banIP - ban incoming and/or outgoing ip adresses via ipsets

Description

IP address blocking is commonly used to protect against brute force attacks, prevent disruptive or unauthorized address(es) from access or it can be used to restrict access to or from a particular geographic area — for example.

Main Features

Support of the following fully pre-configured domain blocklist sources (free for private usage, for commercial use please check their individual licenses)

Source	Focus	Information
asn	ASN block	Link
bogon	Bogon prefixes	Link
country	Country blocks	Link
darklist	blocks suspicious attacker IPs	Link
debl	Fail2ban IP blacklist	Link
doh	Public DoH-Provider	Link
drop	Spamhaus drop compilation	Link
dshield	Dshield IP blocklist	Link
edrop	Spamhaus edrop compilation	Link
feodo	Feodo Tracker	Link
firehol1	Firehol Level 1 compilation	Link
firehol2	Firehol Level 2 compilation	Link
firehol3	Firehol Level 3 compilation	Link
firehol4	Firehol Level 4 compilation	Link
greensnow	blocks suspicious server IPs	Link
iblockads	Advertising blocklist	Link
iblockspy	Malicious spyware blocklist	Link
myip	Myip Live IP blacklist	Link
nixspam	iX spam protection	Link
proxy	Firehol list of open proxies	Link
ssbl	SSL botnet IP blacklist	Link
talos	Cisco Talos IP Blacklist	Link
threat	Emerging Threats	Link
tor	Tor exit nodes	Link
uceprotect1	Spam protection level 1	Link
uceprotect2	Spam protection level 2	Link
voip	VoIP fraud blocklist	Link
yoyo	Ad protection blacklist	Link

zero-conf like automatic installation & setup, usually no manual changes needed
automatically selects one of the following supported download utilities: aria2c, curl, uclient-fetch, wget
fast downloads & list processing as they are handled in parallel as background jobs in a configurable 'Download Queue'
full IPv4 and IPv6 support
ipsets (one per source) are used to ban a large number of IP addresses
supports blocking by ASN numbers
supports blocking by iso country codes
supports local black- & whitelist (IPv4, IPv6, CIDR notation or domain names)
auto-add unsuccessful LuCI, nginx or ssh login attempts via 'dropbear'/'sshd' to local blacklist
auto-add the uplink subnet to local whitelist
black- and whitelist also accept domain names as input to allow IP filtering based on these names
supports a 'whitelist only' mode, this option allows to restrict Internet access from/to a small number of secure websites/IPs
provides a small background log monitor to ban unsuccessful login attempts in real-time
per source configuration of SRC (incoming) and DST (outgoing)
integrated IPSet-Lookup
integrated bgpview-Lookup
blocklist source parsing by fast & flexible regex rulesets
minimal status & error logging to syslog, enable debug logging to receive more output
procd based init system support (start/stop/restart/reload/refresh/status)
procd network interface trigger support
automatic blocklist backup & restore, they will be used in case of download errors or during startup
provides comprehensive runtime information
provides a detailed IPSet Report
provides a powerful query function to quickly find blocked IPs/CIDR in banIP related IPSets
provides an easily configurable blocklist update scheduler called 'Refresh Timer'
strong LuCI support
optional: add new banIP sources on your own

Prerequisites

OpenWrt, tested with the stable release series (21.02.x) and with the latest rolling snapshot releases. On turris devices it has been successfully tested with TurrisOS 5.2.x
Please note: Ancient OpenWrt releases like 18.06.x or 17.01.x are not supported!
Please note: Devices with less than 128 MByte RAM are not supported!
Please note: If you're updating from former banIP 0.3x please manually remove your config (/etc/config/banip) before you start!
A download utility with SSL support: 'wget', 'uclient-fetch' with one of the 'libustream-*' ssl libraries, 'aria2c' or 'curl' is required
A certificate store like 'ca-bundle', as banIP checks the validity of the SSL certificates of all download sites by default
Optional E-Mail notification support: for E-Mail notifications you need to install and setup the additional 'msmtp' package

