Browse Source

Merge pull request #16489 from dibdot/banIP

banip: update 0.7.10
lilik-openwrt-22.03
Dirk Brenken 3 years ago
committed by GitHub
parent
commit
6b7193bbd1
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 697 additions and 1113 deletions
  1. +2
    -2
      net/banip/Makefile
  2. +42
    -97
      net/banip/files/banip.dns
  3. +5
    -9
      net/banip/files/banip.hotplug
  4. +74
    -126
      net/banip/files/banip.init
  5. +24
    -46
      net/banip/files/banip.mail
  6. +17
    -25
      net/banip/files/banip.service
  7. +530
    -805
      net/banip/files/banip.sh
  8. +3
    -3
      net/banip/files/banip.sources

+ 2
- 2
net/banip/Makefile View File

@ -6,8 +6,8 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=banip
PKG_VERSION:=0.7.9
PKG_RELEASE:=2
PKG_VERSION:=0.7.10
PKG_RELEASE:=1
PKG_LICENSE:=GPL-3.0-or-later
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>


+ 42
- 97
net/banip/files/banip.dns View File

@ -1,122 +1,67 @@
#!/bin/sh
# helper script to resolve domains for adding to banIP-related IPSets
# written by Dirk Brenken (dev@brenken.org)
#
# Copyright (c) 2020-2021 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3.
#
# (s)hellcheck exceptions
# shellcheck disable=1091,2030,2031,2034,2039,2086,2129,2140,2143,2154,2181,2183,2188
# shellcheck disable=1091,3040
export LC_ALL=C
export PATH="/usr/sbin:/usr/bin:/sbin:/bin"
set -o pipefail
if [ -r "/lib/functions.sh" ]
then
. "/lib/functions.sh"
ban_debug="$(uci_get banip global ban_debug "0")"
ban_tmpbase="$(uci_get banip global ban_tmpbase "/tmp")"
ban_backupdir="$(uci_get banip global ban_backupdir "${ban_tmpbase}/banIP-Backup")"
ban_proto4_enabled="$(uci_get banip global ban_proto4_enabled "0")"
ban_proto6_enabled="$(uci_get banip global ban_proto6_enabled "0")"
else
exit 1
fi
ban_ver="${1}"
ban_action="${2}"
ban_src_name="${3}"
ban_src_file="${4}"
. "/lib/functions.sh"
ban_action="${1}"
ban_src_name="${2}"
ban_src_file="${3}"
ban_tmpbase="$(uci_get banip global ban_tmpbase "/tmp")"
ban_backupdir="$(uci_get banip global ban_backupdir "${ban_tmpbase}/banIP-Backup")"
ban_proto4_enabled="$(uci_get banip global ban_proto4_enabled "0")"
ban_proto6_enabled="$(uci_get banip global ban_proto6_enabled "0")"
ban_ipset_cmd="$(command -v ipset)"
ban_lookup_cmd="$(command -v nslookup)"
ban_logger_cmd="$(command -v logger)"
ban_rc=1
f_log()
{
local class="${1}" log_msg="${2}"
if [ -n "${log_msg}" ] && { [ "${class}" != "debug" ] || [ "${ban_debug}" = "1" ]; }
then
if [ -x "${ban_logger_cmd}" ]
then
"${ban_logger_cmd}" -p "${class}" -t "banIP-${ban_ver%-*}[${$}]" "${log_msg}"
else
printf "%s %s %s\n" "${class}" "banIP-${ban_ver%-*}[${$}]" "${log_msg}"
fi
fi
}
if [ "${ban_action}" = "start" ] || [ "${ban_action}" = "refresh" ]
then
for proto in "4" "6"
do
if [ -s "${ban_backupdir}/banIP.${ban_src_name}_addon_${proto}.gz" ]
then
gzip -df "${ban_backupdir}/banIP.${ban_src_name}_addon_${proto}.gz"
if [ "${?}" = "0" ]
then
ban_rc=0
else
ban_rc=1
break
fi
if [ "${ban_action}" = "start" ] || [ "${ban_action}" = "refresh" ]; then
for proto in "4" "6"; do
if { [ "${proto}" = "4" ] && [ "${ban_proto4_enabled}" = "1" ]; } ||
{ [ "${proto}" = "6" ] && [ "${ban_proto6_enabled}" = "1" ]; }; then
gzip -df "${ban_backupdir}/banIP.${ban_src_name}_addon_${proto}.gz" 2>/dev/null
fi
done
fi
if [ "${ban_rc}" = "1" ]
then
> "${ban_backupdir}/banIP.${ban_src_name}_addon_4"
> "${ban_backupdir}/banIP.${ban_src_name}_addon_6"
while read -r domain
