projects / feed / packages.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
banip: update 0.9.5-4
[feed/packages.git] / net / banip / files / README.md
1 <!-- markdownlint-disable -->
2
3 # banIP - ban incoming and outgoing IP addresses/subnets via Sets in nftables
4
5 ## Description
6 IP address blocking is commonly used to protect against brute force attacks, prevent disruptive or unauthorized address(es) from access or it can be used to restrict access to or from a particular geographic area — for example. Further more banIP scans the log file via logread and bans IPs that make too many password failures, e.g. via ssh.
7
8 ## Main Features
9 * banIP supports the following fully pre-configured domain blocklist feeds (free for private usage, for commercial use please check their individual licenses).
10 **Please note:** By default every feed blocks all supported chains. The columns "WAN-INP", "WAN-FWD" and "LAN-FWD" show for which chains the feeds are suitable in common scenarios, e.g. the first entry should be limited to the LAN forward chain - see the config options 'ban\_blockpolicy', 'ban\_blockinput', 'ban\_blockforwardwan' and 'ban\_blockforwardlan' below.
11
12 | Feed | Focus | WAN-INP | WAN-FWD | LAN-FWD | Port-Limit | Information |
13 | :------------------ | :----------------------------- | :-----: | :-----: | :-----: | :----------: | :----------------------------------------------------------- |
14 | adaway | adaway IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
15 | adguard | adguard IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
16 | adguardtrackers | adguardtracker IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
17 | antipopads | antipopads IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
18 | asn | ASN segments | x | x | x | | [Link](https://asn.ipinfo.app) |
19 | backscatterer | backscatterer IPs | x | x | | | [Link](https://www.uceprotect.net/en/index.php) |
20 | becyber | malicious attacker IPs | x | x | | | [Link](https://github.com/duggytuxy/malicious_ip_addresses) |
21 | binarydefense | binary defense banlist | x | x | | | [Link](https://iplists.firehol.org/?ipset=bds_atif) |
22 | bogon | bogon prefixes | x | x | | | [Link](https://team-cymru.com) |
23 | bruteforceblock | bruteforceblocker IPs | x | x | | | [Link](https://danger.rulez.sk/index.php/bruteforceblocker/) |
24 | country | country blocks | x | x | | | [Link](https://www.ipdeny.com/ipblocks) |
25 | cinsscore | suspicious attacker IPs | x | x | | | [Link](https://cinsscore.com/#list) |
26 | debl | fail2ban IP blacklist | x | x | | | [Link](https://www.blocklist.de) |
27 | doh | public DoH-Provider | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/DoH-IP-blocklists) |
28 | drop | spamhaus drop compilation | x | x | | | [Link](https://www.spamhaus.org) |
29 | dshield | dshield IP blocklist | x | x | | | [Link](https://www.dshield.org) |
30 | edrop | spamhaus edrop compilation | x | x | | | [Link](https://www.spamhaus.org) |
31 | etcompromised | ET compromised hosts | x | x | | | [Link](https://iplists.firehol.org/?ipset=et_compromised) |
32 | feodo | feodo tracker | x | x | | | [Link](https://feodotracker.abuse.ch) |
33 | firehol1 | firehol level 1 compilation | x | x | | | [Link](https://iplists.firehol.org/?ipset=firehol_level1) |
34 | firehol2 | firehol level 2 compilation | x | x | | | [Link](https://iplists.firehol.org/?ipset=firehol_level2) |
35 | firehol3 | firehol level 3 compilation | x | x | | | [Link](https://iplists.firehol.org/?ipset=firehol_level3) |
36 | firehol4 | firehol level 4 compilation | x | x | | | [Link](https://iplists.firehol.org/?ipset=firehol_level4) |
