Browse Source

banip: update to 0.7.7

* add a "whitelist only" mode, this option allows to restrict Internet
  access from/to a small number of secure websites/IPs, and block access
  from/to the rest of the Internet.

Signed-off-by: Dirk Brenken <dev@brenken.org>
lilik-openwrt-22.03
Dirk Brenken 4 years ago
parent
commit
515397b009
No known key found for this signature in database GPG Key ID: 9D71CD547BFAE684
3 changed files with 91 additions and 66 deletions
  1. +2
    -2
      net/banip/Makefile
  2. +16
    -12
      net/banip/files/README.md
  3. +73
    -52
      net/banip/files/banip.sh

+ 2
- 2
net/banip/Makefile View File

@ -6,8 +6,8 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=banip
PKG_VERSION:=0.7.6
PKG_RELEASE:=2
PKG_VERSION:=0.7.7
PKG_RELEASE:=1
PKG_LICENSE:=GPL-3.0-or-later
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>


+ 16
- 12
net/banip/files/README.md View File

@ -50,6 +50,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
* auto-add unsuccessful LuCI, nginx or ssh login attempts via 'dropbear'/'sshd' to local blacklist
* auto-add the uplink subnet to local whitelist
* black- and whitelist also accept domain names as input to allow IP filtering based on these names
* supports a 'whitelist only' mode, this option allows to restrict Internet access from/to a small number of secure websites/IPs
* provides a small background log monitor to ban unsuccessful login attempts in real-time
* per source configuration of SRC (incoming) and DST (outgoing)
* integrated IPSet-Lookup
@ -122,6 +123,7 @@ Available commands:
| ban_logdst_enabled | option | 0 | enable the dst-related logchain |
| ban_autoblacklist | option | 1 | add suspicious IPs automatically to the local blacklist |
| ban_autowhitelist | option | 1 | add wan IPs/subnets automatically to the local whitelist |
| ban_whitelistonly | option | 0 | allow to restrict Internet access from/to a small number of secure websites/IPs |
| ban_maxqueue | option | 4 | size of the download queue to handle downloads and processing in parallel |
| ban_reportdir | option | /tmp/banIP-Report | directory where banIP stores the report files |
| ban_backupdir | option | /tmp/banIP-Backup | directory where banIP stores the compressed backup files |
@ -206,18 +208,17 @@ Available commands:
~# /etc/init.d/banip status
::: banIP runtime information
+ status : enabled
+ version : 0.7.5
+ ipset_info : 27 IPSets with 280704 IPs/Prefixes
+ active_sources : blacklist, country, darklist, debl, doh, drop, dshield, feodo, firehol1, greensnow, iblockspy, nix
spam, sslbl, talos, threat, tor, uceprotect1, voip, whitelist, yoyo
+ active_devs : eth3
+ active_ifaces : wan, wan6
+ active_logterms : dropbear, luci
+ active_subnets : xxx.xxx.x.xxx/24, xxxx:xxxx:xxxx:0:xxxx:xxxx:xxxx:xxxx/64
+ run_infos : settype: src+dst, backup_dir: /mnt/data/banIP/backup, report_dir: /mnt/data/banIP/report
+ run_flags : protocols (4/6): ✔/✔, log (src/dst): ✔/✘, monitor: ✔, mail: ✔
+ last_run : refresh, 0m 15s, 4019/3743/3784, 15.03.2021 09:28:01
+ system : PC Engines apu4, OpenWrt SNAPSHOT r16186-bf4aa0c6a2
+ version : 0.7.7
+ ipset_info : 2 IPSets with 30 IPs/Prefixes
+ active_sources : whitelist
+ active_devs : wlan0
+ active_ifaces : trm_wwan, trm_wwan6
+ active_logterms : dropbear, sshd, luci, nginx
+ active_subnets : xxx.xxx.xxx.xxx/24, xxxx:xxxx:xxxx:xx::xxx/128
+ run_infos : settype: src+dst, backup_dir: /tmp/banIP-Backup, report_dir: /tmp/banIP-Report
+ run_flags : protocols (4/6): ✔/✔, log (src/dst): ✔/✘, monitor: ✔, mail: ✘, whitelist only: ✔
+ last_run : restart, 0m 3s, 122/30/14, 21.04.2021 20:14:36
+ system : TP-Link RE650 v1, OpenWrt SNAPSHOT r16574-f7e00d81bc
</code></pre>
**black-/whitelist handling:**
@ -225,6 +226,9 @@ banIP supports a local black & whitelist (IPv4, IPv6, CIDR notation or domain na
Unsuccessful LuCI logins, suspicious nginx request or ssh login attempts via 'dropbear'/'sshd' could be tracked and automatically added to the local blacklist (see the 'ban_autoblacklist' option). Furthermore the uplink subnet could be automatically added to local whitelist (see 'ban_autowhitelist' option). The list behaviour could be further tweaked with different timeout and counter options (see the config options section above).
Last but not least, both lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be resolved in a detached background process and added to the IPsets. The detached name lookup takes place only during 'restart' or 'reload' action, 'start' and 'refresh' actions are using an auto-generated backup instead.
**whitelist-only mode:**
banIP supports a "whitelist only" mode. This option allows to restrict the internet access from/to a small number of secure websites/IPs, and block access from/to the rest of the internet. All IPs and Domains which are _not_ listed in the whitelist are blocked. Please note: suspend/resume does not work in this mode.
**generate an IPSet report:**
<pre><code>
~# /etc/init.d/banip report


