Browse Source

banip: update to 0.7.3

* fix search string/pipe preparation for the background service
* fix IPSet maxelem limitation, made it more flexible
* fix potential error during resume action
* add Cisco Talos IP blacklist
* update readme

Signed-off-by: Dirk Brenken <dev@brenken.org>
lilik-openwrt-22.03
Dirk Brenken 4 years ago
parent
commit
b65353b4f7
No known key found for this signature in database GPG Key ID: 9D71CD547BFAE684
4 changed files with 40 additions and 27 deletions
  1. +1
    -1
      net/banip/Makefile
  2. +2
    -0
      net/banip/files/README.md
  3. +31
    -26
      net/banip/files/banip.sh
  4. +6
    -0
      net/banip/files/banip.sources

+ 1
- 1
net/banip/Makefile View File

@ -6,7 +6,7 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=banip
PKG_VERSION:=0.7.2
PKG_VERSION:=0.7.3
PKG_RELEASE:=1
PKG_LICENSE:=GPL-3.0-or-later
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>


+ 2
- 0
net/banip/files/README.md View File

@ -31,6 +31,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
| nixspam | iX spam protection | [Link](http://www.nixspam.org) |
| proxy | Firehol list of open proxies | [Link](https://iplists.firehol.org/?ipset=proxylists) |
| ssbl | SSL botnet IP blacklist | [Link](https://sslbl.abuse.ch) |
| talos | Cisco Talos IP Blacklist | [Link](https://talosintelligence.com/reputation_center) |
| threat | Emerging Threats | [Link](https://rules.emergingthreats.net) |
| tor | Tor exit nodes | [Link](https://fissionrelays.net/lists) |
| uceprotect1 | Spam protection level 1 | [Link](http://www.uceprotect.net/en/index.php) |
@ -68,6 +69,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
* [OpenWrt](https://openwrt.org), tested with the stable release series (19.07.x) and with the latest rolling snapshot releases. On turris devices it has been successfully tested with TurrisOS 5.2.x
<b>Please note:</b> Older OpenWrt releases like 18.06.x or 17.01.x are _not_ supported!
<b>Please note:</b> Devices with less than 128 MByte RAM are _not_ supported!
<b>Please note:</b> If you're updating from former banIP 0.3x please manually remove your config (/etc/config/banip) before you start!
* A download utility with SSL support: 'wget', 'uclient-fetch' with one of the 'libustream-*' ssl libraries, 'aria2c' or 'curl' is required
* A certificate store like 'ca-bundle', as banIP checks the validity of the SSL certificates of all download sites by default
* Optional E-Mail notification support: for E-Mail notifications you need to install the additional 'msmtp' package


+ 31
- 26
net/banip/files/banip.sh View File

@ -12,7 +12,7 @@
export LC_ALL=C
export PATH="/usr/sbin:/usr/bin:/sbin:/bin"
set -o pipefail
ban_ver="0.7.2"
ban_ver="0.7.3"
ban_enabled="0"
ban_mail_enabled="0"
ban_proto4_enabled="0"
@ -93,11 +93,11 @@ f_load()
#
if [ "${ban_enabled}" = "0" ]
then
f_bgsrv "stop"
f_ipset "destroy"
f_jsnup "disabled"
f_rmbckp
f_rmtmp
f_bgsrv "stop"
f_log "info" "banIP is currently disabled, please set the config option 'ban_enabled' to '1' to use this service"
exit 0
fi
@ -739,22 +739,24 @@ f_ipset()
return "${out_rc}"
;;
"create")
if [ "${src_name}" = "maclist" ] && [ -s "${tmp_file}" ] && [ -z "$("${ban_ipset_cmd}" -q -n list "${src_name}")" ]
then
"${ban_ipset_cmd}" create "${src_name}" hash:mac maxelem 262144 counters timeout "${ban_maclist_timeout:-"0"}"
out_rc="${?}"
elif [ -s "${tmp_file}" ] && [ -z "$("${ban_ipset_cmd}" -q -n list "${src_name}")" ]
if [ -s "${tmp_file}" ] && [ -z "$("${ban_ipset_cmd}" -q -n list "${src_name}")" ]
then
if [ "${src_name%_*}" = "whitelist" ]
cnt="$(awk 'END{print NR}' "${tmp_file}" 2>/dev/null)"
cnt=$((cnt+262144))
if [ "${src_name}" = "maclist" ]
then
"${ban_ipset_cmd}" create "${src_name}" hash:mac hashsize 64 maxelem "${cnt}" counters timeout "${ban_maclist_timeout:-"0"}"
out_rc="${?}"
elif [ "${src_name%_*}" = "whitelist" ]
then
"${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem 262144 family "${src_ipver}" counters timeout "${ban_whitelist_timeout:-"0"}"
"${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem "${cnt}" family "${src_ipver}" counters timeout "${ban_whitelist_timeout:-"0"}"
out_rc="${?}"
elif [ "${src_name%_*}" = "blacklist" ]
then
"${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem 262144 family "${src_ipver}" counters timeout "${ban_blacklist_timeout:-"0"}"
"${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem "${cnt}" family "${src_ipver}" counters timeout "${ban_blacklist_timeout:-"0"}"
out_rc="${?}"
else
"${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem 262144 family "${src_ipver}" counters
"${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem "${cnt}" family "${src_ipver}" counters
out_rc="${?}"
fi
else
@ -821,19 +823,22 @@ f_ipset()
f_log "debug" "f_ipset ::: name: ${src:-"-"}, mode: ${mode:-"-"}"
;;
"resume")
"${ban_ipset_cmd}" -q -! restore < "${ban_backupdir}/${src_name}.file"
out_rc="${?}"
if [ "${out_rc}" = "0" ]
if [ -f "${ban_backupdir}/${src_name}.file" ]
then
rm -f "${ban_backupdir}/${src_name}.file"
src_list="$("${ban_ipset_cmd}" -q list "${src_name}")"
cnt="$(printf "%s\n" "${src_list}" | awk '/^Number of entries:/{print $4}')"
cnt_mac="$(printf "%s\n" "${src_list}" | grep -cE "^(([0-9A-Z][0-9A-Z]:){5}[0-9A-Z]{2} packets)")"
cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "(/[0-9]{1,3} packets)")"
cnt_ip=$((cnt-cnt_cidr-cnt_mac))
printf "%s\n" "${cnt}" > "${tmp_cnt}"
"${ban_ipset_cmd}" -q -! restore < "${ban_backupdir}/${src_name}.file"
out_rc="${?}"
if [ "${out_rc}" = "0" ]
then
rm -f "${ban_backupdir}/${src_name}.file"
src_list="$("${ban_ipset_cmd}" -q list "${src_name}")"
cnt="$(printf "%s\n" "${src_list}" | awk '/^Number of entries:/{print $4}')"
cnt_mac="$(printf "%s\n" "${src_list}" | grep -cE "^(([0-9A-Z][0-9A-Z]:){5}[0-9A-Z]{2} packets)")"
cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "(/[0-9]{1,3} packets)")"
cnt_ip=$((cnt-cnt_cidr-cnt_mac))
printf "%s\n" "${cnt}" > "${tmp_cnt}"
fi
f_iptables
fi
f_iptables
end_ts="$(date +%s)"
out_rc="${out_rc:-"${in_rc}"}"
f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, ipver: ${src_ipver:-"-"}, settype: ${src_settype:-"-"}, count(sum/ip/cidr/mac): ${cnt}/${cnt_ip}/${cnt_cidr}/${cnt_mac}, time: $((end_ts-start_ts)), out_rc: ${out_rc}"
@ -937,9 +942,9 @@ f_bgsrv()
fi
if [ -n "$(printf "%s\n" "${ban_logterms}" | grep -F "nginx")" ]
then
ban_search="${ban_search}nginx\[[0-9]+\]:.*\[error\].*open().*client: [[:alnum:].:]+"
ban_search="${ban_search}nginx\[[0-9]+\]:.*\[error\].*open().*client: [[:alnum:].:]+|"
fi
( "${ban_logservice}" "${ban_ver}" "${ban_search}" & )
( "${ban_logservice}" "${ban_ver}" "${ban_search%?}" & )
elif [ "${action}" = "stop" ] && [ -n "${bg_pid}" ]
then
kill -HUP "${bg_pid}" 2>/dev/null
@ -1750,10 +1755,10 @@ fi
f_load
case "${ban_action}" in
"stop")
f_bgsrv "stop"
f_ipset "destroy"
f_jsnup "stopped"
f_rmbckp
f_bgsrv "stop"
;;
"restart")
f_ipset "destroy"
@ -1764,10 +1769,10 @@ case "${ban_action}" in
"suspend")
if [ "${ban_status}" = "enabled" ]
then
f_bgsrv "stop"
f_jsnup "running"
f_ipset "suspend"
f_jsnup "paused"
f_bgsrv "stop"
fi
f_rmtmp
;;


+ 6
- 0
net/banip/files/banip.sources View File

@ -142,6 +142,12 @@
"focus": "SSL botnet IP blacklist",
"descurl": "https://sslbl.abuse.ch"
},
"talos": {
"url_4": "https://www.talosintelligence.com/documents/ip-blacklist",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add talos_4 \"$1}",
"focus": "Cisco Talos IP Blacklist",
"descurl": "https://talosintelligence.com/reputation_center"
},
"threat": {
"url_4": "https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add threat_4 \"$1}",


Loading…
Cancel
Save