Does it work when you start it on the regular port (22)?
I am starting dropbear with port 40400 and opened firewall on same port.
WAN access through bridged modem (no port forward needed) gives putty Disconnect error: "no supported authentication methods available"
Any idea how to solve this? Seems like putty or dropbear does not support this?
Thanks for your help!
Does it work when you start it on the regular port (22)?
on port 22 it is working perfect.
WAN access with dropbear -s -p 40400 even shows login request and thereafter disconnects with the above stated error message.
any idea how to solve this?
as dropbear -s -p 40400 is not working, I am experiencing heavy attacks on port 22. Also I am using a fixed WAN-IP.
please help!
a simple defense against brute force attacks would be based on ipt_recent module of iptables. It is included by default in the latest release of testing post-10 firmware ( http://wl500g.info/showthread.php?t=18004 http://code.google.com/p/wl500g )
That's very strange!
I have created the scenario with public/private keys using parameters "-s -p 40400" as you do. By using putty, I can open a ssh session from both LAN and WAN without problems.
I have brute force attack prevention for SSH by using iptables. I can give you the configuration for it if you want.
On the other hand, I would run two SSH deamons on two different ports: one deamon on the ordinary port 22 with "disable password logins" (parameter -s) and the other one on any other port e.g. 40400 where I can login by using user/password in case I do not have the private-key with me. On both cases/ports, brute force attack prevention is desirable.
Hi Tamadite,
Could you please provide me your iptables config and if possible the brute force prevention iptables.
Thanks dyonisos
syslog.log fills up quickly; this is what I receive in thousands:
Mar 6 23:13:44 dropbear[11840]: login attempt for nonexistent user from ::ffff:66.246.72.93:51983
Since the policy of my INPUT chain is DROP, what I added to the firewall when recreating your case was:
I got your error message a couple of times while recreating your environment until I got it fixed. My experience is that the source of your problem might not be on the firewall but on the configuration of SSH and/or Putty and maybe the keys. What I can not get is why you do not get that error message on port 22 (dropbear -s) but on port 40400 (dropbear -s -p 40400). Does it work for you with "-s -p 40400" when opening a session from the LAN?Code:iptables -I INPUT -p tcp --dport 40400 -j ACCEPT
The brute force attack prevention code is:
I added the code above to a separate file that is called by post-firewall.Code:#!/bin/sh # This we know... WANIF=vlan1 LANIP=192.168.1.1 # insert necessary modules insmod ipt_recent insmod ipt_psd insmod ipt_TARPIT # deleting last firewal rules (policy) iptables -D INPUT -j DROP iptables -D INPUT -j logdrop # Drop previous offenders - you dont want them in your net at all! iptables -N BANDITDROP iptables -A INPUT -m recent --rcheck --name BANDIT -j BANDITDROP iptables -A FORWARD -m recent --rcheck --name BANDIT -j BANDITDROP iptables -A BANDITDROP -m recent --update --seconds 3600 --rttl --name BANDIT \ -j LOG --log-prefix "Bandit DROP " --log-tcp-sequence --log-tcp-options --log-ip-options iptables -A BANDITDROP -j REJECT --reject-with icmp-net-unreachable # SSH server with brute force prevention iptables -N SSHFORCEDROP iptables -N SSHACCEPT iptables -A INPUT -m tcp -p tcp --dport 22 -m state --state NEW -m limit --limit 3/min --limit-burst 2 -j SSHACCEPT # iptables -A INPUT -p tcp --dport 22 -j SSHACCEPT iptables -A INPUT -m tcp -p tcp --dport 22 -j SSHFORCEDROP iptables -A SSHFORCEDROP -m recent --set --name BANDIT iptables -A SSHFORCEDROP -m recent --update --seconds 3600 --rttl --name BANDIT \ -j LOG --log-prefix "SSH_Brute_Force DROP " --log-tcp-sequence --log-tcp-options --log-ip-options iptables -A SSHFORCEDROP -p tcp -j TARPIT iptables -A SSHFORCEDROP -j REJECT --reject-with icmp-proto-unreachable iptables -A SSHACCEPT -j LOG --log-prefix "SSH ACCEPT " --log-tcp-sequence \ --log-tcp-options --log-ip-options iptables -A SSHACCEPT -j ACCEPT iptables -t nat -A PREROUTING -i ${WANIF} -p tcp --dport 22 -j DNAT --to-destination ${LANIP}:22 # iptables -t nat -A PREROUTING -i ${WANIF} -p tcp --dport 22 -j DNAT --to-destination 192.168.1.1:22 # Restablishing INPUT chain policy iptables -A INPUT -p tcp -m tcp -j LOG --log-prefix "TARPIT " --log-tcp-sequence --log-tcp-options --log-ip-options iptables -A INPUT -p tcp -m tcp -j TARPIT iptables -A INPUT -j logdrop iptables -A INPUT -j DROP
NOTES:
delete entry from BANDIT file: echo "-[keyword]" > [path/BANDIT]
clear BANDIT file: echo "clear" > [path/BANDIT]
Last edited by Tamadite; 03-06-2009 at 18:39. Reason: added echo details
Thanks for your fast response!
actually I used dropbear in post-boot without any parameter (as default port is 22).
this is working perfect LAN and WAN.
I had to switch my DSL-modem into bridged mode and for this reason I wanted to use a different ssh port e.g. 40400 by using dropbear -s -p
and dropbear -s -p 40400 does neither work on LAN nor WAN displaying the authentication methods error after typing login name.
I thinks you are right, that dropbear or putty are doing something wrong here.
What is the meaning of the -s parameter of dropbear? Maybe I need to configure dropbear?
will show, among other informaiton:Code:dropbear --help
Since it seems you are not using private/public key on port 22, try:Code:-s Disable password logins
It should work from LAN. To get it to work from WAN you should open port 40400 on the firewall as mentioned on previous posts.Code:dropbear -p 40400
is my post-firewall file maybe lousy? I don't know about iptables.
#!/bin/sh
# set default policy
iptables -P INPUT DROP
#
# remove last default route
iptables -D INPUT -j DROP
#
# deny ftp access from WAN?
# iptables -D INPUT -p tcp -m tcp -d "$2" --dport 21 -j ACCEPT
#
# allow WAN ssh access
iptables -A INPUT -p tcp --syn --dport 22 -j ACCEPT
Thanks again!
the problem is the -s switch.
Is it difficult to arrange for public/private key (any port?) authentication?
How could I do that or is there a how to?
Is it correct I would not need typing password anymore in my ssh-tunnel setups?
I will try to make a HowTo on this matter.
The point with "-s" is that there will not be need to send the password to the server but the client sends signature generated with the private-key instead.
When the signature is generated on the client you have to introduce a passphrase instead which has local signficance only, in other words the passphrase is used by the local siganture generator to be able to use the private-key therefore the passphrase has no signifcance for the server hence it is never sent out.
A way to avoid the typing of passphrase is to use pageant. See http://the.earth.li/~sgtatham/putty/...9.html#pageant for more information.
Last edited by Tamadite; 07-03-2009 at 16:46. Reason: typo