projects / feed / packages.git / blob
? search:


eb5e8cf65cc8bb091c4f3cdbdf49327fa3fe5296
[feed/packages.git] / net / banip / files / README.md
1 <!-- markdownlint-disable -->
2
3 # banIP - ban incoming and outgoing IP addresses/subnets via Sets in nftables
4
5 ## Description
6 IP address blocking is commonly used to protect against brute force attacks, prevent disruptive or unauthorized address(es) from access or it can be used to restrict access to or from a particular geographic area — for example. Further more banIP scans the log file via logread and bans IPs that make too many password failures, e.g. via ssh.
7
8 ## Main Features
9 * banIP supports the following fully pre-configured domain blocklist feeds (free for private usage, for commercial use please check their individual licenses).
10 **Please note:** By default every feed blocks all supported chains. The columns "WAN-INP", "WAN-FWD" and "LAN-FWD" show for which chains the feeds are suitable in common scenarios, e.g. the first entry should be limited to the LAN forward chain - see the config options 'ban\_blockpolicy', 'ban\_blockinput', 'ban\_blockforwardwan' and 'ban\_blockforwardlan' below.
11
12 | Feed | Focus | WAN-INP | WAN-FWD | LAN-FWD | Information |
13 | :------------------ | :----------------------------- | :-----: | :-----: | :-----: | :----------------------------------------------------------- |
14 | adaway | adaway IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
15 | adguard | adguard IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
16 | adguardtrackers | adguardtracker IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
17 | antipopads | antipopads IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
18 | asn | ASN IPs | | | x | [Link](https://asn.ipinfo.app) |
19 | backscatterer | backscatterer IPs | x | x | | [Link](https://www.uceprotect.net/en/index.php) |
20 | binarydefense | binary defense banlist | x | x | | [Link](https://iplists.firehol.org/?ipset=bds_atif) |
21 | bogon | bogon prefixes | x | x | | [Link](https://team-cymru.com) |
22 | bruteforceblock | bruteforceblocker IPs | x | x | | [Link](https://danger.rulez.sk/index.php/bruteforceblocker/) |
23 | country | country blocks | x | x | | [Link](https://www.ipdeny.com/ipblocks) |
24 | cinsscore | suspicious attacker IPs | x | x | | [Link](https://cinsscore.com/#list) |
25 | darklist | blocks suspicious attacker IPs | x | x | | [Link](https://darklist.de) |
26 | debl | fail2ban IP blacklist | x | x | | [Link](https://www.blocklist.de) |
27 | doh | public DoH-Provider | | | x | [Link](https://github.com/dibdot/DoH-IP-blocklists) |
28 | drop | spamhaus drop compilation | x | x | | [Link](https://www.spamhaus.org) |
29 | dshield | dshield IP blocklist | x | x | | [Link](https://www.dshield.org) |
30 | edrop | spamhaus edrop compilation | x | x | | [Link](https://www.spamhaus.org) |
31 | etcompromised | ET compromised hosts | x | x | | [Link](https://iplists.firehol.org/?ipset=et_compromised) |
32 | feodo | feodo tracker | x | x | x | [Link](https://feodotracker.abuse.ch) |
33 | firehol1 | firehol level 1 compilation | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_level1) |
34 | firehol2 | firehol level 2 compilation | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_level2) |
35 | firehol3 | firehol level 3 compilation | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_level3) |
36 | firehol4 | firehol level 4 compilation | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_level4) |
37 | greensnow | suspicious server IPs | x | x | | [Link](https://greensnow.co) |
38 | iblockads | Advertising IPs | | | x | [Link](https://www.iblocklist.com) |
39 | iblockspy | Malicious spyware IPs | x | x | | [Link](https://www.iblocklist.com) |
40 | ipblackhole | blackhole IPs | x | x | | [Link](https://ip.blackhole.monster) |
41 | ipthreat | hacker and botnet TPs | x | x | | [Link](https://ipthreat.net) |
42 | myip | real-time IP blocklist | x | x | | [Link](https://myip.ms) |
