From: Michael K. <li...@mk...> - 2021-10-15 14:38:04
> On 15.10.2021 at 16:33, Michael Keuter <li...@mk...> wrote:
>
>> On 15.10.2021 at 16:20, Lonnie Abelbeck <li...@lo...> wrote:
>>
>> OK, but if your concern is that "this is not for everyone IMHO" if it were under 'asterisk' apiban-netset would only be called if /mnt/kd/apiban.conf exists (without the key apiban doesn't work).
>>
>> The difference would be:
>>
>> 'asterisk.netset' -> blocklist_de_sip.ipset + apiban-netset (if apiban.conf exists)
>>
>> or
>>
>> 'asterisk.netset' -> blocklist_de_sip.ipset
>>
>> 'apiban.netset' -> apiban-netset (error if apiban.conf does not exist)
>>
>> I'm thinking keeping it under 'asterisk' is the least work for users. But I have no firm opinion either way.
>
> My main reason is the possibility to update it separately from the other netsets more often.
>
> "reload-blocklist-netset /mnt/kd/blocklists apiban"
>
> The user has to configure a cronjob anyway, so it's not more work to add "apiban" to that line (if they even know about it) :-).

Update: I forgot - the other point is: for the other netsets there is a timespan of an hour set before you can update again. For apiban this limit is 11 connects in 2 minutes! Not that I need it that often :-).

>> Lonnie
>>
>>> On Oct 15, 2021, at 9:01 AM, Michael Keuter <li...@mk...> wrote:
>>>
>>> I would prefer to keep it separated as "apiban.netset" (and an additional "apiban" parameter for "reload-blocklist-netset"), cause this is not for everyone IMHO.
>>> On those systems where I want it, I will update it more often (let's say hourly) compared to the 2 times per day update of the other netsets. E.g.
>>>
>>> ----
>>> ## update blocklists
>>> 45 03,15 * * * reload-blocklist-netset /mnt/kd/blocklists firehol_level1 firehol_webclient asterisk custom >/dev/null 2>&1
>>> ## Test apiban
>>> 07 * * * * /mnt/kd/bin/apiban-netset > /mnt/kd/blocklists/apiban.netset; arno-iptables-firewall force-reload
>>> ----
>>>
>>>> On 15.10.2021 at 15:09, Lonnie Abelbeck <li...@lo...> wrote:
>>>>
>>>> Thanks Michael for testing.
>>>>
>>>> Yes, the 'apiban' IPs seem high quality, seemingly aged after 7 days or so, and regularly updated.
>>>>
>>>> If we were to incorporate apiban-netset into the reload-blocklist-netset script, should it be a new 'apiban' type or include it as part of the existing 'asterisk' type?
>>>>
>>>> Lonnie
>>>>
>>>>> On Oct 15, 2021, at 4:49 AM, Michael Keuter <li...@mk...> wrote:
>>>>>
>>>>> Hi Lonnie,
>>>>>
>>>>> thanks for your work!
>>>>> The script works fine and the blocked addresses seem to be very precise.
>>>>>
>>>>> I verified a few of the addresses, that I saw in sngrep, and all addresses were already included in the apiban.netset.
>>>>>
>>>>>> On 15.10.2021 at 00:26, Lonnie Abelbeck <li...@lo...> wrote:
>>>>>>
>>>>>> I wrote a PHP script that retrieves all the APIBAN 'banned' IPs and runs them through iprange to generate a .netset file as stdout.
>>>>>>
>>>>>> https://gist.github.com/abelbeck/28bdea0d45be8bfcbf65bb34e57fd4d4
>>>>>>
>>>>>> Remove the trailing .php and make apiban-netset executable.
>>>>>>
>>>>>> You must have an APIBAN Key, and place it by itself (no leading/trailing text) in '/mnt/kd/apiban.conf'.
>>>>>>
>>>>>> We can decide if we want this in production AstLinux.
>>>>>>
>>>>>> Lonnie
>>>>>>
>>>>>>> On Oct 14, 2021, at 9:27 AM, Lonnie Abelbeck <li...@lo...> wrote:
>>>>>>>
>>>>>>> Michael, thanks for bringing APIBAN to our attention.
>>>>>>>
>>>>>>> I re-looked at our /usr/sbin/reload-blocklist-netset script and the 'asterisk' URLs, turns out only "blocklist_de_sip.ipset" is actively updated.
>>>>>>>
>>>>>>> The 'voipbl' URL has only grown over time, no IPs have been removed, which makes false positives a problem.
>>>>>>>
>>>>>>> So, the APIBAN list may have a place, but requiring an access key and not a straight .ipset/.netset file download is a hurdle.
>>>>>>>
>>>>>>> Possibly there are other sip/asterisk related blocklists?
>>>>>>>
>>>>>>> Lonnie
>>>>>>>
>>>>>>>> On Oct 13, 2021, at 5:55 PM, Michael Knill <mic...@ip...> wrote:
>>>>>>>>
>>>>>>>> Yep it needs to go into a netset list aggregated with iprange. Note their client does actually work on Astlinux.
>>>>>>>> Should be pretty easy to do!
>>>>>>>>
>>>>>>>> Regards
>>>>>>>> Michael Knill
>>>>>>>>
>>>>>>>> From: Michael Keuter <li...@mk...>
>>>>>>>> Reply to: AstLinux Developers Mailing List <ast...@li...>
>>>>>>>> Date: Thursday, 14 October 2021 at 9:41 am
>>>>>>>> To: AstLinux Developers Mailing List <ast...@li...>
>>>>>>>> Subject: Re: [Astlinux-devel] Using APIBAN in Astlinux
>>>>>>>>
>>>>>>>> Quite interesting thread about apiban:
>>>>>>>>
>>>>>>>> https://community.freepbx.org/t/integrating-apiban-org-with-freepbx/69422/11
>>>>>>>>
>>>>>>>> Sent from a mobile device.
>>>>>>>>
>>>>>>>> Michael Keuter
>>>>>>>>
>>>>>>>>> On 13.10.2021 at 23:24, Michael Knill <mic...@ip...> wrote:
>>>>>>>>>
>>>>>>>>> APIBAN looks very interesting. There will be a session on it at Astricon this year as well.
>>>>>>>>> I assume that banned IP addresses could just be pulled into a netset list?
>>>>>>>>>
>>>>>>>>> https://apiban.org/doc.html
>>>>>>>>> https://www.securevoip.io/48-hours-with-apiban/
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>>
>>>>>>>>> Michael Knill
>>>>>>>>> Managing Director
>>>>>>>>>
>>>>>>>>> D: +61 2 6189 1360
>>>>>>>>> P: +61 2 6140 4656
>>>>>>>>> E: mic...@ip...
>>>>>>>>> W: ipcsolutions.com.au
>>>>>>>>>
>>>>>>>>> Smarter Business Communications
>
> Michael
>
> http://www.mksolutions.info

Michael
http://www.mksolutions.info
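
Added example, not part of the thread and not AstLinux project code: in the hourly cron line quoted above, the shell truncates apiban.netset before apiban-netset runs, so a failed fetch (missing key, rate limit) leaves an empty or partial list in place when the firewall reloads. The wrapper below writes to a temporary file, validates it, and only then swaps it in. The function names validate_netset and update_netset are hypothetical, and it assumes the generator prints one IPv4 address or CIDR per line.

```shell
#!/bin/sh
# Added example: fail-safe refresh of a blocklist netset (hypothetical helper).

validate_netset() {
    # Reject an empty file: an empty blocklist would silently unblock everything.
    [ -s "$1" ] || return 1
    # Any line that is not a.b.c.d or a.b.c.d/nn (blank lines, error text) fails.
    if grep -Evq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' "$1"; then
        return 1
    fi
    # Range check: each octet <= 255 and, if present, prefix length <= 32.
    awk -F'[./]' '{ for (i = 1; i <= 4; i++) if ($i > 255) exit 1
                    if (NF == 5 && $5 > 32) exit 1 }' "$1"
}

update_netset() {
    # $1 = destination netset file; remaining arguments = generator command.
    dest=$1; shift
    # Temp file in the same directory so the final mv is a same-filesystem rename.
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    if "$@" > "$tmp" && validate_netset "$tmp"; then
        mv -f "$tmp" "$dest"    # atomic replace; readers never see a partial file
        return 0
    fi
    rm -f "$tmp"                # keep the previous list on any failure
    return 1
}

# Cron entry point, using the paths and commands quoted in the thread:
#   07 * * * * /path/to/this-script run
# The firewall is reloaded only when a new, valid list was installed.
if [ "${1:-}" = "run" ]; then
    update_netset /mnt/kd/blocklists/apiban.netset /mnt/kd/bin/apiban-netset \
        && arno-iptables-firewall force-reload
fi
```
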