banip: update 0.3.0

* new 'ca-bundle' dependency as all https connections are now validated by default * automatically select the download utility: 'aria2', 'curl', 'uclient-fetch' with libustream-* or wget are supported * track & ban failed LuCI login attempts as well * add a small log/banIP background monitor to block SSH/LuCI brute force attacks in realtime (disabled by default) * add a config version check (please update your default config!) * made the automatic wan detection more stable * fix the IPv6 logfile parser * fix the service status message * update readme Signed-off-by: Dirk Brenken <dev@brenken.org> (cherry picked from commit ff8b853a6d)
2026-04-30 15:38:40 +01:00 · 2019-10-04 09:12:11 +02:00
parent 6b8870a353
commit bfdbf137ea
6 changed files with 167 additions and 77 deletions
@@ -13,7 +13,8 @@
 #
 LC_ALL=C
 PATH="/usr/sbin:/usr/bin:/sbin:/bin"
-ban_ver="0.2.1"
+ban_ver="0.3.0"
+ban_basever=""
 ban_enabled=0
 ban_automatic="1"
 ban_sources=""
@@ -23,7 +24,8 @@ ban_backupdir="/mnt"
 ban_maxqueue=4
 ban_autoblacklist=1
 ban_autowhitelist=1
-ban_fetchutil="uclient-fetch"
+ban_realtime="false"
+ban_fetchutil=""
 ban_ip="$(command -v ip)"
 ban_ipt="$(command -v iptables)"
 ban_ipt_save="$(command -v iptables-save)"
@@ -36,6 +38,7 @@ ban_chain="banIP"
 ban_action="${1:-"start"}"
 ban_pidfile="/var/run/banip.pid"
 ban_rtfile="/tmp/ban_runtime.json"
+ban_logservice="/etc/banip/banip.service"
 ban_sshdaemon="dropbear"
 ban_setcnt=0
 ban_cnt=0
@@ -94,6 +97,14 @@ f_envload()
 	config_load banip
 	config_foreach parse_config source

+	# version check
+	#
+	if [ -z "${ban_basever}" ] || [ "${ban_ver%.*}" != "${ban_basever}" ]
+	then
+		f_log "info" "your banIP config seems to be too old, please update your config with the '--force-maintainer' opkg option"
+		exit 0
+	fi
+
 	# create temp directory & files
 	#
 	f_temp
@@ -102,6 +113,7 @@ f_envload()
 	#
 	if [ "${ban_enabled}" -eq 0 ]
 	then
+		f_bgserv "stop"
 		f_jsnup disabled
 		f_ipset destroy
 		f_rmbackup
@@ -115,7 +127,7 @@ f_envload()
 #
 f_envcheck()
 {
-	local ssl_lib tmp
+	local util utils packages tmp cnt=0

 	# check backup directory
 	#
@@ -126,44 +138,71 @@ f_envcheck()

 	# check fetch utility
 	#
-	case "${ban_fetchutil}" in
-		"uclient-fetch")
-			if [ -f "/lib/libustream-ssl.so" ]
+	if [ -z "${ban_fetchutil}" ]
+	then
+		utils="aria2c curl wget uclient-fetch"
+		packages="$(opkg list-installed 2>/dev/null)"
+		for util in ${utils}
+		do
+			if { [ "${util}" = "uclient-fetch" ] && [ -n "$(printf "%s\\n" "${packages}" | grep "^libustream-")" ]; } || \
+				{ [ "${util}" = "wget" ] && [ -n "$(printf "%s\\n" "${packages}" | grep "^wget -")" ]; } || \
+				{ [ "${util}" != "uclient-fetch" ] && [ "${util}" != "wget" ]; }
 			then
-				ban_fetchparm="${ban_fetchparm:-"--timeout=20 --no-check-certificate -O"}"
-				ssl_lib="libustream-ssl"
+				ban_fetchutil="$(command -v "${util}")"
+				if [ -x "${ban_fetchutil}" ]
+				then
+					break
+				fi
 			fi
-		;;
-		"wget")
-			ban_fetchparm="${ban_fetchparm:-"--no-cache --no-cookies --max-redirect=0 --timeout=20 --no-check-certificate -O"}"
-			ssl_lib="built-in"
+			unset ban_fetchutil util
+		done
+	else
+		util="${ban_fetchutil}"
+		ban_fetchutil="$(command -v "${util}")"
+		if [ ! -x "${ban_fetchutil}" ]
+		then
+			unset ban_fetchutil util
+		fi
+	fi
+	case "${util}" in
+		"aria2c")
+			ban_fetchparm="${ban_fetchparm:-"--timeout=20 --allow-overwrite=true --auto-file-renaming=false --check-certificate=true --dir=" " -o"}"
 		;;
 		"curl")
-			ban_fetchparm="${ban_fetchparm:-"--connect-timeout 20 --insecure -o"}"
-			ssl_lib="built-in"
+			ban_fetchparm="${ban_fetchparm:-"--connect-timeout 20 -o"}"
 		;;
-		"aria2c")
-			ban_fetchparm="${ban_fetchparm:-"--timeout=20 --allow-overwrite=true --auto-file-renaming=false --check-certificate=false -o"}"
-			ssl_lib="built-in"
+		"uclient-fetch")
+			ban_fetchparm="${ban_fetchparm:-"--timeout=20 -O"}"
+		;;
+		"wget")
+			ban_fetchparm="${ban_fetchparm:-"--no-cache --no-cookies --max-redirect=0 --timeout=20 -O"}"
 		;;
 	esac
-	ban_fetchutil="$(command -v "${ban_fetchutil}")"
-	ban_fetchinfo="${ban_fetchutil:-"-"} (${ssl_lib:-"-"})"
-
-	if [ ! -x "${ban_fetchutil}" ] || [ -z "${ban_fetchutil}" ] || [ -z "${ban_fetchparm}" ]
+	if [ -z "${ban_fetchutil}" ] || [ -z "${ban_fetchparm}" ]
 	then
-		f_log "err" "download utility not found, please install 'uclient-fetch' with the 'libustream-mbedtls' ssl library or the full 'wget' package"
+		f_log "err" "download utility with SSL support not found, please install 'uclient-fetch' with a 'libustream-*' variant or another download utility like 'wget', 'curl' or 'aria2'"
 	fi

 	# get wan device and wan subnets
 	#
 	if [ "${ban_automatic}" = "1" ]
 	then
-		network_find_wan ban_iface
-		if [ -z "${ban_iface}" ]
-		then
-			network_find_wan6 ban_iface
-		fi
+		while [ "${cnt}" -le 30 ]
+		do
+			network_find_wan ban_iface
+			if [ -z "${ban_iface}" ]
+			then
+				network_find_wan6 ban_iface
+			fi
+			if [ -z "${ban_iface}" ]
+			then
+				network_flush_cache
+				cnt=$((cnt+1))
+				sleep 1
+			else
+				break
+			fi
+		done
 	fi

 	for iface in ${ban_iface}
@@ -194,13 +233,11 @@ f_envcheck()
 	if [ -z "${ban_iface}" ] || [ -z "${ban_dev}" ]
 	then
 		f_log "err" "wan interface(s)/device(s) (${ban_iface:-"-"}/${ban_dev:-"-"}) not found, please please check your configuration"
+	else
+		ban_dev_all="$(${ban_ip} link show | awk 'BEGIN{FS="[@: ]"}/^[0-9:]/{if(($3!="lo")&&($3!="br-lan")){print $3}}')"
+		f_jsnup "running"
+		f_log "info" "start banIP processing (${ban_action})"
 	fi
-	ban_dev_all="$(${ban_ip} link show | awk 'BEGIN{FS="[@: ]"}/^[0-9:]/{if(($3!="lo")&&($3!="br-lan")){print $3}}')"
-	uci_set banip global ban_iface "${ban_iface}"
-	uci_commit banip
-
-	f_jsnup "running"
-	f_log "info" "start banIP processing (${ban_action})"
 }

 # create temporary files and directories
@@ -488,36 +525,54 @@ f_log()

 	if [ -n "${log_msg}" ] && { [ "${class}" != "debug" ] || [ "${ban_debug}" -eq 1 ]; }
 	then
-		logger -p "${class}" -t "banIP-[${ban_ver}]" "${log_msg}"
+		logger -p "${class}" -t "banIP-${ban_ver}[${$}]" "${log_msg}"
 		if [ "${class}" = "err" ]
 		then
 			f_jsnup error
 			f_ipset destroy
 			f_rmbackup
 			f_rmtemp
-			logger -p "${class}" -t "banIP-[${ban_ver}]" "Please also check 'https://github.com/openwrt/packages/blob/master/net/banip/files/README.md'"
+			logger -p "${class}" -t "banIP-${ban_ver}[${$}]" "Please also check 'https://github.com/openwrt/packages/blob/master/net/banip/files/README.md'"
 			exit 1
 		fi
 	fi
 }

+# start log service to trace failed ssh/luci logins
+#
+f_bgserv()
+{
+	local bg_pid status="${1}"
+
+	bg_pid="$(pgrep -f "^/bin/sh ${ban_logservice}.*|^logread -f -e ${ban_sshdaemon}\|luci: failed login|^grep -qE Exit before auth|luci: failed login|[0-9]+ \[preauth\]$" | awk '{ORS=" "; print $1}')"
+	if [ -z "${bg_pid}" ] && [ "${status}" = "start" ] \
+		&& [ -x "${ban_logservice}" ] && [ "${ban_realtime}" = "true" ]
+	then
+		( "${ban_logservice}" "${ban_ver}" &)
+	elif [ -n "${bg_pid}" ] && [ "${status}" = "stop" ] 
+	then
+		kill -HUP "${bg_pid}" 2>/dev/null
+	fi
+	f_log "debug" "f_bgserv ::: status: ${status:-"-"}, bg_pid: ${bg_pid:-"-"}, ban_realtime: ${ban_realtime:-"-"}, log_service: ${ban_logservice:-"-"}"
+}
+
 # main function for banIP processing
 #
 f_main()
 {
 	local pid pid_list start_ts end_ts ip tmp_raw tmp_cnt tmp_load tmp_file mem_total mem_free cnt=1
-	local src_name src_on src_url src_rset src_setipv src_settype src_ruletype src_cat src_log src_addon src_rc
-	local wan_input wan_forward lan_input lan_forward target_src target_dst log_content
+	local src_name src_on src_url src_rset src_setipv src_settype src_ruletype src_cat src_log src_addon src_ts src_rc
+	local wan_input wan_forward lan_input lan_forward target_src target_dst ssh_log luci_log

-	log_content="$(logread -e "${ban_sshdaemon}")"
+	ssh_log="$(logread -e "${ban_sshdaemon}" | grep -o "${ban_sshdaemon}.*" | sed 's/:[0-9]*$//g')"
+	luci_log="$(logread -e "luci: failed login" | grep -o "luci:.*")"
 	mem_total="$(awk '/^MemTotal/ {print int($2/1000)}' "/proc/meminfo" 2>/dev/null)"
 	mem_free="$(awk '/^MemFree/ {print int($2/1000)}' "/proc/meminfo" 2>/dev/null)"
-	f_log "debug" "f_main  ::: fetch_util: ${ban_fetchinfo:-"-"}, fetch_parm: ${ban_fetchparm:-"-"}, ssh_daemon: ${ban_sshdaemon}, interface(s): ${ban_iface:-"-"}, device(s): ${ban_dev:-"-"}, all_devices: ${ban_dev_all:-"-"}, backup_dir: ${ban_backupdir:-"-"}, mem_total: ${mem_total:-0}, mem_free: ${mem_free:-0}, max_queue: ${ban_maxqueue}"
-
-	f_ipset initial
+	f_log "debug" "f_main  ::: fetch_util: ${ban_fetchutil:-"-"}, fetch_parm: ${ban_fetchparm:-"-"}, ssh_daemon: ${ban_sshdaemon}, interface(s): ${ban_iface:-"-"}, device(s): ${ban_dev:-"-"}, all_devices: ${ban_dev_all:-"-"}, backup_dir: ${ban_backupdir:-"-"}, mem_total: ${mem_total:-0}, mem_free: ${mem_free:-0}, max_queue: ${ban_maxqueue}"

