| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
| |
* provides an option to transfer log events on remote servers via cgi interface (disabled by default), see readme for details
* refine the allowlist check to support IP intervals as well before adding an IP to the blocklist
Signed-off-by: Dirk Brenken <dev@brenken.org>
|
| |
|
|
|
|
|
|
|
| |
* finalized the LuCI frontend preparation (this is the minmal version to use the forthcoming LuCI frontend)
* added a Set survey, to list all elements of a certain set
* changed the default logterm for asterisk
* update the readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- complete rewrite of banIP to support nftables
- all sets are handled in a separate nft table/namespace 'banIP'
- for incoming blocking it uses the inet input hook, for outgoing blocking it uses the inet forward hook
- full IPv4 and IPv6 support
- supports nft atomic set loading
- supports blocking by ASN numbers and by iso country codes
- 42 preconfigured external feeds are available, plus local allow- and blocklist
- supports local allow- and blocklist (IPv4, IPv6, CIDR notation or domain names)
- auto-add the uplink subnet to the local allowlist
- provides a small background log monitor to ban unsuccessful login attempts in real-time
- the logterms for the log monitor service can be freely defined via regex
- auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist
- fast feed processing as they are handled in parallel as background jobs
- per feed it can be defined whether the input chain or the forward chain should be blocked (default: both chains)
- automatic blocklist backup & restore, the backups will be used in case of download errors or during startup
- automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or wget
- supports a 'allowlist only' mode, this option restricts internet access from/to a small number of secure websites/IPs
- provides comprehensive runtime information
- provides a detailed set report
- provides a set search engine for certain IPs
- feed parsing by fast & flexible regex rulesets
- minimal status & error logging to syslog, enable debug logging to receive more output
- procd based init system support (start/stop/restart/reload/status/report/search)
- procd network interface trigger support
- ability to add new banIP feeds on your own
- add a readme with all available options/feeds to customize your installation to your needs
- a new LuCI frontend will be available in due course
Signed-off-by: Dirk Brenken <dev@brenken.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* major rewrite
* add support for multiple chains
* add mac whitelisting
* add support for multiple ssh daemons in parallel
* add an ipset report engine
* add mail notifications
* add suspend/resume functions
* add a cron wrapper to set an ipset related auto-timer for
automatic blocklist updates
* add a list wrapper to add/remove blocklist sources
* add 19.x and Turris OS 5.x compatibility code
* sources stored in an external compressed json file
(/etc/banip/banip.sources.gz)
* change Country/ASN download sources (faster/more reliable)
* fix DHCPv6/icmpv6 issues
Signed-off-by: Dirk Brenken <dev@brenken.org>
|
| |
|
|
| |
Signed-off-by: Richard Gering <rg4github@dutchies.us>
|
| |
|
|
|
|
|
|
|
| |
* the WAN auto detection now supports multiple interfaces, too
* no longer filter out possible LAN devices
* add a new DoH (DNS over HTTPS) blocklist source with public
DoH DNS server addresses, to effectively block client side DoH
communication, e.g. via Firefox or Chrome
Signed-off-by: Dirk Brenken <dev@brenken.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* new 'ca-bundle' dependency as all https connections
are now validated by default
* automatically select the download utility: 'aria2', 'curl',
'uclient-fetch' with libustream-* or wget are supported
* track & ban failed LuCI login attempts as well
* add a small log/banIP background monitor to block
SSH/LuCI brute force attacks in realtime (disabled by default)
* add a config version check (please update your default config!)
* made the automatic wan detection more stable
* fix the IPv6 logfile parser
* fix the service status message
* update readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* remove 'http-only' mode, all sources are now fetched from https sites
* the backup mode is now mandatory ('/tmp' is the default backup
directory), always create and re-use backups if available.
To force a re-download take the 'reload' action.
* support 'sshd' in addition to 'dropbear' for logfile parsing
to detect break-in events
* always update the black-/whitelist with logfile parsing results
in 'refresh' mode (no new downloads)
* rework the return code handling
* tweak procd trigger
* various small fixes
* (s)hellsheck cosmetics
Signed-off-by: Dirk Brenken <dev@brenken.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
* add extra options to control auto-addons to
blacklist & whitelist ('ban_autoblacklist' & 'ban_autowhitelist',
both enabled by default). If disabled auto-addons are only stored
temporary in the black/whitelist ipset but not in the list itself,
fixes #9631
* remove old, no longer needed procd workaround
* remove 'zeus' source from default config (discontinued)
Signed-off-by: Dirk Brenken <dev@brenken.org>
Signed-off-by: Dirk Brenken <dev@brenken.org>
|
| |
|
|
|
|
|
|
|
| |
* refine 'refresh' mode, add normal processing/download as fallback
* remove needless reload trigger
* fix various ipset warnings
* fix timer in 'refresh' mode
* adapt ssbl regex to new source list format
Signed-off-by: Dirk Brenken <dev@brenken.org>
|
| |
|
|
|
|
|
|
| |
* remove needless sort step to reduce system load
* change maxqueue default in backend and LuCI frontend
to '4' to reduce (default) system load
* cosmetics
Signed-off-by: Dirk Brenken <dev@brenken.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* add automatic blocklist backup & restore, they will be used
in case of download errors or during startup in backup mode
* add a 'backup mode' to re-use blocklist backups during startup,
get fresh lists via reload or restart action
* procd interface trigger now supports multiple WAN interfaces
* change URL for abuse.ch/feodo list source in default config
* small fixes
* update readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
|
| |
|
|
|
|
|
|
|
|
| |
* support multiple WAN interfaces in iptables rules,
set 'ban_iface' option accordingly (as space separated list)
or use the LuCI frontend
* add new "refresh" mode while triggered by fw changes (no download)
* add required ip dependency
* fix wrong 'settype' definition for firehol1 in config
Signed-off-by: Dirk Brenken <dev@brenken.org>
|
|
|
a new script based package called "banIP" to block
incoming & outgoing ip adresses/subnets via ipset.
Features:
* a shell script which uses ipset and iptables
to ban a large number of IP addresses
published in various IP blacklists (bogon, firehol etc.)
* support blocking by ASN numbers
* support blocking by iso country codes
* support local white & blacklist (IPv4, IPv6 & CIDR notation)
* auto-add unsuccessful ssh login attempts to local blacklist
* auto-add the uplink subnet to local whitelist
* per source configuration of SRC (incoming) and DST (outgoing)
* supports IPv4 & IPv6
Strong LuCI support:
* easy interface to track & change all aspects of your ipset
configuration on the fly
* integrated IPSet-Lookup
* integrated RIPE-Lookup
* Log-Viewer & online configuration of white- & blacklist
LuCI-Screenshots will follow in the second post.
Forum discussion:
https://forum.openwrt.org/t/banip-new-project-needs-testers-feedback/16985
Signed-off-by: Dirk Brenken <dev@brenken.org>
|