Page 1 of 2 12 LastLast
Results 1 to 15 of 16

Thread: IP address filtering

  1. #1
    Join Date
    Apr 2007
    Location
    Great White North
    Posts
    28

    IP address filtering

    I have been searching through the admin web GUI and can't seem to find an option for blocking WAN side addresses from accessing the router. I have a couple of IP addresses hammering my vsftpd and would like to block their access.

    I assume I will need to do this through a shell?

    Thanks,
    Hacksaw.

  2. #2
    Good luck! It got so bad on my box that I had to disable external ftp access. I had IP addresses from all over the world brute-force pounding on the box.

    You could address this by adding some iptables rules to block access. I had to do something similar (but opposite) to allow external SSH access.

    Below is what I added to the bottom of my rc.local file (outside of the rc.local.done check):

    if [ -e /shares/MYVOLUME1/iptables_ssh.sh ]; then
    /opt/bin/bash /shares/MYVOLUME1/iptables_ssh.sh
    fi
    Here's the iptables_ssh.sh script:

    #!/opt/bin/bash

    lines=`/usr/sbin/iptables --list | /opt/bin/grep dpt:ssh | /opt/bin/wc -l`

    if test $lines -eq "1"; then
    iptables -I INPUT -p tcp --dport 22 -j ACCEPT
    fi
    You'll have to beef up the grep search and insert DROP rules instead of ACCEPT rules for your situation.

    A better alternative might be able to use exponential connection throttling to frustrate multiple attempts from the same IP address without impeding legitimate connection attempts.

    http://www.debian-administration.org/articles/187

    Please post details if you're successful.

    - K.C.
    Last edited by kfurge; 26-04-2007 at 03:42. Reason: Formatting

  3. #3
    Join Date
    Apr 2007
    Location
    Great White North
    Posts
    28
    Excellent! I will give it a try tonight.

    Hacksaw.
    http://hacksaw.dnsalias.org - my WL-700gE in action.
    http://thecomichaven.com - my favorite site!

  4. #4
    Join Date
    Apr 2007
    Location
    Great White North
    Posts
    28
    I am using PPPoE to connect to my ISP so I assume I would want to use the ppp0 interface in my iptables rule to stop attacks from the internet?

    Code:
    # ifconfig
    br0       Link encap:Ethernet  HWaddr 00:18:F3:71:16:F4
              inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1063828 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1598453 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:138115296 (131.7 MiB)  TX bytes:1723494178 (1643.6 MiB)
    
    eth0      Link encap:Ethernet  HWaddr 00:18:F3:71:16:F4
              inet addr:0.152.180.42  Bcast:255.255.255.255  Mask:0.0.0.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1717727 errors:0 dropped:0 overruns:0 frame:0
              TX packets:2008720 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:1328083847 (1266.5 MiB)  TX bytes:801738176 (764.5 MiB)
              Interrupt:4 Base address:0x1000
    
    eth1      Link encap:Ethernet  HWaddr 00:18:F3:71:16:F4
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1080080 errors:0 dropped:0 overruns:0 frame:2238130
              TX packets:1827241 errors:1626 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:159458581 (152.0 MiB)  TX bytes:1758998125 (1677.5 MiB)
              Interrupt:2 Base address:0x2000
    
    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
              RX packets:407 errors:0 dropped:0 overruns:0 frame:0
              TX packets:407 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:86959 (84.9 kiB)  TX bytes:86959 (84.9 kiB)
    
    ppp0      Link encap:Point-Point Protocol
              inet addr:64.230.7.74  P-t-P:64.230.197.120  Mask:255.255.255.255
              UP POINTOPOINT RUNNING MULTICAST  MTU:1492  Metric:1
              RX packets:1659459 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1736301 errors:0 dropped:1 overruns:0 carrier:0
              collisions:0 txqueuelen:3
              RX bytes:1269441826 (1210.6 MiB)  TX bytes:740402487 (706.1 MiB)
    
    vlan0     Link encap:Ethernet  HWaddr 00:18:F3:71:16:F4
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:2243 errors:0 dropped:0 overruns:0 frame:0
              TX packets:213395 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:357124 (348.7 kiB)  TX bytes:18654221 (17.7 MiB)
    #
    Hacksaw.
    http://hacksaw.dnsalias.org - my WL-700gE in action.
    http://thecomichaven.com - my favorite site!

  5. #5
    Join Date
    Apr 2007
    Location
    Great White North
    Posts
    28
    New problem. Looks like I need libipt_recent.so to use the iptables "-m recent" option.

