change SSH Brute Force Protection

caxap

New Around Here
I use my router as SSH proxy with up to 15 connections from the same IP at a time. That triggers a bruteforce protection hitcount.
I don't want to disable a bruteforce protection completely. What would be the best way to increase hitcount number?
 
You could whitelist that IP by adding an iptables rule that will skip the BFD rules when connections are from your static IP.
 
Hi,

you could disable the built-in brute force protection in the web UI and then add a custom firewall-start script with your own iptables brute force protection lines:
Code:
user@router:/tmp/home/root# cat /jffs/scripts/firewall-start
#!/bin/sh
iptables -I INPUT 6 -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -I INPUT 7 -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 6 --rttl --name SSH -j DROP
user@router:/tmp/home/root#

Tune hitcount and seconds parameters according to your needs. You might also need to adjust the input line numbers if you have other non-default iptables rules in place.

After router restart the input chain in iptables should look something like this:
Code:
user@router:/tmp/home/root# iptables -L -v --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       icmp --  eth0   any     anywhere             anywhere             icmp echo-request
2    1478K  188M ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
3      128  8722 DROP       all  --  any    any     anywhere             anywhere             state INVALID
4     702K  106M PTCSRVWAN  all  --  !br0   any     anywhere             anywhere
5     651K   95M PTCSRVLAN  all  --  br0    any     anywhere             anywhere
6        0     0            tcp  --  eth0   any     anywhere             anywhere             tcp dpt:ssh state NEW recent: SET name: SSH side: source
7        0     0 DROP       tcp  --  eth0   any     anywhere             anywhere             tcp dpt:ssh state NEW recent: UPDATE seconds: 300 hit_count: 6 TTL-Match name: SSH side: source
8     651K   95M ACCEPT     all  --  br0    any     anywhere             anywhere             state NEW
9     702K  106M ACCEPT     all  --  lo     any     anywhere             anywhere             state NEW
10     208 33285 OVPN       all  --  any    any     anywhere             anywhere             state NEW
11       0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp spt:bootps dpt:bootpc
12       0     0 INPUT_ICMP  icmp --  any    any     anywhere             anywhere
13     208 33285 DROP       all  --  any    any     anywhere             anywhere
<snip>
 
you could disable the built-in brute force protection in the web UI and then add a custom firewall-start script with your own iptables brute force protection lines

before disabling brute force protection:
Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      515 63939 PTCSRV     tcp  --  any    any     anywhere             anywhere             multiport dports 3333
2       56  2240 DROP       all  --  any    any     anywhere             anywhere             state INVALID
3     3741  525K ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
4      300 22473 ACCEPT     all  --  lo     any     anywhere             anywhere             state NEW
5      510 42334 ACCEPT     all  --  br0    any     anywhere             anywhere             state NEW
6        0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp spt:bootps dpt:bootpc
7        4   208 SSHBFP     tcp  --  any    any     anywhere             anywhere             tcp dpt:3333 state NEW
8      394 69390 DROP       all  --  any    any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  vlan2  any     anywhere             anywhere             state INVALID
2     1249 67570 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
3        0     0 DROP       all  --  !br0   vlan2   anywhere             anywhere
4        0     0 ACCEPT     all  --  br0    br0     anywhere             anywhere
5        0     0 DROP       icmp --  vlan2  any     anywhere             anywhere
6        0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT
7      266 17729 ACCEPT     all  --  br0    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 4804 packets, 762K bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain FUPNP (0 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain PControls (0 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  any    any     anywhere             anywhere

Chain PTCSRV (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain SSHBFP (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        4   208            all  --  any    any     anywhere             anywhere             recent: SET name: SSH side: source
2        0     0 DROP       all  --  any    any     anywhere             anywhere             recent: UPDATE seconds: 60 hit_count: 4 name: SSH side: source
3        4   208 ACCEPT     all  --  any    any     anywhere             anywhere

Chain logaccept (0 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 LOG        all  --  any    any     anywhere             anywhere             state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "ACCEPT "
2        0     0 ACCEPT     all  --  any    any     anywhere             anywhere

Chain logdrop (0 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 LOG        all  --  any    any     anywhere             anywhere             state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "DROP "
2        0     0 DROP       all  --  any    any     anywhere             anywhere

I've adjusted your lines a bit:
Code:
#!/bin/sh
iptables -I INPUT 6 -i any -p tcp --dport 3333 -m state --state NEW -m recent --set --name SSH
iptables -I INPUT 7 -i any -p tcp --dport 3333 -m state --state NEW -m recent --update --seconds 300 --hitcount 15 --rttl --name SSH -j DROP

Now printout looks like:
Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      489  109K PTCSRV     tcp  --  any    any     anywhere             anywhere             multiport dports 3333
2       22 19594 DROP       all  --  any    any     anywhere             anywhere             state INVALID
3      876  200K ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
4        9  1098 ACCEPT     all  --  lo     any     anywhere             anywhere             state NEW
5       52  7930 ACCEPT     all  --  br0    any     anywhere             anywhere             state NEW
6        0     0            tcp  --  any    any     anywhere             anywhere             tcp dpt:3333 state NEW recent: SET name: SSH side: source
7        0     0 DROP       tcp  --  any    any     anywhere             anywhere             tcp dpt:3333 state NEW recent: UPDATE seconds: 300 hit_count: 15 TTL-Match name: SSH side: source
8        0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp spt:bootps dpt:bootpc
9       17   884 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:3333
10     115 36608 DROP       all  --  any    any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  vlan2  any     anywhere             anywhere             state INVALID
2       42  2280 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
3        0     0 DROP       all  --  !br0   vlan2   anywhere             anywhere
4        0     0 ACCEPT     all  --  br0    br0     anywhere             anywhere
5        0     0 DROP       icmp --  vlan2  any     anywhere             anywhere
6        0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT
7       89  9420 ACCEPT     all  --  br0    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 1054 packets, 215K bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain FUPNP (0 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain PControls (0 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  any    any     anywhere             anywhere

Chain PTCSRV (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain logaccept (0 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 LOG        all  --  any    any     anywhere             anywhere             state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "ACCEPT "
2        0     0 ACCEPT     all  --  any    any     anywhere             anywhere

Chain logdrop (0 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 LOG        all  --  any    any     anywhere             anywhere             state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "DROP "
2        0     0 DROP       all  --  any    any     anywhere             anywhere

I'm trying to "brute force" it and see no protection working. Could you please take a look at what is wrong?
I'm really new to Linux and iptables.
Thanks
 
Not an option, my IP is dynamic.

Whitelist the whole subnet then. Chances that you have an attacker from within the same subnet are probably low. Still better than completely disabling BFD for every source.
 
Whitelist the whole subnet then. Chances that you have an attacker from within the same subnet are probably low. Still better than completely disabling BFD for every source.
I'm using ssh proxy from different locations while moving.
If whitelisting is the only option then sure I can whitelist IP just before using proxy. But it adds extra steps every time.

Can IP be whitelisted from cli?
 
I'm using ssh proxy from different locations while moving.
If whitelisting is the only option then sure I can whitelist IP just before using proxy. But it adds extra steps every time.

Can IP be whitelisted from cli?

You need to edit your custom firewall-start script, then restart the firewall.
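An added simulation (editor's example, not code from the thread or the router firmware) of the iptables `recent` SET/UPDATE rule pair used in both scripts above, with a trusted-subnet ACCEPT placed ahead of it as the whitelisting replies suggest; the class, the `burst` helper and the addresses are constructed for illustration, and `--rttl` is not modelled. It shows that the N-th new connection inside the window is the one dropped, so 15 simultaneous connections need a hitcount of at least 16, and that a whitelisted source never accumulates hits.

```python
import ipaddress
from collections import defaultdict


class RecentSSHGuard:
    """Models the rule pair from the thread, with an optional whitelist ACCEPT in front:
    [-s TRUSTED -j ACCEPT] -> -m recent --set -> -m recent --update --seconds S --hitcount H -j DROP
    Timestamps are kept per source address, as xt_recent does (--rttl is not modelled)."""

    def __init__(self, seconds=300, hitcount=6, trusted=(), max_stamps=20):
        self.seconds = seconds
        self.hitcount = hitcount          # kernel rejects values above ip_pkt_list_tot (20 by default)
        self.trusted = [ipaddress.ip_network(n) for n in trusted]
        self.max_stamps = max_stamps      # xt_recent keeps at most ip_pkt_list_tot stamps per source
        self.stamps = defaultdict(list)

    def _stamp(self, src, now):
        s = self.stamps[src]
        s.append(now)
        if len(s) > self.max_stamps:
            del s[0]                      # ring buffer: the oldest stamp is overwritten

    def new_connection(self, src, now):
        """Verdict ('ACCEPT' or 'DROP') for a NEW connection from src at time `now` (seconds)."""
        if any(ipaddress.ip_address(src) in net for net in self.trusted):
            return "ACCEPT"               # whitelist rule sits before --set, so no stamp is recorded
        self._stamp(src, now)             # rule 1: -m recent --set --name SSH
        window_start = now - self.seconds
        hits = sum(1 for t in self.stamps[src] if t >= window_start)
        if hits >= self.hitcount:         # rule 2: --update --seconds S --hitcount H -j DROP
            self._stamp(src, now)         # --update refreshes the entry when it matches
            return "DROP"
        return "ACCEPT"


def burst(guard, src, count, start=0.0, gap=0.1):
    """Open `count` connections from src, `gap` seconds apart; return how many were dropped."""
    return sum(guard.new_connection(src, start + i * gap) == "DROP" for i in range(count))


if __name__ == "__main__":
    # Constructed addresses: 198.51.100.7 is the roaming proxy client, 203.0.113.0/24 a trusted subnet.
    for hits in (6, 15, 16):
        dropped = burst(RecentSSHGuard(seconds=300, hitcount=hits), "198.51.100.7", 15)
        print(f"hitcount {hits:2d}: {dropped:2d} of 15 burst connections dropped")
    wl = RecentSSHGuard(hitcount=16, trusted=["203.0.113.0/24"])
    print("trusted subnet, 40 connections:", burst(wl, "203.0.113.5", 40), "dropped")
    print("untrusted, 40 connections:     ", burst(wl, "198.51.100.7", 40), "dropped")
```

Both scripts in the thread also restrict the rules by interface: `-i eth0` is a literal interface name, and so is `-i any`, which iptables does not treat as a wildcard; the zero counters on rules 6 and 7 against 17 packets on rule 9 in the second listing are consistent with that, and leaving `-i` out matches every interface.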
 