@ -6,39 +6,36 @@ IP address blocking is commonly used to protect against brute force attacks, pre
## Main Features
## Main Features
* support many IP blocklist sources (free for private usage, for commercial use please check their individual licenses):
* support many IP blocklist sources (free for private usage, for commercial use please check their individual licenses):
* zero-conf like automatic installation & setup, usually no manual changes needed
* zero-conf like automatic installation & setup, usually no manual changes needed
* supports six different download utilities: uclient-fetch, wget, curl, aria2c, wget-nossl, busybox-wget
* supports four different download utilities: uclient-fetch, wget, curl, aria2c
* Really fast downloads & list processing as they are handled in parallel as background jobs in a configurable 'Download Queue'
* Really fast downloads & list processing as they are handled in parallel as background jobs in a configurable 'Download Queue'
* provides 'http only' mode without installed ssl library for all non-SSL blocklist sources
* full IPv4 and IPv6 support
* full IPv4 and IPv6 support
* ipsets (one per source) are used to ban a large number of IP addresses
* ipsets (one per source) are used to ban a large number of IP addresses
* supports blocking by ASN numbers
* supports blocking by ASN numbers
* supports blocking by iso country codes
* supports blocking by iso country codes
* supports local white & blacklist (IPv4, IPv6 & CIDR notation), located by default in /etc/banip/banip.whitelist and /etc/banip/banip.blacklist
* supports local white & blacklist (IPv4, IPv6 & CIDR notation), located by default in /etc/banip/banip.whitelist and /etc/banip/banip.blacklist
* auto-add unsuccessful ssh login attempts to local blacklist (see 'ban_autoblacklist' option)
* auto-add unsuccessful ssh login attempts to 'dropbear' or 'sshd' to local blacklist (see 'ban_autoblacklist' option)
* auto-add the uplink subnet to local whitelist (see 'ban_autowhitelist' option)
* auto-add the uplink subnet to local whitelist (see 'ban_autowhitelist' option)
* per source configuration of SRC (incoming) and DST (outgoing)
* per source configuration of SRC (incoming) and DST (outgoing)
* integrated IPSet-Lookup
* integrated IPSet-Lookup
* integrated RIPE-Lookup
* integrated RIPE-Lookup
* blocklist source parsing by fast & flexible regex rulesets
* blocklist source parsing by fast & flexible regex rulesets
* minimal status & error logging to syslog, enable debug logging to receive more output
* minimal status & error logging to syslog, enable debug logging to receive more output
* procd based init system support (start/stop/restart/reload/status)
* procd based init system support (start/stop/restart/reload/refresh/status)
* procd network interface trigger support
* procd network interface trigger support
* automatic blocklist backup & restore, they will be used in case of download errors or during startup in backup mode
* 'backup mode' to re-use blocklist backups during startup, get fresh lists via reload or restart action
* automatic blocklist backup & restore, they will be used in case of download errors or during startup
* output comprehensive runtime information via LuCI or via 'status' init command
* output comprehensive runtime information via LuCI or via 'status' init command
* strong LuCI support
* strong LuCI support
* optional: add new banIP sources on your own
* optional: add new banIP sources on your own
## Prerequisites
## Prerequisites
* [OpenWrt](https://openwrt.org), tested with the stable release series (18.06) and with the latest snapshot
* [OpenWrt](https://openwrt.org), tested with the stable release series (19.07) and with the latest snapshot
* a download utility:
* a download utility:
* to support all blocklist sources a full version (with ssl support) of 'wget', 'uclient-fetch' with one of the 'libustream-*' ssl libraries, 'aria2c' or 'curl' is required
* for limited devices with real memory constraints, banIP provides also a 'http only' option and supports wget-nossl and uclient-fetch (without libustream-ssl) as well
* to support all blocklist sources a full version with ssl support of 'wget', 'uclient-fetch' with one of the 'libustream-*' ssl libraries, 'aria2c' or 'curl' is required
## Installation & Usage
## Installation & Usage
* install 'banip' (_opkg install banip_)
* install 'banip' (_opkg install banip_)
* at minimum configure the needed IP blocklist sources, the download utility and enable the banIP service in _/etc/config/banip_
* at minimum configure the needed IP blocklist sources, the download utility and enable the banIP service in _/etc/config/banip_
* control the banip service manually with _/etc/init.d/banip_ start/stop/restart/reload/status or use the LuCI frontend
* control the banip service manually with _/etc/init.d/banip_ start/stop/restart/reload/refresh/status or use the LuCI frontend
## LuCI banIP companion package
## LuCI banIP companion package
* it's recommended to use the provided LuCI frontend to control all aspects of banIP
* it's recommended to use the provided LuCI frontend to control all aspects of banIP
@ -57,10 +54,10 @@ IP address blocking is commonly used to protect against brute force attacks, pre
* ban\_nice => set the nice level of the banIP process and all sub-processes (int/default: '0', standard priority)
* ban\_nice => set the nice level of the banIP process and all sub-processes (int/default: '0', standard priority)
* ban\_triggerdelay => additional trigger delay in seconds before banIP processing begins (int/default: '2')
* ban\_triggerdelay => additional trigger delay in seconds before banIP processing begins (int/default: '2')
* ban\_backup => create compressed blocklist backups, they will be used in case of download errors or during startup in 'backup mode' (bool/default: '0', disabled)
* ban\_backupdir => target directory for adblock backups (default: not set)
* ban\_backupboot => do not automatically update blocklists during startup, use their backups instead (bool/default: '0', disabled)
* ban\_maxqueue => size of the download queue to handle downloads & IPSet processing in parallel (int/default: '8')
* ban\_backupdir => target directory for banIP backups (default: '/tmp')
* ban\_sshdaemon => select the SSH daemon for logfile parsing, 'dropbear' or 'sshd' (default: 'dropbear')
* ban\_starttype => select the used start type during boot, 'start' or 'reload' (default: 'start')
* ban\_maxqueue => size of the download queue to handle downloads & IPSet processing in parallel (int/default: '4')
* ban\_fetchparm => special config options for the download utility (default: not set)
* ban\_fetchparm => special config options for the download utility (default: not set)
* ban\_autoblacklist => store auto-addons temporary in ipset and permanently in local blacklist as well (bool/default: '1', enabled)
* ban\_autoblacklist => store auto-addons temporary in ipset and permanently in local blacklist as well (bool/default: '1', enabled)
* ban\_autowhitelist => store auto-addons temporary in ipset and permanently in local whitelist as well (bool/default: '1', enabled)
* ban\_autowhitelist => store auto-addons temporary in ipset and permanently in local whitelist as well (bool/default: '1', enabled)
@ -72,14 +69,15 @@ IP address blocking is commonly used to protect against brute force attacks, pre
f_log "err""the backup directory '${ban_backupdir}' does not exist/is not mounted yet, please create the directory or raise the 'ban_triggerdelay' to defer the banIP start"
f_log "err""download utility not found, please install 'uclient-fetch' with 'libustream-mbedtls' or the full 'wget' package"
f_log "err""download utility not found, please install 'uclient-fetch' with the 'libustream-mbedtls' ssl library or the full 'wget' package"
fi
fi
# get wan device and wan subnets
# get wan device and wan subnets
@ -215,16 +207,19 @@ f_envcheck()
#
#
f_temp()
f_temp()
{
{
if[ -z "${ban_tmpdir}"]
if[ -d "/tmp"]&&[ -z "${ban_tmpdir}"]
then
then
ban_tmpdir="$(mktemp -p /tmp -d)"
ban_tmpdir="$(mktemp -p /tmp -d)"
ban_tmpload="$(mktemp -p "${ban_tmpdir}" -tu)"
ban_tmpload="$(mktemp -p "${ban_tmpdir}" -tu)"
ban_tmpfile="$(mktemp -p "${ban_tmpdir}" -tu)"
ban_tmpfile="$(mktemp -p "${ban_tmpdir}" -tu)"
elif[ ! -d "/tmp"]
then
f_log "err""the temp directory '/tmp' does not exist/is not mounted yet, please create the directory or raise the 'ban_triggerdelay' to defer the banIP start"