banIP support thread

Community Builds, Projects & Packages
1

Hi,

in OpenWrt snapshot package repo you'll find the banIP package:

stable OpenWrt version 23.05.x.: banIP 0.9.4-3 plus luci companion package
latest snapshot version: banIP 0.9.4-3 plus luci companion package

Link to the latest banIP documentation

Feel free to test, ask questions or make suggestions.

Changelog

---
update 0.9.4-3

  • fix another logical glitch in the logfile monitor
    ---
    update 0.9.4-2
  • fix a long standing problem in the logfile-parser with dropbear and compressed IPv6 addresses
    ---
    release 0.9.4-1
  • add support for destination port & protocol limitations for external feeds (see readme for details), useful for lan-forward ad- or DoH-blocking, e.g. only tcp ports 80 and 443
  • add turris sentinel blocklist feed
  • update readme
    ---
    update 0.9.3-5
  • fix the nft Set survey function
    ---
    update 0.9.3-4
  • made the default mail template "responsive" to get a better view esp. on mobile devices
    ---
    update 0.9.3-3
  • more init fixes
    ---
    update 0.9.3-2
  • rework the device/interface auto-detection (only layer-3 network devices will be detected correctly), disable the auto-detection e.g. for special tunnel interfaces
  • supports now full gawk (preferred, if installed) and busybox awk
  • raise the default boot timeout to 20 seconds (if 'ban_triggerdelay' is not set)
  • various small fixes and improvements
  • readme update
    ---
    release 0.9.3-1
  • provides an option to transfer log events on remote servers via cgi interface (disabled by default), see readme for details
  • refine the allowlist check to support IP intervals as well before adding an IP to the blocklist
    ---
    update 0.9.2-4
  • fix the urlhaus regex
  • fix a possible init race condition
    ---
    update 0.9.2-2
  • support backup/restore for remote allowlists
  • report the used log variant in status message
    ---
    release 0.9.2-1
  • the log file monitor now supports standard log files used by other log daemons like syslog-ng. Set 'ban_logreadfile' accordingly, by default it points to /var/log/messages
  • removed logd dependency
    ---
    update 0.9.1-1
  • drop packets silently on input and forwardwan chains or actively reject the traffic, set 'ban_blocktype' accordingly
  • optimized banIP boot/reload handling
  • removed pppoe quirk in device detection
  • small fixes and optimizations
    ---
    update 0.9.0-1
  • supports allowing / blocking of certain VLAN forwards in segregated network environments, set 'ban_vlanallow', ''ban_vlanblock' accordingly
  • simplified the code/JSON to generate/parse the banIP status
  • enclose nft related devices in quotation marks , e.g. to handle devices which starts with a number '10g-1'
  • made the new vlan options available to LuCI (separate commit)
    ---
    update 0.8.9-4
  • made the etag id parsing more bulletproof (to catch unverified etags as well)
    ---
    update 0.8.9-3
  • prevent superflous etag function calls during start action (on start backups will be used anyway)
  • changed the ipthreat feed download URL (load a compressed file variant to save bandwidth)
    ---
    update 0.8.9-2
  • fix a corner case backup issue with empty feed downloads
    ---
    release 0.8.9-1
  • added HTTP ETag or entity tag support to download only ressources that have been updated on the server side, to save bandwidth and speed up banIP reloads
  • added 4 new feeds: binarydefense, bruteforceblock, etcompromised, ipblackhole (see readme)
  • updated the readme
    ---
    update 0.8.8-2
  • process local lists in strict sequential order to prevent possible race conditions
  • support ranges in the IP search, too
  • fix some minor search issues
    ---
    release 0.8.8-1
  • Support MAC-/IPv4/IPv6 ranges in CIDR notation
  • Support concatenation of local MAC addresses with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments (see readme)
  • small fixes & cosmetics
  • update readme
    ---
    release 0.8.7-1
  • Optionally auto-add entire subnets to the blocklist Sets based on an additional RDAP request with the monitored suspicious IP, set 'ban_autoblocksubnet' accordingly (disabled by default). For more information regarding RDAP see https://www.ripe.net/manage-ips-and-asns/db/registration-data-access-protocol-rdap for reference.
  • small fixes & cosmetics
  • update readme
    ---
    update 0.8.6-2
  • fix/rework no-op loop
  • small fixes & cosmetics
  • update readme
    ---
    release 0.8.6-1
  • made the fetch utility function/autodetection more bullet proof
  • no longer add suspicious IPs to the local blocklist when the nft set timeout has been set
  • restructure internal functions & small fixes
    ---
    update 0.8.5-2
  • fixed a log parser regression introduced in latest 0.8.4 update
    ---
    release 0.8.5-1
  • add support for external allowlist URLs to reference additional IPv4/IPv6 feeds, set 'ban_allowurl' accordingly
  • make download retries in case of an error configurable, set 'ban_fetchretry' accordingly (default 5)
  • small fixes
  • readme update
  • LuCI update (separate commit)
    ---
    update 0.8.4-5
  • fix remaining small issues
  • standardize log wording
  • polished up for branch 23.x
    ---
    update 0.8.4-4
  • add housekeeping to the autoallow function, only the current uplink will be held
  • fix small issues
  • cosmetics
    ---
    update 0.8.4-3
  • add the option 'ban_autoallowuplink' to limit the uplink autoallow function: 'subnet' (default), 'ip' or 'disable'
