banIP support thread

Use vanilla OpenWrt and dump Turris OS - IMHO it's heavily outdated (there is still no testing branch with a working 23.05 code base available) ... banIP 0.7.x has never been tested with Turris OS and most probably not working and it's no longer supported at least by me.

Enable LAN-Forward logging and check the firewall log to find the culprit.

Sure, just did and also unchecked all the feeds. Will circle back if I see anything.

Thanks for the feedback and pointers. It seems I need to get out of the Turris OS bubble I guess... I like the stability they provide (and the rollback feature) but it is a few (!) versions and kernels behind.

Enabled banIP debug logging but nothing pops up regarding the log monitor.

I'll give it another shot once I manage to upgrade my Omnia to a more recent version of OpenWRT/banIP.

It turned out it is not banIP. I turned it off and ran into the same issues...

Do I need to enable ban_loginput, ban_logforwardwan, ban_logforwardlan for ban_logterm to work? Thanks.

No, that's unrelated.

Hi guys.

I am using banIP to basically block all incoming connections from all countries except mine and also use some feeds as extra protection.
My config is this:

config banip 'global'
        option ban_enabled '1'
        option ban_debug '0'
        option ban_autodetect '1'
        list ban_logterm 'Exit before auth from'
        list ban_logterm 'luci: failed login'
        list ban_logterm 'error: maximum authentication attempts exceeded'
        list ban_logterm 'sshd.*Connection closed by.*\[preauth\]'
        list ban_logterm 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress='
        list ban_logterm 'received a suspicious remote IP '\''.*'\'''
        option ban_deduplicate '1'
        option ban_loginput '1'
        option ban_logforwardwan '1'
        option ban_logforwardlan '0'
        option ban_autoallowlist '1'
        option ban_autoblocklist '1'
        option ban_allowlistonly '0'
        option ban_fetchretry '5'
        option ban_fetchcmd 'uclient-fetch'
        option ban_protov4 '1'
        list ban_ifv4 'wan'
        list ban_dev 'eth0'
        list ban_trigger 'wan'
        option ban_blockpolicy 'input'
        list ban_blockinput 'country'
        list ban_blockinput 'darklist'
        list ban_blockinput 'debl'
        list ban_blockinput 'drop'
        list ban_blockinput 'feodo'
        list ban_blockinput 'firehol1'
        list ban_blockinput 'greensnow'
        list ban_blockinput 'iblockspy'
        list ban_blockinput 'myip'
        list ban_blockinput 'nixspam'
        list ban_blockinput 'proxy'
        list ban_blockinput 'sslbl'
        list ban_blockinput 'talos'
        list ban_blockinput 'threat'
        list ban_blockinput 'tor'
        list ban_blockinput 'uceprotect1'
        list ban_blockforwardwan 'country'
        list ban_blockforwardwan 'darklist'
        list ban_blockforwardwan 'debl'
        list ban_blockforwardwan 'drop'
        list ban_blockforwardwan 'feodo'
        list ban_blockforwardwan 'firehol1'
        list ban_blockforwardwan 'greensnow'
        list ban_blockforwardwan 'iblockspy'
        list ban_blockforwardwan 'myip'
        list ban_blockforwardwan 'nixspam'
        list ban_blockforwardwan 'sslbl'
        list ban_blockforwardwan 'talos'
        list ban_blockforwardwan 'threat'
        list ban_blockforwardwan 'tor'
        list ban_blockforwardwan 'uceprotect1'
        list ban_feed 'country'
        list ban_feed 'darklist'
        list ban_feed 'debl'
        list ban_feed 'drop'
        list ban_feed 'feodo'
        list ban_feed 'firehol1'
        list ban_feed 'greensnow'
        list ban_feed 'iblockspy'
        list ban_feed 'myip'
        list ban_feed 'nixspam'
        list ban_feed 'proxy'
        list ban_feed 'sslbl'
        list ban_feed 'talos'
        list ban_feed 'threat'
        list ban_feed 'tor'
        list ban_feed 'uceprotect1'
        list ban_country 'af'
        list ban_country 'ax'
        list ban_country 'al'
        list ban_country 'dz'
        list ban_country 'as'
        list ban_country 'ad'
        list ban_country 'ao'
        list ban_country 'ai'
        list ban_country 'aq'
        list ban_country 'ag'
        list ban_country 'ar'
        list ban_country 'am'
        list ban_country 'aw'
        list ban_country 'au'
        list ban_country 'az'
        list ban_country 'bs'
        list ban_country 'bh'
        list ban_country 'bd'
        list ban_country 'bb'
        list ban_country 'by'
        list ban_country 'be'
        list ban_country 'bz'
        list ban_country 'bj'
        list ban_country 'bm'
        list ban_country 'bt'
        list ban_country 'bo'
        list ban_country 'ba'
        list ban_country 'bw'
        list ban_country 'bv'
        list ban_country 'br'
        list ban_country 'io'
        list ban_country 'vg'
        list ban_country 'bn'
        list ban_country 'bg'
        list ban_country 'bf'
        list ban_country 'bi'
        list ban_country 'kh'
        list ban_country 'cm'
        list ban_country 'ca'
        list ban_country 'cv'
        list ban_country 'bq'
        list ban_country 'ky'
        list ban_country 'cf'
        list ban_country 'td'
        list ban_country 'cl'
        list ban_country 'cn'
        list ban_country 'cx'
        list ban_country 'cc'
        list ban_country 'co'
        list ban_country 'km'
        list ban_country 'cg'
        list ban_country 'cd'
        list ban_country 'ck'
        list ban_country 'cr'
        list ban_country 'ci'
        list ban_country 'hr'
        list ban_country 'cu'
        list ban_country 'cw'
        list ban_country 'cy'
        list ban_country 'cz'
        list ban_country 'dk'
        list ban_country 'dj'
        list ban_country 'dm'
        list ban_country 'do'
        list ban_country 'ec'
        list ban_country 'eg'
        list ban_country 'sv'
        list ban_country 'gq'
        list ban_country 'er'
        list ban_country 'ee'
        list ban_country 'sz'
        list ban_country 'et'
        list ban_country 'fk'
        list ban_country 'fo'
        list ban_country 'fj'
        list ban_country 'fi'
        list ban_country 'fr'
        list ban_country 'gf'
        list ban_country 'pf'
        list ban_country 'tf'
        list ban_country 'ga'
        list ban_country 'gm'
        list ban_country 'ge'
        list ban_country 'de'
        list ban_country 'gh'
        list ban_country 'gi'
        list ban_country 'gr'
        list ban_country 'gl'
        list ban_country 'gd'
        list ban_country 'gp'
        list ban_country 'gu'
        list ban_country 'gt'
        list ban_country 'gg'
        list ban_country 'gn'
        list ban_country 'gw'
        list ban_country 'gy'
        list ban_country 'ht'
        list ban_country 'hm'
        list ban_country 'hn'
        list ban_country 'hk'
        list ban_country 'hu'
        list ban_country 'is'
        list ban_country 'in'
        list ban_country 'id'
        list ban_country 'ir'
        list ban_country 'iq'
        list ban_country 'ie'
        list ban_country 'im'
        list ban_country 'il'
        list ban_country 'it'
        list ban_country 'jm'
        list ban_country 'jp'
        list ban_country 'je'
        list ban_country 'jo'
        list ban_country 'kz'
        list ban_country 'ke'
        list ban_country 'ki'
        list ban_country 'kw'
        list ban_country 'kg'
        list ban_country 'la'
        list ban_country 'lv'
        list ban_country 'lb'
        list ban_country 'ls'
        list ban_country 'lr'
        list ban_country 'ly'
        list ban_country 'li'
        list ban_country 'lt'
        list ban_country 'lu'
        list ban_country 'mo'
        list ban_country 'mg'
        list ban_country 'mw'
        list ban_country 'my'
        list ban_country 'mv'
        list ban_country 'ml'
        list ban_country 'mt'
        list ban_country 'mh'
        list ban_country 'mq'
        list ban_country 'mr'
        list ban_country 'mu'
        list ban_country 'yt'
        list ban_country 'mx'
        list ban_country 'fm'
        list ban_country 'md'
        list ban_country 'mc'
        list ban_country 'mn'
        list ban_country 'me'
        list ban_country 'ms'
        list ban_country 'ma'
        list ban_country 'mz'
        list ban_country 'mm'
        list ban_country 'na'
        list ban_country 'nr'
        list ban_country 'np'
        list ban_country 'nl'
        list ban_country 'nc'
        list ban_country 'nz'
        list ban_country 'ni'
        list ban_country 'ne'
        list ban_country 'ng'
        list ban_country 'nu'
        list ban_country 'nf'
        list ban_country 'mp'
        list ban_country 'kp'
        list ban_country 'mk'
        list ban_country 'no'
        list ban_country 'om'
        list ban_country 'pk'
        list ban_country 'pw'
        list ban_country 'ps'
        list ban_country 'pa'
        list ban_country 'pg'
        list ban_country 'py'
        list ban_country 'pe'
        list ban_country 'ph'
        list ban_country 'pn'
        list ban_country 'pl'
        list ban_country 'pt'
        list ban_country 'pr'
        list ban_country 'qa'
        list ban_country 're'
        list ban_country 'ro'
        list ban_country 'ru'
        list ban_country 'rw'
        list ban_country 'ws'
        list ban_country 'sm'
        list ban_country 'st'
        list ban_country 'sa'
        list ban_country 'sn'
        list ban_country 'rs'
        list ban_country 'sc'
        list ban_country 'sl'
        list ban_country 'sg'
        list ban_country 'sx'
        list ban_country 'sk'
        list ban_country 'si'
        list ban_country 'sb'
        list ban_country 'so'
        list ban_country 'za'
        list ban_country 'gs'
        list ban_country 'kr'
        list ban_country 'ss'
        list ban_country 'es'
        list ban_country 'lk'
        list ban_country 'bl'
        list ban_country 'sh'
        list ban_country 'kn'
        list ban_country 'lc'
        list ban_country 'mf'
        list ban_country 'pm'
        list ban_country 'vc'
        list ban_country 'sd'
        list ban_country 'sr'
        list ban_country 'sj'
        list ban_country 'se'
        list ban_country 'ch'
        list ban_country 'sy'
        list ban_country 'tw'
        list ban_country 'tj'
        list ban_country 'tz'
        list ban_country 'th'
        list ban_country 'tl'
        list ban_country 'tg'
        list ban_country 'tk'
        list ban_country 'to'
        list ban_country 'tt'
        list ban_country 'tn'
        list ban_country 'tr'
        list ban_country 'tm'
        list ban_country 'tc'
        list ban_country 'tv'
        list ban_country 'ug'
        list ban_country 'ua'
        list ban_country 'ae'
        list ban_country 'gb'
        list ban_country 'us'
        list ban_country 'uy'
        list ban_country 'um'
        list ban_country 'vi'
        list ban_country 'uz'
        list ban_country 'vu'
        list ban_country 'va'
        list ban_country 've'
        list ban_country 'vn'
        list ban_country 'wf'
        list ban_country 'eh'
        list ban_country 'ye'
        list ban_country 'zm'
        list ban_country 'zw'

I want to achieve also blocking some countries on the output, but it's not the same country list as the input.

Is this currently possible?
Haven't found anything in the GUI on how I can achieve this.

If I got it right, there should be something like:

list ban_country_input 'xx'
list ban_country_input ...

and

list ban_country_output 'xx'
list ban_country_output ...

then configure:

list ban_blockinput 'country_input'
list ban_blockforwardwan 'country_input'

and finally

list ban_blockforwardlan  'country_output'

What do you think about this idea?

@dibdot tailscale.com IP was added to the doh feed.

IP: 76.76.21.21

I can confirm there is no DNS server running on this IP and this is the IP of the Tailscale website.

Edit: OK, it seems that arashi.eu.org also uses this IP, which is somehow a DoH site/server.

Hi everyone,

In my OpenVPN server config file I have log /tmp/openvpn.log, sending all the OpenVPN-related log output to a file.
I can read the log without problems, separately from the default system logread command.

The problem is that, checking the OpenVPN log, some bots or whatever try to connect:

2024-02-23 21:23:50 TLS Error: could not determine wrapping from [AF_INET]XXX.XXX.XXX.XXX:34216
2024-02-24 07:35:53 TLS Error: could not determine wrapping from [AF_INET]XXX.XXX.XXX.XXX:52013
2024-02-24 10:42:20 TLS Error: could not determine wrapping from [AF_INET]XXX.XXX.XXX.XXX:44619

Can I add this to list ban_logterm pointing to my OpenVPN log file?
Will this change remove my current configuration?

My idea/goal is to make both work at the same time.

My config now looks like

root@ER605:/etc/config# cat banip

config banip 'global'
        option ban_enabled '1'
        option ban_debug '0'
        option ban_autodetect '1'
        list ban_logterm 'Exit before auth from'
        list ban_logterm 'luci: failed login'
        list ban_logterm 'error: maximum authentication attempts exceeded'
        list ban_logterm 'sshd.*Connection closed by.*\[preauth\]'
        list ban_logterm 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress='
        list ban_logterm 'received a suspicious remote IP '\''.*'\'''
        option ban_fetchcmd 'curl'
        option ban_protov4 '1'
        list ban_ifv4 'Internet'
        list ban_dev 'pppoe-Internet'
        option ban_deduplicate '1'
        option ban_loginput '1'
        option ban_logforwardwan '1'
        option ban_logforwardlan '0'
        list ban_country 'by'
        list ban_country 'cn'
        list ban_country 'ir'
        list ban_country 'iq'
        list ban_country 'ru'
        list ban_country 'sg'
        option ban_autoallowlist '1'
        option ban_autoblocklist '1'
        option ban_allowlistonly '0'
        list ban_vlanallow 'br-lan'
        list ban_vlanallow 'br-lan.1'
        list ban_vlanallow 'br-lan.10'
        list ban_feed 'bruteforceblock'
        list ban_feed 'country'

Thanks for your time and help,

Nope.
Maybe it's much easier for you to use the "allowlist only" mode. Just put your country IP segments in the allowlist and you are done.

Please consult the readme. Bottom line, you have the following options:

  • use logread (the default)
    or
  • use one logfile (e.g. /var/log/messages as a central syslog file), set ban_logreadfile accordingly
    plus
  • remote logging
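To make the two posts above concrete (the OpenVPN "could not determine wrapping" lines and the answer that banIP reads either logread or one central logfile via ban_logreadfile), here is an added example that is not part of the thread and not banIP's own code. It replays a subset of the posted ban_logterm patterns, plus one hypothetical extra term for the OpenVPN lines, against constructed log lines and prints the IPv4 address each hit would contribute to the blocklist. It assumes banIP matches ban_logterm as extended regular expressions and takes the first IPv4 address on a matching line; check the banIP readme and source for your version before relying on that.

```shell
#!/bin/sh
# Added example, not banIP's own code. Replays candidate ban_logterm
# patterns against constructed log lines and prints the IPv4 address a
# log-monitor style matcher would extract from each matching line.
# Assumption: terms are extended regexes (grep -E) and the first IPv4 on
# the matching line is the offending source address.

# Terms from the posted config, plus one hypothetical term for the
# OpenVPN "could not determine wrapping" lines (the last entry).
LOGTERMS='Exit before auth from
luci: failed login
error: maximum authentication attempts exceeded
sshd.*Connection closed by.*\[preauth\]
TLS Error: could not determine wrapping from'

# Constructed sample log lines (RFC 5737 documentation addresses); on a
# router you would feed "logread" output or the file named in
# ban_logreadfile (e.g. /var/log/messages) into extract_ips instead.
SAMPLE_LOG='Fri Mar  1 05:10:33 2024 auth.info sshd[1234]: Connection closed by 198.51.100.7 port 51234 [preauth]
Fri Mar  1 05:11:02 2024 daemon.info dropbear[1240]: Exit before auth from <203.0.113.9:40022>: Exited normally
2024-02-23 21:23:50 TLS Error: could not determine wrapping from [AF_INET]192.0.2.44:34216
Fri Mar  1 05:12:00 2024 daemon.notice netifd: wan (1850): udhcpc: lease of 192.0.2.10 obtained'

# extract_ips: read log lines on stdin; for every line matching at least
# one term, print the first IPv4 address found on that line.
extract_ips() {
    while IFS= read -r line; do
        printf '%s\n' "$LOGTERMS" | while IFS= read -r term; do
            if printf '%s\n' "$line" | grep -qE "$term"; then
                printf '%s\n' "$line" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1
                break
            fi
        done
    done
}

# count_hits: how many addresses the constructed sample yields.
count_hits() {
    printf '%s\n' "$SAMPLE_LOG" | extract_ips | wc -l | tr -d ' '
}

# first_hit: the address extracted from the first matching sample line.
first_hit() {
    printf '%s\n' "$SAMPLE_LOG" | extract_ips | head -n 1
}

printf '%s\n' "$SAMPLE_LOG" | extract_ips
```

The benign netifd lease line matches no term and yields nothing, while the OpenVPN line only produces an address because of the added term; without it, OpenVPN noise in the log is ignored regardless of which log source banIP reads.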

Hi there,

The Emerging threat (threatv4) doesn't load anymore, although it's there https://rules.emergingthreats.net/fwrules/

Not reproducible:

Thu Feb 29 20:38:50 2024 user.debug banIP-0.9.3-5[26111]: f_down      ::: feed: threatv4, cnt_dl: 1059, cnt_set: 934, split_size: 0, time: 1, rc: 0, log: -

Hmmm... how come yours has 1K+ cnt_dl?

Mine has only this:

Fri Mar  1 05:10:33 2024 user.debug banIP-0.9.3-5[14055]: f_down      ::: feed: threatv4, cnt_dl: 95, cnt_set: 75, split_size: 4096, time: 4, rc: 0, log: -

Or the duplicates from other feeds have been removed already?