2 # banIP - ban incoming and outgoing ip adresses/subnets via ipset
3 # written by Dirk Brenken (dev@brenken.org)
5 # This is free software, licensed under the GNU General Public License v3.
6 # You should have received a copy of the GNU General Public License
7 # along with this program. If not, see <http://www.gnu.org/licenses/>.
9 # (s)hellcheck exceptions
10 # shellcheck disable=1091 disable=2039 disable=2143 disable=2181 disable=2188
12 # set initial defaults
15 PATH
="/usr/sbin:/usr/bin:/sbin:/bin"
29 ban_ip
="$(command -v ip)"
30 ban_ipt
="$(command -v iptables)"
31 ban_ipt_save
="$(command -v iptables-save)"
32 ban_ipt_restore
="$(command -v iptables-restore)"
33 ban_ipt6
="$(command -v ip6tables)"
34 ban_ipt6_save
="$(command -v ip6tables-save)"
35 ban_ipt6_restore
="$(command -v ip6tables-restore)"
36 ban_ipset
="$(command -v ipset)"
38 ban_action
="${1:-"start"}"
39 ban_pidfile
="/var/run/banip.pid"
40 ban_rtfile
="/tmp/ban_runtime.json"
41 ban_logservice
="/etc/banip/banip.service"
42 ban_sshdaemon
="dropbear"
50 # get system information
52 ban_sysver
="$(ubus -S call system board 2>/dev/null | jsonfilter -e '@.model' -e '@.release.description' | \
53 awk 'BEGIN{ORS=", "}{print $0}' | awk '{print substr($0,1,length($0)-2)}')"
55 # parse 'global' and 'extra' section by callback
60 if [ "${type}" = "banip" ]
66 eval "${option}=\"${value}\""
73 # parse 'source' typed sections
77 local value opt section
="${1}" options
="ban_src ban_src_6 ban_src_rset ban_src_rset_6 ban_src_settype ban_src_ruletype ban_src_on ban_src_on_6 ban_src_cat"
80 config_get value
"${section}" "${opt}"
83 eval "${opt}_${section}=\"${value}\""
84 if [ "${opt}" = "ban_src" ]
86 eval "ban_sources=\"${ban_sources} ${section}\""
87 elif [ "${opt}" = "ban_src_6" ]
89 eval "ban_sources=\"${ban_sources} ${section}_6\""
98 config_foreach parse_config
source
102 if [ -z "${ban_basever}" ] || [ "${ban_ver%.*}" != "${ban_basever}" ]
104 f_log
"info" "your banIP config seems to be too old, please update your config with the '--force-maintainer' opkg option"
108 # create temp directory & files
114 if [ "${ban_enabled}" -eq 0 ]
121 f_log
"info" "banIP is currently disabled, please set ban_enabled to '1' to use this service"
130 local util utils packages iface tmp cnt
=0 cnt_max
=0
132 # check backup directory
134 if [ ! -d "${ban_backupdir}" ]
136 f_log
"err" "the backup directory '${ban_backupdir}' does not exist/is not mounted yet, please create the directory or raise the 'ban_triggerdelay' to defer the banIP start"
139 # check fetch utility
141 if [ -z "${ban_fetchutil}" ]
143 utils
="aria2c curl wget uclient-fetch"
144 packages
="$(opkg list-installed 2>/dev/null)"
147 if { [ "${util}" = "uclient-fetch" ] && [ -n "$(printf "%s\\n" "${packages}" | grep "^libustream-")" ]; } || \
