banIP support thread

Great work so far! I've been using adblock for a while now and this new banIP project seems promising as well.

@dibdot: Just something cosmetic, since you're also the maintainer of Adblock. Wouldn't it be nice to name this project IPblock instead? This way they use a similar naming standard.

1 Like

It wasn't Double-NAT, I think I found the issue though.
The banIP chain uses eth0.2 for the interface, my wan traffic goes over pppoe-wan, or similar, as with the vast majority of xDSL. So the only packets going over eth0.2 are pppoe encapsulated.

1 Like

The configuration issue arose as I (idiotically) either built the firmware with the old configuration, or restored it after building the firmware.

I'll have time this week to test more in depth/attempt fixing the issue I'm running into. Though, my shell script skill is somewhat sub-par compared to yours.

I did try using only the one upstream interface starting from a clean flash, but the banip chain still ends up with eth0.2 as the upstream instead of the pppoe connection. Manually setting it, or leaving it as autodetect has the same result.

I've found pppoe to be an issue with other packages before, such as BCP38, where the UI would not allow selecting a working config, but manual configuration with uci allowed setting a pppoe interface which worked.

1 Like

Hello,

From what I understand reading the thread, banIP can't run on OpenWrt 18.06 because of new features in LuCI. But can I install the GUI-less package only and use it from the command line?

I'm running OpenWrt 18.06 presently and I can't see the banIP ipk from the version repository. Can you confirm my understanding?

Thanks

1 Like

banIP is currently only in snapshot repo - just use the provided ipks (backend & frontend) even with 18.06.x. Should work ootb. :wink:

1 Like

With the great help of @phizev, banIP release 0.0.7 has been released. This version correctly determines L3 and L2 network devices to support pppoe interfaces, too.

Many thanks!

1 Like

Thank you for this nice package.
But I have some problems with it.

I have 2 wan interfaces.
One for IPv4 (wan) and one for IPv6 (wan6).
I disabled automatic wan interface selection and choose both interfaces (wan and wan6).
But then the automatic startup doesn't work.
Running banip manually through init.d works fine.
Both interface networks/IPs get correctly whitelisted.
However, to make the automatic startup work, I have to select only one interface.
But then, only one interface network/IP gets whitelisted.

Also, when the interface IPs change a lot, the whitelist file gets a bit spammy.
Maybe it's better to store them in a separate file and clear it on every startup?

Can you also implement a global whitelist mode (or more like an inverted mode) please?
For example, block everything and only allow certain ipsets?

Thank you very much.

2 Likes

Thanks for the report - I've fixed this in banIP 0.1.0 which is now in latest snapshot (Frontend & Backend).

@phizev
This version also includes the 'backup mode'. :wink:

Please use the fresh package config (the feodo URL has been changed) and reset your LuCI caches (rm -rf /tmp/luci-*) after updating the frontend part - thanks.

4 Likes

Unfortunately, I can only like a post once! Thanks muchly.

I've rebuilt my firmware with the new version, and it seems good thus far, I can't give it too much of a shake out right now. I'm hoping to get an IPv6 over IPv4 tunnel going in the next week or two in order to test IPv6, but it may take me longer to have any useful feedback given limited experience, and lack of native IPv6...

Thank you very much for your work! :smiley:

1 Like

First, many thanks @dibdot.
@phizev
You can try HE.net IPv6 tunneling, it's free and easy to set up until you get official IPv6 from your ISP etc.

1 Like

Hi, thanks for this great application. It's similar to the pfBlockerNG package for pfSense (but IP-based, not DNSBL, if I understood correctly). I am using WireGuard on my x64 OpenWrt machine. Do I have to use the WireGuard or the WLAN interface to get banIP working? How can I test if it's working? This is a lot easier to do with the adblock package. Is there an IP that is definitely blocked by banIP?
And just an idea: pfblockerng incorporates a special http page (just a black dot on white ground actually) to indicate a page was blocked by the package. Something similar would be useful for banip/adblock as well imho.

1 Like

Just start with the WAN autodetection (enabled by default).

Outgoing tests are quite simple ... e.g. block by country 'de' and try to reach 'www.heise.de'; the same applies to incoming tests. Please keep in mind that whitelist entries always "win", e.g. if you test in a double NAT environment.

Nope, adblock doesn't redirect to any pixel server.

1 Like

Is there a way to determine to which IP Block List source a specific IP belongs? I did not load all the IP Block Lists and I tried to be selective in order to save memory on my router. It seems that my sources selection is not enough as I still see hackers trying to scan my server. How can I find the best set of IP Block List sources for me?

Thanks

1 Like

Hi!

If I add to the blocklist the format from iblock list ips will banip understand it?
e.g. a description goes here:x.x.x.x-x.x.x.x

or I have to add it like this?
x.x.x.x-x.x.x.x

1 Like

Unfortunately, it's also too slow to bear with. I can get a VPS which is much closer to my location, and set up a VPN to that.

There is a tab "IPSet-Lookup" which will show you how many times a match has been made on an IP range. This is the closest you will get without manually checking the IP against blocklists. (As for stopping all scanning with blocklists, I don't think this is possible.)

If you have a look at the advanced configuration, you'll see snippets which are tailored to handling each blocklist. There is one for iblocklist, but not in the range format. The format which banip needs is x.x.x.x/xx, it uses IP ranges with CIDR notation. In my experience, P2P-type range notation (x.x.x.x-x.x.x.x) is awful to work with as that format is not accepted by iptables. Converting the range notation to CIDR notation is not straightforward.

2 Likes

I understand that I won't stop all scans with the blocklists, but I don't want to load all the blocklists in memory, only the optimal set.

Let's say that I want to find the minimal set of blocklists that will block the usual hackers that try to break into my network. The first day, I pick a few IP addresses and type them in a field and banIP tells me in which lists they appear. So I enable these blocklists. The following day, I get new IP addresses that haven't been blocked by the previous blocklists. I type them again in the field and banIP shows me the new blocklists where they appear. Etc. Doing that process a few days, I should be able to select a minimal set of blocklists tuned for my network, even if it does not block 100% of the attacks, it will be minimal in terms of memory usage.

I think it would be a useful feature for banIP. I'm not sure it can be done automatically, which is why the user has to input IP samples to block.

1 Like

There are online IP blacklist checkers which may help you, such as https://www.whatismyip.com/blacklist-check/ or many others available with a search.

Blocklists are not static: an IP range may only be on a blocklist for a very short period, and then off it again. Something like DShield may have the entire set of ranges change in an hour. Determining the optimal set of blocklists is best done by taking into account what the list aims to achieve.

Downloading a large number of lists to check for the presence of an IP will in itself use a lot of memory on a memory constrained device. I don't think the increase in the size of the package would be worth the functionality either. Automating such a check would defeat the point of using blocklists from the point of being a low overhead solution.

In short, I too would have thought such a feature to be very useful at one point, until I researched the topic further.

The vast majority of scans are automated, and if any attack is launched, it's very likely to be automated too. If you have something important to protect, or feel you are being heavily targeted, I highly recommend researching the topic of internet security.

1 Like

Thanks. Your link was helpful for tuning the blocklists selection.
Perhaps having such a link as a help tip for the IP Blocklist Sources section in banIP could be a start.

1 Like

Thank you @phizev, will have a look on how to do the conversion.

1 Like

I've previously used Perl, and Net::CIDR::Lite to handle aggregating both P2P-type, and cidr ranges together.

This is a script I used to use to generate IPSets from blocklists, mainly it's shell with Perl bits to handle the aggregation/conversion. I'd run this on a server, then fetch the result from my router periodically to update the IPSets. I doubted that I could add Perl to my firmware, and have it fit inside 8MB. I couldn't find a better/smaller way to achieve the conversion, and aggregation.

1 Like
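The range-to-CIDR conversion raised in the two replies above (iblocklist "description:x.x.x.x-x.x.x.x" P2P lines versus the x.x.x.x/xx notation banIP and iptables/ipset need), as an added example that is not part of this thread, of banIP, or of the Perl Net::CIDR::Lite script mentioned. The greedy split is the standard technique; the sample lines are constructed from documentation address ranges.

```python
import ipaddress
import re

# Constructed sample in the iblocklist "P2P" format (description:start-end);
# descriptions and addresses are made up, using documentation ranges.
SAMPLE_P2P = """\
# comment line, ignored
some bad host range:192.0.2.0-192.0.2.255
no neat block boundary:198.51.100.5-198.51.100.19
not a range line at all
203.0.113.128-203.0.113.255
203.0.113.0-203.0.113.127
"""

# Optional "description:" prefix (may itself contain colons), then start-end.
P2P_LINE = re.compile(r"^(?:(?P<desc>.*):)?(?P<start>\d+(?:\.\d+){3})-(?P<end>\d+(?:\.\d+){3})$")

def range_to_cidrs(start, end):
    """Greedy split of an inclusive IPv4 range into the fewest CIDR blocks: widen
    the block at `start` while it stays aligned to its size and ends by `end`."""
    start = int(ipaddress.IPv4Address(start))
    end = int(ipaddress.IPv4Address(end))
    if start > end:
        raise ValueError("range start is after its end")
    blocks = []
    while start <= end:
        prefix = 32
        while prefix > 0:
            size = 1 << (33 - prefix)  # size of the next wider block (prefix - 1)
            if start & (size - 1) or start + size - 1 > end:
                break
            prefix -= 1
        blocks.append(ipaddress.IPv4Network((start, prefix)))
        start += 1 << (32 - prefix)
    return blocks

def p2p_to_cidrs(text):
    """Parse P2P-format lines into a merged CIDR list (strings), the notation
    that iptables/ipset accept and that banIP expects."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = P2P_LINE.match(line)
        if not m:
            continue  # not a range line: skip rather than guess
        nets.extend(range_to_cidrs(m["start"], m["end"]))
    # merge adjacent and overlapping blocks so the resulting ipset stays small
    return [str(n) for n in ipaddress.collapse_addresses(nets)]
```

Feeding `p2p_to_cidrs(SAMPLE_P2P)` into a plain-text blocklist gives one CIDR entry per line, which is the form the advanced-configuration snippets for CIDR-based sources already handle.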