banIP - ban incoming and/or outgoing ip adresses via ipsets
Description
IP address blocking is commonly used to protect against brute force attacks, prevent disruptive or unauthorized address(es) from access or it can be used to restrict access to or from a particular geographic area — for example.
Main Features
- support many IP blocklist sources (free for private usage, for commercial use please check their individual licenses):
- zero-conf like automatic installation & setup, usually no manual changes needed
- automatically selects one of the following download utilities: aria2c, curl, uclient-fetch, wget
- Really fast downloads & list processing as they are handled in parallel as background jobs in a configurable 'Download Queue'
- full IPv4 and IPv6 support
- ipsets (one per source) are used to ban a large number of IP addresses
- supports blocking by ASN numbers
- supports blocking by iso country codes
- supports local white & blacklist (IPv4, IPv6 & CIDR notation), located by default in /etc/banip/banip.whitelist and /etc/banip/banip.blacklist
- auto-add unsuccessful LuCI and ssh login attempts via 'dropbear' or 'sshd' to local blacklist (see 'ban_autoblacklist' option)
- auto-add the uplink subnet to local whitelist (see 'ban_autowhitelist' option)
- provides a small background log monitor to ban unsuccessful login attempts in real-time
- per source configuration of SRC (incoming) and DST (outgoing)
- integrated IPSet-Lookup
- integrated RIPE-Lookup
- blocklist source parsing by fast & flexible regex rulesets
- minimal status & error logging to syslog, enable debug logging to receive more output
- procd based init system support (start/stop/restart/reload/refresh/status)
- procd network interface trigger support
- automatic blocklist backup & restore, they will be used in case of download errors or during startup
- output comprehensive runtime information via LuCI or via 'status' init command
- strong LuCI support
- optional: add new banIP sources on your own
- optional: log banned inbound and/or outbound IP to syslog.
Prerequisites
- OpenWrt, tested with the stable release series (19.07) and with the latest snapshot
- download utility: 'uclient-fetch' with one of the 'libustream-*' ssl libraries, 'wget', 'aria2c' or 'curl' is required
Installation & Usage
- install 'banip' (opkg install banip)
- at minimum configure the needed IP blocklist sources, the download utility and enable the banIP service in /etc/config/banip
- control the banip service manually with /etc/init.d/banip start/stop/restart/reload/refresh/status or use the LuCI frontend
LuCI banIP companion package
- it's recommended to use the provided LuCI frontend to control all aspects of banIP
- install 'luci-app-banip' (opkg install luci-app-banip)
- the application is located in LuCI under 'Services' menu
banIP config options
-
usually the pre-configured banIP setup works quite well and no manual overrides are needed
-
the following options apply to the 'global' config section:
- ban_enabled => main switch to enable/disable banIP service (bool/default: '0', disabled)
- ban_automatic => determine the L2/L3 WAN network device automatically (bool/default: '1', enabled)
- ban_iface => space separated list of WAN network interface(s)/device(s) used by banIP (default: not set, automatically detected)
- ban_realtime => a small log/banIP background monitor to block SSH/LuCI brute force attacks in realtime (bool/default: 'false', disabled)
- ban_target_src => action to perform when banning inbound IPv4 packets ('DROP'/'REJECT', default: 'DROP')
- ban_target_src_6 => action to perform when banning inbound IPv6 packets ('DROP'/'REJECT', default: 'DROP')
- ban_target_dst => action to perform when banning outbound IPv4 packets ('DROP'/'REJECT', default: 'REJECT')
- ban_target_dst_6 => action to perform when banning outbound IPv6 packets ('DROP'/'REJECT', default: 'REJECT')
