Browse Source

banip: update 0.3.0

* new 'ca-bundle' dependency as all https connections
  are now validated by default
* automatically select the download utility: 'aria2', 'curl',
  'uclient-fetch' with libustream-* or wget are supported
* track & ban failed LuCI login attempts as well
* add a small log/banIP background monitor to block
  SSH/LuCI brute force attacks in realtime (disabled by default)
* add a config version check (please update your default config!)
* made the automatic wan detection more stable
* fix the IPv6 logfile parser
* fix the service status message
* update readme

Signed-off-by: Dirk Brenken <dev@brenken.org>
lilik-openwrt-22.03
Dirk Brenken 5 years ago
parent
commit
ff8b853a6d
No known key found for this signature in database GPG Key ID: 9D71CD547BFAE684
6 changed files with 167 additions and 77 deletions
  1. +7
    -6
      net/banip/Makefile
  2. +14
    -13
      net/banip/files/README.md
  3. +2
    -2
      net/banip/files/banip.conf
  4. +6
    -6
      net/banip/files/banip.init
  5. +27
    -0
      net/banip/files/banip.service
  6. +111
    -50
      net/banip/files/banip.sh

+ 7
- 6
net/banip/Makefile View File

@ -6,7 +6,7 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=banip PKG_NAME:=banip
PKG_VERSION:=0.2.1
PKG_VERSION:=0.3.0
PKG_RELEASE:=1 PKG_RELEASE:=1
PKG_LICENSE:=GPL-3.0-or-later PKG_LICENSE:=GPL-3.0-or-later
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org> PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
@ -17,7 +17,7 @@ define Package/banip
SECTION:=net SECTION:=net
CATEGORY:=Network CATEGORY:=Network
TITLE:=Ban incoming and/or outgoing ip adresses via ipsets TITLE:=Ban incoming and/or outgoing ip adresses via ipsets
DEPENDS:=+jshn +jsonfilter +ip +ipset +iptables
DEPENDS:=+jshn +jsonfilter +ip +ipset +iptables +ca-bundle
PKGARCH:=all PKGARCH:=all
endef endef
@ -45,7 +45,7 @@ endef
define Package/banip/install define Package/banip/install
$(INSTALL_DIR) $(1)/usr/bin $(INSTALL_DIR) $(1)/usr/bin
$(INSTALL_BIN) ./files/banip.sh $(1)/usr/bin/
$(INSTALL_BIN) ./files/banip.sh $(1)/usr/bin
$(INSTALL_DIR) $(1)/etc/init.d $(INSTALL_DIR) $(1)/etc/init.d
$(INSTALL_BIN) ./files/banip.init $(1)/etc/init.d/banip $(INSTALL_BIN) ./files/banip.init $(1)/etc/init.d/banip
@ -54,9 +54,10 @@ define Package/banip/install
$(INSTALL_CONF) ./files/banip.conf $(1)/etc/config/banip $(INSTALL_CONF) ./files/banip.conf $(1)/etc/config/banip
$(INSTALL_DIR) $(1)/etc/banip $(INSTALL_DIR) $(1)/etc/banip
$(INSTALL_CONF) ./files/banip.blacklist $(1)/etc/banip/
$(INSTALL_CONF) ./files/banip.whitelist $(1)/etc/banip/
$(INSTALL_BIN) ./files/banip.service $(1)/etc/banip
$(INSTALL_CONF) ./files/banip.blacklist $(1)/etc/banip
$(INSTALL_CONF) ./files/banip.whitelist $(1)/etc/banip
$(INSTALL_DIR) $(1)/etc/hotplug.d/firewall $(INSTALL_DIR) $(1)/etc/hotplug.d/firewall
$(INSTALL_DATA) ./files/banip.hotplug $(1)/etc/hotplug.d/firewall/30-banip $(INSTALL_DATA) ./files/banip.hotplug $(1)/etc/hotplug.d/firewall/30-banip
endef endef


