banIP support thread

remdale · August 4, 2019, 7:26am

Just installed banIP, but I get an error when trying to enable it. Also the interface looks broken. How can I fix that?

dibdot · August 4, 2019, 3:38pm

I don't know. Probably you are using an ancient firmware release from gl.inet!? Please provide the output of cat /etc/openwrt_release and the output of uclient-fetch.

jeff · August 4, 2019, 5:10pm

Try upgrading to the v3 firmware from GL.iNet ("testing") -- based on the host name and 192.168.8.1

remdale · August 4, 2019, 5:34pm

DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='Chaos Calmer'
DISTRIB_REVISION='r47065'
DISTRIB_CODENAME='chaos_calmer'
DISTRIB_TARGET='ar71xx/generic'
DISTRIB_DESCRIPTION='OpenWrt Chaos Calmer 15.05'
DISTRIB_TAINTS='busybox'

Ah, it wasn't installed. Thanks. Now banIP is running, but the interface is still broken and the test IP (104.31.67.136
) from the blacklist can still be accessed. See the screenshot

I've tried, but it worked very slow. So I had to revert back to the latest non-testing version of v2.

dibdot · August 4, 2019, 7:04pm

The LuCI part of banIP is not compatible with Chaos Calmer based distributions, that's for sure. Regarding your blacklist problem. Did you refresh/reload the lists after adding this IP to your blacklist? Anyway, to debug any banIP problems, please enable debug in banIP and send back the log of a full run (logread -e "banIP").

remdale · August 4, 2019, 8:12pm

Here's the log

Mon Aug  5 00:10:27 2019 daemon.err banip.sh[14582]: Try `iptables -h' or 'iptables --help' for more information.
Mon Aug  5 00:10:27 2019 daemon.err banip.sh[14582]: iptables v1.4.21: unknown option "/usr/sbin/iptables"
Mon Aug  5 00:10:27 2019 daemon.err banip.sh[14582]: Try `iptables -h' or 'iptables --help' for more information.
Mon Aug  5 00:10:27 2019 daemon.err banip.sh[14582]: iptables v1.4.21: unknown option "/usr/sbin/iptables"
Mon Aug  5 00:10:27 2019 daemon.err banip.sh[14582]: Try `iptables -h' or 'iptables --help' for more information.
Mon Aug  5 00:10:27 2019 daemon.err banip.sh[14582]: ipset v6.24: Error in line 1: Syntax error: cannot parse 21:14:07: resolving to IPv6 address failed
Mon Aug  5 00:10:27 2019 daemon.err banip.sh[14582]: iptables v1.4.21: unknown option "/usr/sbin/iptables"
Mon Aug  5 00:10:27 2019 daemon.err banip.sh[14582]: Try `iptables -h' or 'iptables --help' for more information.
Mon Aug  5 00:10:28 2019 daemon.err banip.sh[14582]: iptables v1.4.21: unknown option "/usr/sbin/iptables"
Mon Aug  5 00:10:28 2019 daemon.err banip.sh[14582]: Try `iptables -h' or 'iptables --help' for more information.
Mon Aug  5 00:10:28 2019 daemon.err banip.sh[14582]: iptables v1.4.21: unknown option "/usr/sbin/iptables"
Mon Aug  5 00:10:28 2019 daemon.err banip.sh[14582]: Try `iptables -h' or 'iptables --help' for more information.
Mon Aug  5 00:10:28 2019 daemon.err banip.sh[14582]: iptables v1.4.21: unknown option "/usr/sbin/iptables"
Mon Aug  5 00:10:28 2019 daemon.err banip.sh[14582]: Try `iptables -h' or 'iptables --help' for more information.
Mon Aug  5 00:10:28 2019 daemon.err banip.sh[14582]: iptables v1.4.21: unknown option "/usr/sbin/iptables"
Mon Aug  5 00:10:28 2019 daemon.err banip.sh[14582]: Try `iptables -h' or 'iptables --help' for more information.
Mon Aug  5 00:10:28 2019 daemon.err banip.sh[14582]: iptables v1.4.21: unknown option "/usr/sbin/iptables"
Mon Aug  5 00:10:28 2019 daemon.err banip.sh[14582]: Try `iptables -h' or 'iptables --help' for more information.
Mon Aug  5 00:10:29 2019 daemon.err banip.sh[14582]: iptables v1.4.21: unknown option "/usr/sbin/iptables"
Mon Aug  5 00:10:29 2019 daemon.err banip.sh[14582]: Try `iptables -h' or 'iptables --help' for more information.
Mon Aug  5 00:10:29 2019 daemon.err banip.sh[14582]: iptables v1.4.21: unknown option "/usr/sbin/iptables"
Mon Aug  5 00:10:29 2019 daemon.err banip.sh[14582]: Try `iptables -h' or 'iptables --help' for more information.
Mon Aug  5 00:10:29 2019 daemon.err banip.sh[14582]: iptables v1.4.21: unknown option "/usr/sbin/iptables"
Mon Aug  5 00:10:29 2019 daemon.err banip.sh[14582]: Try `iptables -h' or 'iptables --help' for more information.
Mon Aug  5 00:10:29 2019 daemon.err banip.sh[14582]: iptables v1.4.21: unknown option "/usr/sbin/iptables"
Mon Aug  5 00:10:29 2019 daemon.err banip.sh[14582]: Try `iptables -h' or 'iptables --help' for more information.
Mon Aug  5 00:10:29 2019 daemon.err banip.sh[14582]: iptables v1.4.21: unknown option "/usr/sbin/iptables"
Mon Aug  5 00:10:29 2019 daemon.err banip.sh[14582]: Try `iptables -h' or 'iptables --help' for more information.
Mon Aug  5 00:10:29 2019 daemon.err banip.sh[14582]: iptables v1.4.21: unknown option "/usr/sbin/iptables"
Mon Aug  5 00:10:29 2019 daemon.err banip.sh[14582]: Try `iptables -h' or 'iptables --help' for more information.
Mon Aug  5 00:10:29 2019 daemon.err banip.sh[14582]: ip6tables v1.4.21: unknown option "/usr/sbin/ip6tables"
Mon Aug  5 00:10:29 2019 daemon.err banip.sh[14582]: Try `ip6tables -h' or 'ip6tables --help' for more information.
Mon Aug  5 00:10:29 2019 daemon.err banip.sh[14582]: ip6tables v1.4.21: unknown option "/usr/sbin/ip6tables"
Mon Aug  5 00:10:29 2019 daemon.err banip.sh[14582]: Try `ip6tables -h' or 'ip6tables --help' for more information.
Mon Aug  5 00:10:29 2019 daemon.err banip.sh[14582]: iptables v1.4.21: unknown option "/usr/sbin/iptables"
Mon Aug  5 00:10:29 2019 daemon.err banip.sh[14582]: Try `iptables -h' or 'iptables --help' for more information.
Mon Aug  5 00:10:29 2019 daemon.err banip.sh[14582]: ip6tables v1.4.21: unknown option "/usr/sbin/ip6tables"
Mon Aug  5 00:10:29 2019 daemon.err banip.sh[14582]: Try `ip6tables -h' or 'ip6tables --help' for more information.
Mon Aug  5 00:10:29 2019 daemon.err banip.sh[14582]: iptables v1.4.21: unknown option "/usr/sbin/iptables"