    ---
    update 0.8.4-2
  • fix domain lookup function (parse banIP config vars)
  • update readme
    ---
    release 0.8.4-1
  • add support for a custom feeds file (/etc/banip/banip.custom.feeds). Add new or edit existing banIP feeds on your own with the integrated custom feed editor (LuCI-component
  • add a new option 'ban_blockpolicy' to overrule the default bblock policy (block all chains), see readme for details
  • change the feed file format and add a new ipthreat feed, see readme
  • refine (debug) logging
  • multiple small fixes and improvements
  • readme update
  • luci update (separate commit)
    ---
    update 0.8.3-2
  • more init fixes
    ---
    release 0.8.3-1
  • add the new init command 'lookup', to lookup the IPs of domain names in the local lists and update them
  • significant acceleration of the domain lookup function
  • multiple small fixes and improvements
  • readme update
  • luci update (separate commit)
    ---
    update 0.8.2-6
  • restored some accidently removed init stuff in last commit
    ---
    update 0.8.2-5
  • fixed missing version number when installed as separate package (not in build)
  • fixed cornercase init and mailing issues
  • sorted Country list by country names ascending
  • fixed some shellcheck findings
    ---
    update 0.8.2-4
  • fixed a race condition if the service is in a disabled state
  • luci frontend sync
    ---
    update 0.8.2-3
  • raise max. timeouts from 10 to 30 seconds to stabilize the autodetection on slow hardware
  • made interface trigger action configurable, set 'ban_triggeraction' accordingly (default: 'start')
  • made E-Mail notifications configurable to receive status E-Mais with every banIP run, set 'ban_mailnotification' accordingly (default: disabled)
  • small fixes & optimizations
  • readme update
    ---
    update 0.8.2-2
  • fix the auto-detection for pppoe and 6in4 tunnel interfaces
  • add the new 'ban_nftpolicy' option to expose the nft set policy, values: memory (default), performance
  • add the new 'ban_nftlogevel' option to expose the nft syslog level, values: emerg, alert, crit, err, warn (default), notice, info, debug, audit
  • status optimizations
  • logging optimizations
  • update the readme
    ---
    release 0.8.2-1
  • major performance improvements: clean-up/optimize all nft calls
  • add a new "ban_reportelements" option, to disable the (time consuming) Set element count in the report (enabled by default)
  • update the readme
    ---
    update 0.8.1-3
  • finalized the LuCI frontend preparation (this is the minmal version to use the forthcoming LuCI frontend)
  • added a Set survey, to list all elements of a certain set
  • changed the default logterm for asterisk
  • update the readme
    ---
    update 0.8.1-2
  • add oisdbig as new feed
  • LuCI frontend preparation:
    • the json feed file points always to /etc/banip/banip.feeds (and is no longer compressed)
    • supply country list in /etc/banip/banip.countries
  • update readme
    ---
    release 0.8.1-1
  • add missing wan-forward chain (incl. report/mail adaption)
  • changed options:
    • old: ban_blockforward, new: ban_blockforwardwan and ban_blockforwardlan
    • old: ban_logforward, new: ban_logforwardwan and ban_logforwardlan
  • add missing dhcp(v6) rules/exceptions
  • update readme
    ---
    update 0.8.0-4
  • remove bogus log limit
    ---
    update 0.8.0-3
  • properly initialize the 'proto' variable in the log service
    ---
    update 0.8.0-2
  • fix a potential race condition during initial startup (after flash) which leads to a "disabled" service
    ---
    release 0.8.0-1
  • complete rewrite of banIP to support nftables
  • all sets are handled in a separate nft table/namespace 'banIP'
  • for incoming blocking it uses the inet input hook, for outgoing blocking it uses the inet forward hook
  • full IPv4 and IPv6 support
  • supports nft atomic set loading
  • supports blocking by ASN numbers and by iso country codes
  • 42 preconfigured external feeds are available, plus local allow- and blocklist
  • supports local allow- and blocklist (IPv4, IPv6, CIDR notation or domain names)
  • auto-add the uplink subnet to the local allowlist
  • provides a small background log monitor to ban unsuccessful login attempts in real-time
  • the logterms for the log monitor service can be freely defined via regex
  • auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist
  • fast feed processing as they are handled in parallel as background jobs
  • per feed it can be defined whether the input chain or the forward chain should be blocked (default: both chains)
  • automatic blocklist backup & restore, the backups will be used in case of download errors or during startup
  • automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or wget
  • supports a 'allowlist only' mode, this option restricts internet access from/to a small number of secure websites/IPs
  • provides comprehensive runtime information
  • provides a detailed set report
  • provides a set search engine for certain IPs
  • feed parsing by fast & flexible regex rulesets
  • minimal status & error logging to syslog, enable debug logging to receive more output
  • procd based init system support (start/stop/restart/reload/status/report/search)
  • procd network interface trigger support
  • ability to add new banIP feeds on your own
  • add a readme with all available options/feeds to customize your installation to your needs
  • a new LuCI frontend will be available in due course

Have fun!
Dirk

45 Likes
2

a new LuCI frontend is currently under construction ... :wink:

7 Likes
4

Can you precise that "current"? Will this be true even in 2 years time from now?
I'm coming from the OpenWrt wiki, where many "current" or "currently" are heavily outdated, years after they have been added and never got removed again...

1 Like
5

Notably the LuCI frontend part requires the latest changes in master, which are not in 17.x or 18.x branch.

1 Like
6

I've been using firehol's ipset lists for some time, finally someone made a frontend for that. Unfortunately there's no IPv6 here. D:

I'll add your packages to my next build. Thank you.

1 Like
7

@dibdot finally a project like sub2rbl but with a LuCI frontend for OpenWRT. Quick question, how is the ram usage with ipsets?
Also, tiny nitpick, it is ransomware, not ransomeware.
Thank you!

1 Like
8

On the netfilter mailing list I found this calculation formula: https://www.spinics.net/lists/netfilter/msg56265.html

banIP always tries to start with a very small hashsize. Anyway, the kernel rounds this up to the first (lowest) valid hashsize during ipset creation. Compared to dns level blocking the RAM usage is very low.

3 Likes
9

@dibdot thanks for this, looks really useful.

I installed and all seems to work except blocking by iso country codes, anything I can do to tweak/test?

