Rate limit ssh attempts to WAN zone #120
Conversation
block any IP address who has made more than 3 ssh connections or attempted connections within the past 3 minutes.
add include path for etc/firewall.user to limit brute force
…into ssh-rate-limit
Limiting ssh connections from wan zone.
| @@ -61,6 +60,17 @@ config forwarding | |||
| config rule | |||
| option src 'wan' | |||
| option dest_port '22' | |||
| option proto 'tcp' | |||
| option state 'NEW' | |||
There was a problem hiding this comment.
There's no 'state' option in the OpenWRT wiki's page about the UCI firewall, as far as I can see. Is this an undocumented option?
There was a problem hiding this comment.
Huh. I could have sworn I read it on one of the openwrt wiki pages or forum posts but now I can't find it. State is supported by iptables. The closest I can find in the UCI documentation is "The iptables rules generated for this section rely on the state match." I must have guessed at it.
|
I think the whole reason we went with the firewall.user script was because UCI didn't offer the options to reproduce those iptables rules. We looked into adding UCI rules at first, but couldn't make it work. |
State option not supported in UCI firewall. This reverts commit 40f2882.
|
@jheretic I've reverted the uci commit and fixed the syntax in /etc/firewall.user. On the 4th ssh connection within 60 seconds, the connection attempt will hang until the minute is up. Existing ssh connections are not affected. I have a newly built node up with these rules in place if you want to test them. |
Conflicts: default-files/etc/config/firewall
|
confirmed working. |
Rate limit ssh attempts to WAN zone
Incorporates firewall changes suggested by @raniarho in #116 with some modifications.
Partially addresses #30.
To test: