[Q] Security monitoring

Hi all,
How do you guys security monitor your OpenWrt routers? Do you actually monitor connection attempts?

I noticed yesterday that there was an attempt to connect on port 1194 (OpenVPN) from an IP in Romania and another one from Singapore, and it made me wonder whether I should perhaps keep track of these and other snooping attempts.

If I want to do that, how easy is it to track and log the attempts for various ports as well as the originating IPs and frequencies? Any help would be appreciated.

p.s. I am aware of applications that block repeat attempts, such as IP banning, but I'm not quite there yet. I would like to start with logging first.
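The tracking the question asks for (which ports are probed, from which addresses, how often) can be done on the router itself with the tools BusyBox already ships. The script below is an added example for this thread, not code from the poster, from any reply or from the OpenWrt project. It assumes that logging has been turned on for the wan zone (`option log '1'`), which makes fw4/fw3 emit kernel lines prefixed `REJECT wan in:` (or `DROP wan in:`) that `logread` shows; the interface name `eth0`, the addresses and the log lines themselves are constructed for the example, not real captures.

```shell
#!/bin/sh
# Summarise what the OpenWrt firewall logged as rejected/dropped on the wan side.
# Added example for this thread; not code from any poster or from OpenWrt.
# Assumes `option log '1'` on the wan zone, so `logread` carries lines such as
# "... kernel: [..] REJECT wan in: IN=eth0 ... SRC=a.b.c.d ... PROTO=TCP ... DPT=1194 ...".
# SAMPLE_LOG is constructed for the example (documentation address ranges only).

SAMPLE_LOG=$(cat <<'EOF'
Tue Jan  2 10:00:01 2024 kern.warn kernel: [1000.10] REJECT wan in: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=54321 DPT=1194 WINDOW=29200 RES=0x00 SYN URGP=0
Tue Jan  2 10:00:07 2024 kern.warn kernel: [1006.20] REJECT wan in: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=42 TOS=0x00 PREC=0x00 TTL=52 ID=2 PROTO=UDP SPT=54322 DPT=1194 LEN=22
Tue Jan  2 10:01:15 2024 kern.warn kernel: [1074.30] REJECT wan in: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.77 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=3 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Tue Jan  2 10:01:40 2024 kern.warn kernel: [1099.40] REJECT wan in: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4 DF PROTO=TCP SPT=54323 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Tue Jan  2 10:03:02 2024 daemon.notice openvpn[1234]: TLS: Initial packet from [AF_INET]198.51.100.9:51820
Tue Jan  2 10:03:05 2024 kern.warn kernel: [1184.50] REJECT wan in: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.200 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=5 DF PROTO=TCP SPT=33333 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0
EOF
)

# Reduce firewall reject/drop lines on stdin to "HH:MM source proto dport".
# Every other log line (openvpn, dnsmasq, ...) is ignored. $4 is the time
# field of the logread timestamp ("Tue Jan  2 10:00:01 2024 ...").
fw_events() {
    awk '/(REJECT|DROP) wan in:/ {
        src = "-"; proto = "-"; dport = "-"
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n != 2) continue
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dport = kv[2]
        }
        printf "%s %s %s %s\n", substr($4, 1, 5), src, proto, dport
    }'
}

# Hits per protocol/port, most probed first.
count_by_port() {
    fw_events | awk '{ n[$3 "/" $4]++ } END { for (k in n) printf "%d %s\n", n[k], k }' | sort -rn
}

# Hits per source address, noisiest first.
count_by_src() {
    fw_events | awk '{ n[$2]++ } END { for (k in n) printf "%d %s\n", n[k], k }' | sort -rn
}

# Hits per minute, in time order (the "frequency" the question asks about).
per_minute() {
    fw_events | awk '{ n[$1]++ } END { for (k in n) printf "%s %d\n", k, n[k] }' | sort
}

# Sources with at least $1 hits: the candidates for a later ban list.
repeat_sources() {
    fw_events | awk -v min="$1" '{ n[$2]++ } END { for (k in n) if (n[k] >= min) print k }' | sort
}

# Full report over the log on stdin. Buffer stdin once, since each section reads it.
report() {
    log=$(cat)
    echo "== hits per port ==";          printf '%s\n' "$log" | count_by_port
    echo "== hits per source ==";        printf '%s\n' "$log" | count_by_src
    echo "== hits per minute ==";        printf '%s\n' "$log" | per_minute
    echo "== sources with >= 2 hits =="; printf '%s\n' "$log" | repeat_sources 2
}

# Demo on the constructed sample. On a router: logread | report
printf '%s\n' "$SAMPLE_LOG" | report
```

The same functions work on live data by piping `logread` (or `logread -f` for a running tally) into `report`; without zone logging enabled there is nothing for them to match, which is why the `option log '1'` prerequisite matters. Note that the rate limit OpenWrt applies to zone logging (`log_limit`, default 10/minute) means the per-minute counts are a floor, not an exact number, during a fast scan.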

Unless you suspect you're specifically being targeted there's probably little point in going down this route. Just being online will result in various probes being sent to your IP, especially against well known port numbers. Logging all these attempts is unlikely to tell you anything more of use.

6 Likes

I use softflowd (https://openwrt.org/packages/pkgdata/softflowd) and nfsen.

FYI - Your firewall should already be blocking this [unsolicited] traffic; you shouldn't need to specify each offending IP.

2 Likes

The bad boys scan all the registered communication ports like 22, 80, 443 and, in this case, 1194.

As soon as they find a responding port on 1194, they assume they have found a VPN tunnel or a small business, and the connection attempts will begin; these will be logged in the OpenVPN log. After that the DoS/DDoS attacks will come with higher and higher frequency over time, and they will last for about 30 min each time.

But the simplest tactic to evade them is to not use registered ports like 1194 towards the internet and let them bounce off the firewall.

You can log everything the firewall drops, but the only confirmation you will see in the log is that the internet is a bad place to be.

2 Likes

Install fail2ban, or limit the IPs allowed to connect.
There are also blacklists of scanning IPs.

3 Likes

Port scans and connection attempts happen all the time; reporting them simply doesn't make sense. Your passwords/keys need to be secure (fail2ban-like approaches make sense, but the reporting doesn't: no one is going to read or take seriously the 47th connection attempt at 00:01 and then remain attentive for 00:02; not that you'd be able to manually react in time anyway).

3 Likes

I am dropping, via the firewall, the initial 3 SYN packets towards the router; some of the TCP port scan attempts will fail this way. Usually, if there is a real connection, it is likely to retry and connect. Also, there could be some logging (and then dropping) of the packets received on some well-known port (22), and the result could then be used to feed a filtering rule. The client source networks are known in my case, so they are whitelisted, and then the additional filtering applies. If your client supports setting the port number, do not use a well-known port for the server. With some additional software you can do, for example, "port knocking".
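Three pieces of advice recur in the replies above: log what the wan zone rejects, move the VPN off the registered port 1194, and accept it only from client networks you already know. The script below puts the firewall side of that into `uci` commands for OpenWrt. It is an added example, not code from any poster or from the OpenWrt project. Assumptions, all placeholders: the wan zone is `firewall.@zone[1]` (the default layout, lan first and wan second); the OpenVPN server is separately reconfigured to listen on UDP 51194, an arbitrary port from the dynamic range; and the client networks are 198.51.100.0/24 and 203.0.113.0/24. Unless `APPLY=1` is set and `uci` exists, the commands are only printed, so the script can be read and dry-run off the router.

```shell
#!/bin/sh
# Firewall side of the thread's advice, as uci commands for OpenWrt.
# Added example; not from any poster or from the OpenWrt project. Assumptions:
#  - wan zone is firewall.@zone[1] (default layout: @zone[0]=lan, @zone[1]=wan);
#  - the OpenVPN server is (re)configured elsewhere to listen on UDP 51194,
#    an arbitrary port in the dynamic range, instead of the registered 1194;
#  - the networks the clients connect from are known (placeholder nets below).
# Nothing is changed unless APPLY=1 is set and `uci` exists; otherwise each
# command is printed, which is the dry-run mode used off the router.

# Execute a uci command on a router with APPLY=1; print it otherwise.
run_uci() {
    if [ "${APPLY:-0}" = 1 ] && command -v uci >/dev/null 2>&1; then
        uci "$@"
    else
        echo "uci $*"
    fi
}

# IANA well-known ports are 0-1023 and registered ports 1024-49151; the thread's
# advice is to stay out of both, so accept only the dynamic range 49152-65535.
port_is_unregistered() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 49152 ] && [ "$1" -le 65535 ]
}

# $1 = VPN listen port, $2 = space-separated list of allowed client networks.
configure_firewall() {
    port="$1"; nets="$2"
    if ! port_is_unregistered "$port"; then
        echo "refusing port $port: pick one in 49152-65535" >&2
        return 1
    fi

    # 1. Log what the wan zone rejects, rate-limited so a scan cannot flood
    #    the log. This is what produces the "REJECT wan in:" lines in logread.
    run_uci set 'firewall.@zone[1].log=1'
    run_uci set 'firewall.@zone[1].log_limit=10/minute'

    # 2. Accept the VPN port only from the known client networks. Anything
    #    else falls through to the zone's default input policy (REJECT) and
    #    is logged by step 1; no per-offender rules are needed.
    run_uci add firewall rule
    run_uci set 'firewall.@rule[-1].name=Allow-OpenVPN-known-clients'
    run_uci set 'firewall.@rule[-1].src=wan'
    run_uci set 'firewall.@rule[-1].proto=udp'
    run_uci set "firewall.@rule[-1].dest_port=$port"
    for net in $nets; do
        run_uci add_list "firewall.@rule[-1].src_ip=$net"
    done
    run_uci set 'firewall.@rule[-1].target=ACCEPT'

    run_uci commit firewall
}

configure_firewall "${OVPN_PORT:-51194}" "${KNOWN_CLIENT_NETS:-198.51.100.0/24 203.0.113.0/24}"
# On the router, after APPLY=1: /etc/init.d/firewall reload
# and check the result with: uci show firewall.@zone[1]
```

The port check is deliberately strict: it refuses 1194 and anything else in the well-known or registered ranges, which is the behaviour the replies argue for. If your wan zone is not the second zone section, change the `@zone[1]` index before applying; `uci show firewall | grep name` lists the zones in order.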