+ 73
- 52
net/banip/files/banip.sh View File

@ -12,7 +12,7 @@
export LC_ALL=C
export PATH="/usr/sbin:/usr/bin:/sbin:/bin"
set -o pipefail
ban_ver="0.7.6"
ban_ver="0.7.7"
ban_enabled="0"
ban_mail_enabled="0"
ban_proto4_enabled="0"
@ -23,6 +23,7 @@ ban_monitor_enabled="0"
ban_autodetect="1"
ban_autoblacklist="1"
ban_autowhitelist="1"
ban_whitelistonly="0"
ban_logterms=""
ban_loglimit="100"
ban_ssh_logcount="3"
@ -240,7 +241,7 @@ f_conf()
fi
ban_localsources="${ban_localsources:-"maclist whitelist blacklist"}"
ban_logterms="${ban_logterms:-"dropbear sshd luci nginx"}"
f_log "debug" "f_conf ::: ifaces: ${ban_ifaces:-"-"}, chain: ${ban_chain}, set_type: ${ban_global_settype}, log_chains (src/dst): ${ban_logchain_src}/${ban_logchain_dst}, targets (src/dst): ${ban_target_src}/${ban_target_dst}"
f_log "debug" "f_conf ::: ifaces: ${ban_ifaces:-"-"}, chain: ${ban_chain}, set_type: ${ban_global_settype}, log_chains (src/dst): ${ban_logchain_src}/${ban_logchain_dst}, targets (src/dst): ${ban_target_src}/${ban_target_dst}, whitelist_only: ${ban_whitelistonly}"
f_log "debug" "f_conf ::: lan_inputs (4/6): ${ban_lan_inputchains_4}/${ban_lan_inputchains_6}, lan_forwards (4/6): ${ban_lan_forwardchains_4}/${ban_lan_forwardchains_6}, wan_inputs (4/6): ${ban_wan_inputchains_4}/${ban_wan_inputchains_6}, wan_forwards (4/6): ${ban_wan_forwardchains_4}/${ban_wan_forwardchains_6}"
f_log "debug" "f_conf ::: local_sources: ${ban_localsources:-"-"}, extra_sources: ${ban_extrasources:-"-"}, log_terms: ${ban_logterms:-"-"}, log_prefixes (src/dst): ${ban_logprefix_src}/${ban_logprefix_dst}, log_options (src/dst): ${ban_logopts_src}/${ban_logopts_dst}"
}
@ -547,8 +548,14 @@ f_iptables()
f_iptrule "-D" "${ban_chain}" "-o ${dev} -m set --match-set ${src_name} src -j RETURN"
elif [ "${src_name%_*}" = "whitelist" ]
then
f_iptrule "-D" "${ban_chain}" "-i ${dev} -m set --match-set ${src_name} src -j RETURN"
f_iptrule "-D" "${ban_chain}" "-o ${dev} -m set --match-set ${src_name} dst -j RETURN"
if [ "${ban_whitelistonly}" = "1" ]
then
f_iptrule "-D" "${ban_chain}" "-i ${dev} -m set ! --match-set ${src_name} src -j ${ban_logtarget_src}"
f_iptrule "-D" "${ban_chain}" "-o ${dev} -m set ! --match-set ${src_name} dst -j ${ban_logtarget_dst}"
else
f_iptrule "-D" "${ban_chain}" "-i ${dev} -m set --match-set ${src_name} src -j RETURN"
f_iptrule "-D" "${ban_chain}" "-o ${dev} -m set --match-set ${src_name} dst -j RETURN"
fi
else
f_iptrule "-D" "${ban_chain}" "-i ${dev} -m set --match-set ${src_name} src -j ${ban_logtarget_src}"
f_iptrule "-D" "${ban_chain}" "-o ${dev} -m set --match-set ${src_name} dst -j ${ban_logtarget_dst}"
@ -599,7 +606,12 @@ f_iptables()
elif [ "${src_name%_*}" = "whitelist" ]
then
pos="$(( $("${ipt_cmd}" "${timeout}" -vnL "${ban_chain}" --line-numbers | grep -cF "RETURN")+1))"
