Flexibly Block incoming traffic - is it possible?

Hi All !

Is there a way to auto-block IP addresses from the WAN side, so incoming, after X amount of rejected packets are logged?
Let me give you an example what I'm thinking about.
There is an IP address (not a specific one, since different scans from different IP addresses are happening every minute according to the log) from which someone is doing a port scan, I mean it's really visible, trying different ports below 1024, etc. Let's say I'd like to create a rule such that after 5 rejected packets from any IP address, that IP address is put under a complete block / ban for 60 minutes or forever.

check banip

Thx, will check

Fail2ban is designed for this, but it's pretty big.

Seems like banip is not compatible with OpenWrt 22.03, running into "Unknown package", and after some searching I got the answer that it's N/A for 22.03. Although I found some pre-release versions.

It is undergoing an upgrade to work with nftables in fw4, which was introduced in 22.03.

Fail2Ban is really for this, but it has no native support for the OpenWrt system log, and I couldn't find anyone who has made it work to parse the system log file, or even anyone who has started to work on this customization :slight_smile:

I'll give the latest pre-release a try, we will see. Thx

https://forum.openwrt.org/t/banip-support-thread/16985/975?u=flygarn12
Maybe you have found the support thread for BanIP already?

Yes Sir I have :slight_smile: Thx.


Depends on what you want to block.

It supports lighttpd, you could replace uhttpd with it, same goes for sshd, etc...

That's the point, what I'd like to block is not app-specific, like only Dropbear, but simply the common port scans that are happening from time to time on the WAN interface, so it's the common syslog.
I'd actually need a simple rule: if any external IP has X amount of rejected log entries, block it. That's it.

I do have a few open ports which I'm using mostly for forwarding, obviously in the upper range, but usually all port scans start with the <1024 ports, so when the IP address starts scanning for 20, 21, 22, etc., block it before it would reach any of my open ports in the upper ranges.

I mean that would be the idea.
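The "X rejected log entries from one external IP, then ban it" rule described in the post above, as an added example that is not from the thread, banIP, or fw4 itself: a small POSIX shell script that counts fw4 "REJECT wan in:" entries per source address and emits nft commands adding repeat offenders to a timed set. It assumes the default fw4 zone log prefix, and that /etc/config/firewall already defines an ipset named "banlist" (with a timeout) plus a rule dropping WAN traffic whose source matches it, so that the emitted `nft add element inet fw4 banlist { ... }` commands are valid on the router; the set name, the threshold of 5, the 60-minute ban and the log lines are assumptions/constructed data, not taken from any real log.

```shell
#!/bin/sh
# Added example (not from the thread): count fw4 "REJECT wan in:" entries per
# source IP and emit nft commands that put repeat offenders into a ban set.
#
# Assumptions (not stated in the thread):
#   - fw4 logs rejected WAN packets with the prefix "REJECT wan in:" and the
#     usual netfilter SRC=/DST=/DPT= fields (this is the default zone prefix).
#   - /etc/config/firewall defines an ipset "banlist" with a timeout and a
#     rule that drops WAN traffic whose src_ip is in it, so that
#     "nft add element inet fw4 banlist { ... }" works at runtime.
#   - THRESHOLD / BAN_MINUTES mirror the "5 packets" and "60 minutes" asked
#     about above; adapt NFT_TABLE / BAN_SET to your own firewall config.
THRESHOLD=5
BAN_MINUTES=60
NFT_TABLE="inet fw4"
BAN_SET="banlist"

# Constructed sample syslog lines (RFC 5737 test addresses), shaped like
# logread output on OpenWrt 22.03. 203.0.113.5 walks ports 20..80 (6 WAN
# rejects), 198.51.100.7 is rejected twice, one line is a LAN-side reject
# that must not count as a WAN scan, and one dropbear line mentions the
# scanner's IP without being a reject at all.
sample_log() {
cat <<'EOF'
Mon Jan  1 00:00:01 2024 kern.warn kernel: [  100.000001] REJECT wan in: IN=eth1 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=44 PROTO=TCP SPT=40123 DPT=20 SYN
Mon Jan  1 00:00:01 2024 kern.warn kernel: [  100.100001] REJECT wan in: IN=eth1 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=44 PROTO=TCP SPT=40124 DPT=21 SYN
Mon Jan  1 00:00:02 2024 kern.warn kernel: [  100.200001] REJECT wan in: IN=eth1 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=44 PROTO=TCP SPT=40125 DPT=22 SYN
Mon Jan  1 00:00:02 2024 kern.warn kernel: [  100.300001] REJECT wan in: IN=eth1 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=198.51.100.7 DST=198.51.100.2 LEN=44 PROTO=TCP SPT=51000 DPT=22 SYN
Mon Jan  1 00:00:02 2024 kern.warn kernel: [  100.400001] REJECT wan in: IN=eth1 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=44 PROTO=TCP SPT=40126 DPT=23 SYN
Mon Jan  1 00:00:03 2024 kern.warn kernel: [  100.500001] REJECT lan in: IN=br-lan OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=192.168.1.50 DST=192.168.1.1 LEN=44 PROTO=TCP SPT=33000 DPT=23 SYN
Mon Jan  1 00:00:03 2024 kern.warn kernel: [  100.600001] REJECT wan in: IN=eth1 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=44 PROTO=TCP SPT=40127 DPT=25 SYN
Mon Jan  1 00:00:03 2024 kern.warn kernel: [  100.700001] REJECT wan in: IN=eth1 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=198.51.100.7 DST=198.51.100.2 LEN=44 PROTO=TCP SPT=51001 DPT=443 SYN
Mon Jan  1 00:00:04 2024 daemon.info dropbear[1234]: Child connection from 203.0.113.5:40200
Mon Jan  1 00:00:04 2024 kern.warn kernel: [  100.800001] REJECT wan in: IN=eth1 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=44 PROTO=TCP SPT=40128 DPT=80 SYN
EOF
}

# offenders THRESHOLD  (log on stdin)
# Keep only WAN-side rejects, pull the SRC= address (IPv4 or IPv6), count per
# address and print the ones at or above the threshold, one per line, sorted.
offenders() {
    grep 'REJECT wan in:' \
      | sed -n 's/.*SRC=\([0-9A-Fa-f.:]*\).*/\1/p' \
      | sort | uniq -c \
      | awk -v t="$1" '$1 >= t { print $2 }'
}

# ban_commands  (IP list on stdin)
# Turn each offending address into an nft command with a timed set element,
# so the ban expires on its own after BAN_MINUTES instead of growing forever.
ban_commands() {
    while read -r ip; do
        [ -n "$ip" ] || continue
        printf 'nft add element %s %s { %s timeout %sm }\n' \
            "$NFT_TABLE" "$BAN_SET" "$ip" "$BAN_MINUTES"
    done
}

# Runs against the constructed sample when executed. On a router you would
# feed `logread` into offenders instead, and pipe the result to `sh` only
# after checking the output once by hand.
sample_log | offenders "$THRESHOLD" | ban_commands
```

Two caveats worth knowing before running this from cron against `logread`: the set must have been created with a timeout (in fw4 that is `option timeout` on the `config ipset` stanza; without it, `timeout 60m` in the element is rejected), and because `logread` returns the whole ring buffer, an address that is already banned will be re-added on every run, which is harmless with a timed set but means the 60 minutes effectively restart each time its old entries are still in the buffer. Rejects for forwarded ports do show up here, since the reject is logged by the router before the DNAT target ever sees the packet.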

There are public IP lists of scanners/attackers that you can use to create an ipset and use for blacklisting.

Those ports wouldn't show on the OpenWrt device though, but on the host those calls are forwarded to?

I used to have fail2ban set up and running, and it worked fine, but I ended up putting rules in my firewall allowing only IPs or IP ranges from devices I own or have access to.

Instead of allowing the whole world to connect, only the public IP ranges for my cell phone carrier are now allowed, this stopped 100% of all scans and logon attempts.

I'll consider this. Yeah mobility kills the fixed rules a bit.

Thx mate for the brainstorming.