43 | nixspam | iX spam protection | x | x | | [Link](http://www.nixspam.org) |
44 | oisdbig | OISD-big IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
45 | oisdnsfw | OISD-nsfw IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
46 | oisdsmall | OISD-small IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
47 | proxy | open proxies | x | | | [Link](https://iplists.firehol.org/?ipset=proxylists) |
48 | ssbl | SSL botnet IPs | x | x | | [Link](https://sslbl.abuse.ch) |
49 | stevenblack | stevenblack IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
50 | talos | talos IPs | x | x | | [Link](https://talosintelligence.com/reputation_center) |
51 | threat | emerging threats | x | x | | [Link](https://rules.emergingthreats.net) |
52 | threatview | malicious IPs | x | x | | [Link](https://threatview.io) |
53 | tor | tor exit nodes | x | x | | [Link](https://github.com/SecOps-Institute/Tor-IP-Addresses) |
54 | uceprotect1 | spam protection level 1 | x | x | | [Link](http://www.uceprotect.net/en/index.php) |
55 | uceprotect2 | spam protection level 2 | x | x | | [Link](http://www.uceprotect.net/en/index.php) |
56 | uceprotect3 | spam protection level 3 | x | x | | [Link](http://www.uceprotect.net/en/index.php) |
57 | urlhaus | urlhaus IDS IPs | x | x | | [Link](https://urlhaus.abuse.ch) |
58 | urlvir | malware related IPs | x | x | | [Link](https://iplists.firehol.org/?ipset=urlvir) |
59 | webclient | malware related IPs | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_webclient) |
60 | voip | VoIP fraud blocklist | x | x | | [Link](https://voipbl.org) |
61 | yoyo | yoyo IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
62
63 * Zero-conf like automatic installation & setup, usually no manual changes needed
64 * All Sets are handled in a separate nft table/namespace 'banIP'
65 * Full IPv4 and IPv6 support
66 * Supports nft atomic Set loading
67 * Supports blocking by ASN numbers and by iso country codes
68 * Supports local allow- and blocklist with MAC/IPv4/IPv6 addresses or domain names
69 * Supports concatenation of local MAC addresses with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments
70 * All local input types support ranges in CIDR notation
71 * Auto-add the uplink subnet or uplink IP to the local allowlist
72 * Provides a small background log monitor to ban unsuccessful login attempts in real-time (like fail2ban, crowdsec etc.)
73 * Auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist
74 * Auto-add entire subnets to the blocklist Sets based on an additional RDAP request with the monitored suspicious IP
75 * Fast feed processing as they are handled in parallel as background jobs (on capable multi-core hardware)
76 * Per feed it can be defined whether the wan-input chain, the wan-forward chain or the lan-forward chain should be blocked (default: all chains)
77 * Automatic blocklist backup & restore, the backups will be used in case of download errors or during startup
78 * Automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or full wget
79 * Provides HTTP ETag or entity tag support to download only ressources that have been updated on the server side, to save bandwith and speed up banIP reloads
80 * Supports an 'allowlist only' mode, this option restricts internet access from/to a given number of secure websites/IPs
81 * Deduplicate IPs accross all Sets (single IPs only, no intervals)
82 * Provides comprehensive runtime information
83 * Provides a detailed Set report
84 * Provides a Set search engine for certain IPs
85 * Feed parsing by fast & flexible regex rulesets
86 * Minimal status & error logging to syslog, enable debug logging to receive more output
87 * Procd based init system support (start/stop/restart/reload/status/report/search/survey/lookup)
88 * Procd network interface trigger support
89 * Add new or edit existing banIP feeds on your own with the LuCI integrated custom feed editor
