From 804249a5719c3ecdb49e64ea1329d37dace094fb Mon Sep 17 00:00:00 2001 From: Dirk Brenken Date: Sat, 13 Mar 2021 21:08:25 +0100 Subject: [PATCH] banip: bump to 0.7.5 * black- and whitelist now supporting domain names as well - the corresponding IPs (IPv4 & IPv6) will be resolved in a detached background process and added to the IPsets Signed-off-by: Dirk Brenken --- net/banip/Makefile | 3 +- net/banip/files/banip.dns | 79 +++++++++++++++++++++++++++++++++++++++ net/banip/files/banip.sh | 23 ++++++++++-- 3 files changed, 100 insertions(+), 5 deletions(-) create mode 100755 net/banip/files/banip.dns diff --git a/net/banip/Makefile b/net/banip/Makefile index dea787b9e2..a43b67d960 100644 --- a/net/banip/Makefile +++ b/net/banip/Makefile @@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=banip -PKG_VERSION:=0.7.3 +PKG_VERSION:=0.7.5 PKG_RELEASE:=1 PKG_LICENSE:=GPL-3.0-or-later PKG_MAINTAINER:=Dirk Brenken @@ -55,6 +55,7 @@ define Package/banip/install $(INSTALL_CONF) ./files/banip.conf $(1)/etc/config/banip $(INSTALL_DIR) $(1)/etc/banip + $(INSTALL_BIN) ./files/banip.dns $(1)/etc/banip $(INSTALL_BIN) ./files/banip.mail $(1)/etc/banip $(INSTALL_BIN) ./files/banip.service $(1)/etc/banip $(INSTALL_CONF) ./files/banip.maclist $(1)/etc/banip diff --git a/net/banip/files/banip.dns b/net/banip/files/banip.dns new file mode 100755 index 0000000000..c5b2b9a635 --- /dev/null +++ b/net/banip/files/banip.dns @@ -0,0 +1,79 @@ +#!/bin/sh +# helper script to resolve domains for adding to banIP-related IPSets +# written by Dirk Brenken (dev@brenken.org) +# +# This is free software, licensed under the GNU General Public License v3. +# +# (s)hellcheck exceptions +# shellcheck disable=1091,2030,2031,2034,2039,2086,2129,2140,2143,2154,2181,2183,2188 + +export LC_ALL=C +export PATH="/usr/sbin:/usr/bin:/sbin:/bin" +set -o pipefail + +if [ -r "/lib/functions.sh" ] +then + . "/lib/functions.sh" + ban_debug="$(uci_get banip global ban_debug "0")" +fi +ban_ver="${1}" +ban_src_name="${2}" +ban_src_file="${3}" +ban_ipset_cmd="$(command -v ipset)" +ban_lookup_cmd="$(command -v nslookup)" +ban_logger_cmd="$(command -v logger)" +ban_rc=1 + +f_log() +{ + local class="${1}" log_msg="${2}" + + if [ -n "${log_msg}" ] && { [ "${class}" != "debug" ] || [ "${ban_debug}" = "1" ]; } + then + if [ -x "${ban_logger_cmd}" ] + then + "${ban_logger_cmd}" -p "${class}" -t "banIP-${ban_ver%-*}[${$}]" "${log_msg}" + else + printf "%s %s %s\n" "${class}" "banIP-${ban_ver%-*}[${$}]" "${log_msg}" + fi + fi +} + +while read -r domain +do + update_ips="" + result="$("${ban_lookup_cmd}" "${domain}" 2>/dev/null; printf "%s" "${?}")" + if [ "$(printf "%s" "${result}" | tail -1)" = "0" ] + then + ips="$(printf "%s" "${result}" | awk '/^Address[ 0-9]*: /{ORS=" ";print $NF}')" + for ip in ${ips} + do + for proto in "4" "6" + do + if { [ "${proto}" = "4" ] && [ -n "$("${ban_ipset_cmd}" -q -n list "${ban_src_name}_${proto}")" ] && [ -n "$(printf "%s" "${ip}" | awk '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print $1}')" ]; } || \ + { [ "${proto}" = "6" ] && [ -n "$("${ban_ipset_cmd}" -q -n list "${ban_src_name}_${proto}")" ] && [ -z "$(printf "%s" "${ip}" | awk '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print $1}')" ]; } + then + "${ban_ipset_cmd}" add "${ban_src_name}_${proto}" "${ip}" 2>/dev/null + if [ "${?