Browse Source

banip: update 0.3.0

* new 'ca-bundle' dependency as all https connections
  are now validated by default
* automatically select the download utility: 'aria2', 'curl',
  'uclient-fetch' with libustream-* or wget are supported
* track & ban failed LuCI login attempts as well
* add a small log/banIP background monitor to block
  SSH/LuCI brute force attacks in realtime (disabled by default)
* add a config version check (please update your default config!)
* made the automatic wan detection more stable
* fix the IPv6 logfile parser
* fix the service status message
* update readme

Signed-off-by: Dirk Brenken <dev@brenken.org>
lilik-openwrt-22.03
Dirk Brenken 5 years ago
parent
commit
ff8b853a6d
No known key found for this signature in database GPG Key ID: 9D71CD547BFAE684
6 changed files with 167 additions and 77 deletions
  1. +7
    -6
      net/banip/Makefile
  2. +14
    -13
      net/banip/files/README.md
  3. +2
    -2
      net/banip/files/banip.conf
  4. +6
    -6
      net/banip/files/banip.init
  5. +27
    -0
      net/banip/files/banip.service
  6. +111
    -50
      net/banip/files/banip.sh

+ 7
- 6
net/banip/Makefile View File

@ -6,7 +6,7 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=banip
PKG_VERSION:=0.2.1
PKG_VERSION:=0.3.0
PKG_RELEASE:=1
PKG_LICENSE:=GPL-3.0-or-later
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
@ -17,7 +17,7 @@ define Package/banip
SECTION:=net
CATEGORY:=Network
TITLE:=Ban incoming and/or outgoing ip adresses via ipsets
DEPENDS:=+jshn +jsonfilter +ip +ipset +iptables
DEPENDS:=+jshn +jsonfilter +ip +ipset +iptables +ca-bundle
PKGARCH:=all
endef
@ -45,7 +45,7 @@ endef
define Package/banip/install
$(INSTALL_DIR) $(1)/usr/bin
$(INSTALL_BIN) ./files/banip.sh $(1)/usr/bin/
$(INSTALL_BIN) ./files/banip.sh $(1)/usr/bin
$(INSTALL_DIR) $(1)/etc/init.d
$(INSTALL_BIN) ./files/banip.init $(1)/etc/init.d/banip
@ -54,9 +54,10 @@ define Package/banip/install
$(INSTALL_CONF) ./files/banip.conf $(1)/etc/config/banip
$(INSTALL_DIR) $(1)/etc/banip
$(INSTALL_CONF) ./files/banip.blacklist $(1)/etc/banip/
$(INSTALL_CONF) ./files/banip.whitelist $(1)/etc/banip/
$(INSTALL_BIN) ./files/banip.service $(1)/etc/banip
$(INSTALL_CONF) ./files/banip.blacklist $(1)/etc/banip
$(INSTALL_CONF) ./files/banip.whitelist $(1)/etc/banip
$(INSTALL_DIR) $(1)/etc/hotplug.d/firewall
$(INSTALL_DATA) ./files/banip.hotplug $(1)/etc/hotplug.d/firewall/30-banip
endef


