HELP! I'm under a Brute Force Attack !!!

DD-WRT Forum Index -> Broadcom SoC based Hardware
seanvree
DD-WRT User


Joined: 09 Sep 2015
Posts: 92

PostPosted: Thu Jun 29, 2017 4:57    Post subject: HELP! I'm under a Brute Force Attack !!!
So, today my internet started to slow to a crawl. Checked out my logs on my DDWRT R7000, and I'm getting a lot of auth attempts from various IPs in Asia.

So, two questions:
1 - How do I watch "Live" of attempted IP connections? Is this possible?

2 - since the IPs are varying enormously, how can I stop this?
THX
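For the first question (watching attempts as they arrive), the following script is an added example, not part of this thread or of DD-WRT. It summarises netfilter LOG lines by source IP, by /24 network and by destination port, which also helps with the second question: a range is only worth a single blocking rule when many hits cluster inside it. It assumes the router's syslogd is enabled and that a firewall LOG rule records rejected connections in the standard kernel LOG format; the sample lines, the DROP prefix, the vlan2 interface name and all addresses (RFC 5737 documentation ranges) are constructed for the example. Run it without arguments to see the constructed sample, or give it the path of the log file (for example a copy of /var/log/messages) to follow it live.

```python
"""Summarise firewall LOG lines by source IP, /24 network and destination port.

Added example for this thread, not part of DD-WRT. Assumes syslogd is enabled on
the router and an iptables LOG rule records rejected connections in the standard
kernel LOG format ("... SRC=a.b.c.d ... PROTO=TCP ... DPT=80 ...").
"""
import ipaddress
import re
import sys
import time
from collections import Counter

# KEY=VALUE fields written by the netfilter LOG target; only these four are needed.
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S*)")

# Constructed sample log: the DROP prefix, the vlan2 WAN interface and all
# addresses (RFC 5737 documentation ranges) are made up for this example.
SAMPLE_LOG = """\
Jun 29 04:55:12 DD-WRT kern.warn kernel: DROP IN=vlan2 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=48 PROTO=TCP SPT=51234 DPT=80 SYN
Jun 29 04:55:13 DD-WRT kern.warn kernel: DROP IN=vlan2 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=48 PROTO=TCP SPT=51235 DPT=80 SYN
Jun 29 04:55:14 DD-WRT kern.warn kernel: DROP IN=vlan2 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TTL=51 PROTO=TCP SPT=40001 DPT=80 SYN
Jun 29 04:55:20 DD-WRT kern.warn kernel: DROP IN=vlan2 OUT= SRC=192.0.2.44 DST=198.51.100.2 LEN=60 TTL=55 PROTO=TCP SPT=33000 DPT=22 SYN
Jun 29 04:55:21 DD-WRT daemon.info dnsmasq-dhcp[123]: DHCPACK(br0) 192.168.1.50
"""


def parse_line(line):
    """Return (src, proto, dpt) for a netfilter LOG line, or None for any other line."""
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields:
        return None  # dnsmasq, httpd, etc.: not a firewall log record
    return fields["SRC"], fields.get("PROTO", "-"), fields.get("DPT", "-")


def summarize(lines):
    """Count logged hits per source IP, per (proto, port) and per /24 (or /64) network."""
    per_ip, per_port, per_net = Counter(), Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, proto, dpt = rec
        per_ip[src] += 1
        per_port[(proto, dpt)] += 1
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            continue  # malformed SRC field: count the IP but not the network
        prefix = 24 if addr.version == 4 else 64
        per_net[str(ipaddress.ip_network(f"{src}/{prefix}", strict=False))] += 1
    return per_ip, per_port, per_net


def report(lines, top=5):
    """Render the three counters as a short text report."""
    per_ip, per_port, per_net = summarize(lines)
    out = ["top source IPs:"]
    out += [f"  {n:5d}  {ip}" for ip, n in per_ip.most_common(top)]
    out.append("top networks (candidates for one range rule):")
    out += [f"  {n:5d}  {net}" for net, n in per_net.most_common(top)]
    out.append("targeted ports:")
    out += [f"  {n:5d}  {proto}/{dpt}" for (proto, dpt), n in per_port.most_common(top)]
    return "\n".join(out)


def follow(path, interval=1.0):
    """Yield lines appended to path, like `tail -f`, for a live view."""
    with open(path) as fh:
        fh.seek(0, 2)  # start at the end: only new records are shown
        while True:
            line = fh.readline()
            if line:
                yield line.rstrip("\n")
            else:
                time.sleep(interval)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # live mode: print each logged attempt with a running total per source IP
        totals = Counter()
        for line in follow(sys.argv[1]):
            rec = parse_line(line)
            if rec:
                totals[rec[0]] += 1
                print(f"{rec[0]:>15}  {rec[1]}/{rec[2]}  hits from this IP: {totals[rec[0]]}")
    else:
        print(report(SAMPLE_LOG.splitlines()))
```

Only lines carrying a SRC= field are counted, so the parser ignores unrelated syslog records that share the same file. Because the sample's three port-80 hits come from two addresses in one /24, the network view shows where one range rule would cover several sources; attempts spread across unrelated networks are better dealt with by removing the exposed service from the WAN than by chasing them one address at a time.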





Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6440
Location: UK, London, just across the river..

PostPosted: Thu Jun 29, 2017 6:30    Post subject:
It depends where they want to log in. Are they trying your GUI or Wi-Fi?
There are some tricks to prevent this, using iptables commands/rules... Give me more details: can you identify IPs or a range of IPs to block?
Do you have a Telnet/SSH service running...?

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
seanvree
DD-WRT User


Joined: 09 Sep 2015
Posts: 92

PostPosted: Thu Jun 29, 2017 11:11    Post subject:
Alozaros wrote:
It depends where they want to log in. Are they trying your GUI or Wi-Fi?
There are some tricks to prevent this, using iptables commands/rules... Give me more details: can you identify IPs or a range of IPs to block?
Do you have a Telnet/SSH service running...?


Did you see the picture above? I'm assuming it's the GUI.

The IPs were all different, but MOSTLY China and Korea.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6868
Location: Romerike, Norway

PostPosted: Thu Jun 29, 2017 13:01    Post subject:
Turn off WAN Access for the GUI
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6290
Location: Texas

PostPosted: Thu Jun 29, 2017 14:24    Post subject:
On the Security page, enable everything under
'Impede WAN DoS/Bruteforce'.
That will help you some, but, as mentioned, you should disable remote WAN access, and if you need it, create an
ovpn server on this router or on one within your network to access your devices remotely.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6440
Location: UK, London, just across the river..

PostPosted: Thu Jun 29, 2017 15:28    Post subject:
OK, then you have a few options: to filter those IPs or a range of IPs, or to filter port 80 for specific MAC addresses only.

iptables -I INPUT -i br0 -p tcp --dport 80 -j REJECT
iptables -I INPUT -i br0 -p tcp --dport 80 -m mac --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT
-------------------------------------------------------------(your allowed mac address)
Do keep in mind: new lines for more addresses, in the same format/syntax.

or

To block a whole range of IPs, or just one IP if you want...

iptables -I INPUT -s 46.101.128.0/17 -j DROP



If you use SSH, you'd better do so instead of Telnet... You have to choose any port different from 23 and then lock it with a key file.
Generate it with puttygen.exe (SSH-2 RSA 2048bit) and use it: no access with a password, only connection with the key file, and if you
decide, the key file can be locked with a passphrase so nobody can use it, only you...

I use those lines for hardening SSH; take note to change port 23 to your current port serving SSH.

iptables -N IN_SSH
iptables -I INPUT -p tcp --dport 23 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 23 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 -j LOGDROP
iptables -A INPUT -p tcp --dport 23 -m conntrack --ctstate NEW -j IN_SSH
iptables -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 1 --seconds 10 -j LOGDROP
iptables -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 2 --seconds 1800 -j LOGDROP
iptables -A IN_SSH -m recent --name sshbf --set -j ACCEPT

You can use those lines to harden your router too:

iptables -t mangle -I PREROUTING -m conntrack --ctstate INVALID -j DROP
iptables -t mangle -I PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
iptables -t mangle -I PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
iptables -I INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -I INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -I INPUT -f -j DROP
iptables -I INPUT -s `nvram get lan_ipaddr`/`nvram get lan_netmask` -d `nvram get wan_ipaddr` -j DROP
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
iptables -A INPUT -m recent --name portscan --rcheck --seconds 8640 -j DROP

At the end, make sure you use a strong password for the GUI, something with capital letters, numbers and symbols...

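The SSH rules in the post above depend on how the `recent` match counts hits, and the thresholds are tighter than they look. The following model is an added example, not code from this thread or from DD-WRT: it reproduces the xt_recent semantics the rules rely on (one entry per source address holding the timestamps of its hits; `--rcheck` and `--update` match when at least `--hitcount` timestamps fall within the last `--seconds`; `--set` appends a timestamp; `--update` also appends one when it matches) and evaluates the two `-I INPUT` rules and the IN_SSH chain in the order the kernel sees them after the inserts and appends. Two simplifying assumptions: `--rttl` is ignored (all attempts are treated as having the same TTL), and only NEW connections are fed in, as the `--state NEW` matches do. The scenario addresses and timings are constructed.

```python
"""Model of the `-m recent` SSH rules above, to see which new connections survive.

Added example, not code from the thread or from DD-WRT. Reproduces the xt_recent
semantics the rules rely on; --rttl is ignored and only NEW connections are fed in.
"""


class RecentList:
    """One xt_recent table (the unnamed DEFAULT list or a --name list)."""

    def __init__(self, max_stamps=20):
        # ip_pkt_list_tot: the module keeps at most this many timestamps per address
        self.entries = {}
        self.max_stamps = max_stamps

    def set(self, src, now):
        """--set: create the entry if needed and record this hit."""
        stamps = self.entries.setdefault(src, [])
        stamps.append(now)
        del stamps[:-self.max_stamps]

    def rcheck(self, src, now, seconds, hitcount):
        """--rcheck: match when the address has >= hitcount hits in the last seconds."""
        stamps = self.entries.get(src)
        if stamps is None:
            return False  # unknown address never matches rcheck/update
        return sum(1 for t in stamps if now - t <= seconds) >= hitcount

    def update(self, src, now, seconds, hitcount):
        """--update: rcheck that also records the hit when it matches."""
        if self.rcheck(src, now, seconds, hitcount):
            self.set(src, now)
            return True
        return False


class SshFilter:
    """The two `-I INPUT` rules and the IN_SSH chain, in kernel evaluation order
    once the -I (insert at top) and -A (append) commands have run."""

    def __init__(self):
        self.default = RecentList()  # list used by the two rules without --name
        self.sshbf = RecentList()    # --name sshbf

    def new_connection(self, src, now):
        # iptables -I INPUT ... --state NEW -m recent --update --seconds 60 --hitcount 2 -j LOGDROP
        if self.default.update(src, now, 60, 2):
            return ("LOGDROP", "INPUT: 2 new connections within 60 s")
        # iptables -I INPUT ... --state NEW -m recent --set   (records the hit, no target)
        self.default.set(src, now)
        # iptables -A INPUT ... --ctstate NEW -j IN_SSH
        if self.sshbf.rcheck(src, now, 10, 1):
            return ("LOGDROP", "IN_SSH: within 10 s of the last accepted connection")
        if self.sshbf.rcheck(src, now, 1800, 2):
            return ("LOGDROP", "IN_SSH: 2 accepted connections within 1800 s")
        self.sshbf.set(src, now)  # only accepted connections enter sshbf
        return ("ACCEPT", "")


def simulate(attempts):
    """attempts: (seconds since start, source IP) pairs in time order -> verdicts."""
    fw = SshFilter()
    return [fw.new_connection(src, t) for t, src in attempts]


# Constructed scenario: one address reconnecting repeatedly, a second one once.
SCENARIO = [(0, "203.0.113.7"), (3, "198.51.100.9"), (5, "203.0.113.7"),
            (15, "203.0.113.7"), (70, "203.0.113.7"), (100, "203.0.113.7")]

if __name__ == "__main__":
    for (t, src), (verdict, why) in zip(SCENARIO, simulate(SCENARIO)):
        print(f"t={t:4d}s  {src:15}  {verdict:8}  {why}")
```

Running the scenario shows the practical effect: the first connection from an address is accepted, a retry 5 s later is dropped by the 10 s rule, the next one is dropped by the 60 s rule (dropped attempts also feed the unnamed list, because `--update` records the hit when it matches), a connection at 70 s is accepted again, and the one at 100 s is dropped because two accepted connections now sit inside the 1800 s window. So a legitimate admin gets at most two SSH sessions per half hour from one address, which is the main lockout risk of this recipe; keep a LAN-side path open while testing it. Also check with `iptables -L INPUT -n --line-numbers` that the appended `-j IN_SSH` rule sits above any earlier rule that already accepts or drops the traffic, since `-A` places it at the bottom of the chain, and that the chain named in `-j LOGDROP` exists on your build.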
Acumen
DD-WRT User


Joined: 15 Nov 2014
Posts: 221

PostPosted: Tue Jul 04, 2017 12:25    Post subject:
Well, that was a pretty quick and solid response. Were you able to keep things safe, SeanVree?
_________________
Netgear WNDR4300v1 DD-WRT v3.0 BS r29837 | Netgear R6400 DD-WRT v3.0 KB r33525M | Tickets: 5429
IPv4 & IPv6-PD | ProFTP & Samba to USB thumb | DNSMasq DHCPv6 | Pi-Hole on RasPi

Found a bug? Report it so that it can be fixed: http://svn.dd-wrt.com/