+ 14
- 13
net/banip/files/README.md View File

@ -1,20 +1,21 @@
# banIP - ban incoming and/or outgoing ip adresses via ipsets # banIP - ban incoming and/or outgoing ip adresses via ipsets
## Description ## Description
IP address blocking is commonly used to protect against brute force attacks, prevent disruptive or unautherized address(es) from access or it can be used to restrict access to or from a particular geographic area — for example.
IP address blocking is commonly used to protect against brute force attacks, prevent disruptive or unauthorized address(es) from access or it can be used to restrict access to or from a particular geographic area — for example.
## Main Features ## Main Features
* support many IP blocklist sources (free for private usage, for commercial use please check their individual licenses): * support many IP blocklist sources (free for private usage, for commercial use please check their individual licenses):
* zero-conf like automatic installation & setup, usually no manual changes needed * zero-conf like automatic installation & setup, usually no manual changes needed
* supports four different download utilities: uclient-fetch, wget, curl, aria2c
* automatically selects one of the following download utilities: aria2c, curl, uclient-fetch, wget
* Really fast downloads & list processing as they are handled in parallel as background jobs in a configurable 'Download Queue' * Really fast downloads & list processing as they are handled in parallel as background jobs in a configurable 'Download Queue'
* full IPv4 and IPv6 support * full IPv4 and IPv6 support
* ipsets (one per source) are used to ban a large number of IP addresses * ipsets (one per source) are used to ban a large number of IP addresses
* supports blocking by ASN numbers * supports blocking by ASN numbers
* supports blocking by iso country codes * supports blocking by iso country codes
* supports local white & blacklist (IPv4, IPv6 & CIDR notation), located by default in /etc/banip/banip.whitelist and /etc/banip/banip.blacklist * supports local white & blacklist (IPv4, IPv6 & CIDR notation), located by default in /etc/banip/banip.whitelist and /etc/banip/banip.blacklist
* auto-add unsuccessful ssh login attempts to 'dropbear' or 'sshd' to local blacklist (see 'ban_autoblacklist' option)
* auto-add unsuccessful LuCI and ssh login attempts via 'dropbear' or 'sshd' to local blacklist (see 'ban_autoblacklist' option)
* auto-add the uplink subnet to local whitelist (see 'ban_autowhitelist' option) * auto-add the uplink subnet to local whitelist (see 'ban_autowhitelist' option)
* provides a small background log monitor to ban unsuccessful login attempts in real-time
* per source configuration of SRC (incoming) and DST (outgoing) * per source configuration of SRC (incoming) and DST (outgoing)
* integrated IPSet-Lookup * integrated IPSet-Lookup
* integrated RIPE-Lookup * integrated RIPE-Lookup
@ -29,8 +30,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
## Prerequisites ## Prerequisites
* [OpenWrt](https://openwrt.org), tested with the stable release series (19.07) and with the latest snapshot * [OpenWrt](https://openwrt.org), tested with the stable release series (19.07) and with the latest snapshot
* a download utility:
* to support all blocklist sources a full version with ssl support of 'wget', 'uclient-fetch' with one of the 'libustream-*' ssl libraries, 'aria2c' or 'curl' is required
* download utility: 'uclient-fetch' with one of the 'libustream-*' ssl libraries, 'wget', 'aria2c' or 'curl' is required
## Installation & Usage ## Installation & Usage
* install 'banip' (_opkg install banip_) * install 'banip' (_opkg install banip_)
@ -47,8 +47,8 @@ IP address blocking is commonly used to protect against brute force attacks, pre
* the following options apply to the 'global' config section: * the following options apply to the 'global' config section:
* ban\_enabled => main switch to enable/disable banIP service (bool/default: '0', disabled) * ban\_enabled => main switch to enable/disable banIP service (bool/default: '0', disabled)
* ban\_automatic => determine the L2/L3 WAN network device automatically (bool/default: '1', enabled) * ban\_automatic => determine the L2/L3 WAN network device automatically (bool/default: '1', enabled)
* ban\_fetchutil => name of the used download utility: 'uclient-fetch', 'wget', 'curl', 'aria2c', 'wget-nossl'. 'busybox' (default: 'uclient-fetch')
* ban\_iface => space separated list of WAN network interface(s)/device(s) used by banIP (default: automatically set by banIP ('ban_automatic'))
* ban\_iface => space separated list of WAN network interface(s)/device(s) used by banIP (default: not set, automatically detected)
* ban\_realtime => a small log/banIP background monitor to block SSH/LuCI brute force attacks in realtime (bool/default: 'false', disabled)
* the following options apply to the 'extra' config section: * the following options apply to the 'extra' config section:
* ban\_debug => enable/disable banIP debug output (bool/default: '0', disabled) * ban\_debug => enable/disable banIP debug output (bool/default: '0', disabled)
@ -56,8 +56,9 @@ IP address blocking is commonly used to protect against brute force attacks, pre
* ban\_triggerdelay => additional trigger delay in seconds before banIP processing begins (int/default: '2') * ban\_triggerdelay => additional trigger delay in seconds before banIP processing begins (int/default: '2')
* ban\_backupdir => target directory for banIP backups (default: '/tmp') * ban\_backupdir => target directory for banIP backups (default: '/tmp')
* ban\_sshdaemon => select the SSH daemon for logfile parsing, 'dropbear' or 'sshd' (default: 'dropbear') * ban\_sshdaemon => select the SSH daemon for logfile parsing, 'dropbear' or 'sshd' (default: 'dropbear')
* ban\_starttype => select the used start type during boot, 'start' or 'reload' (default: 'start')
* ban\_starttype => select the used start type during boot, 'start', 'refresh' or 'reload' (default: 'start')
* ban\_maxqueue => size of the download queue to handle downloads & IPSet processing in parallel (int/default: '4') * ban\_maxqueue => size of the download queue to handle downloads & IPSet processing in parallel (int/default: '4')
* ban\_fetchutil => name of the used download utility: 'uclient-fetch', 'wget', 'curl', 'aria2c' (default: not set, automatically detected)
* ban\_fetchparm => special config options for the download utility (default: not set) * ban\_fetchparm => special config options for the download utility (default: not set)
* ban\_autoblacklist => store auto-addons temporary in ipset and permanently in local blacklist as well (bool/default: '1', enabled) * ban\_autoblacklist => store auto-addons temporary in ipset and permanently in local blacklist as well (bool/default: '1', enabled)
* ban\_autowhitelist => store auto-addons temporary in ipset and permanently in local whitelist as well (bool/default: '1', enabled) * ban\_autowhitelist => store auto-addons temporary in ipset and permanently in local whitelist as well (bool/default: '1', enabled)
@ -69,12 +70,12 @@ IP address blocking is commonly used to protect against brute force attacks, pre
/etc/init.d/banip status /etc/init.d/banip status
::: banIP runtime information ::: banIP runtime information
+ status : enabled + status : enabled
+ version : 0.2.0
+ fetch_info : /bin/uclient-fetch (libustream-ssl)
+ ipset_info : 11 IPSets with overall 118359 IPs/Prefixes
+ version : 0.3.0
+ util_info : /usr/bin/aria2c, true
+ ipset_info : 10 IPSets with overall 106729 IPs/Prefixes
+ backup_dir : /tmp + backup_dir : /tmp
+ last_run : 09.09.2019 16:49:40
+ system : UBNT-ERX, OpenWrt SNAPSHOT r10962-c19b9f9a26
+ last_run : 03.10.2019 19:15:25
+ system : UBNT-ERX, OpenWrt SNAPSHOT r11102-ced4c0e635
</code></pre> </code></pre>
**cronjob for a regular IPSet blocklist update (/etc/crontabs/root):** **cronjob for a regular IPSet blocklist update (/etc/crontabs/root):**