+ 14
- 13
net/banip/files/README.md View File

@ -1,20 +1,21 @@
# banIP - ban incoming and/or outgoing ip adresses via ipsets
## Description
IP address blocking is commonly used to protect against brute force attacks, prevent disruptive or unautherized address(es) from access or it can be used to restrict access to or from a particular geographic area — for example.
IP address blocking is commonly used to protect against brute force attacks, prevent disruptive or unauthorized address(es) from access or it can be used to restrict access to or from a particular geographic area — for example.
## Main Features
* support many IP blocklist sources (free for private usage, for commercial use please check their individual licenses):
* zero-conf like automatic installation & setup, usually no manual changes needed
* supports four different download utilities: uclient-fetch, wget, curl, aria2c
* automatically selects one of the following download utilities: aria2c, curl, uclient-fetch, wget
* Really fast downloads & list processing as they are handled in parallel as background jobs in a configurable 'Download Queue'
* full IPv4 and IPv6 support
* ipsets (one per source) are used to ban a large number of IP addresses
* supports blocking by ASN numbers
* supports blocking by iso country codes
* supports local white & blacklist (IPv4, IPv6 & CIDR notation), located by default in /etc/banip/banip.whitelist and /etc/banip/banip.blacklist
* auto-add unsuccessful ssh login attempts to 'dropbear' or 'sshd' to local blacklist (see 'ban_autoblacklist' option)
* auto-add unsuccessful LuCI and ssh login attempts via 'dropbear' or 'sshd' to local blacklist (see 'ban_autoblacklist' option)
* auto-add the uplink subnet to local whitelist (see 'ban_autowhitelist' option)
* provides a small background log monitor to ban unsuccessful login attempts in real-time
* per source configuration of SRC (incoming) and DST (outgoing)
* integrated IPSet-Lookup
* integrated RIPE-Lookup
@ -29,8 +30,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
## Prerequisites
* [OpenWrt](https://openwrt.org), tested with the stable release series (19.07) and with the latest snapshot
* a download utility:
* to support all blocklist sources a full version with ssl support of 'wget', 'uclient-fetch' with one of the 'libustream-*' ssl libraries, 'aria2c' or 'curl' is required
* download utility: 'uclient-fetch' with one of the 'libustream-*' ssl libraries, 'wget', 'aria2c' or 'curl' is required
## Installation & Usage
* install 'banip' (_opkg install banip_)
@ -47,8 +47,8 @@ IP address blocking is commonly used to protect against brute force attacks, pre
* the following options apply to the 'global' config section:
* ban\_enabled => main switch to enable/disable banIP service (bool/default: '0', disabled)
* ban\_automatic => determine the L2/L3 WAN network device automatically (bool/default: '1', enabled)
* ban\_fetchutil => name of the used download utility: 'uclient-fetch', 'wget', 'curl', 'aria2c', 'wget-nossl'. 'busybox' (default: 'uclient-fetch')
* ban\_iface => space separated list of WAN network interface(s)/device(s) used by banIP (default: automatically set by banIP ('ban_automatic'))
* ban\_iface => space separated list of WAN network interface(s)/device(s) used by banIP (default: not set, automatically detected)
* ban\_realtime => a small log/banIP background monitor to block SSH/LuCI brute force attacks in realtime (bool/default: 'false', disabled)
* the following options apply to the 'extra' config section:
* ban\_debug => enable/disable banIP debug output (bool/default: '0', disabled)
@ -56,8 +56,9 @@ IP address blocking is commonly used to protect against brute force attacks, pre
* ban\_triggerdelay => additional trigger delay in seconds before banIP processing begins (int/default: '2')
* ban\_backupdir => target directory for banIP backups (default: '/tmp')
* ban\_sshdaemon => select the SSH daemon for logfile parsing, 'dropbear' or 'sshd' (default: 'dropbear')
* ban\_starttype => select the used start type during boot, 'start' or 'reload' (default: 'start')
* ban\_starttype => select the used start type during boot, 'start', 'refresh' or 'reload' (default: 'start')
* ban\_maxqueue => size of the download queue to handle downloads & IPSet processing in parallel (int/default: '4')
* ban\_fetchutil => name of the used download utility: 'uclient-fetch', 'wget', 'curl', 'aria2c' (default: not set, automatically detected)
* ban\_fetchparm => special config options for the download utility (default: not set)
* ban\_autoblacklist => store auto-addons temporary in ipset and permanently in local blacklist as well (bool/default: '1', enabled)
* ban\_autowhitelist => store auto-addons temporary in ipset and permanently in local whitelist as well (bool/default: '1', enabled)
@ -69,12 +70,12 @@ IP address blocking is commonly used to protect against brute force attacks, pre
/etc/init.d/banip status
::: banIP runtime information
+ status : enabled
+ version : 0.2.0
+ fetch_info : /bin/uclient-fetch (libustream-ssl)
+ ipset_info : 11 IPSets with overall 118359 IPs/Prefixes
+ version : 0.3.0
+ util_info : /usr/bin/aria2c, true
+ ipset_info : 10 IPSets with overall 106729 IPs/Prefixes
+ backup_dir : /tmp
+ last_run : 09.09.2019 16:49:40
+ system : UBNT-ERX, OpenWrt SNAPSHOT r10962-c19b9f9a26
+ last_run : 03.10.2019 19:15:25
+ system : UBNT-ERX, OpenWrt SNAPSHOT r11102-ced4c0e635
</code></pre>
**cronjob for a regular IPSet blocklist update (/etc/crontabs/root):**