do
update_ips=""
result="$("${ban_lookup_cmd}" "${domain}" 2>/dev/null; printf "%s" "${?}")"
if [ "$(printf "%s" "${result}" | tail -1)" = "0" ]
then
if { [ "${ban_proto4_enabled}" = "1" ] && [ ! -s "${ban_backupdir}/banIP.${ban_src_name}_addon_4" ]; } ||
{ [ "${ban_proto6_enabled}" = "1" ] && [ ! -s "${ban_backupdir}/banIP.${ban_src_name}_addon_6" ]; }; then
[ -s "${ban_backupdir}/banIP.${ban_src_name}_addon_4" ] && : > "${ban_backupdir}/banIP.${ban_src_name}_addon_4"
[ -s "${ban_backupdir}/banIP.${ban_src_name}_addon_6" ] && : > "${ban_backupdir}/banIP.${ban_src_name}_addon_6"
while read -r domain; do
result="$(
"${ban_lookup_cmd}" "${domain}" 2>/dev/null
printf "%s" "${?}"
)"
if [ "$(printf "%s" "${result}" | tail -1)" = "0" ]; then
ips="$(printf "%s" "${result}" | awk '/^Address[ 0-9]*: /{ORS=" ";print $NF}')"
for ip in ${ips}
do
for proto in "4" "6"
do
if { [ "${proto}" = "4" ] && [ "${ban_proto4_enabled}" = "1" ] && \
[ -n "$("${ban_ipset_cmd}" -q -n list "${ban_src_name}_${proto}")" ] && \
[ -n "$(printf "%s" "${ip}" | awk '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print $1}')" ]; } || \
{ [ "${proto}" = "6" ] && [ "${ban_proto6_enabled}" = "1" ] && \
[ -n "$("${ban_ipset_cmd}" -q -n list "${ban_src_name}_${proto}")" ] && \
[ -z "$(printf "%s" "${ip}" | awk '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print $1}')" ]; }
then
printf "%s\n" "add ${ban_src_name}_${proto} ${ip}" >> "${ban_backupdir}/banIP.${ban_src_name}_addon_${proto}"
if [ -z "${update_ips}" ]
then
update_ips="${ip}"
else
update_ips="${update_ips}, ${ip}"
fi
for ip in ${ips}; do
for proto in "4" "6"; do
if { [ "${proto}" = "4" ] && [ "${ban_proto4_enabled}" = "1" ] && [ -n "$("${ban_ipset_cmd}" -q -n list "${ban_src_name}_${proto}")" ] &&
[ -n "$(printf "%s" "${ip}" | awk '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print $1}')" ]; } ||
{ [ "${proto}" = "6" ] && [ "${ban_proto6_enabled}" = "1" ] && [ -n "$("${ban_ipset_cmd}" -q -n list "${ban_src_name}_${proto}")" ] &&
[ -n "$(printf "%s" "${ip}" | awk '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print $1}')" ]; }; then
printf "%s\n" "add ${ban_src_name}_${proto} ${ip}" >>"${ban_backupdir}/banIP.${ban_src_name}_addon_${proto}"
fi
done
done
if [ -n "${update_ips}" ]
then
ban_rc=0
f_log "debug" "dns_imp ::: source '${ban_src_name}' supplemented by '${domain}' (${update_ips})"
fi
fi
done < "${ban_src_file}"
done <"${ban_src_file}"
fi
if [ "${ban_rc}" = "0" ]
then
for proto in "4" "6"
do
if [ -n "$("${ban_ipset_cmd}" -q -n list "${ban_src_name}_${proto}")" ] && [ -s "${ban_backupdir}/banIP.${ban_src_name}_addon_${proto}" ]
then
"${ban_ipset_cmd}" -q -! restore < "${ban_backupdir}/banIP.${ban_src_name}_addon_${proto}"
gzip -f "${ban_backupdir}/banIP.${ban_src_name}_addon_${proto}"
fi
rm -f "${ban_backupdir}/banIP.${ban_src_name}_addon_${proto}"
done
fi
f_log "info" "banIP domain import for source '${ban_src_name}' has been finished with rc '${ban_rc}'"
for proto in "4" "6"; do
if [ -n "$("${ban_ipset_cmd}" -q -n list "${ban_src_name}_${proto}")" ] && [ -s "${ban_backupdir}/banIP.${ban_src_name}_addon_${proto}" ]; then
"${ban_ipset_cmd}" -q -! restore <"${ban_backupdir}/banIP.${ban_src_name}_addon_${proto}"
gzip -f "${ban_backupdir}/banIP.${ban_src_name}_addon_${proto}"
fi
done
"${ban_logger_cmd}" -p "info" -t "banIP-resolve [${$}]" "banIP domain import for source '${ban_src_name}' has been finished" 2>/dev/null
rm -f "${ban_src_file}"
exit "${ban_rc}"

+ 5
- 9
net/banip/files/banip.hotplug View File

@ -1,14 +1,10 @@
#!/bin/sh
#
ban_pidfile="/var/run/banip.pid"
ban_enabled="$(/etc/init.d/banip enabled; printf "%u" "${?}")"
# firewall hotplug script for banIP
# Copyright (c) 2019-2021 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3.
if [ "${ban_enabled}" = "0" ] && [ "${ACTION}" = "add" ] && [ -n "${INTERFACE}" ]
then
ban_ifaces="$(uci_get banip global ban_ifaces)"
if [ ! -s "${ban_pidfile}" ] && [ -n "$(printf "%s\n" "${ban_ifaces}" | grep -F "${INTERFACE}")" ]
then
if /etc/init.d/banip enabled && [ "${ACTION}" = "add" ] && [ -n "${INTERFACE}" ]; then
if [ ! -s "/var/run/banip.pid" ] && uci_get banip global ban_ifaces | grep -q "${INTERFACE}"; then
/etc/init.d/banip refresh
fi
fi
exit 0

+ 74
- 126
net/banip/files/banip.init View File

@ -1,16 +1,14 @@
#!/bin/sh /etc/rc.common
# written by Dirk Brenken (dev@brenken.org)
#
# Copyright (c) 2018-2021 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3.
#
# (s)hellcheck exceptions
# shellcheck disable=1091,2030,2031,2034,2039,2086,2129,2140,2143,2154,2181,2183,2188
# shellcheck disable=1091,2034,3043,3057,3060
START=30
USE_PROCD=1
if [ -n "$(type -t extra_command)" ]
then
if type extra_command >/dev/null 2>&1; then
extra_command "refresh" "Refresh ipsets without new list downloads"
extra_command "suspend" "Suspend banIP processing"
extra_command "resume" "Resume banIP processing"
@ -18,7 +16,6 @@ then
extra_command "report" "[<cli>|<mail>|<gen>|<json>] Print banIP related IPset statistics"
extra_command "list" "[<add>|<add_asn>|<add_country>|<remove>|<remove_asn>|<remove_country>] <source(s)> List/Edit available sources"
extra_command "timer" "[<add> <tasks> <hour> [<minute>] [<weekday>]]|[<remove> <line no.>] List/Edit cron update intervals"
extra_command "version" "Print version information"
else
EXTRA_COMMANDS="status refresh suspend resume query report list timer version"
EXTRA_HELP=" status Service status
@ -28,34 +25,28 @@ else
query <IP> Query active banIP IPSets for a specific IP address
report [<cli>|<mail>|<gen>|<json>] Print banIP related IPset statistics
list [<add>|<add_asn>|<add_country>|<remove>|<remove_asn>|<remove_country>] <source(s)> List/Edit available sources
timer [<add> <tasks> <hour> [<minute>] [<weekday>]]|[<remove> <line no.>] List/Edit cron update intervals
version Print version information"
timer [<add> <tasks> <hour> [<minute>] [<weekday>]]|[<remove> <line no.>] List/Edit cron update intervals"
fi
ban_init="/etc/init.d/banip"
ban_script="/usr/bin/banip.sh"
ban_pidfile="/var/run/banip.pid"
if [ -s "${ban_pidfile}" ] && { [ "${action}" = "start" ] || [ "${action}" = "stop" ] || \
[ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "refresh" ] || \
[ "${action}" = "suspend" ] || [ "${action}" = "resume" ] || [ "${action}" = "query" ] || \
{ [ "${action}" = "list" ] && [ -n "${1}" ]; } || { [ "${action}" = "report" ] && [ "${1}" != "json" ]; }; }
then
if [ -s "${ban_pidfile}" ] && { [ "${action}" = "start" ] || [ "${action}" = "stop" ] ||
[ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "refresh" ] ||
[ "${action}" = "suspend" ] || [ "${action}" = "resume" ] || [ "${action}" = "query" ] ||
{ [ "${action}" = "list" ] && [ -n "${1}" ]; } || { [ "${action}" = "report" ] && [ "${1}" != "json" ]; }; }; then
exit 0
fi
boot()
{
> "${ban_pidfile}"
boot() {
: >"${ban_pidfile}"
rc_procd start_service
}
start_service()
{
if [ "$("${ban_init}" enabled; printf "%u" ${?})" = "0" ]
then
if [ "${action}" = "boot" ]
then
start_service() {
if "${ban_init}" enabled; then
if [ "${action}" = "boot" ]; then
return 0
fi
procd_open_instance "banip"
@ -68,102 +59,84 @@ start_service()
fi
}
version()
{
version() {
rc_procd "${ban_script}" version
}
refresh()
{
refresh() {
rc_procd start_service refresh
}
reload_service()
{
reload_service() {
rc_procd start_service reload
}
stop_service()
{
stop_service() {
rc_procd "${ban_script}" stop
}
restart()
{
restart() {
rc_procd start_service restart
}
suspend()
{
suspend() {
rc_procd start_service suspend
}
resume()
{
resume() {
rc_procd start_service resume
}
query()
{
query() {
rc_procd "${ban_script}" query "${1}"
}
list()
{
local src_archive src_file src_enabled key name enabled focus url_4 rule_4 url_6 rule_6 action="${1}"
list() {
local src_archive src_file src_enabled key name enabled focus descurl url_4 rule_4 url_6 rule_6 action="${1}"
if [ "${action%_*}" = "add" ] || [ "${action%_*}" = "remove" ]
then
if [ "${action%_*}" = "add" ] || [ "${action%_*}" = "remove" ]; then
shift
for name in "${@}"
do
for name in "${@}"; do
case "${action}" in
"add")
if [ -z "$(uci_get banip global ban_sources | grep -Fo "${name}")" ]
then
if ! uci_get banip global ban_sources | grep -q "${name}"; then
uci_add_list banip global ban_sources "${name}"
printf "%s\n" "::: banIP source '${name}' added to config"
fi
;;
;;
"remove")
if [ -n "$(uci_get banip global ban_sources | grep -Fo "${name}")" ]
then
if uci_get banip global ban_sources | grep -q "${name}"; then
uci_remove_list banip global ban_sources "${name}"
printf "%s\n" "::: banIP source '${name}' removed from config"
fi
;;
;;
"add_asn")
if [ -z "$(uci_get banip global ban_asns | grep -Fo "${name}")" ]
then
if ! uci_get banip global ban_asns | grep -q "${name}"; then
uci_add_list banip global ban_asns "${name}"
printf "%s\n" "::: banIP asn '${name}' added to config"
fi
;;
;;
"remove_asn")
if [ -n "$(uci_get banip global ban_asns | grep -Fo "${name}")" ]
then
if uci_get banip global ban_asns | grep -q "${name}"; then
uci_remove_list banip global ban_asns "${name}"
printf "%s\n" "::: banIP asn '${name}' removed from config"
fi
;;
;;
"add_country")
if [ -z "$(uci_get banip global ban_countries | grep -Fo "${name}")" ]
then
if ! uci_get banip global ban_countries | grep -q "${name}"; then
uci_add_list banip global ban_countries "${name}"
printf "%s\n" "::: banIP country '${name}' added to config"
fi
;;
;;
"remove_country")
if [ -n "$(uci_get banip global ban_countries | grep -Fo "${name}")" ]
then
if uci_get banip global ban_countries | grep -q "${name}"; then
uci_remove_list banip global ban_countries "${name}"
printf "%s\n" "::: banIP country '${name}' removed from config"