Installation & Usage

Update your local opkg repository (opkg update)
Install 'banip' (opkg install banip). The banIP service is disabled by default
Install the LuCI companion package 'luci-app-banip' (opkg install luci-app-banip)
It's strongly recommended to use the LuCI frontend to easily configure all aspects of banIP, the application is located in LuCI under the 'Services' menu

banIP CLI

All important banIP functions are accessible via CLI as well.

banIP config options

Usually the auto pre-configured banIP setup works quite well and no manual overrides are needed

Option	Type	Default	Description
ban_enabled	option	0	enable the banIP service
ban_autodetect	option	1	auto-detect wan interfaces, devices and subnets
ban_debug	option	0	enable banIP related debug logging
ban_mail_enabled	option	0	enable the mail service
ban_monitor_enabled	option	0	enable the log monitor, e.g. to catch failed ssh/luci logins
ban_logsrc_enabled	option	0	enable the src-related logchain
ban_logdst_enabled	option	0	enable the dst-related logchain
ban_autoblacklist	option	1	add suspicious IPs automatically to the local blacklist
ban_autowhitelist	option	1	add wan IPs/subnets automatically to the local whitelist
ban_whitelistonly	option	0	allow to restrict Internet access from/to a small number of secure websites/IPs
ban_maxqueue	option	4	size of the download queue to handle downloads and processing in parallel
ban_reportdir	option	/tmp/banIP-Report	directory where banIP stores the report files
ban_backupdir	option	/tmp/banIP-Backup	directory where banIP stores the compressed backup files
ban_ifaces	list	-	list option to add logical wan interfaces manually
ban_sources	list	-	list option to add banIP sources
ban_countries	list	-	list option to add certain countries as an alpha-2 ISO code, e.g. 'de' for germany
ban_asns	list	-	list option to add certain ASNs (autonomous system number), e.g. '32934' for facebook
ban_chain	option	banIP	name of the root chain used by banIP
ban_global_settype	option	src+dst	global settype as default for all sources
ban_settype_src	list	-	special SRC settype for a certain sources
ban_settype_dst	list	-	special DST settype for a certain sources
ban_settype_all	list	-	special SRC+DST settype for a certain sources
ban_target_src	option	DROP	default src action (used by log chains as well)
ban_target_dst	option	REJECT	default dst action (used by log chains as well)
ban_lan_inputchains_4	list	input_lan_rule	list option to add IPv4 lan input chains
ban_lan_inputchains_6	list	input_lan_rule	list option to add IPv6 lan input chains
ban_lan_forwardchains_4	list	forwarding_lan_rule	list option to add IPv4 lan forward chains
ban_lan_forwardchains_6	list	forwarding_lan_rule	list option to add IPv6 lan forward chains
ban_wan_inputchains_4	list	input_wan_rule	list option to add IPv4 wan input chains
ban_wan_inputchains_6	list	input_wan_rule	list option to add IPv6 wan input chains
ban_wan_forwardchains_4	list	forwarding_wan_rule	list option to add IPv4 wan forward chains
ban_wan_forwardchains_6	list	forwarding_wan_rule	list option to add IPv6 wan forward chains
ban_fetchutil	option	-, auto-detected	'uclient-fetch', 'wget', 'curl' or 'aria2c'
ban_fetchparm	option	-, auto-detected	manually override the config options for the selected download utility
ban_fetchinsecure	option	0, disabled	don't check SSL server certificates during download
ban_mailreceiver	option	-	receiver address for banIP related notification E-Mails
ban_mailsender	option	no-reply@banIP	sender address for banIP related notification E-Mails
ban_mailtopic	option	banIP notification	topic for banIP related notification E-Mails
ban_mailprofile	option	ban_notify	mail profile used in 'msmtp' for banIP related notification E-Mails
ban_srcarc	option	/etc/banip/banip.sources.gz	full path to the compressed source archive file used by banIP
ban_localsources	list	maclist, whitelist, blacklist	limit the selection to certain local sources
ban_extrasources	list	-	add additional, non-banIP related IPSets e.g. for reporting or queries
ban_maclist_timeout	option	-	individual maclist IPSet timeout
ban_whitelist_timeout	option	-	individual whitelist IPSet timeout
ban_blacklist_timeout	option	-	individual blacklist IPSet timeout
ban_logterms	list	dropbear, sshd, luci, nginx	limit the log monitor to certain log terms
ban_loglimit	option	100	parse only the last stated number of log entries for suspicious events
ban_ssh_logcount	option	3	number of the failed ssh login repetitions of the same ip in the log before banning
ban_luci_logcount	option	3	number of the failed luci login repetitions of the same ip in the log before banning
ban_nginx_logcount	option	5	number of the failed nginx requests of the same ip in the log before banning