37 | greensnow | suspicious server IPs | x | x | | | [Link](https://greensnow.co) |
38 | iblockads | Advertising IPs | | | x | tcp: 80, 443 | [Link](https://www.iblocklist.com) |
39 | iblockspy | Malicious spyware IPs | | | x | tcp: 80, 443 | [Link](https://www.iblocklist.com) |
40 | ipblackhole | blackhole IPs | x | x | | | [Link](https://github.com/BlackHoleMonster/IP-BlackHole) |
41 | ipsum | malicious IPs | x | x | | | [Link](https://github.com/stamparm/ipsum) |
42 | ipthreat | hacker and botnet TPs | x | x | | | [Link](https://ipthreat.net) |
43 | myip | real-time IP blocklist | x | x | | | [Link](https://myip.ms) |
44 | nixspam | iX spam protection | x | x | | | [Link](http://www.nixspam.org) |
45 | oisdbig | OISD-big IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
46 | oisdnsfw | OISD-nsfw IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
47 | oisdsmall | OISD-small IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
48 | pallebone | curated IP blocklist | x | x | | | [Link](https://github.com/pallebone/StrictBlockPAllebone) |
49 | proxy | open proxies | x | x | | | [Link](https://iplists.firehol.org/?ipset=proxylists) |
50 | ssbl | SSL botnet IPs | x | x | | | [Link](https://sslbl.abuse.ch) |
51 | stevenblack | stevenblack IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
52 | talos | talos IPs | x | x | | | [Link](https://talosintelligence.com/reputation_center) |
53 | threat | emerging threats | x | x | | | [Link](https://rules.emergingthreats.net) |
54 | threatview | malicious IPs | x | x | | | [Link](https://threatview.io) |
55 | tor | tor exit nodes | x | x | | | [Link](https://github.com/SecOps-Institute/Tor-IP-Addresses) |
56 | turris | turris sentinel blocklist | x | x | | | [Link](https://view.sentinel.turris.cz) |
57 | uceprotect1 | spam protection level 1 | x | x | | | [Link](https://www.uceprotect.net/en/index.php) |
58 | uceprotect2 | spam protection level 2 | x | x | | | [Link](https://www.uceprotect.net/en/index.php) |
59 | uceprotect3 | spam protection level 3 | x | x | | | [Link](https://www.uceprotect.net/en/index.php) |
60 | urlhaus | urlhaus IDS IPs | x | x | | | [Link](https://urlhaus.abuse.ch) |
61 | urlvir | malware related IPs | x | x | | | [Link](https://iplists.firehol.org/?ipset=urlvir) |
62 | webclient | malware related IPs | x | x | | | [Link](https://iplists.firehol.org/?ipset=firehol_webclient) |
63 | voip | VoIP fraud blocklist | x | x | | | [Link](https://voipbl.org) |
64 | yoyo | yoyo IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
65
66 * Zero-conf like automatic installation & setup, usually no manual changes needed
67 * All Sets are handled in a separate nft table/namespace 'banIP'
68 * Full IPv4 and IPv6 support
69 * Supports nft atomic Set loading
70 * Supports blocking by ASN numbers and by iso country codes
71 * Block countries dynamically by Regional Internet Registry (RIR), e.g. all countries related to ARIN. Supported service regions are: AFRINIC, ARIN, APNIC, LACNIC and RIPE
72 * Supports local allow- and blocklist with MAC/IPv4/IPv6 addresses or domain names
73 * Supports concatenation of local MAC addresses with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments
74 * All local input types support ranges in CIDR notation
75 * Auto-add the uplink subnet or uplink IP to the local allowlist
76 * Prevent common ICMP, UDP and SYN flood attacks and drop spoofed tcp flags & invalid conntrack packets (DDoS attacks) in an additional prerouting chain
77 * Provides a small background log monitor to ban unsuccessful login attempts in real-time (like fail2ban, crowdsec etc.)