+ 2
- 2
net/banip/files/banip.conf View File

@ -1,9 +1,9 @@
config banip 'global' config banip 'global'
option ban_enabled '0' option ban_enabled '0'
option ban_basever '0.3'
option ban_automatic '1' option ban_automatic '1'
option ban_fetchutil 'uclient-fetch'
option ban_iface 'wan'
option ban_realtime 'false'
config banip 'extra' config banip 'extra'
option ban_debug '0' option ban_debug '0'


+ 6
- 6
net/banip/files/banip.init View File

@ -5,7 +5,7 @@ START=30
USE_PROCD=1 USE_PROCD=1
EXTRA_COMMANDS="refresh status" EXTRA_COMMANDS="refresh status"
EXTRA_HELP=" refresh Refresh ipsets only (no new download!)
EXTRA_HELP=" refresh Refresh ipsets without new list downloads
status Print runtime information" status Print runtime information"
ban_init="/etc/init.d/banip" ban_init="/etc/init.d/banip"
@ -53,9 +53,9 @@ stop_service()
rc_procd "${ban_script}" stop rc_procd "${ban_script}" stop
} }
status()
status_service()
{ {
local key keylist value
local key keylist value
local rtfile="$(uci_get banip global ban_rtfile "/tmp/ban_runtime.json")" local rtfile="$(uci_get banip global ban_rtfile "/tmp/ban_runtime.json")"
json_load_file "${rtfile}" >/dev/null 2>&1 json_load_file "${rtfile}" >/dev/null 2>&1
@ -76,14 +76,14 @@ status()
service_triggers() service_triggers()
{ {
local ban_iface="$(uci_get banip global ban_iface)"
local iface iface_list="$(uci_get banip global ban_iface)"
local delay="$(uci_get banip extra ban_triggerdelay "2")" local delay="$(uci_get banip extra ban_triggerdelay "2")"
local type="$(uci_get banip extra ban_starttype "start")" local type="$(uci_get banip extra ban_starttype "start")"
PROCD_RELOAD_DELAY=$((${delay}*1000)) PROCD_RELOAD_DELAY=$((${delay}*1000))
if [ -n "${ban_iface}" ]
if [ -n "${iface_list}" ]
then then
for iface in ${ban_iface}
for iface in ${iface_list}
do do
procd_add_interface_trigger "interface.*.up" "${iface}" "${ban_init}" "${type}" procd_add_interface_trigger "interface.*.up" "${iface}" "${ban_init}" "${type}"
done done


+ 27
- 0
net/banip/files/banip.service View File

@ -0,0 +1,27 @@
#!/bin/sh
# log service to trace failed ssh/luci logins and conditionally refresh banIP
# written by Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
LC_ALL=C
PATH="/usr/sbin:/usr/bin:/sbin:/bin"
if [ -r "/lib/functions.sh" ]
then
. "/lib/functions.sh"
ban_sshdaemon="$(uci_get banip extra ban_sshdaemon "dropbear")"
fi
ban_ver="${1}"
ban_log="$(command -v logread)"
if [ -x "${ban_log}" ]
then
logger -p "info" -t "banIP-${ban_ver}[${$}]" "log/banIP service started"
"${ban_log}" -f -e "${ban_sshdaemon}\|luci: failed login" | \
{ grep -qE "Exit before auth|luci: failed login|[0-9]+ \[preauth\]$"; [ $? -eq 0 ] && /etc/init.d/banip refresh; }
else
logger -p "err" -t "banIP-${ban_ver}[${$}]" "can't start log/banIP service"
fi

