Busybox ash based log examination script w/ iptables firewall rule generation response (fail2ban for OpenWRT)
Latest commit 5fbae01 (May 24, 2017): robzr merged pull request #4 from jschornick/master, "Ensure that dropbear has verbose logging enabled"

README.md

bearDropper

dropbear log parsing ban agent for OpenWRT (Chaos Calmer rewrite of dropBrute.sh) - @robzr

OpenWRT (Chaos Calmer) script for blocking repeated invalid dropbear ssh connection attempts (embedded fail2ban)

Status

Working, no known issues.

Dependencies

None! Written entirely in busybox ash, using only commands shipped in a standard OpenWRT image.

Installation

To install or upgrade to the latest bearDropper, run:

wget -qO- http://rawgit.com/robzr/bearDropper/master/install.sh | sh

Note that this one-liner fetches the installer over plain HTTP and pipes it straight into sh, so nothing checks what you are about to run on the device that is your firewall; if that matters to you, download install.sh first, read it, and then run it.

  • To modify the config options, edit the uci config file (/etc/config/bearDropper)
  • Use bearDropper -h to see options for runtime config (runtime options override uci config options)
  • Consider increasing your syslog ring buffer size (/etc/config/system option log_size)

Logging

  • logs to the syslog ring buffer by default (view with the logread command)
  • logs to stdout with "-f stdout" (or logFacility config option)
  • increase verbosity with "-l 2" (or logLevel config option)

Features

  • small size, low memory footprint, no external dependencies
  • uses uci for config, overridable via command line arguments
  • uses a state database which periodically syncs to iptables (for resiliency)
  • can sync state database to persistent storage, with logic to avoid excessive flash writes
  • state database supports optional compression
  • uses highly readable BIND time syntax for all time values (ex: 9d2h3s is 9 days, 2 hours, 3 seconds)
  • runs in the background for realtime monitoring when run via included init script
  • can also be run by hand to process historical log entries
  • self installs into iptables for simple and reliable setup (easily disabled)
  • conservative input validation for security
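The detection-and-response loop behind those features, as an added example in POSIX sh (it also runs under busybox ash) that is not bearDropper's own code: a parser for the BIND duration syntax, a scan of logread output that only accepts a clean dotted-quad source address before it is spliced into a firewall command, and the generation of the iptables rules that install a dedicated chain and drop the offenders. The chain name bearDropper, the threshold of 3 failures, the exact dropbear message formats and the sample log lines are assumptions made for this example; the iptables commands are printed rather than executed so it can run anywhere.

```shell
#!/bin/sh
# Added example (not bearDropper's own code): the core of a dropbear log-driven
# ban agent in POSIX sh that also runs under busybox ash. The chain name
# "bearDropper", the threshold, the message formats and the sample log are
# assumptions made for this demo.

# Constructed sample of `logread` output approximating dropbear's messages.
# The last line is deliberately malformed to exercise the address validation.
SAMPLE_LOG=$(cat <<'EOF'
Wed May 24 12:00:01 2017 authpriv.warn dropbear[1201]: Bad password attempt for 'root' from 203.0.113.7:51002
Wed May 24 12:00:03 2017 authpriv.warn dropbear[1202]: Bad password attempt for 'root' from 203.0.113.7:51003
Wed May 24 12:00:05 2017 authpriv.info dropbear[1203]: Login attempt for nonexistent user from 203.0.113.7:51004
Wed May 24 12:00:09 2017 authpriv.warn dropbear[1204]: Bad password attempt for 'admin' from 198.51.100.9:40001
Wed May 24 12:00:11 2017 authpriv.info dropbear[1205]: Password auth succeeded for 'root' from 192.0.2.10:40002
Wed May 24 12:00:13 2017 authpriv.warn dropbear[1206]: Bad password attempt for 'root' from 999.1.1.1;rm:1
EOF
)

# Converts a BIND-style duration (w, d, h, m, s units, e.g. 9d2h3s) to seconds.
# A bare number means seconds. Prints the total; returns 1 on malformed input.
bind_to_seconds() {
  rest=$1 total=0
  [ -n "$rest" ] || return 1
  while [ -n "$rest" ]; do
    num=${rest%%[!0-9]*}          # leading digit run
    [ -n "$num" ] || return 1
    rest=${rest#"$num"}
    unit=${rest%%[0-9]*}          # unit letter(s) up to the next digit
    rest=${rest#"$unit"}
    case "$unit" in
      w) mult=604800 ;;
      d) mult=86400 ;;
      h) mult=3600 ;;
      m) mult=60 ;;
      s|'') mult=1 ;;
      *) return 1 ;;
    esac
    total=$((total + num * mult))
  done
  echo "$total"
}

# Reads logread lines on stdin and prints "count ip" per source address with a
# failed dropbear authentication, most frequent first. Only a clean dotted quad
# is accepted, because the address is later spliced into an iptables command.
failed_ips() {
  awk '
    function valid_ip4(ip,   o, i) {
      if (split(ip, o, ".") != 4) return 0
      for (i = 1; i <= 4; i++)
        if (o[i] !~ /^[0-9]+$/ || o[i] > 255) return 0
      return 1
    }
    /dropbear\[[0-9]+\]: (Bad password attempt|Login attempt for nonexistent user)/ {
      ip = $NF                      # the socket address is always the last field
      sub(/:[0-9]+$/, "", ip)       # drop the source port
      if (valid_ip4(ip)) n[ip]++
    }
    END { for (ip in n) print n[ip], ip }
  ' | sort -rn
}

# Reads "count ip" on stdin and emits the iptables command a ban agent would run
# for every address at or above the threshold given in $1 (printed, not executed).
ban_commands() {
  while read -r count ip; do
    [ "$count" -ge "$1" ] || continue
    echo "iptables -I bearDropper -s $ip -j DROP"
  done
}

# Commands that "self install" a dedicated chain in front of INPUT, so the bans
# can be listed, flushed or removed as a unit without touching other rules.
install_commands() {
  echo "iptables -N bearDropper"
  echo "iptables -I INPUT -j bearDropper"
}

main() {
  echo "# ban window 9d2h3s = $(bind_to_seconds 9d2h3s) seconds"
  install_commands
  printf '%s\n' "$SAMPLE_LOG" | failed_ips | ban_commands 3
}

main
```

On a real router the same pipeline would read `logread -f` instead of the sample, and the generated commands would be executed rather than echoed; the malformed last log line shows why the address check matters, since it is silently dropped instead of reaching iptables.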

TBD

  • Add optional freegeoip.net lookups for (de|ac)celerated banning
  • implement whitelist
  • CIDR processing for bans & whitelists
  • self expiring ipset based ban list
  • package and submit to openwrt repo once it's reasonably bug free
  • ipv6 support

Also see the sister project sub2rbl for RBL based banning: https://github.com/robzr/sub2rbl

Discussion of these projects at OpenWRT forums: https://forum.openwrt.org/viewtopic.php?id=62084