Firewall - Block IP Addresses in Traffic Rules

Hi There,

Since the corona happening, my home "server" is battling an RDP brute-force attack.
I am able to automatically ban IP addresses on the "server", but I kinda want to block them on my router, before they can even contact my "server" (since I have more than 700 open connections bashing port 3389).
I made the following rule (with some example IP addresses; I have collected over 300 addresses so far in 1 week....):

But when I enable this rule it completely stops WAN RDP connections.
(so neither the brute force nor myself can connect anymore :P)

Can someone with greater knowledge assist me with some tips?
I use a default image of OpenWrt for my TP-Link C2600.

You may want to take a look at ipset.

2 Likes
  • Why do you use an exclamation point (in Linux, this character may cause issues)?
  • I would not open RDP, perhaps you can SSH tunnel or a VPN (e.g. Wireguard) to the LAN IP...use another WAN port (only obscures things), etc.
  • You can also make a rule that blocks attempts for a time period of n - after x amount of tries
  • The rule should be to reject these IPs at 3389/tcp on WAN, not LAN
  • Instead of REJECT, I suggest using DROP
  • It's possible one of those source IPs - was in fact you
2 Likes

You don't need that rule.
WAN to LAN forwarding is disabled by default.

1 Like

I think it is correct as it is, as after nat prerouting the destination IP has changed already.

Port forward redirects will bypass that :frowning:

2 Likes

In your theory then the OpenWrt's CPU will process a NAT - then drop it.

Yes, but this kind of rule is useless against botnet attacks.

It's best to set up a VPN:

2 Likes

As long as the drop rule in filter is before the accept port forwards, then yes.

1 Like

Thanks for the replies, I have tried all your advice with no success :frowning:

  • renamed the list to something simple
  • instead of destination zone lan, this device with the server IP address
  • the source port doesn't really matter, does it? if xxx IP address in the list wants to make a connection to 3389, just block....
  • Drop and Reject are kinda the same thing indeed, but they both give the same result :frowning:

I have installed the ipset thing but.... it has no GUI :flushed: :upside_down_face:?

@lleachii, can you explain a bit more how to "make a rule that blocks attempts for a time period of n - after x amount of tries"?
That also sounds like the thing I am trying to do here with this manually updated IP block list!
The idea is: after 3x wrong user/pass, ban for life.

I don't think it's wise to try to self-maintain a list of IPs to block.

It does, and it should be left blank, as you don't know the source port of the originating traffic.

config rule
	option src 'wan'
	option name 'RDP_CheckDrop'
	option family 'ipv4'
	option proto 'tcp'
	option dest '*'
	option dest_port '3389'
	option target 'DROP'
	option extra '--syn -m recent --name rdp --update --seconds 300 --hitcount 5'

config rule
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'tcp'
	option src 'wan'
	option dest_port '3389'
	option extra '--syn -m recent --name rdp --set'
	option name 'RDP_CheckAccept'
	option dest '*'

No, they're not:

  • REJECT sends an ICMP Unreachable message (taking more CPU resources of the OpenWrt)
  • DROP is silent
2 Likes
  • This method is ineffective against botnets.
  • It will backfire if they use a dynamic or spoofed IP or operate behind a CGNAT.
  • You cannot identify failed attempts with just firewall.

Set up a VPN, preferably WireGuard or OpenVPN:
https://openwrt.org/docs/guide-user/services/vpn/start

3 Likes

I think VPN is the best option.
Also, whenever you publish a service to the internet, ALWAYS, IF YOU CAN, CHANGE THE PORT!
It's the best, most efficient and easy method to prevent botnet attacks.
In your firewall rules you can make the change, and for your server it's totally transparent.
Example:
client tries to connect to :5000
open port 5000 in the router
router redirects port 5000 to 3389
server listens on port 3389

True, as I noted:

It doesn't "prevent" - it changes the port; hence this adds no additional security to the server or network. This obviously won't stop WAN port scanning. Lastly, I don't suggest 5000, I would use an ephemeral port.

1 Like

True, my mistake.
And about the port, yes: before you select a new port you need to know where those ports are used and check (it's a bad idea to use the tcp/22 port, for example).
Another possible solution is to enable port knocking (https://openwrt.org/docs/guide-user/services/remote_control/portknock.server), but you need more tools and configuration.
Maybe the RDP protocol itself has some security features (I know the protocol, but I have never configured it as a server).

If you don't want to go for a VPN you could also set up an RDP Gateway (as an alternative):

So you could block 3389 completely and use 443 instead.

1 Like

My advice is to whitelist (authorize) only the needed IPs...
All the rest of the world will be blacklisted...
Already tested at a client site, without problems.

The best method is still a VPN.

RDP is the (open) door for ransomware!

3 Likes
  • yeah I know about VPN blablabla, I just want to RDP and don't want to set up a whole remote LAN solution.
  • Also I don't want to change the default port, because there is always an application that you're gonna use that doesn't support or understand a non-standard port.

Just a SIMPLE list with IP addresses that aren't allowed, which I can modify and easily manage with a GUI.
That's it, that's all I request :stuck_out_tongue:

I really want to thank you all for these comments and thinking along!

Is it btw possible to set a "hitcount" as an argument on my 3389 port forward?
I have tried the option extra line from @lleachii, and googled around and found this argument:

iptables -A INPUT -p tcp --dport 3389 -m recent --update --seconds 30 --hitcount 2 --rttl --name SSH -j DROP

But both don't work on the forward :frowning:

I cannot verify what package is missing because I don't have access to an OpenWrt box right now. But I'm sure you are missing the proper iptables module for this. Something like ipt-hitscan.

  • No package needed
  • Why does it say SSH (maybe you have a mismatch in the rules)?
1 Like
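The `-m recent` rule pair lleachii posted earlier in the thread (RDP_CheckDrop / RDP_CheckAccept) and the later question about putting a hitcount on the 3389 port forward both come down to how xt_recent counts SYNs per source address. The Python simulation below is an added example; it is not code from this thread or from OpenWrt. It only models the documented semantics of `--set`, `--update`, `--seconds` and `--hitcount` (a bounded per-address timestamp list, 20 entries like the module's default ip_pkt_list_tot, and `--update` recording a hit only when it matches), with the two rules evaluated in the posted order. The SYN events and the 203.0.113.x / 198.51.100.x addresses are constructed sample traffic.

```python
"""Simulation of the two-rule xt_recent lockout discussed in this thread.

Assumed model (not the kernel module itself):
  * one list ('--name rdp') holds up to 20 timestamps per source address
  * rule 1: --update --seconds 300 --hitcount 5  -> DROP
  * rule 2: --set                                -> ACCEPT
  * --update adds a timestamp only when it matches (that is what keeps an
    active source locked out); --set always adds one
Only SYNs are fed in, mirroring the '--syn' flag on both posted rules.
"""
from collections import defaultdict, deque

IP_PKT_LIST_TOT = 20  # xt_recent default: timestamps remembered per address


class RecentList:
    """One xt_recent table, keyed by source address."""

    def __init__(self, max_entries=IP_PKT_LIST_TOT):
        self.stamps = defaultdict(lambda: deque(maxlen=max_entries))

    def set(self, src, now):
        """--set: add the address, or one more timestamp for it."""
        self.stamps[src].append(now)

    def update(self, src, now, seconds=None, hitcount=None):
        """--update [--seconds N] [--hitcount M].

        Matches when the address is listed and has at least M timestamps
        (default 1) within the last N seconds; a match records a new hit.
        """
        if src not in self.stamps:
            return False
        window = [t for t in self.stamps[src]
                  if seconds is None or now - t <= seconds]
        if len(window) < (hitcount or 1):
            return False
        self.stamps[src].append(now)
        return True


def rdp_verdict(table, src, now, seconds=300, hitcount=5):
    """Apply the posted rule pair to one SYN to tcp/3389 from src."""
    if table.update(src, now, seconds=seconds, hitcount=hitcount):
        return "DROP"      # RDP_CheckDrop matched
    table.set(src, now)    # RDP_CheckAccept: remember the hit and allow
    return "ACCEPT"


def run(events, seconds=300, hitcount=5):
    """events: (time_in_seconds, src_ip) SYNs. Returns (time, src, verdict)."""
    table = RecentList()
    return [(t, src, rdp_verdict(table, src, t, seconds, hitcount))
            for t, src in sorted(events)]


def count_verdicts(results, src):
    """(accepted, dropped) SYN counts for one source address."""
    accepted = sum(1 for _, s, v in results if s == src and v == "ACCEPT")
    dropped = sum(1 for _, s, v in results if s == src and v == "DROP")
    return accepted, dropped


# Constructed sample traffic (documentation addresses, not real sources):
ATTACKER = "203.0.113.7"   # one SYN every 10 s for 200 s, then one at t=600
USER = "198.51.100.5"      # three ordinary connection attempts
SLOW = "203.0.113.9"       # one SYN every 100 s, paced under the threshold
EVENTS = (
    [(t, ATTACKER) for t in range(0, 201, 10)] + [(600, ATTACKER)]
    + [(5, USER), (65, USER), (125, USER)]
    + [(t, SLOW) for t in range(0, 1001, 100)]
)

if __name__ == "__main__":
    for t, src, verdict in run(EVENTS):
        print(f"t={t:4d}s  {src:<14} {verdict}")
```

Running it shows what the thread argues about: the bursting source is accepted five times and then dropped for as long as it keeps hitting, because every matching `--update` refreshes its window, and it is accepted again only after 300 s of silence; the source pacing one SYN per 100 s never reaches five hits inside any 300 s window, which is why the rule does little against a distributed, low-rate botnet; and the count is of SYNs per source address rather than of failed logins, so anyone sharing that address (CGNAT, or the owner himself) is locked out along with the attacker.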