From 7ac5f0a3d9505ee11393c6673d9ece663d8c1b60 Mon Sep 17 00:00:00 2001 From: Dirk Brenken Date: Sat, 6 May 2023 22:41:56 +0200 Subject: [PATCH] banip: release 0.8.5-1 * add support for external allowlist URLs to reference additional IPv4/IPv6 feeds, set 'ban_allowurl' accordingly * make download retries in case of an error configurable, set 'ban_fetchretry' accordingly (default 5) * small fixes * readme update * LuCI update (separate commit) Signed-off-by: Dirk Brenken --- net/banip/Makefile | 4 +- net/banip/files/README.md | 19 ++++--- net/banip/files/banip-functions.sh | 79 ++++++++++++++++++++---------- net/banip/files/banip.feeds | 2 +- 4 files changed, 67 insertions(+), 37 deletions(-) diff --git a/net/banip/Makefile b/net/banip/Makefile index e29e10eaf6..07bad22134 100644 --- a/net/banip/Makefile +++ b/net/banip/Makefile @@ -5,8 +5,8 @@ include $(TOPDIR)/rules.mk PKG_NAME:=banip -PKG_VERSION:=0.8.4 -PKG_RELEASE:=5 +PKG_VERSION:=0.8.5 +PKG_RELEASE:=1 PKG_LICENSE:=GPL-3.0-or-later PKG_MAINTAINER:=Dirk Brenken diff --git a/net/banip/files/README.md b/net/banip/files/README.md index 0a91b82909..ae5a4eedbe 100644 --- a/net/banip/files/README.md +++ b/net/banip/files/README.md @@ -62,7 +62,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre * Supports nft atomic Set loading * Supports blocking by ASN numbers and by iso country codes * Supports local allow- and blocklist (IPv4, IPv6, CIDR notation or domain names) -* Auto-add the uplink subnet to the local allowlist +* Auto-add the uplink subnet or uplink IP to the local allowlist * Provides a small background log monitor to ban unsuccessful login attempts in real-time * Auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist * Fast feed processing as they are handled in parallel as background jobs @@ -79,6 +79,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre * Procd based init system support (start/stop/restart/reload/status/report/search/survey/lookup) * Procd network interface trigger support * Add new or edit existing banIP feeds on your own with the integrated custom feed editor +* Supports external allowlist URLs to reference additional IPv4/IPv6 feeds ## Prerequisites * **[OpenWrt](https://openwrt.org)**, latest stable release or a snapshot with nft/firewall 4 support @@ -168,6 +169,7 @@ Available commands: | ban_blockforwardlan | list | - | limit a feed to the lan-forward chain, e.g. 'doh' | | ban_fetchcmd | option | - / autodetect | 'uclient-fetch', 'wget', 'curl' or 'aria2c' | | ban_fetchparm | option | - / autodetect | set the config options for the selected download utility | +| ban_fetchretry | option | 5 | number of download attempts in case of an error (not supported by uclient-fetch) | | ban_fetchinsecure | option | 0 | don't check SSL server certificates during download | | ban_mailreceiver | option | - | receiver address for banIP related notification E-Mails | | ban_mailsender | option | no-reply@banIP | sender address for banIP related notification E-Mails | @@ -289,9 +291,10 @@ list ban_logterm 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress=' **allow-/blocklist handling** banIP supports local allow and block lists (IPv4, IPv6, CIDR notation or domain names), located in /etc/banip/banip.allowlist and /etc/banip/banip.blocklist. -Unsuccessful login attempts or suspicious requests will be tracked and added to the local blocklist (see the 'ban\_autoblocklist' option). The blocklist behaviour can be further tweaked with the 'ban\_nftexpiry' option. -Furthermore the uplink subnet will be added to local allowlist (see 'ban\_autoallowlist' option). -Both lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be