OpenWrt
/
packages
mirror of https://git.openwrt.org/feed/packages.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

banip: update 1.0.0-4 

* relax the firewall pre-check if fw4 is not running
* replace former stale tor feed source with 'https://www.dan.me.uk/torlist/?exit'
* add openvpn log term/search pattern example to the readme
* the default config now includes only log terms for dropbear and LuCI, all others are optional
* readme update

Signed-off-by: Dirk Brenken <dev@brenken.org>
This commit is contained in:
Dirk Brenken 2024-06-22 10:12:59 +02:00
parent 56d08c2da6
commit d17f661aee
No known key found for this signature in database
GPG Key ID: 9D71CD547BFAE684
6 changed files with 26 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
net/banip/Makefile
View File

@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=banip
PKG_VERSION:=1.0.0
PKG_RELEASE:=3
PKG_RELEASE:=4
PKG_LICENSE:=GPL-3.0-or-later
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>

28
net/banip/files/README.md
View File

@ -7,7 +7,11 @@ IP address blocking is commonly used to protect against brute force attacks, pre
## Main Features
* banIP supports the following fully pre-configured domain blocklist feeds (free for private usage, for commercial use please check their individual licenses).
**Please note:** By default every feed blocks all supported chains. The columns "WAN-INP", "WAN-FWD" and "LAN-FWD" show for which chains the feeds are suitable in common scenarios, e.g. the first entry should be limited to the LAN forward chain - see the config options 'ban\_blockpolicy', 'ban\_blockinput', 'ban\_blockforwardwan' and 'ban\_blockforwardlan' below.
**Please note:** By default every feed blocks packet traversal in all supported chains, the table columns "WAN-INP", "WAN-FWD" and "LAN-FWD" show for which chains the feeds are suitable in common scenarios:
* WAN-INP chain applies to packets from internet to your router
* WAN-FWD chain applies to packets from internet to other local devices (not your router)
* LAN-FWD chain applies to local packets going out to the internet (not your router)
For instance the first entry should be limited to the LAN forward chain - just set the 'LAN-Forward Chain' option under the 'Feed/Set Seetings' config tab accordingly.
| Feed | Focus | WAN-INP | WAN-FWD | LAN-FWD | Port-Limit | Information |
| :------------------ | :----------------------------- | :-----: | :-----: | :-----: | :----------: | :----------------------------------------------------------- |
@ -52,7 +56,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
| talos | talos IPs | x | x | | | [Link](https://talosintelligence.com/reputation_center) |
| threat | emerging threats | x | x | | | [Link](https://rules.emergingthreats.net) |
| threatview | malicious IPs | x | x | | | [Link](https://threatview.io) |
| tor | tor exit nodes | x | x | | | [Link](https://github.com/SecOps-Institute/Tor-IP-Addresses) |
| tor | tor exit nodes | x | x | x | | [Link](https://www.dan.me.uk) |
| turris | turris sentinel blocklist | x | x | | | [Link](https://view.sentinel.turris.cz) |
| uceprotect1 | spam protection level 1 | x | x | | | [Link](https://www.uceprotect.net/en/index.php) |
| uceprotect2 | spam protection level 2 | x | x | | | [Link](https://www.uceprotect.net/en/index.php) |
@ -319,17 +323,19 @@ The following feeds are just my personal recommendation as an initial setup:
In total, this feed selection blocks about 20K IP addresses. It may also be useful to include some countries to the country feed in WAN-Input and WAN-Forward chain.
Please note: don't just blindly activate (too) many feeds at once, sooner or later this will lead to OOM conditions.
**Regular expressions for logfile parsing**
Like fail2ban, banIP supports logfile scanning and automatic blocking of suspicious attacker IPs. By default the following regex are in place to detect failed login attempts via dropbear, sshd, nginx, asterisk or LuCI.
**Log Terms for logfile parsing**
Like fail2ban and crowdsec, banIP supports logfile scanning and automatic blocking of suspicious attacker IPs.
In the default config only the log terms to detect failed login attempts via dropbear and LuCI are in place. The following search pattern has been tested as well - just transfer the required regular expression via cut and paste to your config (without quotation marks):
```
list ban_logterm 'Exit before auth from'
list ban_logterm 'luci: failed login'
list ban_logterm 'error: maximum authentication attempts exceeded'
list ban_logterm 'sshd.*Connection closed by.*\[preauth\]'
list ban_logterm 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress='
list ban_logterm 'received a suspicious remote IP '\''.*'\'''
dropbear : 'Exit before auth from'
LuCI : 'luci: failed login'
sshd1 : 'error: maximum authentication attempts exceeded'
sshd2 : 'sshd.*Connection closed by.*\[preauth\]'
asterisk : 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress='
nginx : 'received a suspicious remote IP '\''.*'\'''
openvpn : 'TLS Error: could not determine wrapping from \[AF_INET\]'
```
Just add more log terms to protect additional services, e.g. an openvpn server.
You find the 'Log Terms' option in LuCI under the 'Log Settings' tab. Feel free to add more log terms to meet your needs and protect additional services.
**Allow-/Blocklist handling**
banIP supports local allow- and block-lists, MAC/IPv4/IPv6 addresses (incl. ranges in CIDR notation) or domain names. These files are located in /etc/banip/banip.allowlist and /etc/banip/banip.blocklist.

19
net/banip/files/banip-service.sh
View File

@ -27,21 +27,12 @@ f_mkdir "${ban_backupdir}"
f_mkfile "${ban_allowlist}"
f_mkfile "${ban_blocklist}"
# firewall check
# firewall/fw4 pre-check
#
if [ "${ban_action}" != "reload" ]; then
if [ -x "${ban_fw4cmd}" ]; then
cnt="0"
while [ "${cnt}" -lt "30" ] && ! /etc/init.d/firewall status >/dev/null 2>&1; do
cnt="$((cnt + 1))"
sleep 1
done
if ! /etc/init.d/firewall status >/dev/null 2>&1; then
f_log "err" "nftables based firewall error"
fi
else
f_log "err" "nftables based firewall not found"
fi
if [ ! -x "${ban_fw4cmd}" ] || [ ! -x "/etc/init.d/firewall" ]; then
f_log "err" "firewall/fw4 not found"
elif ! /etc/init.d/firewall status >/dev/null 2>&1; then
f_log "info" "firewall/fw4 is not running"
fi
# init banIP nftables namespace

2
net/banip/files/banip.cgi
View File

@ -1,6 +1,6 @@
#!/bin/sh
# banIP cgi remote logging script - ban incoming and outgoing IPs via named nftables Sets
# Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
# Copyright (c) 2018-2024 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3.
# (s)hellcheck exceptions

4
net/banip/files/banip.conf
View File

@ -4,7 +4,3 @@ config banip 'global'
option ban_autodetect '1'
list ban_logterm 'Exit before auth from'
list ban_logterm 'luci: failed login'
list ban_logterm 'error: maximum authentication attempts exceeded'
list ban_logterm 'sshd.*Connection closed by.*\[preauth\]'
list ban_logterm 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress='
list ban_logterm 'received a suspicious remote IP '\''.*'\'''

4
net/banip/files/banip.feeds
View File

@ -246,8 +246,8 @@
"descr": "malicious IPs"
},
"tor":{
"url_4": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst",
"url_6": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst",
"url_4": "https://www.dan.me.uk/torlist/?exit",
"url_6": "https://www.dan.me.uk/torlist/?exit",
"rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
"descr": "tor exit nodes"