feat: add country tracking to ban management; update templates and scripts for country display

Author: TheophileDiot

.pre-commit-config.yaml

@@ -62,7 +62,7 @@ repos:
       - id: codespell
         name: Codespell Spell Checker
         exclude: (^src/(ui/templates|common/core/.+/files|bw/loading)/.+.html|modsecurity-rules.conf.*|src/ui/app/static/(fonts|libs)/.+)$
-        entry: codespell --ignore-regex="(tabEl|Widgits)" --skip CHANGELOG.md,CODE_OF_CONDUCT.md,src/ui/client/build.py,src/ui/app/static/json/countries.geojson,src/ui/app/static/js/pages/reports.js,src/ui/app/static/json/periscop.min.json,src/ui/app/static/json/blockhaus.min.json,src/ui/app/routes/reports.py
+        entry: codespell --ignore-regex="(tabEl|Widgits)" --skip CHANGELOG.md,CODE_OF_CONDUCT.md,src/ui/client/build.py,src/ui/app/static/json/countries.geojson,src/ui/app/static/js/pages/bans.js,src/ui/app/static/json/periscop.min.json,src/ui/app/static/json/blockhaus.min.json,src/ui/app/routes/reports.py
         language: python
         types: [text]
 

src/bw/lua/bunkerweb/api.lua

@@ -15,6 +15,7 @@ local api = class("api")
 local datastore = cdatastore:new()
 local logger = clogger:new("API")
 
+local get_country = utils.get_country
 local get_variable = utils.get_variable
 local is_ip_in_networks = utils.is_ip_in_networks
 -- local run = shell.run
@@ -248,6 +249,7 @@ api.global.POST["^/ban$"] = function(self)
 		exp = 86400,
 		reason = "manual",
 		service = "unknown",
+		country = "local",
 	}
 	ban.ip = ip["ip"]
 	if ip["exp"] then
@@ -259,12 +261,19 @@ api.global.POST["^/ban$"] = function(self)
 	if ip["service"] then
 		ban.service = ip["service"]
 	end
+	local country, err = get_country(ban["ip"])
+	if not country then
+		country = "unknown"
+		logger:log(ERR, "can't get country code " .. err)
+	end
+	ban.country = country
 	datastore:set(
 		"bans_ip_" .. ban["ip"],
 		encode({
 			reason = ban["reason"],
 			service = ban["service"],
 			date = os.time(),
+			country = ban["country"],
 		}),
 		ban["exp"]
 	)
@@ -301,6 +310,7 @@ api.global.GET["^/bans$"] = function(self)
 				reason = ban_data["reason"],
 				service = ban_data["service"],
 				date = ban_data["date"],
+				country = ban_data["country"],
 				exp = math.floor(ttl),
 			})
 		end

src/bw/lua/bunkerweb/utils.lua

@@ -735,12 +735,13 @@ utils.is_banned = function(ip)
 	return false, "not banned"
 end
 
-utils.add_ban = function(ip, reason, ttl, service)
+utils.add_ban = function(ip, reason, ttl, service, country)
 	-- Set on local datastore
 	local ban_data = encode({
 		reason = reason,
 		service = service or "unknown",
 		date = os.time(),
+		country = country or "local",
 	})
 	local ok, err = datastore:set("bans_ip_" .. ip, ban_data, ttl)
 	if not ok then

src/common/cli/CLI.py

@@ -257,13 +257,16 @@ def bans(self) -> Tuple[bool, str]:
                 cli_str += "No ban found\n"
 
             for ban in bans:
+                banned_country = ban.get("country", "unknown")
                 banned_date = ""
                 remaining = "for eternity"
                 if ban["date"] != -1:
                     banned_date = f"the {datetime.fromtimestamp(ban['date']).strftime('%Y-%m-%d at %H:%M:%S %Z')} "
                 if ban["exp"] != -1:
                     remaining = f"for {format_remaining_time(ban['exp'])} remaining"
-                cli_str += f"- {ban['ip']} ; banned {banned_date}{remaining} with reason \"{ban.get('reason', 'no reason given')}\""
+                cli_str += (
+                    f"- {ban['ip']} from country \"{banned_country}\" ; banned {banned_date}{remaining} with reason \"{ban.get('reason', 'no reason given')}\""
+                )
 
                 if ban.get("service", "unknown") != "unknown":
                     cli_str += f" by {ban['service'] if ban['service'] != '_' else 'default server'}"

src/common/core/badbehavior/badbehavior.lua

@@ -12,6 +12,7 @@ local timer_at = ngx.timer.at
 local add_ban = utils.add_ban
 local is_whitelisted = utils.is_whitelisted
 local is_banned = utils.is_banned
+local get_country = utils.get_country
 local get_security_mode = utils.get_security_mode
 local tostring = tostring
 
@@ -39,6 +40,16 @@ function badbehavior:log()
 	end
 	-- Get security mode
 	local security_mode = get_security_mode(self.ctx)
+	-- Get country
+	local country = "local"
+	local err
+	if self.ctx.bw.ip_is_global then
+		country, err = get_country(self.ctx.bw.remote_addr)
+		if not country then
+			country = "unknown"
+			self.logger:log(ERR, "can't get country code " .. err)
+		end
+	end
 	-- Call increase function later and with cosocket enabled
 	local ok, err = timer_at(
 		0,
@@ -49,7 +60,8 @@ function badbehavior:log()
 		tonumber(self.variables["BAD_BEHAVIOR_THRESHOLD"]),
 		self.use_redis,
 		self.ctx.bw.server_name,
-		security_mode
+		security_mode,
+		country
 	)
 	if not ok then
 		return self:ret(false, "can't create increase timer : " .. err)
@@ -67,7 +79,17 @@ function badbehavior:log_stream()
 end
 
 -- luacheck: ignore 212
-function badbehavior.increase(premature, ip, count_time, ban_time, threshold, use_redis, server_name, security_mode)
+function badbehavior.increase(
+	premature,
+	ip,
+	count_time,
+	ban_time,
+	threshold,
+	use_redis,
+	server_name,
+	security_mode,
+	country
+)
 	-- Instantiate objects
 	local logger = require "bunkerweb.logger":new("badbehavior")
 	local datastore = require "bunkerweb.datastore":new()
@@ -108,7 +130,7 @@ function badbehavior.increase(premature, ip, count_time, ban_time, threshold, us
 	-- Store local ban
 	if counter > threshold then
 		if security_mode == "block" then
-			ok, err = add_ban(ip, "bad behavior", ban_time, server_name)
+			ok, err = add_ban(ip, "bad behavior", ban_time, server_name, country)
 			if not ok then
 				logger:log(ERR, "(increase) can't save ban : " .. err)
 				return