banIP support thread

Update: The ssh auto-ban for failed attempts is still broken here, tests:

  1. 192.168.1.22 (failed attempt on lan, adds correctly but does not block)
  2. 08:47:08 (failed attempt over net, seems to just grab the time)
  3. 08:47:11 (second attempt over net)

Edit: seems to add the remote ip address now. Is it supposed to just auto-add but not apply the block?

To disable auto-ban-ssh, is this the setting? Disable the auto ssh option: ban_automatic '1'

Please make sure that during your tests your whitelist is disabled or at least set to "dst" (outgoing) only ... otherwise your whitelist always "wins" (with your uplink subnet) and allows the traffic.

If you find examples, where the ip is in the log but not in your IPSet, please provide me the logfile excerpt via PM, maybe I have to further refine the search patterns for IPv4 & IPv6.

No, that's the param for automatic uplink detection, which is enabled by default.

Thanks for your testing efforts. :+1:

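
The failed-login parsing discussed above (the "seems to just grab the time" observation and the note about refining the IPv4/IPv6 search patterns) comes down to how the address is extracted from a syslog line. The following is an added example, not banIP's own code: the log lines are constructed in dropbear/syslog style, and the patterns are assumptions that anchor on the "from " context instead of on any run of digits.

```sh
#!/bin/sh
# Constructed sample log lines (not from the page or from banIP) in the
# dropbear "Bad password attempt" syslog style; one IPv4 over the net,
# one IPv6, one IPv4 from the LAN.
sample_log() {
  cat <<'EOF'
Tue Jul 10 08:47:08 2018 authpriv.warn dropbear[1234]: Bad password attempt for 'root' from 203.0.113.45:51234
Tue Jul 10 08:47:11 2018 authpriv.warn dropbear[1234]: Bad password attempt for 'root' from 2001:db8::1f:54321
Tue Jul 10 08:48:02 2018 authpriv.warn dropbear[1240]: Bad password attempt for 'admin' from 192.168.1.22:40000
EOF
}

# Naive pattern: the first run of digits joined by '.' or ':'. On a syslog
# line the first such run is the timestamp, which is the failure mode the
# tester saw (an entry like "08:47:08" instead of an address).
naive_extract() {
  grep -oE '[0-9]+([.:][0-9]+)+' | head -n 1
}

# Strict IPv4: only the dotted quad that follows "from " and precedes the
# ':port' suffix. Timestamps have no dots, so they can no longer match.
extract_ipv4() {
  grep 'Bad password attempt' |
    sed -nE 's/.* from (([0-9]{1,3}\.){3}[0-9]{1,3}):[0-9]+$/\1/p'
}

# Strict IPv6: hex groups with at least two ':' separators after "from ",
# with the trailing ':port' stripped. Dotted IPv4 addresses do not match.
extract_ipv6() {
  grep 'Bad password attempt' |
    sed -nE 's/.* from (([0-9a-fA-F]{0,4}:){2,}[0-9a-fA-F]{0,4}):[0-9]+$/\1/p'
}

# Stand-alone run: shows the naive result beside the strict ones.
if [ "${1:-}" = "demo" ]; then
  printf 'naive : %s\n' "$(sample_log | naive_extract)"
  printf 'ipv4  : %s\n' "$(sample_log | extract_ipv4 | tr '\n' ' ')"
  printf 'ipv6  : %s\n' "$(sample_log | extract_ipv6 | tr '\n' ' ')"
fi
```

Note that 192.168.1.22 is still extracted correctly; whether it is then blocked is a separate question of whitelist ordering, as dibdot's reply explains.
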
Been using your packages for a while, great stuff. It just works.

I have it reload the lists every 5 AM, also adblock lists every 4 AM, both living together peacefully and easy on RAM/CPU.

Hi dibdot,

Trust all is well :)

How to prevent lockout or workaround lockout if accidental with too many failed login attempts?

Cheers

Well, quite simple - you have to use a different external IP for further login attempts. :wink:
Of course I could make this logfile parsing for failed login attempts optional. Thoughts?

This looks really good - unfortunately the ipset-lookup & ripe-lookup pages under luci don't return any results. How can I help debug?

Are the select boxes on these pages correctly pre-filled or empty, too? Please enable debug (ban_debug) and send back the logs to my maintainer's email address plus the output of /etc/init.d/banip status.

Edit: Please provide the tested browser/os, too.

Thanks!

FYI, banIP is now on release level 0.0.5 and part of the official snapshot repo, I've updated the download links accordingly.

Happy testing! :wink:

@ldir found a javascript bug with chromium ... will fix it.

Edit: fixed in latest LuCI trunk! :wink:

Indeed it is! macOS, Safari - excellent, thank you!

Is it presently possible to define multiple "WAN" interfaces?

Previously I generated ipsets after aggregating the ranges with a Perl module. I've been looking at changing that to using aggregate as it would be more suitable on embedded devices, but it only handles IPv4, and I am not aware of something comparable to it covering IPv6.

No, not yet. Could you please elaborate on the use case for that? Thanks!

I may be misunderstanding, but I don't think it's uncommon to have multiple upstream interfaces.

I usually have 3: 1 DSL account with a dynamic IP, 1 DSL account with a static IP from a different ISP, and mobile data as a backup should my DSL go down. I have static routes so that some traffic only ever goes out the static interface; otherwise it is also used as a fallback should the dynamic DSL account disconnect.

At least for me ... in my "small world" setup I use only one simple uplink to my cable provider ... :wink:
Anyway, I've added support for multiple WANs in 0.0.6 once the PR gets merged (https://github.com/openwrt/packages/pull/7448).

Edit: BTW, banIP will be triggered by firewall events - whenever a firewall event occurs the banIP firewall chains & ipsets will be re-applied as well (with the current / maybe changed WAN).

Thanks for your input!

Hi, just installed on my wrt3200acm. Thanks for a good app. All is working fine so far; I will let you know if I can find a way of breaking anything! :smiley: Is there a way of making descriptions for the lists a bit more explanatory? Or adding links to the lists in the web interface.

@tapper thanks for the feedback. The source list (description) will be refined in one of the next updates.

BTW, update 0.0.6 is now in snapshots with the following changes:

  • support multiple WAN interfaces in iptables rules, set 'ban_iface' option accordingly (as space separated list) or use the LuCI frontend
  • add a new "refresh" mode while triggered by fw changes (no download)
  • add required ip dependency
  • fix wrong 'settype' definition for firehol1 in config

To get the latest config during package update please use the opkg option "--force-maintainer".

Have fun!
Dirk

Thank you for adding this! I rebuilt my firmware last night with the updated package so busy running with it, and will look more deeply into it after work.

Hi, this package is running great now. I updated to latest and it's all good, thanks.

I think version 0.6 might not be working as intended: sending traffic to private IP ranges passes through, as well as attempting to send traffic to what should be blocked IP addresses. (Easiest for myself was to tracepath/traceroute.)
I have checked that the IPs are listed in the ipsets. I have also tried with all of src, dst, src+dst, and a single interface, or multiple.

I did come across an issue which cropped up while using the UI and changing the selected blocklists. One of the blocklists in the config had ended up having "net_inet" as the ipset type, which prevented the affected list from being loaded. I can't find the cause after a bit of looking.

I know this is not the most useful feedback without further information, I'll take a deeper look once I am on leave.

I haven't tested IPv6 as I don't have an IPv6 connection.

And thanks!

Probably a Double-NAT situation where your private uplink subnet is in the whitelist IP-Set (that happens automatically!). If not, please provide more information to reproduce your issue.

That was a development leftover and has been fixed in 0.0.6. You need to update the config - to get the latest config during package update please use the opkg option "--force-maintainer".