Mon Aug  5 00:10:29 2019 daemon.err banip.sh[14582]: Try `iptables -h' or 'iptables --help' for more information.
Mon Aug  5 00:10:30 2019 daemon.err banip.sh[14582]: ip6tables v1.4.21: unknown option "/usr/sbin/ip6tables"
Mon Aug  5 00:10:30 2019 daemon.err banip.sh[14582]: Try `ip6tables -h' or 'ip6tables --help' for more information.
Mon Aug  5 00:10:30 2019 daemon.err banip.sh[14582]: iptables v1.4.21: unknown option "/usr/sbin/iptables"
Mon Aug  5 00:10:30 2019 daemon.err banip.sh[14582]: Try `iptables -h' or 'iptables --help' for more information.
Mon Aug  5 00:10:30 2019 daemon.err banip.sh[14582]: ip6tables v1.4.21: unknown option "/usr/sbin/ip6tables"
Mon Aug  5 00:10:30 2019 daemon.err banip.sh[14582]: Try `ip6tables -h' or 'ip6tables --help' for more information.
Mon Aug  5 00:10:30 2019 daemon.err banip.sh[14582]: iptables v1.4.21: unknown option "/usr/sbin/iptables"
Mon Aug  5 00:10:30 2019 daemon.err banip.sh[14582]: Try `iptables -h' or 'iptables --help' for more information.
Mon Aug  5 00:10:30 2019 daemon.err banip.sh[14582]: ip6tables v1.4.21: unknown option "/usr/sbin/ip6tables"
Mon Aug  5 00:10:30 2019 daemon.err banip.sh[14582]: Try `ip6tables -h' or 'ip6tables --help' for more information.
Mon Aug  5 00:10:30 2019 daemon.err banip.sh[14582]: iptables v1.4.21: unknown option "/usr/sbin/iptables"
Mon Aug  5 00:10:30 2019 daemon.err banip.sh[14582]: Try `iptables -h' or 'iptables --help' for more information.
Mon Aug  5 00:10:30 2019 daemon.err banip.sh[14582]: ip6tables v1.4.21: unknown option "/usr/sbin/ip6tables"
Mon Aug  5 00:10:30 2019 daemon.err banip.sh[14582]: Try `ip6tables -h' or 'ip6tables --help' for more information.
Mon Aug  5 00:10:30 2019 daemon.err banip.sh[14582]: iptables v1.4.21: unknown option "/usr/sbin/iptables"
Mon Aug  5 00:10:30 2019 daemon.err banip.sh[14582]: Try `iptables -h' or 'iptables --help' for more information.
Mon Aug  5 00:10:30 2019 daemon.err banip.sh[14582]: ip6tables v1.4.21: unknown option "/usr/sbin/ip6tables"
Mon Aug  5 00:10:30 2019 daemon.err banip.sh[14582]: Try `ip6tables -h' or 'ip6tables --help' for more information.
Mon Aug  5 00:10:30 2019 daemon.err banip.sh[14582]: iptables v1.4.21: unknown option "/usr/sbin/iptables"
Mon Aug  5 00:10:30 2019 daemon.err banip.sh[14582]: Try `iptables -h' or 'iptables --help' for more information.
Mon Aug  5 00:10:31 2019 daemon.err banip.sh[14582]: ip6tables v1.4.21: unknown option "/usr/sbin/ip6tables"
Mon Aug  5 00:10:31 2019 daemon.err banip.sh[14582]: Try `ip6tables -h' or 'ip6tables --help' for more information.
Mon Aug  5 00:10:31 2019 daemon.err banip.sh[14582]: ip6tables v1.4.21: unknown option "/usr/sbin/ip6tables"
Mon Aug  5 00:10:31 2019 daemon.err banip.sh[14582]: Try `ip6tables -h' or 'ip6tables --help' for more information.
Mon Aug  5 00:10:31 2019 daemon.err banip.sh[14582]: iptables v1.4.21: unknown option "/usr/sbin/iptables"
Mon Aug  5 00:10:31 2019 daemon.err banip.sh[14582]: Try `iptables -h' or 'iptables --help' for more information.
Mon Aug  5 00:10:31 2019 daemon.err banip.sh[14582]: ip6tables v1.4.21: unknown option "/usr/sbin/ip6tables"
Mon Aug  5 00:10:31 2019 daemon.err banip.sh[14582]: Try `ip6tables -h' or 'ip6tables --help' for more information.
Mon Aug  5 00:10:31 2019 daemon.err banip.sh[14582]: iptables v1.4.21: unknown option "/usr/sbin/iptables"
Mon Aug  5 00:10:31 2019 daemon.err banip.sh[14582]: Try `iptables -h' or 'iptables --help' for more information.
Mon Aug  5 00:10:31 2019 daemon.err banip.sh[14582]: ip6tables v1.4.21: unknown option "/usr/sbin/ip6tables"
Mon Aug  5 00:10:31 2019 daemon.err banip.sh[14582]: Try `ip6tables -h' or 'ip6tables --help' for more information.
Mon Aug  5 00:10:31 2019 daemon.err banip.sh[14582]: iptables v1.4.21: unknown option "/usr/sbin/iptables"
Mon Aug  5 00:10:31 2019 daemon.err banip.sh[14582]: Try `iptables -h' or 'iptables --help' for more information.
Mon Aug  5 00:10:31 2019 daemon.err banip.sh[14582]: iptables v1.4.21: unknown option "/usr/sbin/iptables"
Mon Aug  5 00:10:31 2019 daemon.err banip.sh[14582]: Try `iptables -h' or 'iptables --help' for more information.
Mon Aug  5 00:10:31 2019 daemon.err banip.sh[14582]: iptables v1.4.21: unknown option "/usr/sbin/iptables"
Mon Aug  5 00:10:31 2019 daemon.err banip.sh[14582]: Try `iptables -h' or 'iptables --help' for more information.

