration of white- & blacklist LuCI-Screenshots will follow in the second post. Forum discussion: https://forum.openwrt.org/t/banip-new-project-needs-testers-feedback/16985 Signed-off-by: Dirk Brenken <dev@brenken.org>
6 years ago
 
  1. # banIP - ban incoming and/or outgoing ip adresses via ipsets

  2. 

  3. ## Description

  4. IP address blocking is commonly used to protect against brute force attacks, prevent disruptive or unauthorized address(es) from access or it can be used to restrict access to or from a particular geographic area — for example.  
  5. 

  6. ## Main Features

  7. * support many IP blocklist sources (free for private usage, for commercial use please check their individual licenses):
  8. * zero-conf like automatic installation & setup, usually no manual changes needed
  9. * automatically selects one of the following download utilities: aria2c, curl, uclient-fetch, wget
  10. * Really fast downloads & list processing as they are handled in parallel as background jobs in a configurable 'Download Queue'
  11. * full IPv4 and IPv6 support
  12. * ipsets (one per source) are used to ban a large number of IP addresses
  13. * supports blocking by ASN numbers
  14. * supports blocking by iso country codes
  15. * supports local white & blacklist (IPv4, IPv6 & CIDR notation), located by default in /etc/banip/banip.whitelist and /etc/banip/banip.blacklist
  16. * auto-add unsuccessful LuCI and ssh login attempts via 'dropbear' or 'sshd' to local blacklist (see 'ban_autoblacklist' option)
  17. * auto-add the uplink subnet to local whitelist (see 'ban_autowhitelist' option)
  18. * provides a small background log monitor to ban unsuccessful login attempts in real-time
  19. * per source configuration of SRC (incoming) and DST (outgoing)
  20. * integrated IPSet-Lookup
  21. * integrated RIPE-Lookup
  22. * blocklist source parsing by fast & flexible regex rulesets
  23. * minimal status & error logging to syslog, enable debug logging to receive more output
  24. * procd based init system support (start/stop/restart/reload/refresh/status)
  25. * procd network interface trigger support
  26. * automatic blocklist backup & restore, they will be used in case of download errors or during startup
  27. * output comprehensive runtime information via LuCI or via 'status' init command
  28. * strong LuCI support
  29. * optional: add new banIP sources on your own
  30. * optional: log banned inbound and/or outbound IP to syslog.
  31. 

  32. ## Prerequisites

  33. * [OpenWrt](https://openwrt.org), tested with the stable release series (19.07) and with the latest snapshot
  34. * download utility: 'uclient-fetch' with one of the 'libustream-*' ssl libraries, 'wget',  'aria2c' or 'curl' is required
  35. 

  36. ## Installation & Usage

  37. * install 'banip' (_opkg install banip_)
  38. * at minimum configure the needed IP blocklist sources, the download utility and enable the banIP service in _/etc/config/banip_
  39. * control the banip service manually with _/etc/init.d/banip_ start/stop/restart/reload/refresh/status or use the LuCI frontend
  40. 

  41. ## LuCI banIP companion package

  42. * it's recommended to use the provided LuCI frontend to control all aspects of banIP
  43. * install 'luci-app-banip' (_opkg install luci-app-banip_)
  44. * the application is located in LuCI under 'Services' menu
  45. 

  46. ## banIP config options

  47. * usually the pre-configured banIP setup works quite well and no manual overrides are needed
  48. * the following options apply to the 'global' config section:
  49.   * ban\_enabled => main switch to enable/disable banIP service (bool/default: '0', disabled)
  50.   * ban\_automatic => determine the L2/L3 WAN network device automatically (bool/default: '1', enabled)
  51.   * ban\_iface => space separated list of WAN network interface(s)/device(s) used by banIP (default: not set, automatically detected)
  52.   * ban\_realtime => a small log/banIP background monitor to block SSH/LuCI brute force attacks in realtime (bool/default: 'false', disabled)
  53.   * ban\_target\_src => action to perform when banning inbound IPv4 packets ('DROP'/'REJECT', default: 'DROP')
  54.   * ban\_target\_src\_6 => action to perform when banning inbound IPv6 packets ('DROP'/'REJECT', default: 'DROP')
  55.   * ban\_target\_dst => action to perform when banning outbound IPv4 packets ('DROP'/'REJECT', default: 'REJECT')
  56.   * ban\_target\_dst\_6 => action to perform when banning outbound IPv6 packets ('DROP'/'REJECT', default: 'REJECT')
  57.   * ban\_log\_src => switch to enable/disable logging of banned inbound IPv4 packets (bool/default: '0', disabled)
  58.   * ban\_log\_dst => switch to enable/disable logging of banned outbound IPv4 packets (bool/default: '0', disabled)
  59. 