+ 2
- 2
net/banip/files/banip.conf View File

@ -1,9 +1,9 @@
config banip 'global'
option ban_enabled '0'
option ban_basever '0.3'
option ban_automatic '1'
option ban_fetchutil 'uclient-fetch'
option ban_iface 'wan'
option ban_realtime 'false'
config banip 'extra'
option ban_debug '0'


+ 6
- 6
net/banip/files/banip.init View File

@ -5,7 +5,7 @@ START=30
USE_PROCD=1
EXTRA_COMMANDS="refresh status"
EXTRA_HELP=" refresh Refresh ipsets only (no new download!)
EXTRA_HELP=" refresh Refresh ipsets without new list downloads
status Print runtime information"
ban_init="/etc/init.d/banip"
@ -53,9 +53,9 @@ stop_service()
rc_procd "${ban_script}" stop
}
status()
status_service()
{
local key keylist value
local key keylist value
local rtfile="$(uci_get banip global ban_rtfile "/tmp/ban_runtime.json")"
json_load_file "${rtfile}" >/dev/null 2>&1
@ -76,14 +76,14 @@ status()
service_triggers()
{
local ban_iface="$(uci_get banip global ban_iface)"
local iface iface_list="$(uci_get banip global ban_iface)"
local delay="$(uci_get banip extra ban_triggerdelay "2")"
local type="$(uci_get banip extra ban_starttype "start")"
PROCD_RELOAD_DELAY=$((${delay}*1000))
if [ -n "${ban_iface}" ]
if [ -n "${iface_list}" ]
then
for iface in ${ban_iface}
for iface in ${iface_list}
do
procd_add_interface_trigger "interface.*.up" "${iface}" "${ban_init}" "${type}"
done


+ 27
- 0
net/banip/files/banip.service View File

@ -0,0 +1,27 @@
#!/bin/sh
# log service to trace failed ssh/luci logins and conditionally refresh banIP
# written by Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
LC_ALL=C
PATH="/usr/sbin:/usr/bin:/sbin:/bin"
if [ -r "/lib/functions.sh" ]
then
. "/lib/functions.sh"
ban_sshdaemon="$(uci_get banip extra ban_sshdaemon "dropbear")"
fi
ban_ver="${1}"
ban_log="$(command -v logread)"
if [ -x "${ban_log}" ]
then
logger -p "info" -t "banIP-${ban_ver}[${$}]" "log/banIP service started"
"${ban_log}" -f -e "${ban_sshdaemon}\|luci: failed login" | \
{ grep -qE "Exit before auth|luci: failed login|[0-9]+ \[preauth\]$"; [ $? -eq 0 ] && /etc/init.d/banip refresh; }
else
logger -p "err" -t "banIP-${ban_ver}[${$}]" "can't start log/banIP service"
fi

