banIP support thread

Use vanilla OpenWrt and dump Turris OS - IMHO it's heavily outdated (there is still no testing branch with a working 23.05 code base available) ... banIP 0.7.x has never been tested with Turris OS and most probably not working and it's no longer supported at least by me.

Enable LAN-Forward logging and check the firewall log to find the culprit.

Sure, just did and also unchecked all the feeds. Will circle back if I see anything.

Thanks for the feedback and pointers. It seems I need to get out of the Turris OS bubble I guess... I like the stability they provide (and the rollback feature) but it is a few (!) versions and kernels behind.

Enabled banIP debug logging but nothing pops up regarding the log monitor.

I'll give it another shot once I manage to upgrade my Omnia to a more recent version of OpenWRT/banIP.

It turned out it is not banIP. I turned it off and ran into the same issues...

Do I need to enable ban_loginput, ban_logforwardwan, ban_logforwardlan for ban_logterm to work? Thanks.

No, that's unrelated.

Hi guys.

I am using banIP to basically block all incoming connections from all countries except mine and also use some feeds as extra protection.
My config is this:

config banip 'global'
        option ban_enabled '1'
        option ban_debug '0'
        option ban_autodetect '1'
        list ban_logterm 'Exit before auth from'
        list ban_logterm 'luci: failed login'
        list ban_logterm 'error: maximum authentication attempts exceeded'
        list ban_logterm 'sshd.*Connection closed by.*\[preauth\]'
        list ban_logterm 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress='
        list ban_logterm 'received a suspicious remote IP '\''.*'\'''
        option ban_deduplicate '1'
        option ban_loginput '1'
        option ban_logforwardwan '1'
        option ban_logforwardlan '0'
        option ban_autoallowlist '1'
        option ban_autoblocklist '1'
        option ban_allowlistonly '0'
        option ban_fetchretry '5'
        option ban_fetchcmd 'uclient-fetch'
        option ban_protov4 '1'
        list ban_ifv4 'wan'
        list ban_dev 'eth0'
        list ban_trigger 'wan'
        option ban_blockpolicy 'input'
        list ban_blockinput 'country'
        list ban_blockinput 'darklist'
        list ban_blockinput 'debl'
        list ban_blockinput 'drop'
        list ban_blockinput 'feodo'
        list ban_blockinput 'firehol1'
        list ban_blockinput 'greensnow'
        list ban_blockinput 'iblockspy'
        list ban_blockinput 'myip'
        list ban_blockinput 'nixspam'
        list ban_blockinput 'proxy'
        list ban_blockinput 'sslbl'
        list ban_blockinput 'talos'
        list ban_blockinput 'threat'
        list ban_blockinput 'tor'
        list ban_blockinput 'uceprotect1'
        list ban_blockforwardwan 'country'
        list ban_blockforwardwan 'darklist'
        list ban_blockforwardwan 'debl'
        list ban_blockforwardwan 'drop'
        list ban_blockforwardwan 'feodo'
        list ban_blockforwardwan 'firehol1'
        list ban_blockforwardwan 'greensnow'
        list ban_blockforwardwan 'iblockspy'
        list ban_blockforwardwan 'myip'
        list ban_blockforwardwan 'nixspam'
        list ban_blockforwardwan 'sslbl'
        list ban_blockforwardwan 'talos'
        list ban_blockforwardwan 'threat'
        list ban_blockforwardwan 'tor'
        list ban_blockforwardwan 'uceprotect1'
        list ban_feed 'country'
        list ban_feed 'darklist'
        list ban_feed 'debl'
        list ban_feed 'drop'
        list ban_feed 'feodo'
        list ban_feed 'firehol1'
        list ban_feed 'greensnow'
        list ban_feed 'iblockspy'
        list ban_feed 'myip'
        list ban_feed 'nixspam'
        list ban_feed 'proxy'
        list ban_feed 'sslbl'
        list ban_feed 'talos'
        list ban_feed 'threat'
        list ban_feed 'tor'
        list ban_feed 'uceprotect1'
        list ban_country 'af'
        list ban_country 'ax'
        list ban_country 'al'
        list ban_country 'dz'
        list ban_country 'as'
        list ban_country 'ad'
        list ban_country 'ao'
        list ban_country 'ai'
        list ban_country 'aq'
        list ban_country 'ag'
        list ban_country 'ar'
        list ban_country 'am'
        list ban_country 'aw'
        list ban_country 'au'
        list ban_country 'az'
        list ban_country 'bs'
        list ban_country 'bh'
        list ban_country 'bd'
        list ban_country 'bb'
        list ban_country 'by'
        list ban_country 'be'
        list ban_country 'bz'
        list ban_country 'bj'
        list ban_country 'bm'
        list ban_country 'bt'
        list ban_country 'bo'
        list ban_country 'ba'
        list ban_country 'bw'
        list ban_country 'bv'
        list ban_country 'br'
        list ban_country 'io'
        list ban_country 'vg'
        list ban_country 'bn'
        list ban_country 'bg'
        list ban_country 'bf'
        list ban_country 'bi'
        list ban_country 'kh'
        list ban_country 'cm'
        list ban_country 'ca'
        list ban_country 'cv'
        list ban_country 'bq'
        list ban_country 'ky'
        list ban_country 'cf'
        list ban_country 'td'
        list ban_country 'cl'
        list ban_country 'cn'
        list ban_country 'cx'
        list ban_country 'cc'
        list ban_country 'co'
        list ban_country 'km'
        list ban_country 'cg'
        list ban_country 'cd'
        list ban_country 'ck'
        list ban_country 'cr'
        list ban_country 'ci'
        list ban_country 'hr'
        list ban_country 'cu'
        list ban_country 'cw'
        list ban_country 'cy'
        list ban_country 'cz'
        list ban_country 'dk'
        list ban_country 'dj'
        list ban_country 'dm'
        list ban_country 'do'
        list ban_country 'ec'
        list ban_country 'eg'
        list ban_country 'sv'
        list ban_country 'gq'
        list ban_country 'er'
        list ban_country 'ee'
        list ban_country 'sz'
        list ban_country 'et'
        list ban_country 'fk'
        list ban_country 'fo'
        list ban_country 'fj'
        list ban_country 'fi'
        list ban_country 'fr'
        list ban_country 'gf'
        list ban_country 'pf'
        list ban_country 'tf'
        list ban_country 'ga'
        list ban_country 'gm'
        list ban_country 'ge'
        list ban_country 'de'
        list ban_country 'gh'
        list ban_country 'gi'
        list ban_country 'gr'
        list ban_country 'gl'
        list ban_country 'gd'
        list ban_country 'gp'
        list ban_country 'gu'
        list ban_country 'gt'
        list ban_country 'gg'
        list ban_country 'gn'
        list ban_country 'gw'
        list ban_country 'gy'
        list ban_country 'ht'
        list ban_country 'hm'
        list ban_country 'hn'
        list ban_country 'hk'
        list ban_country 'hu'
        list ban_country 'is'
        list ban_country 'in'
        list ban_country 'id'
        list ban_country 'ir'
        list ban_country 'iq'
        list ban_country 'ie'
        list ban_country 'im'
        list ban_country 'il'
        list ban_country 'it'
        list ban_country 'jm'
        list ban_country 'jp'
        list ban_country 'je'
        list ban_country 'jo'
        list ban_country 'kz'
        list ban_country 'ke'
        list ban_country 'ki'
        list ban_country 'kw'
        list ban_country 'kg'
        list ban_country 'la'
        list ban_country 'lv'
        list ban_country 'lb'
        list ban_country 'ls'
        list ban_country 'lr'
        list ban_country 'ly'
        list ban_country 'li'
        list ban_country 'lt'
        list ban_country 'lu'
        list ban_country 'mo'
        list ban_country 'mg'
        list ban_country 'mw'
        list ban_country 'my'
        list ban_country 'mv'
        list ban_country 'ml'
        list ban_country 'mt'
        list ban_country 'mh'
        list ban_country 'mq'
        list ban_country 'mr'
        list ban_country 'mu'
        list ban_country 'yt'
        list ban_country 'mx'
        list ban_country 'fm'
        list ban_country 'md'
        list ban_country 'mc'
        list ban_country 'mn'
        list ban_country 'me'
        list ban_country 'ms'
        list ban_country 'ma'
        list ban_country 'mz'
        list ban_country 'mm'
        list ban_country 'na'
        list ban_country 'nr'
        list ban_country 'np'
        list ban_country 'nl'
        list ban_country 'nc'
        list ban_country 'nz'
        list ban_country 'ni'
        list ban_country 'ne'
        list ban_country 'ng'
        list ban_country 'nu'
        list ban_country 'nf'
        list ban_country 'mp'
        list ban_country 'kp'
        list ban_country 'mk'
        list ban_country 'no'
        list ban_country 'om'
        list ban_country 'pk'
        list ban_country 'pw'
        list ban_country 'ps'
        list ban_country 'pa'
        list ban_country 'pg'
        list ban_country 'py'
        list ban_country 'pe'
        list ban_country 'ph'
        list ban_country 'pn'
        list ban_country 'pl'
        list ban_country 'pt'
        list ban_country 'pr'
        list ban_country 'qa'
        list ban_country 're'
        list ban_country 'ro'
        list ban_country 'ru'
        list ban_country 'rw'
        list ban_country 'ws'
        list ban_country 'sm'
        list ban_country 'st'
        list ban_country 'sa'
        list ban_country 'sn'
        list ban_country 'rs'
        list ban_country 'sc'
        list ban_country 'sl'
        list ban_country 'sg'
        list ban_country 'sx'
        list ban_country 'sk'
        list ban_country 'si'
        list ban_country 'sb'
        list ban_country 'so'
        list ban_country 'za'
        list ban_country 'gs'
        list ban_country 'kr'
        list ban_country 'ss'
        list ban_country 'es'
        list ban_country 'lk'
        list ban_country 'bl'
        list ban_country 'sh'
        list ban_country 'kn'
        list ban_country 'lc'
        list ban_country 'mf'
        list ban_country 'pm'
        list ban_country 'vc'
        list ban_country 'sd'
        list ban_country 'sr'
        list ban_country 'sj'
        list ban_country 'se'
        list ban_country 'ch'
        list ban_country 'sy'
        list ban_country 'tw'
        list ban_country 'tj'
        list ban_country 'tz'
        list ban_country 'th'
        list ban_country 'tl'
        list ban_country 'tg'
        list ban_country 'tk'
        list ban_country 'to'
        list ban_country 'tt'
        list ban_country 'tn'
        list ban_country 'tr'
        list ban_country 'tm'
        list ban_country 'tc'
        list ban_country 'tv'
        list ban_country 'ug'
        list ban_country 'ua'
        list ban_country 'ae'
        list ban_country 'gb'
        list ban_country 'us'
        list ban_country 'uy'
        list ban_country 'um'
        list ban_country 'vi'
        list ban_country 'uz'
        list ban_country 'vu'
        list ban_country 'va'
        list ban_country 've'
        list ban_country 'vn'
        list ban_country 'wf'
        list ban_country 'eh'
        list ban_country 'ye'
        list ban_country 'zm'
        list ban_country 'zw'

I want to achieve also blocking some countries on the output, but it's not the same country list as the input.

Is this currently possible?
Haven't found anything in the GUI on how I can achieve this.

If I got it right there should be something like:

list ban_country_input 'xx'
list ban_country_input ...

and

list ban_country_output 'xx'
list ban_country_output ...

then configure:

list ban_blockinput 'country_input'
list ban_blockforwardwan 'country_input'

and finally

list ban_blockforwardlan 'country_output'

What do you think about this idea?

@dibdot tailscale.com IP was added to the doh feed.

IP: 76.76.21.21

I can confirm there is no DNS server running on this IP and this is the IP of the Tailscale website.

Edit: OK, it seems that arashi.eu.org is also using this IP, which is somehow a DoH site/server.

Hi everyone,

In my OpenVPN server config file I have log /tmp/openvpn.log, sending all the OpenVPN-related log output to a file.
I can read the log with no problems, separately from the default system logread command.

The problem is, checking the OpenVPN log, some bots or whatever try to connect:

2024-02-23 21:23:50 TLS Error: could not determine wrapping from [AF_INET]XXX.XXX.XXX.XXX:34216
2024-02-24 07:35:53 TLS Error: could not determine wrapping from [AF_INET]XXX.XXX.XXX.XXX:52013
2024-02-24 10:42:20 TLS Error: could not determine wrapping from [AF_INET]XXX.XXX.XXX.XXX:44619

Can I add this to list ban_logterm pointing to my OpenVPN log file?
Will this change remove my current configuration?

My idea/goal is to make it work both at same time.

My config now looks like

root@ER605:/etc/config# cat banip

config banip 'global'
        option ban_enabled '1'
        option ban_debug '0'
        option ban_autodetect '1'
        list ban_logterm 'Exit before auth from'
        list ban_logterm 'luci: failed login'
        list ban_logterm 'error: maximum authentication attempts exceeded'
        list ban_logterm 'sshd.*Connection closed by.*\[preauth\]'
        list ban_logterm 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress='
        list ban_logterm 'received a suspicious remote IP '\''.*'\'''
        option ban_fetchcmd 'curl'
        option ban_protov4 '1'
        list ban_ifv4 'Internet'
        list ban_dev 'pppoe-Internet'
        option ban_deduplicate '1'
        option ban_loginput '1'
        option ban_logforwardwan '1'
        option ban_logforwardlan '0'
        list ban_country 'by'
        list ban_country 'cn'
        list ban_country 'ir'
        list ban_country 'iq'
        list ban_country 'ru'
        list ban_country 'sg'
        option ban_autoallowlist '1'
        option ban_autoblocklist '1'
        option ban_allowlistonly '0'
        list ban_vlanallow 'br-lan'
        list ban_vlanallow 'br-lan.1'
        list ban_vlanallow 'br-lan.10'
        list ban_feed 'bruteforceblock'
        list ban_feed 'country'

Thanks for your time and help,

Nope.
Maybe it's much easier for you to use the "allowlist only" mode. Just put your country IP segments in the allowlist and you are done.

Please consult the readme. Bottom line, you have the following options:

  • use logread (the default)
    or
  • use one logfile (e.g. /var/log/messages as a central syslog file), set ban_logreadfile accordingly
    plus
  • remote logging

Hi there,

The Emerging Threats feed (threatv4) doesn't load anymore, although it's there: https://rules.emergingthreats.net/fwrules/

Not reproducible:

Thu Feb 29 20:38:50 2024 user.debug banIP-0.9.3-5[26111]: f_down      ::: feed: threatv4, cnt_dl: 1059, cnt_set: 934, split_size: 0, time: 1, rc: 0, log: -

Hmmm... how come yours has 1K+ cnt_dl?

Mine has only this:

Fri Mar  1 05:10:33 2024 user.debug banIP-0.9.3-5[14055]: f_down      ::: feed: threatv4, cnt_dl: 95, cnt_set: 75, split_size: 4096, time: 4, rc: 0, log: -

Or the duplicates from other feeds have been removed already?

Yep, that's the deduplication effect, e.g. if you process dshield and spamhaus drop before (which are included in the threats list as well) you'll get reduced counts:

Fri Mar  1 05:05:55 2024 user.debug banIP-0.9.3-5[14826]: f_etag      ::: feed: dshieldv4, suffix: -, http_code: 200, etag_id: 65e161fd-8c9, etag_rc: 0, rc: 2
Fri Mar  1 05:05:55 2024 user.debug banIP-0.9.3-5[14826]: f_backup    ::: feed: dropv4, file: banIP.dropv4.gz, rc: 0
Fri Mar  1 05:05:55 2024 user.debug banIP-0.9.3-5[14826]: f_down      ::: feed: dropv4, cnt_dl: 988, cnt_set: 876, split_size: 0, time: 1, rc: 0, log: -
Fri Mar  1 05:05:56 2024 user.debug banIP-0.9.3-5[14826]: f_backup    ::: feed: dshieldv4, file: banIP.dshieldv4.gz, rc: 0
Fri Mar  1 05:05:56 2024 user.debug banIP-0.9.3-5[14826]: f_down      ::: feed: dshieldv4, cnt_dl: 17, cnt_set: 14, split_size: 0, time: 2, rc: 0, log: -
Fri Mar  1 05:05:58 2024 user.debug banIP-0.9.3-5[14826]: f_etag      ::: feed: threatv4, suffix: -, http_code: 200, etag_id: 65e01659-48d4, etag_rc: 0, rc: 0
Fri Mar  1 05:05:58 2024 user.debug banIP-0.9.3-5[14826]: f_restore   ::: feed: threatv4, file: banIP.threatv4.gz, in_rc: 0, rc: 0
Fri Mar  1 05:05:58 2024 user.debug banIP-0.9.3-5[14826]: f_down      ::: feed: threatv4, cnt_dl: 56, cnt_set: 49, split_size: 0, time: 2, rc: 0, log: -

OK, thanks. I don't use dshield or spamhaus, but it's probably connected to my other enabled feeds. Thanks again.

just a short notice: in master is a new banIP release 0.9.4-1 with the following changes:

  • add support for destination port & protocol limitations for external feeds (see readme for details),
    useful for lan-forward ad- or DoH-blocking, e.g. only tcp ports 80 and 443
  • add turris sentinel blocklist feed
  • update readme

The reporting shows in a new column if port restrictions are enabled for a feed (enabled by default for all ad-related feeds and for the DoH feed), e.g.:


Wow! Great new feature! Looking forward to using it.

Thanks @dibdot!

Hi,
I've got a question about the banIP IPv6 auto blocklist.
For example I have: dropbear IPv6 attempt from 2001:470:1:332::8:32844 leading to the banIP entry: add IP '2001:470:1:332::8:3284'
Isn't the last part after the ':' the source port number, and it just gets truncated by one char? Maybe some regex issue.

And detailed from logread:

Sat Mar  2 07:32:56 2024 authpriv.info dropbear[20099]: Child connection from 2001:470:1:332::8:32844
Sat Mar  2 07:33:01 2024 authpriv.info dropbear[20099]: Exit before auth from <2001:470:1:332::8:32844>: Exited normally
Sat Mar  2 07:33:01 2024 user.info banIP-0.9.3-5[16307]: suspicious IP '2001:470:1:332::8:3284'
Sat Mar  2 07:33:01 2024 user.info banIP-0.9.3-5[16307]: add IP '2001:470:1:332::8:3284' (expiry: -) to blocklistv6 set
Sat Mar  2 07:33:01 2024 user.info banIP-0.9.3-5[16307]: add IP '2001:470:1:332::8:3284' to local blocklist

and in firewall nft list table inet banIP:

 set blocklistv6 {
                type ipv6_addr
                policy memory
                flags interval,timeout
                auto-merge
                elements = { 2001:470:1:332::2:2147,
                             ... (more similar)
                             2001:470:1:332::8:3284,
 

btw. it's interesting that there are active ipv6 bots/scanners.
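The two log-parsing questions in this thread (the OpenVPN "TLS Error ... from [AF_INET]addr:port" lines and the dropbear IPv6 "addr:port" truncation above) share one problem: an IPv6 address with a trailing port is ambiguous to a plain hex-group regex. The example below is added here and is not banIP's code; the naive pattern is a hypothetical one that only illustrates how the port digits can bleed into the address, and the OpenVPN line assumes those messages reach the log source banIP reads (logread or ban_logreadfile, as the answer above describes).

```python
import ipaddress
import re

# Constructed sample lines: the dropbear lines quoted in this thread plus an OpenVPN
# "TLS Error" line in the format the earlier post shows (documentation IP ranges).
SAMPLE_LINES = [
    "Sat Mar  2 07:32:56 2024 authpriv.info dropbear[20099]: Child connection from 2001:470:1:332::8:32844",
    "Sat Mar  2 07:33:01 2024 authpriv.info dropbear[20099]: Exit before auth from <2001:470:1:332::8:32844>: Exited normally",
    "Sat Mar  2 07:40:12 2024 authpriv.info dropbear[20150]: Exit before auth from <203.0.113.7:51022>: Exited normally",
    "2024-02-23 21:23:50 TLS Error: could not determine wrapping from [AF_INET]198.51.100.23:34216",
]

# Hypothetical naive extractor (NOT banIP's regex): an IPv6 pattern built from
# "up to 4 hex digits + colon" groups. A 5-digit port cannot be a hex group, so the
# last group swallows the first four port digits and the address comes out truncated.
NAIVE_V6 = re.compile(r"from <?((?:[0-9a-f]{0,4}:){2,7}[0-9a-f]{1,4})", re.I)

def naive_extract(line):
    """Return what the naive pattern grabs: for ...::8:32844 that is ...::8:3284."""
    m = NAIVE_V6.search(line)
    return m.group(1) if m else None

# Token after "from": optional "<", then everything up to ">", whitespace or a trailing ":".
TOKEN = re.compile(r"\bfrom <?([^\s<>]+?)>?(?=:?\s|$)")

def split_addr_port(line):
    """Return (address, port) or None.

    Both dropbear and OpenVPN log "addr:port" (OpenVPN prefixed with [AF_INET]/[AF_INET6]),
    so the field after the LAST colon is always the port, even for IPv6 where the
    compressed form gives no other way to tell "...::8:32844" from an address.
    The remainder is validated with ipaddress so garbage never reaches a blocklist."""
    m = TOKEN.search(line)
    if not m:
        return None
    token = re.sub(r"^\[AF_INET6?\]", "", m.group(1))
    addr, sep, port = token.rpartition(":")
    if not sep or not port.isdigit():
        return None
    try:
        return str(ipaddress.ip_address(addr.strip("[]"))), int(port)
    except ValueError:
        return None

def suspicious_ips(lines, terms):
    """Mimic the ban_logterm idea: source addresses of lines containing any configured term."""
    hits = []
    for line in lines:
        if any(term in line for term in terms):
            parsed = split_addr_port(line)
            if parsed and parsed[0] not in hits:
                hits.append(parsed[0])
    return hits

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(naive_extract(line), "->", split_addr_port(line))
    print(suspicious_ips(SAMPLE_LINES, ["Exit before auth from", "TLS Error: could not determine wrapping from"]))
```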