Results 1 to 9 of 9

Thread: [HowTo] avoid brute force in AP mode

  1. #1
    Join Date
    Jul 2007
    Location
    Austria
    Posts
    1,336

    [HowTo] avoid brute force in AP mode

    Well, as promised please find below a setup for iptables in AP mode.
    Tested on ilys/olegs fw, kernel 2.4.37
    If necessary adjust vars of scripts.

    This howto consists of 2 scripts:
    avbf (avoid brute force)
    checklog (check logfile for failed logins)

    What the scripts are doing:
    avbf
    Avbf is just a script which should called at startup. The script installes the module ipt_recent if not loaded, allows any acces from localhost and your network, blocks any ip/netmask listed in file /opt/etc/hosts.deny. Further the script adds an emty chain called BLOCKIT which does at startup nothing. The chain BLOCKIT is just a placeholder for the script checklog. In any case the script avbf does not need script checklog. If you do not want to block any ip at startup, just delete your /opt/etc/hosts.deny file. You can add anytime ip's
    and netmasks to /opt/etc/hosts.deny.
    Avbf blocks with ipt_recent when an ip want to get 3 times access via port 21 & 22 within 180 seconds.

    checklog
    Is called (in my setup) by cron every 10 minutes and put an ip to iptables BLOCKIT rule when the searchstring "non existing" is found 3 times in your logfile. From this time on, such an ip does not have any access until reboot or calling again avbf. The script write an message to syslog when an ip is blocked. If nothing is changed, the script ends himself without writing anything.
    You can adjust the search string and cuts to your needs.

    INSTALLATION:
    copy unzipped scripts to /opt/sbin and
    chmod 755 /opt/sbin/avbf
    chmod 755 /opt/sbin/checklog
    copy hosts.deny to /opt/etc/hosts.deny

    Add to your /opt etc/crontab the following lines:
    */10 * * * * admin nice -20 /opt/sbin/checklog

    Add to your post-mount as last line:
    /opt/sbin/avbf & and perform the usual
    flashfs save
    flashfs commit
    flashfs enable
    reboot

    After start, you can have a closer look to your iptables config with:
    iptables -n -L

    Thats it!

    In order to emty the BLOCKIT rules from time to time, just add a line to your crontab, calling script avbf every day or week, as you like.
    15 1 * * * admin /opt/sbin/avbf #call avbf at 1:15 a.m.
    If you are not firm with crontab, just google for it.

    This setup allows you although to log any access, even when a lan pc is started (trying to get an ip from dhcp).
    If you want to log everything (for tests), just uncomment the appropiate entry. It is interesting, how many bad guys are out there.......

    Thanks again to al37919, he pointed me in the right direction.
    Nevertheless, such an setup should work also, when asus is used as gateway.
    Just add your rules and chains to avbf.

    Of course, you can shorten the script as much as you want and I know it. But I kept them a bit longer, hence they are more understandable.

    Calling script checklog with nice -20 makes sense when a dos attack arise.
    Any improvments are greatly appreciated.

    And a last info: never use a mac-rule for an ACCEPT when mac is outside of your network! I've done it and I payed the bill.........



    @al37919
    it seems that SYN is enough, I never got a log with state NEW, independent of that, I kept it in the script - just for safety.

    have fun
    newbiefan

    Edit: no need any longer for script checklog, just use the files from here.
    Further, there is a version for Kernel 2.6.x.x available, unfortunately until now in German language. When somebody ist interested to translate or to proof read (native speaker only) please let me know.
    Attached Files Attached Files
    Last edited by newbiefan; 06-10-2011 at 12:22.
    Alle HowTo's, all howto's

    RT-N16 1.9.2.7-rtn-r3121, Samba, VSFTP, Lightthpd, PHP, Perl, MySQL, Serendipity, Aria2web, HDD 640GB
    RT-N66U, 16GB MicroSD/ 2 Partitions, 2,5" HDD 1TB, running with Merlin's FW and Entware, 16 Mbit A1,
    Netgear DGND 3700V2, QNAP TS119PII 4 TB, QNAP TS209 2 TB Raid1, Backup Synology DS107+ 1 TB, HP CP1515n

