Hi all!
I'm Running a Vilfo (vilfo.com) router, that's running on LuCI openwrt-21.02.
is there anyway to monitor all ports, to detect(and ban) anybody that's running a scan on my wan ip?
Hi all!
I'm Running a Vilfo (vilfo.com) router, that's running on LuCI openwrt-21.02.
is there anyway to monitor all ports, to detect(and ban) anybody that's running a scan on my wan ip?
All WAN ports are closed by default, so there's nothing to scan.
What he said, but feel free to open some, to detect the scans....
Even if you spotted them they'd probably be using a transient or hijacked address, and have plenty of other ones to attack you from if they sense a vulnerability.
Just for clarity though, do you mean you have services running on a WAN port that you forward to LAN and you want to block an IP from accessing that service if you see also see them probing another port?
EDIT: Meant to say that this might help you: https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_traffic_logging
It seems you forgot some ironic or sarcastic tags in your post ;- )
In firewall WAN settings, turn on logging.
But this will be a lot of logging data so you need to have a more serious log handling system than the standard log in OpenWRT.
BanIP also has a setting to scan the WAN port and ban illegal brute force attempts.
BTW, if you want to have some services available externally for occasional use (eg VPN or SSH) while deterring baddies then you might want to take a look at "port knocking": https://openwrt.org/docs/guide-user/services/remote_control/portknock.server. In summary, you have to make a "magic knock" on other ports before the actual service port becomes active.
My own experience of DoS attacks on the 1194 OpenVPN port is if you look in the port scan log and compare that with the TCP/UDP registered port list you will notice that all the scanned ports aren’t random spread out all over the place. They are handpicked for the standard registered communications ports used.
So the easiest way to be “left alone” on for example VPN tunnels is to go non standard because no one is looking at those ports no one use. Unless you are caught in a targeted attack but I find that highly unlikely.
[quote="IanC, post:7, topic:102557"]
It's worth a look, thx
Thx, that's why I was looking for a monitor that only logs "scans", is there anyway to log to external server?
Banip?, haven't heard about that, got link?
Yes, If I remember right it is called external log IP or something like that in system settings.
You can set port also.
Yes! Openwrt.org and then go to packages.
oh, didn't see it in "lucic's" list of available packages (software), didn't know there was others not listed there..