mirror of https://git.openwrt.org/feed/packages.git synced 2024-06-20 07:38:40 +02:00
openwrt-packages/net/banip/files
Dirk Brenken b17588a856 banip: new package to block incoming & outgoing ip addresses
a new script-based package called "banIP" to block
incoming & outgoing IP addresses/subnets via ipset.

Features:
* a shell script which uses ipset and iptables
  to ban a large number of IP addresses
  published in various IP blacklists (bogon, firehol etc.)
* support blocking by ASN numbers
* support blocking by iso country codes
* support local white & blacklist (IPv4, IPv6 & CIDR notation)
* auto-add unsuccessful ssh login attempts to local blacklist
* auto-add the uplink subnet to local whitelist
* per source configuration of SRC (incoming) and DST (outgoing)
* supports IPv4 & IPv6

Strong LuCI support:
* easy interface to track & change all aspects of your ipset
  configuration on the fly
* integrated IPSet-Lookup
* integrated RIPE-Lookup
* Log-Viewer & online configuration of white- & blacklist

LuCI-Screenshots will follow in the second post.
Forum discussion:
https://forum.openwrt.org/t/banip-new-project-needs-testers-feedback/16985

Signed-off-by: Dirk Brenken <dev@brenken.org>
2018-11-10 11:01:45 +01:00
Files in this directory (all added by commit b17588a856 "banip: new package to block incoming & outgoing ip addresses", 2018-11-10 11:01:45 +01:00):
banip.blacklist
banip.conf
banip.hotplug
banip.init
banip.sh
banip.whitelist
README.md

banIP - ban incoming and/or outgoing IP addresses via ipsets

Description

IP address blocking is commonly used to protect against brute force attacks, to keep disruptive or unauthorized addresses from gaining access, or to restrict access to or from a particular geographic area, for example.

Main Features

  • supports many IP blocklist sources (free for private usage; for commercial use please check their individual licenses)
  • zero-conf like automatic installation & setup, usually no manual changes needed
  • supports six different download utilities: uclient-fetch, wget, curl, aria2c, wget-nossl, busybox-wget
  • Really fast downloads & list processing as they are handled in parallel as background jobs in a configurable 'Download Queue'
  • provides an 'http only' mode for all non-SSL blocklist sources, so no SSL library needs to be installed
  • full IPv4 and IPv6 support
  • ipsets (one per source) are used to ban a large number of IP addresses
  • supports blocking by ASN (autonomous system number)
  • supports blocking by ISO country codes
  • supports local white & blacklist (IPv4, IPv6 & CIDR notation), located by default in /etc/banip/banip.whitelist and /etc/banip/banip.blacklist
  • auto-add unsuccessful ssh login attempts to local blacklist
  • auto-add the uplink subnet to local whitelist
  • per source configuration of SRC (incoming) and DST (outgoing)
  • integrated IPSet-Lookup
  • integrated RIPE-Lookup
  • blocklist source parsing by fast & flexible regex rulesets
  • minimal status & error logging to syslog, enable debug logging to receive more output
  • procd based init system support (start/stop/restart/reload/status)
  • procd network interface trigger support
  • outputs comprehensive runtime information via LuCI or via the 'status' init command
  • strong LuCI support
  • optional: add new banIP sources on your own
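The feature list above describes per-source regex parsing of raw blocklist feeds into one ipset per source and separate SRC (incoming) and DST (outgoing) blocking. The following added example (not banIP's own code) shows that pipeline in POSIX sh: a constructed sample feed is filtered down to valid IPv4 entries, emitted as "ipset restore" lines, and paired with the iptables rule for the chosen direction. The set name banip_sample is an assumption, and the chains input_rule/output_rule are OpenWrt's fw3 user chains, assumed to exist on the target.

```shell
#!/bin/sh
# Added example, not part of the banIP package: parse a blocklist feed into
# ipset restore lines and build the matching iptables drop rule.

# Constructed sample feed: comments, bare IPv4, CIDR, junk, an octet > 255
# and a prefix length > 32 (the last three must be rejected)
SAMPLE_FEED='# constructed sample feed
192.0.2.0/24
198.51.100.7
203.0.113.42 ; trailing comment
not-an-address
10.0.0.256
172.16.0.0/33'

# banip_ipset_lines <set> <feed>: print "add <set> <ip-or-cidr>" for every
# syntactically valid IPv4 address or prefix in the feed, and nothing else.
banip_ipset_lines() {
    printf '%s\n' "$2" |
    sed -e 's/[;#].*$//' -e 's/[[:space:]]//g' |
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' |
    awk -v set="$1" -F'[./]' \
        '$1<256 && $2<256 && $3<256 && $4<256 && (NF<5 || $5<=32) {print "add " set " " $0}'
}

# banip_ipset_restore <set> <feed>: a complete "ipset restore" script for one
# source (one hash:net set per source, as the README describes)
banip_ipset_restore() {
    printf 'create %s hash:net family inet\n' "$1"
    banip_ipset_lines "$1" "$2"
}

# banip_rule <set> <SRC|DST>: the iptables rule that drops matches on the set.
# SRC blocks incoming packets from listed addresses (input_rule chain),
# DST blocks outgoing packets to listed addresses (output_rule chain).
banip_rule() {
    case "$2" in
        SRC) printf 'iptables -I input_rule -m set --match-set %s src -j DROP\n' "$1" ;;
        DST) printf 'iptables -I output_rule -m set --match-set %s dst -j DROP\n' "$1" ;;
        *)   printf 'unknown direction: %s\n' "$2" >&2; return 1 ;;
    esac
}

# Usage: emit the restore script for the sample source and its SRC rule
banip_ipset_restore banip_sample "$SAMPLE_FEED"
banip_rule banip_sample SRC
```

Piping the first function's output into `ipset restore` and running the printed rule would apply the block on a router; the example only prints both so it can be inspected first.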

Prerequisites

  • OpenWrt, tested with the stable release series (18.06) and with the latest snapshot
  • a download utility:
    • to support all blocklist sources a full version (with ssl support) of 'wget', 'uclient-fetch' with one of the 'libustream-*' ssl libraries, 'aria2c' or 'curl' is required
    • for limited devices with real memory constraints, banIP also provides an 'http only' option and supports wget-nossl and uclient-fetch (without libustream-ssl) as well

Installation & Usage

  • install 'banip' (opkg install banip)
  • at minimum configure the needed IP blocklist sources, the download utility and enable the banIP service in /etc/config/banip
  • control the banip service manually with /etc/init.d/banip start/stop/restart/reload/status or use the LuCI frontend

LuCI banIP companion package

  • it's recommended to use the provided LuCI frontend to control all aspects of banIP
  • install 'luci-app-banip' (opkg install luci-app-banip)
  • the application is located in LuCI under 'Services' menu

Examples

receive banIP runtime information:

    /etc/init.d/banip status
    ::: banIP runtime information
      + status     : enabled
      + version    : 0.0.5
      + fetch_info : /bin/uclient-fetch (libustream-ssl)
      + ipset_info : 3 IPSets with overall 29510 IPs/Prefixes
      + last_run   : 08.11.2018 15:03:50
      + system     : GL-AR750S, OpenWrt SNAPSHOT r8419-860de2e1aa

cronjob for a regular block list update (/etc/crontabs/root):

    0 06 * * *    /etc/init.d/banip reload

Support

Please join the banIP discussion in this forum thread or contact me by mail at dev@brenken.org.

Removal

  • stop all banIP related services with /etc/init.d/banip stop
  • optional: remove the banip package (opkg remove banip)

Have fun!
Dirk