lixuewei / rt-n56u

Automatically exported from code.google.com/p/rt-n56u

SSH Server Brute-force protection: false positive results block access #1243

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Select the default setting of "SSH Server Brute-force protection": Max 3 tries / 5 min
2. Make 3 successful logins from the same external IP to the router (SSH keypair authorization) - use commands like ssh, scp etc.
3. The 4th login attempt and all further attempts from the same IP will be blocked.

What is the expected output? What do you see instead?

I want to log in with my correct SSH key, but I can't. I have to change my IP address, wait 5 minutes, or reboot the router.

What version of the product are you using? On what operating system?

RT-N65U_3.0.3.8-081_full / Linux

Original issue reported on code.google.com by ulysses....@gmail.com on 6 May 2014 at 9:18

GoogleCodeExporter commented 9 years ago
Very useful option I think.
After successful login you can do:
# echo -"your_rem_ip" > /proc/net/xt_recent/blacklist
or
# echo / > /proc/net/xt_recent/blacklist

The first one removes the IP address you connected from (your_rem_ip) from the blacklist; the second clears the whole blacklist.

Original comment by d...@soulblader.com on 9 May 2014 at 2:16

GoogleCodeExporter commented 9 years ago
I don't agree that it is very useful that a *successful* login creates an entry in the blacklist! To my understanding, the blacklist should prevent hackers from entering my account by brute force, as it blocks access after the third failed attempt. Once somebody has got my password and entered my account, he can do anything he wants, including changing the password and deleting the blacklist. So this option doesn't add any security once the account has been hacked. But it forces me to write a .login script that removes "my_rem_ip" from the blacklist after every login (from a hotel, mobile network etc.). I would prefer it if only login failures created an entry in the blacklist.

By the way - is there an option to block specific IP addresses from VPN access forever? For example, block the Chinese 183.60.48.25 and 14.17.35.181, who scan IP addresses worldwide and try VPN access every second day?

Original comment by ulysses....@gmail.com on 9 May 2014 at 7:25
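The reporter's workaround is a login script that forgets only the client's own address after each successful login, using the "echo -<ip>" form from the previous comment. The following is an added example of such a hook, not code from the rt-n56u firmware or from anyone in this thread. It assumes that the SSH daemon exports SSH_CONNECTION as "client_ip client_port server_ip server_port" (OpenSSH and dropbear both do), that the login shell runs as root so the xt_recent file is writable, and that the list is named "blacklist" as stated above; the file path is overridable so the script can be tried off the router.

```shell
#!/bin/sh
# Added example (not part of the rt-n56u firmware or this thread): a login hook
# that removes the connecting client's own address from the xt_recent
# "blacklist" list right after a successful SSH login, so a few legitimate
# ssh/scp sessions from one address do not trip "Max 3 tries / 5 min".
#
# Assumptions: SSH_CONNECTION is "client_ip client_port server_ip server_port"
# (exported by OpenSSH and dropbear), the shell runs as root (writing the
# xt_recent file needs it), and the list is named "blacklist" as in the thread.
# XT_RECENT_FILE can be pointed at a temporary file for trying this out.

XT_RECENT_FILE="${XT_RECENT_FILE:-/proc/net/xt_recent/blacklist}"

# Print the client address taken from an SSH_CONNECTION string.
# Fails (prints nothing) unless it consists only of address characters, so
# nothing unexpected is ever written into the kernel's list file.
ssh_client_ip() {
    ip=${1%% *}                       # first space-separated field: client_ip
    case "$ip" in
        ""|*[!0-9a-fA-F.:]*) return 1 ;;
    esac
    printf '%s\n' "$ip"
}

# Remove one address from the list (the "echo -<ip>" form from the thread).
# Only that address is forgotten; other sources keep their counters, unlike
# "echo /", which flushes the whole list.
xt_recent_remove() {
    [ -w "$XT_RECENT_FILE" ] || return 1
    printf '%s%s\n' - "$1" > "$XT_RECENT_FILE"
}

# Hook body: unblock the address we just logged in from, if it is known.
unblock_self() {
    ip=$(ssh_client_ip "${SSH_CONNECTION:-}") || return 0
    xt_recent_remove "$ip"
}

# Usage on the router (path is a suggestion, not a firmware convention):
# save this file as /etc/storage/unblock_self.sh and add
#   . /etc/storage/unblock_self.sh && unblock_self
# to the root shell's profile.
```

A profile hook only fires for interactive shells; scp and one-shot ssh commands do not source the profile, so those sessions still count toward the window unless the hook is run from somewhere every session passes through. Removing only the client's own entry keeps the counters for every other source intact, which is why the example does not use the "echo /" flush form.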

GoogleCodeExporter commented 9 years ago
Sure it is.
Add to /etc/storage/post_iptables_script.sh something like:
iptables -I INPUT -s 183.60.48.25 -j DROP

You know, it is called "SSH Server Brute-force protection" by Andy, and it is implemented by ipfilter. So it can be used for any other traffic. That's why I think it is very useful. BTW, openssh has its own implementation of brute-force protection. There are some options like MaxStartups etc.

Original comment by d...@soulblader.com on 10 May 2014 at 8:23
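The comment above blocks one address with one hand-written iptables line. As an added example (not from the rt-n56u firmware or anyone in this thread), here is a way to keep the permanently blocked sources in a list file and load them from /etc/storage/post_iptables_script.sh, the hook named above, validating each entry before it is passed to iptables. It assumes the list-file path (a suggestion only) and that the router's iptables supports the -C rule check (iptables 1.4.11 and later), so re-running the hook does not add duplicate rules. As with the rule above, the DROP applies to all traffic from that source to the router, not only VPN connections.

```shell
#!/bin/sh
# Added example (not part of the rt-n56u firmware or this thread): keep the
# permanently blocked sources in a file and load them from
# /etc/storage/post_iptables_script.sh, instead of editing one iptables line
# per address.
#
# Assumptions: the DROP_LIST path is a suggestion; the router's iptables
# supports `-C` (rule check, iptables 1.4.11+) so the hook can be re-run
# without adding duplicate rules. Every entry is validated before it reaches
# iptables.

DROP_LIST="${DROP_LIST:-/etc/storage/drop_list.txt}"

# Accept "a.b.c.d" or "a.b.c.d/nn" with octets 0-255 and prefix 0-32.
valid_ipv4_net() {
    case "$1" in
        ""|*[!0-9./]*|*/*/*|.*|*.|*..*|/*|*/) return 1 ;;
    esac
    addr=${1%%/*}
    pfx=${1#*/}
    [ "$pfx" = "$1" ] && pfx=32          # no "/nn" given: a single host
    [ "$pfx" -le 32 ] || return 1
    set -- $(printf '%s\n' "$addr" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Insert a DROP rule for one source unless an identical rule already exists.
# As in the thread, this drops everything from that source to the router,
# not only VPN traffic.
block_source() {
    valid_ipv4_net "$1" || { echo "drop list: skipping invalid entry '$1'" >&2; return 1; }
    iptables -C INPUT -s "$1" -j DROP 2>/dev/null && return 0
    iptables -I INPUT -s "$1" -j DROP
}

# One entry per line; '#' starts a comment; blank lines are ignored.
load_drop_list() {
    [ -r "$DROP_LIST" ] || return 0
    sed 's/#.*//' "$DROP_LIST" | while read -r entry; do
        if [ -n "$entry" ]; then
            block_source "$entry" || true    # keep going after a bad line
        fi
    done
}

# From post_iptables_script.sh:  . /etc/storage/drop_list.sh && load_drop_list
load_drop_list
```

Validating entries before they are spliced into an iptables command matters because the list file is edited by hand: a stray character would otherwise turn into a rule the firewall never loads, or into an argument iptables interprets differently than intended. The -C check lets the hook run on every firewall restart without stacking identical DROP rules in INPUT.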