+ 111
- 50
net/banip/files/banip.sh View File

@ -13,7 +13,8 @@
#
LC_ALL=C
PATH="/usr/sbin:/usr/bin:/sbin:/bin"
ban_ver="0.2.1"
ban_ver="0.3.0"
ban_basever=""
ban_enabled=0
ban_automatic="1"
ban_sources=""
@ -23,7 +24,8 @@ ban_backupdir="/mnt"
ban_maxqueue=4
ban_autoblacklist=1
ban_autowhitelist=1
ban_fetchutil="uclient-fetch"
ban_realtime="false"
ban_fetchutil=""
ban_ip="$(command -v ip)"
ban_ipt="$(command -v iptables)"
ban_ipt_save="$(command -v iptables-save)"
@ -36,6 +38,7 @@ ban_chain="banIP"
ban_action="${1:-"start"}"
ban_pidfile="/var/run/banip.pid"
ban_rtfile="/tmp/ban_runtime.json"
ban_logservice="/etc/banip/banip.service"
ban_sshdaemon="dropbear"
ban_setcnt=0
ban_cnt=0
@ -94,6 +97,14 @@ f_envload()
config_load banip
config_foreach parse_config source
# version check
#
if [ -z "${ban_basever}" ] || [ "${ban_ver%.*}" != "${ban_basever}" ]
then
f_log "info" "your banIP config seems to be too old, please update your config with the '--force-maintainer' opkg option"
exit 0
fi
# create temp directory & files
#
f_temp
@ -102,6 +113,7 @@ f_envload()
#
if [ "${ban_enabled}" -eq 0 ]
then
f_bgserv "stop"
f_jsnup disabled
f_ipset destroy
f_rmbackup
@ -115,7 +127,7 @@ f_envload()
#
f_envcheck()
{
local ssl_lib tmp
local util utils packages tmp cnt=0
# check backup directory
#
@ -126,44 +138,71 @@ f_envcheck()
# check fetch utility
#
case "${ban_fetchutil}" in
"uclient-fetch")
if [ -f "/lib/libustream-ssl.so" ]
if [ -z "${ban_fetchutil}" ]
then
utils="aria2c curl wget uclient-fetch"
packages="$(opkg list-installed 2>/dev/null)"
for util in ${utils}
do
if { [ "${util}" = "uclient-fetch" ] && [ -n "$(printf "%s\\n" "${packages}" | grep "^libustream-")" ]; } || \
{ [ "${util}" = "wget" ] && [ -n "$(printf "%s\\n" "${packages}" | grep "^wget -")" ]; } || \
{ [ "${util}" != "uclient-fetch" ] && [ "${util}" != "wget" ]; }
then
ban_fetchparm="${ban_fetchparm:-"--timeout=20 --no-check-certificate -O"}"
ssl_lib="libustream-ssl"
ban_fetchutil="$(command -v "${util}")"
if [ -x "${ban_fetchutil}" ]
then
break
fi
fi
;;
"wget")
ban_fetchparm="${ban_fetchparm:-"--no-cache --no-cookies --max-redirect=0 --timeout=20 --no-check-certificate -O"}"
ssl_lib="built-in"
unset ban_fetchutil util
done
else
util="${ban_fetchutil}"
ban_fetchutil="$(command -v "${util}")"
if [ ! -x "${ban_fetchutil}" ]
then
unset ban_fetchutil util
fi
fi
case "${util}" in
"aria2c")
ban_fetchparm="${ban_fetchparm:-"--timeout=20 --allow-overwrite=true --auto-file-renaming=false --check-certificate=true --dir=" " -o"}"
;;
"curl")
ban_fetchparm="${ban_fetchparm:-"--connect-timeout 20 --insecure -o"}"
ssl_lib="built-in"
ban_fetchparm="${ban_fetchparm:-"--connect-timeout 20 -o"}"
;;
"aria2c")
ban_fetchparm="${ban_fetchparm:-"--timeout=20 --allow-overwrite=true --auto-file-renaming=false --check-certificate=false -o"}"
ssl_lib="built-in"
"uclient-fetch")
ban_fetchparm="${ban_fetchparm:-"--timeout=20 -O"}"
;;
"wget")