148 { [ "${util}" = "wget" ] && [ -n "$(printf "%s\\n" "${packages}" | grep "^wget -")" ]; } || \
149 { [ "${util}" != "uclient-fetch" ] && [ "${util}" != "wget" ]; }
151 ban_fetchutil="$
(command -v "${util}")"
152 if [ -x "${ban_fetchutil}" ]
157 unset ban_fetchutil util
160 util="${ban_fetchutil}"
161 ban_fetchutil="$
(command -v "${util}")"
162 if [ ! -x "${ban_fetchutil}" ]
164 unset ban_fetchutil util
169 ban_fetchparm="${ban_fetchparm:-"--timeout=20 --allow-overwrite=true --auto-file-renaming=false --check-certificate=true --dir=" " -o"}"
172 ban_fetchparm="${ban_fetchparm:-"--connect-timeout 20 -o"}"
175 ban_fetchparm="${ban_fetchparm:-"--timeout=20 -O"}"
178 ban_fetchparm="${ban_fetchparm:-"--no-cache --no-cookies --max-redirect=0 --timeout=20 -O"}"
181 if [ -z "${ban_fetchutil}" ] || [ -z "${ban_fetchparm}" ]
183 f_log "err
" "download utility with SSL support not found
, please
install 'uclient-fetch' with a
'libustream-*' variant or another download utility like
'wget', 'curl' or
'aria2'"
186 # get wan device and wan subnets
188 if [ "${ban_automatic}" = "1" ]
190 while [ "${cnt}" -le 30 ]
192 network_find_wan iface
193 if [ -n "${iface}" ] && [ -z "$(printf "%s\\n" "${ban_iface}" | grep -F "${iface}")" ]
195 ban_iface
="${ban_iface} ${iface}"
196 if [ "${cnt_max}" -eq 0 ]
201 network_find_wan6 iface
202 if [ -n "${iface}" ] && [ -z "$(printf "%s\\n" "${ban_iface}" | grep -F "${iface}")" ]
204 ban_iface="${ban_iface} ${iface}"
205 if [ "${cnt_max}" -eq 0 ]
210 if [ -z "${ban_iface}" ] || [ "${cnt}" -le "${cnt_max}" ]
221 for iface in ${ban_iface}
223 network_get_device tmp "${iface}"
224 if [ -n "${tmp}" ] && [ -z "$(printf "%s\\n" "${ban_dev}" | grep -F "${tmp}")" ]
226 ban_dev
="${ban_dev} ${tmp}"
228 network_get_physdev tmp
"${iface}"
229 if [ -n "${tmp}" ] && [ -z "$(printf "%s\\n" "${ban_dev}" | grep -F "${tmp}")" ]
231 ban_dev="${ban_dev} ${tmp}"
234 network_get_subnets tmp "${iface}"
235 if [ -n "${tmp}" ] && [ -z "$(printf "%s\\n" "${ban_subnets}" | grep -F "${tmp}")" ]
237 ban_subnets
="${ban_subnets} ${tmp}"
239 network_get_subnets6 tmp
"${iface}"
240 if [ -n "${tmp}" ] && [ -z "$(printf "%s\\n" "${ban_subnets6}" | grep -F "${tmp}")" ]
242 ban_subnets6="${ban_subnets6} ${tmp}"
246 if [ -z "${ban_iface}" ] || [ -z "${ban_dev}" ]
248 f_log "err
" "wan interface
(s
)/device
(s
) (${ban_iface:-"-"}/${ban_dev:-"-"}) not found
, please please check your configuration
"
250 ban_dev_all="$
(${ban_ip} link show |
awk 'BEGIN{FS="[@: ]"}/^[0-9:]/{if($3!="lo"){print $3}}')"
252 f_log "info
" "start banIP processing
(${ban_action})"
256 # create temporary files and directories
260 if [ -d "/tmp
" ] && [ -z "${ban_tmpdir}" ]
262 ban_tmpdir="$
(mktemp
-p /tmp
-d)"
263 ban_tmpload="$
(mktemp
-p "${ban_tmpdir}" -tu)"
264 ban_tmpfile="$
(mktemp
-p "${ban_tmpdir}" -tu)"
267 f_log "err
" "the temp directory
'/tmp' does not exist
/is not mounted yet