  2. #2
    Join Date
    Mar 2008
    Location
    Next to Serpent ..
    Posts
    62
    I see you are fan of newbie ^^ so i ask kindly for a explanation of "asusip=192.168.178.2" line.
    I suppose to use my internal ip of router there ? .1.1 ?
    This script is useful on any interface as is ?
    Because like all of you out there my log is full of ssh attempts ...
    I use Asus on gateway mode so wan is exposed to outside.
    Last edited by poiu; 15-06-2009 at 20:40.

  3. #3
    You hardly get (if any) ssh attacks if you port forward from another port number than 22.

    e.g. forward port 54321 external to internal port 22.

  4. #4
    Join Date
    Jul 2007
    Location
    Austria
    Posts
    1,336
    I see you are fan of newbie ^^ so i ask kindly for a explanation of "asusip=192.168.178.2" line.
    I suppose to use my internal ip of router there ? .1.1 ?
    right, its just your router ip (lan)

    Code:
    This script is useful on any interface as is ?
    As you can see, all rules are just valid for the INPUT chain.
    As usual, you can use any other chain and rule as needed.
    Best is to configure your firewall through webif

    Code:
    Because like all of you out there my log is full of ssh attempts ...
    I use Asus on gateway mode so wan is exposed to outside
    Well, as avberk mentioned you can avoid most of ssh attacks by using an other port as 22.
    Further, I block any "bad" ip with my /opt/etc/hosts.deny file at startup.
    For instance, the complete 200.0.0.0/8 is blocked.

    Have fun
    Last edited by newbiefan; 19-06-2009 at 23:13.
    Alle HowTo's, all howto's

    RT-N16 1.9.2.7-rtn-r3121, Samba, VSFTP, Lightthpd, PHP, Perl, MySQL, Serendipity, Aria2web, HDD 640GB
    RT-N66U, 16GB MicroSD/ 2 Partitions, 2,5" HDD 1TB, running with Merlin's FW and Entware, 16 Mbit A1,
    Netgear DGND 3700V2, QNAP TS119PII 4 TB, QNAP TS209 2 TB Raid1, Backup Synology DS107+ 1 TB, HP CP1515n

  5. #5
    Join Date
    Mar 2008
    Location
    Next to Serpent ..
    Posts
    62
    Got it, thank you guys.

  6. #6
    l've got a kind of a stupid q:
    - is the block enabled as soon as the script adds it to hosts.deny?
    and regarding this:
    From this time on, such an ip does not have any access until reboot or calling again avbf.
    Does this mean that once a reboot takes place, the rules get deleted and they need to be re-entered? Or are avbf and checklog started at bootup and are always running?

    thanks for the great script btw,
    mosoo

  7. #7
    Join Date
    Jul 2007
    Location
    Austria
    Posts
    1,336
    Quote Originally Posted by mosoo View Post
    l've got a kind of a stupid q:
    - is the block enabled as soon as the script adds it to hosts.deny?
    and regarding this:

    Does this mean that once a reboot takes place, the rules get deleted and they need to be re-entered? Or are avbf and checklog started at bootup and are always running?

    thanks for the great script btw,
    mosoo
    Well the scripts add at runtime an ip to the blockit-chain. When a reboot happens (or restarting avbf) the blockit rule is emty. At least it means you get more and more blocked ip's - thats the reason why I suggest to call avbf once a day or week.

    Anyhow, you do not need script checklog - avbf just configures at startup your iptables rules.
    Below you find the version which I use now - it's without checklog, because an ip is blocked when anybody try to establish a new connection 3 times to port 21&22 within 180 seconds. Then such an IP is blocked for 180 seconds.
    My newest hosts.deny file is up-to-date and blocks everything from APNIC (pacific asia region) and just a few others due to the fact, that 98% of the hackers are coming from asia. I have always a closer look to my logfiles, when an ip is trying to hack me several times (from the same subnet), I put the complete subnet to my hosts.deny file.

