newbiefan
21-05-2009, 17:08
Well, as promised please find below a setup for iptables in AP mode.
Tested on ilys/olegs fw, kernel 2.4.37
If necessary adjust vars of scripts.
This howto consists of 2 scripts:
avbf (avoid brute force)
checklog (check logfile for failed logins)
What the scripts are doing:
avbf
Avbf is just a script which should called at startup. The script installes the module ipt_recent if not loaded, allows any acces from localhost and your network, blocks any ip/netmask listed in file /opt/etc/hosts.deny. Further the script adds an emty chain called BLOCKIT which does at startup nothing. The chain BLOCKIT is just a placeholder for the script checklog. In any case the script avbf does not need script checklog. If you do not want to block any ip at startup, just delete your /opt/etc/hosts.deny file. You can add anytime ip's
and netmasks to /opt/etc/hosts.deny.
Avbf blocks with ipt_recent when an ip want to get 3 times access via port 21 & 22 within 180 seconds.
checklog
Is called (in my setup) by cron every 10 minutes and put an ip to iptables BLOCKIT rule when the searchstring "non existing" is found 3 times in your logfile. From this time on, such an ip does not have any access until reboot or calling again avbf. The script write an message to syslog when an ip is blocked. If nothing is changed, the script ends himself without writing anything.
You can adjust the search string and cuts to your needs.
INSTALLATION:
copy unzipped scripts to /opt/sbin and
chmod 755 /opt/sbin/avbf
chmod 755 /opt/sbin/checklog
copy hosts.deny to /opt/etc/hosts.deny
Add to your /opt etc/crontab the following lines:
*/10 * * * * admin nice -20 /opt/sbin/checklog
Add to your post-mount as last line:
/opt/sbin/avbf & and perform the usual
flashfs save
flashfs commit
flashfs enable
reboot
After start, you can have a closer look to your iptables config with:
iptables -n -L
Thats it!
In order to emty the BLOCKIT rules from time to time, just add a line to your crontab, calling script avbf every day or week, as you like.
15 1 * * * admin /opt/sbin/avbf #call avbf at 1:15 a.m.
If you are not firm with crontab, just google for it.
This setup allows you although to log any access, even when a lan pc is started (trying to get an ip from dhcp).
If you want to log everything (for tests), just uncomment the appropiate entry. It is interesting, how many bad guys are out there.......
Thanks again to al37919, he pointed me in the right direction.
Nevertheless, such an setup should work also, when asus is used as gateway.
Just add your rules and chains to avbf.
Of course, you can shorten the script as much as you want and I know it. But I kept them a bit longer, hence they are more understandable.
Calling script checklog with nice -20 makes sense when a dos attack arise.
Any improvments are greatly appreciated.
And a last info: never use a mac-rule for an ACCEPT when mac is outside of your network! I've done it and I payed the bill.........
@al37919
it seems that SYN is enough, I never got a log with state NEW, independent of that, I kept it in the script - just for safety.
have fun
newbiefan
Edit: no need any longer for script checklog, just use the files from here (http://www.wl500g.info/attachment.php?attachmentid=7958&d=1303480871).
Further, there is a version for Kernel 2.6.x.x (http://wl500g.info/showthread.php?t=27852) available, unfortunately until now in German language. When somebody ist interested to translate or to proof read (native speaker only) please let me know.
Tested on ilys/olegs fw, kernel 2.4.37
If necessary adjust vars of scripts.
This howto consists of 2 scripts:
avbf (avoid brute force)
checklog (check logfile for failed logins)
What the scripts are doing:
avbf
Avbf is just a script which should called at startup. The script installes the module ipt_recent if not loaded, allows any acces from localhost and your network, blocks any ip/netmask listed in file /opt/etc/hosts.deny. Further the script adds an emty chain called BLOCKIT which does at startup nothing. The chain BLOCKIT is just a placeholder for the script checklog. In any case the script avbf does not need script checklog. If you do not want to block any ip at startup, just delete your /opt/etc/hosts.deny file. You can add anytime ip's
and netmasks to /opt/etc/hosts.deny.
Avbf blocks with ipt_recent when an ip want to get 3 times access via port 21 & 22 within 180 seconds.
checklog
Is called (in my setup) by cron every 10 minutes and put an ip to iptables BLOCKIT rule when the searchstring "non existing" is found 3 times in your logfile. From this time on, such an ip does not have any access until reboot or calling again avbf. The script write an message to syslog when an ip is blocked. If nothing is changed, the script ends himself without writing anything.
You can adjust the search string and cuts to your needs.
INSTALLATION:
copy unzipped scripts to /opt/sbin and
chmod 755 /opt/sbin/avbf
chmod 755 /opt/sbin/checklog
copy hosts.deny to /opt/etc/hosts.deny
Add to your /opt etc/crontab the following lines:
*/10 * * * * admin nice -20 /opt/sbin/checklog
Add to your post-mount as last line:
/opt/sbin/avbf & and perform the usual
flashfs save
flashfs commit
flashfs enable
reboot
After start, you can have a closer look to your iptables config with:
iptables -n -L
Thats it!
In order to emty the BLOCKIT rules from time to time, just add a line to your crontab, calling script avbf every day or week, as you like.
15 1 * * * admin /opt/sbin/avbf #call avbf at 1:15 a.m.
If you are not firm with crontab, just google for it.
This setup allows you although to log any access, even when a lan pc is started (trying to get an ip from dhcp).
If you want to log everything (for tests), just uncomment the appropiate entry. It is interesting, how many bad guys are out there.......
Thanks again to al37919, he pointed me in the right direction.
Nevertheless, such an setup should work also, when asus is used as gateway.
Just add your rules and chains to avbf.
Of course, you can shorten the script as much as you want and I know it. But I kept them a bit longer, hence they are more understandable.
Calling script checklog with nice -20 makes sense when a dos attack arise.
Any improvments are greatly appreciated.
And a last info: never use a mac-rule for an ACCEPT when mac is outside of your network! I've done it and I payed the bill.........
@al37919
it seems that SYN is enough, I never got a log with state NEW, independent of that, I kept it in the script - just for safety.
have fun
newbiefan
Edit: no need any longer for script checklog, just use the files from here (http://www.wl500g.info/attachment.php?attachmentid=7958&d=1303480871).
Further, there is a version for Kernel 2.6.x.x (http://wl500g.info/showthread.php?t=27852) available, unfortunately until now in German language. When somebody ist interested to translate or to proof read (native speaker only) please let me know.