f_iptrule "-I" "${ban_chain}" "-i ${dev} -m set --match-set ${src_name} src -j RETURN" "${pos}"
if [ "${ban_whitelistonly}" = "1" ]
then
f_iptrule "-I" "${ban_chain}" "-i ${dev} -m set ! --match-set ${src_name} src -j ${ban_target_src}" "${pos}"
else
f_iptrule "-I" "${ban_chain}" "-i ${dev} -m set --match-set ${src_name} src -j RETURN" "${pos}"
fi
else
f_iptrule "${action:-"-A"}" "${ban_chain}" "-i ${dev} -m set --match-set ${src_name} src -j ${ban_target_src}"
fi
@ -612,7 +624,12 @@ f_iptables()
if [ "${src_name%_*}" = "whitelist" ]
then
pos="$(( $("${ipt_cmd}" "${timeout}" -vnL "${ban_chain}" --line-numbers | grep -cF "RETURN")+1))"
f_iptrule "-I" "${ban_chain}" "-o ${dev} -m set --match-set ${src_name} dst -j RETURN" "${pos}"
if [ "${ban_whitelistonly}" = "1" ]
then
f_iptrule "-I" "${ban_chain}" "-o ${dev} -m set ! --match-set ${src_name} dst -j ${ban_target_dst}" "${pos}"
else
f_iptrule "-I" "${ban_chain}" "-o ${dev} -m set --match-set ${src_name} dst -j RETURN" "${pos}"
fi
elif [ "${src_name}" != "maclist" ]
then
f_iptrule "${action:-"-A"}" "${ban_chain}" "-o ${dev} -m set --match-set ${src_name} dst -j ${ban_target_dst}"
@ -913,7 +930,7 @@ f_bgsrv()
local bg_pid action="${1}"
bg_pid="$(pgrep -f "^/bin/sh ${ban_logservice}|${ban_logread_cmd}|^grep -qE Exit before auth|^grep -qE error: maximum|^grep -qE luci: failed|^grep -qE nginx" | awk '{ORS=" "; print $1}')"
if [ "${action}" = "start" ] && [ -x "${ban_logservice}" ] && [ "${ban_monitor_enabled}" = "1" ]
if [ "${action}" = "start" ] && [ -x "${ban_logservice}" ] && [ "${ban_monitor_enabled}" = "1" ] && [ "${ban_whitelistonly}" = "0" ]
then
if [ -n "${bg_pid}" ]
then
@ -1269,7 +1286,7 @@ f_main()
fi
if [ "${ban_proto4_enabled}" = "1" ]
then
if [ "${src_name}" = "blacklist" ] && [ -s "${ban_blacklist}" ]
if [ "${src_name}" = "blacklist" ] && [ -s "${ban_blacklist}" ] && [ "${ban_whitelistonly}" = "0" ]
then
(
src_rule_4="/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add ${src_name}_4 \"\$1}"
@ -1290,7 +1307,7 @@ f_main()
fi
if [ "${ban_proto6_enabled}" = "1" ]
then
if [ "${src_name}" = "blacklist" ] && [ -s "${ban_blacklist}" ]
if [ "${src_name}" = "blacklist" ] && [ -s "${ban_blacklist}" ] && [ "${ban_whitelistonly}" = "0" ]
then
(
src_rule_6="/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print \"add ${src_name}_6 \"\$1}"
@ -1314,50 +1331,53 @@ f_main()
# loop over all external sources
#
for src_name in ${ban_sources}
do
# get source data from JSON file
#
json_select "${src_name}" >/dev/null 2>&1
if [ "${?}" != "0" ]
then
continue
fi
json_objects="url_4 rule_4 url_6 rule_6 comp"
for object in ${json_objects}
if [ "${ban_whitelistonly}" = "0" ]
then
for src_name in ${ban_sources}
do
eval json_get_var src_${object} "\${object}" >/dev/null 2>&1
done
json_select ..
# get source data from JSON file
#
json_select "${src_name}" >/dev/null 2>&1