90 * Supports external allowlist URLs to reference additional IPv4/IPv6 feeds
91 * Supports allowing / blocking of certain VLAN forwards
92
93 ## Prerequisites
94 * **[OpenWrt](https://openwrt.org)**, latest stable release or a snapshot with nft/firewall 4 support
95 * A download utility with SSL support: 'aria2c', 'curl', full 'wget' or 'uclient-fetch' with one of the 'libustream-*' SSL libraries, the latter one doesn't provide support for ETag HTTP header
96 * A certificate store like 'ca-bundle', as banIP checks the validity of the SSL certificates of all download sites by default
97 * For E-Mail notifications you need to install and setup the additional 'msmtp' package
98
99 **Please note the following:**
100 * Devices with less than 256Mb of RAM are **_not_** supported
101 * Any previous installation of ancient banIP 0.7.x must be uninstalled, and the /etc/banip folder and the /etc/config/banip configuration file must be deleted (they are recreated when this version is installed)
102
103 ## Installation & Usage
104 * Update your local opkg repository (_opkg update_)
105 * Install banIP (_opkg install banip_) - the banIP service is disabled by default
106 * Install the LuCI companion package 'luci-app-banip' (opkg install luci-app-banip)
107 * It's strongly recommended to use the LuCI frontend to easily configure all aspects of banIP, the application is located in LuCI under the 'Services' menu
108 * If you're going to configure banIP via CLI, edit the config file '/etc/config/banip' and enable the service (set ban\_enabled to '1'), then add pre-configured feeds via 'ban\_feed' (see the feed list above) and add/change other options to your needs (see the options reference below)
109 * Start the service with '/etc/init.d/banip start' and check everything is working by running '/etc/init.d/banip status'
110
111 ## banIP CLI interface
112 * All important banIP functions are accessible via CLI.
113 ```
114 ~# /etc/init.d/banip
115 Syntax: /etc/init.d/banip [command]
116
117 Available commands:
118 start Start the service
119 stop Stop the service
120 restart Restart the service
121 reload Reload configuration files (or restart if service does not implement reload)
122 enable Enable service autostart
123 disable Disable service autostart
124 enabled Check if service is started on boot
125 report [text|json|mail] Print banIP related Set statistics
126 search [<IPv4 address>|<IPv6 address>] Check if an element exists in a banIP Set
127 survey [<Set name>] List all elements of a given banIP Set
128 lookup Lookup the IPs of domain names in the local lists and update them
129 running Check if service is running
130 status Service status
131 trace Start with syscall trace
132 info Dump procd service info
133 ```
134
135 ## banIP config options
136
137 | Option | Type | Default | Description |
138 | :---------------------- | :----- | :---------------------------- | :---------------------------------------------------------------------------------------------------------------- |
139 | ban_enabled | option | 0 | enable the banIP service |
140 | ban_nicelimit | option | 0 | ulimit nice level of the banIP service (range 0-19) |
141 | ban_filelimit | option | 1024 | ulimit max open/number of files (range 1024-4096) |
142 | ban_loglimit | option | 100 | scan only the last n log entries permanently. A value of '0' disables the monitor |
143 | ban_logcount | option | 1 | how many times the IP must appear in the log to be considered as suspicious |
144 | ban_logterm | list | regex | various regex for logfile parsing (default: dropbear, sshd, luci, nginx, asterisk) |
145 | ban_logreadfile | option | /var/log/messages | alternative location for parsing the log file, e.g. via syslog-ng, to deactivate the standard parsing via logread |
146 | ban_autodetect | option | 1 | auto-detect wan interfaces, devices and subnets |
147 | ban_debug | option | 0 | enable banIP related debug logging |
148 | ban_loginput | option | 1 | log drops in the wan-input chain |
