Are there any scripts or packages with functionality similar to fail2ban?

Metro

Occasional Visitor
Hello,

I've just started using amtm, Diversion, and Skynet and loving the added functionality.

Are there any tools available for functionality similar to fail2ban? That is, the routers I support are constantly hammered with bots looking for open ports. I do have to have a few open ports and would like to limit the bots that hit these ports hundreds of times trying to get in.

Is there any functionality anywhere that can achieve this?

Thanks so much!
 
Isn't Skynet doing that for you? Have you tried enabling AiProtection too and then allowing Diversion (and Skynet?) to protect from those sources too?

What router and what firmware are you running? Kind of important info here. :)
 
IIRC, Fail2Ban works by scanning particular services' log files for suspicious behaviour (e.g. SSH/FTP/Apache). The only really relevant one in this situation would be SSH, if you expose that to the WAN (which you never should!), in which case Skynet taps into Merlin's BFD and adds any entries to its own blacklist after 5 connection attempts in 60 seconds.
 
Thank you both!

I'm on a RT-AC86U running 384.15.

I don't expose SSH to the WAN, fortunately. I understand that it's based on logs. Do Diversion and/or Skynet provide any intuitive understanding of attempts to probe ports and/or brute force? I do have AiProtection on as well.

Thank you again for chiming in.
 
Do Diversion and/or Skynet provide any intuitive understanding of attempts to probe ports and/or brute force?

This? Located on the Firewall tab. You can click on a bar for further details.

(attached screenshot: upload_2020-3-22_8-35-20.png)
 
I found this thread looking for a way to ban IPs with X number of failed attempts to login to the OpenVPN server on my router. I think most of these are just port probes and result in log errors like "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)" but if someone did attempt to login with a valid username, I would like something in place to stop them after a few attempts.

Is this the kind of thing that the built-in firewall / Skynet logic is going to handle? Any other suggestions? Thank you.
 
I found this thread looking for a way to ban IPs with X number of failed attempts to login to the OpenVPN server on my router. I think most of these are just port probes and result in log errors like "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)" but if someone did attempt to login with a valid username, I would like something in place to stop them after a few attempts.

You don't need anything too special for this; you can use iptables in firewall-start to rate limit connection attempts. But it's likely just 'door knocking' from the internet, not actual attempts to connect.

This can work against you, though: in sketchy connection situations where your VPN is constantly reconnecting due to a bad connection, you can end up locking yourself out if you don't have an exclusive ACCEPT rule for a known IP you're connecting from, like I have below.


Code:
# Each rule is inserted with -I, so it lands above the previous one. The resulting
# order in INPUT is: LOG, ACCEPT (work IP), recent --set, recent --update/DROP,
# i.e. the allow rule is evaluated before the limiter and --set before --update.

# limits connections to 31194 to 3 (drops NEW connections once the source has been seen 3 times in 180 seconds)
iptables -I INPUT -p tcp --dport 31194 -i eth0 -m state --state NEW -m recent --update --seconds 180 --hitcount 3 -j DROP

# sets table for IPTABLES to reference from (records every NEW connection in the "recent" list checked above)
iptables -I INPUT -p tcp --dport 31194 -i eth0 -m state --state NEW -m recent --set

# allow 31194 vpn connections from work regardless
iptables -I INPUT -s 123.123.123.123 -p tcp -m tcp --dport 31194 -j ACCEPT

# logs connections to 31194 (evaluated first, so blocked attempts are logged too)
iptables -I INPUT -p tcp -m tcp --dport 31194 -m state --state NEW -j LOG --log-level 1 --log-prefix "openvpn31194 "
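To get the fail2ban-style "ban after X attempts" view asked for above, the LOG rule's entries can be tallied per source. The script below is an added example (not from this thread or from Skynet) that counts the "openvpn31194 " kernel log lines per SRC, skips the known-good IP, and prints idempotent iptables drop commands; the syslog line format, the allow-list and the sample lines are assumed/constructed.

```shell
#!/bin/sh
# Added example: tally "openvpn31194 " LOG hits per source (fail2ban-style).
# Assumed: Asuswrt-Merlin style kernel log lines as below; run e.g. from cron.

PORT=31194
PREFIX="openvpn${PORT} "
ALLOW="123.123.123.123"   # known-good source from the rules above; never flagged

# Constructed sample of kernel LOG lines (documentation IPs), standing in
# for /tmp/syslog.log on the router.
sample_log() {
  cat <<'EOF'
Mar 22 08:35:20 kernel: openvpn31194 IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=51234 DPT=31194 SYN
Mar 22 08:35:21 kernel: openvpn31194 IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=51235 DPT=31194 SYN
Mar 22 08:35:23 kernel: openvpn31194 IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=51236 DPT=31194 SYN
Mar 22 08:36:02 kernel: openvpn31194 IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=31194 SYN
Mar 22 08:40:11 kernel: openvpn31194 IN=eth0 OUT= SRC=123.123.123.123 DST=203.0.113.5 PROTO=TCP SPT=443 DPT=31194 SYN
Mar 22 08:40:12 kernel: openvpn31194 IN=eth0 OUT= SRC=123.123.123.123 DST=203.0.113.5 PROTO=TCP SPT=444 DPT=31194 SYN
Mar 22 08:40:13 kernel: openvpn31194 IN=eth0 OUT= SRC=123.123.123.123 DST=203.0.113.5 PROTO=TCP SPT=445 DPT=31194 SYN
Mar 22 08:41:00 dnsmasq-dhcp[123]: DHCPACK(br0) 192.168.1.20
EOF
}

# count_knockers THRESHOLD  < logfile
# Prints "count ip" for every source that hit the port at least THRESHOLD
# times, highest first, skipping the allow-listed address.
count_knockers() {
  awk -v prefix="$PREFIX" -v min="$1" -v allow="$ALLOW" '
    index($0, prefix) == 0 { next }                 # only lines from our LOG rule
    match($0, /SRC=[0-9.]+/) {
      ip = substr($0, RSTART + 4, RLENGTH - 4)
      if (ip != allow) hits[ip]++
    }
    END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
  ' | sort -rn
}

# emit_drop_rules THRESHOLD  < logfile
# Turns the tally into iptables commands (printed, not executed). The "-C"
# check first means re-running from cron does not stack duplicate rules.
emit_drop_rules() {
  count_knockers "$1" | while read -r n ip; do
    printf 'iptables -C INPUT -s %s -p tcp --dport %s -j DROP 2>/dev/null || iptables -I INPUT -s %s -p tcp --dport %s -j DROP\n' \
      "$ip" "$PORT" "$ip" "$PORT"
  done
}
```

On the router you would feed the real log instead of the sample, e.g. `emit_drop_rules 3 < /tmp/syslog.log | sh`, after reviewing the printed rules once by hand.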
 