projects / feed / packages.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Merge pull request #20521 from mhei/libgpiod-update-1.6.4
[feed/packages.git] / net / banip / files / README.md
1 <!-- markdownlint-disable -->
2
3 # banIP - ban incoming and outgoing IP addresses/subnets via sets in nftables
4
5 ## Description
6 IP address blocking is commonly used to protect against brute force attacks, prevent disruptive or unauthorized address(es) from access or it can be used to restrict access to or from a particular geographic area — for example. Further more banIP scans the log file via logread and bans IP addresses that make too many password failures, e.g. via ssh.
7
8 ## Main Features
9 * banIP supports the following fully pre-configured domain blocklist feeds (free for private usage, for commercial use please check their individual licenses).
10 **Please note:** the columns "INP" and "FWD" show for which chains the feeds are suitable in common scenarios, e.g. the first entry should be limited to forward chain - see the config options 'ban\_blockforward' and 'ban\_blockinput' below.
11
12 | Feed | Focus | INP | FWD | Information |
13 | :------------------ | :----------------------------: | :-: | :-: | :-------------------------------------------------------------------- |
14 | adaway | adaway IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
15 | adguard | adguard IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
16 | adguardtrackers | adguardtracker IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
17 | antipopads | antipopads IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
18 | asn | ASN IPs | | x | [Link](https://asn.ipinfo.app) |
19 | backscatterer | backscatterer IPs | x | x | [Link](https://www.uceprotect.net/en/index.php) |
20 | bogon | bogon prefixes | x | x | [Link](https://team-cymru.com) |
21 | country | country blocks | x | | [Link](https://www.ipdeny.com/ipblocks) |
22 | cinsscore | suspicious attacker IPs | x | x | [Link](https://cinsscore.com/#list) |
23 | darklist | blocks suspicious attacker IPs | x | x | [Link](https://darklist.de) |
24 | debl | fail2ban IP blacklist | x | x | [Link](https://www.blocklist.de) |
25 | doh | public DoH-Provider | | x | [Link](https://github.com/dibdot/DoH-IP-blocklists) |
26 | drop | spamhaus drop compilation | x | x | [Link](https://www.spamhaus.org) |
27 | dshield | dshield IP blocklist | x | x | [Link](https://www.dshield.org) |
28 | edrop | spamhaus edrop compilation | x | x | [Link](https://www.spamhaus.org) |
29 | feodo | feodo tracker | x | x | [Link](https://feodotracker.abuse.ch) |
30 | firehol1 | firehol level 1 compilation | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_level1) |
31 | firehol2 | firehol level 2 compilation | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_level2) |
32 | firehol3 | firehol level 3 compilation | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_level3) |
33 | firehol4 | firehol level 4 compilation | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_level4) |
34 | greensnow | suspicious server IPs | x | x | [Link](https://greensnow.co) |
35 | iblockads | Advertising IPs | | x | [Link](https://www.iblocklist.com) |
36 | iblockspy | Malicious spyware IPs | x | x | [Link](https://www.iblocklist.com) |
37 | myip | real-time IP blocklist | x | x | [Link](https://myip.ms) |
38 | nixspam | iX spam protection | x | x | [Link](http://www.nixspam.org) |
39 | oisdnsfw | OISD-nsfw IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
40 | oisdsmall | OISD-small IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
41 | proxy | open proxies | x | | [Link](https://iplists.firehol.org/?ipset=proxylists) |
42 | ssbl | SSL botnet IPs | x | x | [Link](https://sslbl.abuse.ch) |
43 | stevenblack | stevenblack IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
44 | talos | talos IPs | x | x | [Link](https://talosintelligence.com/reputation_center) |
45 | threat | emerging threats | x | x | [Link](https://rules.emergingthreats.net) |
46 | threatview | malicious IPs | x | x | [Link](https://threatview.io) |
47 | tor | tor exit nodes | x | | [Link](https://github.com/SecOps-Institute/Tor-IP-Addresses) |
48 | uceprotect1 | spam protection level 1 | x | x | [Link](http://www.uceprotect.net/en/index.php) |
49 | uceprotect2 | spam protection level 2 | x | x | [Link](http://www.uceprotect.net/en/index.php) |
50 | uceprotect3 | spam protection level 3 | x | x | [Link](http://www.uceprotect.net/en/index.php) |
51 | urlhaus | urlhaus IDS IPs | x | x | [Link](https://urlhaus.abuse.ch) |
52 | urlvir | malware related IPs | x | x | [Link](https://iplists.firehol.org/?ipset=urlvir) |
53 | webclient | malware related IPs | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_webclient) |
54 | voip | VoIP fraud blocklist | x | x | [Link](https://voipbl.org) |
55 | yoyo | yoyo IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
56
57 * zero-conf like automatic installation & setup, usually no manual changes needed
