I am suffering a lot of brute force SSH attempts and would like to implement a simple rule to fix this as explained here: http://www.macsat.com/macsat/content/vi … /#sshbrute
iptables -t filter -A input_rule -i $WAN -p TCP --dport 22 -m recent --name SSH --rcheck --hitcount 3 --seconds 120 -j LOG --log-prefix "SSH_BRUTE "
iptables -t filter -A input_rule -i $WAN -p TCP --dport 22 -m recent --name SSH --update --hitcount 3 --seconds 120 -j DROP
iptables -t filter -A input_rule -i $WAN -p TCP --dport 22 -m recent --name SSH --set -j ACCEPT
I am using OpenWrt White Russian - With X-Wrt Extensions 0.9 and this uses two separate files for setting up the firewall: /etc/firewall.user and /etc/config/firewall. The latter is used for the webif but uses a syntax I do not understand. Could anyone help me out with how to implement the above rules in /etc/config/firewall? If I put them in /etc/firewall.user the rules don't seem to apply. I think that the pre-built X-WRT already comes with the required packages.
My /etc/firewall.user:
#!/bin/sh
# Copyright (C) 2006 OpenWrt.org
iptables -F input_rule
iptables -F output_rule
iptables -F forwarding_rule
iptables -t nat -F prerouting_rule
iptables -t nat -F postrouting_rule
# The following chains are for traffic directed at the IP of the
# WAN interface
iptables -F input_wan
iptables -F forwarding_wan
iptables -t nat -F prerouting_wan
### Open port to WAN
## -- This allows port 22 to be answered by (dropbear on) the router
# iptables -t nat -A prerouting_wan -p tcp --dport 22 -j ACCEPT
# iptables -A input_wan -p tcp --dport 22 -j ACCEPT
iptables -t filter -A input_rule -i $WAN -p TCP --dport 22 -m recent --name SSH --rcheck --hitcount 3 --seconds 120 -j LOG --log-prefix "SSH_BRUTE "
iptables -t filter -A input_rule -i $WAN -p TCP --dport 22 -m recent --name SSH --update --hitcount 3 --seconds 120 -j DROP
iptables -t filter -A input_rule -i $WAN -p TCP --dport 22 -m recent --name SSH --set -j ACCEPT
### Port forwarding
## -- This forwards port 8080 on the WAN to port 80 on 192.168.1.2
# iptables -t nat -A prerouting_wan -p tcp --dport 8080 -j DNAT --to 192.168.1.2:80
# iptables -A forwarding_wan -p tcp --dport 80 -d 192.168.1.2 -j ACCEPT
### DMZ
## -- Connections to ports not handled above will be forwarded to 192.168.1.2
# iptables -t nat -A prerouting_wan -j DNAT --to 192.168.1.2
# iptables -A forwarding_wan -d 192.168.1.2 -j ACCEPT
My /etc/config/firewall:
accept:dport=22
Installed packages (ipkg list_installed |sort):
base-files - 9 - OpenWrt filesystem structure and scripts
base-files-brcm - 2 - Board/architecture specific files
bridge - 1.0.6-1 - Ethernet bridging tools
busybox - 1.4.0-1 - Core utilities for embedded Linux systems
dnsmasq - 2.35-1 - A lightweight DNS and DHCP server
dropbear - 0.48.1-1 - a small SSH 2 server/client designed for small memory environments.
e2fsprogs - 1.38-1 -
ez-ipupdate - 3.0.11b8-2 - a client for dynamic DNS services
fdisk - 2.12r-1 -
haserl - 0.8.0-1 - a CGI wrapper to embed shell scripts in HTML documents
ip - 2.6.11-050330-1 - iproute2 routing control utility
ipkg - 0.99.149-2 - lightweight package management system
ipkg-upgrade-fix - 0.2-1 - Shows warning about 'ipkg upgrade' when user tries to use it.
iptables - 1.3.3-2 - The netfilter firewalling software for IPv4
iptables-mod-conntrack - 1.3.3-2 - Iptables (IPv4) extensions for connection tracking
iptables-mod-extra - 1.3.3-2 - Other extra Iptables (IPv4) extensions
iptables-mod-filter - 1.3.3-2 - Iptables (IPv4) extension for packet content inspection
iptables-mod-imq - 1.3.3-2 - Iptables (IPv4) extensions for Intermediate Queuing Device QoS-support
iptables-mod-ipopt - 1.3.3-2 - Iptables (IPv4) extensions for matching/changing IP packet options
iwlib - 29.pre10-1 - Library for setting up WiFi cards using the Wireless Extension
kernel - 2.4.30-brcm-5 -
kmod-brcm-wl - 2.4.30-brcm-5 - Proprietary driver for Broadcom Wireless chipsets
kmod-diag - 2.4.30-brcm-5 - Kernel modules for LEDs and buttons
kmod-ext2 - 2.4.30-brcm-5 - Kernel modules for EXT2 filesystem support
kmod-ext3 - 2.4.30-brcm-5 - Kernel modules for EXT3 filesystem support
kmod-imq - 2.4.30-brcm-5 - Kernel support for the Intermediate Queueing device
kmod-ipt-conntrack - 2.4.30-brcm-5 - Extra Netfilter (IPv4) kernel modules for connection tracking
kmod-ipt-extra - 2.4.30-brcm-5 - Other extra Netfilter (IPv4) kernel modules
kmod-ipt-filter - 2.4.30-brcm-5 - Netfilter (IPv4) kernel modules for packet content inspection
kmod-ipt-ipopt - 2.4.30-brcm-5 - Netfilter (IPv4) kernel modules for matching/changing IP packet options
kmod-ipt-nat-default - 2.4.30-brcm-5 - Default Netfilter (IPv4) NAT kernel modules for special protocols
kmod-ppp - 2.4.30-brcm-5 - PPP support
kmod-pppoe - 2.4.30-brcm-5 - PPP over Ethernet support
kmod-sched - 2.4.30-brcm-5 - Kernel schedulers for IP traffic
kmod-switch - 2.4.30-brcm-1 - switch driver for robo/admtek switch
kmod-tun - 2.4.30-brcm-5 - Kernel TUN/TAP extension
kmod-usb-core - 2.4.30-brcm-5 - Kernel Support for USB
kmod-usb-storage - 2.4.30-brcm-5 - Kernel modules for USB storage support
kmod-usb2 - 2.4.30-brcm-5 - Kernel driver for USB2 controllers
kmod-vfat - 2.4.30-brcm-5 - Kernel modules for VFAT filesystem support
kmod-wlcompat - 2.4.30-brcm-4 - Compatibility module for using the Wireless Extension with broadcom's wl
libgcc - 3.4.4-9 - GCC support library
liblzo - 2.02-1 - a real-time data compression library
libopenssl - 0.9.8d-1 - OpenSSL (Secure Socket Layer) libraries
miniupnpd - 1.0-RC3-1 - a small and capable UPNP daemon.
mtd - 4 - Tool for modifying the flash chip
nas - 3.90.37-17 - Proprietary Broadcom WPA Authenticator/Supplicant
ntpclient - 2003_194-2 - NTP client for setting system time from NTP servers.
nvram - 1 - NVRAM utility and libraries for Broadcom hardware
openvpn - 2.0.9-1 - Open source VPN solution using SSL
ppp - 2.4.3-7 - a PPP (Point-to-Point Protocol) daemon (with MPPE/MPPC support)
ppp-mod-pppoe - 2.4.3-7 - a PPPoE (PPP over Ethernet) plugin for PPP
qos-scripts - 0.9.4-1 - QoS scripts for OpenWrt
samba-server - 2.0.10-2 - NetBIOS/SMB file and print server
tc - 2.6.11-050330-1 - iproute2 traffic control utility
uclibc - 0.9.27-9 - Standard C library for embedded Linux systems
webif - 0.3-6 -
wificonf - 6 - Replacement utility for wlconf
wireless-tools - 29.pre10-1 - Tools for setting up WiFi cards using the Wireless Extension
wol - 0.7.1-1 - A Program to send magic Wake-on-LAN packets
(Last edited by 500gx on 21 Apr 2007, 12:05)
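Editor's note: the three `-m recent` rules at the top of this post are easier to reason about when you can see what the `SSH` list does to each packet. The Python model below is an added illustration, not code from the original post or from OpenWrt: it simulates `--set`, `--rcheck` and `--update` with `--hitcount 3 --seconds 120` and walks the rules in the posted order (LOG, then DROP, then ACCEPT) over a constructed trace of connection attempts. The addresses, timestamps and the 20-timestamp cap per entry are assumptions of the model; the `--seconds` window boundary is approximated as strictly less than the limit. One point the model makes visible: the list counts every packet that reaches the chain, so whether only new connections are counted depends on the rules evaluated before `input_rule`, and `--update` on the DROP rule keeps refreshing the entry while the source keeps trying.

```python
"""Model of the iptables 'recent' match behind the posted SSH_BRUTE rules.

Added illustration (not the original post's code): one entry per source
address, each remembering up to MAX_HITS timestamps, as the kernel module
does.  filter_packet() walks the three posted rules in order and returns
the verdict plus whether the LOG rule fired.
"""

MAX_HITS = 20  # assumed cap per entry (ipt_recent's default list length)


class RecentTable:
    """One named list (--name SSH): source address -> recent hit timestamps."""

    def __init__(self):
        self.entries = {}

    def hits_in_window(self, src, now, seconds):
        # Hits younger than the window are counted; boundary treated as expired.
        return sum(1 for ts in self.entries.get(src, ()) if now - ts < seconds)

    def rcheck(self, src, now, hitcount, seconds):
        """--rcheck: match if src has >= hitcount hits in the window; no change."""
        return src in self.entries and self.hits_in_window(src, now, seconds) >= hitcount

    def update(self, src, now, hitcount, seconds):
        """--update: like --rcheck, but a match also records this packet as a hit."""
        if self.rcheck(src, now, hitcount, seconds):
            self._record(src, now)
            return True
        return False

    def set(self, src, now):
        """--set: add src to the list, or record another hit if already present."""
        self._record(src, now)
        return True

    def _record(self, src, now):
        hits = self.entries.setdefault(src, [])
        hits.append(now)
        del hits[:-MAX_HITS]  # keep only the newest MAX_HITS timestamps


def filter_packet(table, src, now, hitcount=3, seconds=120):
    """Apply the posted rules in order. Returns (verdict, logged)."""
    # Rule 1: --rcheck ... -j LOG (non-terminating, so evaluation continues)
    logged = table.rcheck(src, now, hitcount, seconds)
    # Rule 2: --update ... -j DROP (a match refreshes the entry and drops)
    if table.update(src, now, hitcount, seconds):
        return "DROP", logged
    # Rule 3: --set -j ACCEPT (first hits are remembered and allowed)
    table.set(src, now)
    return "ACCEPT", logged


def simulate(trace, hitcount=3, seconds=120):
    """Run a (time, src) trace through a fresh list; returns (t, src, verdict, logged) rows."""
    table = RecentTable()
    return [(t, src) + filter_packet(table, src, t, hitcount, seconds) for t, src in trace]


# Constructed trace: a scanner at 203.0.113.7 and one legitimate login from 198.51.100.2.
TRACE = [
    (0, "203.0.113.7"), (10, "203.0.113.7"), (20, "203.0.113.7"),
    (25, "198.51.100.2"),      # unrelated source: its own entry, unaffected
    (30, "203.0.113.7"),       # 4th attempt within 120 s: logged and dropped
    (40, "203.0.113.7"),       # still dropped; --update keeps refreshing the entry
    (135, "203.0.113.7"),      # hits at 20/30/40 are still inside the window: dropped
    (260, "203.0.113.7"),      # quiet for more than 120 s: window empty, accepted again
]

if __name__ == "__main__":
    for t, src, verdict, logged in simulate(TRACE):
        print(f"t={t:>4}s  {src:<14} {verdict:<6} {'SSH_BRUTE logged' if logged else ''}")
```

Reading the output, three attempts from one address are accepted, the fourth and later ones are logged with the `SSH_BRUTE` prefix and dropped, and the address is only released once it has been silent for the full window; a second source with its own entry is never affected.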