78 * Auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist
79 * Auto-add entire subnets to the blocklist Sets based on an additional RDAP request with the monitored suspicious IP
80 * Fast feed processing as they are handled in parallel as background jobs (on capable multi-core hardware)
81 * Per feed it can be defined whether the wan-input chain, the wan-forward chain or the lan-forward chain should be blocked (default: all chains)
82 * Automatic blocklist backup & restore, the backups will be used in case of download errors or during startup
83 * Automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or full wget
84 * Provides HTTP ETag support to download only ressources that have been updated on the server side, to speed up banIP reloads and to save bandwith
85 * Supports an 'allowlist only' mode, this option skips all blocklists and restricts the internet access only to specific, explicitly allowed IP segments
86 * Supports external allowlist URLs to reference additional IPv4/IPv6 feeds
87 * Optionally always allow certain protocols/destination ports in wan-input and wan-forward chains
88 * Deduplicate IPs accross all Sets (single IPs only, no intervals)
89 * Provides comprehensive runtime information
90 * Provides a detailed Set report
91 * Provides a Set search engine for certain IPs
92 * Feed parsing by fast & flexible regex rulesets
93 * Minimal status & error logging to syslog, enable debug logging to receive more output
94 * Procd based init system support (start/stop/restart/reload/status/report/search/survey/lookup)
95 * Procd network interface trigger support
96 * Add new or edit existing banIP feeds on your own with the LuCI integrated custom feed editor
97 * Supports destination port & protocol limitations for external feeds (see the feed list above). To change the default assignments just use the feed editor
98 * Supports allowing / blocking of certain VLAN forwards
99 * Provides an option to transfer logging events on remote servers via cgi interface
100
101 ## Prerequisites
102 * **[OpenWrt](https://openwrt.org)**, latest stable release or a snapshot with nft/firewall 4 support
103 * A download utility with SSL support: 'aria2c', 'curl', full 'wget' or 'uclient-fetch' with one of the 'libustream-*' SSL libraries, the latter one doesn't provide support for ETag HTTP header
104 * A certificate store like 'ca-bundle', as banIP checks the validity of the SSL certificates of all download sites by default
105 * For E-Mail notifications you need to install and setup the additional 'msmtp' package
106
107 **Please note:**
108 * Devices with less than 256Mb of RAM are **_not_** supported
109 * Any previous installation of ancient banIP 0.7.x must be uninstalled, and the /etc/banip folder and the /etc/config/banip configuration file must be deleted (they are recreated when this version is installed)
110
111 ## Installation & Usage
112 * Update your local opkg repository (_opkg update_)
113 * Install banIP (_opkg install banip_) - the banIP service is disabled by default
114 * Install the LuCI companion package 'luci-app-banip' (opkg install luci-app-banip)
115 * It's strongly recommended to use the LuCI frontend to easily configure all aspects of banIP, the application is located in LuCI under the 'Services' menu
116 * If you're using a complex network setup, e.g. special tunnel interfaces, than untick the 'Auto Detection' option under the 'General Settings' tab and set the required options manually
117 * Start the service with '/etc/init.d/banip start' and check everything is working by running '/etc/init.d/banip status' and also check the 'Firewall Log' and 'Processing Log' tabs
118 * If you're going to configure banIP via CLI, edit the config file '/etc/config/banip' and enable the service (set ban\_enabled to '1'), then add pre-configured feeds via 'ban\_feed' (see the feed list above) and add/change other options to your needs, see the options reference table below
