banIP support thread

But the country feed is what I need to allow only FR IP inbound traffic.

Since I have this setup, the only IP my crowdsec is banning is some malicious FR IP that I want to ban with banIP with the custom blocklist.

If I disable banIP I get malicious IP from all over the world…

So it’s working.

But now my question is about blocking some FR IPs with the custom blocklist alongside allowing only FR IPs.

Should I add the local blocklist to the inbound feed?

Nope, these allowlist URLs ...

list ban_allowurl 'https://www.ipdeny.com/ipblocks/data/aggregated/fr-aggregated.zone'
list ban_allowurl 'https://www.ipdeny.com/ipv6/ipaddresses/aggregated/fr-aggregated.zone'

are dynamically added to your allowlist, not to an (empty) country Set. Please re-read the online documentation and check the Set reporting which Sets are effectively filled/active.

Again, check the Set reporting. By default local allow- and blocklists are active in all chains. You've limited only the allowlist to your inbound chain (which makes sense), the blocklist is not limited, that means it works in all chains ... and blocks IPs from FR which you've added manually.

BTW, I don't understand the crowdsec part and the manual transfer to the local banIP blocklist as banIP can do that automatically.

Hello, thank you for your reply and explanations.

However, I still don’t really understand…

I apologize — English isn’t my first language, so sometimes I struggle to grasp the overall meaning even if I know the individual words.

I’d appreciate some further explanations (in simple terms) about how banIP works with the lists.

Also, the online documentation isn’t very clear or practical — it doesn’t work like the “how-to” guide I was hoping for.

Let’s get back to my configuration.

I explained what I needed a few months ago, and @tojestzart provided me with a how-to (please check the post I replied to): banIP support thread - #2672 by MilesTEG1

Are you saying that the instructions he gave me don’t work?

~~What is the “set reporting”?~~

OK, I see what this is.

As I am on my mobile phone, a screenshot isn’t relevant as the paging is not optimal …

What should I look at here?

OK, I understand that.

So, you’re saying that what I put in my local allowlist and blocklist is used to allow or block those IPs?

On another server — the one running my reverse proxy (SWAG in Docker) — I also have a CrowdSec instance and a Fail2Ban instance.

With my current banIP configuration, only French IP addresses can reach the reverse proxy. However, even with this limited access, CrowdSec sometimes still catches some malicious IPs. After their temporary bans expire, those IPs try again.
So, I’d like to add them permanently to the local banIP blocklist to block them for good.

Could you please explain how to do that, keeping in mind that I only want to allow French IP addresses? :innocent:

Thanks a lot for your time and help!

Have a great day! :slightly_smiling_face:
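The "add them permanently" step asked about above, as an added example that is not part of the thread, of banIP or of CrowdSec: a small script that takes a list of addresses banned by CrowdSec on the proxy host, appends only the ones not yet present to banIP's local blocklist, and reloads banIP. It assumes banIP reads its local blocklist from /etc/banip/banip.blocklist (one address or CIDR per line, `#` for comments) and that the candidate file has one address per line; the `cscli decisions list -o raw` column layout shown in the comment is likewise an assumption to check against your cscli version. The country allowlist is untouched by this: a local blocklist entry is evaluated in all chains, so a French address listed here is blocked even though FR traffic is otherwise allowed.

```shell
#!/bin/sh
# Added example, not part of banIP or CrowdSec: push addresses that CrowdSec
# banned on another host into banIP's local blocklist (skipping entries that
# are already there) and reload banIP so the new entries are loaded.
#
# Assumptions: banIP reads its local blocklist from /etc/banip/banip.blocklist
# (one IP or CIDR per line, '#' starts a comment), and the candidate list is a
# plain text file with one address per line. On the proxy host such a file can
# be produced from the current decisions; the column layout of "cscli
# decisions list -o raw" is assumed here and should be checked against your
# cscli version:
#   cscli decisions list -o raw | cut -d, -f3 | grep -v '^value$' > bans.txt

# is_ip: cheap syntax check, accepts IPv4/IPv6 with an optional /prefix and
# rejects header words, hostnames and empty lines
is_ip() {
    case "$1" in
        ''|*[!0-9a-fA-F:./]*) return 1 ;;
        *.*.*.*) return 0 ;;
        *:*) return 0 ;;
        *) return 1 ;;
    esac
}

# new_entries <blocklist> <candidates>: print candidates that are valid
# addresses and not yet in the blocklist, deduplicated and sorted
new_entries() {
    list="$1"; cand="$2"
    [ -f "$list" ] || list=/dev/null
    while IFS= read -r line || [ -n "$line" ]; do
        ip="${line%%#*}"             # drop trailing comments
        set -f; set -- $ip; set +f   # trim surrounding whitespace
        ip="${1:-}"
        is_ip "$ip" || continue
        grep -qxF -- "$ip" "$list" && continue
        echo "$ip"
    done < "$cand" | sort -u
}

# add_to_blocklist <blocklist> <candidates> [apply]: append the new entries;
# with "apply", reload banIP so they take effect. Prints the number added.
add_to_blocklist() {
    list="$1"; cand="$2"; apply="${3:-}"
    added=$(new_entries "$list" "$cand")
    if [ -z "$added" ]; then
        echo 0
        return 0
    fi
    printf '%s\n' "$added" >> "$list"
    printf '%s\n' "$added" | wc -l | tr -d ' '
    [ "$apply" = apply ] && /etc/init.d/banip reload
    return 0
}

# Usage: sh addbans.sh /etc/banip/banip.blocklist bans.txt apply
if [ $# -ge 2 ]; then
    add_to_blocklist "$@"
fi
```

Copy the candidate file over with scp (or fetch it from the proxy host in the same cron job that runs this script) and run it with `apply` as the third argument; without `apply` it only edits the file, which is handy for a dry run before the first reload.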

How often does banIP update its feeds? And how can I see when it was last updated?
Is it only at boot?
[screenshot]

As often as you tell it: https://openwrt.lan/cgi-bin/luci/admin/system/crontab - if that's empty then it will update only on boot.

Add the following line and it will update every day at midnight.
00 00 * * * /etc/init.d/banip reload

Details: https://github.com/openwrt/packages/blob/master/net/banip/files/README.md or https://en.wikipedia.org/wiki/Cron

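As an added example that is not part of the thread or of banIP, a small script that installs the daily reload job exactly once (running it again does not add a second line) and answers the "when was it last updated" question from the modification time of the downloaded feed backups. It assumes root's crontab lives at /etc/crontabs/root and that banIP keeps its list backups under /tmp/banIP-backup (the directory mentioned further down in this thread); both paths are assumptions to verify on your router.

```shell
#!/bin/sh
# Added example, not banIP's own code: install the daily reload job
# idempotently and report when the feeds were last refreshed.
# Assumptions: OpenWrt keeps root's crontab in /etc/crontabs/root and banIP
# stores its downloaded feed backups under /tmp/banIP-backup; both can be
# overridden through the environment.
CRONTAB="${CRONTAB_FILE:-/etc/crontabs/root}"
BACKUP_DIR="${BANIP_BACKUP:-/tmp/banIP-backup}"
JOB='00 00 * * * /etc/init.d/banip reload'

# ensure_cron_line <crontab-file> <line>: append the line only if it is
# not already there (exact match); prints "added" or "present"
ensure_cron_line() {
    file="$1"; line="$2"
    if [ -f "$file" ] && grep -qxF -- "$line" "$file"; then
        echo present
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
    echo added
}

# last_feed_update <dir>: modification time of the newest file in the
# backup directory, or "never" if there is nothing there yet
last_feed_update() {
    dir="$1"
    newest=$(ls -t "$dir" 2>/dev/null | head -n 1)
    if [ -z "$newest" ]; then
        echo never
    else
        date -r "$dir/$newest" '+%Y-%m-%d %H:%M:%S'
    fi
}

# Usage: sh banip-cron.sh install
if [ "${1:-}" = install ]; then
    case $(ensure_cron_line "$CRONTAB" "$JOB") in
        added) /etc/init.d/cron restart ;;   # make crond pick up the new job
    esac
    echo "feeds last refreshed: $(last_feed_update "$BACKUP_DIR")"
fi
```

The exact-line match is deliberate: if you later change the schedule, remove the old line by hand rather than relying on the script to replace it, otherwise you end up with two reload jobs.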

Thanks!
I read the readme file but missed it. Since it is quite an important aspect, maybe it should stand out a little bit more? I don't think most people restart their routers on a daily basis, which would be the "default" update method.


Probably you're right, but @dibdot is to decide :grin:

Not sure about banip, but adblock used to come with a small UI part which allowed to add those lines to cron jobs. But it's gone now.

Current situation:

Set up the country filter to block all Regional Internet Registries.

Set up External Allowlist Feeds (Allowlist Feed URLs) with US, UK, CH, SWE, NO and the European Union.

…but when I monitor the log list I see it blocking the Netherlands, Austria, Spain, Italy, Portugal, …

Any idea??

Without banIP config? No.

Maybe the Allowlist only mode is a better option for you.

Can `banIP` prevent connection attempts like DDoS attacks? The logs show a frequent occurrence of a single IP sending multiple packets at once. Only after `banIP` marks the IP as "suspicious" five times and adds it to the local blacklist is this effective, even though I'm using an x86 architecture and am not afraid of system crashes. Also, the maximum duration for `ban_nftexpiry` is only 1 day. Could you extend this duration, or allow for customization, such as 7 days?

The default is 1 time, doublecheck your settings.

Nope, just use the default and it's "unlimited", e.g.

[screenshot]


Hello,

I'm new to the forum, joined to see if anyone could shed any insight on something odd that is happening to me. It appears that lists downloaded from the internet (using the bundled-in feeds) are being loaded, however they are not used for blocking. Though if I add an IP to my local list through the UI, that gets blocked correctly. It's odd as I see the IP sets grow via the status page. I'm running the latest release as a fresh install and am looking to see if anyone else is seeing similar behavior.

Please be more specific—what are you trying to achieve, what does your configuration look like (contents of /etc/config/banip)?

Hi dibdot,
My config is

config banip 'global'
        option ban_enabled '1'
        option ban_debug '0'
        option ban_autodetect '1'
        list ban_logterm 'Exit before auth from'
        list ban_logterm 'luci: failed login'
        option ban_fetchretry '5'
        option ban_nicelimit '0'
        option ban_filelimit '1024'
        option ban_deduplicate '1'
        option ban_nftpriority '-100'
        option ban_icmplimit '25'
        option ban_synlimit '10'
        option ban_udplimit '100'
        option ban_nftpolicy 'memory'
        option ban_nftretry '5'
        option ban_blockpolicy 'drop'
        option ban_nftloglevel 'warn'
        option ban_logprerouting '0'
        option ban_loginbound '0'
        option ban_logoutbound '0'
        option ban_loglimit '100'
        option ban_autoallowlist '1'
        option ban_autoallowuplink 'subnet'
        option ban_autoblocklist '1'
        option ban_allowlistonly '0'
        option ban_fetchcmd 'uclient-fetch'
        option ban_protov4 '1'
        list ban_ifv4 'wan'
        option ban_protov6 '1'
        list ban_ifv6 'wan6'
        list ban_dev 'eth1'
        list ban_feed 'hagezi'

This is a fresh setup so everything is running defaults. I am just testing to validate that things are working correctly. I have enabled hagezi, restarted the service and see that there are lots of elements loaded (54 888 (chains: 7, sets: 9, rules: 36))

However, if I attempt to ping the first address in the hagezi list (found by looking in the list file in /tmp/banIP-backup), after seeing the updated element count, I can ping the address. However, if I add the first entry in hagezi to my local blocklist and reload the service, ping fails as expected.

For now I can probably just make a daily cron to build the local blocklist programmatically since that list is working as expected.

Let me know if you see anything odd in my config, but it is just the default with the hagezi list added. Thanks for taking the time to look it over, really appreciate it.

Please consult the readme (again). By default hagezi blocks outbound, limited to udp/tcp on ports 80/443 ... therefore ping is not blocked, e.g. a random IP from hagezi:

ping 109.111.155.60
PING 109.111.155.60 (109.111.155.60) 56(84) bytes of data.
64 bytes from 109.111.155.60: icmp_seq=1 ttl=55 time=41.1 ms
64 bytes from 109.111.155.60: icmp_seq=2 ttl=55 time=40.8 ms
64 bytes from 109.111.155.60: icmp_seq=3 ttl=55 time=40.8 ms

Same IP from a browser session:

If you copy this IP to your local blocklist, the port/protocol limitation is no longer in place ... therefore a ping is blocked as well.

Port/protocol limitations, Set details etc. are available on the "Set Reporting" tab as well.

Hope this helps!


Thanks so much, that really helps. I'll definitely read over the readme. I didn't know that the feeds could be restricted to specific ports.

Thanks again for taking the time to explain it to me.


Is it possible to use either /dev/kmsg or /proc/kmsg as a log file source to parse for creating blocklist entries in the event of repeated instances of “reject wan in” and “reject wan forward” by firewall4?

What do you expect from such raw log sources? logread or logd should provide everything.

Hi @dibdot, I’m using syslog-ng on OpenWRT acting as a syslog server for my whole network at the moment. Currently I’ve got it filtering all the firewall logs though because I’ve found it cannot keep up (i.e. entries are missing in syslog-ng vs the raw kernel log), and it duplicates the output of the kernel log via the serial port anyway.

It’s not a huge issue, just curious if it was a possibility.

Thanks for the clarification ... and "no", it's not planned to parse additional log sources.
