<!-- markdownlint-disable -->
-# banIP - ban incoming and outgoing IP addresses/subnets via sets in nftables
+# banIP - ban incoming and outgoing IP addresses/subnets via Sets in nftables
## Description
-IP address blocking is commonly used to protect against brute force attacks, prevent disruptive or unauthorized address(es) from access or it can be used to restrict access to or from a particular geographic area — for example. Further more banIP scans the log file via logread and bans IP addresses that make too many password failures, e.g. via ssh.
+IP address blocking is commonly used to protect against brute force attacks, prevent disruptive or unauthorized address(es) from access or it can be used to restrict access to or from a particular geographic area — for example. Further more banIP scans the log file via logread and bans IPs that make too many password failures, e.g. via ssh.
## Main Features
* banIP supports the following fully pre-configured domain blocklist feeds (free for private usage, for commercial use please check their individual licenses).
| yoyo | yoyo IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
* Zero-conf like automatic installation & setup, usually no manual changes needed
-* All sets are handled in a separate nft table/namespace 'banIP'
+* All Sets are handled in a separate nft table/namespace 'banIP'
* Full IPv4 and IPv6 support
-* Supports nft atomic set loading
+* Supports nft atomic Set loading
* Supports blocking by ASN numbers and by iso country codes
-* Supports local allow- and blocklist (IPv4, IPv6, CIDR notation or domain names)
-* Auto-add the uplink subnet to the local allowlist
-* Provides a small background log monitor to ban unsuccessful login attempts in real-time
+* Supports local allow- and blocklist with MAC/IPv4/IPv6 addresses or domain names
+* Supports concatenation of local MAC addresses with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments
+* All local input types support ranges in CIDR notation
+* Auto-add the uplink subnet or uplink IP to the local allowlist
+* Provides a small background log monitor to ban unsuccessful login attempts in real-time (like fail2ban, crowdsec etc.)
* Auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist
-* Fast feed processing as they are handled in parallel as background jobs
+* Auto-add entire subnets to the blocklist Sets based on an additional RDAP request with the monitored suspicious IP
+* Fast feed processing as they are handled in parallel as background jobs (on capable multi-core hardware)
* Per feed it can be defined whether the wan-input chain, the wan-forward chain or the lan-forward chain should be blocked (default: all chains)
* Automatic blocklist backup & restore, the backups will be used in case of download errors or during startup
-* Automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or wget
+* Automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or full wget
* Supports an 'allowlist only' mode, this option restricts internet access from/to a small number of secure websites/IPs
-* Deduplicate IPs accross all sets (single IPs only, no intervals)
+* Deduplicate IPs accross all Sets (single IPs only, no intervals)
* Provides comprehensive runtime information
-* Provides a detailed set report
-* Provides a set search engine for certain IPs
+* Provides a detailed Set report
+* Provides a Set search engine for certain IPs
* Feed parsing by fast & flexible regex rulesets
* Minimal status & error logging to syslog, enable debug logging to receive more output
* Procd based init system support (start/stop/restart/reload/status/report/search/survey/lookup)
* Procd network interface trigger support
-* Add new or edit existing banIP feeds on your own with the integrated custom feed editor
+* Add new or edit existing banIP feeds on your own with the LuCI integrated custom feed editor
+* Supports external allowlist URLs to reference additional IPv4/IPv6 feeds
## Prerequisites
-* **[OpenWrt](https://openwrt.org)**, latest stable release or a snapshot with nft/firewall 4 support
-* A download utility with SSL support: 'wget', 'uclient-fetch' with one of the 'libustream-*' SSL libraries, 'aria2c' or 'curl' is required
+* **[OpenWrt](https://openwrt.org)**, latest stable release or a snapshot with nft/firewall 4 and logd/logread support
+* A download utility with SSL support: 'aria2c', 'curl', full 'wget' or 'uclient-fetch' with one of the 'libustream-*' SSL libraries
* A certificate store like 'ca-bundle', as banIP checks the validity of the SSL certificates of all download sites by default
* For E-Mail notifications you need to install and setup the additional 'msmtp' package
* Install the LuCI companion package 'luci-app-banip' (opkg install luci-app-banip)
* It's strongly recommended to use the LuCI frontend to easily configure all aspects of banIP, the application is located in LuCI under the 'Services' menu
* If you're going to configure banIP via CLI, edit the config file '/etc/config/banip' and enable the service (set ban\_enabled to '1'), then add pre-configured feeds via 'ban\_feed' (see the feed list above) and add/change other options to your needs (see the options reference below)
-* Start the service with '/etc/init.d/banip start' and check check everything is working by running '/etc/init.d/banip status'
+* Start the service with '/etc/init.d/banip start' and check everything is working by running '/etc/init.d/banip status'
## banIP CLI interface
* All important banIP functions are accessible via CLI.