119
120 ## banIP CLI interface
121 * All important banIP functions are accessible via CLI.
122 ```
123 ~# /etc/init.d/banip
124 Syntax: /etc/init.d/banip [command]
125
126 Available commands:
127 start Start the service
128 stop Stop the service
129 restart Restart the service
130 reload Reload configuration files (or restart if service does not implement reload)
131 enable Enable service autostart
132 disable Disable service autostart
133 enabled Check if service is started on boot
134 report [text|json|mail] Print banIP related Set statistics
135 search [<IPv4 address>|<IPv6 address>] Check if an element exists in a banIP Set
136 survey [<Set name>] List all elements of a given banIP Set
137 lookup Lookup the IPs of domain names in the local lists and update them
138 running Check if service is running
139 status Service status
140 trace Start with syscall trace
141 info Dump procd service info
142 ```
143
144 ## banIP config options
145
146 | Option | Type | Default | Description |
147 | :---------------------- | :----- | :---------------------------- | :---------------------------------------------------------------------------------------------------------------- |
148 | ban_enabled | option | 0 | enable the banIP service |
149 | ban_nicelimit | option | 0 | ulimit nice level of the banIP service (range 0-19) |
150 | ban_filelimit | option | 1024 | ulimit max open/number of files (range 1024-4096) |
151 | ban_loglimit | option | 100 | scan only the last n log entries permanently. A value of '0' disables the monitor |
152 | ban_logcount | option | 1 | how many times the IP must appear in the log to be considered as suspicious |
153 | ban_logterm | list | regex | various regex for logfile parsing (default: dropbear, sshd, luci, nginx, asterisk and cgi-remote events) |
154 | ban_logreadfile | option | /var/log/messages | alternative location for parsing the log file, e.g. via syslog-ng, to deactivate the standard parsing via logread |
155 | ban_autodetect | option | 1 | auto-detect wan interfaces, devices and subnets |
156 | ban_debug | option | 0 | enable banIP related debug logging |
157 | ban_icmplimit | option | 10 | treshold in number of packets to detect icmp DDoS in prerouting chain |
158 | ban_synlimit | option | 10 | treshold in number of packets to detect syn DDoS in prerouting chain |
159 | ban_udplimit | option | 100 | treshold in number of packets to detect udp DDoS in prerouting chain |
160 | ban_logprerouting | option | 0 | log supsicious packets in the prerouting chain |
161 | ban_loginput | option | 0 | log supsicious packets in the wan-input chain |
162 | ban_logforwardwan | option | 0 | log supsicious packets in the wan-forward chain |
163 | ban_logforwardlan | option | 0 | log supsicious packets in the lan-forward chain |
164 | ban_autoallowlist | option | 1 | add wan IPs/subnets and resolved domains automatically to the local allowlist (not only to the Sets) |
165 | ban_autoblocklist | option | 1 | add suspicious attacker IPs and resolved domains automatically to the local blocklist (not only to the Sets) |
166 | ban_autoblocksubnet | option | 0 | add entire subnets to the blocklist Sets based on an additional RDAP request with the suspicious IP |
167 | ban_autoallowuplink | option | subnet | limit the uplink autoallow function to: 'subnet', 'ip' or 'disable' it at all |
168 | ban_allowlistonly | option | 0 | skip all blocklists and restrict the internet access only to specific, explicitly allowed IP segments |
169 | ban_allowflag | option | - | always allow certain protocols(tcp or udp) plus destination ports or port ranges, e.g.: 'tcp 80 443-445' |
170 | ban_allowurl | list | - | external allowlist feed URLs, one or more references to simple remote IP lists |
171 | ban_basedir | option | /tmp | base working directory while banIP processing |
172 | ban_reportdir | option | /tmp/banIP-report | directory where banIP stores the report files |