, please create the directory or raise the
'ban_triggerdelay' to defer the banIP start
"
270 if [ ! -s "${ban_pidfile}" ]
272 printf "%s
" "${$}" > "${ban_pidfile}"
276 # remove temporary files and directories
280 if [ -d "${ban_tmpdir}" ]
282 rm -rf "${ban_tmpdir}"
287 # remove backup files
291 if [ -d "${ban_backupdir}" ]
293 rm -f "${ban_backupdir}"/banIP.*.gz
297 # iptables rules engine
301 local rc timeout="-w 5" action="${1}" rule="${2}"
303 if [ "${src_name##*_}" = "6" ]
305 if [ -x "${ban_ipt6}" ]
307 rc="$
("${ban_ipt6}" "${timeout}" -C ${rule} 2>/dev/null; printf "%u" ${?})"
309 if { [ "${rc}" -ne 0 ] && { [ "${action}" = "-A" ] || [ "${action}" = "-I" ]; } } || \
310 { [ "${rc}" -eq 0 ] && [ "${action}" = "-D" ]; }
312 "${ban_ipt6}" "${timeout}" "${action}" ${rule}
316 if [ -x "${ban_ipt}" ]
318 rc="$
("${ban_ipt}" "${timeout}" -C ${rule} 2>/dev/null; printf "%u" ${?})"
320 if { [ "${rc}" -ne 0 ] && { [ "${action}" = "-A" ] || [ "${action}" = "-I" ]; } } || \
321 { [ "${rc}" -eq 0 ] && [ "${action}" = "-D" ]; }
323 "${ban_ipt}" "${timeout}" "${action}" ${rule}
329 # remove/add iptables rules
335 for dev in ${ban_dev_all}
337 f_iptrule "-D" "${ban_chain} -i ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} src -j ${target_src}"
338 f_iptrule "-D" "${ban_chain} -o ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} dst -j ${target_dst}"
341 if [ -z "${rm}" ] && [ "${cnt}" -gt 0 ]
343 if [ "${src_ruletype}" != "dst
" ]
345 if [ "${src_name##*_}" = "6" ]
347 # dummy, special IPv6 rules
350 f_iptrule "-I" "${wan_input} -p udp
--dport 67:68 --sport 67:68 -j RETURN
"
352 f_iptrule "-A" "${wan_input} -j ${ban_chain}"
353 f_iptrule "-A" "${wan_forward} -j ${ban_chain}"
354 for dev in ${ban_dev}
356 f_iptrule "${action:-"-A"}" "${ban_chain} -i ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} src -j ${target_src}"
359 if [ "${src_ruletype}" != "src
" ]
361 if [ "${src_name##*_}" = "6" ]
363 # dummy, special IPv6 rules
366 f_iptrule "-I" "${lan_input} -p udp
--dport 67:68 --sport 67:68 -j RETURN
"
368 f_iptrule "-A" "${lan_input} -j ${ban_chain}"
369 f_iptrule "-A" "${lan_forward} -j ${ban_chain}"
370 for dev in ${ban_dev}
372 f_iptrule "${action:-"-A"}" "${ban_chain} -o ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} dst -j ${target_dst}"
376 if [ -x "${ban_ipset}" ] && [ -n "$("${ban_ipset}" -q -n list "${src_name}")" ]
378 "${ban_ipset}" -q destroy
"${src_name}"
383 # ipset/iptables actions
387 local out_rc
source action ruleset ruleset_6 rule cnt
=0 cnt_ip
=0 cnt_cidr
=0 timeout
="-w 5" mode
="${1}" in_rc
="${src_rc:-0}"
389 if [ "${src_name%_6*}" = "whitelist" ]
398 gzip -cf "${tmp_load}" 2>/dev/null > "${ban_backupdir}/banIP.${src_name}.gz"
399 out_rc
="${?:-"${in_rc}"}"
400 f_log
"debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, out_rc: ${out_rc}"
404 if [ -f "${ban_backupdir}/banIP.${src_name}.gz" ]
406 zcat
"${ban_backupdir}/banIP.${src_name}.gz" 2>/dev/null > "${tmp_load}"
409 out_rc
="${out_rc:-"${in_rc}"}"
410 f_log
"debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, out_rc: ${out_rc}"
414 if [ -f "${ban_backupdir}/banIP.${src_name}.gz" ]
416 rm -f "${ban_backupdir}/banIP.${src_name}.gz"
419 out_rc
="${out_rc:-"${in_rc}"}"
420 f_log
"debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, out_rc: ${out_rc}"
424 if [ -x "${ban_ipt}" ] && [ -z "$("${ban_ipt}" "${timeout}" -nL "${ban_chain}" 2>/dev
/null
)" ]
426 "${ban_ipt}" "${timeout}" -N "${ban_chain}"
427 elif [ -x "${ban_ipt}" ]
430 ruleset="${ban_wan_input_chain:-"input_wan_rule"} ${ban_wan_forward_chain:-"forwarding_wan_rule"} ${ban_lan_input_chain:-"input_lan_rule"} ${ban_lan_forward_chain:-"forwarding_lan_rule"}"
431 for rule in ${ruleset}
433 f_iptrule "-D" "${rule} -j ${ban_chain}"
436 if [ -x "${ban_ipt6}" ] && [ -z "$("${ban_ipt6}" "${timeout}" -nL "${ban_chain}" 2>/dev/null)" ]
438 "${ban_ipt6}" "${timeout}" -N "${ban_chain}"
439 elif [ -x "${ban_ipt6}" ]
442 ruleset_6
="${ban_wan_input_chain_6:-"input_wan_rule"} ${ban_wan_forward_chain_6:-"forwarding_wan_rule"} ${ban_lan_input_chain_6:-"input_lan_rule"} ${ban_lan_forward_chain_6:-"forwarding_lan_rule"}"
443 for rule
in ${ruleset_6}
445 f_iptrule
"-D" "${rule} -j ${ban_chain}"
448 f_log
"debug" "f_ipset ::: name: -, mode: ${mode:-"-"}, chain: ${ban_chain:-"-"}, ruleset: ${ruleset:-"-"}, ruleset_6: ${ruleset_6:-"-"}"
451 if [ -x "${ban_ipset}" ]
453 if [ -s "${tmp_file}" ] && [ -z "$("${ban_ipset}" -q -n list "${src_name}")" ]
455 "${ban_ipset}" -q create "${src_name}" hash:"${src_settype}" hashsize 64 maxelem 262144 family "${src_setipv}" counters
457 "${ban_ipset}" -q flush "${src_name}"
459 if [ -s "${tmp_file}" ]
461 "${ban_ipset}" -! restore < "${tmp_file}"
463 "${ban_ipset}" -q save "${src_name}" > "${tmp_file}"
464 cnt="$
(($
(wc -l 2>/dev
/null
< "${tmp_file}")-1))"
465 cnt_cidr="$
(grep -cF "/" "${tmp_file}")"
466 cnt_ip="$
((cnt-cnt_cidr
))"
467 printf "%s
\\n
" "1" > "${tmp_set}"
468 printf "%s
\\n
" "${cnt}" > "${tmp_cnt}"
473 out_rc="${out_rc:-"${in_rc}"}"
474 f_log "debug
" "f_ipset
::: name
: ${src_name:-"-"}, mode: ${mode:-"-"}, settype: ${src_settype:-"-"}, setipv: ${src_setipv:-"-"}, ruletype: ${src_ruletype:-"-"}, count(sum/ip/cidr): ${cnt}/${cnt_ip}/${cnt_cidr}, time: $((end_ts-start_ts)), out_rc: ${out_rc}"
477 if [ -x "${ban_ipset}" ] && [ -n "$("${ban_ipset}" -q -n list "${src_name}")" ]
479 "${ban_ipset}" -q save "${src_name}" > "${tmp_file}"
481 if [ -s "${tmp_file}" ]
483 cnt
="$(($(wc -l 2>/dev/null < "${tmp_file}")-1))"
484 cnt_cidr
="$(grep -cF "/" "${tmp_file}")"
485 cnt_ip
="$((cnt-cnt_cidr))"
486 printf "%s\\n" "1" > "${tmp_set}"
487 printf "%s\\n" "${cnt}" > "${tmp_cnt}"
492 out_rc
="${out_rc:-"${in_rc}"}"
493 f_log
"debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, count: ${cnt}/${cnt_ip}/${cnt_cidr}, time: $((end_ts-start_ts)), out_rc: ${out_rc}"
499 if [ -x "${ban_ipset}" ] && [ -n "$("${ban_ipset}" -q -n list "${src_name}")" ]
501 "${ban_ipset}" -q flush "${src_name}"
502 "${ban_ipset}" -q destroy "${src_name}"
504 f_log "debug
" "f_ipset
::: name
: ${src_name:-"-"}, mode
: ${mode:-"-"}"
507 if [ -x "${ban_ipt}" ] && [ -x "${ban_ipt_save}" ] && [ -x "${ban_ipt_restore}" ] && \
508 [ -n "$
("${ban_ipt}" "${timeout}" -nL "${ban_chain}" 2>/dev
/null
)" ]
510 "${ban_ipt_save}" | grep -v -- "-j ${ban_chain}" | "${ban_ipt_restore}"
511 "${ban_ipt}" "${timeout}" -F "${ban_chain}"
512 "${ban_ipt}" "${timeout}" -X "${ban_chain}"
514 if [ -x "${ban_ipt6}" ] && [ -x "${ban_ipt6_save}" ] && [ -x "${ban_ipt6_restore}" ] && \
515 [ -n "$
("${ban_ipt6}" "${timeout}" -nL "${ban_chain}" 2>/dev
/null
)" ]
517 "${ban_ipt6_save}" | grep -v -- "-j ${ban_chain}" | "${ban_ipt6_restore}"
518 "${ban_ipt6}" "${timeout}" -F "${ban_chain}"
519 "${ban_ipt6}" "${timeout}" -X "${ban_chain}"
521 for source in ${ban_sources}
523 if [ -x "${ban_ipset}" ] && [ -n "$("${ban_ipset}" -q -n list "${source}")" ]
525 "${ban_ipset}" -q destroy
"${source}"
528 f_log
"debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}"
537 local class
="${1}" log_msg
="${2}"
539 if [ -n "${log_msg}" ] && { [ "${class}" != "debug" ] || [ "${ban_debug}" -eq 1 ]; }
541 logger -p "${class}" -t "banIP-${ban_ver}[${$}]" "${log_msg}"
542 if [ "${class}" = "err
" ]
548 logger -p "${class}" -t "banIP-${ban_ver}[${$}]" "Please also check
'https://github.com/openwrt/packages/blob/master/net/banip/files/README.md'"
554 # start log service to trace failed ssh/luci logins
558 local bg_pid status="${1}"
560 bg_pid="$
(pgrep
-f "^/bin/sh ${ban_logservice}.*|^logread -f -e ${ban_sshdaemon}\|luci: failed login|^grep -qE Exit before auth|luci: failed login|[0-9]+ \[preauth\]$" | awk '{ORS=" "; print $1}')"
561 if [ -z "${bg_pid}" ] && [ "${status}" = "start" ] \
562 && [ -x "${ban_logservice}" ] && [ "${ban_realtime}" = "true" ]
564 ( "${ban_logservice}" "${ban_ver}" &)
565 elif [ -n "${bg_pid}" ] && [ "${status}" = "stop" ]
567 kill -HUP "${bg_pid}" 2>/dev
/null
569 f_log
"debug" "f_bgserv ::: status: ${status:-"-"}, bg_pid: ${bg_pid:-"-"}, ban_realtime: ${ban_realtime:-"-"}, log_service: ${ban_logservice:-"-"}"
572 # main function for banIP processing
576 local pid pid_list start_ts end_ts ip tmp_raw tmp_cnt tmp_load tmp_file mem_total mem_free cnt
=1
577 local src_name src_on src_url src_rset src_setipv src_settype src_ruletype src_cat src_log src_addon src_ts src_rc
578 local wan_input wan_forward lan_input lan_forward target_src target_dst ssh_log luci_log
580 ssh_log
="$(logread -e "${ban_sshdaemon}" | grep -o "${ban_sshdaemon}.
*" | sed 's/:[0-9]*$//g')"
581 luci_log
="$(logread -e "luci
: failed login
" | grep -o "luci
:.
*")"
582 mem_total
="$(awk '/^MemTotal/ {print int($2/1000)}' "/proc
/meminfo
" 2>/dev/null)"
583 mem_free
="$(awk '/^MemFree/ {print int($2/1000)}' "/proc
/meminfo
" 2>/dev/null)"
584 f_log
"debug" "f_main ::: fetch_util: ${ban_fetchutil:-"-"}, fetch_parm: ${ban_fetchparm:-"-"}, ssh_daemon: ${ban_sshdaemon}, interface(s): ${ban_iface:-"-"}, device(s): ${ban_dev:-"-"}, all_devices: ${ban_dev_all:-"-"}, backup_dir: ${ban_backupdir:-"-"}, mem_total: ${mem_total:-0}, mem_free: ${mem_free:-0}, max_queue: ${ban_maxqueue}"
589 for src_name
in ${ban_sources}
592 if [ "${src_name##*_}" = "6" ]
594 if [ -x "${ban_ipt6}" ]
596 src_on
="$(eval printf "%s
" \"\$\{ban_src_on_6_${src_name%_6*}\}\")"
597 src_url
="$(eval printf "%s
" \"\$\{ban_src_6_${src_name%_6*}\}\")"
598 src_rset
="$(eval printf "%s
" \"\$\{ban_src_rset_6_${src_name%_6*}\}\")"
600 wan_input
="${ban_wan_input_chain_6:-"input_wan_rule"}"
601 wan_forward
="${ban_wan_forward_chain_6:-"forwarding_wan_rule"}"
602 lan_input
="${ban_lan_input_chain_6:-"input_lan_rule"}"
603 lan_forward
="${ban_lan_forward_chain_6:-"forwarding_lan_rule"}"
604 target_src
="${ban_target_src_6:-"DROP"}"
605 target_dst
="${ban_target_dst_6:-"REJECT"}"
608 if [ -x "${ban_ipt}" ]
610 src_on
="$(eval printf "%s
" \"\$\{ban_src_on_${src_name}\}\")"
611 src_url
="$(eval printf "%s
" \"\$\{ban_src_${src_name}\}\")"
612 src_rset
="$(eval printf "%s
" \"\$\{ban_src_rset_${src_name}\}\")"
614 wan_input
="${ban_wan_input_chain:-"input_wan_rule"}"
615 wan_forward
="${ban_wan_forward_chain:-"forwarding_wan_rule"}"
616 lan_input
="${ban_lan_input_chain:-"input_lan_rule"}"
617 lan_forward
="${ban_lan_forward_chain:-"forwarding_lan_rule"}"
618 target_src
="${ban_target_src:-"DROP"}"
619 target_dst
="${ban_target_dst:-"REJECT"}"
622 src_settype
="$(eval printf "%s
" \"\$\{ban_src_settype_${src_name%_6*}\}\")"
623 src_ruletype
="$(eval printf "%s
" \"\$\{ban_src_ruletype_${src_name%_6*}\}\")"
624 src_cat
="$(eval printf "%s
" \"\$\{ban_src_cat_${src_name%_6*}\}\")"
627 tmp_load
="${ban_tmpload}.${src_name}"
628 tmp_file
="${ban_tmpfile}.${src_name}"
629 tmp_raw
="${tmp_load}.raw"
630 tmp_cnt
="${tmp_file}.cnt"
631 tmp_set
="${tmp_file}.setcnt"
635 f_log
"debug" "f_main ::: name: ${src_name}, src_on: ${src_on:-"-"}"
637 if [ -z "${src_on}" ] || [ "${src_on}" != "1" ] || [ -z "${src_url}" ] || \