Also, I seem my subnet has been auto-added to white list, should it be there? Or does that disable banip on my network?

1 Like
10

Please provide debug logs - thanks!

That's the intended behaviour to keep your uplink/subnet always accessible.

IPv6 testing/feedback would be fine! :wink:

2 Likes
11

Did some more testing; "auto-add unsuccessful ssh login attempts to local blacklist" this feature seems to be non-functional as well for me.

Regarding "except blocking by iso country codes" in situations where multiple countries are added, the most recently added country, seems to be the only one blocked.

Wed Aug  1 22:20:25 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: country, mode: create, settype: net, setipv: inet, ruletype: src+dst, count(sum/ip/cidr): 8711/0/8711, time(s): 12
Wed Aug  1 22:20:25 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: country_6, mode: create, settype: net, setipv: inet6, ruletype: src+dst, count(sum/ip/cidr): 1771/0/1771, time(s): 12
Wed Aug  1 22:20:25 2018 user.info banIP-[0.0.1]: 18 IPSets with overall 165102 IPs/Prefixes loaded successfully (Linksys WRT1900ACS, Cantenna_22-06-18 v.1.15- Lede SNAPSHOT r6865+1-419238f)
Wed Aug  1 22:20:25 2018 user.debug banIP-[0.0.1]: f_jsnup ::: status: enabled, setcnt: 18, cnt: 165102
Wed Aug  1 22:20:46 2018 user.debug banIP-[0.0.1]: f_jsnup ::: status: running, setcnt: 0, cnt: 0
Wed Aug  1 22:20:46 2018 user.info banIP-[0.0.1]: start banIP processing (start)
Wed Aug  1 22:20:46 2018 user.debug banIP-[0.0.1]: f_main  ::: fetch_util: /usr/bin/curl (built-in), iface: lan, dev: br-lan, mem_total: 511, mem_free: 336, max_queue: 32
Wed Aug  1 22:20:46 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: -, mode: initial, chain: banIP, ruleset: input_wan_rule forwarding_wan_rule input_lan_rule forwarding_lan_rule, ruleset_6: input_wan_rule forwarding_wan_rule input_lan_rule forwarding_lan_rule
Wed Aug  1 22:20:46 2018 user.debug banIP-[0.0.1]: f_main  ::: name: whitelist, src_on: 1
Wed Aug  1 22:20:46 2018 user.debug banIP-[0.0.1]: f_main  ::: name: whitelist_6, src_on: 0
Wed Aug  1 22:20:46 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: whitelist_6, mode: flush
Wed Aug  1 22:20:46 2018 user.debug banIP-[0.0.1]: f_main  ::: name: blacklist, src_on: 1
Wed Aug  1 22:20:46 2018 user.debug banIP-[0.0.1]: f_main  ::: name: blacklist_6, src_on: 0
Wed Aug  1 22:20:46 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: blacklist_6, mode: flush
Wed Aug  1 22:20:46 2018 user.debug banIP-[0.0.1]: f_main  ::: name: tor, src_on: 1
Wed Aug  1 22:20:46 2018 user.debug banIP-[0.0.1]: f_main  ::: name: threat, src_on: 1
Wed Aug  1 22:20:46 2018 user.debug banIP-[0.0.1]: f_main  ::: name: debl, src_on: 1
Wed Aug  1 22:20:46 2018 user.debug banIP-[0.0.1]: f_main  ::: name: debl_6, src_on: 0
Wed Aug  1 22:20:46 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: debl_6, mode: flush
Wed Aug  1 22:20:46 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: blacklist, mode: create, settype: net, setipv: inet, ruletype: src+dst, count(sum/ip/cidr): 0/0/0, time(s): 0
Wed Aug  1 22:20:46 2018 user.debug banIP-[0.0.1]: f_main  ::: name: myip, src_on: 1
Wed Aug  1 22:20:46 2018 user.debug banIP-[0.0.1]: f_main  ::: name: myip_6, src_on: 0
Wed Aug  1 22:20:46 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: myip_6, mode: flush
Wed Aug  1 22:20:46 2018 user.debug banIP-[0.0.1]: f_main  ::: name: bogon, src_on: 1
Wed Aug  1 22:20:46 2018 user.debug banIP-[0.0.1]: f_main  ::: name: bogon_6, src_on: 1
Wed Aug  1 22:20:46 2018 user.debug banIP-[0.0.1]: f_main  ::: name: yoyo, src_on: 1
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_main  ::: name: zeus, src_on: 1
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_main  ::: name: sslbl, src_on: 1
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_main  ::: name: ransomeware, src_on: 1
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_main  ::: name: feodo, src_on: 1
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_main  ::: name: dshield, src_on: 1
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_main  ::: name: proxy, src_on: 1
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_main  ::: name: iblocklist, src_on: 1
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_main  ::: name: drop, src_on: 1
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_main  ::: name: drop_6, src_on: 0
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: drop_6, mode: flush
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_main  ::: name: edrop, src_on: 1
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_main  ::: name: firehol1, src_on: 0
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: whitelist, mode: create, settype: net, setipv: inet, ruletype: src+dst, count(sum/ip/cidr): 1/0/1, time(s): 1