    Please consider, that this setup is useful in AP-Mode. When using your asus as gateway, you have to change (delete) some lines.
    Code:
    #delete the following lines
    #emty all chains
    $ipt -F
    #and delete own chains
    $ipt -X
    sleep 2
    If you do not want to log everything just add the comment sign to the line.
    Maybe you are using an other FW version, so you have to adjust the path to your ipt_recent module.

    And now the answer to your last question:
    checklog does not put an ip to your hosts.deny list, just to the chain blockit.
    You have to do this manually (hosts.deny), but just once.
    When using the new avbf, there is no need to reboot or restart of avbf.

    Hope it helps.
    Have fun
    newbiefan
    Attached Files Attached Files
    Last edited by newbiefan; 31-12-2009 at 23:15.
    Alle HowTo's, all howto's

    RT-N16 1.9.2.7-rtn-r3121, Samba, VSFTP, Lightthpd, PHP, Perl, MySQL, Serendipity, Aria2web, HDD 640GB
    RT-N66U, 16GB MicroSD/ 2 Partitions, 2,5" HDD 1TB, running with Merlin's FW and Entware, 16 Mbit A1,
    Netgear DGND 3700V2, QNAP TS119PII 4 TB, QNAP TS209 2 TB Raid1, Backup Synology DS107+ 1 TB, HP CP1515n

  8. #8
    Hi newbiefan,
    the script looks nice, maybe i try it in the next days.

    One little thing that could be an enhancement, instead of manually edit the hosts.deny you could also take (or let the script download at startup) a list from eg. http://www.sshbl.org/

    This list here should be suitable: http://www.sshbl.org/lists/base.txt

    Then you are always up-to-date.

  9. #9
    Join Date
    Jul 2007
    Location
    Austria
    Posts
    1,336
    Hi darkside40!



    Many thanks for your input - but when I have a closer look to the base.txt file, I see 56!! pages with IP's and no subnets at all.

    This isn't very efficiently and at least it slows down your throughput speed.

    Due to missing (blocked) subnets, I deny to use it - every hacker has usually a botnet available, they change their IP very often.

    For instance: several month ago I recognized a brute force-attack, they used a very good dictionary and changed the IP always after 20 tries.

    This is one of the main reason, why I blocked the complete asia-pacific region. If you use my hosts.deny from here

    http://www.wl500g.info/attachment.ph...8&d=1260906885

    you will see soon, that every IP of your list is blocked. I'm personally not interested to have visitors from china on my personal website and ftp.

    Of course, I'm always against any restrictions, especially of our beloved internet - but I've written several mails to admins claiming to block the bad guys.
    I got no response at all, just an unbelievable increasement of attacks, thats why I blocked the complete asia and pacific region.

    It was not so funny to read extremly long logfiles - but now my system is absolutly clean!



    Have fun

    Newbiefan
    Alle HowTo's, all howto's

    RT-N16 1.9.2.7-rtn-r3121, Samba, VSFTP, Lightthpd, PHP, Perl, MySQL, Serendipity, Aria2web, HDD 640GB
    RT-N66U, 16GB MicroSD/ 2 Partitions, 2,5" HDD 1TB, running with Merlin's FW and Entware, 16 Mbit A1,
    Netgear DGND 3700V2, QNAP TS119PII 4 TB, QNAP TS209 2 TB Raid1, Backup Synology DS107+ 1 TB, HP CP1515n

Similar Threads

  1. [HOWTO] WL-500g bridgen met Tele2 / DV-201AMR
    By Chemist in forum Dutch Discussion - Nederlands
    Replies: 2
    Last Post: 29-09-2010, 18:20
  2. OLEG + Client Mode
    By eriche in forum WL-500w Q&A
    Replies: 0
    Last Post: 16-03-2008, 13:38
  3. VSFTP Brute force attacks
    By sarlacc in forum WL-500g Q&A
    Replies: 2
    Last Post: 28-08-2007, 20:56

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •