From: Lonnie A. <li...@lo...> - 2021-10-15 15:17:19
Hi Michael,

>> The user has to configure a cronjob anyway, so it's not more work to add "apiban" to that line (if they even know about it) :-).
>
> Update: I forgot - the other point is: for the other netsets there is a timespan of an hour set before you can update again.
> For apiban this limit is 11 connects in 2 minutes! Not that I need it that often :-).

FYI, it currently takes 3 "connects" to download the full list, as the list grows it will take more ... N+1 connects for each 250 set of IPs.

Testing with apiban-netset this morning it went a couple hours before the results changed.

If a person is sharing the same apiban.conf across different boxes, the reload-blocklist-netset crontabs should be staggered by at least 2+ minutes, 5 to be safe.

I tested the "11 connects in 2 minutes" rate limiting, and it is exactly that.

>> "reload-blocklist-netset /mnt/kd/blocklists apiban"

Good point. Being able to selectively update 'apiban' is an interesting idea. Using an AGE=600 (10 minutes) will keep it from accidentally updating too often.

Lonnie

> On Oct 15, 2021, at 9:37 AM, Michael Keuter <li...@mk...> wrote:
>
>> On 15.10.2021 at 16:33, Michael Keuter <li...@mk...> wrote:
>>
>>> On 15.10.2021 at 16:20, Lonnie Abelbeck <li...@lo...> wrote:
>>>
>>> OK, but if your concern is that "this is not for everyone IMHO" if it were under 'asterisk' apiban-netset would only be called if /mnt/kd/apiban.conf exists (without the key apiban doesn't work).
>>>
>>> The difference would be:
>>>
>>> 'asterisk.netset' -> blocklist_de_sip.ipset + apiban-netset (if apiban.conf exists)
>>>
>>> or
>>>
>>> 'asterisk.netset' -> blocklist_de_sip.ipset
>>>
>>> 'apiban.netset' -> apiban-netset (error if apiban.conf does not exist)
>>>
>>> I'm thinking keeping it under 'asterisk' is the least work for users. But I have no firm opinion either way.
>>
>> My main reason is the possibility to update it separate from the other netsets more often.
>>
>> "reload-blocklist-netset /mnt/kd/blocklists apiban"
>>
>> The user has to configure a cronjob anyway, so it's not more work to add "apiban" to that line (if they even know about it) :-).
>
> Update: I forgot - the other point is: for the other netsets there is a timespan of an hour set before you can update again.
> For apiban this limit is 11 connects in 2 minutes! Not that I need it that often :-).
>
>>> Lonnie
>>>
>>>> On Oct 15, 2021, at 9:01 AM, Michael Keuter <li...@mk...> wrote:
>>>>
>>>> I would prefer to keep it separated as "apiban.netset" (and an additional "apiban" parameter for "reload-blocklist-netset"), cause this is not for everyone IMHO.
>>>> On those systems where I want it, I will update it more often (let's say hourly) compared to the 2 times per day update of the other netsets. E.g.
>>>>
>>>> ----
>>>> ## update blocklists
>>>> 45 03,15 * * * reload-blocklist-netset /mnt/kd/blocklists firehol_level1 firehol_webclient asterisk custom >/dev/null 2>&1
>>>> ## Test apiban
>>>> 07 * * * * /mnt/kd/bin/apiban-netset > /mnt/kd/blocklists/apiban.netset; arno-iptables-firewall force-reload
>>>> ----
>>>>
>>>>> On 15.10.2021 at 15:09, Lonnie Abelbeck <li...@lo...> wrote:
>>>>>
>>>>> Thanks Michael for testing.
>>>>>
>>>>> Yes, the 'apiban' IPs seem high quality, seemingly aged after 7 days or so, and regularly updated.
>>>>>
>>>>> If we were to incorporate apiban-netset into the reload-blocklist-netset script, should it be a new 'apiban' type or include it as part of the existing 'asterisk' type?
>>>>>
>>>>> Lonnie
>>>>>
>>>>>> On Oct 15, 2021, at 4:49 AM, Michael Keuter <li...@mk...> wrote:
>>>>>>
>>>>>> Hi Lonnie,
>>>>>>
>>>>>> thanks for your work!
>>>>>> The script works fine and the blocked addresses seem to be very precise.
>>>>>>
>>>>>> I verified a few of the addresses, that I saw in sngrep, and all addresses were already included in the apiban.netset.
>>>>>>
>>>>>>> On 15.10.2021 at 00:26, Lonnie Abelbeck <li...@lo...> wrote:
>>>>>>>
>>>>>>> I wrote a PHP script that retrieves all the APIBAN 'banned' IPs and runs them through iprange to generate a .netset file as stdout.
>>>>>>>
>>>>>>> https://gist.github.com/abelbeck/28bdea0d45be8bfcbf65bb34e57fd4d4
>>>>>>>
>>>>>>> Remove the trailing .php and make apiban-netset executable.
>>>>>>>
>>>>>>> You must have an APIBAN Key, and place it by itself (no leading/trailing text) in '/mnt/kd/apiban.conf'.
>>>>>>>
>>>>>>> We can decide if we want this in production AstLinux.
>>>>>>>
>>>>>>> Lonnie
>>>>>>>
>>>>>>>> On Oct 14, 2021, at 9:27 AM, Lonnie Abelbeck <li...@lo...> wrote:
>>>>>>>>
>>>>>>>> Michael, thanks for bringing APIBAN to our attention.
>>>>>>>>
>>>>>>>> I re-looked at our /usr/sbin/reload-blocklist-netset script and the 'asterisk' URLs, turns out only "blocklist_de_sip.ipset" is actively updated.
>>>>>>>>
>>>>>>>> The 'voipbl' URL has only grown over time, no IPs have been removed, which makes false positives a problem.
>>>>>>>>
>>>>>>>> So, the APIBAN list may have a place, but requiring an access key and not a straight .ipset/.netset file download is a hurdle.
>>>>>>>>
>>>>>>>> Possibly there are other sip/asterisk related blocklists?
>>>>>>>>
>>>>>>>> Lonnie
>>>>>>>>
>>>>>>>>> On Oct 13, 2021, at 5:55 PM, Michael Knill <mic...@ip...> wrote:
>>>>>>>>>
>>>>>>>>> Yep it needs to go into a netset list aggregated with iprange. Note their client does actually work on Astlinux.
>>>>>>>>> Should be pretty easy to do!
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>> Michael Knill
>>>>>>>>>
>>>>>>>>> From: Michael Keuter <li...@mk...>
>>>>>>>>> Reply to: AstLinux Developers Mailing List <ast...@li...>
>>>>>>>>> Date: Thursday, 14 October 2021 at 9:41 am
>>>>>>>>> To: AstLinux Developers Mailing List <ast...@li...>
>>>>>>>>> Subject: Re: [Astlinux-devel] Using APIBAN in Astlinux
>>>>>>>>>
>>>>>>>>> Quite interesting thread about apiban:
>>>>>>>>>
>>>>>>>>> https://community.freepbx.org/t/integrating-apiban-org-with-freepbx/69422/11
>>>>>>>>>
>>>>>>>>> Sent from a mobile device.
>>>>>>>>>
>>>>>>>>> Michael Keuter
>>>>>>>>>
>>>>>>>>>> On 13.10.2021 at 23:24, Michael Knill <mic...@ip...> wrote:
>>>>>>>>>>
>>>>>>>>>> APIBAN looks very interesting. There will be a session on it at Astricon this year as well.
>>>>>>>>>> I assume that banned IP addresses could just be pulled into a netset list?
>>>>>>>>>>
>>>>>>>>>> https://apiban.org/doc.html
>>>>>>>>>> https://www.securevoip.io/48-hours-with-apiban/
>>>>>>>>>>
>>>>>>>>>> Regards
>>>>>>>>>>
>>>>>>>>>> Michael Knill
>>>>>>>>>> Managing Director
>>>>>>>>>>
>>>>>>>>>> D: +61 2 6189 1360
>>>>>>>>>> P: +61 2 6140 4656
>>>>>>>>>> E: mic...@ip...
>>>>>>>>>> W: ipcsolutions.com.au
>>>>>>>>>>
>>>>>>>>>> Smarter Business Communications
>>>>>>>>>>
>>
>> Michael
>>
>> http://www.mksolutions.info
>
> Michael
>
> http://www.mksolutions.info
>
> _______________________________________________
> Astlinux-devel mailing list
> Ast...@li...
> https://lists.sourceforge.net/lists/listinfo/astlinux-devel
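
Added example, not part of the thread and not AstLinux's own reload-blocklist-netset code: a shell wrapper for the hourly apiban cron line quoted above that applies the AGE=600 idea and keeps the previous netset when a fetch fails, for instance when the 11-connects-in-2-minutes limit is hit. The function names, return codes and the `--cron` switch are assumptions; the paths are the ones used in the thread.

```shell
#!/bin/sh
# Added example; function names, return codes and --cron are hypothetical.
AGE_DEFAULT=600   # seconds; mirrors the AGE=600 (10 minutes) suggested in the thread

# True (0) when FILE is missing or its mtime is at least AGE seconds old.
netset_is_stale() {
  file="$1"; age="$2"
  [ -f "$file" ] || return 0
  now=$(date +%s)
  mtime=$(stat -c %Y "$file")      # GNU/BusyBox stat
  [ $((now - mtime)) -ge "$age" ]
}

# update_netset FETCH_CMD NETSET_FILE [AGE]
# Returns 0 = replaced, 1 = skipped (file too recent),
#         2 = fetch failed or empty, old file kept.
update_netset() {
  fetch="$1"; netset="$2"; age="${3:-$AGE_DEFAULT}"
  netset_is_stale "$netset" "$age" || return 1
  tmp="$netset.tmp.$$"
  # Write to a temp file first: a plain "cmd > file" truncates the live
  # netset before the fetch runs, so a rate-limited or failed fetch would
  # leave an empty blocklist for the next firewall reload.
  if $fetch > "$tmp" 2>/dev/null && grep -q '^[0-9]' "$tmp"; then
    mv "$tmp" "$netset"            # same directory, so the rename is atomic
    return 0
  fi
  rm -f "$tmp"
  return 2
}

# Cron entry point, paths as used in the thread. The firewall is reloaded
# only after a successful update. Boxes sharing one apiban.conf should use
# different minute fields, staggered as described in the thread.
if [ "${1:-}" = "--cron" ]; then
  update_netset /mnt/kd/bin/apiban-netset /mnt/kd/blocklists/apiban.netset \
    && arno-iptables-firewall force-reload
fi
```
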