thencein · August 5, 2019, 7:24pm

Just recently discovered this package and I've got it set up just fine, it just works! Very pleased with it and I really like the number of sources we can select from.

I might have missed this but do the source lists auto-update? Or is that something I have to do (and could possibly therefore automate using a cron job)?

dibdot · August 7, 2019, 7:09am

Then banIP is not compatible with your ancient firmware release - I can't help. In master iptables is v1.8.3 and ipset is v7.3.

dibdot · August 7, 2019, 7:11am

Please define a simple cron job for this, you'll find an example in the online readme (see first post).

thencein · August 7, 2019, 6:16pm

Perfect, thank you!

eggplanter · August 18, 2019, 11:24am

Hi dibdot, great app as always!

Quick question regarding country blocking:
If I only want to allow remote access from my country, would you advise to block all other countries?
Would this have a negative impact on my internet performance somehow?

My plan is to add all countries of this list, excluding my own country:

If a feature request is allowed: A country whitelisting option would be awesome!

dibdot · August 19, 2019, 1:39pm

If you ask me I would clearly say "No"!
IMHO the automatic blacklist of actual break-in attempts is much more useful ... even if they come from my own country.

Sounds doable, I'll put it on my todo list.

eggplanter · August 25, 2019, 7:17am

Hi dibdot, what exactly do you mean with the "automatic blacklist of actual break-in attempts"? Probably the other blocklists (firehol1, firehol2, etc.)?

I would feel really secure with this setup, I guess:

Whitelisting only the countries from which I access my WAN interface (Guess this blocks many potential attempts)
Adding Firehol1 and Firehol2 with a cronjob to update each 24 hours
Using custom ports for services, for which I configured Port Forwarding

There was a time when I did not do this. Oh boy, that was a bad time.
So thumbs up to BanIP, it's an awesome little tool for securing my network.

dibdot · August 25, 2019, 12:39pm

With every run banIP scans the log buffer for unsuccessful ssh login attempts and add those ips to your local blacklist.

Koldur · August 26, 2019, 12:15pm

When someone does more than 4 unsuccessful attempts, it doesn't block that IP immediately on my side, it does block it after I restart banip (through "service banip restart"). Is that as expected? I know that Arokh used a fail2ban script waaaaay back and that blocked the IP right after the last incorrect attempt. Hence my question.

I tested this with my mobile phone.

dibdot · August 26, 2019, 12:37pm

banIP runs via cron (no daemon), when it runs it inspects the log for ssh brute force attacks and blocks via ipset.

shm0 · August 26, 2019, 4:16pm

Maybe it would be better then to a have extra argument for banip like fail2ban:
/etc/init.d banip fail2ban - Updates Fail2Ban entries.
So it is possible to update the fail2ban entries without updating the block lists?
Or is possible already? with reload?

dibdot · August 26, 2019, 6:07pm

At this stage it isn't that flexible ... I'll put it on the todo list as well, it's always a pleasure to have a big backlog ...

Strykar · August 28, 2019, 6:50pm

I've installed banip as a fail2ban replacement but it appears to have many more features.
How do I setup the ban_autoblacklist option? The docs make mention of it, but I couldn't find more information on enabling/configuring it?

dibdot · August 29, 2019, 12:55pm

No setup, it's always active/enabled.
Of course, you could fine tune this option, e.g. if auto addons will be saved permanently (which is the default) or only temporary in the current ipset.