+ 111
- 50
net/banip/files/banip.sh View File

@ -13,7 +13,8 @@
# #
LC_ALL=C LC_ALL=C
PATH="/usr/sbin:/usr/bin:/sbin:/bin" PATH="/usr/sbin:/usr/bin:/sbin:/bin"
ban_ver="0.2.1"
ban_ver="0.3.0"
ban_basever=""
ban_enabled=0 ban_enabled=0
ban_automatic="1" ban_automatic="1"
ban_sources="" ban_sources=""
@ -23,7 +24,8 @@ ban_backupdir="/mnt"
ban_maxqueue=4 ban_maxqueue=4
ban_autoblacklist=1 ban_autoblacklist=1
ban_autowhitelist=1 ban_autowhitelist=1
ban_fetchutil="uclient-fetch"
ban_realtime="false"
ban_fetchutil=""
ban_ip="$(command -v ip)" ban_ip="$(command -v ip)"
ban_ipt="$(command -v iptables)" ban_ipt="$(command -v iptables)"
ban_ipt_save="$(command -v iptables-save)" ban_ipt_save="$(command -v iptables-save)"
@ -36,6 +38,7 @@ ban_chain="banIP"
ban_action="${1:-"start"}" ban_action="${1:-"start"}"
ban_pidfile="/var/run/banip.pid" ban_pidfile="/var/run/banip.pid"
ban_rtfile="/tmp/ban_runtime.json" ban_rtfile="/tmp/ban_runtime.json"
ban_logservice="/etc/banip/banip.service"
ban_sshdaemon="dropbear" ban_sshdaemon="dropbear"
ban_setcnt=0 ban_setcnt=0
ban_cnt=0 ban_cnt=0
@ -94,6 +97,14 @@ f_envload()
config_load banip config_load banip
config_foreach parse_config source config_foreach parse_config source
# version check
#
if [ -z "${ban_basever}" ] || [ "${ban_ver%.*}" != "${ban_basever}" ]
then
f_log "info" "your banIP config seems to be too old, please update your config with the '--force-maintainer' opkg option"
exit 0
fi
# create temp directory & files # create temp directory & files
# #
f_temp f_temp
@ -102,6 +113,7 @@ f_envload()
# #
if [ "${ban_enabled}" -eq 0 ] if [ "${ban_enabled}" -eq 0 ]
then then
f_bgserv "stop"
f_jsnup disabled f_jsnup disabled
f_ipset destroy f_ipset destroy
f_rmbackup f_rmbackup
@ -115,7 +127,7 @@ f_envload()
# #
f_envcheck() f_envcheck()
{ {
local ssl_lib tmp
local util utils packages tmp cnt=0
# check backup directory # check backup directory
# #
@ -126,44 +138,71 @@ f_envcheck()
# check fetch utility # check fetch utility
# #
case "${ban_fetchutil}" in
"uclient-fetch")
if [ -f "/lib/libustream-ssl.so" ]
if [ -z "${ban_fetchutil}" ]
then
utils="aria2c curl wget uclient-fetch"
packages="$(opkg list-installed 2>/dev/null)"
for util in ${utils}
do
if { [ "${util}" = "uclient-fetch" ] && [ -n "$(printf "%s\\n" "${packages}" | grep "^libustream-")" ]; } || \
{ [ "${util}" = "wget" ] && [ -n "$(printf "%s\\n" "${packages}" | grep "^wget -")" ]; } || \
{ [ "${util}" != "uclient-fetch" ] && [ "${util}" != "wget" ]; }
then then
ban_fetchparm="${ban_fetchparm:-"--timeout=20 --no-check-certificate -O"}"
ssl_lib="libustream-ssl"
ban_fetchutil="$(command -v "${util}")"
if [ -x "${ban_fetchutil}" ]
then
break
fi
fi fi
;;
"wget")
ban_fetchparm="${ban_fetchparm:-"--no-cache --no-cookies --max-redirect=0 --timeout=20 --no-check-certificate -O"}"
ssl_lib="built-in"
unset ban_fetchutil util
done
else
util="${ban_fetchutil}"
ban_fetchutil="$(command -v "${util}")"
if [ ! -x "${ban_fetchutil}" ]
then
unset ban_fetchutil util
fi
fi
case "${util}" in
"aria2c")
ban_fetchparm="${ban_fetchparm:-"--timeout=20 --allow-overwrite=true --auto-file-renaming=false --check-certificate=true --dir=" " -o"}"
;; ;;
"curl") "curl")
ban_fetchparm="${ban_fetchparm:-"--connect-timeout 20 --insecure -o"}"
ssl_lib="built-in"
ban_fetchparm="${ban_fetchparm:-"--connect-timeout 20 -o"}"
;; ;;
"aria2c")
ban_fetchparm="${ban_fetchparm:-"--timeout=20 --allow-overwrite=true --auto-file-renaming=false --check-certificate=false -o"}"
ssl_lib="built-in"
"uclient-fetch")
ban_fetchparm="${ban_fetchparm:-"--timeout=20 -O"}"
;;
"wget")
ban_fetchparm="${ban_fetchparm:-"--no-cache --no-cookies --max-redirect=0 --timeout=20 -O"}"
