Creating Smart Bruteforce Catcher ..or bicycle

Hello guys :slight_smile:
A few months ago I noticed many bruteforce attacks on my server behind OpenWRT.
I tried to find something like fail2ban for OpenWRT, but I need to filter FORWARD connections.
So, in the end, I came to this solution (iptables rules + some scripting).

My firewall.user config:

# Anyone touching the standard SSH/NetBIOS/RDP ports on the WAN side (eth1 here) is
# treated as a scanner and dropped for 24 hours. "-N" fails if the chain already exists
# (firewall reload), so flush it instead of appending the rules a second time.
iptables -N portscan_check 2>/dev/null || iptables -F portscan_check
iptables -A portscan_check -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A portscan_check -m recent --name portscan --remove
iptables -A portscan_check -p tcp -m multiport --dports 22,139,3389 -m recent --name portscan --set -j DROP
iptables -I INPUT -i eth1 -j portscan_check

# More than 2 new connections per hour (burst 2) from one source puts it in the BLOCK
# list for an hour; anything below that limit is accepted.
iptables -N ssh_brute_check 2>/dev/null || iptables -F ssh_brute_check
iptables -A ssh_brute_check -m conntrack --ctstate NEW -m recent --name BLOCK --rcheck --seconds 3600 -j DROP
iptables -A ssh_brute_check -m conntrack --ctstate NEW -m hashlimit --hashlimit-name BLOCK --hashlimit-mode srcip --hashlimit-above 2/h --hashlimit-burst 2 -m recent --name BLOCK --set -j DROP
iptables -A ssh_brute_check -p tcp --syn -j ACCEPT

# Same logic for forwarded RDP, with its own list.
iptables -N rdp_brute_check 2>/dev/null || iptables -F rdp_brute_check
iptables -A rdp_brute_check -m conntrack --ctstate NEW -m recent --name BLOCKRDP --rcheck --seconds 3600 -j DROP
iptables -A rdp_brute_check -m conntrack --ctstate NEW -m hashlimit --hashlimit-name BLOCKRDP --hashlimit-mode srcip --hashlimit-above 2/h --hashlimit-burst 2 -m recent --name BLOCKRDP --set -j DROP
iptables -A rdp_brute_check -p tcp --syn -j ACCEPT

# Custom SSH port on the router itself; SSH and RDP forwarded to LAN hosts
# (FORWARD sees the real destination port, i.e. after DNAT).
iptables -I INPUT -m conntrack --ctstate NEW -p tcp --dport 2245 -j ssh_brute_check
iptables -I FORWARD -m conntrack --ctstate NEW -p tcp --dport 22 -j ssh_brute_check
iptables -I FORWARD -m conntrack --ctstate NEW -p tcp --dport 3389 -j rdp_brute_check

iptables -t nat -I PREROUTING -p tcp --dport 22219 -j DNAT --to-destination 192.168.1.9:3389
iptables -t nat -I PREROUTING -p tcp --dport 22389 -j DNAT --to-destination 192.168.1.8:3389

# Permanent DROP rules for the addresses collected by /etc/init.d/portscan. Inserted
# last so they end up at the top of INPUT, ahead of the ACCEPT in ssh_brute_check.
if [ -f /etc/portscan ]; then
    while read -r ip; do
        [ -n "$ip" ] && iptables -I INPUT -s "$ip" -j DROP
    done < /etc/portscan
fi

My /etc/init.d/portscan Script

#!/bin/sh
# Plain sh, not rc.common: it has no start/stop actions and cron calls it with no argument.
# Append the addresses in the xt_recent "portscan" table to /etc/portscan, deduplicate,
# and reload the firewall so firewall.user turns them into DROP rules.
[ -r /proc/net/xt_recent/portscan ] || exit 0
awk -F'[= ]' '/^src=/ { print $2 }' /proc/net/xt_recent/portscan >> /etc/portscan
sort -u /etc/portscan > /etc/portscan.tmp && mv /etc/portscan.tmp /etc/portscan   # not -nu: -n reads 1.2.3.4 and 1.2.9.9 as the same number 1.2
/etc/init.d/firewall restart

And Cron task
echo "0 */6 * * * /etc/init.d/portscan" >> /etc/crontabs/root && /etc/init.d/cron restart

Explanation:
I use custom ports for SSH/RDP, so I think all IPs that connect to the standard ports are port scanners (searching for targets for bruteforce attacks), so I block them on the first connection to ports 22, 139, 3389.
And IF someone (if they get lucky) finds my custom ports, I use --hashlimit to slow down bruteforcing to 2-4 tries in 1 hour (sometimes I miss the key, so I don't want to ban myself).

The script runs every 6 hours: it gets the caught IPs from the portscan table and writes them into /etc/portscan. Then I use the script in firewall.user to generate DROP rules for these IPs.

Tested. Seems everything works fine :slight_smile: . It catches around 50 IPs in 24 hours.

Now I'm searching for a geek/developer who can use my 'bicycle' and create a LuCI addon where users can set up their own parameters. I also need help with creating some kind of central IP list (server).
It would be nice if the script sent the caught IP list to the server once per day, and the server generated a blacklist if an IP was caught on more than 5 routers.

Who can help?

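As an added example (not the original poster's scripts, and not OpenWRT code): the list-maintenance step written as shell functions that can be exercised offline. It parses the `/proc/net/xt_recent/<name>` line format from a constructed sample, merges the addresses into an existing blocklist with an exact deduplication, renders the DROP rules, and shows why `sort -nu` silently loses addresses. The WAN interface name `eth1` and the sample addresses (RFC 5737 documentation ranges) are assumptions.

```shell
#!/bin/sh
# Added example, not the original poster's script: the blocklist maintenance
# step as testable functions. Assumes the WAN interface is eth1 and uses
# constructed sample data (documentation addresses from RFC 5737).

# Constructed sample of what /proc/net/xt_recent/portscan looks like:
#   src=<ip> ttl: <n> last_seen: <jiffies> oldest_pkt: <n> <jiffies>[, <jiffies>...]
SAMPLE_RECENT='src=203.0.113.5 ttl: 54 last_seen: 4295310 oldest_pkt: 1 4295310
src=198.51.100.7 ttl: 49 last_seen: 4295400 oldest_pkt: 2 4295100, 4295400
src=203.0.113.9 ttl: 54 last_seen: 4295500 oldest_pkt: 1 4295500'

count_lines() { wc -l | tr -d ' '; }

# Pull the source address out of each xt_recent line on stdin.
recent_ips() {
    awk -F'[= ]' '/^src=/ { print $2 }'
}

# Merge the addresses on stdin into the list file $1 (which may not exist yet),
# keep only well-formed IPv4 dotted quads, and deduplicate exactly.
# Sorting on all four octets as separate numeric keys gives a readable order
# and makes -u compare whole addresses.
merge_list() {
    {
        [ -f "$1" ] && cat "$1"
        cat
    } | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' \
      | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n -u
}

# What "sort -nu" does to such a list: -n reads only the leading number, so
# 203.0.113.5 and 203.0.113.9 both become 203.0 and -u throws one of them away.
buggy_dedupe() {
    LC_ALL=C sort -nu
}

# Render one DROP rule per address on stdin, limited to the WAN interface $1
# so the rule only applies to traffic arriving from the outside.
drop_rules() {
    while read -r ip; do
        printf 'iptables -I INPUT -i %s -s %s -j DROP\n' "$1" "$ip"
    done
}

# End-to-end run on the constructed sample with a temporary list file:
# two addresses caught earlier plus the three in the current table.
demo() {
    list=$(mktemp)
    printf '203.0.113.5\n192.0.2.44\n' > "$list"
    printf '%s\n' "$SAMPLE_RECENT" | recent_ips | merge_list "$list" > "$list.new" \
        && mv "$list.new" "$list"
    drop_rules eth1 < "$list"
    rm -f "$list"
}
```

`demo` prints four rules (the duplicate 203.0.113.5 collapses to one entry); swapping `merge_list`'s sort for `sort -nu` would print three.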