Since the corona happening, my home "server" has been battling an RDP brute-force attack.
I am able to automatically ban IP addresses on the "server", but I kinda want to block them on my router, before they even can contact my "server" (since I have more than 700 open connections bashing port 3389).
I made the following rule (with some example IP addresses; I have collected over 300 addresses so far in 1 week....):
Thanks for the replies, I have tried all your advice with no success:
- renamed list to something simple
- instead of destination zone lan, "this device" with the server IP address
- the source port doesn't really matter, does it? If an IP address in the list wants to make a connection to 3389, just block....
- Drop and Reject are kinda the same thing indeed, but they both give the same result
I have installed the ipset thing but.... it has no GUI?
@lleachii, can you explain a bit more how to: "make a rule that blocks attempts for a time period of n - after x amount of tries"?
That also sounds like the thing I am trying to do here with this manually updated IP block list!
The idea is: after 3x wrong user/pass, then ban for life.
I think it's the best option to use a VPN.
Also, whenever you publish some service to the internet, ALWAYS, IF YOU CAN, CHANGE THE PORT!
It's the best, most efficient and easy method to prevent botnet attacks.
In your firewall rules you can make the change, and for your server it's totally transparent.
Example:
client tries to connect to :5000
open port 5000 in router
router redirects port 5000 to 3389
server listens on port 3389
It doesn't "prevent" - it changes the port; hence this adds no additional security to the server or network. This obviously won't stop WAN port scanning. Lastly, I don't suggest 5000, I would use an ephemeral port.
True, my mistake.
And about the port, yes: before you select a new port you need to know where that port is used and check (it's a bad idea to use port tcp/22, for example).
Another possible solution is to enable port knocking (https://openwrt.org/docs/guide-user/services/remote_control/portknock.server), but you need more tools and configuration.
Maybe the RDP protocol itself has some security features (I know the protocol, but I never configured it as a server).
My advice is to whitelist (authorize) only the needed IP...
All the rest of the world will be blacklisted...
Already tested at a client site, without problems
Yeah, I know about VPN blablabla, I just want to RDP and don't want to set up a whole remote LAN solution.
Also I don't want to change the default port, because there is always an application that you're going to use that doesn't support or understand that you use a non-standard port.
Just a SIMPLE list with IP addresses that aren't allowed, that I can modify and easily manage with a GUI.
That's it, that's all I request.
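What the request above amounts to on an OpenWrt router is an ipset fed from a flat text file, plus one DROP rule in front of the 3389 port forward. The script below is an added example written for this thread, not something posted by anyone in it or shipped by OpenWrt. It assumes the fw3/iptables firewall (the `forwarding_rule` chain that `/etc/firewall.user` feeds), that `ipset` is already installed as mentioned earlier, that the RDP host sits at 192.168.1.10, and that the list lives in `/etc/rdp-blocklist.txt`; those values are placeholders. The sample list embedded in it is constructed from RFC 5737 documentation ranges so the script runs anywhere.

```shell
#!/bin/sh
# rdp-blocklist.sh (added example, not from the thread): drop RDP attempts from a
# hand-maintained list of source addresses at the router, ahead of the port forward.
# Assumptions: OpenWrt with the fw3/iptables firewall (forwarding_rule chain),
# ipset installed, RDP host at 192.168.1.10, list kept in /etc/rdp-blocklist.txt.

BLOCKLIST_FILE="${BLOCKLIST_FILE:-/etc/rdp-blocklist.txt}"  # one IPv4 or CIDR per line, '#' comments ok
SET_NAME="rdp_block"
SERVER_IP="192.168.1.10"    # assumed LAN address of the RDP host
DRY_RUN="${DRY_RUN:-1}"     # 1 = only print the commands; DRY_RUN=0 on the router applies them

# Constructed sample list (RFC 5737 documentation ranges), used when the real file is absent.
SAMPLE_LIST='# constructed entries: two attackers, one duplicate, two typos, one whole /24
203.0.113.7
198.51.100.42
203.0.113.7
300.1.2.3
not-an-ip
192.0.2.0/24
'

# Accept a dotted-quad IPv4 address with an optional /0-32 prefix; reject everything else,
# so a typo in the list cannot turn into a broken set or an unintentionally wide block.
valid_ipv4() {
    addr="${1%%/*}"
    case "$1" in
        */*) prefix="${1#*/}"
             [ "$prefix" -ge 0 ] 2>/dev/null && [ "$prefix" -le 32 ] || return 1 ;;
    esac
    old_ifs="$IFS"; IFS=.
    set -- $addr
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Strip comments and whitespace, validate, and de-duplicate the list read from stdin.
clean_list() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' | while read -r entry; do
        [ -n "$entry" ] || continue
        if valid_ipv4 "$entry"; then
            printf '%s\n' "$entry"
        else
            printf 'rdp-blocklist: skipping invalid entry "%s"\n' "$entry" >&2
        fi
    done | sort -u
}

# Entries come from the real file if present, otherwise from the constructed sample.
load_entries() {
    if [ -r "$BLOCKLIST_FILE" ]; then cat "$BLOCKLIST_FILE"; else printf '%s' "$SAMPLE_LIST"; fi
}

run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Insert a rule only if it is not already present (-C), so reloads stay idempotent.
ensure_rule() {
    if [ "$DRY_RUN" = "1" ] || ! iptables -C "$@" 2>/dev/null; then run iptables -I "$@"; fi
}

apply_blocklist() {
    # Fill a temporary set, then swap it in, so the live set is never half-loaded.
    run ipset -exist create "${SET_NAME}_tmp" hash:net
    run ipset flush "${SET_NAME}_tmp"
    load_entries | clean_list | while read -r entry; do
        run ipset -exist add "${SET_NAME}_tmp" "$entry"
    done
    run ipset -exist create "$SET_NAME" hash:net
    run ipset swap "${SET_NAME}_tmp" "$SET_NAME"
    run ipset destroy "${SET_NAME}_tmp"
    # forwarding_rule is evaluated after DNAT, so -d is the LAN address of the RDP host.
    ensure_rule forwarding_rule -p tcp -d "$SERVER_IP" --dport 3389 \
        -m set --match-set "$SET_NAME" src -j DROP
}

# Usage: sh rdp-blocklist.sh show   (print the commands)   |   sh rdp-blocklist.sh apply
case "${1:-}" in
    show)  apply_blocklist ;;
    apply) DRY_RUN=0; apply_blocklist ;;
esac
```

Calling `sh /etc/rdp-blocklist.sh apply` from `/etc/firewall.user` (editable in LuCI under Network > Firewall > Custom Rules) reloads the set on every firewall restart, and re-running it after editing the text file is the whole "management" step; `ipset list rdp_block` and `iptables -nvL forwarding_rule` show the current entries and how many packets the rule has dropped. Since the router only sees connection attempts, the "3 wrong passwords" part still has to come from the Windows side: the addresses the server's auto-ban already collects can simply be appended to the same file. fw3 can also load such a file declaratively through a `config ipset` section with `option loadfile`, if keeping everything in `/etc/config/firewall` is preferred.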
I really want to thank you all for these comments and thinking along!
Is it btw possible to set a "hitcount" as an argument on my 3389 port forward?
I have tried the extra option line from @lleachii, and after some googling around found this argument:
iptables -A INPUT -p tcp --dport 3389 -m recent --update --seconds 30 --hitcount 2 --rttl --name SSH -j DROP
I cannot verify what package is missing because I don't have access to an OpenWrt box right now. But I'm sure you are missing the proper iptables module for this. Sth. like ipt-hitscan.
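For the record, on OpenWrt the `recent` match comes with the `iptables-mod-conntrack-extra` package (which pulls in `kmod-ipt-conntrack-extra`), and `iptables -m recent --help` is the quickest check that it loads. The single `--update` rule quoted above also needs a companion `--set` rule, or no source ever gets an entry to count against. The script below is an added example for this thread, not code posted by anyone in it or part of OpenWrt; it assumes the fw3/iptables `forwarding_rule` chain and an RDP host at 192.168.1.10 (placeholder values), and its event list is constructed. Besides emitting the rules it includes a small model of what `--seconds`/`--hitcount` actually do to a stream of connection attempts, since the firewall counts SYNs, not failed logins.

```shell
#!/bin/sh
# rdp-ratelimit.sh (added example, not from the thread): limit how many new RDP
# connections one source may open toward the port forward, using the iptables
# "recent" match. Assumptions: OpenWrt fw3/iptables (forwarding_rule chain) and
# an RDP host at 192.168.1.10; the router sees connection attempts, not bad logins.

SERVER_IP="192.168.1.10"
LIST_NAME="RDP"      # recent table name; entries are visible in /proc/net/xt_recent/RDP
WINDOW=600           # seconds
MAX_NEW=4            # the MAX_NEW-th SYN from one source inside WINDOW gets dropped

# On OpenWrt the recent match ships in iptables-mod-conntrack-extra; this just
# asks iptables to load the match and reports whether it could.
have_recent_match() { iptables -m recent --help >/dev/null 2>&1; }

# xt_recent keeps at most ip_pkt_list_tot (default 20) timestamps per source, so a
# larger --hitcount is refused by the kernel; validate before trying to apply.
check_recent_params() {   # WINDOW HITCOUNT
    case "$1$2" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -gt 0 ] && [ "$2" -gt 0 ] && [ "$2" -le 20 ]
}

# The rule set. --set records every SYN (a source that keeps hammering keeps its own
# entry fresh and therefore stays dropped); --update --seconds/--hitcount drops once
# the source has MAX_NEW SYNs inside WINDOW; --rttl additionally requires the same TTL,
# which makes it harder to get a third party's address blocked with spoofed packets.
# Only --syn packets enter the chain, so established sessions are never counted.
rdp_ratelimit_rules() {
    cat <<EOF
iptables -N rdp_limit 2>/dev/null || iptables -F rdp_limit
iptables -A rdp_limit -m recent --name $LIST_NAME --set
iptables -A rdp_limit -m recent --name $LIST_NAME --update --seconds $WINDOW --hitcount $MAX_NEW --rttl -j DROP
iptables -I forwarding_rule -p tcp --syn -d $SERVER_IP --dport 3389 -j rdp_limit
EOF
}

# Model of those two recent rules over a stream of "seconds source" events, to see
# what WINDOW and HITCOUNT mean before touching the router (ignores the 20-stamp cap).
simulate_recent() {   # usage: simulate_recent WINDOW HITCOUNT < events
    awk -v W="$1" -v N="$2" '
    {
        t = $1; s = $2
        stamps[s] = stamps[s] " " t                        # --set: remember this attempt
        n = split(stamps[s], a, " "); hits = 0
        for (i = 1; i <= n; i++) if (t - a[i] <= W) hits++  # --update --seconds W
        verdict = (hits >= N) ? "DROP" : "ACCEPT"           # --hitcount N
        print verdict, s, "t=" t
    }'
}

# Constructed events: one source retries every few seconds, another connects once,
# then the first one returns after the window has expired.
SAMPLE_EVENTS='0 203.0.113.7
10 203.0.113.7
20 203.0.113.7
30 203.0.113.7
35 203.0.113.7
40 198.51.100.42
700 203.0.113.7'

# Usage: sh rdp-ratelimit.sh rules | simulate | apply
case "${1:-}" in
    rules)    rdp_ratelimit_rules ;;
    simulate) printf '%s\n' "$SAMPLE_EVENTS" | simulate_recent "$WINDOW" "$MAX_NEW" ;;
    apply)    have_recent_match || { echo "recent match not available; install iptables-mod-conntrack-extra" >&2; exit 1; }
              check_recent_params "$WINDOW" "$MAX_NEW" || { echo "bad WINDOW/MAX_NEW" >&2; exit 1; }
              rdp_ratelimit_rules | sh ;;
esac
```

Running `sh rdp-ratelimit.sh simulate` shows the 4th and 5th attempts from 203.0.113.7 dropped while the unrelated address and the late return after 600 s are accepted, which is the behaviour the two rules give on the router. A source that is dropped and keeps retrying within the window never falls out of the table, so for a persistent bot this already behaves like the "ban for life" asked for earlier; combined with a `-j LOG --log-prefix "rdp_limit: "` rule in front of the DROP, `logread` also gives a running list of who is hitting the limit, which is exactly the kind of list the ipset approach can be fed from.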