extracted and added to the Sets. You can also start the domain lookup separately via /etc/init.d/banip lookup at any time. +Unsuccessful login attempts or suspicious requests will be tracked and added to the local blocklist (see the 'ban_autoblocklist' option). The blocklist behaviour can be further tweaked with the 'ban_nftexpiry' option. +Depending on the options 'ban_autoallowlist' and 'ban_autoallowuplink' the uplink subnet or the uplink IP will be added automatically to local allowlist. +Furthermore, you can reference external Allowlist URLs with additional IPv4 and IPv6 feeds (see 'ban_allowurl'). +Both local lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be extracted and added to the Sets. You can also start the domain lookup separately via /etc/init.d/banip lookup at any time. **allowlist-only mode** banIP supports an "allowlist only" mode. This option restricts the internet access from/to a small number of secure websites/IPs, and block access from/to the rest of the internet. All IPs and Domains which are _not_ listed in the allowlist are blocked. @@ -317,12 +320,12 @@ nftables supports the atomic loading of firewall rules (incl. elements), which i **tweak the download options** By default banIP uses the following pre-configured download options: ``` - * aria2c: --timeout=20 --allow-overwrite=true --auto-file-renaming=false --log-level=warn --dir=/ -o - * curl: --connect-timeout 20 --fail --silent --show-error --location -o + * aria2c: --timeout=20 --retry-wait=10 --max-tries=5 --max-file-not-found=5 --allow-overwrite=true --auto-file-renaming=false --log-level=warn --dir=/ -o + * curl: --connect-timeout 20 --retry-delay 10 --retry 5 --retry-all-errors --fail --silent --show-error --location -o + * wget: --no-cache --no-cookies --timeout=20 --waitretry=10 --tries=5 --retry-connrefused --max-redirect=0 -O * uclient-fetch: --timeout=20 -O - * wget: --no-cache --no-cookies --max-redirect=0 --timeout=20 -O ``` -To override the default set 'ban_fetchparm' manually to your needs. +To override the default set 'ban_fetchretry', 'ban_fetchinsecure' or globally 'ban_fetchparm' to your needs. **send E-Mail notifications via 'msmtp'** To use the email notification you must install & configure the package 'msmtp'. diff --git a/net/banip/files/banip-functions.sh b/net/banip/files/banip-functions.sh index 7e882f244c..85903d1de8 100644 --- a/net/banip/files/banip-functions.sh +++ b/net/banip/files/banip-functions.sh @@ -30,6 +30,8 @@ ban_fw4cmd="$(command -v fw4)" ban_awkcmd="$(command -v awk)" ban_grepcmd="$(command -v grep)" ban_sedcmd="$(command -v sed)" +ban_catcmd="$(command -v cat)" +ban_zcatcmd="$(command -v zcat)" ban_lookupcmd="$(command -v nslookup)" ban_mailcmd="$(command -v msmtp)" ban_mailsender="no-reply@banIP" @@ -50,6 +52,7 @@ ban_asn="" ban_loginput="1" ban_logforwardwan="1" ban_logforwardlan="0" +ban_allowurl="" ban_allowlistonly="0" ban_autoallowlist="1" ban_autoallowuplink="subnet" @@ -69,6 +72,7 @@ ban_ifv6="" ban_dev="" ban_uplink="" ban_fetchinsecure="" +ban_fetchretry="5" ban_cores="" ban_memory="" ban_trigger="" @@ -197,7 +201,7 @@ f_log() { # load config # f_conf() { - unset ban_dev ban_ifv4 ban_ifv6 ban_feed ban_blockinput ban_blockforwardwan ban_blockforwardlan ban_logterm ban_country ban_asn + unset ban_dev ban_ifv4 ban_ifv6 ban_feed ban_allowurl ban_blockinput ban_blockforwardwan ban_blockforwardlan ban_logterm ban_country ban_asn config_cb() { option_cb() { local option="${1}" @@ -220,6 +224,9 @@ f_conf() { "ban_feed") eval "${option}=\"$(printf "%s" "${ban_feed}")${value} \"" ;; + "ban_allowurl") + eval "${option}=\"$(printf "%s" "${ban_allowurl}")${value} \"" + ;; "ban_blockinput") eval "${option}=\"$(printf "%s" "${ban_blockinput}")${value} \"" ;; @@ -251,7 +258,7 @@ f_conf() { f_fetch() { local item utils packages insecure - if [ -z "${ban_fetchcmd}" ] || [ ! -x "${ban_fetchcmd}" ]; then + if [ -z "${ban_fetchcmd}" ] || [ ! -x "$(command -v "${ban_fetchcmd}")" ]; then packages="$(${ban_ubuscmd} -S call rpc-sys packagelist '{ "all": true }' 2>/dev/null)" [ -z "${packages}" ] && f_log "err" "no local package repository" utils="aria2c curl wget uclient-fetch" @@ -267,16 +274,18 @@ f_fetch() { fi fi done + else + ban_fetchcmd="$(command -v "${ban_fetchcmd}")" fi [ ! -x "${ban_fetchcmd}" ] && f_log "err" "no download utility with SSL support" case "${ban_fetchcmd##*/}" in "aria2c") [ "${ban_fetchinsecure}" = "1" ] && insecure="--check-certificate=false" - ban_fetchparm="${ban_fetchparm:-"${insecure} --timeout=20 --allow-overwrite=true --auto-file-renaming=false --log-level=warn --dir=/ -o"}" + ban_fetchparm="${ban_fetchparm:-"${insecure} --timeout=20 --retry-wait=10 --max-tries=${ban_fetchretry} --max-file-not-found=${ban_fetchretry} --allow-overwrite=true --auto-file-renaming=false --log-level=warn --dir=/ -o"}" ;; "curl") [ "${ban_fetchinsecure}" = "1" ] && insecure="--insecure" - ban_fetchparm="${ban_fetchparm:-"${insecure} --connect-timeout 20 --fail --silent --show-error --location -o"}" + ban_fetchparm="${ban_fetchparm:-"${insecure} --connect-timeout 20 --retry-delay 10 --retry ${ban_fetchretry} --retry-all-errors --fail --silent --show-error --location -o"}" ;; "uclient-fetch") [ "${ban_fetchinsecure}" = "1" ] && insecure="--no-check-certificate" @@ -284,7 +293,7 @@ f_fetch() { ;; "wget") [ "${ban_fetchinsecure}" = "1" ] && insecure="--no-check-certificate" - ban_fetchparm="${ban_fetchparm:-"${insecure} --no-cache --no-cookies --max-redirect=0 --timeout=20 -O"}" + ban_fetchparm="${ban_fetchparm:-"${insecure} --no-cache --no-cookies --timeout=20 --waitretry=10 --tries=${ban_fetchretry} --retry-connrefused --max-redirect=0 -O"}" ;; esac @@ -296,7 +305,7 @@ f_fetch() { f_rmpid() { local ppid pid pids - ppid="$(cat "${ban_pidfile}" 2>/dev/null)" + ppid="$("${ban_catcmd}" "${ban_pidfile}" 2>/dev/null)" [ -n "${ppid}" ] && pids="$(pgrep -P "${ppid}" 2>/dev/null)" || return 0 for pid in ${pids}; do kill -INT "${pid}" >/dev/null 2>&1 @@ -314,7 +323,7 @@ f_actual() { else nft="$(f_char "0")" fi - if pgrep -f "logread" -P "$(cat "${ban_pidfile}" 2>/dev/null)" >/dev/null 2>&1; then + if pgrep -f "logread" -P "$("${ban_catcmd}" "${ban_pidfile}" 2>/dev/null)" >/dev/null 2>&1; then monitor="$(f_char "1")" else monitor="$(f_char "0")" @@ -468,7 +477,7 @@ f_getfeed() { f_getelements() { local file="${1}" - [ -s "${file}" ] && printf "%s" "elements={ $(cat "${file}" 2>/dev/null) };" + [ -s "${file}" ] && printf "%s" "elements={ $("${ban_catcmd}" "${file}" 2>/dev/null) };" } # build initial nft file with base table, chains and rules @@ -533,6 +542,7 @@ f_down() { tmp_file="${ban_tmpfile}.${feed}.file" tmp_flush="${ban_tmpfile}.${feed}.flush" tmp_nft="${ban_tmpfile}.${feed}.nft" + tmp_allow="${ban_tmpfile}.${feed%v*}" [ "${ban_loginput}" = "1" ] && log_input="log level ${ban_nftloglevel} prefix \"banIP/inp-wan/drp/${feed}: \"" [ "${ban_logforwardwan}" = "1" ] && log_forwardwan="log level ${ban_nftloglevel} prefix \"banIP/fwd-wan/drp/${feed}: \"" @@ -592,18 +602,33 @@ f_down() { feed_rc="${restore_rc}" fi - # handle local lists + # prepare local allowlist + # + if [ "${feed%v*}" = "allowlist" ] && [ ! -f "${tmp_allow}" ]; then + "${ban_catcmd}" "${ban_allowlist}" 2>/dev/null >"${tmp_allow}" + for feed_url in ${ban_allowurl}; do + feed_log="$("${ban_fetchcmd}" ${ban_fetchparm} "${tmp_load}" "${feed_url}" 2>&1)" + feed_rc="${?