From: Michael K. <li...@mk...> - 2021-10-15 15:34:26

Sent from a mobile device.

Michael Keuter

> On 15.10.2021 at 17:17, Lonnie Abelbeck <li...@lo...> wrote:
>
> Hi Michael,
>
>>> The user has to configure a cronjob anyway, so it's not more work to add "apiban" to that line (if they even know about it) :-).
>>
>> Update: I forgot - the other point is: for the other netsets there is a timespan of an hour set before you can update again.
>> For apiban this limit is 11 connects in 2 minutes! Not that I need it that often :-).
>
> FYI, it currently takes 3 "connects" to download the full list, as the list grows it will take more ... N+1 connects for each 250 set of IPs.

Thanks for clarifying, didn't know that.

> Testing with apiban-netset this morning it went a couple hours before the results changed. If a person is sharing the same apiban.conf across different boxes, the reload-blocklist-netset crontabs should be staggered by at least 2+ minutes, 5 to be safe.

I did it exactly with 5 minutes :-).

> I tested the '11 connects in 2 minutes' rate limiting, and it is exactly that.
>
>>> "reload-blocklist-netset /mnt/kd/blocklists apiban"
>
> Good point. Being able to selectively update 'apiban' is an interesting idea. Using an AGE=600 (10 minutes) will keep it from accidentally updating too often.

Yes, 10 minutes is fine.

> Lonnie
>
>>> On Oct 15, 2021, at 9:37 AM, Michael Keuter <li...@mk...> wrote:
>>>
>>>> On 15.10.2021 at 16:33, Michael Keuter <li...@mk...> wrote:
>>>
>>>> On 15.10.2021 at 16:20, Lonnie Abelbeck <li...@lo...> wrote:
>>>>
>>>> OK, but if your concern is that "this is not for everyone IMHO" if it were under 'asterisk' apiban-netset would only be called if /mnt/kd/apiban.conf exists (without the key apiban doesn't work).
>>>>
>>>> The difference would be:
>>>>
>>>> 'asterisk.netset' -> blocklist_de_sip.ipset + apiban-netset (if apiban.conf exists)
>>>>
>>>> or
>>>>
>>>> 'asterisk.netset' -> blocklist_de_sip.ipset
>>>>
>>>> 'apiban.netset' -> apiban-netset (error if apiban.conf does not exist)
>>>>
>>>> I'm thinking keeping it under 'asterisk' is the least work for users. But I have no firm opinion either way.
>>>
>>> My main reason is the possibility to update it separately from the other netsets more often.
>>>
>>> "reload-blocklist-netset /mnt/kd/blocklists apiban"
>>>
>>> The user has to configure a cronjob anyway, so it's not more work to add "apiban" to that line (if they even know about it) :-).
>>
>> Update: I forgot - the other point is: for the other netsets there is a timespan of an hour set before you can update again.
>> For apiban this limit is 11 connects in 2 minutes! Not that I need it that often :-).
>>
>>>> Lonnie
>>>>
>>>>> On Oct 15, 2021, at 9:01 AM, Michael Keuter <li...@mk...> wrote:
>>>>>
>>>>> I would prefer to keep it separated as "apiban.netset" (and an additional "apiban" parameter for "reload-blocklist-netset"), cause this is not for everyone IMHO.
>>>>> On those systems where I want it, I will update it more often (let's say hourly) compared to the 2 times per day update of the other netsets. E.g.
>>>>>
>>>>> ----
>>>>> ## update blocklists
>>>>> 45 03,15 * * * reload-blocklist-netset /mnt/kd/blocklists firehol_level1 firehol_webclient asterisk custom >/dev/null 2>&1
>>>>> ## Test apiban
>>>>> 07 * * * * /mnt/kd/bin/apiban-netset > /mnt/kd/blocklists/apiban.netset; arno-iptables-firewall force-reload
>>>>> ----
>>>>>
>>>>>> On 15.10.2021 at 15:09, Lonnie Abelbeck <li...@lo...> wrote:
>>>>>>
>>>>>> Thanks Michael for testing.
>>>>>>
>>>>>> Yes, the 'apiban' IPs seem high quality, seemingly aged after 7 days or so, and regularly updated.
>>>>>>
>>>>>> If we were to incorporate apiban-netset into the reload-blocklist-netset script, should it be a new 'apiban' type or include it as part of the existing 'asterisk' type?
>>>>>>
>>>>>> Lonnie
>>>>>>
>>>>>>> On Oct 15, 2021, at 4:49 AM, Michael Keuter <li...@mk...> wrote:
>>>>>>>
>>>>>>> Hi Lonnie,
>>>>>>>
>>>>>>> thanks for your work!
>>>>>>> The script works fine and the blocked addresses seem to be very precise.
>>>>>>>
>>>>>>> I verified a few of the addresses, that I saw in sngrep, and all addresses were already included in the apiban.netset.
>>>>>>>
>>>>>>>> On 15.10.2021 at 00:26, Lonnie Abelbeck <li...@lo...> wrote:
>>>>>>>>
>>>>>>>> I wrote a PHP script that retrieves all the APIBAN 'banned' IPs and runs them through iprange to generate a .netset file as stdout.
>>>>>>>>
>>>>>>>> https://gist.github.com/abelbeck/28bdea0d45be8bfcbf65bb34e57fd4d4
>>>>>>>>
>>>>>>>> Remove the trailing .php and make apiban-netset executable.
>>>>>>>>
>>>>>>>> You must have an APIBAN Key, and place it by itself (no leading/trailing text) in '/mnt/kd/apiban.conf'.
>>>>>>>>
>>>>>>>> We can decide if we want this in production AstLinux.
>>>>>>>>
>>>>>>>> Lonnie
>>>>>>>>
>>>>>>>>> On Oct 14, 2021, at 9:27 AM, Lonnie Abelbeck <li...@lo...> wrote:
>>>>>>>>>
>>>>>>>>> Michael, thanks for bringing APIBAN to our attention.
>>>>>>>>>
>>>>>>>>> I re-looked at our /usr/sbin/reload-blocklist-netset script and the 'asterisk' URLs, turns out only "blocklist_de_sip.ipset" is actively updated.
>>>>>>>>>
>>>>>>>>> The 'voipbl' URL has only grown over time, no IPs have been removed, which makes false positives a problem.
>>>>>>>>>
>>>>>>>>> So, the APIBAN list may have a place, but requiring an access key and not a straight .ipset/.netset file download is a hurdle.
>>>>>>>>>
>>>>>>>>> Possibly there are other sip/asterisk related blocklists?
>>>>>>>>>
>>>>>>>>> Lonnie
>>>>>>>>>
>>>>>>>>>> On Oct 13, 2021, at 5:55 PM, Michael Knill <mic...@ip...> wrote:
>>>>>>>>>>
>>>>>>>>>> Yep it needs to go into a netset list aggregated with iprange. Note their client does actually work on Astlinux.
>>>>>>>>>> Should be pretty easy to do!
>>>>>>>>>>
>>>>>>>>>> Regards
>>>>>>>>>> Michael Knill
>>>>>>>>>>
>>>>>>>>>> From: Michael Keuter <li...@mk...>
>>>>>>>>>> Reply to: AstLinux Developers Mailing List <ast...@li...>
>>>>>>>>>> Date: Thursday, 14 October 2021 at 9:41 am
>>>>>>>>>> To: AstLinux Developers Mailing List <ast...@li...>
>>>>>>>>>> Subject: Re: [Astlinux-devel] Using APIBAN in Astlinux
>>>>>>>>>>
>>>>>>>>>> Quite interesting thread about apiban:
>>>>>>>>>>
>>>>>>>>>> https://community.freepbx.org/t/integrating-apiban-org-with-freepbx/69422/11
>>>>>>>>>>
>>>>>>>>>> Sent from a mobile device.
>>>>>>>>>>
>>>>>>>>>> Michael Keuter
>>>>>>>>>>
>>>>>>>>>>> On 13.10.2021 at 23:24, Michael Knill <mic...@ip...> wrote:
>>>>>>>>>>>
>>>>>>>>>>> APIBAN looks very interesting. There will be a session on it at Astricon this year as well.
>>>>>>>>>>> I assume that banned IP addresses could just be pulled into a netset list?
>>>>>>>>>>>
>>>>>>>>>>> https://apiban.org/doc.html
>>>>>>>>>>> https://www.securevoip.io/48-hours-with-apiban/
>>>>>>>>>>>
>>>>>>>>>>> Regards
>>>>>>>>>>>
>>>>>>>>>>> Michael Knill
>>>>>>>>>>> Managing Director
>>>>>>>>>>>
>>>>>>>>>>> D: +61 2 6189 1360
>>>>>>>>>>> P: +61 2 6140 4656
>>>>>>>>>>> E: mic...@ip...
>>>>>>>>>>> W: ipcsolutions.com.au
>>>>>>>>>>>
>>>>>>>>>>> Smarter Business Communications
>>>>>>>>>>>
>>>
>>> Michael
>>>
>>> http://www.mksolutions.info
>>
>> Michael
>>
>> http://www.mksolutions.info
>>
>> _______________________________________________
>> Astlinux-devel mailing list
>> Ast...@li...
>> https://lists.sourceforge.net/lists/listinfo/astlinux-devel
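
Added example (not part of the thread, and not code from AstLinux or APIBAN): a check of whether boxes sharing one apiban.conf key stay within the "11 connects in 2 minutes" limit for a given set of cron start minutes. It assumes the limit is counted per key, that at most 11 connects are allowed per window, and that one box's connects are about a second apart; all function names are illustrative.

```python
LIMIT = 11     # connects allowed ...
WINDOW = 120   # ... per 2 minutes, figures quoted in the thread


def connect_times(start_minutes, connects, spacing=1, period=3600):
    """Timestamps (seconds) of every connect made by boxes sharing one key.

    start_minutes: cron minute of each box's hourly job.
    connects: requests per download (3 at the time of the thread, and
              growing with the list).
    spacing: assumed seconds between one box's requests.
    """
    times = []
    for minute in start_minutes:
        # Two consecutive hours, so a job at minute 59 is compared with
        # another box's job at minute 0 of the next hour.
        for cycle in (0, period):
            base = cycle + minute * 60
            times += [base + i * spacing for i in range(connects)]
    return sorted(times)


def peak_in_window(times, window=WINDOW):
    """Largest number of connects falling inside any window-second span."""
    peak, lo = 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] >= window:
            lo += 1
        peak = max(peak, hi - lo + 1)
    return peak


def schedule_ok(start_minutes, connects, limit=LIMIT):
    """True if the busiest 2-minute span stays within the limit."""
    return peak_in_window(connect_times(start_minutes, connects)) <= limit


if __name__ == "__main__":
    # Constructed schedules: four boxes on one key, 3 connects each.
    for minutes in ([7, 7, 7, 7], [7, 12, 17, 22]):
        peak = peak_in_window(connect_times(minutes, 3))
        print(minutes, "peak", peak, "ok" if peak <= LIMIT else "rate limited")
```

Raising `connects` shows how the margin shrinks as the list grows: at 6 connects per download, two boxes on the same minute already exceed the limit.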