GEO IP blocking

DD-WRT Forum Forum Index -> General Questions
Author Message
CantRepeat
DD-WRT User


Joined: 18 Oct 2017
Posts: 59

PostPosted: Wed Sep 04, 2019 11:07    Post subject: GEO IP blocking
Had some SSH (dropbear) login attempts from China last night. They were from a known hacking group's IPs, at least that's what the Google search said.


Is there a way to implement GEO IP blocking/banning in DD-WRT?

I've done a few searches and haven't really come up with a solution.

I use SSH across my network to login to Pi and the router from time to time so I'd like to keep it on.


Also, if in fact the hackers were successful in getting root on the router, what's the best way to check for and remove that access?

Can I flash the router to a new firmware on both partitions and effectively reset Linux?

_________________
-Tim
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 2912
Location: UK, London, just across the river..

PostPosted: Wed Sep 04, 2019 11:34    Post subject:
First, start with the router model and the current build running...
There are a few scripts for geo blocking; as well, you can block IPs or ranges of IPs
via iptables rules, and you can also block stuff via dnsmasq rules.
A well-known practice is to not expose SSH via WAN...
If you do, then change its default port to something else, like port 50000 or any port above port 1000..
As well, disable SSH password login and log in with a key file (password protected)
with max encryption.. I think the DD-WRT SSH key can be SSH-2 RSA 2048 bit max; I use puttygen to create my keys.
To limit attempts per time you also need SSH iptables rules..
Then you can sleep well...
Personally I never expose the GUI on the WAN side, no excuse...no shit..

_________________
Atheros
TP-Link WR740Nv1 ------DD-WRT 33772 BS WAP/Switch (wired)
TP-Link WR1043NDv2 ----DD-WRT 41369 BS (AP,PPPoE,NAT,AD Blocking,AP Isolation,Firewall,Local DNS,Forced DNS,DoT)
TP-Link WR1043NDv2 ----DD-WRT 41321 BS (AP,NAT,AD Blocking,Firewall,Wi-Fi OFF,Local DNS,Forced DNS,DoT)
TP-Link WR1043NDv2 ----Gargoyle OS 1.11.0 (AP,NAT,QoS,Quotas)
Qualcomm/IPQ8065
2x Netgear R7800 -------DD-WRT 40270M 4.9 Kong (AP,NAT,AD-Blocking,AP&Net Isolation,VLAN's,Firewall,Local DNS,DNSCrypt-proxy v2 x2)
Broadcom
Netgear R7000 -------DD-WRT 40270M Kong (AP,NAT,VLAN,AD-Blocking,Firewall,Local DNS,Forced DNS,DoT)
------------------------------------------------------------------------------------------------
Stubby for DNS over TLS I DNSCrypt v2 via Entware by mac913
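A DD-WRT-style firewall script illustrating the iptables approach described above (dropping SSH traffic from a list of address ranges, plus limiting new SSH connections per source). This is an added example, not code from the thread or from DD-WRT; the SSH port, the WAN interface name and the CIDR list are assumed placeholders, and the script only prints the commands unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example: DD-WRT firewall script for SSH (dropbear) on the WAN side.
# Assumptions (not from the thread): dropbear listens on SSH_PORT, the WAN
# interface is WAN_IF, and the CIDR list below is a constructed sample
# (RFC 5737 documentation ranges), not a real country list.
SSH_PORT="${SSH_PORT:-50000}"
WAN_IF="${WAN_IF:-vlan2}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the iptables commands, 0 = apply them

# Constructed block list: one CIDR per line; '#' comments and blank lines allowed.
GEO_BLOCKLIST="# constructed sample, replace with a real geo list
192.0.2.0/24
198.51.100.0/24

203.0.113.0/24"

# Print or run an iptables command depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Chain GEOBLOCK drops SSH packets whose source is in the list; INPUT jumps to it.
build_geo_block() {
    ipt -N GEOBLOCK
    printf '%s\n' "$GEO_BLOCKLIST" | sed 's/#.*//' | grep -E '^[0-9./]+$' |
    while read -r cidr; do
        ipt -A GEOBLOCK -s "$cidr" -j DROP
    done
    ipt -A GEOBLOCK -j RETURN
    ipt -I INPUT -i "$WAN_IF" -p tcp --dport "$SSH_PORT" -j GEOBLOCK
}

# Rate limit with the "recent" module: a source that opens 4 or more new SSH
# connections within 60 s is dropped. Rules are inserted (-I) in reverse so the
# final order is: record the source (--set), then check the count (--update).
build_ssh_ratelimit() {
    ipt -I INPUT -i "$WAN_IF" -p tcp --dport "$SSH_PORT" -m state --state NEW \
        -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
    ipt -I INPUT -i "$WAN_IF" -p tcp --dport "$SSH_PORT" -m state --state NEW \
        -m recent --set --name SSH
}

build_ssh_ratelimit
build_geo_block
```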
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 2025
Location: Texas, USA

PostPosted: Wed Sep 04, 2019 15:02    Post subject:
Ok, uhm, for some reason, disabling password login doesn't sound right. Either this is a DD-WRT-specific anomaly, but setting authorized keys with no password just doesn't sound right to me.
SurprisedItWorks
DD-WRT User


Joined: 04 Aug 2018
Posts: 422
Location: Appalachian mountains, USA

PostPosted: Wed Sep 04, 2019 15:53    Post subject:
kernel-panic69 wrote:
Ok, uhm, for some reason, disabling password login doesn't sound right. Either this is a DD-WRT-specific anomaly, but setting authorized keys with no password just doesn't sound right to me.
I have always disabled ssh password login (GUI>Services>Services) and also disabled ssh access from the web (GUI>Administration>Management). I use ssh key login exclusively and have never had problems with it. There is generally a passphrase used also in that process, but it's just an extra check that is very distinct from password login. It's their not having the proper private key that keeps the intruders out.
_________________
Six of the Linksys WRT1900ACSv2 on r38159 (solid), r39144 (very solid), r40009 (solid), and r40784 (trying out). On various:
VLANs, client-mode travel router, two DNSCrypt servers (incl Quad9), multiple VAPs, USB/NAS, QoS, OpenVPN client/PBR (random NordVPN server).
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 2025
Location: Texas, USA

PostPosted: Wed Sep 04, 2019 16:57    Post subject:
You could possibly do the same with passwords and only allowing certain ciphers, but I guess I forgot about this feature in OpenSSH. But you would have to trust that your client keys are not compromised and cracked. Since I don't allow remote logins on WAN, and since wireless access to the webUI, telnet and ssh are all blocked, I really don't worry about it, because only the wired clients would be suspect. FWIW, distributed.net is still trying to crack 72-bit keys, and they haven't even started fooling around with elliptic curve cryptography. Yet.