;; ;;
esac esac
ban_fetchutil="$(command -v "${ban_fetchutil}")"
ban_fetchinfo="${ban_fetchutil:-"-"} (${ssl_lib:-"-"})"
if [ ! -x "${ban_fetchutil}" ] || [ -z "${ban_fetchutil}" ] || [ -z "${ban_fetchparm}" ]
if [ -z "${ban_fetchutil}" ] || [ -z "${ban_fetchparm}" ]
then then
f_log "err" "download utility not found, please install 'uclient-fetch' with the 'libustream-mbedtls' ssl library or the full 'wget' package"
f_log "err" "download utility with SSL support not found, please install 'uclient-fetch' with a 'libustream-*' variant or another download utility like 'wget', 'curl' or 'aria2'"
fi fi
# get wan device and wan subnets # get wan device and wan subnets
# #
if [ "${ban_automatic}" = "1" ] if [ "${ban_automatic}" = "1" ]
then then
network_find_wan ban_iface
if [ -z "${ban_iface}" ]
then
network_find_wan6 ban_iface
fi
while [ "${cnt}" -le 30 ]
do
network_find_wan ban_iface
if [ -z "${ban_iface}" ]
then
network_find_wan6 ban_iface
fi
if [ -z "${ban_iface}" ]
then
network_flush_cache
cnt=$((cnt+1))
sleep 1
else
break
fi
done
fi fi
for iface in ${ban_iface} for iface in ${ban_iface}
@ -194,13 +233,11 @@ f_envcheck()
if [ -z "${ban_iface}" ] || [ -z "${ban_dev}" ] if [ -z "${ban_iface}" ] || [ -z "${ban_dev}" ]
then then
f_log "err" "wan interface(s)/device(s) (${ban_iface:-"-"}/${ban_dev:-"-"}) not found, please please check your configuration" f_log "err" "wan interface(s)/device(s) (${ban_iface:-"-"}/${ban_dev:-"-"}) not found, please please check your configuration"
else
ban_dev_all="$(${ban_ip} link show | awk 'BEGIN{FS="[@: ]"}/^[0-9:]/{if(($3!="lo")&&($3!="br-lan")){print $3}}')"
f_jsnup "running"
f_log "info" "start banIP processing (${ban_action})"
fi fi
ban_dev_all="$(${ban_ip} link show | awk 'BEGIN{FS="[@: ]"}/^[0-9:]/{if(($3!="lo")&&($3!="br-lan")){print $3}}')"
uci_set banip global ban_iface "${ban_iface}"
uci_commit banip
f_jsnup "running"
f_log "info" "start banIP processing (${ban_action})"
} }
# create temporary files and directories # create temporary files and directories
@ -488,36 +525,54 @@ f_log()
if [ -n "${log_msg}" ] && { [ "${class}" != "debug" ] || [ "${ban_debug}" -eq 1 ]; } if [ -n "${log_msg}" ] && { [ "${class}" != "debug" ] || [ "${ban_debug}" -eq 1 ]; }
then then
logger -p "${class}" -t "banIP-[${ban_ver}]" "${log_msg}"
logger -p "${class}" -t "banIP-${ban_ver}[${$}]" "${log_msg}"
if [ "${class}" = "err" ] if [ "${class}" = "err" ]
then then
f_jsnup error f_jsnup error
f_ipset destroy f_ipset destroy
f_rmbackup f_rmbackup
f_rmtemp f_rmtemp
logger -p "${class}" -t "banIP-[${ban_ver}]" "Please also check 'https://github.com/openwrt/packages/blob/master/net/banip/files/README.md'"
logger -p "${class}" -t "banIP-${ban_ver}[${$}]" "Please also check 'https://github.com/openwrt/packages/blob/master/net/banip/files/README.md'"
exit 1 exit 1
fi fi
fi fi
} }
# start log service to trace failed ssh/luci logins
#
f_bgserv()
{
local bg_pid status="${1}"
bg_pid="$(pgrep -f "^/bin/sh ${ban_logservice}.*|^logread -f -e ${ban_sshdaemon}\|luci: failed login|^grep -qE Exit before auth|luci: failed login|[0-9]+ \[preauth\]$" | awk '{ORS=" "; print $1}')"
if [ -z "${bg_pid}" ] && [ "${status}" = "start" ] \
&& [ -x "${ban_logservice}" ] && [ "${ban_realtime}" = "true" ]
then
( "${ban_logservice}" "${ban_ver}" &)
elif [ -n "${bg_pid}" ] && [ "${status}" = "stop" ]
then
kill -HUP "${bg_pid}" 2>/dev/null
fi
f_log "debug" "f_bgserv ::: status: ${status:-"-"}, bg_pid: ${bg_pid:-"-"}, ban_realtime: ${ban_realtime:-"-"}, log_service: ${ban_logservice:-"-"}"
}
