Harvest IPs from SSH brute force protection

redhat27

Very Senior Member
Hello everyone, I have enabled brute force protection from the Web UI, and I'm trying to identify the IPs that are dropped by the rule.

This is what gets created when I enable brute force protection:
:SSHBFP - [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j SSHBFP
-A SSHBFP -m recent --set --name SSH --rsource
-A SSHBFP -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j logdrop
-A SSHBFP -j logaccept

I tried to create a different log target (and not use logdrop) so that these stand out:
if [ "$(nvram get sshd_bfp)" -eq 1 ] && [ "$(nvram get fw_log_x)" != "none" ]; then
    # Dedicated chain so the dropped brute-force attempts carry their own log prefix
    iptables -N bfplog
    if [ "$(nvram get fw_log_x)" = "drop" ] || [ "$(nvram get fw_log_x)" = "both" ]; then
        # Replace the firmware's logdrop rule. Insert at position 2 so the new rule sits
        # between "--set" and "-j logaccept"; appending with -A would place it after the
        # unconditional accept, where it can never match (hence no SSHBFP lines in the log)
        iptables -D SSHBFP -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j logdrop
        iptables -I SSHBFP 2 -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j bfplog
    fi
    # Only SSHBFP jumps here; do not also hang bfplog off INPUT, or every other packet
    # reaching the end of INPUT would be logged with the SSHBFP prefix
    iptables -A bfplog -m state --state NEW -j LOG --log-prefix "SSHBFP " --log-tcp-sequence --log-tcp-options --log-ip-options
    iptables -A bfplog -j DROP
fi

But I am not an expert on iptables, so I'm doing something wrong. There is nothing in the log that has SSHBFP, even though there have been attempts:
admin@RT-AC66R-D700:/jffs/scripts# iptables -L -v | grep "dpt:ssh"
24 1112 SSHBFP tcp -- eth0 any anywhere anywhere tcp dpt:ssh state NEW

How do I easily identify the brute force attempts? (Either through syslog or otherwise)

Thanks for replying, I have seen that thread, but since I've disabled password login on SSH, I do not get anything in the syslog that has the text "Bad password attempt for". I do get several "Login attempt for nonexistent user from ", "Client trying multiple usernames from ", and "Pubkey auth bad signature for" messages, and I am able to capture the source IPs for those attempts and put them in my own implementation of a custom blocklist. I'm trying to get the brute force SSH attempts as well (4 or more in a minute).
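Two ways to pull the offending sources out of the setup described above, as an added example that is not from this thread: reading the table the `-m recent --name SSH` match keeps in /proc (path varies by kernel; both candidates below are assumptions), and counting kernel log lines that carry the `SSHBFP ` prefix from the LOG rule. The table contents, the log lines and the /tmp/syslog.log location are constructed/assumed.

```shell
#!/bin/sh
# Constructed sample of /proc/net/xt_recent/SSH (older kernels: /proc/net/ipt_recent/SSH),
# one line per tracked source; the trailing numbers are the remembered hit timestamps (jiffies).
SAMPLE_RECENT='src=203.0.113.7 ttl: 51 last_seen: 4295050216 oldest_pkt: 4 4295044812, 4295046615, 4295048503, 4295050216
src=198.51.100.23 ttl: 64 last_seen: 4295031100 oldest_pkt: 1 4295031100
src=192.0.2.44 ttl: 48 last_seen: 4295062000 oldest_pkt: 5 4295040000, 4295045000, 4295050000, 4295055000, 4295062000'

# Constructed syslog lines as the LOG rule with --log-prefix "SSHBFP " would emit them,
# plus an unrelated DROP line that must be ignored.
SAMPLE_LOG='Jan  1 00:00:01 RT-AC66R kernel: SSHBFP IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.1 LEN=60 PROTO=TCP SPT=51822 DPT=22 SYN
Jan  1 00:00:02 RT-AC66R kernel: DROP IN=eth0 OUT= SRC=198.51.100.23 DST=192.168.1.1 PROTO=TCP DPT=23
Jan  1 00:00:09 RT-AC66R kernel: SSHBFP IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.1 PROTO=TCP SPT=51823 DPT=22 SYN
Jan  1 00:01:30 RT-AC66R kernel: SSHBFP IN=eth0 OUT= SRC=192.0.2.44 DST=192.168.1.1 PROTO=TCP SPT=40000 DPT=22 SYN'

# recent_hitters MIN: print sources from a recent table (stdin) with at least MIN remembered
# hits. The number of timestamps after "oldest_pkt: N" is counted directly rather than trusting
# N. Timestamps are jiffies, so this says how many attempts the kernel still remembers per
# source, not whether they all fell inside the 60-second window of the rule.
recent_hitters() {
    awk -v min="$1" '{
        n = 0
        for (i = 1; i <= NF; i++) if ($i == "oldest_pkt:") n = NF - i - 1
        if (n >= min + 0) { sub(/^src=/, "", $1); print $1 }
    }'
}

# logged_sources: per-source count of SSHBFP-prefixed kernel log lines (stdin = syslog),
# output "ip count", sorted.
logged_sources() {
    awk '/kernel: SSHBFP / { for (i = 1; i <= NF; i++) if (sub(/^SRC=/, "", $i)) c[$i]++ }
         END { for (ip in c) print ip, c[ip] }' | sort
}

# On the router itself (assumed paths):
#   recent_hitters 4 < /proc/net/xt_recent/SSH
#   logged_sources < /tmp/syslog.log
```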