58 * all sets are handled in a separate nft table/namespace 'banIP'
59 * full IPv4 and IPv6 support
60 * supports nft atomic set loading
61 * supports blocking by ASN numbers and by iso country codes
62 * supports local allow- and blocklist (IPv4, IPv6, CIDR notation or domain names)
63 * auto-add the uplink subnet to the local allowlist
64 * provides a small background log monitor to ban unsuccessful login attempts in real-time
65 * auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist
66 * fast feed processing as they are handled in parallel as background jobs
67 * per feed it can be defined whether the input chain or the forward chain should be blocked (default: both chains)
68 * automatic blocklist backup & restore, the backups will be used in case of download errors or during startup
69 * automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or wget
70 * supports a 'allowlist only' mode, this option restricts internet access from/to a small number of secure websites/IPs
71 * provides comprehensive runtime information
72 * provides a detailed set report
73 * provides a set search engine for certain IPs
74 * feed parsing by fast & flexible regex rulesets
75 * minimal status & error logging to syslog, enable debug logging to receive more output
76 * procd based init system support (start/stop/restart/reload/status/report/search)
77 * procd network interface trigger support
78 * ability to add new banIP feeds on your own
79
80 ## Prerequisites
81 * **[OpenWrt](https://openwrt.org)**, latest stable release or a snapshot with nft/firewall 4 support
82 * a download utility with SSL support: 'wget', 'uclient-fetch' with one of the 'libustream-*' SSL libraries, 'aria2c' or 'curl' is required
83 * a certificate store like 'ca-bundle', as banIP checks the validity of the SSL certificates of all download sites by default
84 * for E-Mail notifications you need to install and setup the additional 'msmtp' package
85
86 **Please note the following:**
87 * Devices with less than 256Mb of RAM are **_not_** supported
88 * Any previous installation of banIP must be uninstalled, and the /etc/banip folder and the /etc/config/banip configuration file must be deleted (they are recreated when this version is installed)
89 * There is no LuCI frontend at this time
90
91 ## Installation & Usage
92 * update your local opkg repository (_opkg update_)
93 * install banIP (_opkg install banip_) - the banIP service is disabled by default
94 * edit the config file '/etc/config/banip' and enable the service (set ban\_enabled to '1'), then add pre-configured feeds via 'ban\_feed' (see the config options below)
95 * start the service with '/etc/init.d/banip start' and check check everything is working by running '/etc/init.d/banip status'
96
97 ## banIP CLI interface
98 * All important banIP functions are accessible via CLI. A LuCI frontend will be available in due course.
99 ```
100 ~# /etc/init.d/banip
101 Syntax: /etc/init.d/banip [command]
102
103 Available commands:
104 start Start the service
105 stop Stop the service
106 restart Restart the service
107 reload Reload configuration files (or restart if service does not implement reload)
108 enable Enable service autostart
109 disable Disable service autostart
110 enabled Check if service is started on boot
111 report [text|json|mail] Print banIP related set statistics
112 search [<IPv4 address>|<IPv6 address>] Check if an element exists in the banIP sets
113 running Check if service is running
114 status Service status
115 trace Start with syscall trace
116 info Dump procd service info
117 ```
118
119 ## banIP config options
120
121 | Option | Type | Default | Description |
122 | :---------------------- | :----- | :---------------------------- | :------------------------------------------------------------------------------------ |
123 | ban_enabled | option | 0 | enable the banIP service |
124 | ban_nicelimit | option | 0 | ulimit nice level of the banIP service (range 0-19) |
125 | ban_filelimit | option | 1024 | ulimit max open/number of files (range 1024-4096) |
126 | ban_loglimit | option | 100 | the logread monitor scans only the last n lines of the logfile |
127 | ban_logcount | option | 1 | how many times the IP must appear in the log to be considered as suspicious |
128 | ban_logterm | list | regex | various regex for logfile parsing (default: dropbear, sshd, luci, nginx, asterisk) |
129 | ban_autodetect | option | 1 | auto-detect wan interfaces, devices and subnets |
130 | ban_debug | option | 0 | enable banIP related debug logging |
131 | ban_loginput | option | 1 | log drops in the input chain |
132 | ban_logforward | option | 0 | log rejects in the forward chain |
133 | ban_autoallowlist | option | 1 | add wan IPs/subnets automatically to the local allowlist |
134 | ban_autoblocklist | option | 1 | add suspicious attacker IPs automatically to the local blocklist |
