From 710b2cdca2dae6889252006cf6b0d74e8f89aa20 Mon Sep 17 00:00:00 2001 From: Dirk Brenken Date: Fri, 11 Oct 2024 19:46:16 +0200 Subject: [PATCH] banIP: update to 1.0.0-8 * supports comments (introduced with a #), for MAC addresses in the allow and block list, e.g. 26:5e:a0:6a:9c:da # Test * added hagezi threat ip feed * added an adguard logterm to the readme * removed the broken talos feed Signed-off-by: Dirk Brenken (cherry picked from commit 270e6f12644eb0ba3b1596cb73e267edf3980570) --- net/banip/Makefile | 2 +- net/banip/files/README.md | 3 ++- net/banip/files/banip-functions.sh | 8 ++++---- net/banip/files/banip.feeds | 11 ++++++----- 4 files changed, 13 insertions(+), 11 deletions(-) diff --git a/net/banip/Makefile b/net/banip/Makefile index c423f13406..1c231bbbe6 100644 --- a/net/banip/Makefile +++ b/net/banip/Makefile @@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=banip PKG_VERSION:=1.0.0 -PKG_RELEASE:=7 +PKG_RELEASE:=8 PKG_LICENSE:=GPL-3.0-or-later PKG_MAINTAINER:=Dirk Brenken diff --git a/net/banip/files/README.md b/net/banip/files/README.md index 0fe6b4ba5a..d7c4781768 100644 --- a/net/banip/files/README.md +++ b/net/banip/files/README.md @@ -38,6 +38,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre | firehol3 | firehol level 3 compilation | x | x | | | [Link](https://iplists.firehol.org/?ipset=firehol_level3) | | firehol4 | firehol level 4 compilation | x | x | | | [Link](https://iplists.firehol.org/?ipset=firehol_level4) | | greensnow | suspicious server IPs | x | x | | | [Link](https://greensnow.co) | +| hagezi | Threat IP blocklist | | | x | tcp: 80, 443 | [Link](https://github.com/hagezi/dns-blocklists) | | iblockads | Advertising IPs | | | x | tcp: 80, 443 | [Link](https://www.iblocklist.com) | | iblockspy | Malicious spyware IPs | | | x | tcp: 80, 443 | [Link](https://www.iblocklist.com) | | ipblackhole | blackhole IPs | x | x | | | [Link](https://github.com/BlackHoleMonster/IP-BlackHole) | @@ -52,7 +53,6 @@ IP address blocking is commonly used to protect against brute force attacks, pre | proxy | open proxies | x | x | | | [Link](https://iplists.firehol.org/?ipset=proxylists) | | ssbl | SSL botnet IPs | x | x | | | [Link](https://sslbl.abuse.ch) | | stevenblack | stevenblack IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) | -| talos | talos IPs | x | x | | | [Link](https://talosintelligence.com/reputation_center) | | threat | emerging threats | x | x | | | [Link](https://rules.emergingthreats.net) | | threatview | malicious IPs | x | x | | | [Link](https://threatview.io) | | tor | tor exit nodes | x | x | x | | [Link](https://www.dan.me.uk) | @@ -333,6 +333,7 @@ sshd2 : 'sshd.*Connection closed by.*\[preauth\]' asterisk : 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress=' nginx : 'received a suspicious remote IP '\''.*'\''' openvpn : 'TLS Error: could not determine wrapping from \[AF_INET\]' +AdGuard : 'AdGuardHome.*\[error\].*/control/login: from ip' ``` You find the 'Log Terms' option in LuCI under the 'Log Settings' tab. Feel free to add more log terms to meet your needs and protect additional services. diff --git a/net/banip/files/banip-functions.sh b/net/banip/files/banip-functions.sh index 35201afafa..4daddf642c 100644 --- a/net/banip/files/banip-functions.sh +++ b/net/banip/files/banip-functions.sh @@ -873,11 +873,11 @@ f_down() { printf "%s\n\n" "#!/usr/sbin/nft -f" [ -s "${tmp_flush}" ] && "${ban_catcmd}" "${tmp_flush}" if [ "${proto}" = "4MAC" ]; then - "${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}(\/([0-9]|[1-3][0-9]|4[0-8]))?([[:space:]]+([1-9][0-9]?[0-9]?\.){1}([0-9]{1,3}\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?[[:space:]]*$|[[:space:]]+$|$)/{if(!$2)$2="0.0.0.0/0";if(!seen[$1]++)printf "%s . %s, ",tolower($1),$2}' "${tmp_allow}" >"${tmp_file}" + "${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}(\/([0-9]|[1-3][0-9]|4[0-8]))?([[:space:]]+([1-9][0-9]?[0-9]?\.){1}([0-9]{1,3}\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?([[:space:]]+#.*$|[[:space:]]*$)|[[:space:]]+#.*$|$)/{if(!$2||$2~/#/)$2="0.0.0.0/0";if(!seen[$1]++)printf "%s . %s, ",tolower($1),$2}' "${tmp_allow}" >"${tmp_file}" printf "%s\n" "add set inet banIP ${feed} { type ether_addr . ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }" [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ether saddr . ip saddr @${feed} counter accept" elif [ "${proto}" = "6MAC" ]; then - "${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}(\/([0-9]|[1-3][0-9]|4[0-8]))?([[:space:]]+([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?[[:space:]]*$|[[:space:]]+$|$)/{if(!$2)$2="::/0";if(!seen[$1]++)printf "%s . %s, ",tolower($1),$2}' "${tmp_allow}" >"${tmp_file}" + "${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}(\/([0-9]|[1-3][0-9]|4[0-8]))?([[:space:]]+([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?([[:space:]]+#.*$|[[:space:]]*$)|[[:space:]]+#.*$|$)/{if(!$2||$2~/#/)$2="::/0";if(!seen[$1]++)printf "%s . %s, ",tolower($1),$2}' "${tmp_allow}" >"${tmp_file}" printf "%s\n" "add set inet banIP ${feed} { type ether_addr . ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }" [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ether saddr . ip6 saddr @${feed} counter accept" elif [ "${proto}" = "4" ]; then @@ -938,11 +938,11 @@ f_down() { printf "%s\n\n" "#!/usr/sbin/nft -f" [ -s "${tmp_flush}" ] && "${ban_catcmd}" "${tmp_flush}" if [ "${proto}" = "4MAC" ]; then - "${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}(\/([0-9]|[1-3][0-9]|4[0-8]))?([[:space:]]+([1-9][0-9]?[0-9]?\.){1}([0-9]{1,3}\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?[[:space:]]*$|[[:space:]]+$|$)/{if(!$2)$2="0.0.0.0/0";if(!seen[$1]++)printf "%s . %s, ",tolower($1),$2}' "${ban_blocklist}" >"${tmp_file}" + "${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}(\/([0-9]|[1-3][0-9]|4[0-8]))?([[:space:]]+([1-9][0-9]?[0-9]?\.){1}([0-9]{1,3}\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?([[:space:]]+#.*$|[[:space:]]*$)|[[:space:]]+#.*$|$)/{if(!$2||$2~/#/)$2="0.0.0.0/0";if(!seen[$1]++)printf "%s . %s, ",tolower($1),$2}' "${ban_blocklist}" >"${tmp_file}" printf "%s\n" "add set inet banIP ${feed} { type ether_addr . ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }" [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ether saddr . ip saddr @${feed} counter goto reject-chain" elif [ "${proto}" = "6MAC" ]; then - "${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}(\/([0-9]|[1-3][0-9]|4[0-8]))?([[:space:]]+([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?[[:space:]]*$|[[:space:]]+$|$)/{if(!$2)$2="::/0";if(!seen[$1]++)printf "%s . %s, ",tolower($1),$2}' "${ban_blocklist}" >"${tmp_file}" + "${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}(\/([0-9]|[1-3][0-9]|4[0-8]))?([[:space:]]+([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?([[:space:]]+#.*$|[[:space:]]*$)|[[:space:]]+#.*$|$)/{if(!$2||$2~/#/)$2="::/0";if(!seen[$1]++)printf "%s . %s, ",tolower($1),$2}' "${ban_blocklist}" >"${tmp_file}" printf "%s\n" "add set inet banIP ${feed} { type ether_addr . ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }" [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ether saddr . ip6 saddr @${feed} counter goto reject-chain" elif [ "${proto}" = "4" ]; then diff --git a/net/banip/files/banip.feeds b/net/banip/files/banip.feeds index 801639de1d..da93ece0c4 100644 --- a/net/banip/files/banip.feeds +++ b/net/banip/files/banip.feeds @@ -142,6 +142,12 @@ "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "descr": "suspicious server IPs" }, + "hagezi":{ + "url_4": "https://raw.githubusercontent.com/hagezi/dns-blocklists/refs/heads/main/ips/tif.txt", + "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", + "descr": "Threat IP blocklist", + "flag": "tcp 80 443" + }, "iblockads":{ "url_4": "https://list.iblocklist.com/?list=dgxtneitpuvgqqcpfulq&fileformat=cidr&archiveformat=gz", "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", @@ -230,11 +236,6 @@ "descr": "stevenblack IPs", "flag": "tcp 80 443" }, - "talos":{ - "url_4": "https://www.talosintelligence.com/documents/ip-blacklist", - "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", - "descr": "talos IPs" - }, "threat":{ "url_4": "https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt", "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", -- 2.30.2