Posted: Thu Jan 12, 2023 18:29 Post subject: Blocking incoming, unwanted IP connections
I've never wanted to block incoming connections from an IP or range, but I am seeing unwanted incoming connections and want to add firewall rules to block them. I did a lot of reading and iptables is still confusing to me. Simple question: does adding this line to the Firewall Rules block connections from 179.60.147.x? (The "FORWARD" confuses me.)
Incoming connections are already blocked by default so no need to block it again.
It helps if you describe your problem.
I see log entries like this. I see this as someone trying to connect to my router and I want to block it. Is that not a good idea?
Code:
Jan 12 13:41:31 LandiRouter authpriv.info dropbear[4077]: Child connection from 179.60.147.157:40226
Jan 12 13:41:33 LandiRouter authpriv.info dropbear[4077]: Exit before auth from <179.60.147.157:40226>: Integrity error
Jan 12 13:41:33 LandiRouter authpriv.info dropbear[4079]: Child connection from 179.60.147.157:46102
Jan 12 13:41:36 LandiRouter authpriv.warn dropbear[4079]: Login attempt for nonexistent user
Jan 12 13:41:37 LandiRouter authpriv.info dropbear[4079]: Exit before auth from <179.60.147.157:46102>: Exited normally
Looks like you have SSH open on the WAN and someone tries to log in.
I do, and I have the port set to something other than 22. I also have password login disabled and I have an authorized key created. Should I try blocking these IPs?
_________________
Netgear R9000
DD-WRT v3.0-r55819 std (04/17/24)
Linux 4.9.337 #722 SMP Wed Apr 17 04:16:49 +07 2024 armv7l
Gateway, AP, DNSMasq, Clock 2000MHz
VAP on wlan1 for internet devices
IPv4 & IPv6 (Prefix Delegation)
Static Leases & DHCP
CloudFlare, no SFE, SmartDNS, no QoS
2.4GHz: Vanilla, Airtime Fairness, NG-Mixed, ACK Timing 3150, WPA2 w/AES & WPA3
5GHz: Vanilla, Airtime Fairness, AC/N Mixed, ACK Timing 3150, WPA2 w/AES & WPA3
2 Netgear AX1800 WiFi Mesh Extenders
Xfinity 1.2Gbps/35Mbps
Then you obviously didn't use a smart port. (there are ~50,000 ports and scanning them all takes a very long time)
You have the option "limit ssh access" under the firewall settings which can provide additional security.
The option should prevent DDoS / brute-force attacks; they can create a very high load on your router.
Otherwise there are some other ways to harden SSH, but not with the built-in dropbear server.
E.g. disable the banner, don't allow root login, use fail2ban, etc.
(The DD-WRT banner directly reveals which system is used with which software and which security vulnerabilities are involved;
the root user also makes it more insecure, because most SSH attacks target this user. If you use an unknown user, the authentication attempts fail just because of the user = double security and not only the key.)
fail2ban can be scripted so that it automatically bans according to desired criteria.
Blocking single IP addresses manually makes no sense at all; if you look at how big the IPv4 address space is, you will never be able to handle it.
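As an added illustration of the fail2ban-style "ban according to desired criteria" idea applied to the dropbear log lines quoted earlier (this is example code, not from the thread or from DD-WRT): it parses the syslog format shown above, counts sessions that ended before authentication per source address inside a time window, and prints a DROP rule for the router's own INPUT chain (traffic to the router itself goes through INPUT; FORWARD only sees traffic the router passes between networks). The sample log is constructed in the thread's format; the second address (198.51.100.7, a documentation range), its PID, the threshold, the window and the SSH port 2222 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the dropbear/syslog format quoted in the thread; the
# second address (198.51.100.7, a documentation range) and its PID are made up.
SAMPLE_LOG = """\
Jan 12 13:41:31 LandiRouter authpriv.info dropbear[4077]: Child connection from 179.60.147.157:40226
Jan 12 13:41:33 LandiRouter authpriv.info dropbear[4077]: Exit before auth from <179.60.147.157:40226>: Integrity error
Jan 12 13:41:33 LandiRouter authpriv.info dropbear[4079]: Child connection from 179.60.147.157:46102
Jan 12 13:41:36 LandiRouter authpriv.warn dropbear[4079]: Login attempt for nonexistent user
Jan 12 13:41:37 LandiRouter authpriv.info dropbear[4079]: Exit before auth from <179.60.147.157:46102>: Exited normally
Jan 12 13:50:02 LandiRouter authpriv.info dropbear[4110]: Child connection from 198.51.100.7:51000
Jan 12 13:50:09 LandiRouter authpriv.info dropbear[4110]: Exit before auth from <198.51.100.7:51000>: Exited normally
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+ dropbear\[(\d+)\]: (.*)$")
CHILD_RE = re.compile(r"Child connection from (\S+):\d+$")
EXIT_RE = re.compile(r"Exit before auth from <(\S+):\d+>")

def pre_auth_failures(log_text):
    """Return {ip: [timestamps]} of pre-authentication failure events.

    'Login attempt for nonexistent user' carries no address, so the source is
    recovered from the 'Child connection' line logged by the same dropbear PID.
    One session can therefore contribute more than one event.
    """
    pid_to_ip = {}
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # year-less syslog stamp
        pid, msg = m.group(2), m.group(3)
        if (c := CHILD_RE.search(msg)):
            pid_to_ip[pid] = c.group(1)
        elif (e := EXIT_RE.search(msg)):
            failures[e.group(1)].append(ts)
        elif "Login attempt for nonexistent user" in msg and pid in pid_to_ip:
            failures[pid_to_ip[pid]].append(ts)
    return failures

def find_offenders(log_text, threshold=3, window_seconds=600):
    """Addresses with at least `threshold` failure events inside any sliding window."""
    offenders = {}
    for ip, stamps in pre_auth_failures(log_text).items():
        stamps.sort()
        for i, start in enumerate(stamps):
            hits = sum(1 for t in stamps[i:] if (t - start).total_seconds() <= window_seconds)
            if hits >= threshold:
                offenders[ip] = max(offenders.get(ip, 0), hits)
    return offenders

def drop_rules(offenders, ssh_port):
    """Rules for the router's own INPUT chain (not FORWARD, which is routed traffic)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {ssh_port} -j DROP" for ip in sorted(offenders)]

if __name__ == "__main__":
    for rule in drop_rules(find_offenders(SAMPLE_LOG), ssh_port=2222):
        print(rule)
```

Run on the sample it prints one rule, for 179.60.147.157 only; the single failure from the other address stays under the threshold.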
Can you point me to how to do these two? I do not see the options, but I may have missed them.
The first is near-painless. For the second, if I drop "root", what do I use for SSH login? I'm thinking that since I use a key, not a password, I am not risking much.