# banIP - ban incoming and/or outgoing ip adresses via ipsets
## Description
IP address blocking is commonly used to protect against brute force attacks, prevent disruptive or unautherized address(es) from access or it can be used to restrict access to or from a particular geographic area — for example.
IP address blocking is commonly used to protect against brute force attacks, prevent disruptive or unauthorized address(es) from access or it can be used to restrict access to or from a particular geographic area — for example.
## Main Features
* support many IP blocklist sources (free for private usage, for commercial use please check their individual licenses):
* zero-conf like automatic installation & setup, usually no manual changes needed
* supports four different download utilities: uclient-fetch, wget, curl, aria2c
* automatically selects one of the following download utilities: aria2c, curl, uclient-fetch, wget
* Really fast downloads & list processing as they are handled in parallel as background jobs in a configurable 'Download Queue'
* full IPv4 and IPv6 support
* ipsets (one per source) are used to ban a large number of IP addresses
* supports blocking by ASN numbers
* supports blocking by iso country codes
* supports local white & blacklist (IPv4, IPv6 & CIDR notation), located by default in /etc/banip/banip.whitelist and /etc/banip/banip.blacklist
* auto-add unsuccessful ssh login attempts to 'dropbear' or 'sshd' to local blacklist (see 'ban_autoblacklist' option)
* auto-add unsuccessful LuCI and ssh login attempts via 'dropbear' or 'sshd' to local blacklist (see 'ban_autoblacklist' option)
* auto-add the uplink subnet to local whitelist (see 'ban_autowhitelist' option)
* provides a small background log monitor to ban unsuccessful login attempts in real-time
* per source configuration of SRC (incoming) and DST (outgoing)
* integrated IPSet-Lookup
* integrated RIPE-Lookup
@ -29,8 +30,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
## Prerequisites
* [OpenWrt](https://openwrt.org), tested with the stable release series (19.07) and with the latest snapshot
* a download utility:
* to support all blocklist sources a full version with ssl support of 'wget', 'uclient-fetch' with one of the 'libustream-*' ssl libraries, 'aria2c' or 'curl' is required
* download utility: 'uclient-fetch' with one of the 'libustream-*' ssl libraries, 'wget', 'aria2c' or 'curl' is required
## Installation & Usage
* install 'banip' (_opkg install banip_)
@ -47,8 +47,8 @@ IP address blocking is commonly used to protect against brute force attacks, pre
* the following options apply to the 'global' config section:
* ban\_enabled => main switch to enable/disable banIP service (bool/default: '0', disabled)
* ban\_automatic => determine the L2/L3 WAN network device automatically (bool/default: '1', enabled)
* ban\_fetchutil => name of the used download utility: 'uclient-fetch', 'wget', 'curl', 'aria2c', 'wget-nossl'. 'busybox' (default: 'uclient-fetch')
* ban\_iface => space separated list of WAN network interface(s)/device(s) used by banIP (default: automatically set by banIP ('ban_automatic'))
* ban\_iface => space separated list of WAN network interface(s)/device(s) used by banIP (default: not set, automatically detected)
* ban\_realtime => a small log/banIP background monitor to block SSH/LuCI brute force attacks in realtime (bool/default: 'false', disabled)
* the following options apply to the 'extra' config section:
f_log "err""download utility not found, please install 'uclient-fetch' with the 'libustream-mbedtls' ssl library or the full 'wget' package"
f_log "err""download utility with SSL support not found, please install 'uclient-fetch' with a 'libustream-*' variant or another download utility like 'wget', 'curl' or 'aria2'"
fi
# get wan device and wan subnets
#
if["${ban_automatic}"="1"]
then
network_find_wan ban_iface
if[ -z "${ban_iface}"]
then
network_find_wan6 ban_iface
fi
while["${cnt}" -le 30]
do
network_find_wan ban_iface
if[ -z "${ban_iface}"]
then
network_find_wan6 ban_iface
fi
if[ -z "${ban_iface}"]
then
network_flush_cache
cnt=$((cnt+1))
sleep 1
else
break
fi
done
fi
for iface in ${ban_iface}
@ -194,13 +233,11 @@ f_envcheck()
if[ -z "${ban_iface}"]||[ -z "${ban_dev}"]
then
f_log "err""wan interface(s)/device(s) (${ban_iface:-"-"}/${ban_dev:-"-"}) not found, please please check your configuration"
else
ban_dev_all="$(${ban_ip} link show | awk 'BEGIN{FS="[@: ]"}/^[0-9:]/{if(($3!="lo")&&($3!="br-lan")){print $3}}')"