fi
;;
;;
esac
done
if [ -n "$(uci -q changes banip)" ]
then
if [ -n "$(uci -q changes banip)" ]; then
uci_commit banip
"${ban_init}" start
fi
@ -171,24 +144,21 @@ list()
src_archive="$(uci_get banip global ban_srcarc "/etc/banip/banip.sources.gz")"
src_file="$(uci_get banip global ban_srcfile "/tmp/ban_sources.json")"
src_enabled="$(uci -q show banip.global.ban_sources)"
if [ -r "${src_archive}" ]
then
zcat "${src_archive}" > "${src_file}"
if [ -r "${src_archive}" ]; then
zcat "${src_archive}" >"${src_file}"
else
printf "%s\n" "::: banIP source archive '${src_archive}' not found"
fi
if [ -r "${src_file}" ]
then
if [ -r "${src_file}" ]; then
src_enabled="${src_enabled#*=}"
src_enabled="${src_enabled//\'}"
src_enabled="${src_enabled//\'/}"
printf "%s\n" "::: Available banIP sources"
printf "%s\n" ":::"
printf "%-25s%-10s%-36s%s\n" " Name" "Enabled" "Focus" "Info URL"
printf "%s\n" " ---------------------------------------------------------------------------"
json_load_file "${src_file}"
json_get_keys keylist
for key in ${keylist}
do
for key in ${keylist}; do
json_select "${key}"
json_get_var focus "focus"
json_get_var descurl "descurl"
@ -196,15 +166,13 @@ list()
json_get_var rule_4 "rule_4"
json_get_var url_6 "url_6"
json_get_var rule_6 "rule_6"
if { [ -n "${url_4}" ] && [ -n "${rule_4}" ]; } || { [ -n "${url_6}" ] && [ -n "${rule_6}" ]; }
then
if [ -n "$(printf "%s" "${src_enabled}" | grep -Fo "${key}")" ]
then
if { [ -n "${url_4}" ] && [ -n "${rule_4}" ]; } || { [ -n "${url_6}" ] && [ -n "${rule_6}" ]; }; then
if printf "%s" "${src_enabled}" | grep -q "${key}"; then
enabled="x"
else
enabled=" "
fi
src_enabled="${src_enabled/${key}}"
src_enabled="${src_enabled/${key}/}"
printf " + %-21s%-10s%-36s%s\n" "${key:0:20}" "${enabled}" "${focus:0:35}" "${descurl:0:50}"
else
src_enabled="${src_enabled} ${key}"
@ -217,13 +185,11 @@ list()
printf " * %s\n" "Configured ASNs: ${asn_list// /, }"
printf " * %s\n" "Configured Countries: ${country_list// /, }"
if [ -n "${src_enabled// }" ]
then
if [ -n "${src_enabled// /}" ]; then
printf "%s\n" " ---------------------------------------------------------------------------"
printf "%s\n" " Sources without valid configuration"
printf "%s\n" " ---------------------------------------------------------------------------"
for key in ${src_enabled}
do
for key in ${src_enabled}; do
printf " - %s\n" "${key:0:20}"
done
fi
@ -233,41 +199,34 @@ list()
fi
}
status()
{
status() {
status_service
}
status_service()
{
local key keylist value index_value values rtfile
status_service() {
local key keylist type value index_value values rtfile
rtfile="$(uci_get banip global ban_rtfile "/tmp/ban_runtime.json")"
json_load_file "${rtfile}" >/dev/null 2>&1
json_get_keys keylist
if [ -n "${keylist}" ]
then
if [ -n "${keylist}" ]; then
printf "%s\n" "::: banIP runtime information"
for key in ${keylist}
do
for key in ${keylist}; do
json_get_var value "${key}" >/dev/null 2>&1
if [ "${key%_*}" = "active" ]
then
if [ "${key%_*}" = "active" ]; then
printf " + %-15s : " "${key}"
json_select "${key}" >/dev/null 2>&1
