mirror of
https://github.com/novatiq/packages.git
synced 2026-04-30 15:38:40 +01:00
banip: update 0.2.1
* remove 'http-only' mode, all sources are now fetched from https sites
* the backup mode is now mandatory ('/tmp' is the default backup
directory), always create and re-use backups if available.
To force a re-download take the 'reload' action.
* support 'sshd' in addition to 'dropbear' for logfile parsing
to detect break-in events
* always update the black-/whitelist with logfile parsing results
in 'refresh' mode (no new downloads)
* rework the return code handling
* tweak procd trigger
* various small fixes
* (s)hellsheck cosmetics
* Change .*GPL.*+ licenses to SPDX compatible identifier
Signed-off-by: Dirk Brenken <dev@brenken.org>
This commit is contained in:
Dirk Brenken
+21
-21
@@ -6,39 +6,36 @@ IP address blocking is commonly used to protect against brute force attacks, pre
|
||||
## Main Features
|
||||
* support many IP blocklist sources (free for private usage, for commercial use please check their individual licenses):
|
||||
* zero-conf like automatic installation & setup, usually no manual changes needed
|
||||
* supports six different download utilities: uclient-fetch, wget, curl, aria2c, wget-nossl, busybox-wget
|
||||
* supports four different download utilities: uclient-fetch, wget, curl, aria2c
|
||||
* Really fast downloads & list processing as they are handled in parallel as background jobs in a configurable 'Download Queue'
|
||||
* provides 'http only' mode without installed ssl library for all non-SSL blocklist sources
|
||||
* full IPv4 and IPv6 support
|
||||
* ipsets (one per source) are used to ban a large number of IP addresses
|
||||
* supports blocking by ASN numbers
|
||||
* supports blocking by iso country codes
|
||||
* supports local white & blacklist (IPv4, IPv6 & CIDR notation), located by default in /etc/banip/banip.whitelist and /etc/banip/banip.blacklist
|
||||
* auto-add unsuccessful ssh login attempts to local blacklist
|
||||
* auto-add the uplink subnet to local whitelist
|
||||
* auto-add unsuccessful ssh login attempts to 'dropbear' or 'sshd' to local blacklist (see 'ban_autoblacklist' option)
|
||||
* auto-add the uplink subnet to local whitelist (see 'ban_autowhitelist' option)
|
||||
* per source configuration of SRC (incoming) and DST (outgoing)
|
||||
* integrated IPSet-Lookup
|
||||
* integrated RIPE-Lookup
|
||||
* blocklist source parsing by fast & flexible regex rulesets
|
||||
* minimal status & error logging to syslog, enable debug logging to receive more output
|
||||
* procd based init system support (start/stop/restart/reload/status)
|
||||
* procd based init system support (start/stop/restart/reload/refresh/status)
|
||||
* procd network interface trigger support
|
||||
* automatic blocklist backup & restore, they will be used in case of download errors or during startup in backup mode
|
||||
* 'backup mode' to re-use blocklist backups during startup, get fresh lists via reload or restart action
|
||||
* automatic blocklist backup & restore, they will be used in case of download errors or during startup
|
||||
* output comprehensive runtime information via LuCI or via 'status' init command
|
||||
* strong LuCI support
|
||||
* optional: add new banIP sources on your own
|
||||
|
||||
## Prerequisites
|
||||
* [OpenWrt](https://openwrt.org), tested with the stable release series (18.06) and with the latest snapshot
|
||||
* [OpenWrt](https://openwrt.org), tested with the stable release series (19.07) and with the latest snapshot
|
||||
* a download utility:
|
||||
* to support all blocklist sources a full version (with ssl support) of 'wget', 'uclient-fetch' with one of the 'libustream-*' ssl libraries, 'aria2c' or 'curl' is required
|
||||
* for limited devices with real memory constraints, banIP provides also a 'http only' option and supports wget-nossl and uclient-fetch (without libustream-ssl) as well