ban_fetchparm="${ban_fetchparm:-"--no-cache --no-cookies --max-redirect=0 --timeout=20 -O"}"
;;
esac
ban_fetchutil="$(command -v "${ban_fetchutil}")"
ban_fetchinfo="${ban_fetchutil:-"-"} (${ssl_lib:-"-"})"
if [ ! -x "${ban_fetchutil}" ] || [ -z "${ban_fetchutil}" ] || [ -z "${ban_fetchparm}" ]
if [ -z "${ban_fetchutil}" ] || [ -z "${ban_fetchparm}" ]
then
f_log "err" "download utility not found, please install 'uclient-fetch' with the 'libustream-mbedtls' ssl library or the full 'wget' package"
f_log "err" "download utility with SSL support not found, please install 'uclient-fetch' with a 'libustream-*' variant or another download utility like 'wget', 'curl' or 'aria2'"
fi
# get wan device and wan subnets
#
if [ "${ban_automatic}" = "1" ]
then
network_find_wan ban_iface
if [ -z "${ban_iface}" ]
then
network_find_wan6 ban_iface
fi
while [ "${cnt}" -le 30 ]
do
network_find_wan ban_iface
if [ -z "${ban_iface}" ]
then
network_find_wan6 ban_iface
fi
if [ -z "${ban_iface}" ]
then
network_flush_cache
cnt=$((cnt+1))
sleep 1
else
break
fi
done
fi
for iface in ${ban_iface}
@ -194,13 +233,11 @@ f_envcheck()
if [ -z "${ban_iface}" ] || [ -z "${ban_dev}" ]
then
f_log "err" "wan interface(s)/device(s) (${ban_iface:-"-"}/${ban_dev:-"-"}) not found, please please check your configuration"
else
ban_dev_all="$(${ban_ip} link show | awk 'BEGIN{FS="[@: ]"}/^[0-9:]/{if(($3!="lo")&&($3!="br-lan")){print $3}}')"
f_jsnup "running"
f_log "info" "start banIP processing (${ban_action})"
fi
ban_dev_all="$(${ban_ip} link show | awk 'BEGIN{FS="[@: ]"}/^[0-9:]/{if(($3!="lo")&&($3!="br-lan")){print $3}}')"
uci_set banip global ban_iface "${ban_iface}"
uci_commit banip
f_jsnup "running"
f_log "info" "start banIP processing (${ban_action})"
}
# create temporary files and directories
@ -488,36 +525,54 @@ f_log()
if [ -n "${log_msg}" ] && { [ "${class}" != "debug" ] || [ "${ban_debug}" -eq 1 ]; }
then
logger -p "${class}" -t "banIP-[${ban_ver}]" "${log_msg}"
logger -p "${class}" -t "banIP-${ban_ver}[${$}]" "${log_msg}"
if [ "${class}" = "err" ]
then
f_jsnup error
f_ipset destroy
f_rmbackup
f_rmtemp
logger -p "${class}" -t "banIP-[${ban_ver}]" "Please also check 'https://github.com/openwrt/packages/blob/master/net/banip/files/README.md'"
logger -p "${class}" -t "banIP-${ban_ver}[${$}]" "Please also check 'https://github.com/openwrt/packages/blob/master/net/banip/files/README.md'"
exit 1
fi
fi
}
# start log service to trace failed ssh/luci logins
#
f_bgserv()
{
local bg_pid status="${1}"
bg_pid="$(pgrep -f "^/bin/sh ${ban_logservice}.*|^logread -f -e ${ban_sshdaemon}\|luci: failed login|^grep -qE Exit before auth|luci: failed login|[0-9]+ \[preauth\]$" | awk '{ORS=" "; print $1}')"
if [ -z "${bg_pid}" ] && [ "${status}" = "start" ] \
&& [ -x "${ban_logservice}" ] && [ "${ban_realtime}" = "true" ]
then
( "${ban_logservice}" "${ban_ver}" &)
elif [ -n "${bg_pid}" ] && [ "${status}" = "stop" ]
then
kill -HUP "${bg_pid}" 2>/dev/null
fi