enable Enable service autostart
disable Disable service autostart
enabled Check if service is started on boot
- report [text|json|mail] Print banIP related set statistics
- search [<IPv4 address>|<IPv6 address>] Check if an element exists in a banIP set
- survey [<set name>] List all elements of a given banIP set
+ report [text|json|mail] Print banIP related Set statistics
+ search [<IPv4 address>|<IPv6 address>] Check if an element exists in a banIP Set
+ survey [<Set name>] List all elements of a given banIP Set
lookup Lookup the IPs of domain names in the local lists and update them
running Check if service is running
status Service status
| ban_enabled | option | 0 | enable the banIP service |
| ban_nicelimit | option | 0 | ulimit nice level of the banIP service (range 0-19) |
| ban_filelimit | option | 1024 | ulimit max open/number of files (range 1024-4096) |
-| ban_loglimit | option | 100 | scan only the last n log entries permanently. Set it to '0' to disable the monitor |
+| ban_loglimit | option | 100 | scan only the last n log entries permanently. A value of '0' disables the monitor |
| ban_logcount | option | 1 | how many times the IP must appear in the log to be considered as suspicious |
| ban_logterm | list | regex | various regex for logfile parsing (default: dropbear, sshd, luci, nginx, asterisk) |
| ban_autodetect | option | 1 | auto-detect wan interfaces, devices and subnets |
| ban_logforwardlan | option | 0 | log rejects in the lan-forward chain |
| ban_autoallowlist | option | 1 | add wan IPs/subnets and resolved domains automatically to the local allowlist (not only to the Sets) |
| ban_autoblocklist | option | 1 | add suspicious attacker IPs and resolved domains automatically to the local blocklist (not only to the Sets) |
+| ban_autoblocksubnet | option | 0 | add entire subnets to the blocklist Sets based on an additional RDAP request with the suspicious IP |
+| ban_autoallowuplink | option | subnet | limit the uplink autoallow function to: 'subnet', 'ip' or 'disable' it at all |
| ban_allowlistonly | option | 0 | restrict the internet access from/to a small number of secure websites/IPs |
| ban_basedir | option | /tmp | base working directory while banIP processing |
| ban_reportdir | option | /tmp/banIP-report | directory where banIP stores the report files |
| ban_trigger | list | - | logical startup trigger interface(s), e.g. 'wan' |
| ban_triggerdelay | option | 10 | trigger timeout before banIP processing begins |
| ban_triggeraction | option | start | trigger action on ifup events, e.g. start, restart or reload |
-| ban_deduplicate | option | 1 | deduplicate IP addresses across all active sets |
-| ban_splitsize | option | 0 | split ext. sets after every n lines/members (saves RAM) |
+| ban_deduplicate | option | 1 | deduplicate IP addresses across all active Sets |