values=""
index=1
while json_get_type type "${index}" && [ "${type}" = "object" ]
do
while json_get_type type "${index}" && [ "${type}" = "object" ]; do
json_get_values index_value "${index}" >/dev/null 2>&1
if [ "${index}" = "1" ]
then
if [ "${index}" = "1" ]; then
values="${index_value}"
else
values="${values}, ${index_value}"
fi
index=$((index+1))
index=$((index + 1))
done
values="$(printf "%s" "${values}" | awk '{NR=1;max=98;if(length($0)>max+1)while($0){if(NR==1){print substr($0,1,max)}else{printf"%-22s%s\n","",substr($0,1,max)}{$0=substr($0,max+1);NR=NR+1}}else print}')"
printf "%s\n" "${values:-"-"}"
@ -281,64 +240,53 @@ status_service()
fi
}
report()
{
report() {
rc_procd "${ban_script}" report "${1:-"cli"}"
}
timer()
{
timer() {
local cron_file cron_content cron_lineno action="${1:-"list"}" cron_tasks="${2}" hour="${3}" minute="${4:-0}" weekday="${5:-"*"}"
cron_file="/etc/crontabs/root"
if [ -s "${cron_file}" ] && [ "${action}" = "list" ]
then
if [ -s "${cron_file}" ] && [ "${action}" = "list" ]; then
awk '{print NR "> " $0}' "${cron_file}"
elif [ "${action}" = "add" ]
then
elif [ "${action}" = "add" ]; then
hour="${hour//[[:alpha:]]/}"
minute="${minute//[[:alpha:]]/}"
if [ -n "${cron_tasks}" ] && [ -n "${hour}" ] && [ -n "${minute}" ] && [ -n "${weekday}" ] && \
[ "${hour}" -ge 0 ] && [ "${hour}" -le 23 ] && \
[ "${minute}" -ge 0 ] && [ "${minute}" -le 59 ]
then
printf "%02d %02d %s\n" "${minute}" "${hour}" "* * ${weekday} ${ban_init} ${cron_tasks}" >> "${cron_file}"
if [ -n "${cron_tasks}" ] && [ -n "${hour}" ] && [ -n "${minute}" ] && [ -n "${weekday}" ] &&
[ "${hour}" -ge 0 ] && [ "${hour}" -le 23 ] &&
[ "${minute}" -ge 0 ] && [ "${minute}" -le 59 ]; then
printf "%02d %02d %s\n" "${minute}" "${hour}" "* * ${weekday} ${ban_init} ${cron_tasks}" >>"${cron_file}"
/etc/init.d/cron restart
fi
elif [ -s "${cron_file}" ] && [ "${action}" = "remove" ]
then
elif [ -s "${cron_file}" ] && [ "${action}" = "remove" ]; then
cron_tasks="${cron_tasks//[[:alpha:]]/}"
cron_lineno="$(awk 'END{print NR}' "${cron_file}")"
cron_content="$(awk '{print $0}' "${cron_file}")"
if [ "${cron_tasks:-"0"}" -le "${cron_lineno:-"1"}" ] && [ -n "${cron_content}" ]
then
printf "%s\n" "${cron_content}" | awk "NR!~/^${cron_tasks}$/" > "${cron_file}"
if [ "${cron_tasks:-"0"}" -le "${cron_lineno:-"1"}" ] && [ -n "${cron_content}" ]; then
printf "%s\n" "${cron_content}" | awk "NR!~/^${cron_tasks}$/" >"${cron_file}"
/etc/init.d/cron restart
fi
fi
}
service_triggers()
{
service_triggers() {
local iface delay
iface="$(uci_get banip global ban_trigger)"
delay="$(uci_get banip global ban_triggerdelay "5")"
PROCD_RELOAD_DELAY=$((delay*1000))
PROCD_RELOAD_DELAY=$((delay * 1000))
if [ -z "${iface}" ]
then
if [ -z "${iface}" ]; then
. "/lib/functions/network.sh"
network_find_wan iface
if [ -n "${iface}" ]
then
if [ -n "${iface}" ]; then
uci_set banip global ban_trigger "${iface}"
uci_commit "banip"
fi
fi
if [ -n "${iface}" ]
then
if [ -n "${iface}" ]; then
procd_add_interface_trigger "interface.*.up" "${iface}" "${ban_init}" "start"
fi
procd_add_reload_trigger "banip"