|
||||
* to support all blocklist sources a full version with ssl support of 'wget', 'uclient-fetch' with one of the 'libustream-*' ssl libraries, 'aria2c' or 'curl' is required
|
||||
|
||||
## Installation & Usage
|
||||
* install 'banip' (_opkg install banip_)
|
||||
* at minimum configure the needed IP blocklist sources, the download utility and enable the banIP service in _/etc/config/banip_
|
||||
* control the banip service manually with _/etc/init.d/banip_ start/stop/restart/reload/status or use the LuCI frontend
|
||||
* control the banip service manually with _/etc/init.d/banip_ start/stop/restart/reload/refresh/status or use the LuCI frontend
|
||||
|
||||
## LuCI banIP companion package
|
||||
* it's recommended to use the provided LuCI frontend to control all aspects of banIP
|
||||
@@ -54,14 +51,16 @@ IP address blocking is commonly used to protect against brute force attacks, pre
|
||||
* ban\_iface => space separated list of WAN network interface(s)/device(s) used by banIP (default: automatically set by banIP ('ban_automatic'))
|
||||
|
||||
* the following options apply to the 'extra' config section:
|
||||
* ban\_debug => enable/disable banIP debug output (default: '0', disabled)
|
||||
* ban\_debug => enable/disable banIP debug output (bool/default: '0', disabled)
|
||||
* ban\_nice => set the nice level of the banIP process and all sub-processes (int/default: '0', standard priority)
|
||||
* ban\_triggerdelay => additional trigger delay in seconds before banIP processing begins (int/default: '2')
|
||||
* ban\_backup => create compressed blocklist backups, they will be used in case of download errors or during startup in 'backup mode' (bool/default: '0', disabled)
|
||||
* ban\_backupdir => target directory for adblock backups (default: not set)
|
||||
* ban\_backupboot => do not automatically update blocklists during startup, use their backups instead (bool/default: '0', disabled)
|
||||
* ban\_maxqueue => size of the download queue to handle downloads & IPSet processing in parallel (int/default: '8')
|
||||
* ban\_backupdir => target directory for banIP backups (default: '/tmp')
|
||||
* ban\_sshdaemon => select the SSH daemon for logfile parsing, 'dropbear' or 'sshd' (default: 'dropbear')
|
||||
* ban\_starttype => select the used start type during boot, 'start' or 'reload' (default: 'start')
|
||||
* ban\_maxqueue => size of the download queue to handle downloads & IPSet processing in parallel (int/default: '4')
|
||||
* ban\_fetchparm => special config options for the download utility (default: not set)
|
||||
* ban\_autoblacklist => store auto-addons temporary in ipset and permanently in local blacklist as well (bool/default: '1', enabled)
|
||||
* ban\_autowhitelist => store auto-addons temporary in ipset and permanently in local whitelist as well (bool/default: '1', enabled)
|
||||
|
||||
## Examples
|
||||
**receive banIP runtime information:**
|
||||
@@ -70,14 +69,15 @@ IP address blocking is commonly used to protect against brute force attacks, pre
|
||||
/etc/init.d/banip status
|
||||
::: banIP runtime information
|
||||
+ status : enabled
|
||||
+ version : 0.1.0
|
||||
+ version : 0.2.0
|
||||
+ fetch_info : /bin/uclient-fetch (libustream-ssl)
|
||||
+ ipset_info : 1 IPSets with overall 516 IPs/Prefixes (backup mode)
|
||||
+ last_run : 05.01.2019 14:48:18
|
||||
+ system : TP-LINK RE450, OpenWrt SNAPSHOT r8910+72-25d8aa7d02
|
||||
+ ipset_info : 11 IPSets with overall 118359 IPs/Prefixes
|
||||
+ backup_dir : /tmp
|
||||
+ last_run : 09.09.2019 16:49:40
|
||||
+ system : UBNT-ERX, OpenWrt SNAPSHOT r10962-c19b9f9a26
|
||||
</code></pre>
|
||||
|
||||
**cronjob for a regular block list update (/etc/crontabs/root):**
|
||||
**cronjob for a regular IPSet blocklist update (/etc/crontabs/root):**
|
||||
|
||||
<pre><code>
|
||||
0 06 * * * /etc/init.d/banip reload
|
||||
|
||||
Reference in New Issue
Block a user