blob: 7fedfd168461bd18acd537df4ec6300986e9dd63 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
|
#!/bin/sh
# banIP cgi remote logging script - ban incoming and outgoing IPs via named nftables Sets
# Copyright (c) 2018-2026 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3.
# (s)hellcheck exceptions
# shellcheck disable=all
# output HTTP response header
#
cat <<EOF
Status: 202 Accepted
Content-Type: text/plain; charset=UTF-8
EOF
# read up to 256 bytes from POST data, otherwise use QUERY_STRING, and filter out unwanted characters
#
post_string="$(head -c 256)"
request="${post_string//[^[:alnum:]=\.\:]/}"
[ -z "${request}" ] && request="${QUERY_STRING//[^[:alnum:]=\.\:]/}"
# decode the request
#
request_decode() {
local key value token
# parse request
#
key="${request%%=*}"
value="${request#*=}"
token="$(uci -q get banip.global.ban_remotetoken)"
# validate value as an IP address, otherwise ignore the request
#
case "${value}" in
[0-9]*.[0-9]*.[0-9]*.[0-9]*)
;;
[0-9A-Fa-f]*:*[0-9A-Fa-f])
;;
*)
return
;;
esac
# only log if token matches and banip is running, otherwise ignore the request
#
if [ -n "${token}" ] && [ -n "${key}" ] && [ -n "${value}" ] && [ "${key}" = "${token}" ] && /etc/init.d/banip running; then
if [ -r "/usr/lib/banip-functions.sh" ]; then
. "/usr/lib/banip-functions.sh"
f_conf
if [ "${ban_remotelog}" = "1" ] && [ -x "${ban_logreadcmd}" ] && [ -n "${ban_logterm}" ] && [ "${ban_loglimit}" != "0" ]; then
f_log "info" "received a suspicious remote IP '${value}'"
fi
fi
fi
}
# call the request decoder
#
request_decode
|