 	# main loop
 	#
+	f_ipset initial
 	for src_name in ${ban_sources}
 	do
 		unset src_on
@@ -607,28 +662,30 @@ f_main()
 						"blacklist")
 							if [ "${ban_sshdaemon}" = "dropbear" ]
 							then
-								pid_list="$(printf "%s\\n" "${log_content}" | grep -F "Exit before auth" | awk 'match($0,/(\[[0-9]+\])/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
+								pid_list="$(printf "%s\\n" "${ssh_log}" | grep -F "Exit before auth" | awk 'match($0,/(\[[0-9]+\])/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
 								for pid in ${pid_list}
 								do
-									src_addon="${src_addon} $(printf "%s\\n" "${log_content}" | grep -F "${pid}" | awk 'match($0,/([0-9]{1,3}\.){3}[0-9]{1,3}/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
+									src_addon="${src_addon} $(printf "%s\\n" "${ssh_log}" | grep -F "${pid}" | awk 'match($0,/([0-9]{1,3}\.){3}[0-9]{1,3}$/){ORS=" ";print substr($0,RSTART,RLENGTH);exit}')"
 								done
 							elif [ "${ban_sshdaemon}" = "sshd" ]
 							then
-								src_addon="$(printf "%s\\n" "${log_content}" | grep -E "[0-9]+ \[preauth\]$" | awk 'match($0,/([0-9]{1,3}\.){3}[0-9]{1,3}/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
+								src_addon="$(printf "%s\\n" "${ssh_log}" | grep -E "[0-9]+ \[preauth\]$" | awk 'match($0,/([0-9]{1,3}\.){3}[0-9]{1,3}$/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
 							fi
+							src_addon="${src_addon} $(printf "%s\\n" "${luci_log}" | awk 'match($0,/([0-9]{1,3}\.){3}[0-9]{1,3}$/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
 						;;
 						"blacklist_6")
 							if [ "${ban_sshdaemon}" = "dropbear" ]
 							then
-								pid_list="$(printf "%s\\n" "${log_content}" | grep -F "Exit before auth" | awk 'match($0,/(\[[0-9]+\])/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
+								pid_list="$(printf "%s\\n" "${ssh_log}" | grep -F "Exit before auth" | awk 'match($0,/(\[[0-9]+\])/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
 								for pid in ${pid_list}
 								do
-									src_addon="${src_addon} $(printf "%s\\n" "${log_content}" | grep -F "${pid}" | awk 'match($0,/([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
+									src_addon="${src_addon} $(printf "%s\\n" "${ssh_log}" | grep -F "${pid}" | awk 'match($0,/(([0-9A-f]{0,4}::?){1,7}[0-9A-f]{0,4}$)/){ORS=" ";print substr($0,RSTART,RLENGTH);exit}')"
 								done
 							elif [ "${ban_sshdaemon}" = "sshd" ]
 							then
-								src_addon="$(printf "%s\\n" "${log_content}" | grep -E "[0-9]+ \[preauth\]$" | awk 'match($0,/([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
+								src_addon="$(printf "%s\\n" "${ssh_log}" | grep -E "[0-9]+ \[preauth\]$" | awk 'match($0,/(([0-9A-f]{0,4}::?){1,7}[0-9A-f]{0,4}$)/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
 							fi
+							src_addon="${src_addon} $(printf "%s\\n" "${luci_log}" | awk 'match($0,/(([0-9A-f]{0,4}::?){1,7}[0-9A-f]{0,4}$)/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
 						;;
 					esac
 					for ip in ${src_addon}
@@ -639,7 +696,8 @@ f_main()
 							if { [ "${src_name//_*/}" = "blacklist" ] && [ "${ban_autoblacklist}" -eq 1 ]; } || \
 								{ [ "${src_name//_*/}" = "whitelist" ] && [ "${ban_autowhitelist}" -eq 1 ]; }
 							then
-								printf "%s\\n" "${ip}" >> "${src_url}"
+								src_ts="# auto-added $(date "+%d.%m.%Y %H:%M:%S")"
+								printf "%s %s\\n" "${ip}" "${src_ts}" >> "${src_url}"
 							fi
 						fi
 					done
@@ -756,6 +814,7 @@ f_main()
 		ban_cnt="$((ban_cnt+cnt))"
 	done
 	f_log "info" "${ban_setcnt} IPSets with overall ${ban_cnt} IPs/Prefixes loaded successfully (${ban_sysver})"
+	f_bgserv "start"
 	f_jsnup
 	f_rmtemp
 }
@@ -766,7 +825,7 @@ f_jsnup()
 {
 	local rundate status="${1:-"enabled"}"

-	rundate="$(/bin/date "+%d.%m.%Y %H:%M:%S")"
+	rundate="$(date "+%d.%m.%Y %H:%M:%S")"
 	ban_cntinfo="${ban_setcnt} IPSets with overall ${ban_cnt} IPs/Prefixes"

 	> "${ban_rtfile}"
@@ -775,7 +834,7 @@ f_jsnup()
 	json_add_object "data"
 	json_add_string "status" "${status}"
 	json_add_string "version" "${ban_ver}"
-	json_add_string "fetch_info" "${ban_fetchinfo:-"-"}"
+	json_add_string "util_info" "${ban_fetchutil:-"-"}, ${ban_realtime:-"-"}"
 	json_add_string "ipset_info" "${ban_cntinfo:-"-"}"
 	json_add_string "backup_dir" "${ban_backupdir}"
 	json_add_string "last_run" "${rundate:-"-"}"
@@ -801,12 +860,14 @@ fi
 f_envload
 case "${ban_action}" in
 	"stop")
+		f_bgserv "stop"
 		f_jsnup stopped
 		f_ipset destroy
 		f_rmbackup
 		f_rmtemp
 	;;
 	"start"|"restart"|"reload"|"refresh")
+		f_bgserv "stop"
 		f_envcheck
 		f_main
 	;;