My router is a TP-Link c7 running on a release 19.07.8 custom image.
Because someone is trying to log into my OpenSSH server, I entered these lines into /etc/config/firewall. The aim was that this someone should be rejected before getting to the "Show us your credentials" stage (or rejected at the earliest possible stage).
config rule
	option src 'wan'
	option name 'block-public-ip'
	list src_ip '220.127.116.11'
	option dest '*'
	option target 'REJECT'
	list proto 'all'
However in LuCI's System Log I still get:
Sat Oct 23 11:54:10 2021 auth.info sshd: Connection closed by 18.104.22.168 port 59794 [preauth]
Am I supposed to get this [preauth] line even after a config rule with REJECT? (Changing to DROP seems to make no difference.)
Is the config rule block no good? If so, what's the right way to do it?
(I know that wireguard is "silent" and therefore "better.")
Better yet, unless you specifically need to have ssh directly exposed to the internet, use a VPN (such as wireguard, as you mention) which will be far more secure.
Thank you. That totally worked. In regard to
"Specifies the traffic destination zone. Refers to one of the defined zone names, or * for any zone. If specified, the rule applies to forwarded traffic; otherwise, it is treated as input rule."
is there an express way to have the rule be treated as input? I mean something that looks like option __ 'INPUT'.
Thanks. It is actually my first time having an OpenSSH server up and exposed. I want to go through this stage as a learning experience before getting to VPN.
LuCI > Network > Firewall > Traffic Rules > Edit > Destination zone > Device (input)
Thanks. That does not seem to put a line in /etc/config/firewall. So I'll understand that a missing option dest line is the only config file equivalent to setting LuCI Destination zone to Device (input).