638 [ -z "${src_rset}" ] || [ -z "${src_settype}" ] || [ -z "${src_ruletype}" ]
643 elif [ "${ban_action}" = "refresh" ] && [ ! -f "${src_url}" ]
645 start_ts
="$(date +%s)"
653 # download queue processing
656 start_ts
="$(date +%s)"
657 if [ "${ban_action}" = "start" ] && [ ! -f "${src_url}" ]
662 if [ "${src_rc}" -ne 0 ] ||
[ ! -s "${tmp_load}" ]
664 if [ -f "${src_url}" ]
666 src_log
="$(cat "${src_url}" 2>/dev/null > "${tmp_load}")"
668 case "${src_name}" in
670 src_addon
="${ban_subnets}"
673 src_addon
="${ban_subnets6}"
676 if [ "${ban_sshdaemon}" = "dropbear" ]
678 pid_list
="$(printf "%s
\\n
" "${ssh_log}" | grep -F "Exit before auth
" | awk 'match($0,/(\[[0-9]+\])/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
679 for pid
in ${pid_list}
681 src_addon
="${src_addon} $(printf "%s\\n" "${ssh_log}" | grep -F "${pid}" | awk 'match($0,/([0-9]{1,3}\.){3}[0-9]{1,3}$/){ORS=" ";print substr($0,RSTART,RLENGTH);exit}')"
683 elif [ "${ban_sshdaemon}" = "sshd" ]
685 src_addon
="$(printf "%s
\\n
" "${ssh_log}" | grep -E "[0-9]+ \
[preauth\
]$
" | awk 'match($0,/([0-9]{1,3}\.){3}[0-9]{1,3}$/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
687 src_addon
="${src_addon} $(printf "%s\\n" "${luci_log}" | awk 'match($0,/([0-9]{1,3}\.){3}[0-9]{1,3}$/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
690 if [ "${ban_sshdaemon}" = "dropbear" ]
692 pid_list
="$(printf "%s
\\n
" "${ssh_log}" | grep -F "Exit before auth
" | awk 'match($0,/(\[[0-9]+\])/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
693 for pid
in ${pid_list}
695 src_addon
="${src_addon} $(printf "%s\\n" "${ssh_log}" | grep -F "${pid}" | awk 'match($0,/(([0-9A-f]{0,4}::?){1,7}[0-9A-f]{0,4}$)/){ORS=" ";print substr($0,RSTART,RLENGTH);exit}')"
697 elif [ "${ban_sshdaemon}" = "sshd" ]
699 src_addon
="$(printf "%s
\\n
" "${ssh_log}" | grep -E "[0-9]+ \
[preauth\
]$
" | awk 'match($0,/(([0-9A-f]{0,4}::?){1,7}[0-9A-f]{0,4}$)/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
701 src_addon
="${src_addon} $(printf "%s\\n" "${luci_log}" | awk 'match($0,/(([0-9A-f]{0,4}::?){1,7}[0-9A-f]{0,4}$)/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
704 for ip
in ${src_addon}
706 if [ -z "$(grep -F "${ip}" "${src_url}")" ]
708 printf "%s\\n" "${ip}" >> "${tmp_load}"
709 if { [ "${src_name//_*/}" = "blacklist" ] && [ "${ban_autoblacklist}" -eq 1 ]; } || \
710 { [ "${src_name//_*/}" = "whitelist" ] && [ "${ban_autowhitelist}" -eq 1 ]; }
712 src_ts
="# auto-added $(date "+%d.
%m.
