Joined: 08 May 2018 Posts: 14126 Location: Texas, USA
Posted: Thu Feb 02, 2023 20:59 Post subject:
If your WAN IP is public, you'll want to sanitize that information. This info is written to /var/log/messages as well. You should be able to 'cat /var/log/messages | grep DROP'
and sanitize any sensitive information and post. _________________ "Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT Pogo - A minimal level of ability is expected and needed... DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)
----------------------
Linux User #377467 counter.li.org / linuxcounter.net
Joined: 16 Nov 2015 Posts: 6410 Location: UK, London, just across the river..
Posted: Thu Feb 02, 2023 23:21 Post subject:
Question: do you have by any chance remote administration enabled...and which exactly...?
If SSH is exposed to WAN and you have lots of drops related to dropbear...then it's under pressure...
The correct way to use SSH via WAN is to secure it with a key file only and disable password authorisation...change its port to something different from 22, like above 40000 or even around 50000.
In general, as the SPI firewall is working, if you activate the firewall log, you will see lots of DROP...
and those are normal as those are not related/established to your network...so all inbound is DROP by default, unless it's related/established/initiated from inside...
You could be in a very noisy WAN, so lots of DROPs...if something is very bad, it will be in the standard syslog even if firewall log is not set in the Security/Firewall page...so you don't need it, unless for very specific use...
You don't need firewall log set to high, as it will spam your syslog badly....
Last...in the Security page enable those boxes related to limiting SSH, telnet, etc.
so those tries will be limited to a few and then blocked for a period of time...in general I disable telnet as it's not secure at all...and for local (LAN) use it comes enabled by default...and shares the router password..one more good reason to have a strong pass..
If your remote administration is not enabled and you have those drops about dropbear, then someone on your local LAN is trying your SSH...or a compromised IoT/smart device or malware... _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
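One way to do the grep-and-sanitise step suggested above, and to tally the DROP lines by destination port and source so you can tell background WAN noise from something hammering dropbear. This is an added example, not code from any of the posters: the log lines are constructed in the standard netfilter LOG field layout (SRC=, DST=, PROTO=, DPT=), and 203.0.113.7 stands in for the router's WAN address.

```shell
#!/bin/sh
# Added example, not from the forum posts: tally and redact DD-WRT firewall DROP
# lines as written to /var/log/messages. The sample below is CONSTRUCTED in the
# netfilter LOG field layout (IN= SRC= DST= PROTO= DPT= ...); values are made up.
SAMPLE_LOG='Feb  2 20:58:01 DD-WRT kernel: DROP IN=vlan2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=203.0.113.7 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=54321 PROTO=TCP SPT=51000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Feb  2 20:58:03 DD-WRT kernel: DROP IN=vlan2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=203.0.113.7 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=54322 PROTO=TCP SPT=51001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Feb  2 20:58:04 DD-WRT kernel: DROP IN=vlan2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=203.0.113.7 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=54323 PROTO=TCP SPT=51002 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Feb  2 20:58:09 DD-WRT kernel: DROP IN=vlan2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.77 DST=203.0.113.7 LEN=44 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Feb  2 20:58:15 DD-WRT dnsmasq[1234]: started, version 2.89 cachesize 1500
Feb  2 20:58:20 DD-WRT kernel: DROP IN=vlan2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.77 DST=203.0.113.7 LEN=28 TOS=0x00 PREC=0x00 TTL=51 ID=0 PROTO=UDP SPT=5353 DPT=5060 LEN=8'

# count_drops_by FIELD: read log lines on stdin, keep only DROP entries, and
# print "count value" for the given LOG field (DPT, SRC, PROTO, ...), busiest first.
count_drops_by() {
    grep 'DROP' | awk -v f="$1=" '{
        for (i = 1; i <= NF; i++)
            if (index($i, f) == 1) n[substr($i, length(f) + 1)]++
    } END { for (k in n) print n[k], k }' | sort -rn
}

# redact_wan_ip WAN_IP: keep only DROP lines and replace the router's own WAN
# address (DST=) and the WAN MAC with placeholders before posting the log.
redact_wan_ip() {
    wan_re=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for sed
    grep 'DROP' | sed -e "s/DST=$wan_re /DST=<WAN_IP> /" \
                      -e 's/MAC=[0-9a-f:]*/MAC=<WAN_MAC>/'
}

# On the router this would be: cat /var/log/messages | count_drops_by DPT
echo "Drops by destination port:"; printf '%s\n' "$SAMPLE_LOG" | count_drops_by DPT
echo "Drops by source:";           printf '%s\n' "$SAMPLE_LOG" | count_drops_by SRC
echo "Sanitised for posting:";     printf '%s\n' "$SAMPLE_LOG" | redact_wan_ip 203.0.113.7
```

A single source repeatedly hitting DPT=22 is the "dropbear under pressure" case from the reply above; a spread of one-off hits across many ports is the normal noisy-WAN background.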
If you select anything to limit connections, it exposes those ports on the WAN, you don't have to enable remote anything. Also, there is a long-standing complaint about firewall log settings being reversed (high is low, low is high). _________________ "The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost
"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio
Tried log level on low & high, there is nothing there about dropped connections.
However, not concerned with figuring out why messages aren't logged in /var/log/messages as I've already parsed info produced by Log_incoming.asp with an auxiliary script.
If you have information as to what causes an entry to be shown there and what causes it to go away, that would be helpful. The list of IPs seems to change rapidly; curious what controls/causes it.
Joined: 16 Nov 2015 Posts: 6410 Location: UK, London, just across the river..
Posted: Fri Feb 03, 2023 0:48 Post subject:
dale_gribble39 wrote:
If you select anything to limit connections, it exposes those ports on the WAN....
Please elaborate on this bit...even if those are not active/enabled...
So, if I disable limit SSH over WAN, my remote SSH will stay not exposed?? This sounds kinky
although it does say:
Impede WAN DoS / Bruteforce - I don't think enabling those, if there is no remote administration enabled, should expose those ports to WAN; at least it doesn't sound correct...
I also checked cat /tmp/.ipt and can't even see those rules being created if I check those boxes...I don't have any remote admin enabled...so I believe those are not exposed until you enable any related remote admin in general...
If you select anything to limit connections, it exposes those ports on the WAN....
Please elaborate on this bit...even if those are not active/enabled...
So, if I disable limit SSH over WAN, my remote SSH will stay not exposed?? This sounds kinky
although it does say:
Impede WAN DoS / Bruteforce - I don't think enabling those, if there is no remote administration enabled, should expose those ports to WAN; at least it doesn't sound correct...
I also checked cat /tmp/.ipt and can't even see those rules being created if I check those boxes...I don't have any remote admin enabled...so I believe those are not exposed until you enable any related remote admin in general...
How do you think it impedes it? It has to conntrack and listen to connection attempts on the ports via the firewall, which exposes the ports. You should probably search the tickets and forum <eyeroll>
Joined: 16 Nov 2015 Posts: 6410 Location: UK, London, just across the river..
Posted: Fri Feb 03, 2023 8:18 Post subject:
I already checked your idea...
So, if I have all limit boxes checked/enabled...and don't have any remote administration services enabled...via the remote administration section in the GUI...those rules that you claim were created are not present in the cat /tmp/.ipt output, so myth busted.. no rules, no exposure to the WAN, with or without limits...
If you have any of the remote administration services enabled and then the corresponding service limit enabled, then the rules appear in the cat /tmp/.ipt output ... and this is the expected behaviour...
dale_gribble39 wrote:
If you select anything to limit connections, it exposes those ports on the WAN, you don't have to enable remote anything.
I'm sorry for the inconvenience if I misunderstood your post from above, but it seemed like you told us that if you enable any of the limits then your WAN gets exposed even without enabling any of the remote administration services... yep, eye-roll