banIP - OpenWRT IP List Blocker
![banIP - OpenWRT IP List Blocker](/content/images/size/w960/2023/09/robot_war__fire__wall__castle__art_310929595.png)
I host a honeypot to measure how many attacks I get per day and which security measures are able to block them. I started with Snort3 in IDS mode, which detected malicious activity. After switching to IPS mode, I noticed that while miscellaneous attacks had fallen off, a large chunk of botnet traffic still kept getting through. A quick analysis in Grafana (the same dashboard discussed in the Cowrie post) showed that a handful of IPs, particularly from China, were responsible for most of this traffic, and I wanted to reduce it. After some research I zeroed in on banIP as my next target.
To put it very crudely, banIP is a neat service that takes IPs from blocklists and blocks them using nftables. It also pulls updated lists periodically and has a great LuCI frontend to manage all of this.
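To make concrete what "takes IPs from lists and blocks them using nftables" means, here is an added example that is not banIP's own code: a small POSIX shell script that cleans a plain-text IP/CIDR feed and emits an nftables ruleset of the kind banIP generates for you. The table name, set name and the sample feed are made-up values for the demonstration.

```sh
#!/bin/sh
# Added example (not banIP's code): turn a plain-text IP/CIDR list into an
# nftables ruleset that drops inbound traffic from those sources. banIP
# automates this for many feeds and refreshes the sets on a schedule.
# Assumed feed format: one IPv4 address or CIDR per line, '#' starts a comment.

# Constructed sample feed, standing in for a downloaded blocklist.
SAMPLE_LIST='# constructed sample feed
203.0.113.7
198.51.100.0/24
203.0.113.7        # duplicate, must be dropped
not-an-ip          # malformed, must be skipped
192.0.2.0/25'

# Read a feed on stdin; print only well-formed IPv4 addresses/CIDRs,
# comments stripped and duplicates removed.
clean_list() {
    sed 's/#.*//' | tr -d ' \t' \
        | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' | sort -u
}

# Read a feed on stdin; emit an nft ruleset with one interval set (so CIDR
# ranges are matched as ranges) and a drop rule in the input hook.
build_ruleset() {
    set_name="$1"
    elems=$(clean_list | paste -sd, -)
    cat <<EOF
table inet blocklist_demo {
    set $set_name {
        type ipv4_addr
        flags interval
        elements = { $elems }
    }
    chain input {
        type filter hook input priority -1; policy accept;
        ip saddr @$set_name counter drop
    }
}
EOF
}

# Generate the ruleset; on a router it would be loaded with: nft -f <file>
printf '%s\n' "$SAMPLE_LIST" | build_ruleset blocked_v4
```

The `counter` on the drop rule is what lets you read how many packets each blocklist actually stopped, which is the number worth graphing alongside the honeypot dashboard.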
Installation is pretty simple on the latest OpenWrt release:

```sh
opkg install luci-app-banip
# installs banip automatically as a dependency
```
Immediately we're greeted with a new screen for banIP.
![](https://prafiles.in/content/images/2023/09/1.png)
After some configuration (basically selecting which lists you want to enable), you can also set up country-level blocks, which I was particularly interested in.
![](https://prafiles.in/content/images/2023/09/Screenshot-2023-09-02-at-10.04.08-PM.png)
And after this, together with the IPS, this is the resulting drop in traffic to the honeypot. You can find some more configuration details and documentation here.
![](https://prafiles.in/content/images/2023/09/Screenshot-2023-09-02-at-9.34.37-PM.png)
We can see a huge drop! Although it looks like the traffic is now zero, it is not; the y-axis is just too compressed to show the remaining traffic.