}" + if [ "${feed_rc}" = "0" ] && [ -s "${tmp_load}" ]; then + "${ban_catcmd}" "${tmp_load}" 2>/dev/null >>"${tmp_allow}" + else + f_log "info" "download for feed '${feed%v*}' failed (rc: ${feed_rc:-"-"}/log: ${feed_log})" + fi + done + fi + + # handle local feeds # if [ "${feed%v*}" = "allowlist" ]; then { printf "%s\n\n" "#!/usr/sbin/nft -f" - [ -s "${tmp_flush}" ] && cat "${tmp_flush}" + [ -s "${tmp_flush}" ] && "${ban_catcmd}" "${tmp_flush}" if [ "${proto}" = "MAC" ]; then - "${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s, ",tolower($1)}' "${ban_allowlist}" >"${tmp_file}" + "${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s, ",tolower($1)}' "${tmp_allow}" >"${tmp_file}" printf "%s\n" "add set inet banIP ${feed} { type ether_addr; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }" [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ether saddr @${feed} counter accept" elif [ "${proto}" = "4" ]; then - "${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s, ",$1}' "${ban_allowlist}" >"${tmp_file}" + "${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s, ",$1}' "${tmp_allow}" >"${tmp_file}" printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }" if [ -z "${feed_direction##*input*}" ]; then if [ "${ban_allowlistonly}" = "1" ]; then @@ -627,7 +652,7 @@ f_down() { fi fi elif [ "${proto}" = "6" ]; then - "${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s\n",$1}' "${ban_allowlist}" | + "${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s\n",$1}' "${tmp_allow}" | "${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{printf "%s, ",tolower($1)}' >"${tmp_file}" printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }" if [ -z "${feed_direction##*input*}" ]; then @@ -657,7 +682,7 @@ f_down() { elif [ "${feed%v*}" = "blocklist" ]; then { printf "%s\n\n" "#!/usr/sbin/nft -f" - [ -s "${tmp_flush}" ] && cat "${tmp_flush}" + [ -s "${tmp_flush}" ] && "${ban_catcmd}" "${tmp_flush}" if [ "${proto}" = "MAC" ]; then "${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s, ",tolower($1)}' "${ban_blocklist}" >"${tmp_file}" printf "%s\n" "add set inet banIP ${feed} { type ether_addr; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }" @@ -667,7 +692,7 @@ f_down() { "${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s,\n",$1}' "${ban_blocklist}" >"${tmp_raw}" "${ban_awkcmd}" 'NR==FNR{member[$0];next}!($0 in member)' "${ban_tmpfile}.deduplicate" "${tmp_raw}" 2>/dev/null >"${tmp_split}" "${ban_awkcmd}" 'BEGIN{FS="[ ,]"}NR==FNR{member[$1];next}!($1 in member)' "${ban_tmpfile}.deduplicate" "${ban_blocklist}" 2>/dev/null >"${tmp_raw}" - cat "${tmp_raw}" 2>/dev/null >"${ban_blocklist}" + "${ban_catcmd}" "${tmp_raw}" 2>/dev/null >"${ban_blocklist}" else "${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s,\n",$1}' "${ban_blocklist}" >"${tmp_split}" fi @@ -682,7 +707,7 @@ f_down() { "${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{printf "%s,\n",tolower($1)}' >"${tmp_raw}" "${ban_awkcmd}" 'NR==FNR{member[$0];next}!($0 in member)' "${ban_tmpfile}.deduplicate" "${tmp_raw}" 2>/dev/null >"${tmp_split}" "${ban_awkcmd}" 'BEGIN{FS="[ ,]"}NR==FNR{member[$1];next}!