Open MadPatrick opened 4 days ago
banIP changed the defaults again: logging is now disabled.

To verify the current configuration:

```
uci show banip
```

To enable the logging (example only for the forwarding chain):

```
uci set banip.global.ban_logforwardwan='1'
uci commit banip
/etc/init.d/banip restart
```

Relevant options are:
Ok. This is the config:

```
uci show banip
banip.global=banip
banip.global.ban_enabled='1'
banip.global.ban_debug='0'
banip.global.ban_autodetect='0'
banip.global.ban_logterm='Exit before auth from' 'luci: failed login' 'error: maximum authentication attempts exceeded' 'sshd.*Connection closed by.*\[preauth\]' 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress=' 'received a suspicious remote IP '\''.*'\''' 'TLS Auth Error: Auth Username/Password verification failed for peer'
banip.global.ban_fetchcmd='curl'
banip.global.ban_protov4='1'
banip.global.ban_allowurl='https://dc391ab3-e1d7-4bc4-aca6-56382fd45603:b32ef679ccadd5da0fb5e1b7ec75a7e1ce97a694a0eaedf5bb155cf50f0d9231@bl.nethesis.it/plain/nethesis-blacklists/whitelist.global'
banip.global.ban_logreadfile='/var/log/messages'
banip.global.ban_logcount='3'
banip.global.ban_nftexpiry='1d'
banip.global.ban_nftloglevel='info'
banip.global.ban_protov6='1'
banip.global.ban_feed='debl' 'urlhaus' 'drop' 'firehol1' 'urlvir' 'webclient' 'dshield' 'bruteforceblock' 'ipthreat' 'cinsscore' 'threatview' 'iblockspy' 'country' 'nixspam' 'uceprotect1' 'darklist'
banip.global.ban_ifv4='wan'
banip.global.ban_ifv6='wan'
banip.global.ban_trigger='wan'
banip.global.ban_dev='eth1'
```
Enabled "ban_logforwardwan" and I see the log filling.

Thanks for the support!!

Can we call this a bug? ;-)

It is running now for a few hours, but I don't see in the UI that an IP is blocked.

```
Sep 24 20:26:07 NethSec8 kernel: [ 6365.989498] banIP/fwd-wan/drop/uceprotect1v4: IN=eth1 OUT=br-lan MAC=70:10:6f:3e:41:95:00:01:5c:72:24:46:08:00 SRC=179.43.172.41 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=38037 DF PROTO=TCP SPT=59646 DPT=25 WINDOW=64860 RES=0x00 SYN URGP=0 MARK=0x3f00
Sep 24 20:26:09 NethSec8 kernel: [ 6368.004926] banIP/fwd-wan/drop/uceprotect1v4: IN=eth1 OUT=br-lan MAC=70:10:6f:3e:41:95:00:01:5c:72:24:46:08:00 SRC=179.43.172.41 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=38038 DF PROTO=TCP SPT=59646 DPT=25 WINDOW=64860 RES=0x00 SYN URGP=0 MARK=0x3f00
Sep 24 20:26:14 NethSec8 kernel: [ 6372.225621] banIP/fwd-wan/drop/uceprotect1v4: IN=eth1 OUT=br-lan MAC=70:10:6f:3e:41:95:00:01:5c:72:24:46:08:00 SRC=179.43.172.41 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=38039 DF PROTO=TCP SPT=59646 DPT=25 WINDOW=64860 RES=0x00 SYN URGP=0 MARK=0x3f00
Sep 24 20:26:16 NethSec8 kernel: [ 6374.991421] banIP/fwd-wan/drop/uceprotect1v4: IN=eth1 OUT=br-lan MAC=70:10:6f:3e:41:95:00:01:5c:72:24:46:08:00 SRC=179.43.172.41 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=41755 DF PROTO=TCP SPT=58504 DPT=25 WINDOW=64860 RES=0x00 SYN URGP=0 MARK=0x3f00
Sep 24 20:26:17 NethSec8 kernel: [ 6376.001453] banIP/fwd-wan/drop/uceprotect1v4: IN=eth1 OUT=br-lan MAC=70:10:6f:3e:41:95:00:01:5c:72:24:46:08:00 SRC=179.43.172.41 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=41756 DF PROTO=TCP SPT=58504 DPT=25 WINDOW=64860 RES=0x00 SYN URGP=0 MARK=0x3f00
Sep 24 20:26:19 NethSec8 kernel: [ 6378.020708] banIP/fwd-wan/drop/uceprotect1v4: IN=eth1 OUT=br-lan MAC=70:10:6f:3e:41:95:00:01:5c:72:24:46:08:00 SRC=179.43.172.41 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=41757 DF PROTO=TCP SPT=58504 DPT=25 WINDOW=64860 RES=0x00 SYN URGP=0 MARK=0x3f00
Sep 24 20:26:24 NethSec8 kernel: [ 6382.210420] banIP/fwd-wan/drop/uceprotect1v4: IN=eth1 OUT=br-lan MAC=70:10:6f:3e:41:95:00:01:5c:72:24:46:08:00 SRC=179.43.172.41 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=41758 DF PROTO=TCP SPT=58504 DPT=25 WINDOW=64860 RES=0x00 SYN URGP=0 MARK=0x3f00
Sep 24 20:26:26 NethSec8 kernel: [ 6384.998134] banIP/fwd-wan/drop/uceprotect1v4: IN=eth1 OUT=br-lan MAC=70:10:6f:3e:41:95:00:01:5c:72:24:46:08:00 SRC=179.43.172.41 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=61346 DF PROTO=TCP SPT=50158 DPT=25 WINDOW=64860 RES=0x00 SYN URGP=0 MARK=0x3f00
Sep 24 20:26:27 NethSec8 kernel: [ 6386.018113] banIP/fwd-wan/drop/uceprotect1v4: IN=eth1 OUT=br-lan MAC=70:10:6f:3e:41:95:00:01:5c:72:24:46:08:00 SRC=179.43.172.41 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=61347 DF PROTO=TCP SPT=50158 DPT=25 WINDOW=64860 RES=0x00 SYN URGP=0 MARK=0x3f00
Sep 24 20:26:29 NethSec8 kernel: [ 6388.037405] banIP/fwd-wan/drop/uceprotect1v4: IN=eth1 OUT=br-lan MAC=70:10:6f:3e:41:95:00:01:5c:72:24:46:08:00 SRC=179.43.172.41 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=61348 DF PROTO=TCP SPT=50158 DPT=25 WINDOW=64860 RES=0x00 SYN URGP=0 MARK=0x3f00
Sep 24 20:26:34 NethSec8 kernel: [ 6392.199490] banIP/fwd-wan/drop/uceprotect1v4: IN=eth1 OUT=br-lan MAC=70:10:6f:3e:41:95:00:01:5c:72:24:46:08:00 SRC=179.43.172.41 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=61349 DF PROTO=TCP SPT=50158 DPT=25 WINDOW=64860 RES=0x00 SYN URGP=0 MARK=0x3f00
```

Is there another setting that I need to put in?
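As an added example that is not part of the thread: a small shell summary of the banIP drop entries in the kernel log, so a blocked source can be confirmed from the log while the dashboard counter shows nothing. The sample log is constructed (the first three entries follow the shape of the ones quoted above; the firehol1v4 / 198.51.100.7 entry and the cron line are invented to show grouping and filtering).

```shell
#!/bin/sh
# Added example, not from the thread: summarise banIP kernel-log drop entries.
# Entry shape (from the thread): "... kernel: [...] banIP/<chain>/drop/<feed>: IN=... SRC=<ip> ... DPT=<port> ..."

# Constructed sample log: three entries modelled on the ones in the thread, one
# constructed entry for a second feed/source, and one unrelated line to be skipped.
SAMPLE_LOG='Sep 24 20:26:07 NethSec8 kernel: [ 6365.989498] banIP/fwd-wan/drop/uceprotect1v4: IN=eth1 OUT=br-lan MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=179.43.172.41 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=38037 DF PROTO=TCP SPT=59646 DPT=25 WINDOW=64860 RES=0x00 SYN URGP=0 MARK=0x3f00
Sep 24 20:26:09 NethSec8 kernel: [ 6368.004926] banIP/fwd-wan/drop/uceprotect1v4: IN=eth1 OUT=br-lan MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=179.43.172.41 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=38038 DF PROTO=TCP SPT=59646 DPT=25 WINDOW=64860 RES=0x00 SYN URGP=0 MARK=0x3f00
Sep 24 20:26:14 NethSec8 kernel: [ 6372.225621] banIP/fwd-wan/drop/uceprotect1v4: IN=eth1 OUT=br-lan MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=179.43.172.41 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=38039 DF PROTO=TCP SPT=59646 DPT=25 WINDOW=64860 RES=0x00 SYN URGP=0 MARK=0x3f00
Sep 24 20:27:01 NethSec8 kernel: [ 6419.100000] banIP/fwd-wan/drop/firehol1v4: IN=eth1 OUT=br-lan MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1001 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 MARK=0x3f00
Sep 24 20:27:05 NethSec8 crond[1234]: (root) CMD (/sbin/logrotate)'

# Print "<count> <chain> <feed> <src>" per source, most-hit first.
# Only "banIP/<chain>/drop/<feed>:" tokens count; every other line is ignored.
banip_summary() {
    awk '
        {
            chain = ""; feed = ""; src = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^banIP\//) {
                    n = split($i, p, "/")
                    if (n == 4 && p[3] == "drop") { chain = p[2]; feed = p[4]; sub(/:$/, "", feed) }
                } else if ($i ~ /^SRC=/) {
                    src = substr($i, 5)
                }
            }
            if (chain != "" && src != "") hits[chain " " feed " " src]++
        }
        END { for (k in hits) print hits[k], k }
    ' | sort -rn
}

# Total drops logged for one source address (prints 0 if it never appears).
banip_drop_count() {
    banip_summary | awk -v ip="$1" '$4 == ip { n += $1 } END { print n + 0 }'
}

# Stand-alone run on the constructed sample; on a live box pipe `logread` into banip_summary instead.
printf '%s\n' "$SAMPLE_LOG" | banip_summary
```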
> Can we call this a bug? ;-)

Yes, because the behavior changed from the old release.

> Is there another setting that I need to put in?

You do not need to change any other option. The counter should already work, but probably it's not what the user expects. We added an improvement for it.

It will be released along with #795
Testing image version: 8-23.05.5-ns.1.2.99-alpha1-1-gf0b38b9578

Steps to reproduce

Actual behavior
It looks like 23.05.4-ns1.2.0 is blocking IPs as per Threat Shield, but I cannot check it. No info in the logs to confirm.

See also: https://community.nethserver.org/t/nethsecurity-threath-shield-no-info-at-dashboard-tile/24568