Not an option, my IP is dynamic.
You could whitelist that IP
user@router:/tmp/home/root# cat /jffs/scripts/firewall-start
#!/bin/sh
iptables -I INPUT 6 -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -I INPUT 7 -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 6 --rttl --name SSH -j DROP
user@router:/tmp/home/root#
user@router:/tmp/home/root# iptables -L -v --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DROP icmp -- eth0 any anywhere anywhere icmp echo-request
2 1478K 188M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
3 128 8722 DROP all -- any any anywhere anywhere state INVALID
4 702K 106M PTCSRVWAN all -- !br0 any anywhere anywhere
5 651K 95M PTCSRVLAN all -- br0 any anywhere anywhere
6 0 0 tcp -- eth0 any anywhere anywhere tcp dpt:ssh state NEW recent: SET name: SSH side: source
7 0 0 DROP tcp -- eth0 any anywhere anywhere tcp dpt:ssh state NEW recent: UPDATE seconds: 300 hit_count: 6 TTL-Match name: SSH side: source
8 651K 95M ACCEPT all -- br0 any anywhere anywhere state NEW
9 702K 106M ACCEPT all -- lo any anywhere anywhere state NEW
10 208 33285 OVPN all -- any any anywhere anywhere state NEW
11 0 0 ACCEPT udp -- any any anywhere anywhere udp spt:bootps dpt:bootpc
12 0 0 INPUT_ICMP icmp -- any any anywhere anywhere
13 208 33285 DROP all -- any any anywhere anywhere
<snip>
You could disable the built-in brute force protection in the web UI and then add a custom firewall-start script with your own iptables brute force protection lines.
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 515 63939 PTCSRV tcp -- any any anywhere anywhere multiport dports 3333
2 56 2240 DROP all -- any any anywhere anywhere state INVALID
3 3741 525K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
4 300 22473 ACCEPT all -- lo any anywhere anywhere state NEW
5 510 42334 ACCEPT all -- br0 any anywhere anywhere state NEW
6 0 0 ACCEPT udp -- any any anywhere anywhere udp spt:bootps dpt:bootpc
7 4 208 SSHBFP tcp -- any any anywhere anywhere tcp dpt:3333 state NEW
8 394 69390 DROP all -- any any anywhere anywhere
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all -- vlan2 any anywhere anywhere state INVALID
2 1249 67570 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
3 0 0 DROP all -- !br0 vlan2 anywhere anywhere
4 0 0 ACCEPT all -- br0 br0 anywhere anywhere
5 0 0 DROP icmp -- vlan2 any anywhere anywhere
6 0 0 ACCEPT all -- any any anywhere anywhere ctstate DNAT
7 266 17729 ACCEPT all -- br0 any anywhere anywhere
Chain OUTPUT (policy ACCEPT 4804 packets, 762K bytes)
num pkts bytes target prot opt in out source destination
Chain FUPNP (0 references)
num pkts bytes target prot opt in out source destination
Chain PControls (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- any any anywhere anywhere
Chain PTCSRV (1 references)
num pkts bytes target prot opt in out source destination
Chain SSHBFP (1 references)
num pkts bytes target prot opt in out source destination
1 4 208 all -- any any anywhere anywhere recent: SET name: SSH side: source
2 0 0 DROP all -- any any anywhere anywhere recent: UPDATE seconds: 60 hit_count: 4 name: SSH side: source
3 4 208 ACCEPT all -- any any anywhere anywhere
Chain logaccept (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 LOG all -- any any anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "ACCEPT "
2 0 0 ACCEPT all -- any any anywhere anywhere
Chain logdrop (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 LOG all -- any any anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "DROP "
2 0 0 DROP all -- any any anywhere anywhere
#!/bin/sh
# "-i any" is not a wildcard in iptables: it matches only an interface literally named "any",
# so rules written that way never fire (note the 0-packet counters on rules 6 and 7 in the
# listing below while rule 9 still accepts new connections to port 3333).
# Omitting -i makes the rule match every interface, which is what "any" was meant to do.
iptables -I INPUT 6 -p tcp --dport 3333 -m state --state NEW -m recent --set --name SSH
iptables -I INPUT 7 -p tcp --dport 3333 -m state --state NEW -m recent --update --seconds 300 --hitcount 15 --rttl --name SSH -j DROP
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 489 109K PTCSRV tcp -- any any anywhere anywhere multiport dports 3333
2 22 19594 DROP all -- any any anywhere anywhere state INVALID
3 876 200K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
4 9 1098 ACCEPT all -- lo any anywhere anywhere state NEW
5 52 7930 ACCEPT all -- br0 any anywhere anywhere state NEW
6 0 0 tcp -- any any anywhere anywhere tcp dpt:3333 state NEW recent: SET name: SSH side: source
7 0 0 DROP tcp -- any any anywhere anywhere tcp dpt:3333 state NEW recent: UPDATE seconds: 300 hit_count: 15 TTL-Match name: SSH side: source
8 0 0 ACCEPT udp -- any any anywhere anywhere udp spt:bootps dpt:bootpc
9 17 884 ACCEPT tcp -- any any anywhere anywhere tcp dpt:3333
10 115 36608 DROP all -- any any anywhere anywhere
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all -- vlan2 any anywhere anywhere state INVALID
2 42 2280 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
3 0 0 DROP all -- !br0 vlan2 anywhere anywhere
4 0 0 ACCEPT all -- br0 br0 anywhere anywhere
5 0 0 DROP icmp -- vlan2 any anywhere anywhere
6 0 0 ACCEPT all -- any any anywhere anywhere ctstate DNAT
7 89 9420 ACCEPT all -- br0 any anywhere anywhere
Chain OUTPUT (policy ACCEPT 1054 packets, 215K bytes)
num pkts bytes target prot opt in out source destination
Chain FUPNP (0 references)
num pkts bytes target prot opt in out source destination
Chain PControls (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- any any anywhere anywhere
Chain PTCSRV (1 references)
num pkts bytes target prot opt in out source destination
Chain logaccept (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 LOG all -- any any anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "ACCEPT "
2 0 0 ACCEPT all -- any any anywhere anywhere
Chain logdrop (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 LOG all -- any any anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "DROP "
2 0 0 DROP all -- any any anywhere anywhere
Not an option, my IP is dynamic.
I'm using ssh proxy from different locations while moving.
Whitelist the whole subnet then. Chances that you have an attacker from within the same subnet are probably low. Still better than completely disabling BFD for every source.
If whitelisting is the only option then sure I can whitelist IP just before using proxy. But it adds extra steps every time.
Can IP be whitelisted from cli?
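One way to do both things this thread asks for, a recent-based rate limit installed from firewall-start plus a whitelist that can be edited from the CLI, as an added example that is not code from the thread or from the firmware. It assumes the WAN interface name is available from the nvram key wan0_ifname (falling back to eth0 if nvram is not present) and that SSH listens on port 3333 as in the listings above; setting IPT=echo prints the iptables commands instead of applying them.

```shell
#!/bin/sh
# Added example (not the firmware's own code). Rate-limits new SSH connections
# arriving on the WAN interface with the iptables "recent" match and keeps a
# separate SSH_WHITELIST chain that can be edited from the CLI without
# touching the rate-limit rules.
IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-3333}"
# Assumption: Asuswrt stores the WAN interface in nvram key wan0_ifname.
if [ -z "${WAN_IF:-}" ] && command -v nvram >/dev/null 2>&1; then
    WAN_IF="$(nvram get wan0_ifname)"
fi
WAN_IF="${WAN_IF:-eth0}"

# Create (or reset) the chains; safe to re-run when firewall-start fires again.
ssh_bfp_setup() {
    $IPT -N SSH_WHITELIST 2>/dev/null; $IPT -F SSH_WHITELIST
    $IPT -N SSH_BFP 2>/dev/null;       $IPT -F SSH_BFP
    # Whitelisted sources are accepted inside SSH_WHITELIST and never counted.
    $IPT -A SSH_BFP -j SSH_WHITELIST
    # Everyone else: record the source, then drop it once it has opened 6 or
    # more new connections within 300 s. --rttl ignores list entries whose TTL
    # differs, which makes the counter harder to poison with spoofed packets.
    $IPT -A SSH_BFP -m recent --set --name SSH
    $IPT -A SSH_BFP -m recent --update --seconds 300 --hitcount 6 --rttl --name SSH -j DROP
    $IPT -A SSH_BFP -j ACCEPT
    # Hook new WAN-side SSH connections into the chain at the top of INPUT so
    # the script does not depend on rule positions that change between builds.
    $IPT -D INPUT -i "$WAN_IF" -p tcp --dport "$SSH_PORT" -m state --state NEW -j SSH_BFP 2>/dev/null
    $IPT -I INPUT 1 -i "$WAN_IF" -p tcp --dport "$SSH_PORT" -m state --state NEW -j SSH_BFP
}

# CLI helpers: ssh_bfp_allow 203.0.113.0/24  /  ssh_bfp_revoke 203.0.113.0/24
ssh_bfp_allow()  { $IPT -A SSH_WHITELIST -s "$1" -j ACCEPT; }
ssh_bfp_revoke() { $IPT -D SSH_WHITELIST -s "$1" -j ACCEPT; }

# Run with "setup" as firewall-start; source the file to use the helpers.
if [ "${1:-}" = "setup" ]; then
    ssh_bfp_setup
fi
```

Because the whitelist lives in its own chain, adding or removing an address before a session (ssh_bfp_allow / ssh_bfp_revoke) never touches the recent rules or their hit counters.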