    Code:
    iptables v1.2.7a: Couldn't load match 'recent':/usr/lib/iptables/libipt_recent.so: cannot open shared object file: No such file or directory
    Any clue where I could get a compiled module? The source is found at:

    http://snowman.net/projects/ipt_recent/

    Thanks,
    Hacksaw.
    Last edited by Hacksaw; 28-04-2007 at 20:51. Reason: Added URL.
    http://hacksaw.dnsalias.org - my WL-700gE in action.
    http://thecomichaven.com - my favorite site!

  6. #6
    I'll try to compile and load it.

    - K.C.

  7. #7
    There's also the option of using Fail2Ban to peruse your logfiles and temporarily ban ips for a set period of time before unbanning them.

    http://www.fail2ban.org/wiki/index.php/Main_Page

    Problem is that it requires written log files and won't be able to use the ones in the logread <memory> function. If there was a way to have the logfiles written to a vm directory then that might work and also allow for drive spindown; but that's beyond my scope.

  8. #8
    Join Date
    Apr 2007
    Location
    Great White North
    Posts
    28
    Quote Originally Posted by kfurge View Post
    I'll try to compile and load it.

    - K.C.
    Thank you - I have not yet attempted to configure a build environment.

    Hacksaw.
    http://hacksaw.dnsalias.org - my WL-700gE in action.
    http://thecomichaven.com - my favorite site!

  9. #9
    Quote Originally Posted by medsource View Post
    There's also the option of using Fail2Ban to peruse your logfiles and temporarily ban ips for a set period of time before unbanning them.

    http://www.fail2ban.org/wiki/index.php/Main_Page

    Problem is that it requires written log files and won't be able to use the ones in the logread <memory> function. If there was a way to have the logfiles written to a vm directory then that might work and also allow for drive spindown; but that's beyond my scope.
    If you use openwrt , you can ref this link

  10. #10
    Join Date
    Aug 2007
    Location
    Austria
    Posts
    52

    Exclamation security issues

    Quote Originally Posted by kfurge View Post
    I'll try to compile and load it.

    - K.C.
    was there any progress with this project ?

    i would highly appreciate any solution to this problem,
    since i get attacked continously ...

    thx & brgds

    --
    tiwag

  11. #11
    Quote Originally Posted by tiwag View Post
    was there any progress with this project ?
    No. But I get hammered too. It's on my 1.0.7.8 list.

    - K.C.

  12. #12
    Quote Originally Posted by kfurge View Post
    No. But I get hammered too. It's on my 1.0.7.8 list.

    - K.C.
    Fail2ban works great for me. I altered vsftpd to write the logfile to the ramdisk in /var/tmp/log/ and have cron purge the log every 12 hours. This preserves the drive spindown and prevents the logfile from getting enormous (which is no longer an issue as my attacks are less now). The brute force attacks only get about 10 attempts in before they get IP banned (takes about 2 seconds usually) and have timed out their attacks when their IP's get unbanned. The end result: I now only get about 2 attack episodes a day (or 20 actual login attempts total).

    Yay!

  13. #13
    Join Date
    Jun 2007
    Location
    Sweden
    Posts
    33

    Alternative to fail2ban

    You could try knockd to get rid of the hammering on your ports.
    All ports closed and custom opened via knockd when I use a secret knock sequence on specific ports...

    Works like a charm!

  14. #14
    Join Date
    Apr 2006
    Location
    Heesch, Netherlands
    Posts
    118
    Did you already updated vsftpd to latest version 2.0.5.-1, it has support for
    Code:
    delay_failed_login=15
    max_login_fails=3

  15. #15
    Quote Originally Posted by mistraller View Post
    Did you already updated vsftpd to latest version 2.0.5.-1, it has support for
    Code:
    delay_failed_login=15
    max_login_fails=3
    Did the performance improve also??? The included version of vsftpd blew chunks with large directories. I did like the tie-in of vsftpd to the security settings in the GUI, were these preserved in the new version (there were rumors that the asus vsftpd had been modified in such ways). If all that is true then that would be great as it would mean one less service to run, log file to check, cron job to run etc.

    Update with answers if you've got em!!!

Page 1 of 2 12 LastLast

Similar Threads

  1. Проблема с реконектом
    By scorpio in forum Russian Discussion - РУССКИЙ (RU)
    Replies: 14
    Last Post: 28-03-2007, 10:21
  2. Replies: 0
    Last Post: 25-01-2007, 04:25
  3. filtering virtual server port with mac address
    By dwienie in forum WL-500g Q&A
    Replies: 0
    Last Post: 19-03-2006, 17:46

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •