NethSecurity Threat Shield no info at dashboard tile

Hi,

It looks like after the update to 23.05.4-ns.1.2.0 the info tile on the dashboard is not showing any blocked IPs anymore.
Normally you will see a number, but now it only shows “0”.


Are you sure that banIP is blocking something?

You can check with this command on the whole log:

grep -E 'banIP.*drop' /var/log/messages

You should see lines like:

...fw kernel: [811665.320268] banIP/inp-wan/drop/yoroimallvl2v4: IN=eth5 OUT= MAC=e4:3a:6e...

Then restrict the matches to the last hour.

Hi Giacomo

grep -E 'banIP.*drop' /var/log/messages

This gives nothing. No info

/etc/init.d/banip status
::: banIP runtime information
  + status            : active (nft: ✔, monitor: ✔)
  + version           : 1.0.0-5
  + element_count     : 112370
  + active_feeds      : allowlistv4MAC, allowlistv6MAC, allowlistv4, allowlistv6, deblv4, deblv6, urlhausv4, dropv6, dropv4, urlvirv4, firehol1v4, dshieldv4, webclientv4, bruteforceblockv4, ipthreatv4, threatviewv4, cinsscorev4, iblockspyv4, nixspamv4, uceprotect1v4, blocklistv4MAC, blocklistv6MAC, blocklistv4, blocklistv6
  + active_devices    : wan: eth1 / wan-if: wan, wan / vlan-allow: - / vlan-block: -
  + active_uplink     : 213.93.196.209/24
  + nft_info          : priority: -100, policy: memory, loglevel: info, expiry: 1d, limit (icmp/syn/udp): 10/10/100
  + run_info          : base: /tmp, backup: /tmp/banIP-backup, report: /tmp/banIP-report
  + run_flags         : auto: ✘, proto (4/6): ✔/✔, log (pre/inp/fwd/lan): ✘/✘/✘/✘, dedup: ✔, split: ✘, custom feed: ✔, allowed only: ✘
  + last_run          : action: reload, log: tail, fetch: curl, duration: 1m 9s, date: 2024-09-23 08:25:08
  + system_info       : cores: 2, memory: 708, device: VMware, Inc. VMware Virtual Platform, NethSecurity 8-23.05.4-ns.1.2.0 r24012-d8dd03c46f

This worries me a bit.

grep -E 'banIP' /var/log/messages

Maybe this could be something?

Sep 23 11:57:49 NethSec8 banIP-1.0.0-5[4633]: start banIP download processes
Sep 23 11:58:39 NethSec8 banIP-1.0.0-5[4633]: download for feed 'allowlist' failed (rc: 56/log: curl: (56) The requested URL returned error: 401#012curl: (56) The requested URL returned error: 401#012curl: (56) Invalid status line#012curl: (56) The requested URL returned error: 401#012curl: (56) Invalid status line#012curl: (56) The requested URL returned error: 401)
Sep 23 11:58:43 NethSec8 banIP-1.0.0-5[4633]: download for feed 'countryv4' failed (rc: 4/log: )
Sep 23 11:58:43 NethSec8 banIP-1.0.0-5[4633]: download for feed 'countryv6' failed (rc: 4/log: )
Sep 23 11:58:49 NethSec8 banIP-1.0.0-5[4633]: start banIP domain lookup
Sep 23 11:58:49 NethSec8 banIP-1.0.0-5[4633]: domain lookup finished in 0m 0s (blocklist, 0 domains, 0 IPs)
Sep 23 11:58:51 NethSec8 banIP-1.0.0-5[4633]: domain lookup finished in 0m 2s (allowlist, 5 domains, 16 IPs)
Sep 23 11:58:51 NethSec8 banIP-1.0.0-5[4633]: start detached banIP log service (/usr/bin/tail)

This error is strange

Sep 23 11:58:39 NethSec8 banIP-1.0.0-5[4633]: download for feed 'allowlist' failed (rc: 56/log: curl: (56) The requested URL returned error: 401#012curl: (56) The requested URL returned error: 401#012curl: (56) Invalid status line#012curl: (56) The requested URL returned error: 401#012curl: (56) Invalid status line#012curl: (56) The requested URL returned error: 401)

I’ve checked the Allowlist and somehow there are a lot of double entries.
Deleted them and restarted the banip service.

This is why the number is 0.

OK. But do you really think that if I normally have a few attempts per hour, it suddenly drops to 0 for a long period?
I cannot believe this.

I have found the cause but not a solution yet.
I’ve scanned the logfile and after the update from 23.05.4-ns1.1.0 to 23.05.4-ns1.2.0 all banIP log lines are no longer in the log.
So I’ve restored a snapshot back to 23.05.4-ns.1.1.0 and the banIP log lines are back.
Performed the upgrade to 23.05.4-ns.1.2.0 again and the banIP log lines are not coming back.

I hope it is only cosmetic in the logs and it is blocking IPs, but I cannot tell.

I think banip changed the defaults another time.

Verify if the following options are enabled, and if not, feel free to enable them:

  • logforwardlan
  • logforwardwan
  • loginput

We need a UI for this as soon as possible.

Hi Giacomo,

How can I verify or enable these settings? :blush:

To verify the options:

uci show banip

I’ve added the commands on how to enable them, inside your issue:

We are also pushing some improvements to the UI: NethSecurity 8 · GitHub

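The status output posted above shows `log (pre/inp/fwd/lan): ✘/✘/✘/✘`, so an empty `grep -E 'banIP.*drop'` can mean either that nothing was dropped or that nothing was logged. The script below is an added example, not written by anyone in this thread and not NethSecurity or banIP code. It reads that flag line and counts drop lines per feed for a given hour; the function names are hypothetical and the sample input is constructed from the line formats shown in the thread.

```shell
# Added example, not project code; sample data below is constructed.
# Chains with banIP logging off, from `/etc/init.d/banip status` text on stdin.
banip_log_off() {
    awk '/run_flags/ {
        key = "log (pre/inp/fwd/lan): "
        p = index($0, key); if (!p) next
        rest = substr($0, p + length(key))
        sub(/,.*/, "", rest)        # keep only the four flags
        gsub(/[ \t]/, "", rest)     # tolerate terminal-wrap padding
        n = split(rest, flag, "/"); split("pre inp fwd lan", name, " ")
        for (i = 1; i <= n; i++) if (flag[i] != "✔") off = off name[i] " "
        sub(/ $/, "", off); print off
    }'
}

# Drop lines per chain/feed in log $1; optional $2 is a syslog timestamp
# prefix such as "Sep 23 11" that restricts the count to that clock hour.
banip_drops_by_feed() {
    awk -v pfx="${2:-}" '
        pfx != "" && index($0, pfx) != 1 { next }
        match($0, /banIP\/[^ ]*\/drop\/[^ :]*/) { count[substr($0, RSTART, RLENGTH)]++ }
        END { for (k in count) print count[k], k }' "$1" | sort -k2
}

# $1 = saved status output, $2 = log file, $3 = optional timestamp prefix.
banip_diagnose() {
    off=$(banip_log_off < "$1")
    drops=$(banip_drops_by_feed "$2" "${3:-}" | awk '{ s += $1 } END { print s + 0 }')
    if [ "$drops" -eq 0 ] && [ -n "$off" ]; then
        echo "0 drop lines, logging off for: $off"
    else
        echo "$drops drop lines"
    fi
}

sample_status() {   # constructed: run_flags line in the format shown in the thread
    echo '  + run_flags         : auto: ✘, proto (4/6): ✔/✔, log (pre/inp/fwd/lan): ✘/✘/✘/✘, dedup: ✔'
}
sample_log() {      # constructed log lines using documentation addresses
    cat <<'EOF'
Sep 23 07:10:01 fw kernel: [811665.320268] banIP/inp-wan/drop/yoroimallvl2v4: IN=eth1 OUT= SRC=192.0.2.10
Sep 23 07:42:17 fw kernel: [813601.114022] banIP/inp-wan/drop/dropv4: IN=eth1 OUT= SRC=192.0.2.77
Sep 23 07:55:40 fw kernel: [814404.550911] banIP/inp-wan/drop/dropv4: IN=eth1 OUT= SRC=192.0.2.78
Sep 23 11:57:49 fw banIP-1.0.0-5[4633]: start banIP download processes
EOF
}

tmp=$(mktemp -d); sample_status > "$tmp/status"; sample_log > "$tmp/log"
banip_diagnose "$tmp/status" "$tmp/log" "Sep 23 11"   # hour with no drop lines
banip_drops_by_feed "$tmp/log" "Sep 23 07"            # hour with logged drops
rm -rf "$tmp"
```

On a live system, save `/etc/init.d/banip status` to a file and pass `/var/log/messages` as the log; `"$(date '+%b %e %H')"` gives the prefix for the current clock hour.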