banip: bump to release 0.9.3-1

* provides an option to transfer log events on remote servers via cgi interface (disabled by default), see readme for details
* refine the allowlist check to support IP intervals as well before adding an IP to the blocklist

Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit df81585cea0c0b35f01f978e7dc245ad9de32a07)

diff --git a/net/banip/Makefile b/net/banip/Makefile
index 28b76bc86aa0de6bbfc18afe59cbe9763af18c52..00803da00cd43705fb7d6e9ffec08343c8bb6fce 100644 (file)
--- a/net/banip/Makefile
+++ b/net/banip/Makefile
@@ -5,8 +5,8 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=banip
-PKG_VERSION:=0.9.2
-PKG_RELEASE:=4
+PKG_VERSION:=0.9.3
+PKG_RELEASE:=1
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
 
@@ -63,6 +63,9 @@ define Package/banip/install
        $(INSTALL_CONF) ./files/banip.countries $(1)/etc/banip
        $(INSTALL_CONF) ./files/banip.feeds $(1)/etc/banip
        $(INSTALL_CONF) ./files/banip.custom.feeds $(1)/etc/banip
+
+       $(INSTALL_DIR) $(1)/www/cgi-bin
+       $(INSTALL_BIN) ./files/banip.cgi $(1)/www/cgi-bin/banip
 endef
 
 $(eval $(call BuildPackage,banip))

diff --git a/net/banip/files/README.md b/net/banip/files/README.md
index eb5e8cf65cc8bb091c4f3cdbdf49327fa3fe5296..299a2cae8ee2611fad28bc6bd2f617a92d9882fb 100644 (file)
--- a/net/banip/files/README.md
+++ b/net/banip/files/README.md
@@ -89,6 +89,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
 * Add new or edit existing banIP feeds on your own with the LuCI integrated custom feed editor
 * Supports external allowlist URLs to reference additional IPv4/IPv6 feeds
 * Supports allowing / blocking of certain VLAN forwards
+* Provides an option to transfer logging events on remote servers via cgi interface
 
 ## Prerequisites
 * **[OpenWrt](https://openwrt.org)**, latest stable release or a snapshot with nft/firewall 4 support
@@ -141,7 +142,7 @@ Available commands:
 | ban_filelimit           | option | 1024                          | ulimit max open/number of files (range 1024-4096)                                                                 |
 | ban_loglimit            | option | 100                           | scan only the last n log entries permanently. A value of '0' disables the monitor                                 |
 | ban_logcount            | option | 1                             | how many times the IP must appear in the log to be considered as suspicious                                       |
-| ban_logterm             | list   | regex                         | various regex for logfile parsing (default: dropbear, sshd, luci, nginx, asterisk)                                |
+| ban_logterm             | list   | regex                         | various regex for logfile parsing (default: dropbear, sshd, luci, nginx, asterisk and cgi-remote events)          |
 | ban_logreadfile         | option | /var/log/messages             | alternative location for parsing the log file, e.g. via syslog-ng, to deactivate the standard parsing via logread |
 | ban_autodetect          | option | 1                             | auto-detect wan interfaces, devices and subnets                                                                   |
 | ban_debug               | option | 0                             | enable banIP related debug logging                                                                                |
@@ -191,6 +192,8 @@ Available commands:
 | ban_mailnotification    | option | 0                             | receive E-Mail notifications with every banIP run                                                                 |
 | ban_reportelements      | option | 1                             | count Set elements in the report, disable this option to speed up the report significantly                        |
 | ban_resolver            | option | -                             | external resolver used for DNS lookups                                                                            |
+| ban_remotelog           | option | 0                             | enable the cgi interface to receive remote logging events                                                         |
+| ban_remotetoken         | option | -                             | unique token to communicate with the cgi interface                                                                |
 
 ## Examples
 **banIP report information**  
@@ -292,6 +295,7 @@ list ban_logterm 'luci: failed login'
 list ban_logterm 'error: maximum authentication attempts exceeded'
 list ban_logterm 'sshd.*Connection closed by.*\[preauth\]'
 list ban_logterm 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress='
+list ban_logterm 'received a suspicious remote IP '\''.*'\'''
 ```
 
 **allow-/blocklist handling**  
@@ -324,6 +328,18 @@ MAC-address with IPv4 and IPv6 wildcard concatenation:
 C8:C2:9B:F7:80:12 192.168.1.10                     => this will be populated to v4MAC-Set with the certain IP
 C8:C2:9B:F7:80:12                                  => this will be populated to v6MAC-Set with the IP-wildcard ::/0
 ```
+**enable the cgi interface to receive remote logging events**  
+banIP ships a basic cgi interface in '/www/cgi-bin/banip' to receive remote logging events (disabled by default). The cgi interface evaluates logging events via GET or POST request (see examples below). To enable the cgi interface set the following options:  
+
+    * set 'ban_remotelog' to '1' to enbale the cgi interface
+    * set 'ban_remotetoken' to a secret transfer token, allowed token characters consist of '[A-Za-z]', '[0-9]', '.' and ':'
+
+  Examples to transfer remote logging events from an internal server to banIP via cgi interface:  
+
+    * POST request: curl --insecure --data "<ban_remotetoken>=<suspicious IP>" https://192.168.1.1/cgi-bin/banip
+    * GET request: wget --no-check-certificate https://192.168.1.1/cgi-bin/banip?<ban_remotetoken>=<suspicious IP>
+
+Please note: for security reasons use this cgi interface only internally and only encrypted via https transfer protocol.
 