if [ "${?}" != "0" ]
then
continue
fi
json_objects="url_4 rule_4 url_6 rule_6 comp"
for object in ${json_objects}
do
eval json_get_var src_${object} "\${object}" >/dev/null 2>&1
done
json_select ..
# handle external IPv4 source downloads in a subshell
#
if [ "${ban_proto4_enabled}" = "1" ] && [ -n "${src_url_4}" ] && [ -n "${src_rule_4}" ]
then
(
f_down "${src_name}" "4" "inet" "${src_url_4}" "${src_rule_4}" "${src_comp}"
)&
fi
# handle external IPv4 source downloads in a subshell
#
if [ "${ban_proto4_enabled}" = "1" ] && [ -n "${src_url_4}" ] && [ -n "${src_rule_4}" ]
then
(
f_down "${src_name}" "4" "inet" "${src_url_4}" "${src_rule_4}" "${src_comp}"
)&
fi
# handle external IPv6 source downloads in a subshell
#
if [ "${ban_proto6_enabled}" = "1" ] && [ -n "${src_url_6}" ] && [ -n "${src_rule_6}" ]
then
(
f_down "${src_name}" "6" "inet6" "${src_url_6}" "${src_rule_6}" "${src_comp}"
)&
fi
# handle external IPv6 source downloads in a subshell
#
if [ "${ban_proto6_enabled}" = "1" ] && [ -n "${src_url_6}" ] && [ -n "${src_rule_6}" ]
then
(
f_down "${src_name}" "6" "inet6" "${src_url_6}" "${src_rule_6}" "${src_comp}"
)&
fi
# control/limit download queues
#
hold=$((cnt%ban_maxqueue))
if [ "${hold}" = "0" ]
then
wait
fi
cnt=$((cnt+1))
done
wait
# control/limit download queues
#
hold=$((cnt%ban_maxqueue))
if [ "${hold}" = "0" ]
then
wait
fi
cnt=$((cnt+1))
done
wait
fi
# error out
#
@ -1635,6 +1655,7 @@ f_report()
json_select ".."
done
content="$(cat "${report_txt}" 2>/dev/null)"
rm -f "${report_txt}"
fi
# report output
@ -1726,7 +1747,7 @@ f_jsnup()
done
json_close_array
json_add_string "run_infos" "settype: ${ban_global_settype}, backup_dir: ${ban_backupdir}, report_dir: ${ban_reportdir}"
json_add_string "run_flags" "protocols (4/6): $(f_char ${ban_proto4_enabled})/$(f_char ${ban_proto6_enabled}), log (src/dst): $(f_char ${ban_logsrc_enabled})/$(f_char ${ban_logdst_enabled}), monitor: $(f_char ${ban_monitor_enabled}), mail: $(f_char ${ban_mail_enabled})"
json_add_string "run_flags" "protocols (4/6): $(f_char ${ban_proto4_enabled})/$(f_char ${ban_proto6_enabled}), log (src/dst): $(f_char ${ban_logsrc_enabled})/$(f_char ${ban_logdst_enabled}), monitor: $(f_char ${ban_monitor_enabled}), mail: $(f_char ${ban_mail_enabled}), whitelist only: $(f_char ${ban_whitelistonly})"
json_add_string "last_run" "${runtime:-"-"}"
json_add_string "system" "${ban_sysver}"
json_dump > "${ban_rtfile}"
@ -1783,7 +1804,7 @@ case "${ban_action}" in
f_main
;;
"suspend")
if [ "${ban_status}" = "enabled" ]
if [ "${ban_status}" = "enabled" ] && [ "${ban_whitelistonly}" = "0" ]
then
f_bgsrv "stop"
f_jsnup "running"
@ -1793,7 +1814,7 @@ case "${ban_action}" in
f_rmtmp
;;
"resume")
if [ "${ban_status}" = "paused" ]
if [ "${ban_status}" = "paused" ] && [ "${ban_whitelistonly}" = "0" ]
then
f_env
f_main


Loading…
Cancel
Save