}" = "0" ] + then + if [ -z "${update_ips}" ] + then + update_ips="${ip}" + else + update_ips="${update_ips}, ${ip}" + fi + fi + break + fi + done + done + if [ -n "${update_ips}" ] + then + ban_rc=0 + f_log "debug" "dns_imp ::: source '${ban_src_name}' supplemented by '${domain}' (${update_ips})" + fi + fi +done < "${ban_src_file}" +rm -f "${ban_src_file}" +f_log "info" "banIP domain import for source '${ban_src_name}' has been finished with rc '${ban_rc}'" +exit ${ban_rc} diff --git a/net/banip/files/banip.sh b/net/banip/files/banip.sh index ed1bfad051..5e045a748d 100755 --- a/net/banip/files/banip.sh +++ b/net/banip/files/banip.sh @@ -12,7 +12,7 @@ export LC_ALL=C export PATH="/usr/sbin:/usr/bin:/sbin:/bin" set -o pipefail -ban_ver="0.7.3" +ban_ver="0.7.5" ban_enabled="0" ban_mail_enabled="0" ban_proto4_enabled="0" @@ -44,7 +44,7 @@ ban_ipt6_savecmd="$(command -v ip6tables-save)" ban_ipt6_restorecmd="$(command -v ip6tables-restore)" ban_ipset_cmd="$(command -v ipset)" ban_logger_cmd="$(command -v logger)" -ban_logread="$(command -v logread)" +ban_logread_cmd="$(command -v logread)" ban_allsources="" ban_sources="" ban_asns="" @@ -68,6 +68,7 @@ ban_srcfile="${ban_tmpbase}/ban_sources.json" ban_reportdir="${ban_tmpbase}/banIP-Report" ban_backupdir="${ban_tmpbase}/banIP-Backup" ban_srcarc="/etc/banip/banip.sources.gz" +ban_dnsservice="/etc/banip/banip.dns" ban_mailservice="/etc/banip/banip.mail" ban_logservice="/etc/banip/banip.service" ban_maclist="/etc/banip/banip.maclist" @@ -921,7 +922,7 @@ f_bgsrv() { local bg_pid action="${1}" - bg_pid="$(pgrep -f "^/bin/sh ${ban_logservice}|${ban_logread}|^grep -qE Exit before auth|^grep -qE error: maximum|^grep -qE luci: failed|^grep -qE nginx" | awk '{ORS=" "; print $1}')" + bg_pid="$(pgrep -f "^/bin/sh ${ban_logservice}|${ban_logread_cmd}|^grep -qE Exit before auth|^grep -qE error: maximum|^grep -qE luci: failed|^grep -qE nginx" | awk '{ORS=" "; print $1}')" if [ "${action}" = "start" ] && [ -x "${ban_logservice}" ] && [ "${ban_monitor_enabled}" = "1" ] then if [ -n "${bg_pid}" ] @@ -1004,6 +1005,20 @@ f_down() if [ "${src_rc}" = "0" ] then f_ipset "create" + src_name="${src_name%_*}" + tmp_dns="${ban_tmpbase}/${src_name}.dns" + if [ ! -f "${tmp_dns}" ] && [ "${proto}" = "4" ] + then + src_rule="/^([[:alnum:]_-]{1,63}\\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$1)}" + awk "${src_rule}" "${src_url}" > "${tmp_dns}" + src_rc="${?}" + if [ "${src_rc}" = "0" ] && [ -s "${tmp_dns}" ] + then + ( "${ban_dnsservice}" "${ban_ver}" "${src_name}" "${tmp_dns}" & ) + else + rm -f "${tmp_dns}" + fi + fi else f_log "debug" "f_down ::: name: ${src_name}, url: ${src_url}, rule: ${src_rule}, rc: ${src_rc}" fi @@ -1160,7 +1175,7 @@ f_main() # if [ "${ban_autoblacklist}" = "1" ] || [ "${ban_monitor_enabled}" = "1" ] then - log_raw="$(${ban_logread} -l "${ban_loglimit}")" + log_raw="$(${ban_logread_cmd} -l "${ban_loglimit}")" if [ -n "$(printf "%s\n" "${ban_logterms}" | grep -F "dropbear")" ] then log_ips="$(printf "%s\n" "${log_raw}" | grep -E "Exit before auth from" | \