Brute force protection in LAN (!)

I want to achieve following:

  1. 4 times wrong password when connecting to network = ban MAC

  2. How to get Admin panel (Luci) brute force protection in LAN (not from external source, protect from someone who already knows network credentials and use same network)?

Adding more details to understand function - I assume you want LuCI code that will drop the user from your AP after 4 incorrect login attempts?

If you truly had a malicious actor, I could actually imagine your DHCP running out of leases because MAC addresses can be changed, DoSing you and giving your attacker unlimited attempts (well, in theory the attempts would total 400 with default configurations). If you have a concern that LAN users may maliciously access LuCI, you may wish to try things like:

  • Disable it
  • Only allow on a second management network
  • Have LuCI listen on localhost - and use SSH port tunneling to access LuCI via a URL e.g. https://127.0.0.1:xxxxx

I believe you have another thread discussing this for SSH also. I'm certain members there will also offer you valuable suggestions and advice.
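As an added illustration of the third option above (not part of the original reply), the following POSIX shell script binds uhttpd, the web server that serves LuCI on a default OpenWrt install, to the loopback address only, and includes a small check that confirms no listen entry is left on a LAN-reachable address. It assumes the stock `uhttpd.main` UCI section with its `listen_http` / `listen_https` lists; the router address in the SSH command is a placeholder.

```shell
#!/bin/sh
# Added example for OpenWrt/uhttpd: restrict LuCI to 127.0.0.1 and reach it
# over an SSH tunnel. Assumes the default 'uhttpd.main' section exists.

# Return 0 only if every listen entry binds a loopback address.
# Usage: loopback_only <entry>... (entries as stored in uhttpd listen_* lists)
loopback_only() {
  for entry in "$@"; do
    case "$entry" in
      127.0.0.1:*|"[::1]:"*) ;;   # loopback v4 / v6: fine
      *) return 1 ;;              # anything else is reachable from the LAN
    esac
  done
  return 0
}

# Print the live listen entries (needs uci, i.e. run on the router).
current_listen() {
  uci -q get uhttpd.main.listen_http
  uci -q get uhttpd.main.listen_https
}

# Rewrite the listen lists so uhttpd only accepts connections on loopback.
apply_loopback_only() {
  uci -q delete uhttpd.main.listen_http
  uci -q delete uhttpd.main.listen_https
  uci add_list uhttpd.main.listen_http='127.0.0.1:80'
  uci add_list uhttpd.main.listen_https='127.0.0.1:443'
  uci commit uhttpd
  /etc/init.d/uhttpd restart
}

# Verify after applying: exits non-zero if any entry still faces the LAN.
check_router() {
  # shellcheck disable=SC2046
  loopback_only $(current_listen)
}

# Run only when invoked explicitly, so sourcing the file has no side effects.
case "$1" in
  apply) apply_loopback_only && check_router && echo "LuCI now loopback-only" ;;
  check) check_router && echo "ok" ;;
esac

# From the admin workstation (placeholder router address), then browse to
# https://127.0.0.1:8443 :
#   ssh -N -L 8443:127.0.0.1:443 root@ROUTER_LAN_IP
```

With LuCI reachable only through the tunnel, a LAN user needs a working SSH login (ideally public-key only) before they can even present a LuCI password, so the brute-force surface the question describes moves entirely to SSH, where fail2ban or key-only authentication is the usual answer.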

There is a package called fail2ban which may do what you want.

fail2ban - 0.11.2-9 - Fail2Ban scans log files like /var/log/auth.log and bans IP addresses conducting too many failed login attempts.

However, I already said in the other thread that you're creating unnecessary headaches for yourself if you can actually trust your trusted lan. If you can't, you would be better served by an isolated management network on a dedicated physical ethernet port.


One can change MAC for every attempt, or clone your trusted MAC... Best to leave only public-key SSH reachable from wired LAN while Wi-Fi is guest with no admin access at all