+ 24
- 46
net/banip/files/banip.mail View File

@ -1,52 +1,35 @@
#!/bin/sh
# send mail script for banIP notifications
# written by Dirk Brenken (dev@brenken.org)
#
# Copyright (c) 2020-2021 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3.
#
# (s)hellcheck exceptions
# shellcheck disable=1091,2030,2031,2034,2039,2086,2129,2140,2143,2154,2181,2183,2188
# shellcheck disable=1091,3040
# Please note: you have to setup the package 'msmtp' before using this script
export LC_ALL=C
export PATH="/usr/sbin:/usr/bin:/sbin:/bin"
set -o pipefail
if [ -r "/lib/functions.sh" ]
then
. "/lib/functions.sh"
ban_debug="$(uci_get banip global ban_debug "0")"
ban_loglimit="$(uci_get banip global ban_loglimit "100")"
ban_mailsender="$(uci_get banip global ban_mailsender "no-reply@banIP")"
ban_mailreceiver="$(uci_get banip global ban_mailreceiver)"
ban_mailtopic="$(uci_get banip global ban_mailtopic "banIP notification")"
ban_mailprofile="$(uci_get banip global ban_mailprofile "ban_notify")"
fi
ban_ver="${1}"
. "/lib/functions.sh"
ban_debug="$(uci_get banip global ban_debug "0")"
ban_loglimit="$(uci_get banip global ban_loglimit "100")"
ban_mailsender="$(uci_get banip global ban_mailsender "no-reply@banIP")"
ban_mailreceiver="$(uci_get banip global ban_mailreceiver)"
ban_mailtopic="$(uci_get banip global ban_mailtopic "banIP notification")"
ban_mailprofile="$(uci_get banip global ban_mailprofile "ban_notify")"
ban_mail="$(command -v msmtp)"
ban_logger="$(command -v logger)"
ban_logread="$(command -v logread)"
ban_rc=1
f_log()
{
local class="${1}" log_msg="${2}"
if [ -x "${ban_logger}" ]
then
"${ban_logger}" -p "${class}" -t "banIP-${ban_ver%-*}[${$}]" "${log_msg}"
else
printf "%s %s %s\n" "${class}" "banIP-${ban_ver%-*}[${$}]" "${log_msg}"
fi
}
if [ -z "${ban_mailreceiver}" ]
then
if [ -z "${ban_mailreceiver}" ]; then
f_log "err" "please set the mail receiver with the 'ban_mailreceiver' option"
exit ${ban_rc}
exit 1
fi
if [ "${ban_debug}" = "1" ]
then
if [ "${ban_debug}" = "1" ]; then
msmtp_debug="--debug"
fi
@ -54,9 +37,12 @@ ban_mailhead="From: ${ban_mailsender}\nTo: ${ban_mailreceiver}\nSubject: ${ban_m
# info preparation
#
sys_info="$(strings /etc/banner 2>/dev/null)"
sys_info="$(
strings /etc/banner 2>/dev/null
ubus call system board | awk 'BEGIN{FS="[{}\"]"}{if($2=="kernel"||$2=="hostname"||$2=="system"||$2=="model"||$2=="description")printf " + %-12s: %s\n",$2,$4}'
)"
ban_info="$(/etc/init.d/banip "status" 2>/dev/null)"
rep_info="${2}"
rep_info="${1}"
log_info="$("${ban_logread}" -l "${ban_loglimit}" -e "banIP-" 2>/dev/null | awk '{NR=1;max=120;if(length($0)>max+1)while($0){if(NR==1){print substr($0,1,max)}else{print substr($0,1,max)}{$0=substr($0,max+1);NR=NR+1}}else print}')"
# mail body
@ -64,8 +50,7 @@ log_info="$("${ban_logread}" -l "${ban_loglimit}" -e "banIP-" 2>/dev/null | awk
ban_mailtext="<html><body><pre style='display:block;font-family:monospace;font-size:1rem;padding:20;background-color:#f3eee5;white-space:pre'>"
ban_mailtext="${ban_mailtext}\n<strong>++\n++ System Information ++\n++</strong>\n${sys_info}"
ban_mailtext="${ban_mailtext}\n\n<strong>++\n++ banIP Status ++\n++</strong>\n${ban_info}"
if [ -n "${rep_info}" ]
then
if [ -n "${rep_info}" ]; then
ban_mailtext="${ban_mailtext}\n\n<strong>++\n++ banIP Report ++\n++</strong>\n${rep_info}"
fi
ban_mailtext="${ban_mailtext}\n\n<strong>++\n++ Logfile Information ++\n++</strong>\n${log_info}"
@ -73,12 +58,5 @@ ban_mailtext="${ban_mailtext}</pre></body></html>"
# send mail
#
if [ -x "${ban_mail}" ]
then
printf "%b" "${ban_mailhead}${ban_mailtext}" 2>/dev/null | "${ban_mail}" ${msmtp_debug} -a "${ban_mailprofile}" "${ban_mailreceiver}" >/dev/null 2>&1
ban_rc=${?}
f_log "info" "mail sent to '${ban_mailreceiver}' with rc '${ban_rc}'"
else
f_log "err" "msmtp mail daemon not found"
fi
exit ${ban_rc}
printf "%b" "${ban_mailhead}${ban_mailtext}" 2>/dev/null | "${ban_mail}" ${msmtp_debug} -a "${ban_mailprofile}" "${ban_mailreceiver}" >/dev/null 2>&1
"${ban_logger}" -p "info" -t "banIP-mail [${$}]" "mail sent to '${ban_mailreceiver}' with rc '${?}'" 2>/dev/null

