From 185a717e195b8e7d2269174d6794f1882d3d10b7 Mon Sep 17 00:00:00 2001
From: Dirk Brenken
Date: Sat, 20 Feb 2021 10:26:16 +0100
Subject: [PATCH] banip: update to 0.7.3
* fix search string/pipe preparation for the background service
* fix IPSet maxelem limitation, made it more flexible
* fix potential error during resume action
* add Cisco Talos IP blacklist
* update readme
Signed-off-by: Dirk Brenken
(cherry picked from commit b65353b4f76f89c11a8e7f2c6307d461e0dce696)
---
 net/banip/Makefile | 2 +-
 net/banip/files/README.md | 2 ++
 net/banip/files/banip.sh | 57 +++++++++++++++++++----------------
 net/banip/files/banip.sources | 6 ++++
 4 files changed, 40 insertions(+), 27 deletions(-)
diff --git a/net/banip/Makefile b/net/banip/Makefile
index 69f3cee774..dea787b9e2 100644
--- a/net/banip/Makefile
+++ b/net/banip/Makefile
@@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=banip
-PKG_VERSION:=0.7.2
+PKG_VERSION:=0.7.3
 PKG_RELEASE:=1
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_MAINTAINER:=Dirk Brenken
diff --git a/net/banip/files/README.md b/net/banip/files/README.md
index 498c95baa6..83fbf40811 100644
--- a/net/banip/files/README.md
+++ b/net/banip/files/README.md
@@ -31,6 +31,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
 | nixspam | iX spam protection | [Link](http://www.nixspam.org) |
 | proxy | Firehol list of open proxies | [Link](https://iplists.firehol.org/?ipset=proxylists) |
 | ssbl | SSL botnet IP blacklist | [Link](https://sslbl.abuse.ch) |
+| talos | Cisco Talos IP Blacklist | [Link](https://talosintelligence.com/reputation_center) |
 | threat | Emerging Threats | [Link](https://rules.emergingthreats.net) |
 | tor | Tor exit nodes | [Link](https://fissionrelays.net/lists) |
 | uceprotect1 | Spam protection level 1 | [Link](http://www.uceprotect.net/en/index.php) | 
@@ -68,6 +69,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
 * [OpenWrt](https://openwrt.org), tested with the stable release series (19.07.x) and with the latest rolling snapshot releases. On turris devices it has been successfully tested with TurrisOS 5.2.x
 Please note: Older OpenWrt releases like 18.06.x or 17.01.x are _not_ supported!
 Please note: Devices with less than 128 MByte RAM are _not_ supported!
+ Please note: If you're updating from former banIP 0.3x please manually remove your config (/etc/config/banip) before you start!
 * A download utility with SSL support: 'wget', 'uclient-fetch' with one of the 'libustream-*' ssl libraries, 'aria2c' or 'curl' is required
 * A certificate store like 'ca-bundle', as banIP checks the validity of the SSL certificates of all download sites by default
 * Optional E-Mail notification support: for E-Mail notifications you need to install the additional 'msmtp' package
diff --git a/net/banip/files/banip.sh b/net/banip/files/banip.sh
index 179f6f4583..ed1bfad051 100755
--- a/net/banip/files/banip.sh
+++ b/net/banip/files/banip.sh
@@ -12,7 +12,7 @@ export LC_ALL=C
 export PATH="/usr/sbin:/usr/bin:/sbin:/bin"
 set -o pipefail
-ban_ver="0.7.2"
+ban_ver="0.7.3"
 ban_enabled="0"
 ban_mail_enabled="0"
 ban_proto4_enabled="0"
@@ -93,11 +93,11 @@ f_load()
 #
 if [ "${ban_enabled}" = "0" ]
 then
+ f_bgsrv "stop"
 f_ipset "destroy"
 f_jsnup "disabled"
 f_rmbckp
 f_rmtmp
- f_bgsrv "stop"
 f_log "info" "banIP is currently disabled, please set the config option 'ban_enabled' to '1' to use this service"
 exit 0
 fi 
@@ -739,22 +739,24 @@ f_ipset()
 return "${out_rc}"
 ;;
 "create")
- if [ "${src_name}" = "maclist" ] && [ -s "${tmp_file}" ] && [ -z "$("${ban_ipset_cmd}" -q -n list "${src_name}")" ]
- then
- "${ban_ipset_cmd}" create "${src_name}" hash:mac maxelem 262144 counters timeout "${ban_maclist_timeout:-"0"}"
- out_rc="${?}"
- elif [ -s "${tmp_file}" ] && [ -z "$("${ban_ipset_cmd}" -q -n list "${src_name}")" ]
+ if [ -s "${tmp_file}" ] && [ -z "$("${ban_ipset_cmd}" -q -n list "${src_name}")" ]
 then
- if [ "${src_name%_*}" = "whitelist" ]
+ cnt="$(awk 'END{print NR}' "${tmp_file}" 2>/dev/null)"
+ cnt=$((cnt+262144))
+ if [ "${src_name}" = "maclist" ]
+ then
+ "${ban_ipset_cmd}" create "${src_name}" hash:mac hashsize 64 maxelem "${cnt}" counters timeout "${ban_maclist_timeout:-"0"}"
+ out_rc="${?}"
+ elif [ "${src_name%_*}" = "whitelist" ]
 then
- "${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem 262144 family "${src_ipver}" counters timeout "${ban_whitelist_timeout:-"0"}"
+ "${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem "${cnt}" family "${src_ipver}" counters timeout "${ban_whitelist_timeout:-"0"}"
 out_rc="${?}"
 elif [ "${src_name%_*}" = "blacklist" ]
 then
- "${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem 262144 family "${src_ipver}" counters timeout "${ban_blacklist_timeout:-"0"}"
+ "${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem "${cnt}" family "${src_ipver}" counters timeout "${ban_blacklist_timeout:-"0"}"
 out_rc="${?}"
 else
- "${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem 262144 family "${src_ipver}" counters
+ "${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem "${cnt}" family "${src_ipver}" counters
 out_rc="${?}"
 fi
 else 
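Review bot: The new `cnt=$((cnt+262144))` makes maxelem track the line count of the downloaded list with no upper bound, so the size of every set is now dictated by whatever the remote feed returns; the old fixed 262144 was also the implicit cap on how many entries an oversized or tampered feed could push into kernel memory on the low-RAM targets the README mentions, and that cap is gone. I would clamp it after the addition, e.g. `[ "${cnt}" -gt "${ban_maxelem:-1048576}" ] && cnt="${ban_maxelem:-1048576}"`, with `ban_maxelem` (a new name, not in this file yet) exposed as a config option so the limit is a deliberate choice rather than the feed's. Note also that `awk 'END{print NR}' … 2>/dev/null` leaves `cnt` empty if awk fails, which the arithmetic silently treats as 0; `cnt="${cnt:-0}"` or a comment saying that is intended would make it explicit. f_ipset begins before and continues after this hunk.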
@@ -821,19 +823,22 @@ f_ipset()
 f_log "debug" "f_ipset ::: name: ${src:-"-"}, mode: ${mode:-"-"}"
 ;;
 "resume")
- "${ban_ipset_cmd}" -q -! restore < "${ban_backupdir}/${src_name}.file"
- out_rc="${?}"
- if [ "${out_rc}" = "0" ]
+ if [ -f "${ban_backupdir}/${src_name}.file" ]
 then
- rm -f "${ban_backupdir}/${src_name}.file"
- src_list="$("${ban_ipset_cmd}" -q list "${src_name}")"
- cnt="$(printf "%s\n" "${src_list}" | awk '/^Number of entries:/{print $4}')"
- cnt_mac="$(printf "%s\n" "${src_list}" | grep -cE "^(([0-9A-Z][0-9A-Z]:){5}[0-9A-Z]{2} packets)")"
- cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "(/[0-9]{1,3} packets)")"
- cnt_ip=$((cnt-cnt_cidr-cnt_mac))
- printf "%s\n" "${cnt}" > "${tmp_cnt}"
+ "${ban_ipset_cmd}" -q -! restore < "${ban_backupdir}/${src_name}.file"
+ out_rc="${?}"
+ if [ "${out_rc}" = "0" ]
+ then
+ rm -f "${ban_backupdir}/${src_name}.file"
+ src_list="$("${ban_ipset_cmd}" -q list "${src_name}")"
+ cnt="$(printf "%s\n" "${src_list}" | awk '/^Number of entries:/{print $4}')"
+ cnt_mac="$(printf "%s\n" "${src_list}" | grep -cE "^(([0-9A-Z][0-9A-Z]:){5}[0-9A-Z]{2} packets)")"
+ cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "(/[0-9]{1,3} packets)")"
+ cnt_ip=$((cnt-cnt_cidr-cnt_mac))
+ printf "%s\n" "${cnt}" > "${tmp_cnt}"
+ fi
+ f_iptables
 fi
- f_iptables
 end_ts="$(date +%s)"
 out_rc="${out_rc:-"${in_rc}"}"
 f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, ipver: ${src_ipver:-"-"}, settype: ${src_settype:-"-"}, count(sum/ip/cidr/mac): ${cnt}/${cnt_ip}/${cnt_cidr}/${cnt_mac}, time: $((end_ts-start_ts)), out_rc: ${out_rc}" 
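Review bot: When `${ban_backupdir}/${src_name}.file` is absent the new `-f` branch does nothing, but `cnt`, `cnt_ip`, `cnt_cidr` and `cnt_mac` are only assigned on the success path and `out_rc` falls back to `${in_rc}`, so the closing `f_log "debug"` line reports whatever counts a previous set left behind and a skipped resume is indistinguishable from a successful one in the log. I would add an `else` arm to the `-f` test that resets the counters, `cnt="0"; cnt_ip="0"; cnt_cidr="0"; cnt_mac="0"`, and records the reason, `f_log "debug" "f_ipset ::: no backup file for '${src_name}', resume skipped"`. Whether a missing backup is a normal case (for instance a set that was empty at suspend time) is not visible in this hunk, so keep it at debug level unless it should be treated as an error. f_ipset begins before and continues after this hunk.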
@@ -937,9 +942,9 @@ f_bgsrv()
 fi
 if [ -n "$(printf "%s\n" "${ban_logterms}" | grep -F "nginx")" ]
 then
- ban_search="${ban_search}nginx\[[0-9]+\]:.*\[error\].*open().*client: [[:alnum:].:]+"
+ ban_search="${ban_search}nginx\[[0-9]+\]:.*\[error\].*open().*client: [[:alnum:].:]+|"
 fi
- ( "${ban_logservice}" "${ban_ver}" "${ban_search}" & )
+ ( "${ban_logservice}" "${ban_ver}" "${ban_search%?}" & )
 elif [ "${action}" = "stop" ] && [ -n "${bg_pid}" ]
 then
 kill -HUP "${bg_pid}" 2>/dev/null
@@ -1750,10 +1755,10 @@ fi
 f_load
 case "${ban_action}" in
 "stop")
+ f_bgsrv "stop"
 f_ipset "destroy"
 f_jsnup "stopped"
 f_rmbckp
- f_bgsrv "stop"
 ;;
 "restart")
 f_ipset "destroy"
@@ -1764,10 +1769,10 @@ case "${ban_action}" in
 "suspend")
 if [ "${ban_status}" = "enabled" ]
 then
+ f_bgsrv "stop"
 f_jsnup "running"
 f_ipset "suspend"
 f_jsnup "paused"
- f_bgsrv "stop"
 fi
 f_rmtmp
 ;;
diff --git a/net/banip/files/banip.sources b/net/banip/files/banip.sources
index 3255e4fa48..9dce5ae35c 100644
--- a/net/banip/files/banip.sources
+++ b/net/banip/files/banip.sources
@@ -142,6 +142,12 @@
 "focus": "SSL botnet IP blacklist",
 "descurl": "https://sslbl.abuse.ch"
 },
+ "talos": {
+ "url_4": "https://www.talosintelligence.com/documents/ip-blacklist",
+ "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add talos_4 \"$1}",
+ "focus": "Cisco Talos IP Blacklist",
+ "descurl": "https://talosintelligence.com/reputation_center"
+ },
 "threat": {
 "url_4": "https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt",
 "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add threat_4 \"$1}",
-- 
2.30.2
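Review bot: `"${ban_search%?}"` strips one trailing character unconditionally, so the construction only holds if every term branch in f_bgsrv (the others sit above this hunk) appends its alternative with a trailing `|` the way the nginx branch now does; a branch that does not would lose the last character of its regex silently and match more or less than intended. `"${ban_search%|}"` removes the separator only when it is present and is equally short, so the call would read `( "${ban_logservice}" "${ban_ver}" "${ban_search%|}" & )`. If none of the terms matched, `ban_search` may be empty and the log service is started with an empty pattern; whether `${ban_logservice}` treats that as "match nothing" is not visible here and deserves either a guard before the launch or a comment saying it is safe. f_bgsrv begins before this hunk.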