OpenWrt Forum Archive

Topic: Firewall config - block after X attempts

The content of this topic has been archived on 19 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi there,
Is it possible to open a router port (22) to the WAN, but limit it to X connections in X seconds?

I'm asking this, because of this log:

May 31 17:29:00 owrt86 authpriv.info dropbear[12192]: Exit before auth: Disconnect received
May 31 17:29:00 owrt86 authpriv.info dropbear[12204]: Child connection from 80.69.77.247:33374
May 31 17:29:02 owrt86 authpriv.warn dropbear[12204]: Login attempt for nonexistent user from 80.69.77.247:33374
May 31 17:29:03 owrt86 authpriv.info dropbear[12204]: Exit before auth: Disconnect received
May 31 17:29:03 owrt86 authpriv.info dropbear[12234]: Child connection from 80.69.77.247:33806
May 31 17:29:04 owrt86 authpriv.warn dropbear[12234]: Login attempt for nonexistent user from 80.69.77.247:33806
May 31 17:29:05 owrt86 authpriv.info dropbear[12234]: Exit before auth: Disconnect received
May 31 17:29:06 owrt86 authpriv.info dropbear[12291]: Child connection from 80.69.77.247:34237
May 31 17:29:07 owrt86 authpriv.warn dropbear[12291]: Login attempt for nonexistent user from 80.69.77.247:34237
May 31 17:29:08 owrt86 authpriv.info dropbear[12291]: Exit before auth: Disconnect received
May 31 17:29:08 owrt86 authpriv.info dropbear[12321]: Child connection from 80.69.77.247:34646
May 31 17:29:09 owrt86 authpriv.warn dropbear[12321]: Login attempt for nonexistent user from 80.69.77.247:34646
May 31 17:29:10 owrt86 authpriv.info dropbear[12321]: Exit before auth: Disconnect received
May 31 17:29:10 owrt86 authpriv.info dropbear[12378]: Child connection from 80.69.77.247:35039
May 31 17:29:12 owrt86 authpriv.warn dropbear[12378]: Login attempt for nonexistent user from 80.69.77.247:35039
May 31 17:29:13 owrt86 authpriv.info dropbear[12378]: Exit before auth: Disconnect received
May 31 17:29:13 owrt86 authpriv.info dropbear[12408]: Child connection from 80.69.77.247:35481
May 31 17:29:15 owrt86 authpriv.warn dropbear[12408]: Login attempt for nonexistent user from 80.69.77.247:35481
May 31 17:29:15 owrt86 authpriv.info dropbear[12408]: Exit before auth: Disconnect received
May 31 17:29:16 owrt86 authpriv.info dropbear[12420]: Child connection from 80.69.77.247:35910
May 31 17:29:17 owrt86 authpriv.warn dropbear[12420]: Login attempt for nonexistent user from 80.69.77.247:35910
May 31 17:29:18 owrt86 authpriv.info dropbear[12420]: Exit before auth: Disconnect received
May 31 17:29:18 owrt86 authpriv.info dropbear[12450]: Child connection from 80.69.77.247:36359
May 31 17:29:20 owrt86 authpriv.warn dropbear[12450]: Login attempt for nonexistent user from 80.69.77.247:36359
May 31 17:29:21 owrt86 authpriv.info dropbear[12450]: Exit before auth: Disconnect received
May 31 17:29:21 owrt86 authpriv.info dropbear[12462]: Child connection from 80.69.77.247:36764
May 31 17:29:22 owrt86 authpriv.warn dropbear[12462]: Login attempt for nonexistent user from 80.69.77.247:36764
May 31 17:29:23 owrt86 authpriv.info dropbear[12462]: Exit before auth: Disconnect received
May 31 17:29:23 owrt86 authpriv.info dropbear[12492]: Child connection from 80.69.77.247:37182
May 31 17:29:25 owrt86 authpriv.warn dropbear[12492]: Login attempt for nonexistent user from 80.69.77.247:37182
May 31 17:29:26 owrt86 authpriv.info dropbear[12492]: Exit before auth: Disconnect received
May 31 17:29:26 owrt86 authpriv.info dropbear[12504]: Child connection from 80.69.77.247:37599
May 31 17:29:27 owrt86 authpriv.warn dropbear[12504]: Login attempt for nonexistent user from 80.69.77.247:37599
May 31 17:29:28 owrt86 authpriv.info dropbear[12504]: Exit before auth: Disconnect received
May 31 17:29:29 owrt86 authpriv.info dropbear[12535]: Child connection from 80.69.77.247:38025
May 31 17:29:30 owrt86 authpriv.warn dropbear[12535]: Login attempt for nonexistent user from 80.69.77.247:38025
May 31 17:29:31 owrt86 authpriv.info dropbear[12535]: Exit before auth: Disconnect received
May 31 17:29:31 owrt86 authpriv.info dropbear[12546]: Child connection from 80.69.77.247:38458
May 31 17:29:33 owrt86 authpriv.warn dropbear[12546]: Login attempt for nonexistent user from 80.69.77.247:38458
May 31 17:29:33 owrt86 authpriv.info dropbear[12546]: Exit before auth: Error reading: Connection reset by peer
May 31 17:29:34 owrt86 authpriv.info dropbear[12577]: Child connection from 80.69.77.247:38864
May 31 17:29:35 owrt86 authpriv.warn dropbear[12577]: Login attempt for nonexistent user from 80.69.77.247:38864
May 31 17:29:36 owrt86 authpriv.info dropbear[12577]: Exit before auth: Disconnect received
May 31 17:29:36 owrt86 authpriv.info dropbear[12660]: Child connection from 80.69.77.247:39293
May 31 17:29:38 owrt86 authpriv.warn dropbear[12660]: Login attempt for nonexistent user from 80.69.77.247:39293
May 31 17:29:39 owrt86 authpriv.info dropbear[12660]: Exit before auth: Disconnect received
May 31 17:29:39 owrt86 authpriv.info dropbear[12709]: Child connection from 80.69.77.247:39708
May 31 17:29:40 owrt86 authpriv.warn dropbear[12709]: Login attempt for nonexistent user from 80.69.77.247:39708
May 31 17:29:41 owrt86 authpriv.info dropbear[12709]: Exit before auth: Disconnect received
May 31 17:29:41 owrt86 authpriv.info dropbear[12747]: Child connection from 80.69.77.247:40140
May 31 17:29:43 owrt86 authpriv.warn dropbear[12747]: Login attempt for nonexistent user from 80.69.77.247:40140
May 31 17:29:44 owrt86 authpriv.info dropbear[12747]: Exit before auth: Disconnect received
May 31 17:29:44 owrt86 authpriv.info dropbear[12751]: Child connection from 80.69.77.247:40551
May 31 17:29:45 owrt86 authpriv.warn dropbear[12751]: Login attempt for nonexistent user from 80.69.77.247:40551
May 31 17:29:46 owrt86 authpriv.info dropbear[12751]: Exit before auth: Disconnect received
May 31 17:29:47 owrt86 authpriv.info dropbear[12790]: Child connection from 80.69.77.247:40997
May 31 17:29:48 owrt86 authpriv.warn dropbear[12790]: Login attempt for nonexistent user from 80.69.77.247:40997
May 31 17:29:49 owrt86 authpriv.info dropbear[12790]: Exit before auth: Disconnect received
May 31 17:29:49 owrt86 authpriv.info dropbear[12793]: Child connection from 80.69.77.247:41411
May 31 17:29:51 owrt86 authpriv.warn dropbear[12793]: Login attempt for nonexistent user from 80.69.77.247:41411
May 31 17:29:52 owrt86 authpriv.info dropbear[12793]: Exit before auth: Disconnect received
May 31 17:29:52 owrt86 authpriv.info dropbear[12832]: Child connection from 80.69.77.247:41847
May 31 17:29:53 owrt86 authpriv.warn dropbear[12832]: Login attempt for nonexistent user from 80.69.77.247:41847
May 31 17:29:54 owrt86 authpriv.info dropbear[12832]: Exit before auth: Disconnect received
May 31 17:29:55 owrt86 authpriv.info dropbear[12835]: Child connection from 80.69.77.247:42273
May 31 17:29:56 owrt86 authpriv.warn dropbear[12835]: Login attempt for nonexistent user from 80.69.77.247:42273
May 31 17:29:57 owrt86 authpriv.info dropbear[12835]: Exit before auth: Disconnect received
May 31 17:29:57 owrt86 authpriv.info dropbear[12874]: Child connection from 80.69.77.247:42680
May 31 17:29:59 owrt86 authpriv.warn dropbear[12874]: Login attempt for nonexistent user from 80.69.77.247:42680
May 31 17:29:59 owrt86 authpriv.info dropbear[12874]: Exit before auth: Disconnect received
May 31 17:30:00 owrt86 authpriv.info dropbear[12877]: Child connection from 80.69.77.247:43072
May 31 17:30:01 owrt86 authpriv.warn dropbear[12877]: Login attempt for nonexistent user from 80.69.77.247:43072
May 31 17:30:02 owrt86 authpriv.info dropbear[12877]: Exit before auth: Disconnect received
May 31 17:30:02 owrt86 authpriv.info dropbear[12916]: Child connection from 80.69.77.247:43497
May 31 17:30:04 owrt86 authpriv.warn dropbear[12916]: Login attempt for nonexistent user from 80.69.77.247:43497
May 31 17:30:04 owrt86 authpriv.info dropbear[12916]: Exit before auth: Disconnect received
May 31 17:30:05 owrt86 authpriv.info dropbear[12928]: Child connection from 80.69.77.247:43909
May 31 17:30:06 owrt86 authpriv.warn dropbear[12928]: Login attempt for nonexistent user from 80.69.77.247:43909
May 31 17:30:07 owrt86 authpriv.info dropbear[12928]: Exit before auth: Disconnect received
May 31 17:30:07 owrt86 authpriv.info dropbear[13003]: Child connection from 80.69.77.247:44336
May 31 17:30:09 owrt86 authpriv.warn dropbear[13003]: Login attempt for nonexistent user from 80.69.77.247:44336
May 31 17:30:10 owrt86 authpriv.info dropbear[13003]: Exit before auth: Disconnect received
May 31 17:30:10 owrt86 authpriv.info dropbear[13060]: Child connection from 80.69.77.247:44765
May 31 17:30:11 owrt86 authpriv.warn dropbear[13060]: Login attempt for nonexistent user from 80.69.77.247:44765
May 31 17:30:12 owrt86 authpriv.info dropbear[13060]: Exit before auth: Disconnect received

I can't change the port number (22, SSH), because I can only connect to it from my work on this port.
Anyone?

How about adding these lines to /etc/firewall.user, which will be included in /etc/config/firewall:

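# ===  Block invalid SSH login request (3 tries in 1 minute period)  ===
# New connections to port 22: accepted at up to 3/min (burst 2). -m limit is one counter shared
# by all sources; connections over the limit fall through to the later rules or chain policy.
/usr/sbin/iptables -I INPUT -j ACCEPT -p tcp -m state --state NEW --dport 22 -m limit --limit 3/min --limit-burst 2
# Packets belonging to already established SSH sessions: always accepted.
/usr/sbin/iptables -I INPUT -j ACCEPT -p tcp -m state --state RELATED,ESTABLISHED --dport 22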

but I'm not sure that's what you want.

These put a limit of 3 connections per minute to port 22?
Looks excellent

Instead of -m state --state you should use -m conntrack --ctstate. The state module has been deprecated in favor of the conntrack module.

Alternatives to -m limit are -m recent and maybe also -m connlimit. Maybe there are more. Don't know which one is better.
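
Added example, not part of the archived thread: a simplified Python model of the two matches discussed above, replayed over a constructed timeline, to show that -m limit is one bucket shared by every source while -m recent keeps a hit list per source. The admin address 198.51.100.10, the timeline, and the -m recent parameters (60 seconds, hit count 4, update rule placed before the set rule) are assumptions.

```python
"""Simplified models of -m limit and -m recent (added example, not from the thread)."""
from collections import defaultdict, deque

class GlobalLimit:
    """-m limit --limit 3/min --limit-burst 2: ONE bucket for all sources."""
    def __init__(self, per_minute=3, burst=2):
        self.cost = 60 // per_minute       # seconds of credit one match costs
        self.cap = burst * self.cost       # --limit-burst caps saved-up credit
        self.credit, self.last = self.cap, None

    def accept(self, t, src):
        if self.last is not None:          # credit refills with elapsed time
            self.credit = min(self.cap, self.credit + (t - self.last))
        self.last = t
        if self.credit >= self.cost:
            self.credit -= self.cost
            return True                    # rule matches -> ACCEPT
        return False                       # no match -> falls through to drop

class PerSourceRecent:
    """-m recent with an --update ... -j DROP rule ahead of a --set ... -j ACCEPT rule."""
    def __init__(self, seconds=60, hitcount=4):
        self.seconds, self.hitcount = seconds, hitcount
        self.hits = defaultdict(deque)     # one timestamp list per source

    def accept(self, t, src):
        stamps = self.hits[src]
        recent = sum(1 for s in stamps if t - s <= self.seconds)
        stamps.append(t)                   # a matching --update or the --set records the hit
        return recent < self.hitcount      # dropped once hitcount is reached

def replay(limiter, events):
    """Return {src: number of accepted NEW connections} for (time, src) events."""
    accepted = {src: 0 for _, src in events}
    for t, src in sorted(events):
        if limiter.accept(t, src):
            accepted[src] += 1
    return accepted

# Constructed timeline: the scanner address from the log opens a connection
# every 3 s for 90 s; an admin (documentation address) connects once at t=46.
SCANNER, ADMIN = "80.69.77.247", "198.51.100.10"
EVENTS = [(t, SCANNER) for t in range(0, 90, 3)] + [(46, ADMIN)]

if __name__ == "__main__":
    print("shared -m limit  :", replay(GlobalLimit(), EVENTS))
    print("per-source recent:", replay(PerSourceRecent(), EVENTS))
```

With the shared bucket the scanner uses up the budget and the admin's single connection is refused; with per-source tracking the scanner is cut off after four connections and the admin gets in.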
