From 2e16b442e192f03063d3d7ca866e2704c86a8c5e Mon Sep 17 00:00:00 2001
From: RaniaRho
Date: Tue, 18 Mar 2014 17:53:53 +0200
Subject: [PATCH 1/7] Create firewall.user

block any IP address who has made more than 3 ssh connections or attempted connections within the past 3 minutes.
---
 default-files/etc/firewall.user | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 default-files/etc/firewall.user

diff --git a/default-files/etc/firewall.user b/default-files/etc/firewall.user
new file mode 100644
index 0000000..029e1e2
--- /dev/null
+++ b/default-files/etc/firewall.user
@@ -0,0 +1,15 @@
+# This file is interpreted as shell script.
+# Put your custom iptables rules here, they will
+# be executed with each firewall (re-)start.
+
+#to restart the fire wall use /etc/init.d/firewall restart;
+
+#for debugging added rules ues FW_TRACE=1 fw reload
+
+#more details http://wiki.openwrt.org/doc/uci/firewall
+
+#if it didn't work remove "-i br-lan" to accept any interface
+
+iptables -I INPUT -i br-lan -p tcp -m tcp --dport 22 -m recent --set --name DEFAULT --rsource
+
+iptables -I INPUT -i br-lan-p tcp -m tcp --dport 22 -m recent --update --seconds 180 --hitcount 4 --name DEFAULT --rsource -j DROP

From 883fd34719b5ebf007739e8fa41525969a411536 Mon Sep 17 00:00:00 2001
From: RaniaRho
Date: Tue, 18 Mar 2014 17:56:59 +0200
Subject: [PATCH 2/7] Update firewall

add include path for etc/firewall.user to limit brute force
---
 default-files/etc/config/firewall | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/default-files/etc/config/firewall b/default-files/etc/config/firewall
index 6865e9e..fdaf078 100644
--- a/default-files/etc/config/firewall
+++ b/default-files/etc/config/firewall
@@ -1,4 +1,3 @@
-
 config defaults
  option syn_flood '1'
  option input 'DROP'
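Review bot: Both iptables rules carry `-i br-lan`, so the rate limit only covers SSH arriving on the LAN bridge; SSH from the WAN zone, which the config file accepts with the `src 'wan'` / `dest_port '22'` / `target 'ACCEPT'` rule visible in the context of PATCH 5, is not rate-limited by this file at all. The same restriction survives the revert in PATCH 6 and the rewrite in PATCH 7. If LAN-only is intended, say so next to the rules, e.g. `# NOTE: -i br-lan limits this to LAN-side ssh; WAN-side ssh is not rate-limited here`; otherwise drop `-i br-lan` or add an equivalent pair of rules for the WAN interface. `--name DEFAULT` is also the recent module's shared default list, so any other `-m recent` rule without a name would share these hit counters; a dedicated name such as `--name ssh` keeps them separate.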
@@ -167,3 +166,15 @@ config rule
  option src 'vpn'
  option proto 'icmp'
  option target 'ACCEPT'
+
+#just a test to block certain IP !
+config rule
+ option name 'block'
+ option src '*'
+ option src_port '22'
+ option dest '*'
+ option dest_ip '192.168.1.2'
+ option target 'DROP'
+
+config include
+ option path '/etc/firewall.user'

From dd562f2c712f3b826d2365a4dca52d074ec6a35b Mon Sep 17 00:00:00 2001
From: RaniaRho
Date: Tue, 18 Mar 2014 20:50:50 +0200
Subject: [PATCH 3/7] Update firewall

---
 default-files/etc/config/firewall | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/default-files/etc/config/firewall b/default-files/etc/config/firewall
index fdaf078..553d9cb 100644
--- a/default-files/etc/config/firewall
+++ b/default-files/etc/config/firewall
@@ -167,14 +167,5 @@ config rule
  option proto 'icmp'
  option target 'ACCEPT'
 
-#just a test to block certain IP !
-config rule
- option name 'block'
- option src '*'
- option src_port '22'
- option dest '*'
- option dest_ip '192.168.1.2'
- option target 'DROP'
-
 config include
  option path '/etc/firewall.user'

From 220027a847b2e6856fc21b1bf8ecab35e7f72449 Mon Sep 17 00:00:00 2001
From: Andrew Reynolds
Date: Thu, 17 Apr 2014 14:20:32 -0400
Subject: [PATCH 4/7] Fixed typo in /etc/firewall.user

---
 default-files/etc/firewall.user | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/default-files/etc/firewall.user b/default-files/etc/firewall.user
index 029e1e2..b111bb9 100644
--- a/default-files/etc/firewall.user
+++ b/default-files/etc/firewall.user
@@ -12,4 +12,4 @@
 
 iptables -I INPUT -i br-lan -p tcp -m tcp --dport 22 -m recent --set --name DEFAULT --rsource
 
-iptables -I INPUT -i br-lan-p tcp -m tcp --dport 22 -m recent --update --seconds 180 --hitcount 4 --name DEFAULT --rsource -j DROP
+iptables -I INPUT -i br-lan -p tcp -m tcp --dport 22 -m recent --update --seconds 180 --hitcount 4 --name DEFAULT --rsource -j DROP

From 40f288237a72fdf365c8e3a8fe4b4b0c92672c26 Mon Sep 17 00:00:00 2001
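Review bot: The `block` test rule matches on `src_port '22'` rather than `dest_port '22'`, so it would drop packets whose source port is 22 heading to 192.168.1.2 (replies from an ssh server), not ssh attempts toward that host; with both `src '*'` and `dest '*'` set it also appears to be placed as a forwarding rule rather than an input rule. It is labelled a test and PATCH 3 deletes it again, so the only lasting change here is the `config include` stanza, which is what the "executed with each firewall (re-)start" promise in firewall.user's header relies on. Test rules should not be committed to a defaults file — a DROP under default-files ships to every build.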
From: Andrew Reynolds
Date: Thu, 17 Apr 2014 17:45:23 -0400
Subject: [PATCH 5/7] Moved firewall.user rules to /etc/config/firewall.

Limiting ssh connections from wan zone.
---
 default-files/etc/config/firewall | 11 +++++++++++
 default-files/etc/firewall.user | 15 ---------------
 2 files changed, 11 insertions(+), 15 deletions(-)
 delete mode 100644 default-files/etc/firewall.user

diff --git a/default-files/etc/config/firewall b/default-files/etc/config/firewall
index 553d9cb..f7852e3 100644
--- a/default-files/etc/config/firewall
+++ b/default-files/etc/config/firewall
@@ -60,6 +60,17 @@ config forwarding
 config rule
  option src 'wan'
  option dest_port '22'
+ option proto 'tcp'
+ option state 'NEW'
+ option limit '3/min'
+ option limit_burst '2'
+ option target 'LOG'
+
+config rule
+ option src 'wan'
+ option dest_port '22'
+ option state 'RELATED'
+ option state 'ESTABLISHED'
  option target 'ACCEPT'
  option proto 'tcp'
 
diff --git a/default-files/etc/firewall.user b/default-files/etc/firewall.user
deleted file mode 100644
index b111bb9..0000000
--- a/default-files/etc/firewall.user
+++ /dev/null
@@ -1,15 +0,0 @@
-# This file is interpreted as shell script.
-# Put your custom iptables rules here, they will
-# be executed with each firewall (re-)start.
-
-#to restart the fire wall use /etc/init.d/firewall restart;
-
-#for debugging added rules ues FW_TRACE=1 fw reload
-
-#more details http://wiki.openwrt.org/doc/uci/firewall
-
-#if it didn't work remove "-i br-lan" to accept any interface
-
-iptables -I INPUT -i br-lan -p tcp -m tcp --dport 22 -m recent --set --name DEFAULT --rsource
-
-iptables -I INPUT -i br-lan -p tcp -m tcp --dport 22 -m recent --update --seconds 180 --hitcount 4 --name DEFAULT --rsource -j DROP

From e45da0d31452258f33b4363cf43aa6fc20c231e1 Mon Sep 17 00:00:00 2001
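Review bot: A NEW ssh connection from wan only reaches the `target 'LOG'` rule here, and LOG is non-terminating, so the packet continues to the next rule; the only remaining ACCEPT requires RELATED/ESTABLISHED state, so new WAN ssh sessions fall through to the `option input 'DROP'` default visible in PATCH 2's context and nobody can log in from the WAN. The second rule also repeats `option state`, and in UCI a repeated option keeps only the last value, so 'RELATED' is silently lost — independent of whether fw3 honours `state` at all, which PATCH 6's revert message says it does not (the supported way to pass conntrack matching is `option extra`). If this design is revisited, the intended shape is a limited LOG rule, then a limited ACCEPT for NEW, then the ACCEPT for established traffic; the log-only rule on its own is a lockout, not a rate limit.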
From: Andrew Reynolds
Date: Tue, 20 May 2014 12:13:53 -0400
Subject: [PATCH 6/7] Revert "Moved firewall.user rules to /etc/config/firewall."

State option not supported in UCI firewall.

This reverts commit 40f288237a72fdf365c8e3a8fe4b4b0c92672c26.
---
 default-files/etc/config/firewall | 11 -----------
 default-files/etc/firewall.user | 15 +++++++++++++++
 2 files changed, 15 insertions(+), 11 deletions(-)
 create mode 100644 default-files/etc/firewall.user

diff --git a/default-files/etc/config/firewall b/default-files/etc/config/firewall
index f7852e3..553d9cb 100644
--- a/default-files/etc/config/firewall
+++ b/default-files/etc/config/firewall
@@ -60,17 +60,6 @@ config forwarding
 config rule
  option src 'wan'
  option dest_port '22'
- option proto 'tcp'
- option state 'NEW'
- option limit '3/min'
- option limit_burst '2'
- option target 'LOG'
-
-config rule
- option src 'wan'
- option dest_port '22'
- option state 'RELATED'
- option state 'ESTABLISHED'
  option target 'ACCEPT'
  option proto 'tcp'
 
diff --git a/default-files/etc/firewall.user b/default-files/etc/firewall.user
new file mode 100644
index 0000000..b111bb9
--- /dev/null
+++ b/default-files/etc/firewall.user
@@ -0,0 +1,15 @@
+# This file is interpreted as shell script.
+# Put your custom iptables rules here, they will
+# be executed with each firewall (re-)start.
+
+#to restart the fire wall use /etc/init.d/firewall restart;
+
+#for debugging added rules ues FW_TRACE=1 fw reload
+
+#more details http://wiki.openwrt.org/doc/uci/firewall
+
+#if it didn't work remove "-i br-lan" to accept any interface
+
+iptables -I INPUT -i br-lan -p tcp -m tcp --dport 22 -m recent --set --name DEFAULT --rsource
+
+iptables -I INPUT -i br-lan -p tcp -m tcp --dport 22 -m recent --update --seconds 180 --hitcount 4 --name DEFAULT --rsource -j DROP

From 4dac40dd570d94f92b34aec9b42a144d149dc5ff Mon Sep 17 00:00:00 2001
From: Andrew Reynolds
Date: Tue, 20 May 2014 12:20:46 -0400
Subject: [PATCH 7/7] Updating ssh rate limit in firewall.user

---
 default-files/etc/firewall.user | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/default-files/etc/firewall.user b/default-files/etc/firewall.user
index b111bb9..bc17455 100644
--- a/default-files/etc/firewall.user
+++ b/default-files/etc/firewall.user
@@ -8,8 +8,5 @@
 
 #more details http://wiki.openwrt.org/doc/uci/firewall
 
-#if it didn't work remove "-i br-lan" to accept any interface
-
-iptables -I INPUT -i br-lan -p tcp -m tcp --dport 22 -m recent --set --name DEFAULT --rsource
-
-iptables -I INPUT -i br-lan -p tcp -m tcp --dport 22 -m recent --update --seconds 180 --hitcount 4 --name DEFAULT --rsource -j DROP
+iptables -I INPUT -i br-lan -p tcp --dport 22 -m state --state NEW -m recent --set
+iptables -I INPUT -i br-lan -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
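Review bot: The policy these two lines implement (a source address is dropped once it opens a 4th NEW connection to port 22 within 60 s) is documented nowhere in the file — the surviving header comments describe firewall.user generically and the `#if it didn't work remove "-i br-lan"` hint is deleted here, so the window shrinking from 180 s to 60 s is invisible to the next reader. Add a comment above the rules, e.g. `# ssh brute-force limit: DROP a source after 4 NEW connections to :22 within 60 s (br-lan only, IPv4 only)`. Because both lines use `-I`, the second command is inserted above the first, so the `--update --hitcount 4` check runs before `--set` records the packet; as far as I can tell that delays the drop by one connection compared with checking after recording, and swapping the order of the two lines (so the `--set` rule is inserted last and sits first in INPUT) makes the behaviour match the comment. Only iptables is configured, so if sshd is also reachable over IPv6 the limit does not apply there; an equivalent ip6tables pair would close that gap.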