Menu
What's new
By:
Filters Better Search

Harvest IPs from SSH brute force protection

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

redhat27

redhat27

Very Senior Member
Hello everyone, I have enabled brute force protection in the from the Web UI, and I'm trying to identify the IPs that are dropped by the rule.

This is what gets created when I enable brute force protection:
:SSHBFP - [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j SSHBFP
-A SSHBFP -m recent --set --name SSH --rsource
-A SSHBFP -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j logdrop
-A SSHBFP -j logaccept

I tried to create a different log target (and not use logdrop) so that these stand out:
if [ $(nvram get sshd_bfp) -eq 1 -a "$(nvram get fw_log_x)" != "none" ]; then
iptables -N bfplog
iptables -A INPUT -j bfplog
if [ "$(nvram get fw_log_x)" = "drop" -o "$(nvram get fw_log_x)" = "both" ]; then
iptables -D SSHBFP -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j logdrop
iptables -A SSHBFP -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j bfplog
fi
iptables -A bfplog -m state --state NEW -j LOG --log-prefix "SSHBFP " --log-tcp-sequence --log-tcp-options --log-ip-options
iptables -A bfplog -j DROP
fi

But I am not an expert on iptables, so I'm doing something wrong. There is nothing in the log that has SSHBFP, even though there have been attempts:
admin@RT-AC66R-D700:/jffs/scripts# iptables -L -v | grep "dpt:ssh"
24 1112 SSHBFP tcp -- eth0 any anywhere anywhere tcp dpt:ssh state NEW

How do I easily identify the brute force attempts? (Either through syslog or otherwise)
 
Thanks for replying, I have seen that thread, but since I've disabled password login on SSH, I do not get any in the syslog that has the text "Bad password attempt for". I do get several
"Login attempt for nonexistent user from ", "Client trying multiple usernames from ", and "Pubkey auth bad signature for" I am able to capture the source IPs for those attempts and put them in my own implementation of custom blocklist. I'm trying to get the brute force SSH attempts as well. (4 or more in a minute)
 
You must log in or register to reply here.

Similar threads

PR3MIUM
News Cisco warns of large-scale brute-force attacks against VPN and SSH services
Replies
2
Views
766
Paliv
P
R
Prevent SSH Disconnect / Timeout around ~ 105-116 seconds from last activity on terminal session
Replies
7
Views
1K
ColinTaylor
C
B
AC68u fast blinking power light from time to time (nvram issue)
Replies
18
Views
2K
bibikalka
B
H
Limiting router to certain countries only & brute force attack protection
Replies
2
Views
2K
Wisiwyg
W
G
Wireguard VPN Client: killswitch activation -> LAN administration lock-out
Replies
6
Views
696
ZebMcKayhan
Z
Similar threads
Thread starter Title Forum Replies Date
L Access to certain IPs in LAN blocked somehow? Asuswrt-Merlin 4
P Catch all IPs from certain port and add them to ipset list? Asuswrt-Merlin 18
A RT-AX88U - 3004.388.8_2 - SSH connection closed after few minutes from reboot Asuswrt-Merlin 10
CntrlAltDel Switch WAN type from SSH Asuswrt-Merlin 3
W Question: About AX4200 regarding SSH support and Entware Asuswrt-Merlin 23
S restart web server from SSH Asuswrt-Merlin 13
K Toggle VPN Director rules for WireGuard via SSH Asuswrt-Merlin 2
M ssh access with DNS name takes a long time where it did not used to Asuswrt-Merlin 0
William Higgs Ssh to router logging in as wrong user? Asuswrt-Merlin 3
S Route add via SSH - persistent-how? Asuswrt-Merlin 4

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 613 (members: 16, guests: 597)
Top