PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
PKG_BUILD_DEPENDS:=icu/host
+HOST_BUILD_DEPENDS:=python3/host
include $(INCLUDE_DIR)/package.mk
include $(INCLUDE_DIR)/host-build.mk
include $(TOPDIR)/rules.mk
PKG_NAME:=banip
-PKG_VERSION:=0.2.1
+PKG_VERSION:=0.3.0
PKG_RELEASE:=1
PKG_LICENSE:=GPL-3.0-or-later
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
SECTION:=net
CATEGORY:=Network
TITLE:=Ban incoming and/or outgoing ip adresses via ipsets
- DEPENDS:=+jshn +jsonfilter +ip +ipset +iptables
+ DEPENDS:=+jshn +jsonfilter +ip +ipset +iptables +ca-bundle
PKGARCH:=all
endef
define Package/banip/install
$(INSTALL_DIR) $(1)/usr/bin
- $(INSTALL_BIN) ./files/banip.sh $(1)/usr/bin/
+ $(INSTALL_BIN) ./files/banip.sh $(1)/usr/bin
$(INSTALL_DIR) $(1)/etc/init.d
$(INSTALL_BIN) ./files/banip.init $(1)/etc/init.d/banip
$(INSTALL_CONF) ./files/banip.conf $(1)/etc/config/banip
$(INSTALL_DIR) $(1)/etc/banip
- $(INSTALL_CONF) ./files/banip.blacklist $(1)/etc/banip/
- $(INSTALL_CONF) ./files/banip.whitelist $(1)/etc/banip/
-
+ $(INSTALL_BIN) ./files/banip.service $(1)/etc/banip
+ $(INSTALL_CONF) ./files/banip.blacklist $(1)/etc/banip
+ $(INSTALL_CONF) ./files/banip.whitelist $(1)/etc/banip
+
$(INSTALL_DIR) $(1)/etc/hotplug.d/firewall
$(INSTALL_DATA) ./files/banip.hotplug $(1)/etc/hotplug.d/firewall/30-banip
endef
# banIP - ban incoming and/or outgoing ip adresses via ipsets
## Description
-IP address blocking is commonly used to protect against brute force attacks, prevent disruptive or unautherized address(es) from access or it can be used to restrict access to or from a particular geographic area — for example.
+IP address blocking is commonly used to protect against brute force attacks, prevent disruptive or unauthorized address(es) from access or it can be used to restrict access to or from a particular geographic area — for example.
## Main Features
* support many IP blocklist sources (free for private usage, for commercial use please check their individual licenses):
* zero-conf like automatic installation & setup, usually no manual changes needed
-* supports four different download utilities: uclient-fetch, wget, curl, aria2c
+* automatically selects one of the following download utilities: aria2c, curl, uclient-fetch, wget
* Really fast downloads & list processing as they are handled in parallel as background jobs in a configurable 'Download Queue'
* full IPv4 and IPv6 support
* ipsets (one per source) are used to ban a large number of IP addresses
* supports blocking by ASN numbers
* supports blocking by iso country codes
* supports local white & blacklist (IPv4, IPv6 & CIDR notation), located by default in /etc/banip/banip.whitelist and /etc/banip/banip.blacklist
-* auto-add unsuccessful ssh login attempts to 'dropbear' or 'sshd' to local blacklist (see 'ban_autoblacklist' option)
+* auto-add unsuccessful LuCI and ssh login attempts via 'dropbear' or 'sshd' to local blacklist (see 'ban_autoblacklist' option)
* auto-add the uplink subnet to local whitelist (see 'ban_autowhitelist' option)
+* provides a small background log monitor to ban unsuccessful login attempts in real-time
* per source configuration of SRC (incoming) and DST (outgoing)
* integrated IPSet-Lookup
* integrated RIPE-Lookup
## Prerequisites
* [OpenWrt](https://openwrt.org), tested with the stable release series (19.07) and with the latest snapshot
-* a download utility:
- * to support all blocklist sources a full version with ssl support of 'wget', 'uclient-fetch' with one of the 'libustream-*' ssl libraries, 'aria2c' or 'curl' is required
+* download utility: 'uclient-fetch' with one of the 'libustream-*' ssl libraries, 'wget', 'aria2c' or 'curl' is required
## Installation & Usage
* install 'banip' (_opkg install banip_)
* the following options apply to the 'global' config section:
* ban\_enabled => main switch to enable/disable banIP service (bool/default: '0', disabled)
* ban\_automatic => determine the L2/L3 WAN network device automatically (bool/default: '1', enabled)
- * ban\_fetchutil => name of the used download utility: 'uclient-fetch', 'wget', 'curl', 'aria2c', 'wget-nossl'. 'busybox' (default: 'uclient-fetch')
- * ban\_iface => space separated list of WAN network interface(s)/device(s) used by banIP (default: automatically set by banIP ('ban_automatic'))
+ * ban\_iface => space separated list of WAN network interface(s)/device(s) used by banIP (default: not set, automatically detected)
+ * ban\_realtime => a small log/banIP background monitor to block SSH/LuCI brute force attacks in realtime (bool/default: 'false', disabled)
* the following options apply to the 'extra' config section:
* ban\_debug => enable/disable banIP debug output (bool/default: '0', disabled)
* ban\_triggerdelay => additional trigger delay in seconds before banIP processing begins (int/default: '2')
* ban\_backupdir => target directory for banIP backups (default: '/tmp')
* ban\_sshdaemon => select the SSH daemon for logfile parsing, 'dropbear' or 'sshd' (default: 'dropbear')
- * ban\_starttype => select the used start type during boot, 'start' or 'reload' (default: 'start')
+ * ban\_starttype => select the used start type during boot, 'start', 'refresh' or 'reload' (default: 'start')
* ban\_maxqueue => size of the download queue to handle downloads & IPSet processing in parallel (int/default: '4')
+ * ban\_fetchutil => name of the used download utility: 'uclient-fetch', 'wget', 'curl', 'aria2c' (default: not set, automatically detected)
* ban\_fetchparm => special config options for the download utility (default: not set)
* ban\_autoblacklist => store auto-addons temporary in ipset and permanently in local blacklist as well (bool/default: '1', enabled)
* ban\_autowhitelist => store auto-addons temporary in ipset and permanently in local whitelist as well (bool/default: '1', enabled)
/etc/init.d/banip status
::: banIP runtime information
+ status : enabled
- + version : 0.2.0
- + fetch_info : /bin/uclient-fetch (libustream-ssl)
- + ipset_info : 11 IPSets with overall 118359 IPs/Prefixes
+ + version : 0.3.0
+ + util_info : /usr/bin/aria2c, true
+ + ipset_info : 10 IPSets with overall 106729 IPs/Prefixes
+ backup_dir : /tmp
- + last_run : 09.09.2019 16:49:40
- + system : UBNT-ERX, OpenWrt SNAPSHOT r10962-c19b9f9a26
+ + last_run : 03.10.2019 19:15:25
+ + system : UBNT-ERX, OpenWrt SNAPSHOT r11102-ced4c0e635
</code></pre>
**cronjob for a regular IPSet blocklist update (/etc/crontabs/root):**
config banip 'global'
option ban_enabled '0'
+ option ban_basever '0.3'
option ban_automatic '1'
- option ban_fetchutil 'uclient-fetch'
- option ban_iface 'wan'
+ option ban_realtime 'false'
config banip 'extra'
option ban_debug '0'
USE_PROCD=1
EXTRA_COMMANDS="refresh status"
-EXTRA_HELP=" refresh Refresh ipsets only (no new download!)
+EXTRA_HELP=" refresh Refresh ipsets without new list downloads
status Print runtime information"
ban_init="/etc/init.d/banip"
rc_procd "${ban_script}" stop
}
-status()
+status_service()
{
- local key keylist value
+ local key keylist value
local rtfile="$(uci_get banip global ban_rtfile "/tmp/ban_runtime.json")"
json_load_file "${rtfile}" >/dev/null 2>&1
service_triggers()
{
- local ban_iface="$(uci_get banip global ban_iface)"
+ local iface iface_list="$(uci_get banip global ban_iface)"
local delay="$(uci_get banip extra ban_triggerdelay "2")"
local type="$(uci_get banip extra ban_starttype "start")"
PROCD_RELOAD_DELAY=$((${delay}*1000))
- if [ -n "${ban_iface}" ]
+ if [ -n "${iface_list}" ]
then
- for iface in ${ban_iface}
+ for iface in ${iface_list}
do
procd_add_interface_trigger "interface.*.up" "${iface}" "${ban_init}" "${type}"
done
--- /dev/null
+#!/bin/sh
+# log service to trace failed ssh/luci logins and conditionally refresh banIP
+# written by Dirk Brenken (dev@brenken.org)
+
+# This is free software, licensed under the GNU General Public License v3.
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+LC_ALL=C
+PATH="/usr/sbin:/usr/bin:/sbin:/bin"
+
+if [ -r "/lib/functions.sh" ]
+then
+ . "/lib/functions.sh"
+ ban_sshdaemon="$(uci_get banip extra ban_sshdaemon "dropbear")"
+fi
+ban_ver="${1}"
+ban_log="$(command -v logread)"
+
+if [ -x "${ban_log}" ]
+then
+ logger -p "info" -t "banIP-${ban_ver}[${$}]" "log/banIP service started"
+ "${ban_log}" -f -e "${ban_sshdaemon}\|luci: failed login" | \
+ { grep -qE "Exit before auth|luci: failed login|[0-9]+ \[preauth\]$"; [ $? -eq 0 ] && /etc/init.d/banip refresh; }
+else
+ logger -p "err" -t "banIP-${ban_ver}[${$}]" "can't start log/banIP service"
+fi
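Review bot: The monitor is single-shot: `grep -qE` returns on the first matching line, the pipeline ends and the script exits, so after one failed login the only thing that re-arms real-time banning is the `/etc/init.d/banip refresh` it triggers calling f_bgserv "start" at the end of f_main. Any error inside that refresh (f_log "err" destroys the ipsets and exits 1 before f_main gets there, per the banip.sh hunk on this page) leaves no monitor running, and nothing logs that real-time mode has stopped. I would at least make the exit visible, replacing the last stage with `{ grep -qE "Exit before auth|luci: failed login|[0-9]+ \[preauth\]$" && /etc/init.d/banip refresh; logger -p "info" -t "banIP-${ban_ver}[${$}]" "log/banIP service stopped"; }` (the `[ $? -eq 0 ] &&` is just `&&`), and consider re-arming the monitor from banip.sh's error branch when ban_realtime is true. If /lib/functions.sh is unreadable, ban_sshdaemon stays empty and the `-e "\|luci: failed login"` filter has an empty alternative, which presumably matches every log line; a default like `ban_sshdaemon="${ban_sshdaemon:-dropbear}"` after the if-block would guard that.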
#
LC_ALL=C
PATH="/usr/sbin:/usr/bin:/sbin:/bin"
-ban_ver="0.2.1"
+ban_ver="0.3.0"
+ban_basever=""
ban_enabled=0
ban_automatic="1"
ban_sources=""
ban_maxqueue=4
ban_autoblacklist=1
ban_autowhitelist=1
-ban_fetchutil="uclient-fetch"
+ban_realtime="false"
+ban_fetchutil=""
ban_ip="$(command -v ip)"
ban_ipt="$(command -v iptables)"
ban_ipt_save="$(command -v iptables-save)"
ban_action="${1:-"start"}"
ban_pidfile="/var/run/banip.pid"
ban_rtfile="/tmp/ban_runtime.json"
+ban_logservice="/etc/banip/banip.service"
ban_sshdaemon="dropbear"
ban_setcnt=0
ban_cnt=0
config_load banip
config_foreach parse_config source
+ # version check
+ #
+ if [ -z "${ban_basever}" ] || [ "${ban_ver%.*}" != "${ban_basever}" ]
+ then
+ f_log "info" "your banIP config seems to be too old, please update your config with the '--force-maintainer' opkg option"
+ exit 0
+ fi
+
# create temp directory & files
#
f_temp
#
if [ "${ban_enabled}" -eq 0 ]
then
+ f_bgserv "stop"
f_jsnup disabled
f_ipset destroy
f_rmbackup
#
f_envcheck()
{
- local ssl_lib tmp
+ local util utils packages tmp cnt=0
# check backup directory
#
# check fetch utility
#
- case "${ban_fetchutil}" in
- "uclient-fetch")
- if [ -f "/lib/libustream-ssl.so" ]
+ if [ -z "${ban_fetchutil}" ]
+ then
+ utils="aria2c curl wget uclient-fetch"
+ packages="$(opkg list-installed 2>/dev/null)"
+ for util in ${utils}
+ do
+ if { [ "${util}" = "uclient-fetch" ] && [ -n "$(printf "%s\\n" "${packages}" | grep "^libustream-")" ]; } || \
+ { [ "${util}" = "wget" ] && [ -n "$(printf "%s\\n" "${packages}" | grep "^wget -")" ]; } || \
+ { [ "${util}" != "uclient-fetch" ] && [ "${util}" != "wget" ]; }
then
- ban_fetchparm="${ban_fetchparm:-"--timeout=20 --no-check-certificate -O"}"
- ssl_lib="libustream-ssl"
+ ban_fetchutil="$(command -v "${util}")"
+ if [ -x "${ban_fetchutil}" ]
+ then
+ break
+ fi
fi
- ;;
- "wget")
- ban_fetchparm="${ban_fetchparm:-"--no-cache --no-cookies --max-redirect=0 --timeout=20 --no-check-certificate -O"}"
- ssl_lib="built-in"
+ unset ban_fetchutil util
+ done
+ else
+ util="${ban_fetchutil}"
+ ban_fetchutil="$(command -v "${util}")"
+ if [ ! -x "${ban_fetchutil}" ]
+ then
+ unset ban_fetchutil util
+ fi
+ fi
+ case "${util}" in
+ "aria2c")
+ ban_fetchparm="${ban_fetchparm:-"--timeout=20 --allow-overwrite=true --auto-file-renaming=false --check-certificate=true --dir=" " -o"}"
;;
"curl")
- ban_fetchparm="${ban_fetchparm:-"--connect-timeout 20 --insecure -o"}"
- ssl_lib="built-in"
+ ban_fetchparm="${ban_fetchparm:-"--connect-timeout 20 -o"}"
;;
- "aria2c")
- ban_fetchparm="${ban_fetchparm:-"--timeout=20 --allow-overwrite=true --auto-file-renaming=false --check-certificate=false -o"}"
- ssl_lib="built-in"
+ "uclient-fetch")
+ ban_fetchparm="${ban_fetchparm:-"--timeout=20 -O"}"
+ ;;
+ "wget")
+ ban_fetchparm="${ban_fetchparm:-"--no-cache --no-cookies --max-redirect=0 --timeout=20 -O"}"
;;
esac
- ban_fetchutil="$(command -v "${ban_fetchutil}")"
- ban_fetchinfo="${ban_fetchutil:-"-"} (${ssl_lib:-"-"})"
-
- if [ ! -x "${ban_fetchutil}" ] || [ -z "${ban_fetchutil}" ] || [ -z "${ban_fetchparm}" ]
+ if [ -z "${ban_fetchutil}" ] || [ -z "${ban_fetchparm}" ]
then
- f_log "err" "download utility not found, please install 'uclient-fetch' with the 'libustream-mbedtls' ssl library or the full 'wget' package"
+ f_log "err" "download utility with SSL support not found, please install 'uclient-fetch' with a 'libustream-*' variant or another download utility like 'wget', 'curl' or 'aria2'"
fi
# get wan device and wan subnets
#
if [ "${ban_automatic}" = "1" ]
then
- network_find_wan ban_iface
- if [ -z "${ban_iface}" ]
- then
- network_find_wan6 ban_iface
- fi
+ while [ "${cnt}" -le 30 ]
+ do
+ network_find_wan ban_iface
+ if [ -z "${ban_iface}" ]
+ then
+ network_find_wan6 ban_iface
+ fi
+ if [ -z "${ban_iface}" ]
+ then
+ network_flush_cache
+ cnt=$((cnt+1))
+ sleep 1
+ else
+ break
+ fi
+ done
fi
for iface in ${ban_iface}
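Review bot: The new config version check near the top of this hunk exits with status 0 when ban_basever is missing or stale, so procd, cron and the init script all see a successful start although no ipsets or iptables rules were created, and because neither f_jsnup nor f_log "err" runs, `/etc/init.d/banip status` keeps reporting the previous run's state. I would route it through the existing error path, `f_log "err" "your banIP config seems to be too old, please update your config with the '--force-maintainer' opkg option"`, which records `status: error` and exits 1, or at minimum call `f_jsnup error` before an `exit 1` (f_jsnup is called unguarded a few lines below, so its helpers appear to be available at that point). Separately, the TLS-capability test (a libustream-* package for uclient-fetch, a full wget package for wget) only runs in the auto-detect branch; when ban_fetchutil is set explicitly the else-branch merely checks that the binary is executable, so the message "download utility with SSL support not found" does not describe what that path guarantees and a non-SSL uclient-fetch only fails later, per download. Applying the same `opkg list-installed` grep to the configured utility would make both branches consistent. The enclosing functions start before and continue after this hunk.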
if [ -z "${ban_iface}" ] || [ -z "${ban_dev}" ]
then
f_log "err" "wan interface(s)/device(s) (${ban_iface:-"-"}/${ban_dev:-"-"}) not found, please please check your configuration"
+ else
+ ban_dev_all="$(${ban_ip} link show | awk 'BEGIN{FS="[@: ]"}/^[0-9:]/{if(($3!="lo")&&($3!="br-lan")){print $3}}')"
+ f_jsnup "running"
+ f_log "info" "start banIP processing (${ban_action})"
fi
- ban_dev_all="$(${ban_ip} link show | awk 'BEGIN{FS="[@: ]"}/^[0-9:]/{if(($3!="lo")&&($3!="br-lan")){print $3}}')"
- uci_set banip global ban_iface "${ban_iface}"
- uci_commit banip
-
- f_jsnup "running"
- f_log "info" "start banIP processing (${ban_action})"
}
# create temporary files and directories
if [ -n "${log_msg}" ] && { [ "${class}" != "debug" ] || [ "${ban_debug}" -eq 1 ]; }
then
- logger -p "${class}" -t "banIP-[${ban_ver}]" "${log_msg}"
+ logger -p "${class}" -t "banIP-${ban_ver}[${$}]" "${log_msg}"
if [ "${class}" = "err" ]
then
f_jsnup error
f_ipset destroy
f_rmbackup
f_rmtemp
- logger -p "${class}" -t "banIP-[${ban_ver}]" "Please also check 'https://github.com/openwrt/packages/blob/master/net/banip/files/README.md'"
+ logger -p "${class}" -t "banIP-${ban_ver}[${$}]" "Please also check 'https://github.com/openwrt/packages/blob/master/net/banip/files/README.md'"
exit 1
fi
fi
}
+# start log service to trace failed ssh/luci logins
+#
+f_bgserv()
+{
+ local bg_pid status="${1}"
+
+ bg_pid="$(pgrep -f "^/bin/sh ${ban_logservice}.*|^logread -f -e ${ban_sshdaemon}\|luci: failed login|^grep -qE Exit before auth|luci: failed login|[0-9]+ \[preauth\]$" | awk '{ORS=" "; print $1}')"
+ if [ -z "${bg_pid}" ] && [ "${status}" = "start" ] \
+ && [ -x "${ban_logservice}" ] && [ "${ban_realtime}" = "true" ]
+ then
+ ( "${ban_logservice}" "${ban_ver}" &)
+ elif [ -n "${bg_pid}" ] && [ "${status}" = "stop" ]
+ then
+ kill -HUP "${bg_pid}" 2>/dev/null
+ fi
+ f_log "debug" "f_bgserv ::: status: ${status:-"-"}, bg_pid: ${bg_pid:-"-"}, ban_realtime: ${ban_realtime:-"-"}, log_service: ${ban_logservice:-"-"}"
+}
+
# main function for banIP processing
#
f_main()
{
local pid pid_list start_ts end_ts ip tmp_raw tmp_cnt tmp_load tmp_file mem_total mem_free cnt=1
- local src_name src_on src_url src_rset src_setipv src_settype src_ruletype src_cat src_log src_addon src_rc
- local wan_input wan_forward lan_input lan_forward target_src target_dst log_content
+ local src_name src_on src_url src_rset src_setipv src_settype src_ruletype src_cat src_log src_addon src_ts src_rc
+ local wan_input wan_forward lan_input lan_forward target_src target_dst ssh_log luci_log
- log_content="$(logread -e "${ban_sshdaemon}")"
+ ssh_log="$(logread -e "${ban_sshdaemon}" | grep -o "${ban_sshdaemon}.*" | sed 's/:[0-9]*$//g')"
+ luci_log="$(logread -e "luci: failed login" | grep -o "luci:.*")"
mem_total="$(awk '/^MemTotal/ {print int($2/1000)}' "/proc/meminfo" 2>/dev/null)"
mem_free="$(awk '/^MemFree/ {print int($2/1000)}' "/proc/meminfo" 2>/dev/null)"
- f_log "debug" "f_main ::: fetch_util: ${ban_fetchinfo:-"-"}, fetch_parm: ${ban_fetchparm:-"-"}, ssh_daemon: ${ban_sshdaemon}, interface(s): ${ban_iface:-"-"}, device(s): ${ban_dev:-"-"}, all_devices: ${ban_dev_all:-"-"}, backup_dir: ${ban_backupdir:-"-"}, mem_total: ${mem_total:-0}, mem_free: ${mem_free:-0}, max_queue: ${ban_maxqueue}"
-
- f_ipset initial
+ f_log "debug" "f_main ::: fetch_util: ${ban_fetchutil:-"-"}, fetch_parm: ${ban_fetchparm:-"-"}, ssh_daemon: ${ban_sshdaemon}, interface(s): ${ban_iface:-"-"}, device(s): ${ban_dev:-"-"}, all_devices: ${ban_dev_all:-"-"}, backup_dir: ${ban_backupdir:-"-"}, mem_total: ${mem_total:-0}, mem_free: ${mem_free:-0}, max_queue: ${ban_maxqueue}"
# main loop
#
+ f_ipset initial
for src_name in ${ban_sources}
do
unset src_on
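Review bot: The pgrep pattern in f_bgserv is an ERE alternation whose last two alternatives, `luci: failed login` and `[0-9]+ \[preauth\]$`, are unanchored, and every PID it returns receives `kill -HUP`, so a stop or refresh can SIGHUP any unrelated process whose command line happens to contain those strings, for example an administrator's interactive `logread -e "luci: failed login"` or a grep over the log. Unless the regex library treats `\|` as alternation, the `^logread -f -e ${ban_sshdaemon}\|luci: failed login` alternative is looking for a literal `|` while the real logread argument carries a backslash, so the logread child is most likely only caught by the stray unanchored alternative. I would anchor every alternative on the commands banip.service actually spawns, e.g. `pgrep -f "^/bin/sh ${ban_logservice}|^logread -f -e ${ban_sshdaemon}|^grep -qE Exit before auth"`, or have the service write its own PID to a file and have f_bgserv kill by that instead of by pattern. f_main's body continues beyond this hunk.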
"blacklist")
if [ "${ban_sshdaemon}" = "dropbear" ]
then
- pid_list="$(printf "%s\\n" "${log_content}" | grep -F "Exit before auth" | awk 'match($0,/(\[[0-9]+\])/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
+ pid_list="$(printf "%s\\n" "${ssh_log}" | grep -F "Exit before auth" | awk 'match($0,/(\[[0-9]+\])/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
for pid in ${pid_list}
do
- src_addon="${src_addon} $(printf "%s\\n" "${log_content}" | grep -F "${pid}" | awk 'match($0,/([0-9]{1,3}\.){3}[0-9]{1,3}/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
+ src_addon="${src_addon} $(printf "%s\\n" "${ssh_log}" | grep -F "${pid}" | awk 'match($0,/([0-9]{1,3}\.){3}[0-9]{1,3}$/){ORS=" ";print substr($0,RSTART,RLENGTH);exit}')"
done
elif [ "${ban_sshdaemon}" = "sshd" ]
then
- src_addon="$(printf "%s\\n" "${log_content}" | grep -E "[0-9]+ \[preauth\]$" | awk 'match($0,/([0-9]{1,3}\.){3}[0-9]{1,3}/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
+ src_addon="$(printf "%s\\n" "${ssh_log}" | grep -E "[0-9]+ \[preauth\]$" | awk 'match($0,/([0-9]{1,3}\.){3}[0-9]{1,3}$/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
fi
+ src_addon="${src_addon} $(printf "%s\\n" "${luci_log}" | awk 'match($0,/([0-9]{1,3}\.){3}[0-9]{1,3}$/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
;;
"blacklist_6")
if [ "${ban_sshdaemon}" = "dropbear" ]
then
- pid_list="$(printf "%s\\n" "${log_content}" | grep -F "Exit before auth" | awk 'match($0,/(\[[0-9]+\])/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
+ pid_list="$(printf "%s\\n" "${ssh_log}" | grep -F "Exit before auth" | awk 'match($0,/(\[[0-9]+\])/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
for pid in ${pid_list}
do
- src_addon="${src_addon} $(printf "%s\\n" "${log_content}" | grep -F "${pid}" | awk 'match($0,/([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
+ src_addon="${src_addon} $(printf "%s\\n" "${ssh_log}" | grep -F "${pid}" | awk 'match($0,/(([0-9A-f]{0,4}::?){1,7}[0-9A-f]{0,4}$)/){ORS=" ";print substr($0,RSTART,RLENGTH);exit}')"
done
elif [ "${ban_sshdaemon}" = "sshd" ]
then
- src_addon="$(printf "%s\\n" "${log_content}" | grep -E "[0-9]+ \[preauth\]$" | awk 'match($0,/([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
+ src_addon="$(printf "%s\\n" "${ssh_log}" | grep -E "[0-9]+ \[preauth\]$" | awk 'match($0,/(([0-9A-f]{0,4}::?){1,7}[0-9A-f]{0,4}$)/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
fi
+ src_addon="${src_addon} $(printf "%s\\n" "${luci_log}" | awk 'match($0,/(([0-9A-f]{0,4}::?){1,7}[0-9A-f]{0,4}$)/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
;;
esac
for ip in ${src_addon}
if { [ "${src_name//_*/}" = "blacklist" ] && [ "${ban_autoblacklist}" -eq 1 ]; } || \
{ [ "${src_name//_*/}" = "whitelist" ] && [ "${ban_autowhitelist}" -eq 1 ]; }
then
- printf "%s\\n" "${ip}" >> "${src_url}"
+ src_ts="# auto-added $(date "+%d.%m.%Y %H:%M:%S")"
+ printf "%s %s\\n" "${ip}" "${src_ts}" >> "${src_url}"
fi
fi
done
ban_cnt="$((ban_cnt+cnt))"
done
f_log "info" "${ban_setcnt} IPSets with overall ${ban_cnt} IPs/Prefixes loaded successfully (${ban_sysver})"
+ f_bgserv "start"
f_jsnup
f_rmtemp
}
{
local rundate status="${1:-"enabled"}"
- rundate="$(/bin/date "+%d.%m.%Y %H:%M:%S")"
+ rundate="$(date "+%d.%m.%Y %H:%M:%S")"
ban_cntinfo="${ban_setcnt} IPSets with overall ${ban_cnt} IPs/Prefixes"
> "${ban_rtfile}"
json_add_object "data"
json_add_string "status" "${status}"
json_add_string "version" "${ban_ver}"
- json_add_string "fetch_info" "${ban_fetchinfo:-"-"}"
+ json_add_string "util_info" "${ban_fetchutil:-"-"}, ${ban_realtime:-"-"}"
json_add_string "ipset_info" "${ban_cntinfo:-"-"}"
json_add_string "backup_dir" "${ban_backupdir}"
json_add_string "last_run" "${rundate:-"-"}"
f_envload
case "${ban_action}" in
"stop")
+ f_bgserv "stop"
f_jsnup stopped
f_ipset destroy
f_rmbackup
f_rmtemp
;;
"start"|"restart"|"reload"|"refresh")
+ f_bgserv "stop"
f_envcheck
f_main
;;
PKG_NAME:=simple-adblock
PKG_VERSION:=1.8.1
-PKG_RELEASE:=7
+PKG_RELEASE:=11
PKG_MAINTAINER:=Stan Grishin <stangri@melmac.net>
PKG_LICENSE:=GPL-3.0-or-later
In general, whatever domain is specified to be whitelisted; it, along with with its subdomains will be whitelisted, but not any fake domains containing it.
+## How It Does Not Work
+
+For most of the [DNS Resolution Options](#dns-resolution-option) to work, your local LAN clients need to be set to use your router's DNS (by default ```192.168.1.1```). The ```dnsmasq.addnhosts``` is the only option which can help you block ads if your local LAN clients are NOT using your router's DNS. There are multiple ways your local LAN clients can be set to NOT use your router's DNS:
+
+ 1. Hardcoded on the device. Some Android Lollipop 5.0 phones, some media-centric tablets and some streaming devices for example are known to have hardcoded DNS servers and they ignore your router's DNS settings. You can fix this by either:
+ - Rooting your device and changing it from hardcoded DNS servers to obtaining DNS servers from DHCP.
+ - Enabling ```simple-adblock```'s ```force_dns``` setting to override the hardcoded DNS on your device.
+ 2. Manually set on the device. Instead of setting your device to obtain the DNS settings via DHCP, you can set the DNS servers manually. There are some guides online which recommend manually changing the DNS servers on your computer to Google's (8.8.8.8) or Cloudflare's (1.1.1.1) or OpenDNS (208.67.222.222). You can fix this by either:
+ - Changing the on-device DNS settings from manual to obtaining DNS servers from DHCP and changing your [router's DNS settings](https://openwrt.org/docs/guide-user/base-system/dhcp#all_options) to use the DNS from Google, Cloudflare or OpenDNS respectively.
+ - Enabling ```simple-adblock```'s ```force_dns``` setting to override the hardcoded DNS on your device.
+ 3. Sent to your device from router via [DHCP Options](https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#dhcp_options). You can fix this by either:
+ - Removing [DHCP Options](https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#dhcp_options) 5 and 6 from your router's ```/etc/config/dhcp``` file.
+ - Enabling ```simple-adblock```'s ```force_dns``` setting to override the hardcoded DNS on your device.
+ 4. By using the DNS-over-TLS, DNS-over-HTTPS or DNSCrypt on your local device or (if supported) by browser on your local device. You can fix this only by:
+ - Stopping/removing/disabling DNS-over-TLS, DNS-over-HTTPS or DNSCrypt on your local device and using the secure DNS on your router instead. There are merits to all three of the options above, I can recommend the ```https_dns_proxy``` and ```luci-app-https_dns_proxy``` packages for enabling DNS-over-HTTPS on your router.
+
## Documentation / Discussion
Please head to [OpenWrt Forum](https://forum.openwrt.org/t/simple-adblock-fast-lean-and-fully-uci-luci-configurable-adblocking/1327/) for discussion of this package.
option debug '0'
option compressed_cache '0'
list whitelist_domain 'raw.githubusercontent.com'
-# list blacklist_hosts_url 'http://support.it-mate.co.uk/downloads/hosts.txt'
-# list blacklist_hosts_url 'https://hostsfile.mine.nu/Hosts'
-# list blacklist_hosts_url 'https://hosts-file.net/ad_servers.txt'
-# list blacklist_hosts_url 'http://sysctl.org/cameleon/hosts'
- list blacklist_hosts_url 'http://winhelp2002.mvps.org/hosts.txt'
- list blacklist_hosts_url 'https://pgl.yoyo.org/as/serverlist.php?hostformat=hosts&showintro=1&mimetype=plaintext'
- list blacklist_hosts_url 'https://www.malwaredomainlist.com/hostslist/hosts.txt'
- list blacklist_hosts_url 'https://adaway.org/hosts.txt'
- list blacklist_hosts_url 'https://someonewhocares.org/hosts/hosts'
- list blacklist_hosts_url 'https://raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/master/hosts.txt'
- list blacklist_domains_url 'https://mirror1.malwaredomains.com/files/justdomains'
- list blacklist_domains_url 'https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt'
- list blacklist_domains_url 'https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt'
- list blacklist_domains_url 'https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt'
- list blacklist_domains_url 'https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt'
- list blacklist_domains_url 'https://ssl.bblck.me/blacklists/domain-list.txt'
- list blacklist_domains_url 'https://dshield.org/feeds/suspiciousdomains_High.txt'
-# list blacklist_domains_url 'https://dshield.org/feeds/suspiciousdomains_Medium.txt'
-# list blacklist_domains_url 'https://dshield.org/feeds/suspiciousdomains_Low.txt'
+
+# Thu Oct 3 17:54:04 PDT 2019
+# File size: 4.0K
+ list blacklist_domains_url 'https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt'
+
+# File size: 4.0K
+ list blacklist_domains_url 'https://dshield.org/feeds/suspiciousdomains_High.txt'
+
+# File size: 12.0K
+ list blacklist_domains_url 'https://ssl.bblck.me/blacklists/domain-list.txt'
+
+# File size: 44.0K
+ list blacklist_domains_url 'https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt'
+
+# File size: 44.0K
+ list blacklist_domains_url 'https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt'
+
+# File size: 52.0K
+ list blacklist_domains_url 'https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt'
+
+# File size: 60.0K
+# use just one of the dshield.org blocklists
+# list blacklist_domains_url 'https://dshield.org/feeds/suspiciousdomains_Medium.txt'
+
+# File size: 64.0K
+# use just one of the dshield.org blocklists
+# list blacklist_domains_url 'https://dshield.org/feeds/suspiciousdomains_Low.txt'
+
+# File size: 584.0K
+# blocklist too big for most routers
+# list blacklist_domains_url 'https://mirror1.malwaredomains.com/files/justdomains'
+
+# File size: 20.0K
+ list blacklist_hosts_url 'https://raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/master/hosts.txt'
+
+# File size: 36.0K
+ list blacklist_hosts_url 'https://www.malwaredomainlist.com/hostslist/hosts.txt'
+
+# File size: 80.0K
+ list blacklist_hosts_url 'https://pgl.yoyo.org/as/serverlist.php?hostformat=hosts&showintro=1&mimetype=plaintext'
+
+# File size: 388.0K
+# blocklist may be too big for some routers
+ list blacklist_hosts_url 'https://raw.githubusercontent.com/jawz101/MobileAdTrackers/master/hosts'
+
+# File size: 424.0K
+# blocklist may be too big for some routers
+ list blacklist_hosts_url 'http://winhelp2002.mvps.org/hosts.txt'
+
+# File size: 432.0K
+# blocklist may be too big for some routers
+ list blacklist_hosts_url 'https://someonewhocares.org/hosts/hosts'
+
+# File size: 624.0K
+# blocklist too big for most routers
+# list blacklist_hosts_url 'http://sysctl.org/cameleon/hosts'
+
+# File size: 1.7M
+# blocklist too big for most routers
+# list blacklist_hosts_url 'https://hosts-file.net/ad_servers.txt'
+
+# File size: 3.1M
+# blocklist too big for most routers
+# list blacklist_hosts_url 'https://hostsfile.mine.nu/Hosts'
+
+# site was down on last check
+# list blacklist_domains_url 'https://adaway.org/hosts.txt'
+
+# site was down on last check
+# list blacklist_domains_url 'http://support.it-mate.co.uk/downloads/hosts.txt'
+
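Review bot: Two of the commented-out entries changed list type while being moved: `https://adaway.org/hosts.txt` and `http://support.it-mate.co.uk/downloads/hosts.txt` were `blacklist_hosts_url` entries before and now appear as `# list blacklist_domains_url '...'`, although both are hosts-format files, so anyone re-enabling them by uncommenting will feed hosts lines to the domain-list parser. They should read `# list blacklist_hosts_url 'https://adaway.org/hosts.txt'` and `# list blacklist_hosts_url 'http://support.it-mate.co.uk/downloads/hosts.txt'`. Separately, `http://winhelp2002.mvps.org/hosts.txt` remains in the enabled set over plain HTTP (and `http://sysctl.org/cameleon/hosts` in the commented set), so content that ends up in the router's DNS configuration has no transport integrity; if those sites serve HTTPS (not verified here) the URLs should be switched, otherwise a comment noting the risk would help.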
export USE_PROCD=1
export LC_ALL=C
-export EXTRA_COMMANDS='check dl killcache status'
+export EXTRA_COMMANDS='check dl killcache sizes status'
export EXTRA_HELP=' check Checks if specified domain is found in current blacklist
dl Force-redownloads all the list
+ sizes Shows the file-sizes of enabled block-lists (by downloading them one by one)
status Shows the service last-run status'
readonly packageName='simple-adblock'
case "$1" in
download) action='download';;
restart|*)
- if [ -s "$outputFile" ] && [ -n "$status" ]; then
+ if [ -s "$outputFile" ] && [ -n "$status" ] && [ -z "$error" ]; then
status
exit 0
elif [ ! -s "$outputFile" ] && ! cacheOps 'test' && ! cacheOps 'testGzip'; then
echo "The $string is not found in current blacklist ('$outputFile')."
fi
}
+
+sizes() {
+ local i
+ load_package_config
+ echo "# $(date)"
+
+ for i in $blacklist_domains_urls; do
+ [ "${i//melmac}" != "$i" ] && continue
+ if $dl_command "$i" $dl_flag /tmp/sast 2>/dev/null && [ -s /tmp/sast ]; then
+ echo "# File size: $(du -sh /tmp/sast | awk '{print $1}')"
+ if compare_versions "$(du -sk /tmp/sast)" "500"; then
+ echo "# blocklist too big for most routers"
+ elif compare_versions "$(du -sk /tmp/sast)" "100"; then
+ echo "# blocklist may be too big for some routers"
+ fi
+ rm -rf /tmp/sast
+ echo " list blacklist_domains_url '$i'"
+ echo ""
+ else
+ echo "# site was down on last check"
+ echo "# list blacklist_domains_url '$i'"
+ echo ""
+ fi
+ done
+
+ for i in $blacklist_hosts_urls; do
+ if $dl_command "$i" $dl_flag /tmp/sast 2>/dev/null && [ -s /tmp/sast ]; then
+ echo "# File size: $(du -sh /tmp/sast | awk '{print $1}')"
+ if compare_versions "$(du -sk /tmp/sast)" "500"; then
+ echo "# blocklist too big for most routers"
+ elif compare_versions "$(du -sk /tmp/sast)" "100"; then
+ echo "# blocklist may be too big for some routers"
+ fi
+ rm -rf /tmp/sast
+ echo " list blacklist_hosts_url '$i'"
+ echo ""
+ else
+ echo "# site was down on last check"
+ echo "# list blacklist_hosts_url '$i'"
+ echo ""
+ fi
+ done
+}
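Review bot: sizes() downloads every list as root into the fixed, predictable path /tmp/sast and then `rm -rf`s it; a file or symlink pre-created at that path is followed by the downloader, which is the classic shared-/tmp race, and a leftover from an interrupted run is also what the next `[ -s /tmp/sast ]` test sees. A per-run `mktemp` name, quoted as `"$tmpf"` everywhere and removed with `rm -f` at the end, avoids both. The two loops are otherwise copy-pasted and differ only in the melmac skip and the printed option name, so they could share a helper, but the rewrite below keeps the structure. Whether compare_versions expects a bare number is not visible here; `du -sk` prints `SIZE<TAB>PATH`, so `$(du -sk "$tmpf" | awk '{print $1}')` would be the safer argument.
```shell
sizes() {
	local i tmpf
	load_package_config
	echo "# $(date)"
	# private, unpredictable temp file instead of the fixed /tmp/sast
	tmpf="$(mktemp /tmp/sast.XXXXXX)" || return 1

	for i in $blacklist_domains_urls; do
		[ "${i//melmac}" != "$i" ] && continue
		if $dl_command "$i" $dl_flag "$tmpf" 2>/dev/null && [ -s "$tmpf" ]; then
			echo "# File size: $(du -sh "$tmpf" | awk '{print $1}')"
			# … unchanged: size thresholds via compare_versions …
			echo " list blacklist_domains_url '$i'"
			echo ""
		else
			# … unchanged: "site was down on last check" lines …
		fi
	done
	# … unchanged: hosts loop, with the same "$tmpf" substitution …
	rm -f "$tmpf"
}
```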