From: Michael K. <li...@mk...> - 2021-10-15 14:33:17
> On 15.10.2021 at 16:20, Lonnie Abelbeck <li...@lo...> wrote:
>
> OK, but if your concern is that "this is not for everyone IMHO" if it were under 'asterisk' apiban-netset would only be called if /mnt/kd/apiban.conf exists (without the key apiban doesn't work).
>
> The difference would be:
>
> 'asterisk.netset' -> blocklist_de_sip.ipset + apiban-netset (if apiban.conf exists)
>
> or
>
> 'asterisk.netset' -> blocklist_de_sip.ipset
>
> 'apiban.netset' -> apiban-netset (error if apiban.conf does not exist)
>
> I'm thinking keeping it under 'asterisk' is the least work for users. But I have no firm opinion either way.

My main reason is the possibility to update it separately from the other netsets more often.

"reload-blocklist-netset /mnt/kd/blocklists apiban"

The user has to configure a cronjob anyway, so it's not more work to add "apiban" to that line (if they even know about it) :-).

> Lonnie
>
>> On Oct 15, 2021, at 9:01 AM, Michael Keuter <li...@mk...> wrote:
>>
>> I would prefer to keep it separated as "apiban.netset" (and an additional "apiban" parameter for "reload-blocklist-netset"), cause this is not for everyone IMHO.
>> On those systems where I want it, I will update it more often (let's say hourly) compared to the 2 times per day update of the other netsets. E.g.
>>
>> ----
>> ## update blocklists
>> 45 03,15 * * * reload-blocklist-netset /mnt/kd/blocklists firehol_level1 firehol_webclient asterisk custom >/dev/null 2>&1
>> ## Test apiban
>> 07 * * * * /mnt/kd/bin/apiban-netset > /mnt/kd/blocklists/apiban.netset; arno-iptables-firewall force-reload
>> ----
>>
>>> On 15.10.2021 at 15:09, Lonnie Abelbeck <li...@lo...> wrote:
>>>
>>> Thanks Michael for testing.
>>>
>>> Yes, the 'apiban' IPs seem high quality, seemingly aged after 7 days or so, and regularly updated.
>>>
>>> If we were to incorporate apiban-netset into the reload-blocklist-netset script, should it be a new 'apiban' type or include it as part of the existing 'asterisk' type?
>>>
>>> Lonnie
>>>
>>>> On Oct 15, 2021, at 4:49 AM, Michael Keuter <li...@mk...> wrote:
>>>>
>>>> Hi Lonnie,
>>>>
>>>> thanks for your work!
>>>> The script works fine and the blocked addresses seem to be very precise.
>>>>
>>>> I verified a few of the addresses, that I saw in sngrep, and all addresses were already included in the apiban.netset.
>>>>
>>>>> On 15.10.2021 at 00:26, Lonnie Abelbeck <li...@lo...> wrote:
>>>>>
>>>>> I wrote a PHP script that retrieves all the APIBAN 'banned' IPs and runs them through iprange to generate a .netset file as stdout.
>>>>>
>>>>> https://gist.github.com/abelbeck/28bdea0d45be8bfcbf65bb34e57fd4d4
>>>>>
>>>>> Remove the trailing .php and make apiban-netset executable.
>>>>>
>>>>> You must have an APIBAN Key, and place it by itself (no leading/trailing text) in '/mnt/kd/apiban.conf'.
>>>>>
>>>>> We can decide if we want this in production AstLinux.
>>>>>
>>>>> Lonnie
>>>>>
>>>>>> On Oct 14, 2021, at 9:27 AM, Lonnie Abelbeck <li...@lo...> wrote:
>>>>>>
>>>>>> Michael, thanks for bringing APIBAN to our attention.
>>>>>>
>>>>>> I re-looked at our /usr/sbin/reload-blocklist-netset script and the 'asterisk' URLs, turns out only "blocklist_de_sip.ipset" is actively updated.
>>>>>>
>>>>>> The 'voipbl' URL has only grown over time, no IPs have been removed, which makes false positives a problem.
>>>>>>
>>>>>> So, the APIBAN list may have a place, but requiring an access key and not a straight .ipset/.netset file download is a hurdle.
>>>>>>
>>>>>> Possibly there are other sip/asterisk related blocklists?
>>>>>>
>>>>>> Lonnie
>>>>>>
>>>>>>> On Oct 13, 2021, at 5:55 PM, Michael Knill <mic...@ip...> wrote:
>>>>>>>
>>>>>>> Yep it needs to go into a netset list aggregated with iprange. Note their client does actually work on Astlinux.
>>>>>>> Should be pretty easy to do!
>>>>>>>
>>>>>>> Regards
>>>>>>> Michael Knill
>>>>>>>
>>>>>>> From: Michael Keuter <li...@mk...>
>>>>>>> Reply to: AstLinux Developers Mailing List <ast...@li...>
>>>>>>> Date: Thursday, 14 October 2021 at 9:41 am
>>>>>>> To: AstLinux Developers Mailing List <ast...@li...>
>>>>>>> Subject: Re: [Astlinux-devel] Using APIBAN in Astlinux
>>>>>>>
>>>>>>> Quite interesting thread about apiban:
>>>>>>>
>>>>>>> https://community.freepbx.org/t/integrating-apiban-org-with-freepbx/69422/11
>>>>>>>
>>>>>>> Sent from a mobile device.
>>>>>>>
>>>>>>> Michael Keuter
>>>>>>>
>>>>>>>> On 13.10.2021 at 23:24, Michael Knill <mic...@ip...> wrote:
>>>>>>>>
>>>>>>>> APIBAN looks very interesting. There will be a session on it at Astricon this year as well.
>>>>>>>> I assume that banned IP addresses could just be pulled into a netset list?
>>>>>>>>
>>>>>>>> https://apiban.org/doc.html
>>>>>>>> https://www.securevoip.io/48-hours-with-apiban/
>>>>>>>>
>>>>>>>> Regards
>>>>>>>>
>>>>>>>> Michael Knill
>>>>>>>> Managing Director
>>>>>>>>
>>>>>>>> D: +61 2 6189 1360
>>>>>>>> P: +61 2 6140 4656
>>>>>>>> E: mic...@ip...
>>>>>>>> W: ipcsolutions.com.au
>>>>>>>>
>>>>>>>> Smarter Business Communications

Michael

http://www.mksolutions.info
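
Added example (not part of the original thread, and not AstLinux or APIBAN code): the hourly cron entry quoted in the thread redirects apiban-netset straight into apiban.netset, so the live file is truncated before the fetch is known to have worked. The sketch below writes to a temporary file, validates it, and only then renames it into place; the function names valid_netset and update_netset are hypothetical, and the one-IPv4-address-or-CIDR-per-line format is an assumption.

```shell
#!/bin/sh
# Added example: replace a blocklist netset only after the new copy validates.
# valid_netset and update_netset are hypothetical names, not AstLinux tools.

# Succeeds when FILE holds at least one entry and every non-comment,
# non-blank line is shaped like an IPv4 address or CIDR (assumed format).
valid_netset() {
  file="$1"
  entries="$(grep -vcE '^[[:space:]]*(#|$)' "$file" || true)"
  [ "$entries" -gt 0 ] || return 1
  bad="$(grep -vE '^[[:space:]]*(#|$)' "$file" |
    grep -vcE '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || true)"
  [ "$bad" -eq 0 ]
}

# update_netset DEST CMD [ARGS...]
# Runs CMD with stdout going to a temp file beside DEST, then renames it over
# DEST only if CMD exited 0 and the output validates. Otherwise DEST is left
# untouched and the function returns non-zero.
update_netset() {
  dest="$1"; shift
  tmp="$(mktemp "${dest}.XXXXXX")" || return 2
  if "$@" > "$tmp" && valid_netset "$tmp"; then
    mv -f "$tmp" "$dest"   # same directory, so this is an atomic rename
    return 0
  fi
  rm -f "$tmp"
  return 1
}
```

From cron this would be called as update_netset /mnt/kd/blocklists/apiban.netset /mnt/kd/bin/apiban-netset, with the firewall reload chained by && so that a failed or empty fetch leaves the previous list loaded.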