($1 in member)' "${ban_tmpfile}.deduplicate" "${ban_blocklist}" 2>/dev/null >"${tmp_raw}" - cat "${tmp_raw}" 2>/dev/null >"${ban_blocklist}" + "${ban_catcmd}" "${tmp_raw}" 2>/dev/null >"${ban_blocklist}" else "${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s\n",$1}' "${ban_blocklist}" | "${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{printf "%s,\n",tolower($1)}' >"${tmp_split}" @@ -695,7 +720,8 @@ f_down() { fi } >"${tmp_nft}" feed_rc="0" - # handle external downloads + + # handle external feeds # elif [ "${restore_rc}" != "0" ] && [ "${feed_url}" != "local" ]; then # handle country downloads @@ -704,7 +730,7 @@ f_down() { for country in ${ban_country}; do feed_log="$("${ban_fetchcmd}" ${ban_fetchparm} "${tmp_raw}" "${feed_url}${country}-aggregated.zone" 2>&1)" feed_rc="${?}" - [ "${feed_rc}" = "0" ] && cat "${tmp_raw}" 2>/dev/null >>"${tmp_load}" + [ "${feed_rc}" = "0" ] && "${ban_catcmd}" "${tmp_raw}" 2>/dev/null >>"${tmp_load}" done rm -f "${tmp_raw}" @@ -714,7 +740,7 @@ f_down() { for asn in ${ban_asn}; do feed_log="$("${ban_fetchcmd}" ${ban_fetchparm} "${tmp_raw}" "${feed_url}AS${asn}" 2>&1)" feed_rc="${?}" - [ "${feed_rc}" = "0" ] && cat "${tmp_raw}" 2>/dev/null >>"${tmp_load}" + [ "${feed_rc}" = "0" ] && "${ban_catcmd}" "${tmp_raw}" 2>/dev/null >>"${tmp_load}" done rm -f "${tmp_raw}" @@ -726,7 +752,7 @@ f_down() { feed_log="$("${ban_fetchcmd}" ${ban_fetchparm} "${tmp_raw}" "${feed_url}" 2>&1)" feed_rc="${?}" if [ "${feed_rc}" = "0" ]; then - zcat "${tmp_raw}" 2>/dev/null >"${tmp_load}" + "${ban_zcatcmd}" "${tmp_raw}" 2>/dev/null >"${tmp_load}" feed_rc="${?}" fi rm -f "${tmp_raw}" @@ -740,6 +766,7 @@ f_down() { feed_rc="${?}" fi fi + [ "${feed_rc}" != "0" ] && f_log "info" "download for feed '${feed}' failed (rc: ${feed_rc:-"-"}/log: ${feed_log})" # backup/restore # @@ -782,7 +809,7 @@ f_down() { # nft header (IPv4 Set) # printf "%s\n\n" "#!/usr/sbin/nft -f" - [ -s "${tmp_flush}" ] && cat "${tmp_flush}" + [ -s "${tmp_flush}" ] && "${ban_catcmd}" "${tmp_flush}" printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}.1") }" # input and forward rules @@ -796,7 +823,7 @@ f_down() { # nft header (IPv6 Set) # printf "%s\n\n" "#!/usr/sbin/nft -f" - [ -s "${tmp_flush}" ] && cat "${tmp_flush}" + [ -s "${tmp_flush}" ] && "${ban_catcmd}" "${tmp_flush}" printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}.1") }" # input and forward rules @@ -825,7 +852,7 @@ f_down() { rm -f "${split_file}" continue fi - if ! "${ban_nftcmd}" add element inet banIP "${feed}" "{ $(cat "${split_file}") }" >/dev/null 2>&1; then + if ! "${ban_nftcmd}" add element inet banIP "${feed}" "{ $("${ban_catcmd}" "${split_file}") }" >/dev/null 2>&1; then f_log "info" "can't add split file '${split_file##*.}' to Set '${feed}'" fi rm -f "${split_file}" @@ -864,7 +891,7 @@ f_restore() { [ "${feed_rc}" != "0" ] && restore_rc="${feed_rc}" [ "${feed_url}" = "local" ] && tmp_feed="${feed%v*}v4" || tmp_feed="${feed}" if [ -f "${ban_backupdir}/banIP.${tmp_feed}.gz" ]; then - zcat "${ban_backupdir}/banIP.${tmp_feed}.gz" 2>/dev/null >"${feed_file}" + "${ban_zcatcmd}" "${ban_backupdir}/banIP.${tmp_feed}.gz" 2>/dev/null >"${feed_file}" restore_rc="${?}" fi @@ -1234,10 +1261,10 @@ f_report() { # case "${output}" in "text") - [ -s "${report_txt}" ] && cat "${report_txt}" + [ -s "${report_txt}" ] && "${ban_catcmd}" "${report_txt}" ;; "json") - [ -s "${report_jsn}" ] && cat "${report_jsn}" + [ -s "${report_jsn}" ] && "${ban_catcmd}" "${report_jsn}" ;; "mail") [ -n "${ban_mailreceiver}" ] && [ -x "${ban_mailcmd}" ] && f_mail diff --git a/net/banip/files/banip.feeds b/net/banip/files/banip.feeds index a5604fc3c1..0565820710 100644 --- a/net/banip/files/banip.feeds +++ b/net/banip/files/banip.feeds @@ -69,7 +69,7 @@ "url_6": "https://www.blocklist.de/downloads/export-ips_all.txt", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}", - "descr": "fail2ban IP blacklist" + "descr": "fail2ban IP blocklist" }, "doh":{ "url_4": "https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv4.txt", -- 2.30.2