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: firehol1, mode: flush
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_main  ::: name: firehol2, src_on: 0
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: firehol2, mode: flush
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_main  ::: name: firehol3, src_on: 0
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: firehol3, mode: flush
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_main  ::: name: firehol4, src_on: 0
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: firehol4, mode: flush
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_main  ::: name: country, src_on: 1
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_main  ::: name: country_6, src_on: 1
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_main  ::: name: asn, src_on: 0
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: asn, mode: flush
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_main  ::: name: asn_6, src_on: 0
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: asn_6, mode: flush
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: iblocklist, mode: create, settype: net, setipv: inet, ruletype: src+dst, count(sum/ip/cidr): 0/0/0, time(s): 0
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: edrop, mode: create, settype: net, setipv: inet, ruletype: src+dst, count(sum/ip/cidr): 112/0/112, time(s): 0
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: dshield, mode: create, settype: net, setipv: inet, ruletype: src+dst, count(sum/ip/cidr): 20/0/20, time(s): 0
Wed Aug  1 22:20:48 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: threat, mode: create, settype: net, setipv: inet, ruletype: src+dst, count(sum/ip/cidr): 2412/1567/845, time(s): 2
Wed Aug  1 22:20:50 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: drop, mode: create, settype: net, setipv: inet, ruletype: src+dst, count(sum/ip/cidr): 825/0/825, time(s): 3
Wed Aug  1 22:20:50 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: ransomeware, mode: create, settype: ip, setipv: inet, ruletype: src+dst, count(sum/ip/cidr): 304/304/0, time(s): 3
Wed Aug  1 22:20:50 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: zeus, mode: create, settype: ip, setipv: inet, ruletype: src+dst, count(sum/ip/cidr): 108/108/0, time(s): 3
Wed Aug  1 22:20:50 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: feodo, mode: create, settype: ip, setipv: inet, ruletype: src+dst, count(sum/ip/cidr): 1464/1464/0, time(s): 3
Wed Aug  1 22:20:50 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: proxy, mode: create, settype: ip, setipv: inet, ruletype: src+dst, count(sum/ip/cidr): 2749/2749/0, time(s): 3
Wed Aug  1 22:20:51 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: yoyo, mode: create, settype: ip, setipv: inet, ruletype: src+dst, count(sum/ip/cidr): 11843/11843/0, time(s): 5
Wed Aug  1 22:20:51 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: sslbl, mode: create, settype: ip, setipv: inet, ruletype: src+dst, count(sum/ip/cidr): 99/99/0, time(s): 4
Wed Aug  1 22:20:51 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: tor, mode: create, settype: ip, setipv: inet, ruletype: src+dst, count(sum/ip/cidr): 920/920/0, time(s): 5
Wed Aug  1 22:20:52 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: bogon, mode: create, settype: net, setipv: inet, ruletype: src+dst, count(sum/ip/cidr): 3239/0/3239, time(s): 6
Wed Aug  1 22:20:52 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: myip, mode: create, settype: ip, setipv: inet, ruletype: src+dst, count(sum/ip/cidr): 3692/3692/0, time(s): 6
Wed Aug  1 22:20:52 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: debl, mode: create, settype: ip, setipv: inet, ruletype: src+dst, count(sum/ip/cidr): 27287/27287/0, time(s): 6
Wed Aug  1 22:20:56 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: country_6, mode: create, settype: net, setipv: inet6, ruletype: src+dst, count(sum/ip/cidr): 1771/0/1771, time(s): 9
Wed Aug  1 22:20:58 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: country, mode: create, settype: net, setipv: inet, ruletype: src+dst, count(sum/ip/cidr): 8711/0/8711, time(s): 11
Wed Aug  1 22:20:59 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: bogon_6, mode: create, settype: net, setipv: inet6, ruletype: src+dst, count(sum/ip/cidr): 99545/0/99545, time(s): 13
Wed Aug  1 22:20:59 2018 user.info banIP-[0.0.1]: 18 IPSets with overall 165102 IPs/Prefixes loaded successfully (Linksys WRT1900ACS, Cantenna_22-06-18 v.1.15- Lede SNAPSHOT r6865+1-419238f)
Wed Aug  1 22:20:59 2018 user.debug banIP-[0.0.1]: f_jsnup ::: status: enabled, setcnt: 18, cnt: 165102
2 Likes
12