 **redirect Asterisk security logs to lodg/logread**  
 banIP only supports logfile scanning via logread, so to monitor attacks on Asterisk, its security log must be available via logread. To do this, edit '/etc/asterisk/logger.conf' and add the line 'syslog.local0 = security', then run 'asterisk -rx reload logger' to update the running Asterisk configuration.

diff --git a/net/banip/files/banip-functions.sh b/net/banip/files/banip-functions.sh
index 1a1266d03554897813d0fe15110bb9825de9a2b6..f075eb6b1385ed5e29c63a6cfb34e0fe7e1e50e5 100644 (file)
--- a/net/banip/files/banip-functions.sh
+++ b/net/banip/files/banip-functions.sh
@@ -43,6 +43,8 @@ ban_mailtopic="banIP notification"
 ban_mailprofile="ban_notify"
 ban_mailnotification="0"
 ban_reportelements="1"
+ban_remotelog="0"
+ban_remotetoken=""
 ban_nftloglevel="warn"
 ban_nftpriority="-200"
 ban_nftpolicy="memory"
@@ -1526,7 +1528,7 @@ f_monitor() {
                                        ip="${ip##* }"
                                        [ -n "${ip}" ] && proto="v6"
                                fi
-                               if [ -n "${proto}" ] && ! "${ban_nftcmd}" get element inet banIP blocklist"${proto}" "{ ${ip} }" >/dev/null 2>&1 && ! "${ban_grepcmd}" -q "^${ip}" "${ban_allowlist}"; then
+                               if [ -n "${proto}" ] && ! "${ban_nftcmd}" get element inet banIP allowlist"${proto}" "{ ${ip} }" >/dev/null 2>&1 && ! "${ban_nftcmd}" get element inet banIP blocklist"${proto}" "{ ${ip} }" >/dev/null 2>&1; then
                                        f_log "info" "suspicious IP '${ip}'"
                                        log_raw="$(eval ${loglimit_cmd})"
                                        log_count="$(printf "%s\n" "${log_raw}" | "${ban_grepcmd}" -c "suspicious IP '${ip}'")"

diff --git a/net/banip/files/banip.cgi b/net/banip/files/banip.cgi
new file mode 100644 (file)
index 0000000..2ac5ef0
--- /dev/null
+++ b/net/banip/files/banip.cgi
@@ -0,0 +1,36 @@
+#!/bin/sh
+# banIP cgi remote logging script - ban incoming and outgoing IPs via named nftables Sets
+# Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
+# This is free software, licensed under the GNU General Public License v3.
+
+# (s)hellcheck exceptions
+# shellcheck disable=all
+
+# handle post/get requests
+#
+post_string="$(cat)"
+request="${post_string//[^[:alnum:]=\.\:]/}"
+[ -z "${request}" ] && request="${QUERY_STRING//[^[:alnum:]=\.\:]/}"
+
+request_decode() {
+       local key value token
+
+       key="${request%=*}"
+       value="${request#*=}"
+       token="$(uci -q get banip.global.ban_remotetoken)"
+
+       if [ -n "${key}" ] && [ -n "${value}" ] && [ "${key}" = "${token}" ] && /etc/init.d/banip running; then
+               [ -r "/usr/lib/banip-functions.sh" ] && { . "/usr/lib/banip-functions.sh"; f_conf; }
+               if [ "${ban_remotelog}" = "1" ] && [ -x "${ban_logreadcmd}" ] && [ -n "${ban_logterm%%??}" ] && [ "${ban_loglimit}" != "0" ]; then
+                       f_log "info" "received a suspicious remote IP '${value}'"
+               fi
+       fi
+}
+
+cat <<EOF
+Status: 202 Accepted
+Content-Type: text/plain; charset=UTF-8
+
+EOF
+
+request_decode

diff --git a/net/banip/files/banip.conf b/net/banip/files/banip.conf
index eaa30989eaa38a6ef47d968bc9ab4dc4823c0c5c..3bb5bc96c710e3b8437f06aa92c864f3bbfd46bf 100644 (file)
--- a/net/banip/files/banip.conf
+++ b/net/banip/files/banip.conf
@@ -7,3 +7,4 @@ config banip 'global'
        list ban_logterm 'error: maximum authentication attempts exceeded'
        list ban_logterm 'sshd.*Connection closed by.*\[preauth\]'
        list ban_logterm 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress='
+       list ban_logterm 'received a suspicious remote IP '\''.*'\'''