149 | ban_logforwardwan | option | 1 | log drops in the wan-forward chain |
150 | ban_logforwardlan | option | 0 | log rejects in the lan-forward chain |
151 | ban_autoallowlist | option | 1 | add wan IPs/subnets and resolved domains automatically to the local allowlist (not only to the Sets) |
152 | ban_autoblocklist | option | 1 | add suspicious attacker IPs and resolved domains automatically to the local blocklist (not only to the Sets) |
153 | ban_autoblocksubnet | option | 0 | add entire subnets to the blocklist Sets based on an additional RDAP request with the suspicious IP |
154 | ban_autoallowuplink | option | subnet | limit the uplink autoallow function to: 'subnet', 'ip' or 'disable' it at all |
155 | ban_allowlistonly | option | 0 | restrict the internet access from/to a given number of secure websites/IPs |
156 | ban_basedir | option | /tmp | base working directory while banIP processing |
157 | ban_reportdir | option | /tmp/banIP-report | directory where banIP stores the report files |
158 | ban_backupdir | option | /tmp/banIP-backup | directory where banIP stores the compressed backup files |
159 | ban_protov4 | option | - / autodetect | enable IPv4 support |
160 | ban_protov6 | option | - / autodetect | enable IPv4 support |
161 | ban_ifv4 | list | - / autodetect | logical wan IPv4 interfaces, e.g. 'wan' |
162 | ban_ifv6 | list | - / autodetect | logical wan IPv6 interfaces, e.g. 'wan6' |
163 | ban_dev | list | - / autodetect | wan device(s), e.g. 'eth2' |
164 | ban_vlanallow | list | - | always allow certain VLAN forwards, e.g. br-lan.20 |
165 | ban_vlanblock | list | - | always block certain VLAN forwards, e.g. br-lan.10 |
166 | ban_trigger | list | - | logical reload trigger interface(s), e.g. 'wan' |
167 | ban_triggerdelay | option | 10 | trigger timeout during interface reload and boot |
168 | ban_deduplicate | option | 1 | deduplicate IP addresses across all active Sets |
169 | ban_splitsize | option | 0 | split ext. Sets after every n lines/members (saves RAM) |
170 | ban_cores | option | - / autodetect | limit the cpu cores used by banIP (saves RAM) |
171 | ban_nftloglevel | option | warn | nft loglevel, values: emerg, alert, crit, err, warn, notice, info, debug |
172 | ban_nftpriority | option | -200 | nft priority for the banIP table (default is the prerouting table priority) |
173 | ban_nftpolicy | option | memory | nft policy for banIP-related Sets, values: memory, performance |
174 | ban_nftexpiry | option | - | expiry time for auto added blocklist members, e.g. '5m', '2h' or '1d' |
175 | ban_feed | list | - | external download feeds, e.g. 'yoyo', 'doh', 'country' or 'talos' (see feed table) |
176 | ban_asn | list | - | ASNs for the 'asn' feed, e.g.'32934' |
177 | ban_country | list | - | country iso codes for the 'country' feed, e.g. 'ru' |
178 | ban_blockpolicy | option | - | limit the default block policy to a certain chain, e.g. 'input', 'forwardwan' or 'forwardlan' |
179 | ban_blocktype | option | drop | 'drop' packets silently on input and forwardwan chains or actively 'reject' the traffic |
180 | ban_blockinput | list | - | limit a feed to the wan-input chain, e.g. 'country' |
181 | ban_blockforwardwan | list | - | limit a feed to the wan-forward chain, e.g. 'debl' |
182 | ban_blockforwardlan | list | - | limit a feed to the lan-forward chain, e.g. 'doh' |
183 | ban_fetchcmd | option | - / autodetect | 'uclient-fetch', 'wget', 'curl' or 'aria2c' |
184 | ban_fetchparm | option | - / autodetect | set the config options for the selected download utility |
185 | ban_fetchretry | option | 5 | number of download attempts in case of an error (not supported by uclient-fetch) |
186 | ban_fetchinsecure | option | 0 | don't check SSL server certificates during download |
187 | ban_mailreceiver | option | - | receiver address for banIP related notification E-Mails |
188 | ban_mailsender | option | no-reply@banIP | sender address for banIP related notification E-Mails |
189 | ban_mailtopic | option | banIP notification | topic for banIP related notification E-Mails |
190 | ban_mailprofile | option | ban_notify | mail profile used in 'msmtp' for banIP related notification E-Mails |
191 | ban_mailnotification | option | 0 | receive E-Mail notifications with every banIP run |
192 | ban_reportelements | option | 1 | count Set elements in the report, disable this option to speed up the report significantly |
193 | ban_resolver | option | - | external resolver used for DNS lookups |
194
195 ## Examples
196 **banIP report information**
197 ```
198 ~# /etc/init.d/banip report
199 :::
200 ::: banIP Set Statistics
201 :::
202 Timestamp: 2023-06-21 07:03:23
203 ------------------------------
204 auto-added to allowlist today: 0
205 auto-added to blocklist today: 0
206
207 Set | Elements | WAN-Input (packets) | WAN-Forward (packets) | LAN-Forward (packets)
208 ---------------------+--------------+-----------------------+-----------------------+------------------------
209 allowlistv4MAC | 0 | - | - | OK: 0
210 allowlistv6MAC | 0 | - | - | OK: 0
211 allowlistv4 | 1 | OK: 0 | OK: 0 | OK: 0
212 allowlistv6 | 1 | OK: 0 | OK: 0 | OK: 0
213 cinsscorev4 | 13115 | OK: 142 | OK: 0 | -
214 deblv4 | 8076 | OK: 5 | OK: 0 | OK: 0
215 countryv6 | 37313 | OK: 0 | OK: 1 | -
216 countryv4 | 36155 | OK: 33 | OK: 0 | -
217 deblv6 | 15 | OK: 0 | OK: 0 | OK: 0
218 dropv6 | 35 | OK: 0 | OK: 0 | OK: 0
219 dropv4 | 620 | OK: 0 | OK: 0 | OK: 0
220 dohv6 | 598 | - | - | OK: 0
221 dohv4 | 902 | - | - | OK: 0
222 edropv4 | 247 | OK: 0 | OK: 0 | OK: 0
223 threatviewv4 | 571 | OK: 0 | OK: 0 | OK: 0
224 firehol1v4 | 877 | OK: 8 | OK: 0 | OK: 0
225 ipthreatv4 | 5751 | OK: 0 | OK: 0 | OK: 0
226 urlvirv4 | 169 | OK: 0 | OK: 0 | OK: 0
227 blocklistv4MAC | 0 | - | - | OK: 0
228 blocklistv6MAC | 0 | - | - | OK: 0
229 blocklistv4 | 3 | OK: 0 | OK: 0 | OK: 0
230 blocklistv6 | 0 | OK: 0 | OK: 0 | OK: 0
231 ---------------------+--------------+-----------------------+-----------------------+------------------------
232 22 | 104449 | 16 (188) | 16 (1) | 19 (0)
233 ```
234
235 **banIP runtime information**
236 ```
237 root@blackhole:/etc/config$ /etc/init.d/banip status
238 ::: banIP runtime information
239 + status : active (nft: ✔, monitor: ✔)
240 + version : 0.9.0-1
241 + element_count : 111094
242 + active_feeds : allowlistv4MAC, allowlistv6MAC, allowlistv4, allowlistv6, cinsscorev4, deblv4, countryv6, countryv4, deblv6, dropv6, dropv4, dohv6, dohv4, threatviewv4, firehol1v4, ipthreatv4, firehol2v4, urlvirv4, urlhausv4, blocklistv4MAC, blocklistv6MAC, blocklistv4, blocklistv6
243 + active_devices : wan: br-wan, 10g-1 / wan-if: wan, wan6 / vlan-allow: - / vlan-block: -
244 + active_uplink : 91.63.198.120, 2a12:810c:0:80:a20d:52c3:5cf:f4f
245 + nft_info : priority: -200, policy: performance, loglevel: warn, expiry: -
246 + run_info : base: /mnt/data/banIP, backup: /mnt/data/banIP/backup, report: /mnt/data/banIP/report
247 + run_flags : auto: ✔, proto (4/6): ✔/✔, log (wan-inp/wan-fwd/lan-fwd): ✔/✔/✔, dedup: ✔, split: ✘, custom feed: ✘, allowed only: ✘
248 + last_run : action: reload, fetch: curl, duration: 0m 36s, date: 2023-07-16 06:59:28
249 + system_info : cores: 4, memory: 1663, device: Bananapi BPI-R3, OpenWrt SNAPSHOT r23565-8fb0c196e8
250 ```
251
252 **banIP search information**
253 ```
254 ~# /etc/init.d/banip search 221.228.105.173
255 :::
256 ::: banIP Search
257 :::
258 Looking for IP '221.228.105.173' on 2023-02-08 22:12:48
259 ---
260 IP found in Set 'oisdbasicv4'
261 ```
262
263 **banIP survey information**
264 ```
265 ~# /etc/init.d/banip survey cinsscorev4
266 :::
267 ::: banIP Survey
268 :::
269 List of elements in the Set 'cinsscorev4' on 2023-03-06 14:07:58
270 ---
271 1.10.187.179
272 1.10.203.30
273 1.10.255.58
274 1.11.67.53
275 1.11.114.211
276 1.11.208.29
277 1.12.75.87
278 1.12.231.227
279 1.12.247.134
280 1.12.251.141
281 1.14.96.156
282 1.14.250.37
283 1.15.40.79
284 1.15.71.140
285 1.15.77.237
286 [...]
287 ```
288 **default regex for logfile parsing**
289 ```
290 list ban_logterm 'Exit before auth from'
291 list ban_logterm 'luci: failed login'
292 list ban_logterm 'error: maximum authentication attempts exceeded'
293 list ban_logterm 'sshd.*Connection closed by.*\[preauth\]'
294 list ban_logterm 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress='
295 ```
296
297 **allow-/blocklist handling**
298 banIP supports local allow and block lists, MAC/IPv4/IPv6 addresses (incl. ranges in CIDR notation) or domain names. These files are located in /etc/banip/banip.allowlist and /etc/banip/banip.blocklist.
299 Unsuccessful login attempts or suspicious requests will be tracked and added to the local blocklist (see the 'ban_autoblocklist' option). The blocklist behaviour can be further tweaked with the 'ban_nftexpiry' option.
300 Depending on the options 'ban_autoallowlist' and 'ban_autoallowuplink' the uplink subnet or the uplink IP will be added automatically to local allowlist.
301 Furthermore, you can reference external Allowlist URLs with additional IPv4 and IPv6 feeds (see 'ban_allowurl').
302 Both local lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be extracted and added to the Sets. You can also start the domain lookup separately via /etc/init.d/banip lookup at any time.
303
304 **allowlist-only mode**
305 banIP supports an "allowlist only" mode. This option restricts the internet access from/to a small number of secure MACs, IPs or domains, and block access from/to the rest of the internet. All IPs and Domains which are _not_ listed in the allowlist (plus the external Allowlist URLs) are blocked.
306
307 **MAC/IP-binding**
308 banIP supports concatenation of local MAC addresses with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments. Following notations in the local allow and block lists are allowed:
309 ```
310 MAC-address only:
311 C8:C2:9B:F7:80:12 => this will be populated to the v4MAC- and v6MAC-Sets with the IP-wildcards 0.0.0.0/0 and ::/0
312
313 MAC-address with IPv4 concatenation:
314 C8:C2:9B:F7:80:12 192.168.1.10 => this will be populated only to v4MAC-Set with the certain IP, no entry in the v6MAC-Set
315
316 MAC-address with IPv6 concatenation:
317 C8:C2:9B:F7:80:12 2a02:810c:0:80:a10e:62c3:5af:f3f => this will be populated only to v6MAC-Set with the certain IP, no entry in the v4MAC-Set
318
319 MAC-address with IPv4 and IPv6 concatenation:
320 C8:C2:9B:F7:80:12 192.168.1.10 => this will be populated to v4MAC-Set with the certain IP
321 C8:C2:9B:F7:80:12 2a02:810c:0:80:a10e:62c3:5af:f3f => this will be populated to v6MAC-Set with the certain IP
322
323 MAC-address with IPv4 and IPv6 wildcard concatenation:
324 C8:C2:9B:F7:80:12 192.168.1.10 => this will be populated to v4MAC-Set with the certain IP
325 C8:C2:9B:F7:80:12 => this will be populated to v6MAC-Set with the IP-wildcard ::/0
326 ```
327
328 **redirect Asterisk security logs to lodg/logread**
329 banIP only supports logfile scanning via logread, so to monitor attacks on Asterisk, its security log must be available via logread. To do this, edit '/etc/asterisk/logger.conf' and add the line 'syslog.local0 = security', then run 'asterisk -rx reload logger' to update the running Asterisk configuration.
330
331 **send status E-Mails and update the banIP lists via cron job**
332 For a regular, automatic status mailing and update of the used lists on a daily basis set up a cron job, e.g.
333 ```
334 55 03 * * * /etc/init.d/banip report mail
335 00 04 * * * /etc/init.d/banip reload
336 ```
337
338 **tweaks for low memory systems**
339 nftables supports the atomic loading of firewall rules (incl. elements), which is cool but unfortunately is also very memory intensive. To reduce the memory pressure on low memory systems (i.e. those with 256-512Mb RAM), you should optimize your configuration with the following options:
340
341 * point 'ban_basedir', 'ban_reportdir' and 'ban_backupdir' to an external usb drive
342 * set 'ban_cores' to '1' (only useful on a multicore system) to force sequential feed processing
343 * set 'ban_splitsize' e.g. to '1000' to split the load of an external Set after every 1000 lines/members
344 * set 'ban_reportelements' to '0' to disable the CPU intensive counting of Set elements
345
346 **tweak the download options**
347 By default banIP uses the following pre-configured download options:
348 ```
349 * aria2c: --timeout=20 --retry-wait=10 --max-tries=5 --max-file-not-found=5 --allow-overwrite=true --auto-file-renaming=false --log-level=warn --dir=/ -o
350 * curl: --connect-timeout 20 --retry-delay 10 --retry 5 --retry-all-errors --fail --silent --show-error --location -o
351 * wget: --no-cache --no-cookies --timeout=20 --waitretry=10 --tries=5 --retry-connrefused --max-redirect=0 -O
352 * uclient-fetch: --timeout=20 -O
353 ```
354 To override the default set 'ban_fetchretry', 'ban_fetchinsecure' or globally 'ban_fetchparm' to your needs.
355
356 **send E-Mail notifications via 'msmtp'**
357 To use the email notification you must install & configure the package 'msmtp'.
358 Modify the file '/etc/msmtprc', e.g.:
359 ```
360 [...]
361 defaults
362 auth on
363 tls on
364 tls_certcheck off
365 timeout 5
366 syslog LOG_MAIL
367 [...]
368 account ban_notify
369 host smtp.gmail.com
370 port 587
371 from <address>@gmail.com
372 user <gmail-user>
373 password <password>
374 ```
375 Finally add a valid E-Mail receiver address.
376
377 **change existing banIP feeds or add a new one**
378 The banIP default blocklist feeds are stored in an external JSON file '/etc/banip/banip.feeds'. All custom changes should be stored in an external JSON file '/etc/banip/banip.custom.feeds' (empty by default). It's recommended to use the LuCI based Custom Feed Editor to make changes to this file.
379 A valid JSON source object contains the following information, e.g.:
380 ```
381 [...]
382 "tor":{
383 "url_4": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst",
384 "url_6": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst",
385 "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
386 "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
387 "descr": "tor exit nodes",
388 "flag": ""
389 },
390 [...]
391 ```
392 Add an unique feed name (no spaces, no special chars) and make the required changes: adapt at least the URL, the regex and the description for a new feed. The flag is optional, currently only 'gz' is supported to process archive downloads.
393
394 ## Support
395 Please join the banIP discussion in this [forum thread](https://forum.openwrt.org/t/banip-support-thread/16985) or contact me by mail <dev@brenken.org>
396
397 ## Removal
398 * stop all banIP related services with _/etc/init.d/banip stop_
399 * remove the banip package (_opkg remove banip_)
400
401 Have fun!
402 Dirk
Mirror of packages feed