Posted: Wed Aug 16, 2006 12:12 Post subject: [new feature] fail2ban ?
Hi,
What about adding the fail2ban package to dd-wrt? fail2ban filters the client's IP address after N wrong ssh login attempts. Maybe it can be useful?
It's a good idea, but I don't think any of the current implementations are fit for the small memory footprints of these units, simply because they all use either python or perl.
You would want to use denyhosts then, however.
I have denyhosts installed on my NSLU and it works very nicely. The main benefit over fail2ban is that the guys put in a way to share blocked IPs with all denyhosts users, which is very effective. I receive ca. 3-4 attempts to login with standard passwords to my NSLU ssh. And 99% are already blocked when they try it. And the remaining 1% my denyhosts then reports to the database so that they get blocked by all other users of the database immediately. 8-;
_________________ Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge
I am running an OpenVPN server on my DD-WRT router. How would I implement this rule so that too many incorrect authentication attempts to my vpn server on port 1194 would ban the attempting client?
Currently, I only have the following rules in my firewall configuration to allow the openvpn server to work:
Code:
iptables -t nat -I POSTROUTING -o br0 -s $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -j MASQUERADE
Isn't it a bit stupid to block every host that makes 5 connections?
I need them myself regularly.
And fail2ban works differently: fail2ban watches the logs and, depending on the mode, has over 30 regex filters that kick in e.g. on "bad protocol" or "socket error".
This evaluates only connections that cause errors as critical.
Of course it doesn't stop you from limiting the maximum number of connections.
Code:
# extra security for openvpn server
# WAN interface: the device the default route leaves through
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
# nvram holds e.g. "udp4" or "tcp-server"; iptables only wants "udp" or "tcp"
OVPN_PROTO="$(nvram get openvpn_proto | awk '{print substr ($1,1,3)}')"
OVPN_PORT="$(nvram get openvpn_port)"
# Both rules are inserted at the top of INPUT, so the --set rule (inserted last)
# is evaluated first: every NEW connection to the OpenVPN port is recorded, then
# the --update rule drops the source once it has opened 4 or more NEW
# connections within 60 seconds. Dropped retries are recorded too, so a source
# that keeps hammering the port stays blocked until it pauses.
iptables -I INPUT -p $OVPN_PROTO --dport $OVPN_PORT -i $WAN_IF -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
iptables -I INPUT -p $OVPN_PROTO --dport $OVPN_PORT -i $WAN_IF -m state --state NEW -m recent --set
Thanks go to Eibgrad
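To make the difference between the two approaches in this thread concrete, here is an added example (not code from the thread or from fail2ban/DD-WRT) that models both offline: the `-m recent --set` / `--update --seconds 60 --hitcount 4` rules above, which count every new connection, and a fail2ban-style filter as described earlier, which counts only log lines matching failure regexes. It runs both over the same constructed OpenVPN-style log; the sample lines, the failure patterns, the `maxretry`/`findtime` values and the `recent_rule`, `LogFilter` and `compare` names are assumptions for this example.

```python
"""Compare two ban policies offline: the posted iptables -m recent rules
(every NEW connection counts) versus a fail2ban-style log filter (only
failure lines count). Log lines follow OpenVPN's default server log layout,
"Wed Aug 16 12:12:01 2006 <ip>:<port> <message>". Sample lines and failure
regexes are constructed for this example, not taken from a real log."""
import calendar
import re
import time
from collections import defaultdict, deque


def recent_rule(events, seconds=60, hitcount=4, list_tot=20):
    """Model xt_recent for a chain whose --set rule runs before --update.

    events: (epoch_seconds, src_ip) per NEW connection, in time order.
    Returns [(epoch_seconds, src_ip, 'ACCEPT' | 'DROP'), ...].
    list_tot mirrors xt_recent's ip_pkt_list_tot (20 stamps per address).
    """
    stamps = defaultdict(lambda: deque(maxlen=list_tot))
    verdicts = []
    for now, ip in events:
        stamps[ip].append(now)                   # --set records this packet
        hits = sum(1 for s in stamps[ip] if now - s <= seconds)
        if hits >= hitcount:                     # --update --seconds --hitcount
            stamps[ip].append(now)               # a matching --update adds a stamp,
            verdicts.append((now, ip, "DROP"))   # so steady retries stay blocked
        else:
            verdicts.append((now, ip, "ACCEPT"))
    return verdicts


LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+ (?P<msg>.*)$")
# Messages treated as failed attempts (assumption modelled on OpenVPN server
# output; a real fail2ban filter carries many more patterns).
FAIL_RE = re.compile(
    r"TLS Error: TLS handshake failed"
    r"|TLS Auth Error: Auth Username/Password verification failed"
    r"|VERIFY ERROR:")


def parse_line(line):
    """Return (epoch_seconds, src_ip, message) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = calendar.timegm(time.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"))
    return ts, m.group("ip"), m.group("msg")


class LogFilter:
    """fail2ban-style jail: ban after maxretry failures within findtime seconds."""

    def __init__(self, maxretry=3, findtime=600):
        self.maxretry = maxretry
        self.findtime = findtime
        self.failures = defaultdict(deque)       # ip -> timestamps of failures
        self.banned = {}                         # ip -> time the ban was issued

    def feed(self, line):
        """Consume one log line; return the ip if this line triggers a ban."""
        parsed = parse_line(line)
        if parsed is None:
            return None
        ts, ip, msg = parsed
        if ip in self.banned or not FAIL_RE.search(msg):
            return None                          # successful connects never count
        window = self.failures[ip]
        window.append(ts)
        while ts - window[0] > self.findtime:    # forget failures outside findtime
            window.popleft()
        if len(window) >= self.maxretry:
            self.banned[ip] = ts
            return ip
        return None

    @staticmethod
    def ban_command(ip):
        """The iptables action fail2ban would take; returned, not executed."""
        return f"iptables -I INPUT -s {ip} -j DROP"


# Constructed log: a legitimate client whose tunnel flaps five times in forty
# seconds, and an attacker making three failed handshakes minutes apart.
SAMPLE_LOG = [
    "Wed Aug 16 12:12:01 2006 198.51.100.7:51001 Peer Connection Initiated with [AF_INET]198.51.100.7:51001",
    "Wed Aug 16 12:12:10 2006 198.51.100.7:51002 Peer Connection Initiated with [AF_INET]198.51.100.7:51002",
    "Wed Aug 16 12:12:20 2006 198.51.100.7:51003 Peer Connection Initiated with [AF_INET]198.51.100.7:51003",
    "Wed Aug 16 12:12:30 2006 198.51.100.7:51004 Peer Connection Initiated with [AF_INET]198.51.100.7:51004",
    "Wed Aug 16 12:12:40 2006 198.51.100.7:51005 Peer Connection Initiated with [AF_INET]198.51.100.7:51005",
    "Wed Aug 16 12:13:00 2006 203.0.113.9:40001 TLS Error: TLS handshake failed",
    "Wed Aug 16 12:16:00 2006 203.0.113.9:40002 TLS Error: TLS handshake failed",
    "Wed Aug 16 12:19:00 2006 203.0.113.9:40003 TLS Auth Error: Auth Username/Password verification failed for peer",
]


def compare(lines, maxretry=3, findtime=600):
    """Run both policies over one log; return (dropped_by_recent, banned_by_filter)."""
    parsed = [p for p in map(parse_line, lines) if p is not None]
    dropped = {ip for _, ip, verdict in recent_rule([(ts, ip) for ts, ip, _ in parsed])
               if verdict == "DROP"}
    jail = LogFilter(maxretry, findtime)
    banned = {ip for ip in map(jail.feed, lines) if ip}
    return dropped, banned


if __name__ == "__main__":
    dropped, banned = compare(SAMPLE_LOG)
    print("recent rule drops:", sorted(dropped))       # the flapping legitimate client
    print("fail2ban-style bans:", sorted(banned))      # only the failing source
    for ip in sorted(banned):
        print(LogFilter.ban_command(ip))
```

Running it shows the trade-off the thread is arguing about: the `recent` rule drops the legitimate client on its fourth reconnect inside a minute and never touches the attacker, whose three failures are spread too far apart to hit `--hitcount 4`, while the log filter bans the attacker and ignores the reconnecting client. The `recent` approach has the advantage of needing nothing but the kernel module already on the router; the log approach needs a daemon reading the logs.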
Thank you for this! In my openvpn server config, I have "CVE-2019-14899 Mitigation" enabled, which requires adding the following line to the firewall config:
Code:
iptables -t nat -I POSTROUTING -o br0 -s $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -j MASQUERADE
Should I add your firewall code before or after that line?
_________________ DanRanRocks - Tech Tutorials by Dan Ran