New - learning about wrt - any advice

DD-WRT Forum Index -> Broadcom SoC based Hardware
wannabe2018
DD-WRT Novice


Joined: 23 Dec 2018
Posts: 5

Posted: Sun Dec 23, 2018 14:36    Post subject: New - learning about wrt - any advice
Ho-lee-cow. I typed a long post and the forum detected it as something and BAM! lol.. all gone. Okay, will copy it down this time just in case.

I am posting this while I read as much of the forum as possible. Not asking for someone to hand me an answer, but figured to outline it here so I do not have to re-type it 40 times.. just 2, it seems.. lol.. actually.. 3.

First off, been hearing about dd-wrt a long time, just never really "bit-the-bullet" till now.

About a year and a half ago, I got booted off my home PC a couple times.. made me go "hrm" so, went to the house and saw someone was logged in. That will wake ya up...

So, I locked it down, somewhat... but I am still getting brute-force attacked, by the evidence in my event logs. They are not "on" the PC but, I have a new PC.. and 3 Asus routers, so figured it is time to learn more and lock it down right.

So, while I browse the forums and try things out, here is what I have and what I am trying to do and need to do.. and any insight is appreciated.

Beforehand, thank you all for any help. I know you do not have to, and I am willing and able to do a lot on my own, but experience is more valuable and I will gladly take any advice.

I have 2 PCs, about to have 2 more when the kids get theirs for Christmas.. heh (they got so many viruses the last time that I decided to wait till I had a plan).

I have 10 IP cameras (we had a lot of tools stolen a month or so ago.. and a few acres, so added a lot of wifi cams...wifi is not an issue out here.. the attacks are not from around here.. heh)

I have a single wifi printer.. it can be usb, but prefer wifi for the wife's ipad.

A few kindles, a few apple products.


My biggest needs are:

- RDP to my PC. I am a dba.. telework.. so I vpn OUT.. and I RDP back in. I have 7 licenses for VPN accounts.. but have not installed them yet except when I need to download something onto one PC.. heh.. torrent.. and then turn it off. I have a friend that has everything with a vpn, but I was worried I would get somewhere and be unable to rdp back.

Games.. not many.. but Rift.. and a couple other games.. would like to be able to do so.

NAS - I own two. Synology does the cams.. Qnap does plex.

That is about it.

I was thinking of having the Asus RT-AC3200 be my external router, then having an Asus RT-AC66U_B1 have a VPN to that router, and have IT handle the DHCP of the computers and wifi?

Not sure any of that will matter, but I had 3 routers.. so figured to put them to good use.

I just want the login attempts on my new PC to stop... and try to block them at the router. It seems that the router is overwhelmed with the attack. I log into it and it auto-refreshes a lot and half the devices disappear every refresh then come back off and on.

Anyway, going to get more coffee, then will start reading and learning again.

Thank you all and Good Morning!

Noob
HalfBit
DD-WRT Guru


Joined: 04 Sep 2009
Posts: 776
Location: AR, USA

Posted: Thu Dec 27, 2018 3:51
Please don't leave a port open on your router for RDP. That is asking for trouble. At least use something like Teamviewer--a personal account is free.

Oh, and the back button can be your friend for those lost posts--most of the time.

_________________
R7000 Nighthawk - DD-WRT v3.0-r50308
R7000 Nighthawk - DD-WRT v3.0-r50308
~~~~~~~~~~Dismantled for learning opportunities~~~~~~~~~~
WRT54Gv2
WRT54Gv8.2
~~~~~~~~~~Other Settings~~~~~~~~~
https://nextdns.io/?from=2d3sq39x
https://pi-hole.net/
https://github.com/DNSCrypt/dnscrypt-proxy
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6411
Location: UK, London, just across the river..

Posted: Thu Dec 27, 2018 7:28
make sure your cams are not broadcasting outside of your LAN... so cut their WAN side use... very often those cheap cams are full of spy/malware
use this rule if you have cams on br0 or adapt this rule to your case...

Code:
# One rule per camera. 192.168.1.50 is a placeholder; substitute the camera's LAN address
# (give it a static lease so the rule keeps matching). As posted, "-p tcp" only cuts TCP;
# drop that option if you also want the camera's UDP traffic toward the WAN blocked.
iptables -I FORWARD -i br0 -o $(nvram get wan_iface) -p tcp -s 192.168.1.50 -j DROP

and do not have GUI on WAN port...
disable telnet and use only SSH on a different port, secured with a key file

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
danielwritesback
DD-WRT User


Joined: 29 Aug 2011
Posts: 240

Posted: Sat Jan 05, 2019 12:38
Alozaros wrote:
...disable telnet and use only SSh on different port, secured with key file

I made a guess, but I think this disables my servers on these ports:
Code:
# Drop new connections arriving from the WAN to these TCP/UDP ports.
# "--dports" matches the destination (service) port, which is what blocks inbound access;
# matching "--sport" would only look at the remote peer's ephemeral source port.
# "-i <wan>" keeps the rule from also blocking LAN clients talking to the router or NAS.
iptables -t nat -I PREROUTING -i $(nvram get wan_iface) -p tcp -m multiport --dports 22,23,111,135,139,445,623,5000,5001,8080,9971,16992,16993,16994,16995 -j DROP
iptables -t nat -I PREROUTING -i $(nvram get wan_iface) -p udp -m multiport --dports 22,111,135,137,138,161,445,623,3702,9971,13131,16992,16993,16994,16995 -j DROP
Maximum number for multiport is 15 ports per command.
I think this firewall command is for when you don't want to host a server on those ports. So, it should prevent remote administration from strangers on the internet.
This may be redundant since the firewall has probably dropped incoming requests for these ports anyway.


Bonus:
Set DHCP auto ip address range below ...126 (50-100 is fine)
Give work computer fixed address above ...126
Code:
# Each source address in 192.168.1.0/25 (.1 to .126) may hold at most 200 concurrent
# connections to the router; "--connlimit-mask 32" counts per single client address.
iptables -I INPUT -s 192.168.1.0/25 -m connlimit --connlimit-mask 32 --connlimit-above 200 -j REJECT
Anything above ...126 doesn't have the limit applied.
This prevents router lockup/slowdown from too many simultaneous connections. That command is masked to apply a limit of 200 concurrent connections per client. It looks like a firewall command; however, -I are startup commands. For use when family and work are on the same router, along with IoT devices, smart-house gear and all the modern stuff that doesn't always play fair.

_________________
R6250 with fan on; wifi off
R6300.1 mips DD-WRT 42617 Giga AP
WNR3500Lv2 DD-WRT 33525 K3 Giga
E3000 5ghz multicast AP DD-WRT 33525 K2.6
WRT54GSv2 long range AP HyperWRT 15
2 WR841Nv9 DD-WRT 33006 AP
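Worked example, added by the editor and not code posted by anyone in this thread: one DD-WRT "Firewall" script that combines the three ideas above. It isolates the cameras from the WAN as Alozaros suggests (for all protocols, not only TCP), drops inbound connections from the WAN to the admin ports listed by danielwritesback (using --dports, and splitting the list to respect multiport's 15-port limit, with 3389 added because HalfBit warns against exposing RDP), and caps per-client connections with connlimit. The camera addresses, the 192.168.1.0/25 DHCP pool, the port lists and the vlan2 fallback are assumptions to adapt to your LAN; on the router itself the WAN interface comes from nvram get wan_iface, as in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): a DD-WRT "Firewall" script that builds the rules
# discussed above. Run with no arguments to print the rules for review; run with "apply"
# on the router to execute them.

CAMERAS="192.168.1.201 192.168.1.202 192.168.1.203"   # assumed camera addresses (give them static leases)
LAN_IF="br0"                                          # DD-WRT LAN bridge
DHCP_NET="192.168.1.0/25"                             # assumed DHCP pool .1-.126; fixed hosts sit above it
# Router/LAN service ports never to accept from the WAN: the thread's lists, plus 3389 for RDP.
ADMIN_TCP="22 23 111 135 139 445 623 5000 5001 8080 9971 16992 16993 16994 16995 3389"
ADMIN_UDP="22 111 135 137 138 161 445 623 3702 9971 13131 16992 16993 16994 16995"

# Echo an iptables command instead of running it, so the rule set can be reviewed first.
ipt() { echo "iptables $*"; }

# Block a port group both for the router itself (INPUT) and for port-forwarded LAN hosts (FORWARD).
# $1 = WAN interface, $2 = protocol, $3 = comma-separated ports
drop_ports() {
    for chain in INPUT FORWARD; do
        ipt -I "$chain" -i "$1" -p "$2" -m multiport --dports "$3" -j DROP
    done
}

# xt_multiport accepts at most 15 ports per rule, so split a long list into several rules.
# $1 = WAN interface, $2 = protocol, $3 = space-separated port list
port_rules() {
    group=""; n=0
    for p in $3; do
        group="${group:+$group,}$p"
        n=$((n + 1))
        if [ "$n" -eq 15 ]; then
            drop_ports "$1" "$2" "$group"
            group=""; n=0
        fi
    done
    if [ -n "$group" ]; then
        drop_ports "$1" "$2" "$group"
    fi
}

# Emit the whole rule set for WAN interface $1.
build_rules() {
    # Cameras: drop everything they send toward the WAN, any protocol (TCP and UDP alike).
    for cam in $CAMERAS; do
        ipt -I FORWARD -i "$LAN_IF" -s "$cam" -o "$1" -j DROP
    done
    # Admin/service ports: never reachable from the WAN side.
    port_rules "$1" tcp "$ADMIN_TCP"
    port_rules "$1" udp "$ADMIN_UDP"
    # Each DHCP client may hold at most 200 concurrent connections through the router;
    # --connlimit-mask 32 counts per single source address.
    ipt -I FORWARD -i "$LAN_IF" -s "$DHCP_NET" -m connlimit --connlimit-above 200 --connlimit-mask 32 -j REJECT
}

# On the router, ask nvram for the WAN interface; elsewhere fall back to vlan2 (common on Broadcom units).
if command -v nvram >/dev/null 2>&1; then WAN_IF=$(nvram get wan_iface); else WAN_IF=${WAN_IF:-vlan2}; fi

if [ "${1:-}" = "apply" ]; then
    build_rules "$WAN_IF" | sh      # execute the generated rules
else
    build_rules "$WAN_IF"           # dry run: print them for review
fi
```

Paste the script into Administration -> Commands and save it as the Firewall script; it then re-runs whenever the WAN comes up, and `sh script.sh` on a workstation shows exactly which rules it would add. Because the camera rule matches all protocols, cameras also lose NTP and cloud push; if a camera needs time sync, insert an ACCEPT for UDP 123 to your chosen NTP server above the DROP. DD-WRT's default firewall already drops unsolicited WAN traffic, so the port rules are defence in depth against an accidental port forward or remote-GUI setting, not a replacement for that default.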