+| ban_splitsize | option | 0 | split ext. Sets after every n lines/members (saves RAM) |
| ban_cores | option | - / autodetect | limit the cpu cores used by banIP (saves RAM) |
| ban_nftloglevel | option | warn | nft loglevel, values: emerg, alert, crit, err, warn, notice, info, debug |
| ban_nftpriority | option | -200 | nft priority for the banIP table (default is the prerouting table priority) |
-| ban_nftpolicy | option | memory | nft policy for banIP-related sets, values: memory, performance |
+| ban_nftpolicy | option | memory | nft policy for banIP-related Sets, values: memory, performance |
| ban_nftexpiry | option | - | expiry time for auto added blocklist members, e.g. '5m', '2h' or '1d' |
| ban_feed | list | - | external download feeds, e.g. 'yoyo', 'doh', 'country' or 'talos' (see feed table) |
| ban_asn | list | - | ASNs for the 'asn' feed, e.g.'32934' |
| ban_blockforwardlan | list | - | limit a feed to the lan-forward chain, e.g. 'doh' |
| ban_fetchcmd | option | - / autodetect | 'uclient-fetch', 'wget', 'curl' or 'aria2c' |
| ban_fetchparm | option | - / autodetect | set the config options for the selected download utility |
+| ban_fetchretry | option | 5 | number of download attempts in case of an error (not supported by uclient-fetch) |
| ban_fetchinsecure | option | 0 | don't check SSL server certificates during download |
| ban_mailreceiver | option | - | receiver address for banIP related notification E-Mails |
| ban_mailsender | option | no-reply@banIP | sender address for banIP related notification E-Mails |
| ban_mailtopic | option | banIP notification | topic for banIP related notification E-Mails |
| ban_mailprofile | option | ban_notify | mail profile used in 'msmtp' for banIP related notification E-Mails |
| ban_mailnotification | option | 0 | receive E-Mail notifications with every banIP run |
-| ban_reportelements | option | 1 | list set elements in the report, disable this to speed up the report significantly |
+| ban_reportelements | option | 1 | count Set elements in the report, disable this option to speed up the report significantly |
| ban_resolver | option | - | external resolver used for DNS lookups |
## Examples
:::
::: banIP Set Statistics
:::
- Timestamp: 2023-02-25 08:35:37
+ Timestamp: 2023-06-21 07:03:23
------------------------------
- auto-added to allowlist: 0
- auto-added to blocklist: 4
+ auto-added to allowlist today: 0
+ auto-added to blocklist today: 0
Set | Elements | WAN-Input (packets) | WAN-Forward (packets) | LAN-Forward (packets)
---------------------+--------------+-----------------------+-----------------------+------------------------
- allowlistvMAC | 0 | - | - | OK: 0
- allowlistv4 | 15 | OK: 0 | OK: 0 | OK: 0
+ allowlistv4MAC | 0 | - | - | OK: 0
+ allowlistv6MAC | 0 | - | - | OK: 0
+ allowlistv4 | 1 | OK: 0 | OK: 0 | OK: 0
allowlistv6 | 1 | OK: 0 | OK: 0 | OK: 0