173 | ban_backupdir | option | /tmp/banIP-backup | directory where banIP stores the compressed backup files |
174 | ban_protov4 | option | - / autodetect | enable IPv4 support |
175 | ban_protov6 | option | - / autodetect | enable IPv4 support |
176 | ban_ifv4 | list | - / autodetect | logical wan IPv4 interfaces, e.g. 'wan' |
177 | ban_ifv6 | list | - / autodetect | logical wan IPv6 interfaces, e.g. 'wan6' |
178 | ban_dev | list | - / autodetect | wan device(s), e.g. 'eth2' |
179 | ban_vlanallow | list | - | always allow certain VLAN forwards, e.g. br-lan.20 |
180 | ban_vlanblock | list | - | always block certain VLAN forwards, e.g. br-lan.10 |
181 | ban_trigger | list | - | logical reload trigger interface(s), e.g. 'wan' |
182 | ban_triggerdelay | option | 20 | trigger timeout during interface reload and boot |
183 | ban_deduplicate | option | 1 | deduplicate IP addresses across all active Sets |
184 | ban_splitsize | option | 0 | split ext. Sets after every n lines/members (saves RAM) |
185 | ban_cores | option | - / autodetect | limit the cpu cores used by banIP (saves RAM) |
186 | ban_nftloglevel | option | warn | nft loglevel, values: emerg, alert, crit, err, warn, notice, info, debug |
187 | ban_nftpriority | option | -100 | nft priority for the banIP table (the prerouting table is fixed to priority -150) |
188 | ban_nftpolicy | option | memory | nft policy for banIP-related Sets, values: memory, performance |
189 | ban_nftexpiry | option | - | expiry time for auto added blocklist members, e.g. '5m', '2h' or '1d' |
190 | ban_feed | list | - | external download feeds, e.g. 'yoyo', 'doh', 'country' or 'talos' (see feed table) |
191 | ban_asn | list | - | ASNs for the 'asn' feed, e.g.'32934' |
192 | ban_region | list | - | Regional Internet Registry (RIR) country selection. Supported regions are: AFRINIC, ARIN, APNIC, LACNIC and RIPE |
193 | ban_country | list | - | country iso codes for the 'country' feed, e.g. 'ru' |
194 | ban_blockpolicy | option | - | limit the default block policy to a certain chain, e.g. 'input', 'forwardwan' or 'forwardlan' |
195 | ban_blocktype | option | drop | 'drop' packets silently on input and forwardwan chains or actively 'reject' the traffic |
196 | ban_blockinput | list | - | limit a feed to the wan-input chain, e.g. 'country' |
197 | ban_blockforwardwan | list | - | limit a feed to the wan-forward chain, e.g. 'debl' |
198 | ban_blockforwardlan | list | - | limit a feed to the lan-forward chain, e.g. 'doh' |
199 | ban_fetchcmd | option | - / autodetect | 'uclient-fetch', 'wget', 'curl' or 'aria2c' |
200 | ban_fetchparm | option | - / autodetect | set the config options for the selected download utility |
201 | ban_fetchretry | option | 5 | number of download attempts in case of an error (not supported by uclient-fetch) |
202 | ban_fetchinsecure | option | 0 | don't check SSL server certificates during download |
203 | ban_mailreceiver | option | - | receiver address for banIP related notification E-Mails |
204 | ban_mailsender | option | no-reply@banIP | sender address for banIP related notification E-Mails |
205 | ban_mailtopic | option | banIP notification | topic for banIP related notification E-Mails |
206 | ban_mailprofile | option | ban_notify | mail profile used in 'msmtp' for banIP related notification E-Mails |
207 | ban_mailnotification | option | 0 | receive E-Mail notifications with every banIP run |
208 | ban_reportelements | option | 1 | count Set elements in the report, disable this option to speed up the report significantly |
209 | ban_resolver | option | - | external resolver used for DNS lookups |
210 | ban_remotelog | option | 0 | enable the cgi interface to receive remote logging events |
211 | ban_remotetoken | option | - | unique token to communicate with the cgi interface |
212
213 ## Examples
214 **banIP report information**
215 ```
216 ~# /etc/init.d/banip report
217 :::
218 ::: banIP Set Statistics
219 :::
