From: Dirk Brenken Date: Mon, 11 Dec 2023 16:35:13 +0000 (+0100) Subject: banip: bump to release 0.9.3-1 X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=6435e15a21cdcf7f07562172313437b6b17f8b7d;p=feed%2Fpackages.git banip: bump to release 0.9.3-1 * provides an option to transfer log events on remote servers via cgi interface (disabled by default), see readme for details * refine the allowlist check to support IP intervals as well before adding an IP to the blocklist Signed-off-by: Dirk Brenken (cherry picked from commit df81585cea0c0b35f01f978e7dc245ad9de32a07) --- diff --git a/net/banip/Makefile b/net/banip/Makefile index 28b76bc86a..00803da00c 100644 --- a/net/banip/Makefile +++ b/net/banip/Makefile @@ -5,8 +5,8 @@ include $(TOPDIR)/rules.mk PKG_NAME:=banip -PKG_VERSION:=0.9.2 -PKG_RELEASE:=4 +PKG_VERSION:=0.9.3 +PKG_RELEASE:=1 PKG_LICENSE:=GPL-3.0-or-later PKG_MAINTAINER:=Dirk Brenken @@ -63,6 +63,9 @@ define Package/banip/install $(INSTALL_CONF) ./files/banip.countries $(1)/etc/banip $(INSTALL_CONF) ./files/banip.feeds $(1)/etc/banip $(INSTALL_CONF) ./files/banip.custom.feeds $(1)/etc/banip + + $(INSTALL_DIR) $(1)/www/cgi-bin + $(INSTALL_BIN) ./files/banip.cgi $(1)/www/cgi-bin/banip endef $(eval $(call BuildPackage,banip)) diff --git a/net/banip/files/README.md b/net/banip/files/README.md index eb5e8cf65c..299a2cae8e 100644 --- a/net/banip/files/README.md +++ b/net/banip/files/README.md @@ -89,6 +89,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre * Add new or edit existing banIP feeds on your own with the LuCI integrated custom feed editor * Supports external allowlist URLs to reference additional IPv4/IPv6 feeds * Supports allowing / blocking of certain VLAN forwards +* Provides an option to transfer logging events on remote servers via cgi interface ## Prerequisites * **[OpenWrt](https://openwrt.org)**, latest stable release or a snapshot with nft/firewall 4 support 
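Review bot: The second Makefile hunk installs banip.cgi to $(1)/www/cgi-bin/banip on every install, so the remote-logging endpoint is present on the web server of each installation even though the feature defaults to ban_remotelog=0; the banip.cgi hunk further down appears to check that option and the configured token before acting, which limits the exposure, but nothing in the Makefile records that intent. A short comment above the two new install lines would make it visible, e.g. `# remote-log cgi endpoint; inert unless ban_remotelog=1 and ban_remotetoken is set`. If the goal is to add no extra surface at all while the option is off, a package config switch around these lines (or leaving the file out of the default install) would be the place for it. The first hunk is a plain version bump.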
@@ -141,7 +142,7 @@ Available commands: | ban_filelimit | option | 1024 | ulimit max open/number of files (range 1024-4096) | | ban_loglimit | option | 100 | scan only the last n log entries permanently. A value of '0' disables the monitor | | ban_logcount | option | 1 | how many times the IP must appear in the log to be considered as suspicious | -| ban_logterm | list | regex | various regex for logfile parsing (default: dropbear, sshd, luci, nginx, asterisk) | +| ban_logterm | list | regex | various regex for logfile parsing (default: dropbear, sshd, luci, nginx, asterisk and cgi-remote events) | | ban_logreadfile | option | /var/log/messages | alternative location for parsing the log file, e.g. via syslog-ng, to deactivate the standard parsing via logread | | ban_autodetect | option | 1 | auto-detect wan interfaces, devices and subnets | | ban_debug | option | 0 | enable banIP related debug logging | @@ -191,6 +192,8 @@ Available commands: | ban_mailnotification | option | 0 | receive E-Mail notifications with every banIP run | | ban_reportelements | option | 1 | count Set elements in the report, disable this option to speed up the report significantly | | ban_resolver | option | - | external resolver used for DNS lookups | +| ban_remotelog | option | 0 | enable the cgi interface to receive remote logging events | +| ban_remotetoken | option | - | unique token to communicate with the cgi interface | ## Examples **banIP report information** @@ -292,6 +295,7 @@ list ban_logterm 'luci: failed login' list ban_logterm 'error: maximum authentication attempts exceeded' list ban_logterm 'sshd.*Connection closed by.*\[preauth\]' list ban_logterm 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress=' +list ban_logterm 'received a suspicious remote IP '\''.*'\''' ``` **allow-/blocklist handling** 
@@ -324,6 +328,18 @@ MAC-address with IPv4 and IPv6 wildcard concatenation: C8:C2:9B:F7:80:12 192.168.1.10 => this will be populated to v4MAC-Set with the certain IP C8:C2:9B:F7:80:12 => this will be populated to v6MAC-Set with the IP-wildcard ::/0 ``` +**enable the cgi interface to receive remote logging events** +banIP ships a basic cgi interface in '/www/cgi-bin/banip' to receive remote logging events (disabled by default). The cgi interface evaluates logging events via GET or POST request (see examples below). To enable the cgi interface set the following options: + + * set 'ban_remotelog' to '1' to enbale the cgi interface + * set 'ban_remotetoken' to a secret transfer token, allowed token characters consist of '[A-Za-z]', '[0-9]', '.' and ':' + + Examples to transfer remote logging events from an internal server to banIP via cgi interface: + + * POST request: curl --insecure --data "=" https://192.168.1.1/cgi-bin/banip + * GET request: wget --no-check-certificate https://192.168.1.1/cgi-bin/banip?= + +Please note: for security reasons use this cgi interface only internally and only encrypted via https transfer protocol. **redirect Asterisk security logs to lodg/logread** banIP only supports logfile scanning via logread, so to monitor attacks on Asterisk, its security log must be available via logread. To do this, edit '/etc/asterisk/logger.conf' and add the line 'syslog.local0 = security', then run 'asterisk -rx reload logger' to update the running Asterisk configuration. diff --git a/net/banip/files/banip-functions.sh b/net/banip/files/banip-functions.sh index 1a1266d035..f075eb6b13 100644 --- a/net/banip/files/banip-functions.sh +++ b/net/banip/files/banip-functions.sh @@ -43,6 +43,8 @@ ban_mailtopic="banIP notification" ban_mailprofile="ban_notify" ban_mailnotification="0" ban_reportelements="1" +ban_remotelog="0" +ban_remotetoken="" ban_nftloglevel="warn" ban_nftpriority="-200" ban_nftpolicy="memory" 
@@ -1526,7 +1528,7 @@ f_monitor() {
 ip="${ip##* }"
 [ -n "${ip}" ] && proto="v6"
 fi
-if [ -n "${proto}" ] && ! "${ban_nftcmd}" get element inet banIP blocklist"${proto}" "{ ${ip} }" >/dev/null 2>&1 && ! "${ban_grepcmd}" -q "^${ip}" "${ban_allowlist}"; then
+if [ -n "${proto}" ] && ! "${ban_nftcmd}" get element inet banIP allowlist"${proto}" "{ ${ip} }" >/dev/null 2>&1 && ! "${ban_nftcmd}" get element inet banIP blocklist"${proto}" "{ ${ip} }" >/dev/null 2>&1; then
 f_log "info" "suspicious IP '${ip}'"
 log_raw="$(eval ${loglimit_cmd})"
 log_count="$(printf "%s\n" "${log_raw}" | "${ban_grepcmd}" -c "suspicious IP '${ip}'")"
diff --git a/net/banip/files/banip.cgi b/net/banip/files/banip.cgi
new file mode 100644
index 0000000000..2ac5ef0d4f
--- /dev/null
+++ b/net/banip/files/banip.cgi
@@ -0,0 +1,36 @@
+#!/bin/sh
+# banIP cgi remote logging script - ban incoming and outgoing IPs via named nftables Sets
+# Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
+# This is free software, licensed under the GNU General Public License v3.
+
+# (s)hellcheck exceptions
+# shellcheck disable=all
+
+# handle post/get requests
+#
+post_string="$(cat)"
+request="${post_string//[^[:alnum:]=\.\:]/}"
+[ -z "${request}" ] && request="${QUERY_STRING//[^[:alnum:]=\.\:]/}"
+
+request_decode() {
+ local key value token
+
+ key="${request%=*}"
+ value="${request#*=}"
+ token="$(uci -q get banip.global.ban_remotetoken)"
+
+ if [ -n "${key}" ] && [ -n "${value}" ] && [ "${key}" = "${token}" ] && /etc/init.d/banip running; then
+ [ -r "/usr/lib/banip-functions.sh" ] && { . "/usr/lib/banip-functions.sh"; f_conf; }
+ if [ "${ban_remotelog}" = "1" ] && [ -x "${ban_logreadcmd}" ] && [ -n "${ban_logterm%%??}" ] && [ "${ban_loglimit}" != "0" ]; then
+ f_log "info" "received a suspicious remote IP '${value}'"
+ fi
+ fi
+}
+
+cat <
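Review bot: The rewritten condition now decides allowlist membership only from the live `allowlist${proto}` nft Set, whereas the removed line read `${ban_allowlist}` directly, so an entry added to the allowlist file but not yet loaded into the Set (no reload since the edit) is no longer honored by the monitor; that is presumably intended given the interval-matching goal in the commit message, but it is a behaviour change that deserves a comment, e.g. `# allow-/blocklist lookups use the live nft Sets (interval-aware); allowlist file edits take effect only after a reload`. Both `nft get element` calls are negated with stderr discarded, so a lookup that fails for any reason (Set missing, nft error) reads as "not listed" — the same outcome the old grep had on a missing file, but now the allowlist protection depends on the Set being present. The enclosing f_monitor body starts and ends outside this hunk.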