# main function for banIP processing # main function for banIP processing
# #
f_main() f_main()
{ {
local pid pid_list start_ts end_ts ip tmp_raw tmp_cnt tmp_load tmp_file mem_total mem_free cnt=1 local pid pid_list start_ts end_ts ip tmp_raw tmp_cnt tmp_load tmp_file mem_total mem_free cnt=1
local src_name src_on src_url src_rset src_setipv src_settype src_ruletype src_cat src_log src_addon src_rc
local wan_input wan_forward lan_input lan_forward target_src target_dst log_content
local src_name src_on src_url src_rset src_setipv src_settype src_ruletype src_cat src_log src_addon src_ts src_rc
local wan_input wan_forward lan_input lan_forward target_src target_dst ssh_log luci_log
log_content="$(logread -e "${ban_sshdaemon}")"
ssh_log="$(logread -e "${ban_sshdaemon}" | grep -o "${ban_sshdaemon}.*" | sed 's/:[0-9]*$//g')"
luci_log="$(logread -e "luci: failed login" | grep -o "luci:.*")"
mem_total="$(awk '/^MemTotal/ {print int($2/1000)}' "/proc/meminfo" 2>/dev/null)" mem_total="$(awk '/^MemTotal/ {print int($2/1000)}' "/proc/meminfo" 2>/dev/null)"
mem_free="$(awk '/^MemFree/ {print int($2/1000)}' "/proc/meminfo" 2>/dev/null)" mem_free="$(awk '/^MemFree/ {print int($2/1000)}' "/proc/meminfo" 2>/dev/null)"
f_log "debug" "f_main ::: fetch_util: ${ban_fetchinfo:-"-"}, fetch_parm: ${ban_fetchparm:-"-"}, ssh_daemon: ${ban_sshdaemon}, interface(s): ${ban_iface:-"-"}, device(s): ${ban_dev:-"-"}, all_devices: ${ban_dev_all:-"-"}, backup_dir: ${ban_backupdir:-"-"}, mem_total: ${mem_total:-0}, mem_free: ${mem_free:-0}, max_queue: ${ban_maxqueue}"
f_ipset initial
f_log "debug" "f_main ::: fetch_util: ${ban_fetchutil:-"-"}, fetch_parm: ${ban_fetchparm:-"-"}, ssh_daemon: ${ban_sshdaemon}, interface(s): ${ban_iface:-"-"}, device(s): ${ban_dev:-"-"}, all_devices: ${ban_dev_all:-"-"}, backup_dir: ${ban_backupdir:-"-"}, mem_total: ${mem_total:-0}, mem_free: ${mem_free:-0}, max_queue: ${ban_maxqueue}"
# main loop # main loop
# #
f_ipset initial
for src_name in ${ban_sources} for src_name in ${ban_sources}
do do
unset src_on unset src_on
@ -607,28 +662,30 @@ f_main()
"blacklist") "blacklist")
if [ "${ban_sshdaemon}" = "dropbear" ] if [ "${ban_sshdaemon}" = "dropbear" ]
then then
pid_list="$(printf "%s\\n" "${log_content}" | grep -F "Exit before auth" | awk 'match($0,/(\[[0-9]+\])/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
pid_list="$(printf "%s\\n" "${ssh_log}" | grep -F "Exit before auth" | awk 'match($0,/(\[[0-9]+\])/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
for pid in ${pid_list} for pid in ${pid_list}
do do
src_addon="${src_addon} $(printf "%s\\n" "${log_content}" | grep -F "${pid}" | awk 'match($0,/([0-9]{1,3}\.){3}[0-9]{1,3}/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
src_addon="${src_addon} $(printf "%s\\n" "${ssh_log}" | grep -F "${pid}" | awk 'match($0,/([0-9]{1,3}\.){3}[0-9]{1,3}$/){ORS=" ";print substr($0,RSTART,RLENGTH);exit}')"
done done
elif [ "${ban_sshdaemon}" = "sshd" ] elif [ "${ban_sshdaemon}" = "sshd" ]
then then
src_addon="$(printf "%s\\n" "${log_content}" | grep -E "[0-9]+ \[preauth\]$" | awk 'match($0,/([0-9]{1,3}\.){3}[0-9]{1,3}/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
src_addon="$(printf "%s\\n" "${ssh_log}" | grep -E "[0-9]+ \[preauth\]$" | awk 'match($0,/([0-9]{1,3}\.){3}[0-9]{1,3}$/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
fi fi
src_addon="${src_addon} $(printf "%s\\n" "${luci_log}" | awk 'match($0,/([0-9]{1,3}\.){3}[0-9]{1,3}$/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
;; ;;
"blacklist_6") "blacklist_6")
if [ "${ban_sshdaemon}" = "dropbear" ] if [ "${ban_sshdaemon}" = "dropbear" ]
then then
