
Thread: [HowTo] avoid brute force in AP mode

  1. #1 (Join Date: Jul 2007, Location: Austria, Posts: 1,336)

    [HowTo] avoid brute force in AP mode

    Well, as promised, please find below a setup for iptables in AP mode.
    Tested on ilys'/Oleg's firmware, kernel 2.4.37.
    If necessary, adjust the variables of the scripts.

    This howto consists of 2 scripts:
    avbf (avoid brute force)
    checklog (check logfile for failed logins)

    What the scripts are doing:
    avbf
    Avbf is just a script which should be called at startup. The script installs the module ipt_recent if it is not loaded, allows any access from localhost and your network, and blocks any IP/netmask listed in the file /opt/etc/hosts.deny. Further, the script adds an empty chain called BLOCKIT, which does nothing at startup. The chain BLOCKIT is just a placeholder for the script checklog. In any case, the script avbf does not need the script checklog. If you do not want to block any IP at startup, just delete your /opt/etc/hosts.deny file. You can add IPs
    and netmasks to /opt/etc/hosts.deny at any time.
    Avbf blocks with ipt_recent when an IP wants to get access 3 times via port 21 & 22 within 180 seconds.

    checklog
    Is called (in my setup) by cron every 10 minutes and puts an IP into the iptables BLOCKIT chain when the search string "non existing" is found 3 times in your logfile. From this time on, such an IP does not have any access until reboot or until avbf is called again. The script writes a message to syslog when an IP is blocked. If nothing has changed, the script ends itself without writing anything.
    You can adjust the search string and the cuts to your needs.

    INSTALLATION:
    copy unzipped scripts to /opt/sbin and
    chmod 755 /opt/sbin/avbf
    chmod 755 /opt/sbin/checklog
    copy hosts.deny to /opt/etc/hosts.deny

    Add to your /opt/etc/crontab the following line:
    */10 * * * * admin nice -20 /opt/sbin/checklog

    Add to your post-mount as last line:
    /opt/sbin/avbf &
    and perform the usual
    flashfs save
    flashfs commit
    flashfs enable
    reboot

    After start, you can have a closer look to your iptables config with:
    iptables -n -L

    Thats it!

    In order to empty the BLOCKIT rules from time to time, just add a line to your crontab calling the script avbf every day or week, as you like.
    15 1 * * * admin /opt/sbin/avbf #call avbf at 1:15 a.m.
    If you are not firm with crontab, just google for it.

    This setup also allows you to log any access, even when a LAN PC is started (trying to get an IP from DHCP).
    If you want to log everything (for tests), just uncomment the appropriate entry. It is interesting how many bad guys are out there.......

    Thanks again to al37919, he pointed me in the right direction.
    Nevertheless, such a setup should also work when the Asus is used as a gateway.
    Just add your rules and chains to avbf.

    Of course, you can shorten the scripts as much as you want, and I know it. But I kept them a bit longer so that they are more understandable.

    Calling the script checklog with nice -20 makes sense when a DoS attack arises.
    Any improvements are greatly appreciated.

    And a last info: never use a MAC rule for an ACCEPT when the MAC is outside of your network! I've done it and I paid the bill.........



    @al37919
    it seems that SYN is enough; I never got a log with state NEW. Independent of that, I kept it in the script, just for safety.

    have fun
    newbiefan

    Edit: there is no longer any need for the script checklog, just use the files from here.
    Further, there is a version for kernel 2.6.x.x available, unfortunately until now only in German. If somebody is interested in translating or proofreading (native speakers only), please let me know.
    Attached Files
    Last edited by newbiefan; 06-10-2011 at 11:22.
    Alle HowTo's, all howto's

    RT-N16 1.9.2.7-rtn-r3121, Samba, VSFTP, Lightthpd, PHP, Perl, MySQL, Serendipity, Aria2web, HDD 640GB
    RT-N66U, 16GB MicroSD/ 2 Partitions, 2,5" HDD 1TB, running with Merlin's FW and Entware, 16 Mbit A1,
    Netgear DGND 3700V2, QNAP TS119PII 4 TB, QNAP TS209 2 TB Raid1, Backup Synology DS107+ 1 TB, HP CP1515n
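The checklog logic described in the post above (count the failed-login marker per source address, put repeat offenders into the BLOCKIT chain, write to syslog), as an added example that is not newbiefan's attached script. The log lines are constructed for the test, and the search string, the limit, the LAN prefix and the paths are assumptions to adjust to your own logs:

```shell
#!/bin/sh
# Added example of the checklog idea from the howto above. It is not
# newbiefan's attached script: the log lines are constructed for the test,
# and the search string, limit, LAN prefix and paths are assumptions you
# adjust to your own logs. DRYRUN=1 (default) only prints the iptables
# commands; DRYRUN=0 applies them and writes to syslog via logger.

DRYRUN="${DRYRUN:-1}"
SEARCH="${SEARCH:-non existing}"   # marker of a failed login in the log
LIMIT="${LIMIT:-3}"                # hits per address before it goes into BLOCKIT
LAN="${LAN:-192.168.178.}"         # address prefix that is never blocked

if [ "$DRYRUN" = 1 ]; then ipt="echo iptables"; else ipt=iptables; fi

# Constructed sample log (not a real capture): one outside host fails three
# times, another fails once, and a LAN host fails three times.
sample_log() {
cat <<'EOF'
Jun 15 19:40:01 router vsftpd: FAIL LOGIN: Client "203.0.113.7", user root non existing
Jun 15 19:40:03 router vsftpd: FAIL LOGIN: Client "203.0.113.7", user admin non existing
Jun 15 19:40:05 router vsftpd: FAIL LOGIN: Client "203.0.113.7", user test non existing
Jun 15 19:41:10 router vsftpd: FAIL LOGIN: Client "198.51.100.9", user guest non existing
Jun 15 19:42:00 router vsftpd: OK LOGIN: Client "192.168.178.20", user admin
Jun 15 19:43:00 router vsftpd: FAIL LOGIN: Client "192.168.178.20", user admn non existing
Jun 15 19:43:01 router vsftpd: FAIL LOGIN: Client "192.168.178.20", user admn non existing
Jun 15 19:43:02 router vsftpd: FAIL LOGIN: Client "192.168.178.20", user admn non existing
EOF
}

offenders() {
    # Count, per source address, the lines that contain $SEARCH and print the
    # addresses that reached $LIMIT. The sed keeps the last IPv4 address of a
    # line (the one in the Client field), so the timestamp is never mistaken.
    grep -F "$SEARCH" "$1" |
    sed -n 's/.*[^0-9.]\([0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}\).*/\1/p' |
    sort | uniq -c |
    awk -v lim="$LIMIT" '$1 >= lim { print $2 }'
}

block_offenders() {
    for ip in $(offenders "$1"); do
        case "$ip" in "$LAN"*) continue ;; esac   # never lock out the LAN
        # Skip addresses already in BLOCKIT, so the 10-minute cron run
        # adds no duplicate rules.
        if [ "$DRYRUN" != 1 ] && iptables -n -L BLOCKIT | grep -q "^DROP.* $ip "; then
            continue
        fi
        $ipt -I BLOCKIT -s "$ip" -j DROP
        [ "$DRYRUN" = 1 ] || logger -t checklog "blocked $ip after $LIMIT failed logins"
    done
}

# Usage: checklog /var/log/messages (add DRYRUN=0 to apply the rules)
if [ -n "$1" ]; then
    block_offenders "$1"
fi
```

Run it once as `checklog /var/log/messages` to see which rules it would add, then `DRYRUN=0 checklog /var/log/messages` from cron. The LAN prefix check is there because a mistyped password from your own PC would otherwise lock you out until the next avbf run.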

  2. #2 (Join Date: Mar 2008, Location: Next to Serpent .., Posts: 62)
    I see you are a fan of newbies ^^ so I ask kindly for an explanation of the "asusip=192.168.178.2" line.
    I suppose I use the internal IP of my router there? .1.1?
    Is this script useful on any interface as is?
    Because, like all of you out there, my log is full of SSH attempts ...
    I use the Asus in gateway mode, so the WAN is exposed to the outside.
    Last edited by poiu; 15-06-2009 at 19:40.

  3. #3
    You hardly get any SSH attacks (if any at all) if you port forward from another port number than 22.

    E.g. forward external port 54321 to internal port 22.

  4. #4 (Join Date: Jul 2007, Location: Austria, Posts: 1,336)
    Quote Originally Posted by poiu:
    I see you are a fan of newbies ^^ so I ask kindly for an explanation of the "asusip=192.168.178.2" line.
    I suppose I use the internal IP of my router there? .1.1?
    Right, it's just your router IP (LAN).

    Quote Originally Posted by poiu:
    Is this script useful on any interface as is?
    As you can see, all rules are only valid for the INPUT chain.
    As usual, you can use any other chain and rule as needed.
    Best is to configure your firewall through the web interface.

    Quote Originally Posted by poiu:
    Because, like all of you out there, my log is full of SSH attempts ...
    I use the Asus in gateway mode, so the WAN is exposed to the outside.
    Well, as avberk mentioned, you can avoid most SSH attacks by using another port than 22.
    Further, I block any "bad" IP with my /opt/etc/hosts.deny file at startup.
    For instance, the complete 200.0.0.0/8 is blocked.

    Have fun
    Last edited by newbiefan; 19-06-2009 at 22:13.

  5. #5 (Join Date: Mar 2008, Location: Next to Serpent .., Posts: 62)
    Got it, thank you guys.

  6. #6
    I've got a kind of a stupid question:
    - is the block enabled as soon as the script adds it to hosts.deny?
    And regarding this:
    From this time on, such an IP does not have any access until reboot or until avbf is called again.
    Does this mean that once a reboot takes place, the rules get deleted and they need to be re-entered? Or are avbf and checklog started at bootup and always running?

    thanks for the great script btw,
    mosoo

  7. #7 (Join Date: Jul 2007, Location: Austria, Posts: 1,336)
    Quote Originally Posted by mosoo:
    I've got a kind of a stupid question:
    - is the block enabled as soon as the script adds it to hosts.deny?
    And regarding this:

    Does this mean that once a reboot takes place, the rules get deleted and they need to be re-entered? Or are avbf and checklog started at bootup and always running?

    thanks for the great script btw,
    mosoo
    Well, the scripts add an IP to the BLOCKIT chain at runtime. When a reboot happens (or avbf is restarted), the BLOCKIT chain is empty. At least it means you get more and more blocked IPs; that's the reason why I suggest calling avbf once a day or week.

    Anyhow, you do not need the script checklog; avbf just configures your iptables rules at startup.
    Below you find the version which I use now. It is without checklog, because an IP is blocked when anybody tries to establish a new connection 3 times to port 21 & 22 within 180 seconds. Then such an IP is blocked for 180 seconds.
    My newest hosts.deny file is up-to-date and blocks everything from APNIC (Asia-Pacific region) and just a few others, due to the fact that 98% of the hackers are coming from Asia. I always have a closer look at my logfiles; when an IP is trying to hack me several times (from the same subnet), I put the complete subnet into my hosts.deny file.

    Please consider that this setup is useful in AP mode. When using your Asus as a gateway, you have to change (delete) some lines.
    Code:
    #delete the following lines
    #empty all chains
    $ipt -F
    #and delete own chains
    $ipt -X
    sleep 2
    If you do not want to log everything, just add the comment sign to the line.
    Maybe you are using another FW version, so you have to adjust the path to your ipt_recent module.

    And now the answer to your last question:
    checklog does not put an IP into your hosts.deny list, just into the chain BLOCKIT.
    You have to do this manually (hosts.deny), but just once.
    When using the new avbf, there is no need to reboot or restart avbf.

    Hope it helps.
    Have fun
    newbiefan
    Attached Files
    Last edited by newbiefan; 31-12-2009 at 22:15.
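The rule set newbiefan describes in this thread (accept localhost and the LAN, the BLOCKIT placeholder chain, the static hosts.deny blacklist, and the ipt_recent limit of 3 new connections to ports 21 and 22 within 180 seconds, plus the flush that a gateway must skip), as an added example that is not the attached avbf script. The variable names, the hosts.deny format (one IP or network per line, `#` starts a comment), the module path and the `-m recent` option syntax (as in iptables 1.3/1.4 with the ipt_recent module) are assumptions; it goes a little beyond the post by keeping its rules in an own chain so that the daily cron call can re-run it without duplicating rules:

```shell
#!/bin/sh
# Added example of the rule set newbiefan describes in this thread. It is not
# the attached avbf script: the variable names, the hosts.deny format (one IP or
# network per line, '#' starts a comment) and the module path are assumptions.
# DRYRUN=1 (default) only prints the iptables commands; DRYRUN=0 applies them.

DRYRUN="${DRYRUN:-1}"
ASUSIP="${ASUSIP:-192.168.178.2}"          # router LAN address
LAN="${LAN:-192.168.178.0/24}"             # your own network, always accepted
HOSTS_DENY="${HOSTS_DENY:-/opt/etc/hosts.deny}"
RECENT_MOD="${RECENT_MOD:-/lib/modules/2.4.37/kernel/net/ipv4/netfilter/ipt_recent.o}"  # assumed path
AP_MODE="${AP_MODE:-1}"                    # 0 on a gateway: keep the firmware's own rules
LOG_ALL="${LOG_ALL:-0}"                    # 1 = log every remaining connection attempt (tests only)
HITS=3                                     # new connections to 21/22 ...
WINDOW=180                                 # ... within this many seconds -> drop

if [ "$DRYRUN" = 1 ]; then ipt="echo iptables"; else ipt=iptables; fi

load_recent() {
    # "-m recent" needs ipt_recent; try modprobe first, then the explicit path.
    lsmod 2>/dev/null | grep -q '^ipt_recent' && return 0
    modprobe ipt_recent 2>/dev/null || insmod "$RECENT_MOD"
}

deny_list() {
    # Usable entries of hosts.deny: comments, whitespace and empty lines removed.
    [ -r "$HOSTS_DENY" ] || return 0
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$HOSTS_DENY"
}

avbf_rules() {
    if [ "$AP_MODE" = 1 ]; then
        # AP mode: nothing in the firmware rules is worth keeping. On a gateway
        # this flush would also remove NAT and forwarding, hence the switch.
        $ipt -F
        $ipt -X
    fi
    # Everything lives in two own chains, so a daily cron call rebuilds AVBF
    # and empties BLOCKIT instead of appending duplicates to INPUT.
    for chain in AVBF BLOCKIT; do
        $ipt -N "$chain" 2>/dev/null
        $ipt -F "$chain"
    done
    $ipt -D INPUT -j AVBF 2>/dev/null
    $ipt -I INPUT 1 -j AVBF

    $ipt -A AVBF -i lo -j ACCEPT
    $ipt -A AVBF -s "$LAN" -j ACCEPT
    # BLOCKIT comes after the LAN rule (a LAN host can never be locked out) and
    # before the ESTABLISHED rule (a blocked host loses its open sessions too).
    $ipt -A AVBF -j BLOCKIT
    for net in $(deny_list); do
        $ipt -A AVBF -s "$net" -j DROP
    done
    $ipt -A AVBF -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Brute-force limit for ftp/ssh: every SYN to 21/22 is recorded under the
    # name BRUTE; once an address has $HITS of them within $WINDOW seconds the
    # SYN is logged and dropped, and it stays dropped until $WINDOW seconds
    # pass without another attempt (every attempt refreshes the entry).
    $ipt -A AVBF -p tcp --syn -m multiport --dports 21,22 -d "$ASUSIP" \
        -m recent --name BRUTE --set
    $ipt -A AVBF -p tcp --syn -m multiport --dports 21,22 -d "$ASUSIP" \
        -m recent --name BRUTE --update --seconds "$WINDOW" --hitcount "$HITS" \
        -j LOG --log-prefix "avbf drop: "
    $ipt -A AVBF -p tcp --syn -m multiport --dports 21,22 -d "$ASUSIP" \
        -m recent --name BRUTE --update --seconds "$WINDOW" --hitcount "$HITS" -j DROP

    # Optional: log whatever is left, e.g. a LAN PC asking for a DHCP address.
    if [ "$LOG_ALL" = 1 ]; then
        $ipt -A AVBF -j LOG --log-prefix "avbf new: "
    fi
}

# Usage: avbf run (prints the rules); DRYRUN=0 avbf run (applies them)
if [ "$1" = run ]; then
    [ "$DRYRUN" = 1 ] || load_recent
    avbf_rules
fi
```

Two points worth checking on your own box before switching DRYRUN off: `iptables -n -L AVBF` after the run should show the LAN ACCEPT rule above every DROP, and on a gateway (`AP_MODE=0`) the firmware's own INPUT and FORWARD rules must still be present, since the example then only inserts one jump into INPUT and never flushes the whole table.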

  8. #8
    Hi newbiefan,
    the script looks nice, maybe I'll try it in the next days.

    One little thing that could be an enhancement: instead of manually editing the hosts.deny, you could also take (or let the script download at startup) a list from e.g. http://www.sshbl.org/

    This list here should be suitable: http://www.sshbl.org/lists/base.txt

    Then you are always up-to-date.

  9. #9 (Join Date: Jul 2007, Location: Austria, Posts: 1,336)
    Hi darkside40!

    Many thanks for your input, but when I have a closer look at the base.txt file, I see 56!! pages of IPs and no subnets at all.

    This isn't very efficient, and at the least it slows down your throughput.

    Due to the missing (blocked) subnets, I decline to use it: every hacker usually has a botnet available, and they change their IP very often.

    For instance: several months ago I noticed a brute-force attack; they used a very good dictionary and changed the IP always after 20 tries.

    This is one of the main reasons why I blocked the complete Asia-Pacific region. If you use my hosts.deny from here

    http://www.wl500g.info/attachment.ph...8&d=1260906885

    you will soon see that every IP of your list is blocked. I'm personally not interested in having visitors from China on my personal website and FTP.

    Of course, I'm always against any restrictions, especially of our beloved internet, but I've written several mails to admins asking them to block the bad guys.
    I got no response at all, just an unbelievable increase of attacks; that's why I blocked the complete Asia and Pacific region.

    It was not so funny to read extremely long logfiles, but now my system is absolutely clean!

    Have fun

    Newbiefan
