From c4e814074003a1d45bb583e98cac435575e09ca4 Mon Sep 17 00:00:00 2001
From: Dirk Brenken
Date: Sun, 5 Nov 2023 09:19:55 +0100
Subject: [PATCH] banip: release 0.9.2-1
* the log file monitor now supports standard log files used by other log daemons like syslog-ng
Set 'ban_logreadfile' accordingly, by default it points to /var/log/messages
* removed logd dependency, closes #21932
Signed-off-by: Dirk Brenken
---
 net/banip/Makefile | 4 +-
 net/banip/files/README.md | 115 +++++++++++++++--------
 net/banip/files/banip-functions.sh | 38 +++++++---
 3 files changed, 89 insertions(+), 68 deletions(-)
diff --git a/net/banip/Makefile b/net/banip/Makefile
index 0c9f4460fa..ceadbc0fd8 100644
--- a/net/banip/Makefile
+++ b/net/banip/Makefile
@@ -5,7 +5,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=banip
-PKG_VERSION:=0.9.1
+PKG_VERSION:=0.9.2
 PKG_RELEASE:=1
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_MAINTAINER:=Dirk Brenken
@@ -16,7 +16,7 @@ define Package/banip
 SECTION:=net
 CATEGORY:=Network
 TITLE:=banIP blocks IPs via named nftables Sets
- DEPENDS:=+jshn +jsonfilter +firewall4 +ca-bundle +logd +rpcd +rpcd-mod-rpcsys
+ DEPENDS:=+jshn +jsonfilter +firewall4 +ca-bundle +rpcd +rpcd-mod-rpcsys
 PKGARCH:=all
 endef
diff --git a/net/banip/files/README.md b/net/banip/files/README.md
index d65e6e391f..eb5e8cf65c 100644
--- a/net/banip/files/README.md
+++ b/net/banip/files/README.md
@@ -91,7 +91,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
 * Supports allowing / blocking of certain VLAN forwards
 ## Prerequisites
-* **[OpenWrt](https://openwrt.org)**, latest stable release or a snapshot with nft/firewall 4 and logd/logread support
+* **[OpenWrt](https://openwrt.org)**, latest stable release or a snapshot with nft/firewall 4 support
 * A download utility with SSL support: 'aria2c', 'curl', full 'wget' or 'uclient-fetch' with one of the 'libustream-*' SSL libraries, the latter one doesn't provide support for ETag HTTP header
 * A certificate store like 'ca-bundle', as banIP checks the validity of the SSL certificates of all download sites by default
 * For E-Mail notifications you need to install and setup the additional 'msmtp' package
@@ -134,62 +134,63 @@ Available commands:
 ## banIP config options
-| Option | Type | Default | Description |
-| :---------------------- | :----- | :---------------------------- | :----------------------------------------------------------------------------------------------------------- |
-| ban_enabled | option | 0 | enable the banIP service |
-| ban_nicelimit | option | 0 | ulimit nice level of the banIP service (range 0-19) |
-| ban_filelimit | option | 1024 | ulimit max open/number of files (range 1024-4096) |
-| ban_loglimit | option | 100 | scan only the last n log entries permanently. A value of '0' disables the monitor |
-| ban_logcount | option | 1 | how many times the IP must appear in the log to be considered as suspicious |
-| ban_logterm | list | regex | various regex for logfile parsing (default: dropbear, sshd, luci, nginx, asterisk) |
-| ban_autodetect | option | 1 | auto-detect wan interfaces, devices and subnets |
-| ban_debug | option | 0 | enable banIP related debug logging |
-| ban_loginput | option | 1 | log drops in the wan-input chain |
-| ban_logforwardwan | option | 1 | log drops in the wan-forward chain |
-| ban_logforwardlan | option | 0 | log rejects in the lan-forward chain |
-| ban_autoallowlist | option | 1 | add wan IPs/subnets and resolved domains automatically to the local allowlist (not only to the Sets) |
-| ban_autoblocklist | option | 1 | add suspicious attacker IPs and resolved domains automatically to the local blocklist (not only to the Sets) |
-| ban_autoblocksubnet | option | 0 | add entire subnets to the blocklist Sets based on an additional RDAP request with the suspicious IP |
-| ban_autoallowuplink | option | subnet | limit the uplink autoallow function to: 'subnet', 'ip' or 'disable' it at all |
-| ban_allowlistonly | option | 0 | restrict the internet access from/to a given number of secure websites/IPs |
-| ban_basedir | option | /tmp | base working directory while banIP processing |
-| ban_reportdir | option | /tmp/banIP-report | directory where banIP stores the report files |
-| ban_backupdir | option | /tmp/banIP-backup | directory where banIP stores the compressed backup files |
-| ban_protov4 | option | - / autodetect | enable IPv4 support |
-| ban_protov6 | option | - / autodetect | enable IPv4 support |
-| ban_ifv4 | list | - / autodetect | logical wan IPv4 interfaces, e.g. 'wan' |
-| ban_ifv6 | list | - / autodetect | logical wan IPv6 interfaces, e.g. 'wan6' |
-| ban_dev | list | - / autodetect | wan device(s), e.g. 'eth2' |
-| ban_vlanallow | list | - | always allow certain VLAN forwards, e.g. br-lan.20 |
-| ban_vlanblock | list | - | always block certain VLAN forwards, e.g. br-lan.10 |
-| ban_trigger | list | - | logical reload trigger interface(s), e.g. 'wan' |
-| ban_triggerdelay | option | 10 | trigger timeout during interface reload and boot |
-| ban_deduplicate | option | 1 | deduplicate IP addresses across all active Sets |
-| ban_splitsize | option | 0 | split ext. Sets after every n lines/members (saves RAM) |
-| ban_cores | option | - / autodetect | limit the cpu cores used by banIP (saves RAM) |
-| ban_nftloglevel | option | warn | nft loglevel, values: emerg, alert, crit, err, warn, notice, info, debug |
-| ban_nftpriority | option | -200 | nft priority for the banIP table (default is the prerouting table priority) |
-| ban_nftpolicy | option | memory | nft policy for banIP-related Sets, values: memory, performance |
-| ban_nftexpiry | option | - | expiry time for auto added blocklist members, e.g. '5m', '2h' or '1d' |
-| ban_feed | list | - | external download feeds, e.g. 'yoyo', 'doh', 'country' or 'talos' (see feed table) |
-| ban_asn | list | - | ASNs for the 'asn' feed, e.g.'32934' |
-| ban_country | list | - | country iso codes for the 'country' feed, e.g. 'ru' |
-| ban_blockpolicy | option | - | limit the default block policy to a certain chain, e.g. 'input', 'forwardwan' or 'forwardlan' |
-| ban_blocktype | option | drop | 'drop' packets silently on input and forwardwan chains or actively 'reject' the traffic |
-| ban_blockinput | list | - | limit a feed to the wan-input chain, e.g. 'country' |
-| ban_blockforwardwan | list | - | limit a feed to the wan-forward chain, e.g. 'debl' |
-| ban_blockforwardlan | list | - | limit a feed to the lan-forward chain, e.g. 'doh' |
-| ban_fetchcmd | option | - / autodetect | 'uclient-fetch', 'wget', 'curl' or 'aria2c' |
-| ban_fetchparm | option | - / autodetect | set the config options for the selected download utility |
-| ban_fetchretry | option | 5 | number of download attempts in case of an error (not supported by uclient-fetch) |
-| ban_fetchinsecure | option | 0 | don't check SSL server certificates during download |
-| ban_mailreceiver | option | - | receiver address for banIP related notification E-Mails |
-| ban_mailsender | option | no-reply@banIP | sender address for banIP related notification E-Mails |
-| ban_mailtopic | option | banIP notification | topic for banIP related notification E-Mails |
-| ban_mailprofile | option | ban_notify | mail profile used in 'msmtp' for banIP related notification E-Mails |
-| ban_mailnotification | option | 0 | receive E-Mail notifications with every banIP run |
-| ban_reportelements | option | 1 | count Set elements in the report, disable this option to speed up the report significantly |
-| ban_resolver | option | - | external resolver used for DNS lookups |
+| Option | Type | Default | Description |
+| :---------------------- | :----- | :---------------------------- | :---------------------------------------------------------------------------------------------------------------- |
+| ban_enabled | option | 0 | enable the banIP service |
+| ban_nicelimit | option | 0 | ulimit nice level of the banIP service (range 0-19) |
+| ban_filelimit | option | 1024 | ulimit max open/number of files (range 1024-4096) |
+| ban_loglimit | option | 100 | scan only the last n log entries permanently. A value of '0' disables the monitor |
+| ban_logcount | option | 1 | how many times the IP must appear in the log to be considered as suspicious |
+| ban_logterm | list | regex | various regex for logfile parsing (default: dropbear, sshd, luci, nginx, asterisk) |
+| ban_logreadfile | option | /var/log/messages | alternative location for parsing the log file, e.g. via syslog-ng, to deactivate the standard parsing via logread |
+| ban_autodetect | option | 1 | auto-detect wan interfaces, devices and subnets |
+| ban_debug | option | 0 | enable banIP related debug logging |
+| ban_loginput | option | 1 | log drops in the wan-input chain |
+| ban_logforwardwan | option | 1 | log drops in the wan-forward chain |
+| ban_logforwardlan | option | 0 | log rejects in the lan-forward chain |
+| ban_autoallowlist | option | 1 | add wan IPs/subnets and resolved domains automatically to the local allowlist (not only to the Sets) |
+| ban_autoblocklist | option | 1 | add suspicious attacker IPs and resolved domains automatically to the local blocklist (not only to the Sets) |
+| ban_autoblocksubnet | option | 0 | add entire subnets to the blocklist Sets based on an additional RDAP request with the suspicious IP |
+| ban_autoallowuplink | option | subnet | limit the uplink autoallow function to: 'subnet', 'ip' or 'disable' it at all |
+| ban_allowlistonly | option | 0 | restrict the internet access from/to a given number of secure websites/IPs |
+| ban_basedir | option | /tmp | base working directory while banIP processing |
+| ban_reportdir | option | /tmp/banIP-report | directory where banIP stores the report files |
+| ban_backupdir | option | /tmp/banIP-backup | directory where banIP stores the compressed backup files |
+| ban_protov4 | option | - / autodetect | enable IPv4 support |
+| ban_protov6 | option | - / autodetect | enable IPv4 support |
+| ban_ifv4 | list | - / autodetect | logical wan IPv4 interfaces, e.g. 'wan' |
+| ban_ifv6 | list | - / autodetect | logical wan IPv6 interfaces, e.g. 'wan6' |
+| ban_dev | list | - / autodetect | wan device(s), e.g. 'eth2' |
+| ban_vlanallow | list | - | always allow certain VLAN forwards, e.g. br-lan.20 |
+| ban_vlanblock | list | - | always block certain VLAN forwards, e.g. br-lan.10 |
+| ban_trigger | list | - | logical reload trigger interface(s), e.g. 'wan' |
+| ban_triggerdelay | option | 10 | trigger timeout during interface reload and boot |
+| ban_deduplicate | option | 1 | deduplicate IP addresses across all active Sets |
+| ban_splitsize | option | 0 | split ext. Sets after every n lines/members (saves RAM) |
+| ban_cores | option | - / autodetect | limit the cpu cores used by banIP (saves RAM) |
+| ban_nftloglevel | option | warn | nft loglevel, values: emerg, alert, crit, err, warn, notice, info, debug |
+| ban_nftpriority | option | -200 | nft priority for the banIP table (default is the prerouting table priority) |
+| ban_nftpolicy | option | memory | nft policy for banIP-related Sets, values: memory, performance |
+| ban_nftexpiry | option | - | expiry time for auto added blocklist members, e.g. '5m', '2h' or '1d' |
+| ban_feed | list | - | external download feeds, e.g. 'yoyo', 'doh', 'country' or 'talos' (see feed table) |
+| ban_asn | list | - | ASNs for the 'asn' feed, e.g.'32934' |
+| ban_country | list | - | country iso codes for the 'country' feed, e.g. 'ru' |
+| ban_blockpolicy | option | - | limit the default block policy to a certain chain, e.g. 'input', 'forwardwan' or 'forwardlan' |
+| ban_blocktype | option | drop | 'drop' packets silently on input and forwardwan chains or actively 'reject' the traffic |
+| ban_blockinput | list | - | limit a feed to the wan-input chain, e.g. 'country' |
+| ban_blockforwardwan | list | - | limit a feed to the wan-forward chain, e.g. 'debl' |
+| ban_blockforwardlan | list | - | limit a feed to the lan-forward chain, e.g. 'doh' |
+| ban_fetchcmd | option | - / autodetect | 'uclient-fetch', 'wget', 'curl' or 'aria2c' |
+| ban_fetchparm | option | - / autodetect | set the config options for the selected download utility |
+| ban_fetchretry | option | 5 | number of download attempts in case of an error (not supported by uclient-fetch) |
+| ban_fetchinsecure | option | 0 | don't check SSL server certificates during download |
+| ban_mailreceiver | option | - | receiver address for banIP related notification E-Mails |
+| ban_mailsender | option | no-reply@banIP | sender address for banIP related notification E-Mails |
+| ban_mailtopic | option | banIP notification | topic for banIP related notification E-Mails |
+| ban_mailprofile | option | ban_notify | mail profile used in 'msmtp' for banIP related notification E-Mails |
+| ban_mailnotification | option | 0 | receive E-Mail notifications with every banIP run |
+| ban_reportelements | option | 1 | count Set elements in the report, disable this option to speed up the report significantly |
+| ban_resolver | option | - | external resolver used for DNS lookups |
 ## Examples
 **banIP report information**
diff --git a/net/banip/files/banip-functions.sh b/net/banip/files/banip-functions.sh
index c0c4ea9595..c75a2b5648 100644
--- a/net/banip/files/banip-functions.sh
+++ b/net/banip/files/banip-functions.sh
@@ -23,7 +23,8 @@ ban_rtfile="/var/run/banip_runtime.json"
 ban_rdapfile="/var/run/banip_rdap.json"
 ban_rdapurl="https://rdap.db.ripe.net/ip/"
 ban_lock="/var/run/banip.lock"
-ban_logreadcmd="$(command -v logread)"
+ban_logreadfile="/var/log/messages"
+ban_logreadcmd=""
 ban_logcmd="$(command -v logger)"
 ban_ubuscmd="$(command -v ubus)"
 ban_nftcmd="$(command -v nft)"
@@ -188,7 +189,12 @@ f_rmpid() {
 local ppid pid pids
 ppid="$("${ban_catcmd}" "${ban_pidfile}" 2>/dev/null)"
- [ -n "${ppid}" ] && pids="$(pgrep -P "${ppid}" 2>/dev/null)"
+ if [ -n "${ppid}" ]; then
+ pids="$(pgrep -P "${ppid}" 2>/dev/null)"
+ for pid in ${pids}; do
+ pids="${pids} $(pgrep -P "${pid}" 2>/dev/null)"
+ done
+ fi
 for pid in ${pids}; do
 kill -INT "${pid}" >/dev/null 2>&1
 done
@@ -283,19 +289,25 @@ f_conf() {
 }
 }
 config_load banip
+ [ -f "${ban_logreadfile}" ] && ban_logreadcmd="$(command -v tail)" || ban_logreadcmd="$(command -v logread)"
 }
 # get nft/monitor actuals
 #
 f_actual() {
- local nft monitor
+ local nft monitor ppid pid
 if "${ban_nftcmd}" -t list set inet banIP allowlistv4MAC >/dev/null 2>&1; then
 nft="$(f_char "1")"
 else
 nft="$(f_char "0")"
 fi
- if pgrep -f "${ban_logreadcmd##*/}" -P "$("${ban_catcmd}" "${ban_pidfile}" 2>/dev/null)" >/dev/null 2>&1; then
+
+ ppid="$("${ban_catcmd}" "${ban_pidfile}" 2>/dev/null)"
+ if [ -n "${ppid}" ]; then
+ pid="$(pgrep -oP "${ppid}" 2>/dev/null)"
+ fi
+ if pgrep -f "${ban_logreadcmd##*/}" -P "${pid}" >/dev/null 2>&1; then
 monitor="$(f_char "1")"
 else
 monitor="$(f_char "0")"
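Review bot: The descendant walk added to f_rmpid stops at grandchildren: `for pid in ${pids}` expands `${pids}` once when the loop starts, so the pids appended inside the loop body are never walked themselves, and any process below depth two keeps running after the `kill -INT` loop. With f_monitor now running its reader through `eval "${logread_cmd}" | while …`, the tail/logread and grep processes presumably sit one level deeper than before, so a depth-unbounded walk looks safer than the fixed two levels; f_rmpid's closing brace lies outside the hunk. A breadth-first walk keeps the same local names plus `todo` and `next` and leaves the existing kill loop untouched.
```shell
	local ppid pid pids todo next

	ppid="$("${ban_catcmd}" "${ban_pidfile}" 2>/dev/null)"
	[ -n "${ppid}" ] && todo="$(pgrep -P "${ppid}" 2>/dev/null)"
	# breadth-first walk: collect every descendant of the service pid, not only two levels
	while [ -n "${todo}" ]; do
		pids="${pids} ${todo}"
		next=""
		for pid in ${todo}; do
			next="${next} $(pgrep -P "${pid}" 2>/dev/null)"
		done
		todo="${next# }"
	done
	# … unchanged: kill -INT loop over ${pids} …
```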
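Review bot: The monitor check at the end of the f_actual hunk still runs `pgrep -f "${ban_logreadcmd##*/}"` without checking that the pattern is non-empty, and f_conf now leaves `ban_logreadcmd` empty when neither tail nor logread is found (logread is no longer guaranteed, since the Makefile hunk drops the logd dependency); an empty regex matches any command line, so the status would report a running monitor that f_monitor never started. An empty `${pid}` (no child of the service pid) is likewise passed to `-P` unguarded, and what pgrep does with that depends on the implementation. Suggest `if [ -n "${ban_logreadcmd}" ] && [ -n "${pid}" ] && pgrep -f "${ban_logreadcmd##*/}" -P "${pid}" >/dev/null 2>&1; then`. f_actual's closing brace lies outside the hunk.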
@@ -1471,12 +1483,20 @@ f_mail() {
 # log monitor
 #
 f_monitor() {
- local nft_expiry line proto ip log_raw log_count rdap_log rdap_rc rdap_elements rdap_info
+ local logread_cmd loglimit_cmd nft_expiry line proto ip log_raw log_count rdap_log rdap_rc rdap_elements rdap_info
+
+ if [ -f "${ban_logreadfile}" ]; then
+ logread_cmd="${ban_logreadcmd} -qf ${ban_logreadfile} 2>/dev/null | ${ban_grepcmd} -e \"${ban_logterm%%??}\" 2>/dev/null"
+ loglimit_cmd="${ban_logreadcmd} -qn ${ban_loglimit} ${ban_logreadfile} 2>/dev/null"
+ elif printf "%s" "${ban_packages}" | "${ban_grepcmd}" -q '"logd'; then
+ logread_cmd="${ban_logreadcmd} -fe \"${ban_logterm%%??}\" 2>/dev/null"
+ loglimit_cmd="${ban_logreadcmd} -l ${ban_loglimit} 2>/dev/null"
+ fi
- if [ -x "${ban_logreadcmd}" ] && [ -n "${ban_logterm%%??}" ] && [ "${ban_loglimit}" != "0" ]; then
- f_log "info" "start detached banIP log service"
+ if [ -x "${ban_logreadcmd}" ] && [ -n "${logread_cmd}" ] && [ -n "${loglimit_cmd}" ] && [ -n "${ban_logterm%%??}" ] && [ "${ban_loglimit}" != "0" ]; then
+ f_log "info" "start detached banIP log service (${ban_logreadcmd})"
 [ -n "${ban_nftexpiry}" ] && nft_expiry="timeout $(printf "%s" "${ban_nftexpiry}" | "${ban_grepcmd}" -oE "([0-9]+[d|h|m|s])+$")"
- "${ban_logreadcmd}" -fe "${ban_logterm%%??}" 2>/dev/null |
+ eval "${logread_cmd}" |
 while read -r line; do
 : >"${ban_rdapfile}"
 proto=""
@@ -1492,7 +1512,7 @@ f_monitor() {
 fi
 if [ -n "${proto}" ] && ! "${ban_nftcmd}" get element inet banIP blocklist"${proto}" "{ ${ip} }" >/dev/null 2>&1 && ! "${ban_grepcmd}" -q "^${ip}" "${ban_allowlist}"; then
 f_log "info" "suspicious IP '${ip}'"
- log_raw="$("${ban_logreadcmd}" -l "${ban_loglimit}" 2>/dev/null)"
+ log_raw="$(eval ${loglimit_cmd})"
 log_count="$(printf "%s\n" "${log_raw}" | "${ban_grepcmd}" -c "suspicious IP '${ip}'")"
 if [ "${log_count}" -ge "${ban_logcount}" ]; then
 if [ "${ban_autoblocksubnet}" = "1" ]; then
-- 2.30.2