pid_list="$(printf "%s\\n" "${log_content}" | grep -F "Exit before auth" | awk 'match($0,/(\[[0-9]+\])/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
pid_list="$(printf "%s\\n" "${ssh_log}" | grep -F "Exit before auth" | awk 'match($0,/(\[[0-9]+\])/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
for pid in ${pid_list} for pid in ${pid_list}
do do
src_addon="${src_addon} $(printf "%s\\n" "${log_content}" | grep -F "${pid}" | awk 'match($0,/([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
src_addon="${src_addon} $(printf "%s\\n" "${ssh_log}" | grep -F "${pid}" | awk 'match($0,/(([0-9A-f]{0,4}::?){1,7}[0-9A-f]{0,4}$)/){ORS=" ";print substr($0,RSTART,RLENGTH);exit}')"
done done
elif [ "${ban_sshdaemon}" = "sshd" ] elif [ "${ban_sshdaemon}" = "sshd" ]
then then
src_addon="$(printf "%s\\n" "${log_content}" | grep -E "[0-9]+ \[preauth\]$" | awk 'match($0,/([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
src_addon="$(printf "%s\\n" "${ssh_log}" | grep -E "[0-9]+ \[preauth\]$" | awk 'match($0,/(([0-9A-f]{0,4}::?){1,7}[0-9A-f]{0,4}$)/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
fi fi
src_addon="${src_addon} $(printf "%s\\n" "${luci_log}" | awk 'match($0,/(([0-9A-f]{0,4}::?){1,7}[0-9A-f]{0,4}$)/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
;; ;;
esac esac
for ip in ${src_addon} for ip in ${src_addon}
@ -639,7 +696,8 @@ f_main()
if { [ "${src_name//_*/}" = "blacklist" ] && [ "${ban_autoblacklist}" -eq 1 ]; } || \ if { [ "${src_name//_*/}" = "blacklist" ] && [ "${ban_autoblacklist}" -eq 1 ]; } || \
{ [ "${src_name//_*/}" = "whitelist" ] && [ "${ban_autowhitelist}" -eq 1 ]; } { [ "${src_name//_*/}" = "whitelist" ] && [ "${ban_autowhitelist}" -eq 1 ]; }
then then
printf "%s\\n" "${ip}" >> "${src_url}"
src_ts="# auto-added $(date "+%d.%m.%Y %H:%M:%S")"
printf "%s %s\\n" "${ip}" "${src_ts}" >> "${src_url}"
fi fi
fi fi
done done
@ -756,6 +814,7 @@ f_main()
ban_cnt="$((ban_cnt+cnt))" ban_cnt="$((ban_cnt+cnt))"
done done
f_log "info" "${ban_setcnt} IPSets with overall ${ban_cnt} IPs/Prefixes loaded successfully (${ban_sysver})" f_log "info" "${ban_setcnt} IPSets with overall ${ban_cnt} IPs/Prefixes loaded successfully (${ban_sysver})"
f_bgserv "start"
f_jsnup f_jsnup
f_rmtemp f_rmtemp
} }
@ -766,7 +825,7 @@ f_jsnup()
{ {
local rundate status="${1:-"enabled"}" local rundate status="${1:-"enabled"}"
rundate="$(/bin/date "+%d.%m.%Y %H:%M:%S")"
rundate="$(date "+%d.%m.%Y %H:%M:%S")"
ban_cntinfo="${ban_setcnt} IPSets with overall ${ban_cnt} IPs/Prefixes" ban_cntinfo="${ban_setcnt} IPSets with overall ${ban_cnt} IPs/Prefixes"
> "${ban_rtfile}" > "${ban_rtfile}"
@ -775,7 +834,7 @@ f_jsnup()
json_add_object "data" json_add_object "data"
json_add_string "status" "${status}" json_add_string "status" "${status}"
json_add_string "version" "${ban_ver}" json_add_string "version" "${ban_ver}"
json_add_string "fetch_info" "${ban_fetchinfo:-"-"}"
json_add_string "util_info" "${ban_fetchutil:-"-"}, ${ban_realtime:-"-"}"
json_add_string "ipset_info" "${ban_cntinfo:-"-"}" json_add_string "ipset_info" "${ban_cntinfo:-"-"}"
json_add_string "backup_dir" "${ban_backupdir}" json_add_string "backup_dir" "${ban_backupdir}"
json_add_string "last_run" "${rundate:-"-"}" json_add_string "last_run" "${rundate:-"-"}"
@ -801,12 +860,14 @@ fi
f_envload f_envload
case "${ban_action}" in case "${ban_action}" in
"stop") "stop")
f_bgserv "stop"
f_jsnup stopped f_jsnup stopped
f_ipset destroy f_ipset destroy
f_rmbackup f_rmbackup
f_rmtemp f_rmtemp
;; ;;
"start"|"restart"|"reload"|"refresh") "start"|"restart"|"reload"|"refresh")
f_bgserv "stop"
f_envcheck f_envcheck
f_main f_main
;; ;;


Loading…
Cancel
Save