- torv4 | 800 | OK: 0 | OK: 0 | OK: 0
- torv6 | 432 | OK: 0 | OK: 0 | OK: 0
- countryv6 | 34282 | OK: 0 | OK: 1 | -
- countryv4 | 35508 | OK: 1872 | OK: 0 | -
- dohv6 | 343 | - | - | OK: 0
- dohv4 | 540 | - | - | OK: 3
- firehol1v4 | 1670 | OK: 296 | OK: 0 | OK: 16
- deblv4 | 12402 | OK: 4 | OK: 0 | OK: 0
- deblv6 | 41 | OK: 0 | OK: 0 | OK: 0
- adguardv6 | 12742 | - | - | OK: 161
- adguardv4 | 23183 | - | - | OK: 212
- adguardtrackersv6 | 169 | - | - | OK: 0
- adguardtrackersv4 | 633 | - | - | OK: 0
- adawayv6 | 2737 | - | - | OK: 15
- adawayv4 | 6542 | - | - | OK: 137
- oisdsmallv6 | 10569 | - | - | OK: 0
- oisdsmallv4 | 18800 | - | - | OK: 74
- stevenblackv6 | 11901 | - | - | OK: 4
- stevenblackv4 | 16776 | - | - | OK: 139
- yoyov6 | 215 | - | - | OK: 0
- yoyov4 | 309 | - | - | OK: 0
- antipopadsv4 | 1872 | - | - | OK: 0
- urlhausv4 | 7431 | OK: 0 | OK: 0 | OK: 0
- antipopadsv6 | 2081 | - | - | OK: 2
- blocklistvMAC | 0 | - | - | OK: 0
- blocklistv4 | 1174 | OK: 1 | OK: 0 | OK: 0
- blocklistv6 | 40 | OK: 0 | OK: 0 | OK: 0
+ cinsscorev4 | 13115 | OK: 142 | OK: 0 | -
+ deblv4 | 8076 | OK: 5 | OK: 0 | OK: 0
+ countryv6 | 37313 | OK: 0 | OK: 1 | -
+ countryv4 | 36155 | OK: 33 | OK: 0 | -
+ deblv6 | 15 | OK: 0 | OK: 0 | OK: 0
+ dropv6 | 35 | OK: 0 | OK: 0 | OK: 0
+ dropv4 | 620 | OK: 0 | OK: 0 | OK: 0
+ dohv6 | 598 | - | - | OK: 0
+ dohv4 | 902 | - | - | OK: 0
+ edropv4 | 247 | OK: 0 | OK: 0 | OK: 0
+ threatviewv4 | 571 | OK: 0 | OK: 0 | OK: 0
+ firehol1v4 | 877 | OK: 8 | OK: 0 | OK: 0
+ ipthreatv4 | 5751 | OK: 0 | OK: 0 | OK: 0
+ urlvirv4 | 169 | OK: 0 | OK: 0 | OK: 0
+ blocklistv4MAC | 0 | - | - | OK: 0
+ blocklistv6MAC | 0 | - | - | OK: 0
+ blocklistv4 | 3 | OK: 0 | OK: 0 | OK: 0
+ blocklistv6 | 0 | OK: 0 | OK: 0 | OK: 0
---------------------+--------------+-----------------------+-----------------------+------------------------
- 30 | 203208 | 12 (2173) | 12 (1) | 28 (763)
+ 22 | 104449 | 16 (188) | 16 (1) | 19 (0)
```
**banIP runtime information**
```
-~# /etc/init.d/banip status
+root@blackhole:~# /etc/init.d/banip status
::: banIP runtime information
+ status : active (nft: ✔, monitor: ✔)
- + version : 0.8.3-1
- + element_count : 281161
- + active_feeds : allowlistvMAC, allowlistv6, allowlistv4, adawayv4, adguardtrackersv4, adawayv6, adguardv6, adguardv4, adguardtrackersv6, antipopadsv6, antipopadsv4, cinsscorev4, deblv4, countryv6, countryv4, deblv6, dohv4, dohv6, iblockadsv4, firehol1v4, oisdbigv4, yoyov6, threatviewv4, yoyov4, oisdbigv6, blocklistvMAC, blocklistv4, blocklistv6
+ + version : 0.8.8-1
+ + element_count : 104449
+ + active_feeds : allowlistv4MAC, allowlistv6MAC, allowlistv4, allowlistv6, cinsscorev4, deblv4, countryv6, countryv4, deblv6, dropv6, dropv4, dohv6, dohv4, edropv4, threatviewv4, firehol1v4, ipthreatv4, urlvirv4, blocklistv4MAC, blocklistv6MAC, blocklistv4, blocklistv6