%Y
%H
:%M
:%S
")"
713 printf "%s %s\\n" "${ip}" "${src_ts}" >> "${src_url}"
717 elif [ -n "${src_cat}" ]
719 if [ "${src_cat//[0-9]/}" != "${src_cat}" ]
723 src_log
="$("${ban_fetchutil}" ${ban_fetchparm} "${tmp_raw}" "${src_url}AS${as}" 2>&1)"
725 if [ "${src_rc}" -eq 0 ]
727 jsonfilter
-i "${tmp_raw}" -e '@.data.prefixes.*.prefix' 2>/dev
/null
>> "${tmp_load}"
732 if [ "${src_rc}" -eq 0 ]
735 elif [ "${ban_action}" != "start" ]
742 src_log
="$("${ban_fetchutil}" ${ban_fetchparm} "${tmp_raw}" "${src_url}${co}&v4_format
=prefix
" 2>&1)"
744 if [ "${src_rc}" -eq 0 ]
746 if [ "${src_name##*_}" = "6" ]
748 jsonfilter
-i "${tmp_raw}" -e '@.data.resources.ipv6.*' 2>/dev
/null
>> "${tmp_load}"
750 jsonfilter
-i "${tmp_raw}" -e '@.data.resources.ipv4.*' 2>/dev
/null
>> "${tmp_load}"
756 if [ "${src_rc}" -eq 0 ]
759 elif [ "${ban_action}" != "start" ]
765 src_log
="$("${ban_fetchutil}" ${ban_fetchparm} "${tmp_raw}" "${src_url}" 2>&1)"
767 if [ "${src_rc}" -eq 0 ]
769 zcat
"${tmp_raw}" 2>/dev
/null
> "${tmp_load}"
771 if [ "${src_rc}" -ne 0 ]
773 mv -f "${tmp_raw}" "${tmp_load}"
776 if [ "${src_rc}" -eq 0 ]
781 elif [ "${ban_action}" != "start" ]
789 if [ "${src_rc}" -eq 0 ]
791 awk "${src_rset}" "${tmp_load}" 2>/dev/null > "${tmp_file}"
793 if [ "${src_rc}" -eq 0 ]
797 elif [ "${ban_action}" != "refresh" ]
803 src_log
="$(printf "%s
" "${src_log}" | awk '{ORS=" ";print $0}')"
804 if [ "${ban_action}" != "refresh" ]
809 f_log
"debug" "f_main ::: name: ${src_name}, url: ${src_url}, rc: ${src_rc}, log: ${src_log:-"-"}"
812 hold
="$((cnt%ban_maxqueue))"
813 if [ "${hold}" -eq 0 ]
821 for cnt
in $
(cat "${ban_tmpfile}".
*.setcnt
2>/dev
/null
)
823 ban_setcnt
="$((ban_setcnt+cnt))"
825 for cnt
in $
(cat "${ban_tmpfile}".
*.cnt
2>/dev
/null
)
827 ban_cnt
="$((ban_cnt+cnt))"
829 f_log
"info" "${ban_setcnt} IPSets with overall ${ban_cnt} IPs/Prefixes loaded successfully (${ban_sysver})"
835 # update runtime information
839 local rundate status
="${1:-"enabled"}"
841 rundate
="$(date "+%d.
%m.
%Y
%H
:%M
:%S
")"
842 ban_cntinfo
="${ban_setcnt} IPSets with overall ${ban_cnt} IPs/Prefixes"
845 json_load_file
"${ban_rtfile}" >/dev
/null
2>&1
847 json_add_object
"data"
848 json_add_string
"status" "${status}"
849 json_add_string
"version" "${ban_ver}"
850 json_add_string
"util_info" "${ban_fetchutil:-"-"}, ${ban_realtime:-"-"}"
851 json_add_string
"ipset_info" "${ban_cntinfo:-"-"}"
852 json_add_string
"backup_dir" "${ban_backupdir}"
853 json_add_string
"last_run" "${rundate:-"-"}"
854 json_add_string
"system" "${ban_sysver}"
856 json_dump
> "${ban_rtfile}"
857 f_log
"debug" "f_jsnup ::: status: ${status}, setcnt: ${ban_setcnt}, cnt: ${ban_cnt}"
860 # source required system libraries
862 if [ -r "/lib/functions.sh" ] && [ -r "/lib/functions/network.sh" ] && [ -r "/usr/share/libubox/jshn.sh" ]
864 .
"/lib/functions.sh"
865 .
"/lib/functions/network.sh"
866 .
"/usr/share/libubox/jshn.sh"
868 f_log
"err" "system libraries not found"
871 # handle different banIP actions
874 case "${ban_action}" in
882 "start"|
"restart"|
"reload"|
"refresh")