[new feature] fail2ban ?

giuliano
DD-WRT Novice


Joined: 28 Jul 2006
Posts: 10

PostPosted: Wed Aug 16, 2006 12:12    Post subject: [new feature] fail2ban ?
Hi,

What about adding the fail2ban package to dd-wrt? fail2ban filters the client's IP address after N wrong SSH login attempts. Maybe it can be useful?

cheers

giuliano
tommyboy180
DD-WRT Novice


Joined: 30 Nov 2006
Posts: 37

PostPosted: Sat Mar 17, 2007 8:27    Post subject: I just now found this lol
I would like this feature big time
mas
DD-WRT Novice


Joined: 16 Mar 2007
Posts: 4

PostPosted: Sat Mar 17, 2007 20:38    Post subject:
It's a good idea, but I don't think any of the current implementations are fit for the small memory footprints of these units, simply because they all use either Python or Perl.

You would want to use denyhosts then, however.

I have denyhosts installed on my NSLU and it works very nicely. The main benefit over fail2ban is that the guys put in a way to share blocked IPs with all denyhosts users, which is very effective. I receive ca. 3-4 attempts to login with standard passwords to my NSLU ssh. And 99% are already blocked when they try it. And the remaining 1% my denyhosts then reports to the database so that they get blocked by all other users of the database immediately. 8-;
Syris2k4
DD-WRT Novice


Joined: 16 Sep 2006
Posts: 20

PostPosted: Sat Mar 17, 2007 23:16    Post subject:
Yeah - something like denyhosts would be very nice to put in place. Use on my bsd boxes is mandatory... working perfectly and basically 0 to config :)
robertut
DD-WRT User


Joined: 30 Mar 2009
Posts: 145

PostPosted: Sat Dec 26, 2009 12:43    Post subject:
How about the new Asus RT-N16 router?
Would Asus RT-N16 be able to run python / perl scripts in DD-WRT?
foamcup
DD-WRT Novice


Joined: 02 Jun 2008
Posts: 24

PostPosted: Sat Dec 26, 2009 15:32    Post subject:
How about just using a key to login and disabling password login.
frater
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 2777

PostPosted: Sat Dec 26, 2009 17:12    Post subject:
A package?
This can be done with iptables.....
I do believe we are missing something for this on DD-WRT...
This is straight from my Fedora machine....

Code:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --set
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 -j LOG
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 -j DROP
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

This is a really effective measure without making things overcomplicated... One should mix security with common sense.....

I think it should be this on DD-WRT...

Code:
iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 -j logdrop
iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --set

_________________
Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge

DD-WRT v24-sp2 vpn (c) 2010 NewMedia-NET GmbH
Release: 12/16/10 (SVN revision: 15758M)
atomicamp
DD-WRT User


Joined: 16 Apr 2018
Posts: 107
Location: Milwaukee, WI

PostPosted: Mon Jan 16, 2023 9:07    Post subject:
frater wrote:
A package?
This can be done with iptables.....
I do believe we are missing something for this on DD-WRT...
This is straight from my Fedora machine....

Code:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --set
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 -j LOG
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 -j DROP
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

This is a really effective measure without making things overcomplicated... One should mix security with common sense.....

I think it should be this on DD-WRT...

Code:
iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 -j logdrop
iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --set


I am running an OpenVPN server on my DD-WRT router. How would I implement this rule so that too many incorrect authentication attempts to my VPN server on port 1194 would ban the attempting client?

Currently, I only have the following rules in my firewall configuration to allow the openvpn server to work:
Code:
iptables -t nat -I POSTROUTING -o br0 -s $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -j MASQUERADE


Would this suffice?
Code:
iptables -t nat -I POSTROUTING -o br0 -s $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -j MASQUERADE
iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 1194 -m recent --update --seconds 60 --hitcount 3 -j logdrop
iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 1194 -m recent --set

_________________
DanRanRocks - Tech Tutorials by Dan Ran

https://github.com/danrancan
dan@danran.rockst
My Blog https://danran.rocks
Join me on key base! and Add me on Keybase

Current Linksys WRT3200acm Firmware "DD-WRT v3.0-r51140 std (12/31/22)
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

PostPosted: Mon Jan 16, 2023 9:20    Post subject:
If the router is using -m recent, and I guess it does for some stuff, you can try...
Not 100% sure about the correct spelling... (1 line)

iptables -t nat -I POSTROUTING -o br0 -s $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -j MASQUERADE
iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 1194 -m recent --update --seconds 60 --hitcount 3 -j logdrop
iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 1194 -m recent --set

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
foz111
DD-WRT Guru


Joined: 01 Oct 2017
Posts: 704
Location: Earth

PostPosted: Mon Jan 16, 2023 9:34    Post subject:
atomicamp wrote:
frater wrote:
A package?
This can be done with iptables.....
I do believe we are missing something for this on DD-WRT...
This is straight from my Fedora machine....

Code:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --set
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 -j LOG
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 -j DROP
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

This is a really effective measure without making things overcomplicated... One should mix security with common sense.....

I think it should be this on DD-WRT...

Code:
iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 -j logdrop
iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --set


I am running an OpenVPN server on my DD-WRT router. How would I implement this rule so that too many incorrect authentication attempts to my VPN server on port 1194 would ban the attempting client?

Currently, I only have the following rules in my firewall configuration to allow the openvpn server to work:
Code:
iptables -t nat -I POSTROUTING -o br0 -s $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -j MASQUERADE


Would this suffice?
Code:
iptables -t nat -I POSTROUTING -o br0 -s $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -j MASQUERADE
iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 1194 -m recent --update --seconds 60 --hitcount 3 -j logdrop
iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 1194 -m recent --set


I use this for my OVPN Server
Code:
# extra security for openvpn server
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
OVPN_PROTO="$(nvram get openvpn_proto | awk '{print substr ($1,1,3)}')"
OVPN_PORT="$(nvram get openvpn_port)"
iptables -I INPUT -p $OVPN_PROTO --dport $OVPN_PORT -i $WAN_IF -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
iptables -I INPUT -p $OVPN_PROTO --dport $OVPN_PORT -i $WAN_IF -m state --state NEW -m recent --set

Thanks go to Eibgrad

_________________
Netgear R7800 PPPoE Main Router
Network IPV4 - Isolated Vlan's with IoT Devices. Unifi AC-Pro x 3 AP's, Router Wi-Fi Disabled. OVPN Server With Paid Commercial Wireguard Client's. Gateway Mode, DNSMasq, Static Leases & DHCP, Pi-Hole DNS & Running Unbound.

No one can build you the bridge on which you, and only you, must cross the river of life!
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Mon Jan 16, 2023 12:28    Post subject:
You can go one step further and use ipset to collect those IP addresses and ban them "permanently"

see: https://upcloud.com/resources/tutorials/iptables-firewall-recent-triggering-ipset

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
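To see what frater's rule pair (``--set`` on every NEW connection, then ``--update --seconds 60 --hitcount 4`` to logdrop) actually does to a burst versus a slow reconnecting client, and how egc's ipset-style escalation changes the picture, here is an offline model of the two mechanisms. This is an added example, not code from this thread or from DD-WRT; the list semantics follow the Linux xt_recent behaviour (a hit is recorded on ``--set``, and a matching ``--update`` records another hit, which is why an address that keeps retrying stays blocked), the timed ban set stands in for an ipset with a timeout, and the addresses and timings in the trace are constructed.

```python
"""Offline model of iptables '-m recent' connection limiting plus a timed ban set.

Added example (not from the DD-WRT forum thread or the DD-WRT project).
Modelled after Linux xt_recent semantics; event trace below is constructed.
"""
from collections import deque

PKT_LIST_TOT = 20  # xt_recent default: timestamps kept per address (ip_pkt_list_tot)


class RecentTable:
    """One named '-m recent' list: source address -> recent hit timestamps."""

    def __init__(self, max_stamps=PKT_LIST_TOT):
        self.max_stamps = max_stamps
        self.entries = {}  # ip -> deque of timestamps in seconds

    def set(self, ip, now):
        """'--set': create the entry if needed and record a hit for this packet."""
        stamps = self.entries.setdefault(ip, deque(maxlen=self.max_stamps))
        stamps.append(now)

    def update(self, ip, now, seconds, hitcount):
        """'--update --seconds S --hitcount N': match when the address has at least
        N hits within the last S seconds; on a match record one more hit, so a
        client that keeps retrying keeps extending its own block."""
        stamps = self.entries.get(ip)
        if stamps is None:
            return False
        hits = sum(1 for t in stamps if now - t <= seconds)
        if hits >= hitcount:
            stamps.append(now)
            return True
        return False


class ConnectionLimiter:
    """frater's rule order ('--set' first, then '--update' -> logdrop), with an
    optional timed ban set modelling egc's ipset escalation checked first."""

    def __init__(self, seconds=60, hitcount=4, ban_seconds=None):
        self.recent = RecentTable()
        self.seconds = seconds
        self.hitcount = hitcount
        self.ban_seconds = ban_seconds  # None = no ipset escalation
        self.banned = {}  # ip -> expiry time (ipset entry with timeout)
        self.log = []  # what the 'log' half of logdrop would emit

    def new_connection(self, ip, now):
        """Verdict for a NEW connection from ip at time now: 'ACCEPT' or 'DROP'."""
        expiry = self.banned.get(ip)
        if expiry is not None:
            if now < expiry:
                return "DROP"  # '-m set --match-set ... -j DROP' before the recent rules
            del self.banned[ip]  # timeout elapsed, ipset would have expired it
        self.recent.set(ip, now)
        if self.recent.update(ip, now, self.seconds, self.hitcount):
            self.log.append((now, ip))
            if self.ban_seconds is not None:
                self.banned[ip] = now + self.ban_seconds  # '-j SET --add-set ...'
            return "DROP"
        return "ACCEPT"


def run_trace(events, **limiter_kwargs):
    """Feed (time, ip) events in order and return (time, ip, verdict) tuples."""
    limiter = ConnectionLimiter(**limiter_kwargs)
    return [(t, ip, limiter.new_connection(ip, t)) for t, ip in sorted(events)]


# Constructed trace: one scanner opening a connection every second, and one
# administrator who reconnects roughly every two minutes.
SCANNER, ADMIN = "198.51.100.7", "203.0.113.10"
TRACE = [(t, SCANNER) for t in range(8)] + [(0, ADMIN), (130, ADMIN), (260, ADMIN)]


def verdicts_for(ip, results):
    return [verdict for _, who, verdict in results if who == ip]


if __name__ == "__main__":
    results = run_trace(TRACE)
    for t, ip, verdict in results:
        print(f"t={t:3d} {ip:14s} {verdict}")
    # Without the ban set, a scanner that pauses for longer than 60 s is let back in.
    plain = ConnectionLimiter()
    banned = ConnectionLimiter(ban_seconds=3600)
    for t in range(8):
        plain.new_connection(SCANNER, t)
        banned.new_connection(SCANNER, t)
    print("after a 2-minute pause, recent only :", plain.new_connection(SCANNER, 120))
    print("after a 2-minute pause, with ipset  :", banned.new_connection(SCANNER, 120))
```

The trace shows the threshold at work: the scanner's fourth attempt inside the 60-second window (the ``--set`` hit for the current packet counts) is dropped and every retry after it is dropped too, while the administrator's sparse reconnects never accumulate four hits. With ``-m recent`` alone the block lapses once the address has been quiet for the window; the ban set keeps it out for its timeout, which is the trade-off egc's suggestion makes.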
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

PostPosted: Mon Jan 16, 2023 13:24    Post subject:
Isn't it a bit stupid to block every host that makes 5 connections?
I need them myself regularly.

And fail2ban works differently: fail2ban watches the logs and has, depending on the mode, over 30 regex filters that kick in e.g. at "bad protocol" or "socket error".
This evaluates only connections that cause errors as critical.
Of course it doesn't stop you from limiting the maximum number of connections.
atomicamp
DD-WRT User


Joined: 16 Apr 2018
Posts: 107
Location: Milwaukee, WI

PostPosted: Sun Jan 29, 2023 18:13    Post subject:
foz111 wrote:
atomicamp wrote:
frater wrote:
A package?
This can be done with iptables.....
I do believe we are missing something for this on DD-WRT...
This is straight from my Fedora machine....

Code:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --set
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 -j LOG
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 -j DROP
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

This is a really effective measure without making things overcomplicated... One should mix security with common sense.....

I think it should be this on DD-WRT...

Code:
iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 -j logdrop
iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --set


I am running an OpenVPN server on my DD-WRT router. How would I implement this rule so that too many incorrect authentication attempts to my VPN server on port 1194 would ban the attempting client?

Currently, I only have the following rules in my firewall configuration to allow the openvpn server to work:
Code:
iptables -t nat -I POSTROUTING -o br0 -s $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -j MASQUERADE


Would this suffice?
Code:
iptables -t nat -I POSTROUTING -o br0 -s $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -j MASQUERADE
iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 1194 -m recent --update --seconds 60 --hitcount 3 -j logdrop
iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 1194 -m recent --set


I use this for my OVPN Server
Code:
# extra security for openvpn server
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
OVPN_PROTO="$(nvram get openvpn_proto | awk '{print substr ($1,1,3)}')"
OVPN_PORT="$(nvram get openvpn_port)"
iptables -I INPUT -p $OVPN_PROTO --dport $OVPN_PORT -i $WAN_IF -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
iptables -I INPUT -p $OVPN_PROTO --dport $OVPN_PORT -i $WAN_IF -m state --state NEW -m recent --set

Thanks go to Eibgrad


Thank you for this! In my openvpn server config, I have "CVE-2019-14899 Mitigation" enabled, which requires adding the following line to the firewall config:
Code:
iptables -t nat -I POSTROUTING -o br0 -s $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -j MASQUERADE


Should I add your firewall code before or after that line?