+ 17
- 25
net/banip/files/banip.service View File

@ -1,36 +1,28 @@
#!/bin/sh
# log service to trace failed ssh/luci logins and conditionally refresh banIP
# written by Dirk Brenken (dev@brenken.org)
#
# log service to trace suspicious logins and conditionally refresh banIP
# Copyright (c) 2019-2021 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3.
#
# (s)hellcheck exceptions
# shellcheck disable=1091,2030,2031,2034,2039,2086,2129,2140,2143,2154,2181,2183,2188
# shellcheck disable=3040
export LC_ALL=C
export PATH="/usr/sbin:/usr/bin:/sbin:/bin"
set -o pipefail
ban_ver="${1}"
ban_search="${2}"
ban_logger="$(command -v logger)"
ban_logread="$(command -v logread)"
f_log()
{
local class="${1}" log_msg="${2}"
if [ -x "${ban_logger}" ]
then
"${ban_logger}" -p "${class}" -t "banIP-${ban_ver%-*}[${$}]" "${log_msg}"
else
printf "%s %s %s\n" "${class}" "banIP-${ban_ver%-*}[${$}]" "${log_msg}"
fi
}
ban_search="${1}"
ban_logger_cmd="$(command -v logger)"
ban_logread_cmd="$(command -v logread)"
if [ -x "${ban_logread}" ]
then
f_log "info" "log/banIP service started"
"${ban_logread}" -f | { grep -qE "${ban_search}"; [ "${?}" = "0" ] && { /etc/init.d/banip refresh; exit 0; }; }
if [ -x "${ban_logread_cmd}" ]; then
"${ban_logger_cmd}" -p "info" -t "banIP-service [${$}]" "log/banIP service started" 2>/dev/null
"${ban_logread_cmd}" -f |
{
grep -qE "${ban_search}" && {
/etc/init.d/banip refresh
exit 0
}
}
else
f_log "err" "can't start log/banIP service"
"${ban_logger_cmd}" -p "err" -t "banIP-service [${$}]" "can't start log/banIP service" 2>/dev/null
fi

+ 530
- 805
net/banip/files/banip.sh
File diff suppressed because it is too large
View File


+ 3
- 3
net/banip/files/banip.sources View File

@ -16,12 +16,12 @@
"descurl": "https://team-cymru.com"
},
"country": {
"url_4": "https://www.ipdeny.com/ipblocks/data/aggregated/",
"url_6": "https://www.ipdeny.com/ipv6/ipaddresses/aggregated/",
"url_4": "http://www.ipdeny.com/ipblocks/data/aggregated/",
"url_6": "http://www.ipdeny.com/ipv6/ipaddresses/aggregated/",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add country_4 \"$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print \"add country_6 \"$1}",
"focus": "Country blocks",
"descurl": "https://www.ipdeny.com/ipblocks"
"descurl": "http://www.ipdeny.com/ipblocks"
},
"darklist": {
"url_4": "https://darklist.de/raw.php",


Loading…
Cancel
Save