+ active_devices : br-wan ::: wan, wan6
- + active_subnets : 91.64.169.252/24, 2a02:710c:0:60:958b:3bd0:9e14:abb/128
- + nft_info : priority: -200, policy: memory, loglevel: warn, expiry: -
- + run_info : base: /mnt/data/banIP, backup: /mnt/data/banIP/backup, report: /mnt/data/banIP/report, feed: /etc/banip/banip.feeds
+ + active_uplink : 91.63.198.120, 2a12:810c:0:80:a20d:52c3:5cf:f4f
+ + nft_info : priority: -200, policy: performance, loglevel: warn, expiry: -
+ + run_info : base: /mnt/data/banIP, backup: /mnt/data/banIP/backup, report: /mnt/data/banIP/report, custom feed: ✘
+ run_flags : auto: ✔, proto (4/6): ✔/✔, log (wan-inp/wan-fwd/lan-fwd): ✔/✔/✔, dedup: ✔, split: ✘, allowed only: ✘
- + last_run : action: reload, duration: 1m 0s, date: 2023-04-06 12:34:10
- + system_info : cores: 4, memory: 1822, device: Bananapi BPI-R3, OpenWrt SNAPSHOT r22498-75f7e2d10b
+ + last_run : action: restart, duration: 0m 19s, date: 2023-06-21 06:45:52
+ + system_info : cores: 4, memory: 1634, device: Bananapi BPI-R3, OpenWrt SNAPSHOT r23398-c4be106f4d
```
**banIP search information**
:::
::: banIP Survey
:::
- List the elements of Set 'cinsscorev4' on 2023-03-06 14:07:58
+ List of elements in the Set 'cinsscorev4' on 2023-03-06 14:07:58
---
1.10.187.179
1.10.203.30
```
**allow-/blocklist handling**
-banIP supports local allow and block lists (IPv4, IPv6, CIDR notation or domain names), located in /etc/banip/banip.allowlist and /etc/banip/banip.blocklist.
-Unsuccessful login attempts or suspicious requests will be tracked and added to the local blocklist (see the 'ban\_autoblocklist' option). The blocklist behaviour can be further tweaked with the 'ban\_nftexpiry' option.
-Furthermore the uplink subnet will be added to local allowlist (see 'ban\_autoallowlist' option).
-Both lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be extracted and added to the sets. You can also start the domain lookup separately via /etc/init.d/banip lookup at any time.
+banIP supports local allow and block lists, MAC/IPv4/IPv6 addresses (incl. ranges in CIDR notation) or domain names. These files are located in /etc/banip/banip.allowlist and /etc/banip/banip.blocklist.
+Unsuccessful login attempts or suspicious requests will be tracked and added to the local blocklist (see the 'ban_autoblocklist' option). The blocklist behaviour can be further tweaked with the 'ban_nftexpiry' option.
+Depending on the options 'ban_autoallowlist' and 'ban_autoallowuplink' the uplink subnet or the uplink IP will be added automatically to local allowlist.
+Furthermore, you can reference external Allowlist URLs with additional IPv4 and IPv6 feeds (see 'ban_allowurl').
+Both local lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be extracted and added to the Sets. You can also start the domain lookup separately via /etc/init.d/banip lookup at any time.
+
+**MAC/IP-binding**
+banIP supports concatenation of local MAC addresses with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments. Following notations in the local allow and block lists are allowed:
+```
+MAC-address only:
+C8:C2:9B:F7:80:12 => this will be populated to the v4MAC- and v6MAC-Sets with the IP-wildcards 0.0.0.0/0 and ::/0
+
+MAC-address with IPv4 concatenation:
+C8:C2:9B:F7:80:12 192.168.1.10 => this will be populated only to v4MAC-Set with the certain IP, no entry in the v6MAC-Set
+
+MAC-address with IPv6 concatenation:
+C8:C2:9B:F7:80:12 2a02:810c:0:80:a10e:62c3:5af:f3f => this will be populated only to v6MAC-Set with the certain IP, no entry in the v4MAC-Set
+
+MAC-address with IPv4 and IPv6 concatenation:
+C8:C2:9B:F7:80:12 192.168.1.10 => this will be populated to v4MAC-Set with the certain IP
+C8:C2:9B:F7:80:12 2a02:810c:0:80:a10e:62c3:5af:f3f => this will be populated to v6MAC-Set with the certain IP
+
+MAC-address with IPv4 and IPv6 wildcard concatenation:
+C8:C2:9B:F7:80:12 192.168.1.10 => this will be populated to v4MAC-Set with the certain IP
+C8:C2:9B:F7:80:12 => this will be populated to v6MAC-Set with the IP-wildcard ::/0
+```
**allowlist-only mode**
-banIP supports an "allowlist only" mode. This option restricts the internet access from/to a small number of secure websites/IPs, and block access from/to the rest of the internet. All IPs and Domains which are _not_ listed in the allowlist are blocked.
+banIP supports an "allowlist only" mode. This option restricts the internet access from/to a small number of secure MACs, IPs or domains, and block access from/to the rest of the internet. All IPs and Domains which are _not_ listed in the allowlist are blocked.
**redirect Asterisk security logs to lodg/logread**
banIP only supports logfile scanning via logread, so to monitor attacks on Asterisk, its security log must be available via logread. To do this, edit '/etc/asterisk/logger.conf' and add the line 'syslog.local0 = security', then run 'asterisk -rx reload logger' to update the running Asterisk configuration.
```
**tweaks for low memory systems**
-nftables supports the atomic loading of rules/sets/members, which is cool but unfortunately is also very memory intensive. To reduce the memory pressure on low memory systems (i.e. those with 256-512Mb RAM), you should optimize your configuration with the following options:
+nftables supports the atomic loading of firewall rules (incl. elements), which is cool but unfortunately is also very memory intensive. To reduce the memory pressure on low memory systems (i.e. those with 256-512Mb RAM), you should optimize your configuration with the following options:
* point 'ban_basedir', 'ban_reportdir' and 'ban_backupdir' to an external usb drive
* set 'ban_cores' to '1' (only useful on a multicore system) to force sequential feed processing
- * set 'ban_splitsize' e.g. to '1000' to split the load of an external set after every 1000 lines/members
- * set 'ban_reportelements' to '0' to disable the CPU intensive counting of set elements
+ * set 'ban_splitsize' e.g. to '1000' to split the load of an external Set after every 1000 lines/members
+ * set 'ban_reportelements' to '0' to disable the CPU intensive counting of Set elements
**tweak the download options**
By default banIP uses the following pre-configured download options:
```
- * aria2c: --timeout=20 --allow-overwrite=true --auto-file-renaming=false --log-level=warn --dir=/ -o
- * curl: --connect-timeout 20 --fail --silent --show-error --location -o
+ * aria2c: --timeout=20 --retry-wait=10 --max-tries=5 --max-file-not-found=5 --allow-overwrite=true --auto-file-renaming=false --log-level=warn --dir=/ -o
+ * curl: --connect-timeout 20 --retry-delay 10 --retry 5 --retry-all-errors --fail --silent --show-error --location -o
+ * wget: --no-cache --no-cookies --timeout=20 --waitretry=10 --tries=5 --retry-connrefused --max-redirect=0 -O
* uclient-fetch: --timeout=20 -O
- * wget: --no-cache --no-cookies --max-redirect=0 --timeout=20 -O
```
-To override the default set 'ban_fetchparm' manually to your needs.
+To override the default set 'ban_fetchretry', 'ban_fetchinsecure' or globally 'ban_fetchparm' to your needs.
**send E-Mail notifications via 'msmtp'**
To use the email notification you must install & configure the package 'msmtp'.
A valid JSON source object contains the following information, e.g.:
```
[...]
- "tor": {
+ "tor":{
"url_4": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst",
"url_6": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
projects / feed / packages.git / blobdiff