- ban_log_src => switch to enable/disable logging of banned inbound IPv4 packets (bool/default: '0', disabled)
- ban_log_dst => switch to enable/disable logging of banned outbound IPv4 packets (bool/default: '0', disabled)
-
the following options apply to the 'extra' config section:
- ban_debug => enable/disable banIP debug output (bool/default: '0', disabled)
- ban_nice => set the nice level of the banIP process and all sub-processes (int/default: '0', standard priority)
- ban_triggerdelay => additional trigger delay in seconds before banIP processing begins (int/default: '2')
- ban_backupdir => target directory for banIP backups (default: '/tmp')
- ban_sshdaemon => select the SSH daemon for logfile parsing, 'dropbear' or 'sshd' (default: 'dropbear')
- ban_starttype => select the used start type during boot, 'start', 'refresh' or 'reload' (default: 'start')
- ban_maxqueue => size of the download queue to handle downloads & IPSet processing in parallel (int/default: '4')
- ban_fetchutil => name of the used download utility: 'uclient-fetch', 'wget', 'curl', 'aria2c' (default: not set, automatically detected)
- ban_fetchparm => special config options for the download utility (default: not set)
- ban_autoblacklist => store auto-addons temporary in ipset and permanently in local blacklist as well (bool/default: '1', enabled)
- ban_autowhitelist => store auto-addons temporary in ipset and permanently in local whitelist as well (bool/default: '1', enabled)
Logging of banned packets
- by setting ban_log_src=1 / ban_log_dst=1 in the config options, banIP will log banned inbound / outbound packets to syslog.
- example of a logged inbound (dst) and outbound (src) packet:
Oct 2 12:49:14 gateway kernel: [434134.855130] REJECT(dst banIP) IN=br-lan OUT=br-wan MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=x.x.x.x DST=x.x.x.x LEN=100 TOS=0x00 PREC=0x00 TTL=63 ID=7938 PROTO=UDP SPT=16393 DPT=16393 LEN=80
Oct 3 14:11:13 gateway kernel: [11290.429712] DROP(src banIP) IN=br-wan OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=x.x.x.x DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=235 ID=63275 PROTO=TCP SPT=48246 DPT=37860 WINDOW=1024 RES=0x00 SYN URGP=0
- to change the default logging behavior, the following options can be added to the 'global' config section:
- ban_log_src_opts => IPv4 iptables LOG options for banned inbound packets (default: '-m limit --limit 10/sec')
- ban_log_src_opts_6 => IPv6 iptables LOG options for banned inbound packets (default: '-m limit --limit 10/sec')
- ban_log_src_prefix (default: '<ban_target_src>(src banIP) ', typically 'DROP(src banIP) ')
- ban_log_src_prefix_6 (default: '<ban_target_src_6>(src banIP) ', typically 'DROP('src banIP)' )
- ban_log_dst_opts => IPv4 iptables LOG options for banned outbound packets (default: '-m limit --limit 10/sec')
- ban_log_dst_opts_6 => IPv6 iptables LOG options for banned outbound packets (default: '-m limit --limit 10/sec')
- ban_log_dst_prefix (default: '<ban_target_dst>(dst banIP) ', typically 'REJECT(dst banIP) ')
- ban_log_dst_prefix_6 (default: '<ban_target_dst_6>(dst banIP) ', typically 'REJECT('dst banIP)' )
Examples
receive banIP runtime information:
# /etc/init.d/banip status
::: banIP runtime information
+ status : enabled
+ version : 0.3.0
+ util_info : /usr/bin/aria2c, true
+ ipset_info : 10 IPSets with overall 106729 IPs/Prefixes
+ backup_dir : /tmp
+ last_run : 03.10.2019 19:15:25
+ system : UBNT-ERX, OpenWrt SNAPSHOT r11102-ced4c0e635
cronjob for a regular IPSet blocklist update (/etc/crontabs/root):
# Every day at 06:00, update the IPSets of banIP
00 06 * * * /etc/init.d/banip reload
Support
Please join the banIP discussion in this forum thread or contact me by mail dev@brenken.org
Removal
- stop all banIP related services with /etc/init.d/banip stop
- optional: remove the banip package (opkg remove banip)
Have fun!
Dirk