Examples

list/edit banIP sources:

receive banIP runtime information:

black-/whitelist handling:
banIP supports a local black & whitelist (IPv4, IPv6, CIDR notation or domain names), located by default in /etc/banip/banip.whitelist and /etc/banip/banip.blacklist.
Unsuccessful LuCI logins, suspicious nginx request or ssh login attempts via 'dropbear'/'sshd' could be tracked and automatically added to the local blacklist (see the 'ban_autoblacklist' option). Furthermore the uplink subnet could be automatically added to local whitelist (see 'ban_autowhitelist' option). The list behaviour could be further tweaked with different timeout and counter options (see the config options section above).
Last but not least, both lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be resolved in a detached background process and added to the IPsets. The detached name lookup takes place only during 'restart' or 'reload' action, 'start' and 'refresh' actions are using an auto-generated backup instead.

whitelist-only mode:
banIP supports a "whitelist only" mode. This option allows to restrict the internet access from/to a small number of secure websites/IPs, and block access from/to the rest of the internet. All IPs and Domains which are not listed in the whitelist are blocked. Please note: suspend/resume does not work in this mode.

Manually override the download options:
By default banIP uses the following pre-configured download options:

aria2c: --timeout=20 --allow-overwrite=true --auto-file-renaming=false --log-level=warn --dir=/ -o
curl: --connect-timeout 20 --silent --show-error --location -o
uclient-fetch: --timeout=20 -O
wget: --no-cache --no-cookies --max-redirect=0 --timeout=20 -O

To override the default set 'ban_fetchparm' manually to your needs.

generate an IPSet report:

Enable E-Mail notification via 'msmtp':
To use the email notification you have to install & configure the package 'msmtp'.
Modify the file '/etc/msmtprc', e.g.:

Finally enable E-Mail support and add a valid E-Mail receiver address in LuCI.

Edit, add new banIP sources:
The banIP blocklist sources are stored in an external, compressed JSON file '/etc/banip/banip.sources.gz'. This file is directly parsed in LuCI and accessible via CLI, just call /etc/init.d/banip list.

To add new or edit existing sources extract the compressed JSON file gunzip /etc/banip/banip.sources.gz.
A valid JSON source object contains the following required information, e.g.:

Add an unique object name, make the required changes to 'url_4', 'rule_4' (and/or 'url_6', 'rule_6'), 'focus' and 'descurl' and finally compress the changed JSON file gzip /etc/banip/banip.sources.gz to use the new source object in banIP.
Please note: if you're going to add new sources on your own, please make a copy of the default file and work with that copy further on, cause the default will be overwritten with every banIP update. To reference your copy set the option 'ban_srcarc' which points by default to '/etc/banip/banip.sources.gz'

Support

Please join the banIP discussion in this forum thread or contact me by mail dev@brenken.org

Removal

stop all banIP related services with /etc/init.d/banip stop
optional: remove the banip package (opkg remove banip)

Have fun!
Dirk