<feed xmlns='http://www.w3.org/2005/Atom'>
<title>packages/net/banip/files/banip.hotplug, branch master</title>
<subtitle>Mirror of packages feed</subtitle>
<id>https://git.openwrt.org/feed/packages/atom?h=master</id>
<link rel='self' href='https://git.openwrt.org/feed/packages/atom?h=master'/>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/feed/packages/'/>
<updated>2023-02-18T20:06:26Z</updated>
<entry>
<title>banip: release 0.8.0 (nft rewrite)</title>
<updated>2023-02-18T20:06:26Z</updated>
<author>
<name>Dirk Brenken</name>
</author>
<published>2023-02-13T16:56:57Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/feed/packages/commit/?id=82a491bac85b8d106dc6057c1bd58c8e5dc3ed53'/>
<id>urn:sha1:82a491bac85b8d106dc6057c1bd58c8e5dc3ed53</id>
<content type='text'>
- complete rewrite of banIP to support nftables
- all sets are handled in a separate nft table/namespace 'banIP'
- for incoming blocking it uses the inet input hook, for outgoing blocking it uses the inet forward hook
- full IPv4 and IPv6 support
- supports nft atomic set loading
- supports blocking by ASN numbers and by iso country codes
- 42 preconfigured external feeds are available, plus local allow- and blocklist
- supports local allow- and blocklist (IPv4, IPv6, CIDR notation or domain names)
- auto-add the uplink subnet to the local allowlist
- provides a small background log monitor to ban unsuccessful login attempts in real-time
- the logterms for the log monitor service can be freely defined via regex
- auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist
- fast feed processing as they are handled in parallel as background jobs
- per feed it can be defined whether the input chain or the forward chain should be blocked (default: both chains)
- automatic blocklist backup &amp; restore, the backups will be used in case of download errors or during startup
- automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or wget
- supports an 'allowlist only' mode, this option restricts internet access from/to a small number of secure websites/IPs
- provides comprehensive runtime information
- provides a detailed set report
- provides a set search engine for certain IPs
- feed parsing by fast &amp; flexible regex rulesets
- minimal status &amp; error logging to syslog, enable debug logging to receive more output
- procd based init system support (start/stop/restart/reload/status/report/search)
- procd network interface trigger support
- ability to add new banIP feeds on your own
- add a readme with all available options/feeds to customize your installation to your needs
- a new LuCI frontend will be available in due course

Signed-off-by: Dirk Brenken &lt;dev@brenken.org&gt;
</content>
</entry>
<entry>
<title>banip: update 0.7.10</title>
<updated>2021-08-29T15:16:59Z</updated>
<author>
<name>Dirk Brenken</name>
</author>
<published>2021-08-29T15:16:59Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/feed/packages/commit/?id=8ac0103cbdb74e2ec9ea2986c4b80bf83ba00211'/>
<id>urn:sha1:8ac0103cbdb74e2ec9ea2986c4b80bf83ba00211</id>
<content type='text'>
* switch to unencrypted http downloads for ipdeny.com due to persistent certificate issues
* compact json generator code (tested with report files &gt; 2MB)
* various code cleanups and optimizations

Signed-off-by: Dirk Brenken &lt;dev@brenken.org&gt;
</content>
</entry>
<entry>
<title>banip: release 0.7.0</title>
<updated>2021-02-04T20:18:02Z</updated>
<author>
<name>Dirk Brenken</name>
</author>
<published>2021-02-04T14:35:21Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/feed/packages/commit/?id=cadaedbfb2a7b705e2fb930b4cebfdd1dfe10cc2'/>
<id>urn:sha1:cadaedbfb2a7b705e2fb930b4cebfdd1dfe10cc2</id>
<content type='text'>
* major rewrite
* add support for multiple chains
* add mac whitelisting
* add support for multiple ssh daemons in parallel
* add an ipset report engine
* add mail notifications
* add suspend/resume functions
* add a cron wrapper to set an ipset related auto-timer for
  automatic blocklist updates
* add a list wrapper to add/remove blocklist sources
* add 19.x and Turris OS 5.x compatibility code
* sources stored in an external compressed json file
  (/etc/banip/banip.sources.gz)
* change Country/ASN download sources (faster/more reliable)
* fix DHCPv6/icmpv6 issues

