banIP support thread

Hi,

In the OpenWrt snapshot package repo you'll find the banIP package:

latest snapshot version: banIP 1.5.0-5 plus luci companion package

next stable OpenWrt version 24.10.x: banIP 1.5.0-5 plus luci companion package

stable OpenWrt version 23.05.x: banIP 1.0.1-2 plus luci companion package

Link to the latest banIP documentation

Feel free to test, ask questions or make suggestions.


Changelog

---
update 1.5.0-5
  • fix a reporting issue with multiple ports/protocols
---
update 1.5.0-4
  • Block HTTP/3 by including UDP in the feeds that have the 80 443 ports in their flag
---
update 1.5.0-3
  • better logging of nft load errors
  • update the readme
---
update 1.5.0-2
  • fix typo in the log_outbound target
  • update the readme
---
release 1.5.0-1
  • change the chain structure: only two regular chains contain the generated banIP sets. "_inbound" covers the base chains WAN-Input and WAN-Forward, "_outbound" covers the base chain LAN-Forward.
  • pre-configure the default chains for every feed in the banip.feeds json file, no longer blocks selected feeds in all chains by default
  • it's now possible to split country and asn Sets by country or asn (disabled by default)
  • support Set counters to easily report suspicious IPs per Set (disabled by default)
  • make it possible to opt out certain chains from the deduplication process
  • the element search now returns all matches (and not only the first one)
  • the report engine now includes statistics about the Inbound & Outbound chains and the Set counters (optional)
  • save the temp. files of possible nft loading errors in "/tmp/banIP-errors" by default for easier debugging
  • various code improvements
  • remove sslbl feed (deprecated)
  • add two new vpn feeds
  • update the readme
---
update 1.0.1-2
  • correctly parse json objects with hyphens in the autodetection function
---
release 1.0.1-1
  • optimized procd settings for better performance
  • made the log monitor work again (even on master with apk migration issues)
  • reworked the fetch autodetection function (still broken in master due to apk migration)
---
update 1.0.0-10
  • minimal fix to support all download utilities in currently broken apk snapshots
---
update 1.0.0-9
  • fixed gathering/printing of system information in banIP status
  • removed broken iblocklist.com feeds
  • updated readme
---
update 1.0.0-8
  • supports comments (introduced with a #) for MAC addresses in the allow and block list, e.g. 26:5e:a0:6a:9c:da # Test
  • added hagezi threat ip feed
  • added an adguard logterm to the readme
  • removed the broken talos feed
---
update 1.0.0-7
  • fixed auto allow-/blocklist issue with IPv6 addresses in CIDR notation
  • removed edrop feed from readme (had been removed from feeds for a while)
---
update 1.0.0-6
  • automatic blocking of IP ranges via RDAP request now supports multiple CIDRs
  • cosmetics
---
update 1.0.0-5
  • filter crappy IP entries from urlhaus feed
---
update 1.0.0-4
  • relax the firewall pre-check if fw4 is not running
  • replace former stale tor feed source with 'https://www.dan.me.uk/torlist/?exit'
  • add openvpn log term/search pattern example to the readme
  • the default config now includes only log terms for dropbear and LuCI, all others are optional
  • readme update
---
update 1.0.0-3
  • fixed a regression in the split Set function (reported in the forum)
  • fixed regex for urlhaus feed
---
update 1.0.0-2
  • fixed a possible "Argument list too long" error in the f_log function
  • fixed multiple incomplete digit character classes
  • fixed/optimized split file handling
  • cosmetics
---
release 1.0.0-1
  • made sure that the domain lookup always adds the found IPs to the underlying allow-/blocklist Set
  • major readme update
---
update 0.9.6-3
  • fixed concurrent, too high nft loads during feed processing (seen in LuCI frontend)
---
update 0.9.6-2
  • fix regex for nixspam and sslbl feed
  • list the pre-routing limits in the banIP status
  • small fixes and log improvements
---
release 0.9.6-1
  • refine IPv4 parsing, skip rough feed entries like loopback addresses
  • better error logging during banIP nftables initialization and Set loading
  • cosmetics
---
update 0.9.5-5
  • fix a processing race condition
  • it's now possible to disable the icmp/syn/udp safeguards in pre-routing: set the threshold to '0'.
---
update 0.9.5-4
  • optimized adding suspicious IPs to Sets in the log monitor
  • re-added ipblackhole feed
---
update 0.9.5-3
  • allow multiple protocol/port definitions per feed, e.g. 'tcp udp 80 443 50000'
  • removed the default protocol/port limitation from asn feed
---
update 0.9.5-2
  • fixed possible Set search race condition (initiated from LuCI frontend)
  • fixed the "no result" Set search problem in LuCI
  • removed abandoned feeds: spamhaus edrop (was merged with spamhaus drop)
---
release 0.9.5-1
  • added DDoS protection rules in a new pre-routing chain to prevent common ICMP, UDP and SYN flood attacks and drop spoofed tcp flags & invalid conntrack packets; flood thresholds are configured via 'ban_icmplimit' (default 10/s), 'ban_synlimit' (default 10/s) and 'ban_udplimit' (default 100/s)
  • the new pre-routing rules are tracked via named nft counters and are part of the standard reporting, set 'ban_logprerouting' accordingly
  • block countries dynamically by Regional Internet Registry (RIR)/regions, e.g. all countries related to ARIN. Supported service regions are: AFRINIC, ARIN, APNIC, LACNIC and RIPE, set 'ban_region' accordingly
  • it's now possible to always allow certain protocols/destination ports in wan-input and wan-forward chains, set 'ban_allowflag' accordingly, e.g. 'tcp 80 443-445'
  • filter/convert possible windows line endings of external feeds during processing
  • the cpu core autodetection is now limited to max. 16 cores in parallel, set 'ban_cores' manually to overrule this limitation
  • set the default nft priority to -100 for banIP input/forward chains (pre-routing is set to -150)
  • update readme
  • a couple of bugfixes & performance improvements
  • removed abandoned feeds: darklist, ipblackhole
  • added new feeds: becyber, ipsum, pallebone, debl (changed URL)
  • requires a LuCI frontend update as well (separate PR/commit)
---
update 0.9.4-3
  • fix another logical glitch in the logfile monitor
---
update 0.9.4-2
  • fix a long-standing problem in the logfile parser with dropbear and compressed IPv6 addresses
---
release 0.9.4-1
  • add support for destination port & protocol limitations for external feeds (see readme for details), useful for lan-forward ad- or DoH-blocking, e.g. only tcp ports 80 and 443
  • add turris sentinel blocklist feed
  • update readme
---
update 0.9.3-5
  • fix the nft Set survey function
---
update 0.9.3-4
  • made the default mail template "responsive" to get a better view esp. on mobile devices
---
update 0.9.3-3
  • more init fixes
---
update 0.9.3-2
  • rework the device/interface auto-detection (only layer-3 network devices will be detected correctly), disable the auto-detection e.g. for special tunnel interfaces
  • now supports full gawk (preferred, if installed) and busybox awk
  • raise the default boot timeout to 20 seconds (if 'ban_triggerdelay' is not set)
  • various small fixes and improvements
  • readme update
---
release 0.9.3-1
  • provides an option to transfer log events to remote servers via cgi interface (disabled by default), see readme for details
  • refine the allowlist check to support IP intervals as well before adding an IP to the blocklist
---
update 0.9.2-4
  • fix the urlhaus regex
  • fix a possible init race condition
---
update 0.9.2-2
  • support backup/restore for remote allowlists
  • report the used log variant in status message
---
release 0.9.2-1
  • the log file monitor now supports standard log files used by other log daemons like syslog-ng. Set 'ban_logreadfile' accordingly, by default it points to /var/log/messages
  • removed logd dependency
---
update 0.9.1-1
  • drop packets silently on input and forwardwan chains or actively reject the traffic, set 'ban_blocktype' accordingly
  • optimized banIP boot/reload handling
  • removed pppoe quirk in device detection
  • small fixes and optimizations
---
update 0.9.0-1
  • supports allowing / blocking of certain VLAN forwards in segregated network environments, set 'ban_vlanallow', 'ban_vlanblock' accordingly
  • simplified the code/JSON to generate/parse the banIP status
  • enclose nft related devices in quotation marks, e.g. to handle devices which start with a number ('10g-1')
  • made the new vlan options available to LuCI (separate commit)
---
update 0.8.9-4
  • made the etag id parsing more bulletproof (to catch unverified etags as well)
---
update 0.8.9-3
  • prevent superfluous etag function calls during start action (on start backups will be used anyway)
  • changed the ipthreat feed download URL (load a compressed file variant to save bandwidth)
---
update 0.8.9-2
  • fix a corner case backup issue with empty feed downloads
---
release 0.8.9-1
  • added HTTP ETag or entity tag support to download only resources that have been updated on the server side, to save bandwidth and speed up banIP reloads
  • added 4 new feeds: binarydefense, bruteforceblock, etcompromised, ipblackhole (see readme)
  • updated the readme
---
update 0.8.8-2
  • process local lists in strict sequential order to prevent possible race conditions
  • support ranges in the IP search, too
  • fix some minor search issues
---
release 0.8.8-1
  • Support MAC-/IPv4/IPv6 ranges in CIDR notation
  • Support concatenation of local MAC addresses with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments (see readme)
  • small fixes & cosmetics
  • update readme
---
release 0.8.7-1
  • Optionally auto-add entire subnets to the blocklist Sets based on an additional RDAP request with the monitored suspicious IP, set 'ban_autoblocksubnet' accordingly (disabled by default). For more information regarding RDAP see https://www.ripe.net/manage-ips-and-asns/db/registration-data-access-protocol-rdap for reference.
  • small fixes & cosmetics
  • update readme
---
update 0.8.6-2
  • fix/rework no-op loop
  • small fixes & cosmetics
  • update readme
---
release 0.8.6-1
  • made the fetch utility function/autodetection more bulletproof
  • no longer add suspicious IPs to the local blocklist when the nft set timeout has been set
  • restructure internal functions & small fixes
---
update 0.8.5-2
  • fixed a log parser regression introduced in latest 0.8.4 update
---
release 0.8.5-1
  • add support for external allowlist URLs to reference additional IPv4/IPv6 feeds, set 'ban_allowurl' accordingly
  • make download retries in case of an error configurable, set 'ban_fetchretry' accordingly (default 5)
  • small fixes
  • readme update
  • LuCI update (separate commit)
---
update 0.8.4-5
  • fix remaining small issues
  • standardize log wording
  • polished up for branch 23.x
---
update 0.8.4-4
  • add housekeeping to the autoallow function, only the current uplink will be held
  • fix small issues
  • cosmetics
---
update 0.8.4-3
  • add the option 'ban_autoallowuplink' to limit the uplink autoallow function: 'subnet' (default), 'ip' or 'disable'
---
update 0.8.4-2
  • fix domain lookup function (parse banIP config vars)
  • update readme
---
release 0.8.4-1
  • add support for a custom feeds file (/etc/banip/banip.custom.feeds). Add new or edit existing banIP feeds on your own with the integrated custom feed editor (LuCI component)
  • add a new option 'ban_blockpolicy' to overrule the default block policy (block all chains), see readme for details
  • change the feed file format and add a new ipthreat feed, see readme
  • refine (debug) logging
  • multiple small fixes and improvements
  • readme update
  • luci update (separate commit)
---
update 0.8.3-2
  • more init fixes
---
release 0.8.3-1
  • add the new init command 'lookup', to look up the IPs of domain names in the local lists and update them
  • significant acceleration of the domain lookup function
  • multiple small fixes and improvements
  • readme update
  • luci update (separate commit)
---
update 0.8.2-6
  • restored some accidentally removed init stuff in last commit
---
update 0.8.2-5
  • fixed missing version number when installed as separate package (not in build)
  • fixed corner-case init and mailing issues
  • sorted Country list by country names ascending
  • fixed some shellcheck findings
---
update 0.8.2-4
  • fixed a race condition if the service is in a disabled state
  • luci frontend sync
---
update 0.8.2-3
  • raise max. timeouts from 10 to 30 seconds to stabilize the autodetection on slow hardware
  • made interface trigger action configurable, set 'ban_triggeraction' accordingly (default: 'start')
  • made E-Mail notifications configurable to receive status E-Mails with every banIP run, set 'ban_mailnotification' accordingly (default: disabled)
  • small fixes & optimizations
  • readme update
---
update 0.8.2-2
  • fix the auto-detection for pppoe and 6in4 tunnel interfaces
  • add the new 'ban_nftpolicy' option to expose the nft set policy, values: memory (default), performance
  • add the new 'ban_nftloglevel' option to expose the nft syslog level, values: emerg, alert, crit, err, warn (default), notice, info, debug, audit
  • status optimizations
  • logging optimizations
  • update the readme
---
release 0.8.2-1
  • major performance improvements: clean-up/optimize all nft calls
  • add a new "ban_reportelements" option, to disable the (time consuming) Set element count in the report (enabled by default)
  • update the readme
---
update 0.8.1-3
  • finalized the LuCI frontend preparation (this is the minimal version to use the forthcoming LuCI frontend)
  • added a Set survey, to list all elements of a certain set
  • changed the default logterm for asterisk
  • update the readme
---
update 0.8.1-2
  • add oisdbig as new feed
  • LuCI frontend preparation:
    • the json feed file always points to /etc/banip/banip.feeds (and is no longer compressed)
    • supply country list in /etc/banip/banip.countries
  • update readme
---
release 0.8.1-1
  • add missing wan-forward chain (incl. report/mail adaption)
  • changed options:
    • old: ban_blockforward, new: ban_blockforwardwan and ban_blockforwardlan
    • old: ban_logforward, new: ban_logforwardwan and ban_logforwardlan
  • add missing dhcp(v6) rules/exceptions
  • update readme
---
update 0.8.0-4
  • remove bogus log limit
---
update 0.8.0-3
  • properly initialize the 'proto' variable in the log service
---
update 0.8.0-2
  • fix a potential race condition during initial startup (after flash) which leads to a "disabled" service
---
release 0.8.0-1
  • complete rewrite of banIP to support nftables
  • all sets are handled in a separate nft table/namespace 'banIP'
  • for incoming blocking it uses the inet input hook, for outgoing blocking it uses the inet forward hook
  • full IPv4 and IPv6 support
  • supports nft atomic set loading
  • supports blocking by ASN numbers and by iso country codes
  • 42 preconfigured external feeds are available, plus local allow- and blocklist
  • supports local allow- and blocklist (IPv4, IPv6, CIDR notation or domain names)
  • auto-add the uplink subnet to the local allowlist
  • provides a small background log monitor to ban unsuccessful login attempts in real-time
  • the logterms for the log monitor service can be freely defined via regex
  • auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist
  • fast feed processing as they are handled in parallel as background jobs
  • per feed it can be defined whether the input chain or the forward chain should be blocked (default: both chains)
  • automatic blocklist backup & restore, the backups will be used in case of download errors or during startup
  • automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or wget
  • supports an 'allowlist only' mode, this option restricts internet access from/to a small number of secure websites/IPs
  • provides comprehensive runtime information
  • provides a detailed set report
  • provides a set search engine for certain IPs
  • feed parsing by fast & flexible regex rulesets
  • minimal status & error logging to syslog, enable debug logging to receive more output
  • procd based init system support (start/stop/restart/reload/status/report/search)
  • procd network interface trigger support
  • ability to add new banIP feeds on your own
  • add a readme with all available options/feeds to customize your installation to your needs
  • a new LuCI frontend will be available in due course

Have fun!
Dirk

47 Likes
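The changelog above mentions per-feed protocol/port flags such as 'tcp udp 80 443 50000', the same format for 'ban_allowflag', and the 1.5.0-4 change that adds UDP to the 80/443 feeds so HTTP/3 is covered. The following is an added example, not banIP's own code: it validates such a flag string and renders it into an nft rule for a named Set. The function names and the exact rule layout are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not banIP's own code: turn a banIP-style protocol/port flag such as
# 'tcp udp 80 443-445' into an nft rule for a named Set. The rule layout and the
# function names are assumptions for this illustration.

# Validate a flag string and print "protocols|ports"; returns non-zero on bad input.
ban_parse_flag() {
    protos=""; ports=""
    for token in $1; do
        case "$token" in
            tcp|udp)
                protos="${protos:+$protos, }$token" ;;
            *)
                # anything else must be a port or a port range, e.g. 443 or 443-445
                printf '%s\n' "$token" | grep -Eq '^[0-9]{1,5}(-[0-9]{1,5})?$' || {
                    printf 'invalid flag token: %s\n' "$token" >&2
                    return 1
                }
                ports="${ports:+$ports, }$token" ;;
        esac
    done
    # ports without a transport protocol cannot be matched; refuse rather than ignore them
    if [ -n "$ports" ] && [ -z "$protos" ]; then
        printf 'ports given without tcp/udp: %s\n' "$1" >&2
        return 1
    fi
    printf '%s|%s\n' "$protos" "$ports"
}

# Print a complete nft rule that drops traffic whose source is in Set $2,
# limited to the protocols/destination ports of flag $1 (an empty flag matches everything).
ban_flag_to_nft() {
    parsed=$(ban_parse_flag "$1") || return 1
    protos=${parsed%%|*}
    ports=${parsed#*|}
    rule="ip saddr @$2"
    # 'meta l4proto' goes first so that 'th dport' knows which transport header to inspect
    [ -n "$protos" ] && rule="meta l4proto { $protos } $rule"
    [ -n "$ports" ] && rule="$rule th dport { $ports }"
    printf '%s counter drop\n' "$rule"
}

# Demo: the same feed with and without UDP; only the second rule also covers
# HTTP/3 (QUIC on UDP 443), which is the point of the 1.5.0-4 change.
ban_flag_to_nft 'tcp 80 443' adguard_v4
ban_flag_to_nft 'tcp udp 80 443' adguard_v4
```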

a new LuCI frontend is currently under construction ... :wink:

7 Likes

Can you be more precise about that "current"? Will this be true even in 2 years time from now?
I'm coming from the OpenWrt wiki, where many "current" or "currently" are heavily outdated, years after they have been added and never got removed again...

1 Like

Notably the LuCI frontend part requires the latest changes in master, which are not in 17.x or 18.x branch.

1 Like

I've been using firehol's ipset lists for some time, finally someone made a frontend for that. Unfortunately there's no IPv6 here. D:

I'll add your packages to my next build. Thank you.

1 Like

@dibdot finally a project like sub2rbl but with a LuCI frontend for OpenWRT. Quick question, how is the ram usage with ipsets?
Also, tiny nitpick, it is ransomware, not ransomeware.
Thank you!

1 Like

On the netfilter mailing list I found this calculation formula: https://www.spinics.net/lists/netfilter/msg56265.html

banIP always tries to start with a very small hashsize. Anyway, the kernel rounds this up to the first (lowest) valid hashsize during ipset creation. Compared to dns level blocking the RAM usage is very low.

3 Likes

@dibdot thanks for this, looks really useful.

I installed and all seems to work except blocking by iso country codes, anything I can do to tweak/test?

Also, I see my subnet has been auto-added to the whitelist, should it be there? Or does that disable banip on my network?

1 Like

Please provide debug logs - thanks!

That's the intended behaviour to keep your uplink/subnet always accessible.

IPv6 testing/feedback would be fine! :wink:

2 Likes

Did some more testing; "auto-add unsuccessful ssh login attempts to local blacklist" this feature seems to be non-functional as well for me.

Regarding "except blocking by iso country codes": in situations where multiple countries are added, the most recently added country seems to be the only one blocked.

Wed Aug  1 22:20:25 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: country, mode: create, settype: net, setipv: inet, ruletype: src+dst, count(sum/ip/cidr): 8711/0/8711, time(s): 12
Wed Aug  1 22:20:25 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: country_6, mode: create, settype: net, setipv: inet6, ruletype: src+dst, count(sum/ip/cidr): 1771/0/1771, time(s): 12
Wed Aug  1 22:20:25 2018 user.info banIP-[0.0.1]: 18 IPSets with overall 165102 IPs/Prefixes loaded successfully (Linksys WRT1900ACS, Cantenna_22-06-18 v.1.15- Lede SNAPSHOT r6865+1-419238f)
Wed Aug  1 22:20:25 2018 user.debug banIP-[0.0.1]: f_jsnup ::: status: enabled, setcnt: 18, cnt: 165102
Wed Aug  1 22:20:46 2018 user.debug banIP-[0.0.1]: f_jsnup ::: status: running, setcnt: 0, cnt: 0
Wed Aug  1 22:20:46 2018 user.info banIP-[0.0.1]: start banIP processing (start)
Wed Aug  1 22:20:46 2018 user.debug banIP-[0.0.1]: f_main  ::: fetch_util: /usr/bin/curl (built-in), iface: lan, dev: br-lan, mem_total: 511, mem_free: 336, max_queue: 32
Wed Aug  1 22:20:46 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: -, mode: initial, chain: banIP, ruleset: input_wan_rule forwarding_wan_rule input_lan_rule forwarding_lan_rule, ruleset_6: input_wan_rule forwarding_wan_rule input_lan_rule forwarding_lan_rule
Wed Aug  1 22:20:46 2018 user.debug banIP-[0.0.1]: f_main  ::: name: whitelist, src_on: 1
Wed Aug  1 22:20:46 2018 user.debug banIP-[0.0.1]: f_main  ::: name: whitelist_6, src_on: 0
Wed Aug  1 22:20:46 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: whitelist_6, mode: flush
Wed Aug  1 22:20:46 2018 user.debug banIP-[0.0.1]: f_main  ::: name: blacklist, src_on: 1
Wed Aug  1 22:20:46 2018 user.debug banIP-[0.0.1]: f_main  ::: name: blacklist_6, src_on: 0
Wed Aug  1 22:20:46 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: blacklist_6, mode: flush
Wed Aug  1 22:20:46 2018 user.debug banIP-[0.0.1]: f_main  ::: name: tor, src_on: 1
Wed Aug  1 22:20:46 2018 user.debug banIP-[0.0.1]: f_main  ::: name: threat, src_on: 1
Wed Aug  1 22:20:46 2018 user.debug banIP-[0.0.1]: f_main  ::: name: debl, src_on: 1
Wed Aug  1 22:20:46 2018 user.debug banIP-[0.0.1]: f_main  ::: name: debl_6, src_on: 0
Wed Aug  1 22:20:46 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: debl_6, mode: flush
Wed Aug  1 22:20:46 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: blacklist, mode: create, settype: net, setipv: inet, ruletype: src+dst, count(sum/ip/cidr): 0/0/0, time(s): 0
Wed Aug  1 22:20:46 2018 user.debug banIP-[0.0.1]: f_main  ::: name: myip, src_on: 1
Wed Aug  1 22:20:46 2018 user.debug banIP-[0.0.1]: f_main  ::: name: myip_6, src_on: 0
Wed Aug  1 22:20:46 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: myip_6, mode: flush
Wed Aug  1 22:20:46 2018 user.debug banIP-[0.0.1]: f_main  ::: name: bogon, src_on: 1
Wed Aug  1 22:20:46 2018 user.debug banIP-[0.0.1]: f_main  ::: name: bogon_6, src_on: 1
Wed Aug  1 22:20:46 2018 user.debug banIP-[0.0.1]: f_main  ::: name: yoyo, src_on: 1
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_main  ::: name: zeus, src_on: 1
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_main  ::: name: sslbl, src_on: 1
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_main  ::: name: ransomeware, src_on: 1
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_main  ::: name: feodo, src_on: 1
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_main  ::: name: dshield, src_on: 1
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_main  ::: name: proxy, src_on: 1
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_main  ::: name: iblocklist, src_on: 1
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_main  ::: name: drop, src_on: 1
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_main  ::: name: drop_6, src_on: 0
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: drop_6, mode: flush
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_main  ::: name: edrop, src_on: 1
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_main  ::: name: firehol1, src_on: 0
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: whitelist, mode: create, settype: net, setipv: inet, ruletype: src+dst, count(sum/ip/cidr): 1/0/1, time(s): 1
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: firehol1, mode: flush
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_main  ::: name: firehol2, src_on: 0
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: firehol2, mode: flush
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_main  ::: name: firehol3, src_on: 0
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: firehol3, mode: flush
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_main  ::: name: firehol4, src_on: 0
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: firehol4, mode: flush
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_main  ::: name: country, src_on: 1
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_main  ::: name: country_6, src_on: 1
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_main  ::: name: asn, src_on: 0
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: asn, mode: flush
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_main  ::: name: asn_6, src_on: 0
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: asn_6, mode: flush
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: iblocklist, mode: create, settype: net, setipv: inet, ruletype: src+dst, count(sum/ip/cidr): 0/0/0, time(s): 0
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: edrop, mode: create, settype: net, setipv: inet, ruletype: src+dst, count(sum/ip/cidr): 112/0/112, time(s): 0
Wed Aug  1 22:20:47 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: dshield, mode: create, settype: net, setipv: inet, ruletype: src+dst, count(sum/ip/cidr): 20/0/20, time(s): 0
Wed Aug  1 22:20:48 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: threat, mode: create, settype: net, setipv: inet, ruletype: src+dst, count(sum/ip/cidr): 2412/1567/845, time(s): 2
Wed Aug  1 22:20:50 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: drop, mode: create, settype: net, setipv: inet, ruletype: src+dst, count(sum/ip/cidr): 825/0/825, time(s): 3
Wed Aug  1 22:20:50 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: ransomeware, mode: create, settype: ip, setipv: inet, ruletype: src+dst, count(sum/ip/cidr): 304/304/0, time(s): 3
Wed Aug  1 22:20:50 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: zeus, mode: create, settype: ip, setipv: inet, ruletype: src+dst, count(sum/ip/cidr): 108/108/0, time(s): 3
Wed Aug  1 22:20:50 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: feodo, mode: create, settype: ip, setipv: inet, ruletype: src+dst, count(sum/ip/cidr): 1464/1464/0, time(s): 3
Wed Aug  1 22:20:50 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: proxy, mode: create, settype: ip, setipv: inet, ruletype: src+dst, count(sum/ip/cidr): 2749/2749/0, time(s): 3
Wed Aug  1 22:20:51 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: yoyo, mode: create, settype: ip, setipv: inet, ruletype: src+dst, count(sum/ip/cidr): 11843/11843/0, time(s): 5
Wed Aug  1 22:20:51 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: sslbl, mode: create, settype: ip, setipv: inet, ruletype: src+dst, count(sum/ip/cidr): 99/99/0, time(s): 4
Wed Aug  1 22:20:51 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: tor, mode: create, settype: ip, setipv: inet, ruletype: src+dst, count(sum/ip/cidr): 920/920/0, time(s): 5
Wed Aug  1 22:20:52 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: bogon, mode: create, settype: net, setipv: inet, ruletype: src+dst, count(sum/ip/cidr): 3239/0/3239, time(s): 6
Wed Aug  1 22:20:52 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: myip, mode: create, settype: ip, setipv: inet, ruletype: src+dst, count(sum/ip/cidr): 3692/3692/0, time(s): 6
Wed Aug  1 22:20:52 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: debl, mode: create, settype: ip, setipv: inet, ruletype: src+dst, count(sum/ip/cidr): 27287/27287/0, time(s): 6
Wed Aug  1 22:20:56 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: country_6, mode: create, settype: net, setipv: inet6, ruletype: src+dst, count(sum/ip/cidr): 1771/0/1771, time(s): 9
Wed Aug  1 22:20:58 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: country, mode: create, settype: net, setipv: inet, ruletype: src+dst, count(sum/ip/cidr): 8711/0/8711, time(s): 11
Wed Aug  1 22:20:59 2018 user.debug banIP-[0.0.1]: f_ipset ::: name: bogon_6, mode: create, settype: net, setipv: inet6, ruletype: src+dst, count(sum/ip/cidr): 99545/0/99545, time(s): 13
Wed Aug  1 22:20:59 2018 user.info banIP-[0.0.1]: 18 IPSets with overall 165102 IPs/Prefixes loaded successfully (Linksys WRT1900ACS, Cantenna_22-06-18 v.1.15- Lede SNAPSHOT r6865+1-419238f)
Wed Aug  1 22:20:59 2018 user.debug banIP-[0.0.1]: f_jsnup ::: status: enabled, setcnt: 18, cnt: 165102

2 Likes

Thanks for testing! :wink:
What's your testcase? Currently only lines like below will be auto-added (whenever you've reached the max-attempts):

Exit before auth (user 'root', 3 fails): Max auth tries reached - user 'root' from 10.168.1.103:53372

Regarding iso codes: which country codes did you use for testing?

Thanks again!

1 Like
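The post above shows the dropbear line the log monitor reacts to, and the changelog says an IP is checked against the allowlist (including IP intervals) before it is added to the blocklist. The following is an added example, not banIP's own log monitor: it extracts the source IP from such a line and checks it against a constructed IPv4 allowlist of exact addresses and CIDR ranges. Function names and the allowlist are assumptions; IPv6 is left out.

```shell
#!/bin/sh
# Added example, not banIP's own log monitor: parse a dropbear "Max auth tries
# reached" line, extract the source IPv4 address and check it against an
# allowlist (exact IPs and CIDR ranges) before treating it as a blocklist
# candidate. Function names and the allowlist are constructed for this
# illustration; only POSIX sh and awk (busybox awk is enough) are needed.

BAN_LOGTERM='Max auth tries reached'   # the dropbear phrase the monitor reacts to

# Constructed sample allowlist: the LAN of the quoted log line plus loopback.
BAN_ALLOWLIST='127.0.0.1
10.168.1.0/24'

# Print the source IPv4 address of a matching log line, nothing for other lines.
ban_extract_ip() {
    printf '%s\n' "$1" | awk -v term="$BAN_LOGTERM" '
        index($0, term) == 0 { next }
        {
            ip = $NF                  # last field, e.g. 10.168.1.103:53372
            sub(/:[0-9]+$/, "", ip)   # drop the source port
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print ip
        }'
}

# Exit 0 if the IPv4 address is covered by BAN_ALLOWLIST (exact IP or CIDR), else 1.
ban_is_allowed() {
    printf '%s\n' "$BAN_ALLOWLIST" | awk -v ip="$1" '
        function ip2int(s,  a) {
            split(s, a, ".")
            return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4]
        }
        BEGIN { want = ip2int(ip); hit = 1 }
        NF == 0 { next }
        {
            n = split($1, p, "/")
            bits = (n == 2) ? p[2] : 32
            blk = 2 ^ (32 - bits)            # number of addresses in the block
            if (int(ip2int(p[1]) / blk) == int(want / blk)) { hit = 0; exit }
        }
        END { exit hit }'
}

# What the monitor would do with one log line: "allow IP", "block IP" or "skip".
ban_monitor_line() {
    ip=$(ban_extract_ip "$1")
    if [ -z "$ip" ]; then
        echo skip
    elif ban_is_allowed "$ip"; then
        echo "allow $ip"        # allowlisted hosts never land in the blocklist
    else
        echo "block $ip"        # candidate for the local blocklist Set
    fi
}

# Demo with the dropbear line from the thread and a constructed external source.
ban_monitor_line "Exit before auth (user 'root', 3 fails): Max auth tries reached - user 'root' from 10.168.1.103:53372"
ban_monitor_line "Exit before auth (user 'admin', 3 fails): Max auth tries reached - user 'admin' from 203.0.113.9:41022"
```

Note that the LAN host from the quoted line is reported as "allow" because its subnet is allowlisted, which is exactly the uplink/subnet behaviour discussed earlier in the thread.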

confirmed & fixed with the next update (same bug applied to dynamic ASN IPsets, too) - thanks!

2 Likes

(sorry for late reply, was asleep)

I use ssh key+pass dropbear.

Country codes DE, RU, CN

But I see you made progress anyways :wink: Looking forward to your next update.

1 Like

Could you please send me a logfile/logread excerpt from the intentionally failed login via PM?

Thanks!

1 Like

@cantenna I've reproduced & fixed that issue, too. I need no further logs ... thanks.

1 Like

banIP v0.0.2 is now in my google drive folder (see first post), with the following changes:

  • fix auto-add function of failed ssh logins
  • fix dynamic ASN & Country IPSet creation where multiple sources are selected
  • fix "ransomware" typo
  • updated LuCI components - should work with 18.06 release & latest snapshots

Please remove the old version before you update and reset the LuCI cache (rm -rf /tmp/luci-*)

Happy testing! :wink:

5 Likes

Literally just working on getting that log to you now, came here to double check what you were asking for again. Awesome that you got it done anyways. Will give the update a go, thanks again :)

1 Like

Thanks for the update. Country block does seem to work but for some reason, occasionally after a reboot, country ipset fails to be known to banip, i.e. Country is missing from IPSet-Lookup. EDIT: increasing/adding trigger delay of 10 seconds seems to have helped

Haven't tested ssh block yet, will do next.

Is it possible to do stuff via console? I know it's early days.

1 Like

Check the debug log regarding failed downloads ... usually you can fine tune this with a reduced number of parallel processes (you've raised this to 32 if I remember right :wink: ) plus a higher trigger delay (default: 2).

/etc/init.d/banip start

to refresh your IPSets ... or did you mean something different!?

1 Like

That's great. Wasn't sure if restart would be same as refresh, thanks again, really useful package for LEDE