Log and respond to possible attacks or unusual traffic

Hi,

I'd like to have a bit more visibility into what I'm getting from the WAN interface. Ideally I'd like to log traffic that gets dropped, rejected, invalid, pings, and so on, and send it to another server (a Raspberry Pi maybe?) to avoid wearing out the memory of the device.

Then automatically evaluate such logs and issue temporary bans. Is something like this possible? If so, which is the recommended software to use? Is there a way to modify the firewall (to block IPs) from another device?

There is a package called fail2ban which will block IPs that appear to be brute-forcing connection attempts. And there may be other tools like it.

But if you actually attempt to log all your incoming WAN connection attempts, you will require large amounts of storage and you may even cause a real load on your system (it could even decrease your throughput unless you have a powerful CPU), because general WAN attempts are entirely common and very frequent. Logging takes extra resources, so you should consider whether you want general logs or just logs for specific services or source IPs.

Thanks!

I'll check fail2ban; it's been a while since the last time I used it. However, what I'd like to have is some kind of report of the invalid/blocked traffic at some point, which is why I was thinking about sending the logs to a separate device for storage/parsing.

My current OpenWrt device is a NanoPi R4S. Not sure how much it could take, but I'm willing to give it a try. My idea is to configure rsyslog on the "log server", then set the "External system log server" configuration in OpenWrt to point to it (that should work, right?).

And then try to find a log collector / visualization and a way to add and remove rules to the firewall from this host...
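An added example (not code from any post in this thread) of the evaluation step described above: a small script the log server could run over firewall drop lines that OpenWrt forwards via syslog. The sample lines are constructed, their "drop wan in:" prefix and the threshold/ban durations are assumptions, and the script only decides which sources to ban temporarily; pushing rules back to the router is not shown.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the general shape of OpenWrt firewall drop
# messages as received by a remote syslog server. The prefix "drop wan in:"
# is an assumption; match it to whatever your zone's log option emits.
SAMPLE_LOG = """\
Jun 10 12:00:01 router kernel: drop wan in: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=40001 DPT=22
Jun 10 12:00:04 router kernel: drop wan in: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=40002 DPT=23
Jun 10 12:00:09 router kernel: drop wan in: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=40003 DPT=80
Jun 10 12:00:15 router kernel: drop wan in: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 PROTO=ICMP TYPE=8
Jun 10 12:00:20 router kernel: drop wan in: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=40004 DPT=443
Jun 10 12:09:00 router kernel: drop wan in: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.2 PROTO=UDP SPT=5353 DPT=5353
"""

# Syslog timestamp, host, "kernel:", then anything up to the SRC= field.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?\bSRC=(?P<src>[\d.]+)")


def parse_drops(text, year=2024):
    """Yield (timestamp, source_ip) for each firewall drop line.
    Classic syslog timestamps carry no year, so one is supplied."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a firewall log line; ignore other syslog traffic
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["src"]


def evaluate_bans(text, threshold=3, window=timedelta(seconds=60),
                  ban_for=timedelta(minutes=10)):
    """Return {source_ip: ban_expiry}. A source that produced `threshold`
    drops inside a sliding `window` is banned for `ban_for` from the
    triggering event; further hits during the ban are not re-counted."""
    recent = defaultdict(list)  # per-source timestamps still inside the window
    bans = {}
    for ts, src in sorted(parse_drops(text)):
        if src in bans and ts < bans[src]:
            continue  # already banned until expiry
        hits = [t for t in recent[src] if ts - t <= window] + [ts]
        recent[src] = hits
        if len(hits) >= threshold:
            bans[src] = ts + ban_for
            recent[src] = []  # start counting afresh once the ban expires
    return bans
```

With the sample above only 203.0.113.5 crosses the threshold; a single ICMP probe or a lone UDP packet from another host is logged but not banned.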

If there are no open ports/ logins on WAN (the default for OpenWrt), there's no need for fail2ban either.