Signed-off-by: Dirk Brenken &lt;dev@brenken.org&gt;</content>
</entry>
<entry>
<title>banIP: update 0.3.8</title>
<updated>2019-11-09T05:40:40Z</updated>
<author>
<name>Dirk Brenken</name>
</author>
<published>2019-11-09T05:40:40Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/feed/packages/commit/?id=0dee2a92de0ffdc5007e41802a43456ce3b5bf22'/>
<id>urn:sha1:0dee2a92de0ffdc5007e41802a43456ce3b5bf22</id>
<content type='text'>
* limit firewall hotplug trigger to certain wan 'INTERFACE' as well,
  to prevent possible race conditions during boot

Signed-off-by: Dirk Brenken &lt;dev@brenken.org&gt;
</content>
</entry>
<entry>
<title>banip: update 0.3.7</title>
<updated>2019-11-08T17:40:30Z</updated>
<author>
<name>Dirk Brenken</name>
</author>
<published>2019-11-08T17:40:30Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/feed/packages/commit/?id=49b43b81e8a8c32465d3de921d8289541de3e7e1'/>
<id>urn:sha1:49b43b81e8a8c32465d3de921d8289541de3e7e1</id>
<content type='text'>
* fix a logical glitch in the hotplug event handler
* properly handle fatal iptables errors - even in subshells

Signed-off-by: Dirk Brenken &lt;dev@brenken.org&gt;
</content>
</entry>
<entry>
<title>banip: update 0.2.0</title>
<updated>2019-09-09T19:11:10Z</updated>
<author>
<name>Dirk Brenken</name>
</author>
<published>2019-09-09T15:12:52Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/feed/packages/commit/?id=5f49601e63f2c3b58edbf0732c73f3f51f890e3d'/>
<id>urn:sha1:5f49601e63f2c3b58edbf0732c73f3f51f890e3d</id>
<content type='text'>
* remove 'http-only' mode, all sources are now fetched from https sites
* the backup mode is now mandatory ('/tmp' is the default backup
  directory), always create and re-use backups if available.
  To force a re-download take the 'reload' action.
* support 'sshd' in addition to 'dropbear' for logfile parsing
  to detect break-in events
* always update the black-/whitelist with logfile parsing results
  in 'refresh' mode (no new downloads)
* rework the return code handling
* tweak procd trigger
* various small fixes
* (s)hellcheck cosmetics

Signed-off-by: Dirk Brenken &lt;dev@brenken.org&gt;</content>
</entry>
<entry>
<title>banip: update 0.0.6</title>
<updated>2018-11-17T15:30:52Z</updated>
<author>
<name>Dirk Brenken</name>
</author>
<published>2018-11-16T20:06:48Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/feed/packages/commit/?id=dcaddb5297351b1167912880cba4f3319755aa80'/>
<id>urn:sha1:dcaddb5297351b1167912880cba4f3319755aa80</id>
<content type='text'>
* support multiple WAN interfaces in iptables rules,
  set 'ban_iface' option accordingly (as space separated list)
  or use the LuCI frontend
* add new "refresh" mode while triggered by fw changes (no download)
* add required ip dependency
* fix wrong 'settype' definition for firehol1 in config

Signed-off-by: Dirk Brenken &lt;dev@brenken.org&gt;</content>
</entry>
<entry>
<title>banip: new package to block incoming &amp; outgoing ip addresses</title>
<updated>2018-11-10T10:01:45Z</updated>
<author>
<name>Dirk Brenken</name>
</author>
<published>2018-11-10T10:01:45Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/feed/packages/commit/?id=b17588a8568a3e23c2a86802b2b8f3dbdbf411dd'/>
<id>urn:sha1:b17588a8568a3e23c2a86802b2b8f3dbdbf411dd</id>
<content type='text'>
a new script based package called "banIP" to block
incoming &amp; outgoing ip addresses/subnets via ipset.

Features:
* a shell script which uses ipset and iptables
  to ban a large number of IP addresses
  published in various IP blacklists (bogon, firehol etc.)
* support blocking by ASN numbers
* support blocking by iso country codes
* support local white &amp; blacklist (IPv4, IPv6 &amp; CIDR notation)
* auto-add unsuccessful ssh login attempts to local blacklist
* auto-add the uplink subnet to local whitelist
* per source configuration of SRC (incoming) and DST (outgoing)
* supports IPv4 &amp; IPv6

Strong LuCI support:
* easy interface to track &amp; change all aspects of your ipset
  configuration on the fly
* integrated IPSet-Lookup
* integrated RIPE-Lookup
* Log-Viewer &amp; online configuration of white- &amp; blacklist

LuCI-Screenshots will follow in the second post.
Forum discussion:
https://forum.openwrt.org/t/banip-new-project-needs-testers-feedback/16985

Signed-off-by: Dirk Brenken &lt;dev@brenken.org&gt;</content>
</entry>
</feed>