f_log "debug" "f_bgserv ::: status: ${status:-"-"}, bg_pid: ${bg_pid:-"-"}, ban_realtime: ${ban_realtime:-"-"}, log_service: ${ban_logservice:-"-"}"
}
# main function for banIP processing
#
f_main()
{
local pid pid_list start_ts end_ts ip tmp_raw tmp_cnt tmp_load tmp_file mem_total mem_free cnt=1
local src_name src_on src_url src_rset src_setipv src_settype src_ruletype src_cat src_log src_addon src_rc
local wan_input wan_forward lan_input lan_forward target_src target_dst log_content
local src_name src_on src_url src_rset src_setipv src_settype src_ruletype src_cat src_log src_addon src_ts src_rc
local wan_input wan_forward lan_input lan_forward target_src target_dst ssh_log luci_log
log_content="$(logread -e "${ban_sshdaemon}")"
ssh_log="$(logread -e "${ban_sshdaemon}" | grep -o "${ban_sshdaemon}.*" | sed 's/:[0-9]*$//g')"
luci_log="$(logread -e "luci: failed login" | grep -o "luci:.*")"
mem_total="$(awk '/^MemTotal/ {print int($2/1000)}' "/proc/meminfo" 2>/dev/null)"
mem_free="$(awk '/^MemFree/ {print int($2/1000)}' "/proc/meminfo" 2>/dev/null)"
f_log "debug" "f_main ::: fetch_util: ${ban_fetchinfo:-"-"}, fetch_parm: ${ban_fetchparm:-"-"}, ssh_daemon: ${ban_sshdaemon}, interface(s): ${ban_iface:-"-"}, device(s): ${ban_dev:-"-"}, all_devices: ${ban_dev_all:-"-"}, backup_dir: ${ban_backupdir:-"-"}, mem_total: ${mem_total:-0}, mem_free: ${mem_free:-0}, max_queue: ${ban_maxqueue}"
f_ipset initial
f_log "debug" "f_main ::: fetch_util: ${ban_fetchutil:-"-"}, fetch_parm: ${ban_fetchparm:-"-"}, ssh_daemon: ${ban_sshdaemon}, interface(s): ${ban_iface:-"-"}, device(s): ${ban_dev:-"-"}, all_devices: ${ban_dev_all:-"-"}, backup_dir: ${ban_backupdir:-"-"}, mem_total: ${mem_total:-0}, mem_free: ${mem_free:-0}, max_queue: ${ban_maxqueue}"
# main loop
#
f_ipset initial
for src_name in ${ban_sources}
do
unset src_on
@ -607,28 +662,30 @@ f_main()
"blacklist")
if [ "${ban_sshdaemon}" = "dropbear" ]
then
pid_list="$(printf "%s\\n" "${log_content}" | grep -F "Exit before auth" | awk 'match($0,/(\[[0-9]+\])/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
pid_list="$(printf "%s\\n" "${ssh_log}" | grep -F "Exit before auth" | awk 'match($0,/(\[[0-9]+\])/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
for pid in ${pid_list}
do
src_addon="${src_addon} $(printf "%s\\n" "${log_content}" | grep -F "${pid}" | awk 'match($0,/([0-9]{1,3}\.){3}[0-9]{1,3}/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
src_addon="${src_addon} $(printf "%s\\n" "${ssh_log}" | grep -F "${pid}" | awk 'match($0,/([0-9]{1,3}\.){3}[0-9]{1,3}$/){ORS=" ";print substr($0,RSTART,RLENGTH);exit}')"
done
elif [ "${ban_sshdaemon}" = "sshd" ]
then
src_addon="$(printf "%s\\n" "${log_content}" | grep -E "[0-9]+ \[preauth\]$" | awk 'match($0,/([0-9]{1,3}\.){3}[0-9]{1,3}/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
src_addon="$(printf "%s\\n" "${ssh_log}" | grep -E "[0-9]+ \[preauth\]$" | awk 'match($0,/([0-9]{1,3}\.){3}[0-9]{1,3}$/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