220 Timestamp: 2024-04-17 23:02:15
221 ------------------------------
222 blocked syn-flood packets in prerouting : 5
223 blocked udp-flood packets in prerouting : 11
224 blocked icmp-flood packets in prerouting : 6
225 blocked invalid ct packets in prerouting : 277
226 blocked invalid tcp packets in prerouting: 0
227 ----------
228 auto-added IPs to allowlist today: 0
229 auto-added IPs to blocklist today: 0
230
231 Set | Elements | WAN-Input (packets) | WAN-Forward (packets) | LAN-Forward (packets) | Port/Protocol Limit
232 ---------------------+--------------+-----------------------+-----------------------+-----------------------+------------------------
233 allowlistv4MAC | 0 | - | - | ON: 0 | -
234 allowlistv6MAC | 0 | - | - | ON: 0 | -
235 allowlistv4 | 1 | ON: 0 | ON: 0 | ON: 0 | -
236 allowlistv6 | 2 | ON: 0 | ON: 0 | ON: 0 | -
237 adguardtrackersv6 | 105 | - | - | ON: 0 | tcp: 80, 443
238 adguardtrackersv4 | 816 | - | - | ON: 0 | tcp: 80, 443
239 becyberv4 | 229006 | ON: 2254 | ON: 0 | - | -
240 cinsscorev4 | 7135 | ON: 1630 | ON: 2 | - | -
241 deblv4 | 10191 | ON: 23 | ON: 0 | - | -
242 countryv6 | 38233 | ON: 7 | ON: 0 | - | -
243 countryv4 | 37169 | ON: 2323 | ON: 0 | - | -
244 deblv6 | 65 | ON: 0 | ON: 0 | - | -
245 dropv6 | 66 | ON: 0 | ON: 0 | - | -
246 dohv4 | 1219 | - | - | ON: 0 | tcp: 80, 443
247 dropv4 | 895 | ON: 75 | ON: 0 | - | -
248 dohv6 | 832 | - | - | ON: 0 | tcp: 80, 443
249 threatv4 | 20 | ON: 0 | ON: 0 | - | -
250 firehol1v4 | 753 | ON: 1 | ON: 0 | - | -
251 ipthreatv4 | 1369 | ON: 20 | ON: 0 | - | -
252 firehol2v4 | 2216 | ON: 1 | ON: 0 | - | -
253 turrisv4 | 5613 | ON: 179 | ON: 0 | - | -
254 blocklistv4MAC | 0 | - | - | ON: 0 | -
255 blocklistv6MAC | 0 | - | - | ON: 0 | -
256 blocklistv4 | 0 | ON: 0 | ON: 0 | ON: 0 | -
257 blocklistv6 | 0 | ON: 0 | ON: 0 | ON: 0 | -
258 ---------------------+--------------+-----------------------+-----------------------+-----------------------+------------------------
259 25 | 335706 | 17 (6513) | 17 (2) | 12 (0)
260 ```
261
262 **banIP runtime information**
263 ```
264 ~# /etc/init.d/banip status
265 ::: banIP runtime information
266 + status : active (nft: ✔, monitor: ✔)
267 + version : 0.9.5-r1
268 + element_count : 335706
269 + active_feeds : allowlistv4MAC, allowlistv6MAC, allowlistv4, allowlistv6, adguardtrackersv6, adguardtrackersv4, becyberv4, cinsscorev4, deblv4, countryv6, countryv4, deblv6, dropv6, dohv4, dropv4, dohv6, threatv4, firehol1v4, ipthreatv4, firehol2v4, turrisv4, blocklistv4MAC, blocklistv6MAC, blocklistv4, blocklistv6
270 + active_devices : wan: pppoe-wan / wan-if: wan, wan_6 / vlan-allow: - / vlan-block: -
271 + active_uplink : 217.83.205.130, fe80::9cd6:12e9:c4df:75d3, 2003:ed:b5ff:43bd:9cd5:12e7:c3ef:75d8
272 + nft_info : priority: 0, policy: performance, loglevel: warn, expiry: 2h
273 + run_info : base: /mnt/data/banIP, backup: /mnt/data/banIP/backup, report: /mnt/data/banIP/report
274 + run_flags : auto: ✔, proto (4/6): ✔/✔, log (pre/inp/fwd/lan): ✔/✘/✘/✘, dedup: ✔, split: ✘, custom feed: ✘, allowed only: ✘
275 + last_run : action: reload, log: logread, fetch: curl, duration: 2m 33s, date: 2024-04-17 05:57:56
276 + system_info : cores: 4, memory: 1573, device: Bananapi BPI-R3, OpenWrt SNAPSHOT r25932-338b463e1e
277 ```
278
279 **banIP search information**
280 ```
281 ~# /etc/init.d/banip search 221.228.105.173
282 :::
283 ::: banIP Search
284 :::
285 Looking for IP '221.228.105.173' on 2023-02-08 22:12:48
286 ---
287 IP found in Set 'oisdbasicv4'
288 ```
289
290 **banIP survey information**
291 ```
292 ~# /etc/init.d/banip survey cinsscorev4
293 :::
294 ::: banIP Survey
295 :::
296 List of elements in the Set 'cinsscorev4' on 2023-03-06 14:07:58
297 ---
298 1.10.187.179
299 1.10.203.30
300 1.10.255.58
301 1.11.67.53
302 1.11.114.211
303 1.11.208.29
304 1.12.75.87
305 1.12.231.227
306 1.12.247.134
307 1.12.251.141
308 1.14.96.156
309 1.14.250.37
310 1.15.40.79
311 1.15.71.140
312 1.15.77.237
313 [...]
314 ```
315 **default regex for logfile parsing**
316 ```
317 list ban_logterm 'Exit before auth from'
318 list ban_logterm 'luci: failed login'
319 list ban_logterm 'error: maximum authentication attempts exceeded'
320 list ban_logterm 'sshd.*Connection closed by.*\[preauth\]'
321 list ban_logterm 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress='
322 list ban_logterm 'received a suspicious remote IP '\''.*'\'''
323 ```
324
325 **allow-/blocklist handling**
326 banIP supports local allow and block lists, MAC/IPv4/IPv6 addresses (incl. ranges in CIDR notation) or domain names. These files are located in /etc/banip/banip.allowlist and /etc/banip/banip.blocklist.
327 Unsuccessful login attempts or suspicious requests will be tracked and added to the local blocklist (see the 'ban_autoblocklist' option). The blocklist behaviour can be further tweaked with the 'ban_nftexpiry' option.
328 Depending on the options 'ban_autoallowlist' and 'ban_autoallowuplink' the uplink subnet or the uplink IP will be added automatically to local allowlist.
329 Furthermore, you can reference external Allowlist URLs with additional IPv4 and IPv6 feeds (see 'ban_allowurl').
330 Both local lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be extracted and added to the Sets. You can also start the domain lookup separately via /etc/init.d/banip lookup at any time.
331
332 **allowlist-only mode**
333 banIP supports an "allowlist only" mode. This option skips all blocklists and restricts the internet access only to specific, explicitly allowed IP segments - and block access to the rest of the internet. All IPs which are _not_ listed in the allowlist (plus the external Allowlist URLs) are blocked.
334
335 **MAC/IP-binding**
336 banIP supports concatenation of local MAC addresses/ranges with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments. Following notations in the local allow and block lists are allowed:
337 ```
338 MAC-address only:
339 C8:C2:9B:F7:80:12 => this will be populated to the v4MAC- and v6MAC-Sets with the IP-wildcards 0.0.0.0/0 and ::/0
340
341 MAC-address range:
342 C8:C2:9B:F7:80:12/24 => this populate the MAC-range C8:C2:9B:00:00:00", "C8:C2:9B:FF:FF:FF to the v4MAC- and v6MAC-Sets with the IP-wildcards 0.0.0.0/0 and ::/0
343
344 MAC-address with IPv4 concatenation:
345 C8:C2:9B:F7:80:12 192.168.1.10 => this will be populated only to v4MAC-Set with the certain IP, no entry in the v6MAC-Set
346
347 MAC-address with IPv6 concatenation:
348 C8:C2:9B:F7:80:12 2a02:810c:0:80:a10e:62c3:5af:f3f => this will be populated only to v6MAC-Set with the certain IP, no entry in the v4MAC-Set
349
350 MAC-address with IPv4 and IPv6 concatenation:
351 C8:C2:9B:F7:80:12 192.168.1.10 => this will be populated to v4MAC-Set with the certain IP
352 C8:C2:9B:F7:80:12 2a02:810c:0:80:a10e:62c3:5af:f3f => this will be populated to v6MAC-Set with the certain IP
353
354 MAC-address with IPv4 and IPv6 wildcard concatenation:
355 C8:C2:9B:F7:80:12 192.168.1.10 => this will be populated to v4MAC-Set with the certain IP
356 C8:C2:9B:F7:80:12 => this will be populated to v6MAC-Set with the IP-wildcard ::/0
357 ```
358
359 **enable the cgi interface to receive remote logging events**
360 banIP ships a basic cgi interface in '/www/cgi-bin/banip' to receive remote logging events (disabled by default). The cgi interface evaluates logging events via GET or POST request (see examples below). To enable the cgi interface set the following options:
361
362 * set 'ban_remotelog' to '1' to enbale the cgi interface
363 * set 'ban_remotetoken' to a secret transfer token, allowed token characters consist of '[A-Za-z]', '[0-9]', '.' and ':'
364
365 Examples to transfer remote logging events from an internal server to banIP via cgi interface:
366
367 * POST request: curl --insecure --data "<ban_remotetoken>=<suspicious IP>" https://192.168.1.1/cgi-bin/banip
368 * GET request: wget --no-check-certificate https://192.168.1.1/cgi-bin/banip?<ban_remotetoken>=<suspicious IP>
369
370 Please note: for security reasons use this cgi interface only internally and only encrypted via https transfer protocol.
