* banIP supports the following fully pre-configured domain blocklist feeds (free for private usage, for commercial use please check their individual licenses).
**Please note:** By default every feed blocks all supported chains. The columns "WAN-INP", "WAN-FWD" and "LAN-FWD" show for which chains the feeds are suitable in common scenarios, e.g. the first entry should be limited to the LAN forward chain - see the config options 'ban\_blockpolicy', 'ban\_blockinput', 'ban\_blockforwardwan' and 'ban\_blockforwardlan' below.
-| Feed | Focus | WAN-INP | WAN-FWD | LAN-FWD | Information |
-| :------------------ | :----------------------------- | :-----: | :-----: | :-----: | :----------------------------------------------------------- |
-| adaway | adaway IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
-| adguard | adguard IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
-| adguardtrackers | adguardtracker IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
-| antipopads | antipopads IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
-| asn | ASN IPs | | | x | [Link](https://asn.ipinfo.app) |
-| backscatterer | backscatterer IPs | x | x | | [Link](https://www.uceprotect.net/en/index.php) |
-| binarydefense | binary defense banlist | x | x | | [Link](https://iplists.firehol.org/?ipset=bds_atif) |
-| bogon | bogon prefixes | x | x | | [Link](https://team-cymru.com) |
-| bruteforceblock | bruteforceblocker IPs | x | x | | [Link](https://danger.rulez.sk/index.php/bruteforceblocker/) |
-| country | country blocks | x | x | | [Link](https://www.ipdeny.com/ipblocks) |
-| cinsscore | suspicious attacker IPs | x | x | | [Link](https://cinsscore.com/#list) |
-| darklist | blocks suspicious attacker IPs | x | x | | [Link](https://darklist.de) |
-| debl | fail2ban IP blacklist | x | x | | [Link](https://www.blocklist.de) |
-| doh | public DoH-Provider | | | x | [Link](https://github.com/dibdot/DoH-IP-blocklists) |
-| drop | spamhaus drop compilation | x | x | | [Link](https://www.spamhaus.org) |
-| dshield | dshield IP blocklist | x | x | | [Link](https://www.dshield.org) |
-| edrop | spamhaus edrop compilation | x | x | | [Link](https://www.spamhaus.org) |
-| etcompromised | ET compromised hosts | x | x | | [Link](https://iplists.firehol.org/?ipset=et_compromised) |
-| feodo | feodo tracker | x | x | x | [Link](https://feodotracker.abuse.ch) |
-| firehol1 | firehol level 1 compilation | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_level1) |
-| firehol2 | firehol level 2 compilation | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_level2) |
-| firehol3 | firehol level 3 compilation | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_level3) |
-| firehol4 | firehol level 4 compilation | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_level4) |
-| greensnow | suspicious server IPs | x | x | | [Link](https://greensnow.co) |
-| iblockads | Advertising IPs | | | x | [Link](https://www.iblocklist.com) |
-| iblockspy | Malicious spyware IPs | x | x | | [Link](https://www.iblocklist.com) |
-| ipblackhole | blackhole IPs | x | x | | [Link](https://ip.blackhole.monster) |
-| ipthreat | hacker and botnet TPs | x | x | | [Link](https://ipthreat.net) |
-| myip | real-time IP blocklist | x | x | | [Link](https://myip.ms) |
-| nixspam | iX spam protection | x | x | | [Link](http://www.nixspam.org) |
-| oisdbig | OISD-big IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
-| oisdnsfw | OISD-nsfw IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
-| oisdsmall | OISD-small IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
-| proxy | open proxies | x | | | [Link](https://iplists.firehol.org/?ipset=proxylists) |
-| ssbl | SSL botnet IPs | x | x | | [Link](https://sslbl.abuse.ch) |
-| stevenblack | stevenblack IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
-| talos | talos IPs | x | x | | [Link](https://talosintelligence.com/reputation_center) |
-| threat | emerging threats | x | x | | [Link](https://rules.emergingthreats.net) |
-| threatview | malicious IPs | x | x | | [Link](https://threatview.io) |
-| tor | tor exit nodes | x | x | | [Link](https://github.com/SecOps-Institute/Tor-IP-Addresses) |
-| uceprotect1 | spam protection level 1 | x | x | | [Link](http://www.uceprotect.net/en/index.php) |
-| uceprotect2 | spam protection level 2 | x | x | | [Link](http://www.uceprotect.net/en/index.php) |
-| uceprotect3 | spam protection level 3 | x | x | | [Link](http://www.uceprotect.net/en/index.php) |
-| urlhaus | urlhaus IDS IPs | x | x | | [Link](https://urlhaus.abuse.ch) |
-| urlvir | malware related IPs | x | x | | [Link](https://iplists.firehol.org/?ipset=urlvir) |
-| webclient | malware related IPs | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_webclient) |
-| voip | VoIP fraud blocklist | x | x | | [Link](https://voipbl.org) |
-| yoyo | yoyo IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
+| Feed | Focus | WAN-INP | WAN-FWD | LAN-FWD | Port-Limit | Information |
+| :------------------ | :----------------------------- | :-----: | :-----: | :-----: | :----------: | :----------------------------------------------------------- |
+| adaway | adaway IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
+| adguard | adguard IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
+| adguardtrackers | adguardtracker IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
+| antipopads | antipopads IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
+| asn | ASN segments | | | x | tcp: 80, 443 | [Link](https://asn.ipinfo.app) |
+| backscatterer | backscatterer IPs | x | x | | | [Link](https://www.uceprotect.net/en/index.php) |
+| becyber | malicious attacker IPs | x | x | | | [Link](https://github.com/duggytuxy/malicious_ip_addresses) |
+| binarydefense | binary defense banlist | x | x | | | [Link](https://iplists.firehol.org/?ipset=bds_atif) |
+| bogon | bogon prefixes | x | x | | | [Link](https://team-cymru.com) |
+| bruteforceblock | bruteforceblocker IPs | x | x | | | [Link](https://danger.rulez.sk/index.php/bruteforceblocker/) |
+| country | country blocks | x | x | | | [Link](https://www.ipdeny.com/ipblocks) |
+| cinsscore | suspicious attacker IPs | x | x | | | [Link](https://cinsscore.com/#list) |
+| debl | fail2ban IP blacklist | x | x | | | [Link](https://www.blocklist.de) |
+| doh | public DoH-Provider | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/DoH-IP-blocklists) |
+| drop | spamhaus drop compilation | x | x | | | [Link](https://www.spamhaus.org) |
+| dshield | dshield IP blocklist | x | x | | | [Link](https://www.dshield.org) |
+| edrop | spamhaus edrop compilation | x | x | | | [Link](https://www.spamhaus.org) |
+| etcompromised | ET compromised hosts | x | x | | | [Link](https://iplists.firehol.org/?ipset=et_compromised) |
+| feodo | feodo tracker | x | x | | | [Link](https://feodotracker.abuse.ch) |
+| firehol1 | firehol level 1 compilation | x | x | | | [Link](https://iplists.firehol.org/?ipset=firehol_level1) |
+| firehol2 | firehol level 2 compilation | x | x | | | [Link](https://iplists.firehol.org/?ipset=firehol_level2) |
+| firehol3 | firehol level 3 compilation | x | x | | | [Link](https://iplists.firehol.org/?ipset=firehol_level3) |
+| firehol4 | firehol level 4 compilation | x | x | | | [Link](https://iplists.firehol.org/?ipset=firehol_level4) |
+| greensnow | suspicious server IPs | x | x | | | [Link](https://greensnow.co) |
+| iblockads | Advertising IPs | | | x | tcp: 80, 443 | [Link](https://www.iblocklist.com) |
+| iblockspy | Malicious spyware IPs | | | x | tcp: 80, 443 | [Link](https://www.iblocklist.com) |
+| ipsum | malicious IPs | x | x | | | [Link](https://github.com/stamparm/ipsum) |
+| ipthreat | hacker and botnet TPs | x | x | | | [Link](https://ipthreat.net) |
+| myip | real-time IP blocklist | x | x | | | [Link](https://myip.ms) |
+| nixspam | iX spam protection | x | x | | | [Link](http://www.nixspam.org) |
+| oisdbig | OISD-big IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
+| oisdnsfw | OISD-nsfw IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
+| oisdsmall | OISD-small IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
+| pallebone | curated IP blocklist | x | x | | | [Link](https://github.com/pallebone/StrictBlockPAllebone) |
+| proxy | open proxies | x | x | | | [Link](https://iplists.firehol.org/?ipset=proxylists) |
+| ssbl | SSL botnet IPs | x | x | | | [Link](https://sslbl.abuse.ch) |
+| stevenblack | stevenblack IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
+| talos | talos IPs | x | x | | | [Link](https://talosintelligence.com/reputation_center) |
+| threat | emerging threats | x | x | | | [Link](https://rules.emergingthreats.net) |
+| threatview | malicious IPs | x | x | | | [Link](https://threatview.io) |
+| tor | tor exit nodes | x | x | | | [Link](https://github.com/SecOps-Institute/Tor-IP-Addresses) |
+| turris | turris sentinel blocklist | x | x | | | [Link](https://view.sentinel.turris.cz) |
+| uceprotect1 | spam protection level 1 | x | x | | | [Link](https://www.uceprotect.net/en/index.php) |
+| uceprotect2 | spam protection level 2 | x | x | | | [Link](https://www.uceprotect.net/en/index.php) |
+| uceprotect3 | spam protection level 3 | x | x | | | [Link](https://www.uceprotect.net/en/index.php) |
+| urlhaus | urlhaus IDS IPs | x | x | | | [Link](https://urlhaus.abuse.ch) |
+| urlvir | malware related IPs | x | x | | | [Link](https://iplists.firehol.org/?ipset=urlvir) |
+| webclient | malware related IPs | x | x | | | [Link](https://iplists.firehol.org/?ipset=firehol_webclient) |
+| voip | VoIP fraud blocklist | x | x | | | [Link](https://voipbl.org) |
+| yoyo | yoyo IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
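Review bot: the new "Port-Limit" column is not explained anywhere in the intro text above the table, and the intro still calls these "domain blocklist feeds" although every row is an IP feed; suggest extending the "Please note" paragraph with one sentence on what a port limit means (the set only matches traffic to the listed destination ports, which is why the ad/DoH feeds are limited to "tcp: 80, 443") and renaming "domain blocklist feeds" to "IP blocklist feeds". Two rows change semantics without a changelog mention and deserve a second look: `iblockspy` moves from WAN-INP/WAN-FWD to LAN-FWD with a web-port limit, which silently stops blocking inbound spyware IPs for existing installs, and `feodo` loses its LAN-FWD tick, so outbound C2 contacts from LAN hosts are no longer matched by that feed. The `darklist` row is dropped without note, and the old typo "hacker and botnet TPs" on the `ipthreat` row survives the rewrite; should read "IPs".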
* Zero-conf like automatic installation & setup, usually no manual changes needed
* All Sets are handled in a separate nft table/namespace 'banIP'
* Full IPv4 and IPv6 support
* Supports nft atomic Set loading
* Supports blocking by ASN numbers and by iso country codes
+* Block countries dynamically by Regional Internet Registry (RIR), e.g. all countries related to ARIN. Supported service regions are: AFRINIC, ARIN, APNIC, LACNIC and RIPE
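Review bot: the RIR bullet does not name the config option that drives it, unlike the neighbouring feature bullets; suggest appending "(see 'ban\_region' below)" so a reader can find the setting, and stating whether the 'country' feed must also be enabled for a region selection to take effect.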
* Supports local allow- and blocklist with MAC/IPv4/IPv6 addresses or domain names
* Supports concatenation of local MAC addresses with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments
* All local input types support ranges in CIDR notation
* Auto-add the uplink subnet or uplink IP to the local allowlist
+* Prevent common ICMP, UDP and SYN flood attacks and drop spoofed tcp flags & invalid conntrack packets (DDoS attacks) in an additional prerouting chain
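Review bot: the parenthetical "(DDoS attacks)" reads as if it only qualifies the invalid conntrack packets, and the bullet does not point at the tunables that control the thresholds; suggest "Rate-limit common ICMP, UDP and SYN flood attacks and drop spoofed tcp flags and invalid conntrack packets in an additional prerouting chain (see 'ban\_icmplimit', 'ban\_synlimit' and 'ban\_udplimit' below)". "Prevent" overstates what a packet-rate threshold does against a volumetric flood; "rate-limit" or "mitigate" is the honest verb.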
* Provides a small background log monitor to ban unsuccessful login attempts in real-time (like fail2ban, crowdsec etc.)
* Auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist
* Auto-add entire subnets to the blocklist Sets based on an additional RDAP request with the monitored suspicious IP
* Per feed it can be defined whether the wan-input chain, the wan-forward chain or the lan-forward chain should be blocked (default: all chains)
* Automatic blocklist backup & restore, the backups will be used in case of download errors or during startup
* Automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or full wget
-* Provides HTTP ETag or entity tag support to download only ressources that have been updated on the server side, to save bandwith and speed up banIP reloads
-* Supports an 'allowlist only' mode, this option restricts internet access from/to a given number of secure websites/IPs
+* Provides HTTP ETag support to download only ressources that have been updated on the server side, to speed up banIP reloads and to save bandwith
+* Supports an 'allowlist only' mode, this option skips all blocklists and restricts the internet access only to specific, explicitly allowed IP segments
+* Supports external allowlist URLs to reference additional IPv4/IPv6 feeds
+* Optionally always allow certain protocols/destination ports in wan-input and wan-forward chains
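Review bot: the spelling errors "ressources" and "bandwith" are carried over from the removed line into the rewritten ETag bullet; should be "resources" and "bandwidth". The new "Optionally always allow certain protocols/destination ports" bullet should name 'ban\_allowflag' and make clear that this allowance applies before any blocklist Set is consulted, since that is a deliberate hole in the block policy that an operator must know about when enabling it.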
* Deduplicate IPs accross all Sets (single IPs only, no intervals)
* Provides comprehensive runtime information
* Provides a detailed Set report
* Procd based init system support (start/stop/restart/reload/status/report/search/survey/lookup)
* Procd network interface trigger support
* Add new or edit existing banIP feeds on your own with the LuCI integrated custom feed editor
-* Supports external allowlist URLs to reference additional IPv4/IPv6 feeds
+* Supports destination port & protocol limitations for external feeds (see the feed list above). To change the default assignments just use the feed editor
* Supports allowing / blocking of certain VLAN forwards
+* Provides an option to transfer logging events on remote servers via cgi interface
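Review bot: "transfer logging events on remote servers via cgi interface" inverts the direction of the feature as documented further down, where remote servers push events to banIP; suggest "Provides a cgi interface to receive logging events from remote servers (disabled by default)". Mentioning the default-off state here matches how the later section describes it.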
## Prerequisites
* **[OpenWrt](https://openwrt.org)**, latest stable release or a snapshot with nft/firewall 4 support
* A certificate store like 'ca-bundle', as banIP checks the validity of the SSL certificates of all download sites by default
* For E-Mail notifications you need to install and setup the additional 'msmtp' package
-**Please note the following:**
+**Please note:**
* Devices with less than 256Mb of RAM are **_not_** supported
* Any previous installation of ancient banIP 0.7.x must be uninstalled, and the /etc/banip folder and the /etc/config/banip configuration file must be deleted (they are recreated when this version is installed)
* Install banIP (_opkg install banip_) - the banIP service is disabled by default
* Install the LuCI companion package 'luci-app-banip' (opkg install luci-app-banip)
* It's strongly recommended to use the LuCI frontend to easily configure all aspects of banIP, the application is located in LuCI under the 'Services' menu
+* If you're using a complex network setup, e.g. special tunnel interfaces, than untick the 'Auto Detection' option under the 'General Settings' tab and set the required options manually
+* Start the service with '/etc/init.d/banip start' and check everything is working by running '/etc/init.d/banip status' and also check the 'Firewall Log' and 'Processing Log' tabs
* If you're going to configure banIP via CLI, edit the config file '/etc/config/banip' and enable the service (set ban\_enabled to '1'), then add pre-configured feeds via 'ban\_feed' (see the feed list above) and add/change other options to your needs (see the options reference below)
-* Start the service with '/etc/init.d/banip start' and check everything is working by running '/etc/init.d/banip status'
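Review bot: moving the "Start the service" bullet above the CLI configuration bullet means a CLI user following the list in order would start the service before setting ban\_enabled to '1' and adding feeds; suggest either keeping the start step last or prefixing it with "After configuration,". Also "than untick the 'Auto Detection' option" should be "then untick".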
## banIP CLI interface
* All important banIP functions are accessible via CLI.
| ban_filelimit | option | 1024 | ulimit max open/number of files (range 1024-4096) |
| ban_loglimit | option | 100 | scan only the last n log entries permanently. A value of '0' disables the monitor |
| ban_logcount | option | 1 | how many times the IP must appear in the log to be considered as suspicious |
-| ban_logterm | list | regex | various regex for logfile parsing (default: dropbear, sshd, luci, nginx, asterisk) |
+| ban_logterm | list | regex | various regex for logfile parsing (default: dropbear, sshd, luci, nginx, asterisk and cgi-remote events) |
| ban_logreadfile | option | /var/log/messages | alternative location for parsing the log file, e.g. via syslog-ng, to deactivate the standard parsing via logread |
| ban_autodetect | option | 1 | auto-detect wan interfaces, devices and subnets |
| ban_debug | option | 0 | enable banIP related debug logging |
-| ban_loginput | option | 1 | log drops in the wan-input chain |
-| ban_logforwardwan | option | 1 | log drops in the wan-forward chain |
-| ban_logforwardlan | option | 0 | log rejects in the lan-forward chain |
+| ban_icmplimit | option | 10 | treshold in number of packets to detect icmp DDoS in prerouting chain |
+| ban_synlimit | option | 10 | treshold in number of packets to detect syn DDoS in prerouting chain |
+| ban_udplimit | option | 100 | treshold in number of packets to detect udp DDoS in prerouting chain |
+| ban_logprerouting | option | 0 | log supsicious packets in the prerouting chain |
+| ban_loginput | option | 0 | log supsicious packets in the wan-input chain |
+| ban_logforwardwan | option | 0 | log supsicious packets in the wan-forward chain |
+| ban_logforwardlan | option | 0 | log supsicious packets in the lan-forward chain |
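Review bot: "treshold" (three rows) should be "threshold" and "supsicious" (four rows) should be "suspicious". The defaults for ban\_loginput and ban\_logforwardwan change from 1 to 0 in this hunk, which silently turns off firewall logging for existing installs that relied on the old default; that deserves an explicit note, since operators who feed those log lines into fail2ban-style monitoring will lose visibility without any error. The old descriptions also distinguished "drops" (input/forward-wan) from "rejects" (lan-forward), matching ban\_blocktype; the uniform "log suspicious packets" loses that distinction, and "treshold in number of packets" should say per what interval the count applies.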
| ban_autoallowlist | option | 1 | add wan IPs/subnets and resolved domains automatically to the local allowlist (not only to the Sets) |
| ban_autoblocklist | option | 1 | add suspicious attacker IPs and resolved domains automatically to the local blocklist (not only to the Sets) |
| ban_autoblocksubnet | option | 0 | add entire subnets to the blocklist Sets based on an additional RDAP request with the suspicious IP |
| ban_autoallowuplink | option | subnet | limit the uplink autoallow function to: 'subnet', 'ip' or 'disable' it at all |
-| ban_allowlistonly | option | 0 | restrict the internet access from/to a given number of secure websites/IPs |
+| ban_allowlistonly | option | 0 | skip all blocklists and restrict the internet access only to specific, explicitly allowed IP segments |
+| ban_allowflag | option | - | always allow certain protocols(tcp or udp) plus destination ports or port ranges, e.g.: 'tcp 80 443-445' |
+| ban_allowurl | list | - | external allowlist feed URLs, one or more references to simple remote IP lists |
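Review bot: the ban\_allowflag row should state whether more than one protocol can be given in the option value (e.g. 'tcp 80 443 udp 53') or whether it is a single protocol followed by ports, and "protocols(tcp or udp)" is missing a space. For ban\_allowurl it is worth saying that the fetched lists are trusted as-is and land in the allowlist, so an attacker who can tamper with one of those URLs (or its transport) can punch holes in the block policy; the existing certificate check note in Prerequisites covers the transport, but the trust placed in the list source should be explicit here.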
| ban_basedir | option | /tmp | base working directory while banIP processing |
| ban_reportdir | option | /tmp/banIP-report | directory where banIP stores the report files |
| ban_backupdir | option | /tmp/banIP-backup | directory where banIP stores the compressed backup files |
| ban_vlanallow | list | - | always allow certain VLAN forwards, e.g. br-lan.20 |
| ban_vlanblock | list | - | always block certain VLAN forwards, e.g. br-lan.10 |
| ban_trigger | list | - | logical reload trigger interface(s), e.g. 'wan' |
-| ban_triggerdelay | option | 10 | trigger timeout during interface reload and boot |
+| ban_triggerdelay | option | 20 | trigger timeout during interface reload and boot |
| ban_deduplicate | option | 1 | deduplicate IP addresses across all active Sets |
| ban_splitsize | option | 0 | split ext. Sets after every n lines/members (saves RAM) |
| ban_cores | option | - / autodetect | limit the cpu cores used by banIP (saves RAM) |
| ban_nftloglevel | option | warn | nft loglevel, values: emerg, alert, crit, err, warn, notice, info, debug |
-| ban_nftpriority | option | -200 | nft priority for the banIP table (default is the prerouting table priority) |
+| ban_nftpriority | option | -100 | nft priority for the banIP table (the prerouting table is fixed to priority -150) |
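Review bot: the documented default for ban\_nftpriority changes from -200 to -100 with the prerouting table fixed at -150, but the runtime example further down reports "priority: 0"; one of the two is stale, and a reader checking their own status output against the table will be confused. Suggest aligning the example with the new default or adding a short remark on why the prerouting chain must sit at a lower (earlier) priority than the main banIP table.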
| ban_nftpolicy | option | memory | nft policy for banIP-related Sets, values: memory, performance |
| ban_nftexpiry | option | - | expiry time for auto added blocklist members, e.g. '5m', '2h' or '1d' |
| ban_feed | list | - | external download feeds, e.g. 'yoyo', 'doh', 'country' or 'talos' (see feed table) |
| ban_asn | list | - | ASNs for the 'asn' feed, e.g.'32934' |
+| ban_region | list | - | Regional Internet Registry (RIR) country selection. Supported regions are: AFRINIC, ARIN, APNIC, LACNIC and RIPE |
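Review bot: the ban\_region row should say how it interacts with ban\_country (whether a region selection is additive to explicit country codes, or replaces them) and whether the 'country' feed must be listed in ban\_feed for it to take effect; as written, it reads as a stand-alone list that will be silently ignored if the feed is not enabled.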
| ban_country | list | - | country iso codes for the 'country' feed, e.g. 'ru' |
| ban_blockpolicy | option | - | limit the default block policy to a certain chain, e.g. 'input', 'forwardwan' or 'forwardlan' |
| ban_blocktype | option | drop | 'drop' packets silently on input and forwardwan chains or actively 'reject' the traffic |
| ban_mailnotification | option | 0 | receive E-Mail notifications with every banIP run |
| ban_reportelements | option | 1 | count Set elements in the report, disable this option to speed up the report significantly |
| ban_resolver | option | - | external resolver used for DNS lookups |
+| ban_remotelog | option | 0 | enable the cgi interface to receive remote logging events |
+| ban_remotetoken | option | - | unique token to communicate with the cgi interface |
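Review bot: ban\_remotetoken is a bearer secret, not merely a "unique token"; the description should say so and repeat the allowed character set ('[A-Za-z]', '[0-9]', '.' and ':') that only appears in the cgi section further down, so a CLI user configuring the option from this table picks a valid value. A hint on expected length would also help, since the option table is the only place a CLI user sees it.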
## Examples
**banIP report information**
:::
::: banIP Set Statistics
:::
- Timestamp: 2023-06-21 07:03:23
+ Timestamp: 2024-04-17 23:02:15
------------------------------
- auto-added to allowlist today: 0
- auto-added to blocklist today: 0
-
- Set | Elements | WAN-Input (packets) | WAN-Forward (packets) | LAN-Forward (packets)
- ---------------------+--------------+-----------------------+-----------------------+------------------------
- allowlistv4MAC | 0 | - | - | OK: 0
- allowlistv6MAC | 0 | - | - | OK: 0
- allowlistv4 | 1 | OK: 0 | OK: 0 | OK: 0
- allowlistv6 | 1 | OK: 0 | OK: 0 | OK: 0
- cinsscorev4 | 13115 | OK: 142 | OK: 0 | -
- deblv4 | 8076 | OK: 5 | OK: 0 | OK: 0
- countryv6 | 37313 | OK: 0 | OK: 1 | -
- countryv4 | 36155 | OK: 33 | OK: 0 | -
- deblv6 | 15 | OK: 0 | OK: 0 | OK: 0
- dropv6 | 35 | OK: 0 | OK: 0 | OK: 0
- dropv4 | 620 | OK: 0 | OK: 0 | OK: 0
- dohv6 | 598 | - | - | OK: 0
- dohv4 | 902 | - | - | OK: 0
- edropv4 | 247 | OK: 0 | OK: 0 | OK: 0
- threatviewv4 | 571 | OK: 0 | OK: 0 | OK: 0
- firehol1v4 | 877 | OK: 8 | OK: 0 | OK: 0
- ipthreatv4 | 5751 | OK: 0 | OK: 0 | OK: 0
- urlvirv4 | 169 | OK: 0 | OK: 0 | OK: 0
- blocklistv4MAC | 0 | - | - | OK: 0
- blocklistv6MAC | 0 | - | - | OK: 0
- blocklistv4 | 3 | OK: 0 | OK: 0 | OK: 0
- blocklistv6 | 0 | OK: 0 | OK: 0 | OK: 0
- ---------------------+--------------+-----------------------+-----------------------+------------------------
- 22 | 104449 | 16 (188) | 16 (1) | 19 (0)
+ blocked syn-flood packets in prerouting : 5
+ blocked udp-flood packets in prerouting : 11
+ blocked icmp-flood packets in prerouting : 6
+ blocked invalid ct packets in prerouting : 277
+ blocked invalid tcp packets in prerouting: 0
+ ----------
+ auto-added IPs to allowlist today: 0
+ auto-added IPs to blocklist today: 0
+
+ Set | Elements | WAN-Input (packets) | WAN-Forward (packets) | LAN-Forward (packets) | Port/Protocol Limit
+ ---------------------+--------------+-----------------------+-----------------------+-----------------------+------------------------
+ allowlistv4MAC | 0 | - | - | ON: 0 | -
+ allowlistv6MAC | 0 | - | - | ON: 0 | -
+ allowlistv4 | 1 | ON: 0 | ON: 0 | ON: 0 | -
+ allowlistv6 | 2 | ON: 0 | ON: 0 | ON: 0 | -
+ adguardtrackersv6 | 105 | - | - | ON: 0 | tcp: 80, 443
+ adguardtrackersv4 | 816 | - | - | ON: 0 | tcp: 80, 443
+ becyberv4 | 229006 | ON: 2254 | ON: 0 | - | -
+ cinsscorev4 | 7135 | ON: 1630 | ON: 2 | - | -
+ deblv4 | 10191 | ON: 23 | ON: 0 | - | -
+ countryv6 | 38233 | ON: 7 | ON: 0 | - | -
+ countryv4 | 37169 | ON: 2323 | ON: 0 | - | -
+ deblv6 | 65 | ON: 0 | ON: 0 | - | -
+ dropv6 | 66 | ON: 0 | ON: 0 | - | -
+ dohv4 | 1219 | - | - | ON: 0 | tcp: 80, 443
+ dropv4 | 895 | ON: 75 | ON: 0 | - | -
+ dohv6 | 832 | - | - | ON: 0 | tcp: 80, 443
+ threatv4 | 20 | ON: 0 | ON: 0 | - | -
+ firehol1v4 | 753 | ON: 1 | ON: 0 | - | -
+ ipthreatv4 | 1369 | ON: 20 | ON: 0 | - | -
+ firehol2v4 | 2216 | ON: 1 | ON: 0 | - | -
+ turrisv4 | 5613 | ON: 179 | ON: 0 | - | -
+ blocklistv4MAC | 0 | - | - | ON: 0 | -
+ blocklistv6MAC | 0 | - | - | ON: 0 | -
+ blocklistv4 | 0 | ON: 0 | ON: 0 | ON: 0 | -
+ blocklistv6 | 0 | ON: 0 | ON: 0 | ON: 0 | -
+ ---------------------+--------------+-----------------------+-----------------------+-----------------------+------------------------
+ 25 | 335706 | 17 (6513) | 17 (2) | 12 (0)
```
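Review bot: the new summary row "25 | 335706 | 17 (6513) | 17 (2) | 12 (0)" has five cells under a six-column header, so the "Port/Protocol Limit" column is left hanging in the totals line; either pad it with a "-" or drop it from the header separator. The sample report also shows the prerouting counters above the per-Set table without a heading, which is fine, but "blocked invalid tcp packets" and "blocked invalid ct packets" should use the same wording as the feature bullet ("spoofed tcp flags", "invalid conntrack packets") so readers can map counters to the features.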
**banIP runtime information**
```
-root@blackhole:/etc/config$ /etc/init.d/banip status
+~# /etc/init.d/banip status
::: banIP runtime information
+ status : active (nft: ✔, monitor: ✔)
- + version : 0.9.0-1
- + element_count : 111094
- + active_feeds : allowlistv4MAC, allowlistv6MAC, allowlistv4, allowlistv6, cinsscorev4, deblv4, countryv6, countryv4, deblv6, dropv6, dropv4, dohv6, dohv4, threatviewv4, firehol1v4, ipthreatv4, firehol2v4, urlvirv4, urlhausv4, blocklistv4MAC, blocklistv6MAC, blocklistv4, blocklistv6
- + active_devices : wan: br-wan, 10g-1 / wan-if: wan, wan6 / vlan-allow: - / vlan-block: -
- + active_uplink : 91.63.198.120, 2a12:810c:0:80:a20d:52c3:5cf:f4f
- + nft_info : priority: -200, policy: performance, loglevel: warn, expiry: -
+ + version : 0.9.5-r1
+ + element_count : 335706
+ + active_feeds : allowlistv4MAC, allowlistv6MAC, allowlistv4, allowlistv6, adguardtrackersv6, adguardtrackersv4, becyberv4, cinsscorev4, deblv4, countryv6, countryv4, deblv6, dropv6, dohv4, dropv4, dohv6, threatv4, firehol1v4, ipthreatv4, firehol2v4, turrisv4, blocklistv4MAC, blocklistv6MAC, blocklistv4, blocklistv6
+ + active_devices : wan: pppoe-wan / wan-if: wan, wan_6 / vlan-allow: - / vlan-block: -
+ + active_uplink : 217.83.205.130, fe80::9cd6:12e9:c4df:75d3, 2003:ed:b5ff:43bd:9cd5:12e7:c3ef:75d8
+ + nft_info : priority: 0, policy: performance, loglevel: warn, expiry: 2h
+ run_info : base: /mnt/data/banIP, backup: /mnt/data/banIP/backup, report: /mnt/data/banIP/report
- + run_flags : auto: ✔, proto (4/6): ✔/✔, log (wan-inp/wan-fwd/lan-fwd): ✔/✔/✔, dedup: ✔, split: ✘, custom feed: ✘, allowed only: ✘
- + last_run : action: reload, fetch: curl, duration: 0m 36s, date: 2023-07-16 06:59:28
- + system_info : cores: 4, memory: 1663, device: Bananapi BPI-R3, OpenWrt SNAPSHOT r23565-8fb0c196e8
+ + run_flags : auto: ✔, proto (4/6): ✔/✔, log (pre/inp/fwd/lan): ✔/✘/✘/✘, dedup: ✔, split: ✘, custom feed: ✘, allowed only: ✘
+ + last_run : action: reload, log: logread, fetch: curl, duration: 2m 33s, date: 2024-04-17 05:57:56
+ + system_info : cores: 4, memory: 1573, device: Bananapi BPI-R3, OpenWrt SNAPSHOT r25932-338b463e1e
```
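Review bot: the active\_uplink line in the sample output publishes what looks like a real public IPv4 address and a global IPv6 address of the maintainer's uplink; documentation examples should use documentation ranges (192.0.2.0/24, 2001:db8::/32) or a masked value. Also the nft\_info line reports "priority: 0", which disagrees with the new documented default of -100 in the options table above; please regenerate the example or note that the value was customised.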
**banIP search information**
list ban_logterm 'error: maximum authentication attempts exceeded'
list ban_logterm 'sshd.*Connection closed by.*\[preauth\]'
list ban_logterm 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress='
+list ban_logterm 'received a suspicious remote IP '\''.*'\'''
```
**allow-/blocklist handling**
Both local lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be extracted and added to the Sets. You can also start the domain lookup separately via /etc/init.d/banip lookup at any time.
**allowlist-only mode**
-banIP supports an "allowlist only" mode. This option restricts the internet access from/to a small number of secure MACs, IPs or domains, and block access from/to the rest of the internet. All IPs and Domains which are _not_ listed in the allowlist (plus the external Allowlist URLs) are blocked.
+banIP supports an "allowlist only" mode. This option skips all blocklists and restricts the internet access only to specific, explicitly allowed IP segments - and block access to the rest of the internet. All IPs which are _not_ listed in the allowlist (plus the external Allowlist URLs) are blocked.
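Review bot: "and block access to the rest of the internet" should be "and blocks access"; the rewritten sentence also drops the previous mention of MACs and domains, while the allow-/blocklist paragraph just above still says domain names are accepted, so it is unclear whether allowlist-only mode honours domain entries. Suggest "explicitly allowed MACs, IPs or domains" if that is still the case, or an explicit statement that only IP segments are honoured in this mode.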
**MAC/IP-binding**
-banIP supports concatenation of local MAC addresses with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments. Following notations in the local allow and block lists are allowed:
+banIP supports concatenation of local MAC addresses/ranges with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments. Following notations in the local allow and block lists are allowed:
```
MAC-address only:
C8:C2:9B:F7:80:12 => this will be populated to the v4MAC- and v6MAC-Sets with the IP-wildcards 0.0.0.0/0 and ::/0
+MAC-address range:
+C8:C2:9B:F7:80:12/24 => this populate the MAC-range C8:C2:9B:00:00:00", "C8:C2:9B:FF:FF:FF to the v4MAC- and v6MAC-Sets with the IP-wildcards 0.0.0.0/0 and ::/0
+
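Review bot: the MAC-range example line has stray quotation marks and a grammar slip: "this populate the MAC-range C8:C2:9B:00:00:00", "C8:C2:9B:FF:FF:FF to the ..." should read "this populates the MAC range C8:C2:9B:00:00:00 - C8:C2:9B:FF:FF:FF to the ...". It is also worth stating the unit of the suffix explicitly (a /24 on a 48-bit MAC masks the first three octets, i.e. the OUI), since "/24" is easily misread as an IPv4 prefix length in this context.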
MAC-address with IPv4 concatenation:
C8:C2:9B:F7:80:12 192.168.1.10 => this will be populated only to v4MAC-Set with the certain IP, no entry in the v6MAC-Set
C8:C2:9B:F7:80:12 => this will be populated to v6MAC-Set with the IP-wildcard ::/0
```
+**enable the cgi interface to receive remote logging events**
+banIP ships a basic cgi interface in '/www/cgi-bin/banip' to receive remote logging events (disabled by default). The cgi interface evaluates logging events via GET or POST request (see examples below). To enable the cgi interface set the following options:
+
+ * set 'ban_remotelog' to '1' to enbale the cgi interface
+ * set 'ban_remotetoken' to a secret transfer token, allowed token characters consist of '[A-Za-z]', '[0-9]', '.' and ':'
+
+ Examples to transfer remote logging events from an internal server to banIP via cgi interface:
+
+ * POST request: curl --insecure --data "<ban_remotetoken>=<suspicious IP>" https://192.168.1.1/cgi-bin/banip
+ * GET request: wget --no-check-certificate https://192.168.1.1/cgi-bin/banip?<ban_remotetoken>=<suspicious IP>
+
+Please note: for security reasons use this cgi interface only internally and only encrypted via https transfer protocol.
+
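Review bot: the curl and wget examples disable certificate verification (--insecure, --no-check-certificate), which contradicts the closing sentence that the interface must only be used "encrypted via https"; with verification off, the token and the submitted IP are exposed to anyone who can intercept the LAN path. Suggest recommending that the router's uhttpd certificate be installed on the sending host (or pinned), and showing the verified form as the primary example. The GET variant also places the secret token in the URL, where it ends up in the sending tool's history and in the receiving web server's access log; the POST form should be the preferred one and the GET form marked as less safe. Please also document what the cgi script does with the submitted value: whether it validates it as an IPv4/IPv6 literal before writing it to the log that ban\_logterm matches, and that anyone holding the token can get arbitrary addresses blocked (a denial-of-service lever if the token leaks). Finally, "enbale" should be "enable", and it would help to say whether ban\_remotetoken is compared in constant time.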
**redirect Asterisk security logs to lodg/logread**
banIP only supports logfile scanning via logread, so to monitor attacks on Asterisk, its security log must be available via logread. To do this, edit '/etc/asterisk/logger.conf' and add the line 'syslog.local0 = security', then run 'asterisk -rx reload logger' to update the running Asterisk configuration.
```
Finally add a valid E-Mail receiver address.
-**change existing banIP feeds or add a new one**
+**change existing banIP feeds or add port limitations**
The banIP default blocklist feeds are stored in an external JSON file '/etc/banip/banip.feeds'. All custom changes should be stored in an external JSON file '/etc/banip/banip.custom.feeds' (empty by default). It's recommended to use the LuCI based Custom Feed Editor to make changes to this file.
A valid JSON source object contains the following information, e.g.:
```
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
"descr": "tor exit nodes",
- "flag": ""
+ "flag": "tcp 80-89 443"
},
[...]
```
-Add an unique feed name (no spaces, no special chars) and make the required changes: adapt at least the URL, the regex and the description for a new feed. The flag is optional, currently only 'gz' is supported to process archive downloads.
+Add an unique feed name (no spaces, no special chars) and make the required changes: adapt at least the URL, the regex and the description for a new feed.
+Please note: the flag field is optional, it's a space separated list of options: supported are 'gz' as an archive format, protocols 'tcp' or 'udp' with port numbers/port ranges for destination port limitations.
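Review bot: the flag description should state the exact grammar, since the example "tcp 80-89 443" mixes a range and a single port: whether 'gz' can be combined with a protocol in one string, whether both 'tcp' and 'udp' may appear in one flag value, and that ports without a preceding protocol keyword are rejected. The heading was changed to "or add port limitations" but the sentence still only talks about adding a new feed; a clause such as "or, for an existing feed, only the flag field" would match the new heading. Also "Add an unique feed name" should be "Add a unique feed name".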
## Support
Please join the banIP discussion in this [forum thread](https://forum.openwrt.org/t/banip-support-thread/16985) or contact me by mail <dev@brenken.org>