fi
src_addon="${src_addon} $(printf "%s\\n" "${luci_log}" | awk 'match($0,/([0-9]{1,3}\.){3}[0-9]{1,3}$/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
;;
"blacklist_6")
if [ "${ban_sshdaemon}" = "dropbear" ]
then
pid_list="$(printf "%s\\n" "${log_content}" | grep -F "Exit before auth" | awk 'match($0,/(\[[0-9]+\])/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
pid_list="$(printf "%s\\n" "${ssh_log}" | grep -F "Exit before auth" | awk 'match($0,/(\[[0-9]+\])/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
for pid in ${pid_list}
do
src_addon="${src_addon} $(printf "%s\\n" "${log_content}" | grep -F "${pid}" | awk 'match($0,/([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
src_addon="${src_addon} $(printf "%s\\n" "${ssh_log}" | grep -F "${pid}" | awk 'match($0,/(([0-9A-f]{0,4}::?){1,7}[0-9A-f]{0,4}$)/){ORS=" ";print substr($0,RSTART,RLENGTH);exit}')"
done
elif [ "${ban_sshdaemon}" = "sshd" ]
then
src_addon="$(printf "%s\\n" "${log_content}" | grep -E "[0-9]+ \[preauth\]$" | awk 'match($0,/([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
src_addon="$(printf "%s\\n" "${ssh_log}" | grep -E "[0-9]+ \[preauth\]$" | awk 'match($0,/(([0-9A-f]{0,4}::?){1,7}[0-9A-f]{0,4}$)/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
fi
src_addon="${src_addon} $(printf "%s\\n" "${luci_log}" | awk 'match($0,/(([0-9A-f]{0,4}::?){1,7}[0-9A-f]{0,4}$)/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
;;
esac
for ip in ${src_addon}
@ -639,7 +696,8 @@ f_main()
if { [ "${src_name//_*/}" = "blacklist" ] && [ "${ban_autoblacklist}" -eq 1 ]; } || \
{ [ "${src_name//_*/}" = "whitelist" ] && [ "${ban_autowhitelist}" -eq 1 ]; }
then
printf "%s\\n" "${ip}" >> "${src_url}"
src_ts="# auto-added $(date "+%d.%m.%Y %H:%M:%S")"
printf "%s %s\\n" "${ip}" "${src_ts}" >> "${src_url}"
fi
fi
done
@ -756,6 +814,7 @@ f_main()
ban_cnt="$((ban_cnt+cnt))"
done
f_log "info" "${ban_setcnt} IPSets with overall ${ban_cnt} IPs/Prefixes loaded successfully (${ban_sysver})"
f_bgserv "start"
f_jsnup
f_rmtemp
}
@ -766,7 +825,7 @@ f_jsnup()
{
local rundate status="${1:-"enabled"}"
rundate="$(/bin/date "+%d.%m.%Y %H:%M:%S")"
rundate="$(date "+%d.%m.%Y %H:%M:%S")"
ban_cntinfo="${ban_setcnt} IPSets with overall ${ban_cnt} IPs/Prefixes"
> "${ban_rtfile}"
@ -775,7 +834,7 @@ f_jsnup()
json_add_object "data"
json_add_string "status" "${status}"
json_add_string "version" "${ban_ver}"
json_add_string "fetch_info" "${ban_fetchinfo:-"-"}"
json_add_string "util_info" "${ban_fetchutil:-"-"}, ${ban_realtime:-"-"}"
json_add_string "ipset_info" "${ban_cntinfo:-"-"}"
json_add_string "backup_dir" "${ban_backupdir}"
json_add_string "last_run" "${rundate:-"-"}"
@ -801,12 +860,14 @@ fi
f_envload
case "${ban_action}" in
"stop")
f_bgserv "stop"
f_jsnup stopped
f_ipset destroy
f_rmbackup
f_rmtemp
;;
"start"|"restart"|"reload"|"refresh")
f_bgserv "stop"
f_envcheck
f_main
;;


Loading…
Cancel
Save