  60. * the following options apply to the 'extra' config section:
  61.   * ban\_debug => enable/disable banIP debug output (bool/default: '0', disabled)
  62.   * ban\_nice => set the nice level of the banIP process and all sub-processes (int/default: '0', standard priority)
  63.   * ban\_triggerdelay => additional trigger delay in seconds before banIP processing begins (int/default: '2')
  64.   * ban\_backupdir => target directory for banIP backups (default: '/tmp')
  65.   * ban\_sshdaemon => select the SSH daemon for logfile parsing, 'dropbear' or 'sshd' (default: 'dropbear')
  66.   * ban\_starttype => select the used start type during boot, 'start', 'refresh' or 'reload' (default: 'start')
  67.   * ban\_maxqueue => size of the download queue to handle downloads & IPSet processing in parallel (int/default: '4')
  68.   * ban\_fetchutil => name of the used download utility: 'uclient-fetch', 'wget', 'curl', 'aria2c' (default: not set, automatically detected)
  69.   * ban\_fetchparm => special config options for the download utility (default: not set)
  70.   * ban\_autoblacklist => store auto-addons temporary in ipset and permanently in local blacklist as well (bool/default: '1', enabled)
  71.   * ban\_autowhitelist => store auto-addons temporary in ipset and permanently in local whitelist as well (bool/default: '1', enabled)
  72. 

  73. ## Logging of banned packets

  74. * by setting ban\_log\_src=1 / ban\_log\_dst=1 in the config options, banIP will log banned inbound / outbound packets to syslog.
  75. * example of a logged inbound (dst) and outbound (src) packet:
  76. <pre><code>
  77. Oct  2 12:49:14 gateway kernel: [434134.855130] REJECT(dst banIP) IN=br-lan OUT=br-wan MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=x.x.x.x DST=x.x.x.x LEN=100 TOS=0x00 PREC=0x00 TTL=63 ID=7938 PROTO=UDP SPT=16393 DPT=16393 LEN=80
  78. 

  79. Oct  3 14:11:13 gateway kernel: [11290.429712] DROP(src banIP) IN=br-wan OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=x.x.x.x DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=235 ID=63275 PROTO=TCP SPT=48246 DPT=37860 WINDOW=1024 RES=0x00 SYN URGP=0
  80. </code></pre>
  81. * to change the default logging behavior, the following options can be added to the 'global' config section:
  82.   * ban\_log\_src\_opts => IPv4 iptables LOG options for banned inbound packets (default: '-m limit --limit 10/sec')
  83.   * ban\_log\_src\_opts\_6 => IPv6 iptables LOG options for banned inbound packets (default: '-m limit --limit 10/sec')
  84.   * ban\_log\_src\_prefix (default: '<ban\_target\_src>(src banIP) ', typically 'DROP(src banIP) ')
  85.   * ban\_log\_src\_prefix\_6 (default: '<ban\_target\_src\_6>(src banIP) ', typically 'DROP('src banIP)' )
  86.   * ban\_log\_dst\_opts => IPv4 iptables LOG options for banned outbound packets (default: '-m limit --limit 10/sec')
  87.   * ban\_log\_dst\_opts\_6 => IPv6 iptables LOG options for banned outbound packets (default: '-m limit --limit 10/sec')
  88.   * ban\_log\_dst\_prefix (default: '<ban\_target\_dst>(dst banIP) ', typically 'REJECT(dst banIP) ')
  89.   * ban\_log\_dst\_prefix\_6 (default: '<ban\_target\_dst\_6>(dst banIP) ', typically 'REJECT('dst banIP)' )
  90. 

  91. ## Examples

  92. **receive banIP runtime information:**
  93. 

  94.     # /etc/init.d/banip status
  95.     ::: banIP runtime information
  96.       + status     : enabled
  97.       + version    : 0.3.0
  98.       + util_info  : /usr/bin/aria2c, true
  99.       + ipset_info : 10 IPSets with overall 106729 IPs/Prefixes
  100.       + backup_dir : /tmp
  101.       + last_run   : 03.10.2019 19:15:25
  102.       + system     : UBNT-ERX, OpenWrt SNAPSHOT r11102-ced4c0e635
  103. 

  104. **cronjob for a regular IPSet blocklist update (/etc/crontabs/root):**
  105. 

  106.     # Every day at 06:00, update the IPSets of banIP
  107.     00 06 * * *    /etc/init.d/banip reload
  108. 

  109. ## Support

  110. Please join the banIP discussion in this [forum thread](https://forum.openwrt.org/t/banip-support-thread/16985) or contact me by mail <dev@brenken.org>  
  111. 

  112. ## Removal

  113. * stop all banIP related services with _/etc/init.d/banip stop_
  114. * optional: remove the banip package (_opkg remove banip_)
  115. 

  116. Have fun!  
  117. Dirk