Nope, I doubt that ... seems to be wireless driver related.

After much too long a time I finally finished a new banIP version. That said, only the backend seems to be ready (it has been running for a week in my environment); the luci part is not ready yet.
Major changes:

release 0.7.0-pre0

    major rewrite
    add support for multiple chains
    add mac whitelisting
    add support for multiple ssh daemons in parallel
    add an ipset report engine
    add mail notifications
    add suspend/resume functions
    add a cron wrapper to set an ipset related auto-timer for automatic blocklist updates
    add a list wrapper to add/remove blocklist sources
    add 19.x and Turris OS 5.x compatibility code
    sources stored in an external compressed json file (/etc/banip/banip.sources.gz)
    change Country/ASN download sources (faster/more reliable)
    fix DHCPv6/icmpv6 issues

It's not a drop-in update! If you're willing to test this pre-release, please remove the old banIP version first (all components incl. config). After that, fetch the current update from my GitHub repo (it's a ready-to-run ipk package file), see here: https://github.com/dibdot/banip-prereleases.

Still major things are not available, e.g. documentation & luci parts are still missing. Please ask me to get things up & running.

It would be nice to get some feedback from adventurous testers ...:wink:

Thanks!


@dibdot I removed the previous version, incl config files.

Start/reload seems not to be working (I also rebooted the router). I enabled autostart.
Any thoughts?

root@ROUTER:~# /etc/init.d/banip status
::: banIP runtime information
  + status          : disabled
  + version         : 0.7.0-pre0
  + ipset_info      : -
  + active_sources  : firehol1
  + active_devs     : -
  + active_ifaces   : -
  + active_logterms : dropbear, sshd, luci
  + active_subnets  : -
  + run_infos       : settype: src+dst, backup_dir: /tmp/banIP-Backup, report_dir: /tmp/banIP-Report
  + run_flags       : protocols (4/6): 0/0, log (src/dst): 0/0, monitor: 0, mail: 0
  + last_run        : -
  + system          : Linksys WRT3200ACM, OpenWrt 19.07.6 r11278-8055e38794
root@ROUTER:~#

Don't know if it's related, but in luci the system log is broken after installing 0.7.0:
Unable to load log data: Executable not found

Did you enable banIP in the config? It's disabled by default.

Works for me, seems to be unrelated. Maybe you've removed the log daemon by accident!? Check if logread is still available and working.

Thanks for testing this early bird, BTW! :wink:

Think I removed it by accident, will repair it shortly.

Working :wink:

And for testing..
How do I add a country to the config file?
How do I add a multiple chain?

root@ROUTER:~# /etc/init.d/banip status
::: banIP runtime information
  + status          : enabled
  + version         : 0.7.0-pre0
  + ipset_info      : 3 IPSets with 2770 IPs/Prefixes
  + active_sources  : blacklist, whitelist
  + active_devs     : eth1.2
  + active_ifaces   : wan
  + active_logterms : dropbear, sshd, luci
  + active_subnets  : xx.xx.xx.xx/23
  + run_infos       : settype: src+dst, backup_dir: /tmp/banIP-Backup, report_dir: /tmp/banIP-Report
  + run_flags       : protocols (4/6): 1/0, log (src/dst): 0/0, monitor: 0, mail: 0
  + last_run        : refresh, 0m 2s, 511/292/281, 23.01.2021 15:38:41
  + system          : Linksys WRT3200ACM, OpenWrt 19.07.6 r11278-8055e38794
root@ROUTER:~#

Hi,
I've added a preliminary online readme to my github repo (README-pre-Parameters.md). Please check the 'config options' and 'examples' sections. Please also check CLI options if you call /etc/init.d/banip, e.g. the different list options to add sources, asns or countries.

Thx, I'll start reading today and let you know if anything breaks. (Or just works, of course :wink: )

Please use the next pre-release for further testing (uploaded to github a few minutes ago):

banip: release 0.7.0-pre1

    add support for compressed blocklists
    add two compressed iblock source variants
    small fixes
    readme update

Just installed the pre1 release;

  • When I visit http://government.ru/ (ru is added) it shows up in the report, but the website isn't blocked.
  • I added iblock_ads and iblock_spy. They are on the banip list, but not visible in banip status (active sources). Sorry, fixed after refresh. My mistake.
root@ROUTER:~# /etc/init.d/banip status
::: banIP runtime information
  + status          : enabled
  + version         : 0.7.0-pre1
  + ipset_info      : 9 IPSets with 99669 IPs/Prefixes
  + active_sources  : blacklist, country, doh, tor, voip, whitelist, yoyo
  + active_devs     : eth1.2
  + active_ifaces   : wan, wan6
  + active_logterms : dropbear, sshd, luci
  + active_subnets  : 82.xx.xx.xx/23
  + run_infos       : settype: src+dst, backup_dir: /tmp/banIP-Backup, report_dir: /tmp/banIP-Report
  + run_flags       : protocols (4/6): 1/0, log (src/dst): 0/0, monitor: 0, mail: 0
  + last_run        : reload, 0m 22s, 511/268/259, 24.01.2021 12:33:58
  + system          : Linksys WRT3200ACM, OpenWrt 19.07.6 r11278-8055e38794
root@ROUTER:~#

My config so far;

config banip 'global'
	option ban_enabled '1'
	option ban_mail_enabled '0'
	option ban_monitor_enabled '0'
	option ban_logsrc_enabled '0'
	option ban_logdst_enabled '0'
	option ban_autodetect '1'
	option ban_debug '1'
	option ban_maxqueue '4'
	option ban_nice '0' 
	option ban_countries 'ru gg io cn af bd br gb hk id il in iq ir kp kr pk pl ro sa th tr ua'
	list ban_sources 'firehol1 firehol2 country doh tor voip yoyo iblock_spy iblock_ads'
	option ban_proto4_enabled '1'
	list ban_ifaces 'wan wan6'
	option ban_fetchutil 'uclient-fetch'

banip list

root@ROUTER:~# /etc/init.d/banip list
::: Available banIP sources
:::
    Name                 Enabled   Focus                               Info URL
    ---------------------------------------------------------------------------
  + doh                  x         Public DoH-Provider                 https://github.com/dibdot/DoH-IP-blocklists
  + country              x         Country blocks                      https://www.ipdeny.com/ipblocks
  + asn                            ASN blocks                          https://asn.ipinfo.app
  + feodo                          Feodo Tracker                       https://feodotracker.abuse.ch
  + bogon                          Bogon prefixes                      https://team-cymru.com
  + tor                  x         Tor exit nodes                      https://www.torproject.org
  + myip                           Myip Live IP blacklist              https://myip.ms
  + debl                           Fail2ban IP blacklist               https://www.blocklist.de
  + threat                         Emerging Threats                    https://rules.emergingthreats.net
  + sslbl                          SSL botnet IP blacklist             https://sslbl.abuse.ch
  + yoyo                 x         Ad IP blacklistby                   https://pgl.yoyo.org/adservers/
  + dshield                        Dshield IP blocklist                https://www.dshield.org
  + proxy                          Firehol list of open proxies        https://iplists.firehol.org/?ipset=proxylists
  + drop                           Spamhaus drop compilation           https://www.spamhaus.org
  + edrop                          Spamhaus edrop compilation          https://www.spamhaus.org
  + firehol1             x         Firehol Level 1 compilation         https://iplists.firehol.org/?ipset=firehol_level1
  + firehol2             x         Firehol Level 2 compilation         https://iplists.firehol.org/?ipset=firehol_level2
  + firehol3                       Firehol Level 3 compilation         https://iplists.firehol.org/?ipset=firehol_level3
  + firehol4                       Firehol Level 4 compilation         https://iplists.firehol.org/?ipset=firehol_level4
  + voip                 x         VoIP fraud blocklist                http://www.voipbl.org/#
  + iblock_ads           x         Advertising blocklist               https://www.iblocklist.com
  + iblock_spy           x         Malicious spyware blocklist         https://www.iblocklist.com
    ---------------------------------------------------------------------------
  + Configured ASNs: -
  + Configured Countries: ru, gg, io, cn, af, bd, br, gb, hk, id, il, in, iq, ir, kp, kr, pk, pl, ro, sa, th, tr, ua
root@ROUTER:~#

banip report

root@ROUTER:~# /etc/init.d/banip report
:::
::: report on all banIP related IPSets
:::
  + Report timestamp           ::: 24.01.2021 12:37:57
  + Number of all IPSets       ::: 9
  + Number of all entries      ::: 99669
  + Number of IP entries       ::: 46380
  + Number of CIDR entries     ::: 53289
  + Number of MAC entries      ::: 0
  + Number of accessed entries ::: 8
:::
::: IPSet details
:::
    Name                 Type        Count      Cnt_IP    Cnt_CIDR  Cnt_MAC   Cnt_ACC   Entry details (Entry/Count)
    --------------------------------------------------------------------------------------------------------------------
    blacklist_4          src+dst     4          4         0         0         0
    --------------------------------------------------------------------------------------------------------------------
    whitelist_4          src+dst     2          0         2         0         0
    --------------------------------------------------------------------------------------------------------------------
    firehol1_4           src+dst     2761       403       2358      0         4
                                                                                        89.248.165.0/24          7
                                                                                        45.155.205.0/24          2
                                                                                        194.147.140.0/24         1
                                                                                        78.128.113.0/24          1
    --------------------------------------------------------------------------------------------------------------------
    firehol2_4           src+dst     24285      23990     295       0         1
                                                                                        167.99.66.2              1
    --------------------------------------------------------------------------------------------------------------------
    country_4            src+dst     50418      0         50418     0         3
                                                                                        194.26.25.0/24           1
                                                                                        222.176.0.0/12           1
                                                                                        45.93.200.0/22           1
    --------------------------------------------------------------------------------------------------------------------
    doh_4                src+dst     169        169       0         0         0
    --------------------------------------------------------------------------------------------------------------------
    tor_4                src+dst     1476       1476      0         0         0
    --------------------------------------------------------------------------------------------------------------------
    voip_4               src+dst     10082      9866      216       0         0
    --------------------------------------------------------------------------------------------------------------------
    yoyo_4               src+dst     10472      10472     0         0         0
    --------------------------------------------------------------------------------------------------------------------
root@ROUTER:~#

Wrong config. As stated in the readme, 'ban_sources' and 'ban_countries' are list options, e.g.:

[...]
	list ban_sources 'country'
	list ban_countries 'ru'
[...]

Just use the CLI wrapper /etc/init.d/banip list [...] for adding sources ...
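
The point of the reply above, as an added example that is not part of the original thread or of banIP itself: a shell/awk check that finds `ban_sources` / `ban_countries` entries holding several space-separated values in one string and prints the one-value-per-`list`-line form. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not banIP code): find ban_sources / ban_countries entries
# that pack several values into one string, and print the per-value form.

# The two keys the reply above names as list options.
LIST_KEYS="ban_sources ban_countries"

# lint_banip_config [FILE]
# Reads a UCI config from FILE (or stdin), reports every listed key that is
# written as "option", or as a "list" entry with more than one value, and
# prints the replacement lines. Exit status: 0 = clean, 1 = findings.
lint_banip_config() {
    awk -v keys="$LIST_KEYS" -v q="'" '
    BEGIN { n = split(keys, k, " "); for (i = 1; i <= n; i++) want[k[i]] = 1 }
    ($1 == "option" || $1 == "list") && ($2 in want) {
        # Drop the leading "kind key" and trailing blanks, keep the value.
        val = $0
        sub(/^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]*/, "", val)
        sub(/[ \t]+$/, "", val)
        # Strip one pair of matching single or double quotes.
        c = substr(val, 1, 1)
        if ((c == q || c == "\"") && length(val) > 1 && substr(val, length(val)) == c)
            val = substr(val, 2, length(val) - 2)
        m = split(val, items, " ")
        # A "list" line with exactly one value is the correct form.
        if (m == 0 || ($1 == "list" && m == 1)) next
        bad = 1
        printf "line %d: %s %s carries %d value(s); use one list entry per value:\n", NR, $1, $2, m
        for (j = 1; j <= m; j++) printf "\tlist %s %s%s%s\n", $2, q, items[j], q
    }
    END { exit (bad ? 1 : 0) }
    ' "$@"
}

# Constructed sample modelled on the config posted earlier in the thread.
sample_config() {
    printf "config banip 'global'\n"
    printf "\toption ban_enabled '1'\n"
    printf "\toption ban_countries 'ru gg io'\n"
    printf "\tlist ban_sources 'firehol1 country doh'\n"
    printf "\tlist ban_ifaces 'wan wan6'\n"
}

# Demo on the constructed sample.
sample_config | lint_banip_config || true
```

On the router, pass the path of the banIP config file as the argument instead of piping the sample in.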

Thanks @dibdot , misunderstood this. Will edit in a moment.

Removed config, and did everything through CLI as suggested.

Active_sources missing iblock_ads and iblock_spy

root@ROUTER:~# /etc/init.d/banip status
::: banIP runtime information
  + status          : enabled
  + version         : 0.7.0-pre1
  + ipset_info      : 8 IPSets with 56218 IPs/Prefixes
  + active_sources  : blacklist, country, doh, voip, whitelist, yoyo
  + active_devs     : eth1.2
  + active_ifaces   : wan, wan6
  + active_logterms : dropbear, sshd, luci
  + active_subnets  : 82.xx.xx.xx/23
  + run_infos       : settype: src+dst, backup_dir: /tmp/banIP-Backup, report_dir: /tmp/banIP-Report
  + run_flags       : protocols (4/6): 1/0, log (src/dst): 0/0, monitor: 0, mail: 0
  + last_run        : start, 0m 9s, 511/271/262, 24.01.2021 13:13:21
  + system          : Linksys WRT3200ACM, OpenWrt 19.07.6 r11278-8055e38794
root@ROUTER:~#

When I refresh

root@ROUTER:~# /etc/init.d/banip status
::: banIP runtime information
  + status          : running
  + version         : 0.7.0-pre1
  + ipset_info      : -
  + active_sources  : doh, yoyo, iblock_ads, voip, iblock_spy, firehol1, firehol2, country
  + active_devs     : -
  + active_ifaces   : wan, wan6
  + active_logterms : dropbear, sshd, luci
  + active_subnets  : -
  + run_infos       : settype: src+dst, backup_dir: /tmp/banIP-Backup, report_dir: /tmp/banIP-Report
  + run_flags       : protocols (4/6): 1/0, log (src/dst): 0/0, monitor: 0, mail: 0
  + last_run        : -
  + system          : Linksys WRT3200ACM, OpenWrt 19.07.6 r11278-8055e38794
root@ROUTER:~#

And after the refresh has finished, it looks like the first status again.

root@ROUTER:~# /etc/init.d/banip status
::: banIP runtime information
  + status          : enabled
  + version         : 0.7.0-pre1
  + ipset_info      : 8 IPSets with 56218 IPs/Prefixes
  + active_sources  : blacklist, country, doh, voip, whitelist, yoyo
  + active_devs     : eth1.2
  + active_ifaces   : wan, wan6
  + active_logterms : dropbear, sshd, luci
  + active_subnets  : 82.xx.xx.xx/23
  + run_infos       : settype: src+dst, backup_dir: /tmp/banIP-Backup, report_dir: /tmp/banIP-Report
  + run_flags       : protocols (4/6): 1/0, log (src/dst): 0/0, monitor: 0, mail: 0
  + last_run        : refresh, 0m 5s, 511/274/264, 24.01.2021 13:15:23
  + system          : Linksys WRT3200ACM, OpenWrt 19.07.6 r11278-8055e38794
root@ROUTER:~#

My config after using CLI

config banip 'global'
	option ban_enabled '1'
	option ban_mail_enabled '0'
	option ban_monitor_enabled '0'
	option ban_logsrc_enabled '0'
	option ban_logdst_enabled '0'
	option ban_autodetect '1'
	option ban_debug '1'
	option ban_maxqueue '4'
	option ban_nice '0'
	option ban_proto4_enabled '1'
	list ban_sources 'doh'
	list ban_sources 'yoyo'
	list ban_sources 'iblock_ads'
	list ban_sources 'voip'
	list ban_sources 'iblock_spy'
	list ban_sources 'firehol1'
	list ban_sources 'firehol2'
	list ban_sources 'country'
	list ban_ifaces 'wan wan6'
	option ban_fetchutil 'uclient-fetch'
	list ban_countries 'ru'
	list ban_countries 'gg'
	list ban_countries 'io'
	list ban_countries 'cn'
	list ban_countries 'af'
	list ban_countries 'bd'
	list ban_countries 'br'
	list ban_countries 'gb'
	list ban_countries 'hk'
	list ban_countries 'id'
	list ban_countries 'il'
	list ban_countries 'in'
	list ban_countries 'iq'
	list ban_countries 'ir'
	list ban_countries 'kp'
	list ban_countries 'kr'
	list ban_countries 'pk'
	list ban_countries 'pl'
	list ban_countries 'ro'
	list ban_countries 'sa'
	list ban_countries 'th'
	list ban_countries 'tr'
	list ban_countries 'ua'

I can still open an .ru website

/etc/init.d/banip report

root@ROUTER:~# /etc/init.d/banip report
:::
::: report on all banIP related IPSets
:::
  + Report timestamp           ::: 24.01.2021 13:20:30
  + Number of all IPSets       ::: 8
  + Number of all entries      ::: 56218
  + Number of IP entries       ::: 44904
  + Number of CIDR entries     ::: 11314
  + Number of MAC entries      ::: 0
  + Number of accessed entries ::: 14
:::
::: IPSet details
:::
    Name                 Type        Count      Cnt_IP    Cnt_CIDR  Cnt_MAC   Cnt_ACC   Entry details (Entry/Count)
    --------------------------------------------------------------------------------------------------------------------
    blacklist_4          src+dst     4          4         0         0         0
    --------------------------------------------------------------------------------------------------------------------
    whitelist_4          src+dst     2          0         2         0         0
    --------------------------------------------------------------------------------------------------------------------
    doh_4                src+dst     169        169       0         0         0
    --------------------------------------------------------------------------------------------------------------------
    yoyo_4               src+dst     10472      10472     0         0         0
    --------------------------------------------------------------------------------------------------------------------
    voip_4               src+dst     10082      9866      216       0         4
                                                                                        209.141.39.140           1
                                                                                        45.154.35.236            4
                                                                                        23.129.64.200/31         4
                                                                                        185.220.102.240/30       4
    --------------------------------------------------------------------------------------------------------------------
    firehol1_4           src+dst     2761       403       2358      0         9
                                                                                        94.232.46.0/24           1
                                                                                        45.146.165.0/24          1
                                                                                        92.63.197.0/24           1
                                                                                        78.128.113.0/24          5
                                                                                        45.155.205.0/24          4
                                                                                        89.248.165.0/24          14
                                                                                        193.27.229.0/24          1
                                                                                        94.102.51.0/24           1
                                                                                        194.147.140.0/24         4
    --------------------------------------------------------------------------------------------------------------------
    firehol2_4           src+dst     24285      23990     295       0         0
    --------------------------------------------------------------------------------------------------------------------
    country_4            src+dst     8443       0         8443      0         1
                                                                                        45.93.200.0/22           2
    --------------------------------------------------------------------------------------------------------------------
root@ROUTER:~#

By the way, the ru domain is just for testing banip, no rush :wink: It's fun to help where I can.

@dibdot, don't know why, but after a reboot of the router the country domains are working as they should.

Hi,
thanks - it might not be the best idea to include hyphens in the source names. I've re-uploaded pre1 without hyphens in the json source file, use the "--force-reinstall" opkg switch to apply this version again.

"Refresh" is a special/very fast mode, e.g. intended for a firewall restart to refresh your black/whitelist and apply all banIP related IPsets again. If you make any changes to the external sources, please always use a 'start', 'restart' or 'reload' action. Whenever you use the CLI for such changes, a 'start' action takes place automatically ... :wink:

Many thanks for your time!

root@ROUTER:~# /etc/init.d/banip list
::: Available banIP sources
:::
    Name                 Enabled   Focus                               Info URL
    ---------------------------------------------------------------------------
  + doh                  x         Public DoH-Provider                 https://github.com/dibdot/DoH-IP-blocklists
  + country              x         Country blocks                      https://www.ipdeny.com/ipblocks
  + asn                            ASN blocks                          https://asn.ipinfo.app
  + feodo                          Feodo Tracker                       https://feodotracker.abuse.ch
  + bogon                          Bogon prefixes                      https://team-cymru.com
  + tor                            Tor exit nodes                      https://www.torproject.org
  + myip                           Myip Live IP blacklist              https://myip.ms
  + debl                           Fail2ban IP blacklist               https://www.blocklist.de
  + threat                         Emerging Threats                    https://rules.emergingthreats.net
  + sslbl                          SSL botnet IP blacklist             https://sslbl.abuse.ch
  + yoyo                 x         Ad IP blacklistby                   https://pgl.yoyo.org/adservers/
  + dshield                        Dshield IP blocklist                https://www.dshield.org
  + proxy                          Firehol list of open proxies        https://iplists.firehol.org/?ipset=proxylists
  + drop                           Spamhaus drop compilation           https://www.spamhaus.org
  + edrop                          Spamhaus edrop compilation          https://www.spamhaus.org
  + firehol1             x         Firehol Level 1 compilation         https://iplists.firehol.org/?ipset=firehol_level1
  + firehol2             x         Firehol Level 2 compilation         https://iplists.firehol.org/?ipset=firehol_level2
  + firehol3                       Firehol Level 3 compilation         https://iplists.firehol.org/?ipset=firehol_level3
  + firehol4                       Firehol Level 4 compilation         https://iplists.firehol.org/?ipset=firehol_level4
  + voip                 x         VoIP fraud blocklist                http://www.voipbl.org/#
  + iblockads            x         Advertising blocklist               https://www.iblocklist.com
  + iblockspy            x         Malicious spyware blocklist         https://www.iblocklist.com
    ---------------------------------------------------------------------------
  + Configured ASNs: -
  + Configured Countries: ru, gg, io, cn, af, bd, br, gb, hk, id, il, in, iq, ir, kp, kr, pk, pl, ro, sa, th, tr, ua
    ---------------------------------------------------------------------------
    Sources without valid configuration
    ---------------------------------------------------------------------------
  - iblock_ads
  - iblock_spy
root@ROUTER:~# /etc/init.d/banip status
::: banIP runtime information
  + status          : enabled
  + version         : 0.7.0-pre1
  + ipset_info      : 10 IPSets with 105267 IPs/Prefixes
  + active_sources  : blacklist, country, doh, iblockads, iblockspy, voip, whitelist, yoyo
  + active_devs     : tun0
  + active_ifaces   : wan, vpnclient
  + active_logterms : dropbear, sshd, luci
  + active_subnets  : 82.xx.xx.xx/23
  + run_infos       : settype: src+dst, backup_dir: /tmp/banIP-Backup, report_dir: /tmp/banIP-Report
  + run_flags       : protocols (4/6): 1/0, log (src/dst): 0/0, monitor: 0, mail: 0
  + last_run        : start, 0m 10s, 511/266/257, 24.01.2021 17:39:38
  + system          : Linksys WRT3200ACM, OpenWrt 19.07.6 r11278-8055e38794
root@ROUTER:~#

banip 0.7.0-pre1 is working ok now for my active_ifaces wan and vpnclient.
It's not working for my guest network, but all traffic is going through wan and/or vpnclient at the end.
Can I add my guest network to banip in any way? I know it wasn't possible in the 0.3 version.

I thought the same, but as soon as banIP started, my wife's phone seems to deauthenticate. I'll try to give you more feedback related to this.

I've uploaded 0.7.0-pre2:

0.7.0-pre2

    add more compressed sources (nixspam and two uceprotect variants)
    fix/implement list housekeeping/removal, e.g. when you disable source lists
    re-order json source file in alphabetical order