opentechinstitute / commotion-router

The build system for the OpenWRT-based Commotion firmware.
https://commotionwireless.net
GNU General Public License v3.0

Rate limit ssh attempts to WAN zone #120

Closed areynold closed 9 years ago

areynold commented 10 years ago

Incorporates firewall changes suggested by @raniarho in #116 with some modifications. Partially addresses #30.

To test:

  1. Flash the node and configure it as a gateway
  2. Log in and make note of the public-facing IP address.
  3. Connect another machine to the same network as the node, but not to the node itself. You should not receive an IP address from the node or be inside the commotion network.
  4. SSH to the node and enter an invalid password until you are disconnected (3 attempts), then immediately repeat. On the fourth attempt within 1 minute your connection should be denied.
dismantl commented 10 years ago

I think the whole reason we went with the firewall.user script was because UCI didn't offer the options to reproduce those iptables rules. We looked into adding UCI rules at first, but couldn't make it work.

areynold commented 10 years ago

@jheretic I've reverted the uci commit and fixed the syntax in /etc/firewall.user.

On the 4th ssh connection within 60 seconds, the connection attempt will hang until the minute is up. Existing ssh connections are not affected.

I have a newly built node up with these rules in place if you want to test them.

dismantl commented 9 years ago

confirmed working.
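The behaviour areynold describes (a fourth new SSH connection from the same WAN source within 60 seconds is silently dropped, so the client hangs until the window expires, while established sessions are untouched) is what the iptables `recent` module gives you. The rules in the PR's `/etc/firewall.user` are not shown on this page, so the following is an added example, not the project's own script: it builds the two rules as `/etc/firewall.user`-style lines, using `WAN_IF`, `SSH_PORT`, `LIMIT_SECONDS` and `LIMIT_HITS` as assumed, adjustable values, and applies them only when explicitly asked to.

```shell
#!/bin/sh
# Added example (not from the commotion-router repository): rate-limit new SSH
# connections arriving on the WAN interface with the iptables 'recent' module.
# All four settings below are assumptions to be adjusted for the node.
WAN_IF="${WAN_IF:-eth0}"          # assumed WAN interface name
SSH_PORT="${SSH_PORT:-22}"        # assumed SSH listening port
LIMIT_SECONDS="${LIMIT_SECONDS:-60}"
LIMIT_HITS="${LIMIT_HITS:-4}"     # the LIMIT_HITS-th new connection in the window is dropped

# Emit the rules as "-A ..." lines so they can be reviewed, diffed, or appended
# to /etc/firewall.user before anything touches the live ruleset.
ssh_ratelimit_rules() {
  # Rule 1: record every NEW SSH connection from the WAN in the 'SSH' recent
  # list, keyed on the source address. Only NEW conntrack states match, so
  # packets of already-established SSH sessions never hit these rules.
  printf '%s\n' "-A INPUT -i $WAN_IF -p tcp --dport $SSH_PORT -m state --state NEW -m recent --set --name SSH --rsource"
  # Rule 2: if this source now has LIMIT_HITS timestamps inside the last
  # LIMIT_SECONDS seconds, DROP the packet. DROP (not REJECT) is what makes the
  # client's connection attempt hang instead of failing immediately.
  printf '%s\n' "-A INPUT -i $WAN_IF -p tcp --dport $SSH_PORT -m state --state NEW -m recent --update --seconds $LIMIT_SECONDS --hitcount $LIMIT_HITS --name SSH --rsource -j DROP"
}

# Number of rules emitted; useful when checking a generated firewall.user.
ssh_ratelimit_rule_count() {
  ssh_ratelimit_rules | wc -l | tr -d ' '
}

# Apply the rules to the running firewall (requires root and iptables).
# Nothing is changed unless this function is called explicitly.
apply_ssh_ratelimit() {
  ssh_ratelimit_rules | while read -r rule; do
    # shellcheck disable=SC2086  # intentional word splitting into iptables args
    iptables $rule
  done
}

# Invoked as "sh this_script.sh apply" to install the rules; otherwise just print them.
if [ "${1:-}" = "apply" ]; then
  apply_ssh_ratelimit
else
  ssh_ratelimit_rules
fi
```

The order of the two rules is what sets the threshold: the `--set` rule runs first and adds the current connection's timestamp, so when the `--update --hitcount 4` rule then counts entries from the last 60 seconds, the fourth attempt is the first one that matches and is dropped, which is exactly the test procedure in the PR description. Swap the rules and the drop moves to the fifth attempt. On an OpenWrt node these lines belong in `/etc/firewall.user`, which the firewall init script loads after the UCI-generated chains.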