371
372 **redirect Asterisk security logs to lodg/logread**
373 banIP only supports logfile scanning via logread, so to monitor attacks on Asterisk, its security log must be available via logread. To do this, edit '/etc/asterisk/logger.conf' and add the line 'syslog.local0 = security', then run 'asterisk -rx reload logger' to update the running Asterisk configuration.
374
375 **send status E-Mails and update the banIP lists via cron job**
376 For a regular, automatic status mailing and update of the used lists on a daily basis set up a cron job, e.g.
377 ```
378 55 03 * * * /etc/init.d/banip report mail
379 00 04 * * * /etc/init.d/banip reload
380 ```
381
382 **tweaks for low memory systems**
383 nftables supports the atomic loading of firewall rules (incl. elements), which is cool but unfortunately is also very memory intensive. To reduce the memory pressure on low memory systems (i.e. those with 256-512Mb RAM), you should optimize your configuration with the following options:
384
385 * point 'ban_basedir', 'ban_reportdir' and 'ban_backupdir' to an external usb drive
386 * set 'ban_cores' to '1' (only useful on a multicore system) to force sequential feed processing
387 * set 'ban_splitsize' e.g. to '1000' to split the load of an external Set after every 1000 lines/members
388 * set 'ban_reportelements' to '0' to disable the CPU intensive counting of Set elements
389
390 **tweak the download options**
391 By default banIP uses the following pre-configured download options:
392 ```
393 * aria2c: --timeout=20 --retry-wait=10 --max-tries=5 --max-file-not-found=5 --allow-overwrite=true --auto-file-renaming=false --log-level=warn --dir=/ -o
394 * curl: --connect-timeout 20 --retry-delay 10 --retry 5 --retry-all-errors --fail --silent --show-error --location -o
395 * wget: --no-cache --no-cookies --timeout=20 --waitretry=10 --tries=5 --retry-connrefused --max-redirect=0 -O
396 * uclient-fetch: --timeout=20 -O
397 ```
398 To override the default set 'ban_fetchretry', 'ban_fetchinsecure' or globally 'ban_fetchparm' to your needs.
399
400 **send E-Mail notifications via 'msmtp'**
401 To use the email notification you must install & configure the package 'msmtp'.
402 Modify the file '/etc/msmtprc', e.g.:
403 ```
404 [...]
405 defaults
406 auth on
407 tls on
408 tls_certcheck off
409 timeout 5
410 syslog LOG_MAIL
411 [...]
412 account ban_notify
413 host smtp.gmail.com
414 port 587
415 from <address>@gmail.com
416 user <gmail-user>
417 password <password>
418 ```
419 Finally add a valid E-Mail receiver address.
420
421 **change existing banIP feeds or add port limitations**
422 The banIP default blocklist feeds are stored in an external JSON file '/etc/banip/banip.feeds'. All custom changes should be stored in an external JSON file '/etc/banip/banip.custom.feeds' (empty by default). It's recommended to use the LuCI based Custom Feed Editor to make changes to this file.
423 A valid JSON source object contains the following information, e.g.:
424 ```
425 [...]
426 "tor":{
427 "url_4": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst",
428 "url_6": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst",
429 "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
430 "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
431 "descr": "tor exit nodes",
432 "flag": "gz tcp 80-88 udp 50000"
433 },
434 [...]
435 ```
436 Add an unique feed name (no spaces, no special chars) and make the required changes: adapt at least the URL, the regex and the description for a new feed.
437 Please note: the flag field is optional, it's a space separated list of options: supported are 'gz' as an archive format, protocols 'tcp' or 'udp' with port numbers/port ranges for destination port limitations - multiple definitions are possible.
438
439 ## Support
440 Please join the banIP discussion in this [forum thread](https://forum.openwrt.org/t/banip-support-thread/16985) or contact me by mail <dev@brenken.org>
441
442 ## Removal
443 * stop all banIP related services with _/etc/init.d/banip stop_
444 * remove the banip package (_opkg remove banip_)
445
446 Have fun!
447 Dirk
Mirror of packages feed