
Thread: IP address filtering

  1. #1
    Join Date
    Apr 2007
    Location
    Great White North
    Posts
    28

    IP address filtering

    I have been searching through the admin web GUI and can't seem to find an option for blocking WAN side addresses from accessing the router. I have a couple of IP addresses hammering my vsftpd and would like to block their access.

    I assume I will need to do this through a shell?

    Thanks,
    Hacksaw.

  2. #2
    Good luck! It got so bad on my box that I had to disable external ftp access. I had IP addresses from all over the world brute-force pounding on the box.

    You could address this by adding some iptables rules to block access. I had to do something similar (but opposite) to allow external SSH access.

    Below is what I added to the bottom of my rc.local file (outside of the rc.local.done check):

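    Code:
    # Run the SSH firewall script at boot if it exists on the data volume
    if [ -e /shares/MYVOLUME1/iptables_ssh.sh ]; then
        /opt/bin/bash /shares/MYVOLUME1/iptables_ssh.sh
    fi
    Here's the iptables_ssh.sh script:

    Code:
    #!/opt/bin/bash

    # Count the existing rules that mention the SSH port
    lines=`/usr/sbin/iptables --list | /opt/bin/grep dpt:ssh | /opt/bin/wc -l`

    # Insert the ACCEPT rule only while exactly one SSH rule is listed
    if test "$lines" -eq 1; then
        iptables -I INPUT -p tcp --dport 22 -j ACCEPT
    fi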
    You'll have to beef up the grep search and insert DROP rules instead of ACCEPT rules for your situation.

    A better alternative might be to use exponential connection throttling to frustrate multiple attempts from the same IP address without impeding legitimate connection attempts.

    http://www.debian-administration.org/articles/187

    Please post details if you're successful.

    - K.C.
    Last edited by kfurge; 26-04-2007 at 02:42. Reason: Formatting

  3. #3
    Excellent! I will give it a try tonight.

    Hacksaw.
    http://hacksaw.dnsalias.org - my WL-700gE in action.
    http://thecomichaven.com - my favorite site!

  4. #4
    I am using PPPoE to connect to my ISP so I assume I would want to use the ppp0 interface in my iptables rule to stop attacks from the internet?

    Code:
    # ifconfig
    br0       Link encap:Ethernet  HWaddr 00:18:F3:71:16:F4
              inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1063828 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1598453 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:138115296 (131.7 MiB)  TX bytes:1723494178 (1643.6 MiB)
    
    eth0      Link encap:Ethernet  HWaddr 00:18:F3:71:16:F4
              inet addr:0.152.180.42  Bcast:255.255.255.255  Mask:0.0.0.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1717727 errors:0 dropped:0 overruns:0 frame:0
              TX packets:2008720 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:1328083847 (1266.5 MiB)  TX bytes:801738176 (764.5 MiB)
              Interrupt:4 Base address:0x1000
    
    eth1      Link encap:Ethernet  HWaddr 00:18:F3:71:16:F4
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1080080 errors:0 dropped:0 overruns:0 frame:2238130
              TX packets:1827241 errors:1626 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:159458581 (152.0 MiB)  TX bytes:1758998125 (1677.5 MiB)
              Interrupt:2 Base address:0x2000
    
    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
              RX packets:407 errors:0 dropped:0 overruns:0 frame:0
              TX packets:407 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:86959 (84.9 kiB)  TX bytes:86959 (84.9 kiB)
    
    ppp0      Link encap:Point-Point Protocol
              inet addr:64.230.7.74  P-t-P:64.230.197.120  Mask:255.255.255.255
              UP POINTOPOINT RUNNING MULTICAST  MTU:1492  Metric:1
              RX packets:1659459 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1736301 errors:0 dropped:1 overruns:0 carrier:0
              collisions:0 txqueuelen:3
              RX bytes:1269441826 (1210.6 MiB)  TX bytes:740402487 (706.1 MiB)
    
    vlan0     Link encap:Ethernet  HWaddr 00:18:F3:71:16:F4
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:2243 errors:0 dropped:0 overruns:0 frame:0
              TX packets:213395 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:357124 (348.7 kiB)  TX bytes:18654221 (17.7 MiB)
    #
    Hacksaw.
    http://hacksaw.dnsalias.org - my WL-700gE in action.
    http://thecomichaven.com - my favorite site!

  5. #5
    New problem. Looks like I need libipt_recent.so to use the iptables "-m recent" option.

    Code:
    iptables v1.2.7a: Couldn't load match 'recent':/usr/lib/iptables/libipt_recent.so: cannot open shared object file: No such file or directory
    Any clue where I could get a compiled module? The source is found at:

    http://snowman.net/projects/ipt_recent/

    Thanks,
    Hacksaw.
    Last edited by Hacksaw; 28-04-2007 at 19:51. Reason: Added URL.
    http://hacksaw.dnsalias.org - my WL-700gE in action.
    http://thecomichaven.com - my favorite site!
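
Added example, not part of the original posts: the connection throttling suggested in post #2, written with the "-m recent" match that post #5 tries to load. It assumes the ipt_recent kernel module and libipt_recent.so are available (post #5 reports they are missing on this firmware); the chain name, list name and the 60 second / 4 connection limits are illustrative choices.

```shell
#!/bin/sh
# Added example: per-source throttling of new FTP connections with "-m recent".
# Prints the rules by default; set APPLY=1 to execute them as root.
IPT=${IPT:-/usr/sbin/iptables}

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# usage: throttle_rules IFACE PORT SECONDS HITCOUNT
throttle_rules() {
    iface=$1; port=$2; seconds=$3; hits=$4
    case $iface in ''|*[!A-Za-z0-9._-]*) echo "bad interface" >&2; return 1 ;; esac
    for n in "$port" "$seconds" "$hits"; do
        case $n in ''|*[!0-9]*) echo "bad number: $n" >&2; return 1 ;; esac
    done
    chain="THROTTLE_$port"      # hypothetical chain name
    list="throttle_$port"       # hypothetical name of the recent list

    run "$IPT" -N "$chain"
    # 1. Record the source address of this new connection.
    run "$IPT" -A "$chain" -m recent --name "$list" --set
    # 2. Drop it if the same source has opened HITCOUNT or more within SECONDS.
    #    --update refreshes the timestamp on a match, so a source that keeps
    #    hammering stays blocked until it has been quiet for SECONDS.
    run "$IPT" -A "$chain" -m recent --name "$list" --update \
        --seconds "$seconds" --hitcount "$hits" -j DROP
    # 3. Only new connections arriving on the WAN interface enter the chain;
    #    LAN clients and established sessions are untouched.
    run "$IPT" -I INPUT -i "$iface" -p tcp --dport "$port" \
        -m state --state NEW -j "$chain"
}

# Dry run for the PPPoE interface from post #4 and the FTP control port.
throttle_rules ppp0 21 60 4
```

Only the FTP control connection on port 21 is counted, so data connections of a session that has already logged in are not throttled.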

  6. #6
    I'll try to compile and load it.

    - K.C.

  7. #7
    There's also the option of using Fail2Ban to peruse your logfiles and temporarily ban IPs for a set period of time before unbanning them.

    http://www.fail2ban.org/wiki/index.php/Main_Page

    Problem is that it requires written log files and won't be able to use the ones in the logread <memory> function. If there was a way to have the logfiles written to a vm directory then that might work and also allow for drive spindown; but that's beyond my scope.

  8. #8
    Quote: Originally Posted by kfurge
        I'll try to compile and load it.

        - K.C.
    Thank you - I have not yet attempted to configure a build environment.

    Hacksaw.
    http://hacksaw.dnsalias.org - my WL-700gE in action.
    http://thecomichaven.com - my favorite site!

  9. #9
    Quote: Originally Posted by medsource
        There's also the option of using Fail2Ban to peruse your logfiles and temporarily ban IPs for a set period of time before unbanning them.

        http://www.fail2ban.org/wiki/index.php/Main_Page

        Problem is that it requires written log files and won't be able to use the ones in the logread <memory> function. If there was a way to have the logfiles written to a vm directory then that might work and also allow for drive spindown; but that's beyond my scope.
    If you use OpenWrt, you can refer to this link

  10. #10
    Join Date
    Aug 2007
    Location
    Austria
    Posts
    52

    security issues

    Quote: Originally Posted by kfurge
        I'll try to compile and load it.

        - K.C.
    Was there any progress with this project?

    I would highly appreciate any solution to this problem,
    since I get attacked continuously ...

    thx & brgds

    --
    tiwag

  11. #11
    Quote: Originally Posted by tiwag
        Was there any progress with this project?
    No. But I get hammered too. It's on my 1.0.7.8 list.

    - K.C.

  12. #12
    Quote: Originally Posted by kfurge
        No. But I get hammered too. It's on my 1.0.7.8 list.

        - K.C.
    Fail2ban works great for me. I altered vsftpd to write the logfile to the ramdisk in /var/tmp/log/ and have cron purge the log every 12 hours. This preserves the drive spindown and prevents the logfile from getting enormous (which is no longer an issue as my attacks are less now). The brute force attacks only get about 10 attempts in before they get IP banned (takes about 2 seconds usually) and have timed out their attacks when their IPs get unbanned. The end result: I now only get about 2 attack episodes a day (or 20 actual login attempts total).

    Yay!
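
Added example, not part of the original posts and not Fail2ban's own code: the counting step that Fail2ban performs over a vsftpd log, turned into DROP rules of the kind post #2 describes. It assumes vsftpd's native log format (not xferlog format); the sample lines are constructed, the threshold is illustrative, and the timed unban that Fail2ban adds is left out.

```shell
#!/bin/sh
# Added example: Fail2ban-style counting over a vsftpd log (prints rules only).

# Constructed sample in vsftpd's native log format; every address is from a
# documentation range. The last line has a user name that imitates a log entry.
sample_log() {
cat <<'EOF'
Sat Apr 28 19:40:01 2007 [pid 3021] CONNECT: Client "198.51.100.23"
Sat Apr 28 19:40:02 2007 [pid 3020] [admin] FAIL LOGIN: Client "198.51.100.23"
Sat Apr 28 19:40:03 2007 [pid 3024] [root] FAIL LOGIN: Client "198.51.100.23"
Sat Apr 28 19:40:04 2007 [pid 3027] [test] FAIL LOGIN: Client "198.51.100.23"
Sat Apr 28 19:41:10 2007 [pid 3040] [hacksaw] FAIL LOGIN: Client "192.0.2.7"
Sat Apr 28 19:41:15 2007 [pid 3040] [hacksaw] OK LOGIN: Client "192.0.2.7"
Sat Apr 28 19:42:00 2007 [pid 3051] [a] FAIL LOGIN: Client "192.0.2.7"] FAIL LOGIN: Client "203.0.113.9"
EOF
}

# Print each client address with at least $1 failed logins (log on stdin).
failed_login_ips() {
    awk -v max="$1" '
        # Trust only the client field that closes the line: the user name
        # earlier in the line is text supplied by the remote side.
        /FAIL LOGIN: Client "[0-9.]+"$/ {
            n = split($0, part, "\"")
            count[part[n - 1]]++
        }
        END { for (ip in count) if (count[ip] >= max) print ip }
    ' | sort
}

# usage: ban_commands IFACE PORT THRESHOLD < logfile
# Prints one DROP rule per offender for the WAN interface; nothing is executed.
ban_commands() {
    failed_login_ips "$3" | while read -r ip; do
        echo "iptables -I INPUT -i $1 -s $ip -p tcp --dport $2 -j DROP"
    done
}

sample_log | ban_commands ppp0 21 3
```

Because only the field at the end of the line is counted, the imitation entry in the last sample line is charged to 203.0.113.9, the address that actually connected, and not to 192.0.2.7.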

  13. #13
    Join Date
    Jun 2007
    Location
    Sweden
    Posts
    33

    Alternative to fail2ban

    You could try knockd to get rid of the hammering on your ports.
    All ports closed and custom opened via knockd when I use a secret knock sequence on specific ports...

    Works like a charm!

  14. #14
    Join Date
    Apr 2006
    Location
    Heesch, Netherlands
    Posts
    118
    Did you already update vsftpd to the latest version, 2.0.5.-1? It has support for
    Code:
    delay_failed_login=15
    max_login_fails=3

  15. #15
    Quote: Originally Posted by mistraller
        Did you already update vsftpd to the latest version, 2.0.5.-1? It has support for
        Code:
        delay_failed_login=15
        max_login_fails=3
    Did the performance improve also??? The included version of vsftpd blew chunks with large directories. I did like the tie-in of vsftpd to the security settings in the GUI; were these preserved in the new version (there were rumors that the ASUS vsftpd had been modified in such ways)? If all that is true then that would be great as it would mean one less service to run, log file to check, cron job to run etc.

    Update with answers if you've got 'em!!!
