banIP support thread

30 minutes!? How many countries did you block!? :slight_smile: Maybe it's easier for you to use the undocumented 'ban_allowlistonly' mode, where only the connections defined in your allowlist are permitted.

1 Like

The country lists are actually still manageable.
Most of the time is spent on the firehol4 list, which only blocks incoming traffic.

To close everything would actually be a bit overkill :grin:
But thanks for the suggestion.

Thank you by the way for the great work you are doing here! :+1:

1 Like

@dibdot just want to inform you that the tor ban list doesn't work anymore, and it seems that the maintainer has stopped updating it, as stated on the home page https://fissionrelays.net/. It actually stopped working in the past 2 weeks.

1 Like

Here is a good replacement list:
https://www.dan.me.uk/torlist/?exit

The only downside is that it rate limits: you can only access the list once every 30 minutes.

There is also this list

http://rules.emergingthreats.net/blockrules/emerging-tor.rules

It only has IPv4 addresses, and special parsing handlers would be needed for this list.

another list:

https://check.torproject.org/exit-addresses

It only has IPv4 addresses, and you would need special parsing handlers for this list.

Here is the list I use; it is updated hourly:
https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst

(which is identical to the dan.me list)

1 Like

BanIP used the Dan.Me list before. What I did (back when Dan.Me was being used) was tweak it so that a cron job downloads the list once a day (somewhere it can survive a restart), and the BanIP source was mapped to process the downloaded file, so in case you had to restart the router or banip within 30 minutes or less, banip would still be able to process the file with no errors.

I use the GitHub list, which is identical to dan.me. The list's maintainer uses GitHub Actions to re-download the list once an hour. The benefit is you won't have to worry about the rate limit anymore.

1 Like
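As an added example (not banIP's own code, nor the list maintainers'), a small shell helper that parses the check.torproject.org exit-addresses format mentioned above into one IPv4 per line and, following the caching idea in the two posts above, only replaces the cached copy when the fresh download actually contained addresses. The exit-addresses lines, fingerprints and TEST-NET addresses below are a constructed sample, and the file paths are assumptions.

```shell
#!/bin/sh
# Added example, not banIP code: parse the exit-addresses format and keep
# the last good copy when a download is rate limited or otherwise empty.

# Constructed sample in the check.torproject.org exit-addresses format
# (fictional fingerprints, TEST-NET addresses), standing in for a download.
SAMPLE_EXITS='ExitNode 0123456789ABCDEF0123456789ABCDEF01234567
Published 2023-01-28 10:12:34
LastStatus 2023-01-28 11:00:00
ExitAddress 203.0.113.10 2023-01-28 11:05:00
ExitNode 89ABCDEF0123456789ABCDEF0123456789ABCDEF
Published 2023-01-28 09:00:00
LastStatus 2023-01-28 11:00:00
ExitAddress 198.51.100.20 2023-01-28 11:02:00
ExitAddress 203.0.113.10 2023-01-28 10:30:00'

# Keep only "ExitAddress <ipv4> ..." lines, validate the dotted quad
# (four numeric octets, each <= 255) and print every address once.
parse_tor_exits() {
    awk '$1 == "ExitAddress" {
        n = split($2, o, "."); ok = (n == 4)
        for (i = 1; i <= 4 && ok; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
        if (ok) print $2
    }' | sort -u
}

# $1 = freshly downloaded file, $2 = cached list path.
# The cache is replaced atomically and only when at least one address was
# parsed; a rate-limit or error page therefore leaves the old list intact.
install_tor_list() {
    tmp="$2.tmp.$$"
    parse_tor_exits < "$1" > "$tmp"
    if [ -s "$tmp" ]; then
        mv -f "$tmp" "$2"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

demo() {
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_EXITS" > "$dir/download"
    install_tor_list "$dir/download" "$dir/tor-exit.lst" && cat "$dir/tor-exit.lst"
    echo '<html>rate limited</html>' > "$dir/download"   # constructed failure page
    install_tor_list "$dir/download" "$dir/tor-exit.lst" || echo "kept previous list"
    rm -rf "$dir"
}
demo
```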

Is 128MB of RAM a viable option with these optimizations - and a small IP list?

Yes.. that should have enough memory for small IP sets.

1 Like

I agree with @AcidSlide, it should be enough to load a small IP list. But to fully enjoy BanIP, I encourage you to strive for more memory.

With my RAM and use of as many IP sets as I do, my memory shows only a very small portion being used. I think the biggest challenge occurs during the process of loading those entries into memory.

@AcidSlide @jumpsmm7 Thanks, I've added the tor github link/mirror to pre4.

1 Like

Just test it yourself ... :slight_smile:
I have no such device, the smallest of my routers has 256 MByte RAM - and banIP works on this device with a splitsize of '1000' and a limit on one cpu core.

2 Likes

Could someone show their banip config to give an idea?
Thanks

config banip 'global'
	option ban_enabled '1'                                             # enable the banIP service (disabled by default)
	option ban_debug '1'                                               # enable debug logging
	option ban_autodetect '1'                                          # enable banIPs autodetection for devices/interfaces/download utility
	option ban_autoblocklist '1'                                       # add suspicious IPs to blocklist as well
	option ban_autoallowlist '1'                                       # add uplink IPs to allowlist automatically
	option ban_nicelimit '0'                                           # ulimit: nice level of the banIP service
	option ban_filelimit '1024'                                        # ulimit: max open/number of files
	option ban_loglimit '100'                                          # scan only the last n lines of the logfile
	option ban_logcount '1'                                            # how many times the IP must appear to be considered suspicious
	option ban_logingress '1'                                          # log ingress drops
	option ban_logforward '0'                                          # do not log forward rejects
	option ban_protov4 '1'                                             # enable IPv4 support
	option ban_protov6 '0'                                             # enable IPv6 support
	list ban_logterm 'Exit before auth from'                           # regex for logfile parsing to detect suspicious IPs (dropbear)
	list ban_logterm 'luci: failed login'                              # regex for logfile parsing to detect suspicious IPs (luci)
	list ban_logterm 'error: maximum authentication attempts exceeded' # regex for logfile parsing to detect suspicious IPs (nginx)
	list ban_logterm 'sshd.*Connection closed by.*\[preauth\]'         # regex for logfile parsing to detect suspicious IPs (sshd)
	list ban_logterm '<sip:.*>'\'' failed for '\'''                    # regex for logfile parsing to detect suspicious IPs (asterisk)
	list ban_trigger 'wan'                                             # trigger interface
	list ban_trigger 'VPN'                                             # trigger interface
	list ban_ifv4 'wan'
	list ban_ifv4 'VPN'
#	option ban_deduplicate '1'                                         # deduplicate IP addresses across all active sets
#	option ban_splitsize '500'                                         # split ext. downloaded sets after every n lines/members (saves RAM => no atomic set load!)
#	option ban_cores '1'                                               # overwrite the cpu core autodetection
	option ban_nftexpiry '1h'                                          # expiry time for auto added blocklist members
	option ban_nftpriority '-300'                                      # nft table priority (default is raw table priority (before fw4!))
#	option ban_resolver 'localhost'                                    # default resolver for DNS lookups
#	option ban_triggerdelay '10'                                       # trigger timeout before banIP processing begins
	list ban_blockingress 'country'                                    # limit certain feeds to the incoming/ingress chain
	list ban_blockforward 'doh'                                        # limit certain feeds to the outgoing/forward chain
	list ban_feed 'adguard'                                            # various blocklist feeds
	list ban_feed 'asn'
	list ban_feed 'backscatterer'
	list ban_feed 'bogon'
	list ban_feed 'country'
	list ban_feed 'darklist'
	list ban_feed 'debl'
	list ban_feed 'doh'
	list ban_feed 'drop'
	list ban_feed 'dshield'
	list ban_feed 'edrop'
	list ban_feed 'energized'
	list ban_feed 'feodo'
	list ban_feed 'firehol1'
	list ban_feed 'firehol2'
	list ban_feed 'firehol3'
#	list ban_feed 'firehol4'
	list ban_feed 'greensnow'
	list ban_feed 'iblockads'
	list ban_feed 'iblockspy'
	list ban_feed 'myip'
	list ban_feed 'nixspam'
	list ban_feed 'oisdbasic'
	list ban_feed 'oisdnsfw'
	list ban_feed 'proxy'
	list ban_feed 'sslbl'
	list ban_feed 'talos'
	list ban_feed 'threat'
	list ban_feed 'threatview'
	list ban_feed 'tor'
	list ban_feed 'uceprotect1'
	list ban_feed 'uceprotect2'
	list ban_feed 'uceprotect3'
	list ban_feed 'urlhaus'
	list ban_feed 'urlvir'
	list ban_feed 'voip'
	list ban_feed 'yoyo'
	list ban_asn '32934'
	list ban_country 'ru'
	list ban_country 'cn'

/etc/init.d/banip "command"

Available commands:
        start           Start the service
        stop            Stop the service
        restart         Restart the service
        reload          Reload configuration files (or restart if service does not implement reload)
        enable          Enable service autostart
        disable         Disable service autostart
        enabled         Check if service is started on boot
        report          [<cli>|<mail>|<gen>|<json>] Print banIP related set statistics
        running         Check if service is running
        status          Service status
        trace           Start with syscall trace
        info            Dump procd service info

1 Like
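Added example, not banIP's own code: the kind of log scan the ban_logterm, ban_loglimit and ban_logcount options in the config above describe, run over constructed logread-style lines (TEST-NET addresses, fictional PIDs). The allowlist here is a space-separated stand-in for ban_allowlist entries, assumed for the example.

```shell
#!/bin/sh
# Added example, not banIP code: scan the last N log lines for the
# ban_logterm patterns, count hits per source IP, skip allowlisted sources.

# Constructed logread-style sample: two dropbear failures from 203.0.113.5,
# one LuCI failure from 198.51.100.7, one LAN disconnect, one unrelated line.
SAMPLE_LOG='Sat Jan 28 17:10:01 2023 authpriv.info dropbear[1201]: Child connection from 203.0.113.5:51234
Sat Jan 28 17:10:03 2023 authpriv.info dropbear[1201]: Exit before auth from <203.0.113.5:51234>: (user root, 3 fails)
Sat Jan 28 17:11:15 2023 daemon.err uhttpd[900]: luci: failed login on / for root from 198.51.100.7
Sat Jan 28 17:12:40 2023 authpriv.info dropbear[1210]: Exit before auth from <203.0.113.5:51300>: (user admin, 3 fails)
Sat Jan 28 17:13:00 2023 authpriv.info dropbear[1212]: Exit before auth from <192.168.1.20:40000>: Exited normally
Sat Jan 28 17:14:22 2023 daemon.info hostapd: wlan0: STA 00:11:22:33:44:55 associated'

# The ban_logterm regexes from the config above, joined into one alternation.
# "\\[" survives awk's -v escape processing as "\[" (a literal bracket).
LOGPATTERN='Exit before auth from|luci: failed login|error: maximum authentication attempts exceeded|sshd.*Connection closed by.*\\[preauth\\]'

# Stand-in for ban_allowlist: sources that must never be counted (assumed).
ALLOWLIST='192.168.1.20 192.168.1.1'

# $1 = log file, $2 = loglimit (scan only the last n lines),
# $3 = logcount (minimum hits). Prints "<hits> <ip>" per suspicious source.
scan_log() {
    tail -n "$2" "$1" | awk -v pat="$LOGPATTERN" -v min="$3" -v allow="$ALLOWLIST" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $0 ~ pat {
        # the first dotted quad on a matching line is taken as the source
        if (match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
            ip = substr($0, RSTART, RLENGTH)
            if (!(ip in ok)) hits[ip]++
        }
    }
    END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }' | sort -k2
}

demo() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$f"
    echo "loglimit=100 logcount=2:"; scan_log "$f" 100 2
    echo "loglimit=100 logcount=1:"; scan_log "$f" 100 1
    rm -f "$f"
}
demo
```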

Hi,
a few minutes ago I hopefully uploaded the last pre-release to my github account (pre4, see first post) with the following changes:

banIP_0.8.0pre4:

- replaced the ingress chain with the input chain (much more effective, with reduced system load),
  renamed the config options 'ban_blockingress' to 'ban_blockinput' and 'ban_logingress' to 'ban_loginput'
- added a set report engine, supported output formats: text, json and mail
- added a set search engine (search for single ipv4 or ipv6 addresses)
- optimized the download handler, only one file will be downloaded when both feed URLs are pointing to the same file
  (as with the new tor feed)
- replaced/updated the tor feed
- various optimizations & fixes

Signed-off-by: Dirk Brenken <dev@brenken.org>

A few screenshots from the latest pre-release (images not reproduced here): current status, report output, mail output, and the firewall overview (optimized input chain and forward chain).

Happy testing! :slight_smile:
Dirk

10 Likes

Hi,

I'm a complete newbie on banip, running OpenWrt 22.03.
I just uploaded and installed banIP_0.8.0pre4 and it's not doing anything;
I mean it's not reacting to any command on /etc/init.d/banip: status, start, stop, etc.
It's just giving back nothing.
I tried to execute /usr/bin/banip-service.sh directly, but it's also doing nothing.
The process is not running and there is no error at execution, but it's also not doing anything on any command.

Am I doing something wrong?

Did you edit config file?

Nope, as I said I'm a newbie. I have read through the original banip installation piece, but it doesn't say to edit the config file; it just says install and start it, it's all automatic.

Where is it? Under /etc somewhere, I guess?

2 Likes

Yes, you should edit /etc/config/banip

enabled = 1

then restart banip and

check banip status

1 Like

To be precise, the option is called ...

option ban_enabled '0' 

...and should be enabled with the value '1' ... :wink:

3 Likes

@MonsterVic

example of my config

config banip 'global'
	option ban_enabled '1'
	option ban_debug '1'
	option ban_autodetect '1'
	option ban_autoblocklist '1'
	option ban_autoallowlist '1'
	option ban_nicelimit '0'
	option ban_filelimit '1024'
	option ban_loglimit '100'
	option ban_logcount '1'
	option ban_loginput '1'
	option ban_logforward '0'
	option ban_protov4 '1'
	option ban_protov6 '1'
	list ban_logterm 'Exit before auth from'
	list ban_logterm 'luci: failed login'
	list ban_logterm 'error: maximum authentication attempts exceeded'
	list ban_logterm 'sshd.*Connection closed by.*\[preauth\]'
	list ban_logterm '<sip:.*>'\'' failed for '\'''
	option ban_deduplicate '1'
	list ban_trigger 'wan'
	list ban_trigger 'wan6'
	list ban_blockinput 'country'
	list ban_ifv4 'wan'
	list ban_ifv6 'wan6'
	list ban_dev 'wan'
	list ban_feed 'country'
	list ban_country 'fr'    # blocks the game server located in Paris, for example
	list ban_country 'gb'
	list ban_country 'lu'
	list ban_country 'it'
	list ban_country 'us'
	list ban_country 'es'
	option ban_fetchcmd 'uclient-fetch'


I would like to block all servers of a game and play only in Germany, but I don't know if banip can do it:

only authorise "de" for Deutschland
@dibdot

It seems to me that I once managed to do it in my game, but since the last release I don't know what happened if I want to play only in Germany.

::: banIP runtime information
  + status            : active
  + version           : 0.8.0pre4-1
  + element_count     : 35742
  + active_feeds      : allowlistvMAC, allowlistv4, allowlistv6, blocklistvMAC, blocklistv6, blocklistv4, countryv6, countryv4
  + active_devices    : wan
  + active_interfaces : wan, wan6

 banIP Set Statistics (28.01.2023 17:19:33)
:::
    Set                  | Set Elements  | Chain Input   | Chain Forward | Input Packets | Forward Packets
    ---------------------+---------------+---------------+---------------+---------------+----------------
    allowlistvMAC        | 0             | n/a           | OK            | n/a           | 0
    allowlistv4          | 1             | OK            | OK            | 6             | 0
    allowlistv6          | 1             | OK            | OK            | 0             | 0
    blocklistvMAC        | 0             | n/a           | OK            | n/a           | 0
    blocklistv6          | 0             | OK            | OK            | 0             | 0
    blocklistv4          | 0             | OK            | OK            | 0             | 0
    countryv6            | 13571         | OK            | n/a           | 0             | n/a
    countryv4            | 22169         | OK            | n/a           | 4             | n/a
    ---------------------+---------------+---------------+---------------+---------------+----------------
    8                    | 35742         | 6             | 6             | 10            | 0

1 Like