@sfx2000, take a look at my example RouterOS config. Instead of blocking a whole country, what I do is block based on an input attempt. If an input attempt fails, regardless of what port it uses (like if I'm not using port 21 and someone tries to see if it is open), then blacklist it.
China isn't the only country running bot hacks; there's Brazil, Africa, Russia, the US, even Amazon cloud.
CN 77, US 73, TW 15, NL 8, DE 5, IE 4, JP 3, TR 3, SG 2, GB 2, FR 2, CZ 1, ZA 1, PA 1, CH 1, AT 1, MX 1, HK 1, CO 1, KR 1, IR 1
Never expose your SSH/SMTP port to the net. If you need to use SMTP, make sure authentication is required and blacklist IP addresses after 3 attempts. You should also use the DoS protection for all services, which is to delay the response after a wrong login. Don't blacklist for an hour; blacklist for days or forever. I suggest using a VPN if you need to access SSH from outside.
China isn't the only country running bot hacks; there's Brazil, Africa, Russia, the US, even Amazon cloud. An infected device could be running scripts to try and hack you. Just blocking China may not be an effective method. Hackers do use Amazon cloud to hack others. Amazon can't stop people from renting their cloud; they can't do background checks to see if you secretly meet other people in a hut out in the forest. My proxy once had a botnet spamming it with ads, trying to make it browse other ads, and it all came from Amazon.
On my home router (at the moment an RT-AC56U), I have ports open for the OpenVPN server (1 port), IPsec VPN (2) and http server (1). ICMP 0/3/11 with ctstate NEW are accepted, as well as ICMP 8, rate limited. This is IPv4.
The http is for a special and limited purpose. It has no authentication but is ipset-restricted to a tiny IP range. The two VPNs are open to the wild. OpenVPN used to be my main connection while not at home, for a multitude of purposes (one use is superb ad blocking). The IPsec VPN was set up later to replace it. It runs IKEv2 (strongSwan as auth and keying agent + multi-threaded crypto engine in the kernel).
I still keep OpenVPN, but on TCP, because some networks, especially WiFi hotspots, don't like UDP. Both authentications use 2048-bit certificates. For encryption, I pick 128-bit AES - a good balance between speed and privacy IMO.
I haven't seen floods on the open ports. When it happens, I might consider rate limiting on them. I handcraft all iptables rules. They're arranged in a way that the whitelist comes first and good packets go through minimal traversal of the iptables. Everything else is considered bad and dropped, with the packets logged.
Cool - something you might consider is keeping an eye on entropy - check
/proc/sys/kernel/random/entropy_avail
It should always be higher than 200, and my endpoint, since it's headless, would often drop below that - the fix there was to install/configure haveged, which helps keep random numbers a bit more random.
Good setup - being TCP, do you see a fair amount of door-knocker noise on that port in the logs?
Drop everything, and then only let certain trusted IPs and blocks in - more efficient that way...
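The ordering argued for across the thread (trusted sources accepted first, then the explicitly served ports, an unsolicited probe of a port that is not served puts the source on a multi-day blacklist, and everything else is logged and dropped) can be written as one iptables-restore ruleset. The script below is an added example and is not any poster's own rules or RouterOS config; the trusted ranges, the http client range and the OpenVPN TCP port are assumptions taken from RFC 5737 documentation addresses. One caveat the thread glosses over: a packet filter can only count connection attempts, not failed logins, so the "3 wrong passwords" rule from the SMTP post has to live in the daemon or a log watcher, and a blacklist-on-probe rule must sit after the whitelist, otherwise one spoofed SYN from your own address locks you out.

```shell
#!/bin/sh
# Added example, not the thread posters' own rules. Emits an iptables-restore
# ruleset (IPv4) ordered: whitelist -> blacklist drop -> served ports ->
# probe-to-closed-port blacklists the source -> log+drop the rest.
# Every address and port below is an assumption (RFC 5737 doc ranges).

TRUSTED_NETS="203.0.113.0/24 198.51.100.7"  # assumed admin sources, checked first
HTTP_CLIENTS="192.0.2.0/28"                  # assumed tiny range allowed to reach http
OPENVPN_TCP=443                              # assumed OpenVPN-over-TCP port
BLACKLIST_SECONDS=$((3 * 24 * 3600))         # three days, not an hour
LOG_PER_MIN=10                               # cap log volume so a flood can't fill the disk

gen_rules() {
    # Default-DROP policies and the helper chains.
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:WHITELIST - [0:0]
:SERVICES - [0:0]
:BLACKLIST - [0:0]
:LOGDROP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j WHITELIST
EOF
    # 1. Trusted sources are accepted before any blacklist check, so a
    #    spoofed probe can never lock the admin out.
    for net in $TRUSTED_NETS; do
        echo "-A WHITELIST -s $net -j ACCEPT"
    done
    # 2. Sources already on the blacklist are dropped silently, before services.
    echo "-A INPUT -m recent --name blacklist --rcheck --seconds $BLACKLIST_SECONDS -j DROP"
    # 3. The ports that are meant to be reachable from the wild.
    echo "-A INPUT -m conntrack --ctstate NEW -j SERVICES"
    echo "-A SERVICES -p udp --dport 1194 -j ACCEPT"                        # OpenVPN UDP
    echo "-A SERVICES -p tcp --dport $OPENVPN_TCP -j ACCEPT"                # OpenVPN TCP (hotspot-friendly)
    echo "-A SERVICES -p udp -m multiport --dports 500,4500 -j ACCEPT"      # IKEv2 + NAT-T
    echo "-A SERVICES -p tcp --dport 80 -s $HTTP_CLIENTS -j ACCEPT"         # unauthenticated http, source-restricted
    echo "-A SERVICES -p icmp --icmp-type 8 -m limit --limit 5/s -j ACCEPT" # rate-limited echo request
    # 4. Any other new TCP connection is a probe of a port we do not serve:
    #    record the source on the blacklist, then log and drop it.
    echo "-A INPUT -p tcp --syn -j BLACKLIST"
    echo "-A BLACKLIST -m recent --name blacklist --set"
    echo "-A BLACKLIST -j LOGDROP"
    # 5. Everything else: log (rate-limited) and drop.
    echo "-A INPUT -j LOGDROP"
    echo "-A LOGDROP -m limit --limit $LOG_PER_MIN/min -j LOG --log-prefix \"fw-drop: \""
    echo "-A LOGDROP -j DROP"
    echo "COMMIT"
}

apply_rules() {
    # Validate the syntax with --test before committing anything; needs root.
    command -v iptables-restore >/dev/null 2>&1 || { echo "iptables-restore not found" >&2; return 1; }
    gen_rules | iptables-restore --test && gen_rules | iptables-restore
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules
else
    gen_rules   # review the ruleset first; run with --apply to load it
fi
```

Run it without arguments to print the ruleset for review and with `--apply` (as root) to load it. The xt_recent list used for the blacklist is capped at 100 entries by default (the module's `ip_list_tot` parameter) and is lost on reboot, so for a blacklist that is supposed to hold for days an ipset with a timeout is the more robust store; the ordering shown is the same either way.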
I have quite a few applications running on the RT-AC56U. Some homebrew apps (a bunch of scripts run as daemons or one-shot recurring tasks). But I decided to move my home network to the ER-X. It will take over firewall/NAT/routing/QoS/IPsec/other network functions. I will turn the RT-AC56U into an AP and an application server. It runs the OpenVPN server, NTP daemon and many other services. I have to devise a plan for a seamless transition. I'm very excited and looking forward to it! I feel a bit relieved to hand over the more difficult tasks to Ubiquiti.