135 | ban_allowlistonly | option | 0 | restrict the internet access from/to a small number of secure websites/IPs |
136 | ban_reportdir | option | /tmp/banIP-report | directory where banIP stores the report files |
137 | ban_backupdir | option | /tmp/banIP-backup | directory where banIP stores the compressed backup files |
138 | ban_protov4 | option | - / autodetect | enable IPv4 support |
139 | ban_protov6 | option | - / autodetect | enable IPv4 support |
140 | ban_ifv4 | list | - / autodetect | logical wan IPv4 interfaces, e.g. 'wan' |
141 | ban_ifv6 | list | - / autodetect | logical wan IPv6 interfaces, e.g. 'wan6' |
142 | ban_dev | list | - / autodetect | wan device(s), e.g. 'eth2' |
143 | ban_trigger | list | - | logical startup trigger interface(s), e.g. 'wan' |
144 | ban_triggerdelay | option | 10 | trigger timeout before banIP processing begins |
145 | ban_deduplicate | option | 1 | deduplicate IP addresses across all active sets |
146 | ban_splitsize | option | 0 | split ext. sets after every n lines/members (saves RAM) |
147 | ban_cores | option | - / autodetect | limit the cpu cores used by banIP (saves RAM) |
148 | ban_nftexpiry | option | - | expiry time for auto added blocklist members, e.g. '5m', '2h' or '1d' |
149 | ban_nftpriority | option | -200 | nft banIP table priority (default is the prerouting table priority) |
150 | ban_feed | list | - | external download feeds, e.g. 'yoyo', 'doh', 'country' or 'talos' (see feed table) |
151 | ban_asn | list | - | ASNs for the 'asn' feed, e.g.'32934' |
152 | ban_country | list | - | country iso codes for the 'country' feed, e.g. 'ru' |
153 | ban_blockinput | list | - | limit a feed to the input chain, e.g. 'country' |
154 | ban_blockforward | list | - | limit a feed to the forward chain, e.g. 'doh' |
155 | ban_fetchcmd | option | - / autodetect | 'uclient-fetch', 'wget', 'curl' or 'aria2c' |
156 | ban_fetchparm | option | - / autodetect | set the config options for the selected download utility |
157 | ban_fetchinsecure | option | 0 | don't check SSL server certificates during download |
158 | ban_mailreceiver | option | - | receiver address for banIP related notification E-Mails |
159 | ban_mailsender | option | no-reply@banIP | sender address for banIP related notification E-Mails |
160 | ban_mailtopic | option | banIP notification | topic for banIP related notification E-Mails |
161 | ban_mailprofile | option | ban_notify | mail profile used in 'msmtp' for banIP related notification E-Mails |
162 | ban_resolver | option | - | external resolver used for DNS lookups |
163 | ban_feedarchive | option | /etc/banip/banip.feeds.gz | full path to the compressed feed archive file used by banIP |
164
165 ## Examples
166 **banIP report information**
167 ```
168 ~# /etc/init.d/banip report
169 :::
170 ::: banIP Set Statistics
171 :::
172 Timestamp: 2023-02-08 22:12:40
173 ------------------------------
174 auto-added to allowlist: 1
175 auto-added to blocklist: 0
176
177 Set | Set Elements | Chain Input | Chain Forward | Input Packets | Forward Packets
178 ---------------------+---------------+---------------+---------------+---------------+----------------
179 allowlistvMAC | 0 | n/a | OK | n/a | 0
180 allowlistv4 | 1 | OK | OK | 0 | 0
181 allowlistv6 | 0 | OK | OK | 0 | 0
182 blocklistvMAC | 0 | n/a | OK | n/a | 0
183 blocklistv4 | 0 | OK | OK | 0 | 0
184 blocklistv6 | 0 | OK | OK | 0 | 0
185 dohv4 | 542 | n/a | OK | n/a | 22
186 adguardv4 | 23007 | n/a | OK | n/a | 18
187 yoyov4 | 1936 | n/a | OK | n/a | 1
188 oisdbasicv4 | 26000 | n/a | OK | n/a | 325
189 ---------------------+---------------+---------------+---------------+---------------+----------------
190 10 | 51486 | 4 | 10 | 0 | 366
191 ```
192
193 **banIP runtime information**
194 ```
195 ~# etc/init.d/banip status
196 ::: banIP runtime information
197 + status : active
198 + version : 0.8.0
199 + element_count : 51486
200 + active_feeds : allowlistvMAC, allowlistv4, allowlistv6, blocklistvMAC, blocklistv4, blocklistv6, dohv4, adguardv4
201 , yoyov4, oisdbasicv4
202 + active_devices : eth2
203 + active_interfaces : wan
204 + active_subnets : 192.168.98.107/24
205 + run_info : base_dir: /tmp, backup_dir: /tmp/banIP-backup, report_dir: /tmp/banIP-report, feed_archive: /etc/b
206 anip/banip.feeds.gz
207 + run_flags : protocol (4/6): ✔/✘, log (inp/fwd): ✔/✘, deduplicate: ✔, split: ✘, allowed only: ✘
208 + last_run : action: start, duration: 0m 15s, date: 2023-02-08 22:12:46
209 + system_info : cores: 2, memory: 3614, device: PC Engines apu1, OpenWrt SNAPSHOT r21997-b5193291bd
210 ```
211
212 **banIP search information**
213 ```
214 ~# /etc/init.d/banip search 221.228.105.173
215 :::
216 ::: banIP Search
217 :::
218 Looking for IP 221.228.105.173 on 2023-02-08 22:12:48
219 ---
220 IP found in set oisdbasicv4
221 ```
222
223 **allow-/blocklist handling**
224 banIP supports local allow and block lists (IPv4, IPv6, CIDR notation or domain names), located in /etc/banip/banip.allowlist and /etc/banip/banip.blocklist.
225 Unsuccessful login attempts or suspicious requests will be tracked and added to the local blocklist (see the 'ban\_autoblocklist' option). The blocklist behaviour can be further tweaked with the 'ban\_nftexpiry' option.
226 Furthermore the uplink subnet will be added to local allowlist (see 'ban\_autowallowlist' option).
227 Both lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be extracted in a detached background process and added to the sets.
228
229 **allowlist-only mode**
230 banIP supports an "allowlist only" mode. This option restricts the internet access from/to a small number of secure websites/IPs, and block access from/to the rest of the internet. All IPs and Domains which are _not_ listed in the allowlist are blocked.
231
232 **redirect Asterisk security logs to lodg/logread**
233 banIP only supports logfile scanning via logread, so to monitor attacks on Asterisk, its security log must be available via logread. To do this, edit '/etc/asterisk/logger.conf' and add the line 'syslog.local0 = security', then run 'asterisk -rx reload logger' to update the running Asterisk configuration.
234
235 **tweaks for low memory systems**
236 nftables supports the atomic loading of rules/sets/members, which is cool but unfortunately is also very memory intensive. To reduce the memory pressure on low memory systems (i.e. those with 256-512Mb RAM), you should optimize your configuration with the following options:
237
238 * point 'ban_reportdir' and 'ban_backupdir' to an external usb drive
239 * set 'ban_cores' to '1' (only useful on a multicore system) to force sequential feed processing
240 * set 'ban_splitsize' e.g. to '1000' to split the load of an external set after every 1000 lines/members
241
242 **tweak the download options**
243 By default banIP uses the following pre-configured download options:
244 ```
245 * aria2c: --timeout=20 --allow-overwrite=true --auto-file-renaming=false --log-level=warn --dir=/ -o
246 * curl: --connect-timeout 20 --silent --show-error --location -o
247 * uclient-fetch: --timeout=20 -O
248 * wget: --no-cache --no-cookies --max-redirect=0 --timeout=20 -O
249 ```
250 To override the default set 'ban_fetchparm' manually to your needs.
251
252 **send E-Mail notifications via 'msmtp'**
253 To use the email notification you must install & configure the package 'msmtp'.
254 Modify the file '/etc/msmtprc', e.g.:
255 ```
256 [...]
257 defaults
258 auth on
259 tls on
260 tls_certcheck off
261 timeout 5
262 syslog LOG_MAIL
263 [...]
264 account ban_notify
265 host smtp.gmail.com
266 port 587
267 from <address>@gmail.com
268 user <gmail-user>
269 password <password>
270 ```
271 Finally add a valid E-Mail receiver address.
272
273 **add new banIP feeds**
274 The banIP blocklist feeds are stored in an external, compressed JSON file '/etc/banip/banip.feeds.gz'.
275 To add a new or edit an existing feed extract the compressed JSON file _gunzip /etc/banip/banip.feeds.gz_.
276 A valid JSON source object contains the following required information, e.g.:
277 ```
278 [...]
279 "tor": {
280 "url_4": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst",
281 "url_6": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst",
282 "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
283 "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
284 "focus": "tor exit nodes",
285 "descurl": "https://github.com/SecOps-Institute/Tor-IP-Addresses"
286 },
287 [...]
288 ```
289 Add an unique object name, make the required changes and compress the changed JSON file finally with _gzip /etc/banip/banip.feeds_ to use the new feed file in banIP.
290 **Please note:** if you're going to add new feeds, **always** work with a copy of the default file; this file is always overwritten with every banIP update. To reference your own file set the option 'ban\_feedarchive' accordingly
291
292 ## Support
293 Please join the banIP discussion in this [forum thread](https://forum.openwrt.org/t/banip-support-thread/16985) or contact me by mail <dev@brenken.org>
294
295 ## Removal
296 * stop all banIP related services with _/etc/init.d/banip stop_
297 * optional: remove the banip package (_opkg remove banip_)
298
299 Have fun!
300 Dirk
Mirror of packages feed