Thanks for testing! :wink:
What's your testcase? Currently only lines like below will be auto-added (whenever you've reached the max-attempts):

Exit before auth (user 'root', 3 fails): Max auth tries reached - user 'root' from 10.168.1.103:53372

Regarding iso codes: which country codes did you use for testing?

Thanks again!

1 Like
13

confirmed & fixed with the next update (same bug applied to dynamic ASN IPsets, too) - thanks!

2 Likes
14

(sorry for late reply, was asleep)

I use ssh key+pass dropbear.

Country codes DE, RU, CN

But I see you made progress anyways :wink: Looking forward to you next update.

1 Like
15

Could you please send me a logfile/logread excerpt from the intentionally failed login via PM?

Thanks!

1 Like
16

@cantenna I've reproduced & fixed that issue, too. I need no further logs ... thanks.

1 Like
17

banIP v 0.0.2 is now in my google drive folder (see first post), with the following changes:

  • fix auto-add function of failed ssh logins
  • fix dynamic ASN & Country IPSet creation where multiple sources are selected
  • fix "ransomware" typo
  • updated LuCI components - should work with 18.06 release & latest snapshots

Please remove the old version before you update and reset the LuCI cache (rm -rf /tmp/luci-*)

Happy testing! :wink:

4 Likes
18

Literally just working on getting that log to you now, came here to double check what you were asking for again. Awesome that you got it done anyways. Will give the update a go, thanks again:)

1 Like
19

Thanks for the update. Country block does seem to work but for some reason, occasionally after a reboot, country ipset fails to be known to banip i.e.) Country is missing from IPSet-Lookup. EDIT: increasing/adding trigger delay of 10 seconds seems to have helped

Haven't tested ssh block yet, will do next.

Is it possible to o stuff via console? I know it's early days.

1 Like
20

Check the debug log regarding failed downloads ... usually you can fine tune this with a reduced number of parallel processes (you've raised this to 32 if I remember right :wink: ) plus a higher trigger delay (default: 2).

/etc/init.d/banip start

to refresh your IPSets ... or did you mean something different!?

1 Like
21

That's great. Wasn't sure if restart would be same as refresh, thanks again, really useful package for LEDE