robzr / bearDropper

Busybox ash based log examination script w/ iptables firewall rule generation response (fail2ban for OpenWRT)

bearDropper not actually banning attackers? #10

Open Goro2030 opened 6 years ago

Goro2030 commented 6 years ago

I have been running bearDropper for ages, as part of David's build of LEDE, but now looking into the logs, it actually doesn't seem to be blocking the offending IPs.

My current configuration has this section:

  # IPTables chains to add rules to, syntax is chain:position where
  #   position is (-1 = don't add, 0 = append, 1+ = absolute position)
    list    firewallHookChain       input_wan_rule:1
    list    firewallHookChain       forwarding_wan_rule:1

This LEDE version is from David's 502 builds: LEDE SNAPSHOT, r7093-4fdc6ca31b

And the latest bearDropper version.

And I found this in the log today:

logread | grep 5.101.

Mon Jun 11 09:11:10 2018 authpriv.info dropbear[24930]: Child connection from 5.101.140.66:51179
Mon Jun 11 11:10:50 2018 authpriv.info dropbear[24388]: Child connection from 5.101.140.66:54713
Mon Jun 11 11:10:52 2018 authpriv.warn dropbear[24388]: Bad password attempt for 'root' from 5.101.140.66:54713
Mon Jun 11 11:10:53 2018 authpriv.warn dropbear[24388]: Client trying multiple usernames from 5.101.140.66:54713
Mon Jun 11 11:10:53 2018 authpriv.warn dropbear[24388]: Login attempt for nonexistent user from 5.101.140.66:54713
Mon Jun 11 11:10:53 2018 authpriv.warn dropbear[24388]: Login attempt for nonexistent user from 5.101.140.66:54713
Mon Jun 11 11:10:54 2018 authpriv.warn dropbear[24388]: Client trying multiple usernames from 5.101.140.66:54713
Mon Jun 11 11:10:54 2018 authpriv.warn dropbear[24388]: Login attempt for nonexistent user from 5.101.140.66:54713
Mon Jun 11 11:10:54 2018 authpriv.notice bearDropper[19917]: Inserting ban rule for IP 5.101.140.66 into iptables chain bearDropper
Mon Jun 11 11:10:54 2018 authpriv.notice bearDropper[18583]: Inserting ban rule for IP 5.101.140.66 into iptables chain bearDropper
Mon Jun 11 11:10:54 2018 authpriv.warn dropbear[24388]: Login attempt for nonexistent user from 5.101.140.66:54713
Mon Jun 11 11:10:54 2018 authpriv.warn dropbear[24388]: Client trying multiple usernames from 5.101.140.66:54713
Mon Jun 11 11:10:55 2018 authpriv.warn dropbear[24388]: Bad password attempt for 'root' from 5.101.140.66:54713
Mon Jun 11 11:10:55 2018 authpriv.warn dropbear[24388]: Bad password attempt for 'root' from 5.101.140.66:54713
Mon Jun 11 11:10:55 2018 authpriv.notice bearDropper[18583]: Inserting ban rule for IP 5.101.140.66 into iptables chain bearDropper
Mon Jun 11 11:10:56 2018 authpriv.warn dropbear[24388]: Bad password attempt for 'root' from 5.101.140.66:54713
Mon Jun 11 11:10:56 2018 authpriv.info dropbear[24388]: Exit before auth (user 'root', 3 fails): Max auth tries reached - user 'root' from 5.101.140.66:54713

See that the "ban rule" was inserted twice (instead of just once?), but the offending IP kept trying after that? It all happened within 2 seconds... maybe this is just a syslogd delay in the messages?

@robzr , can you take a look?

BTW: iptables -L has the ban rule on it.

Goro2030 commented 6 years ago

I have more proof from today that bearDropper is actually not working ...

Thu Jun 14 04:42:58 2018 authpriv.info dropbear[11882]: Child connection from 193.201.224.208:29745
Thu Jun 14 04:43:07 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:07 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:07 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:07 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:08 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:08 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:10 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:10 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
**Thu Jun 14 04:43:11 2018 authpriv.notice bearDropper[20934]: Inserting ban rule for IP 193.201.224.208 into iptables chain bearDropper**
Thu Jun 14 04:43:11 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:11 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:12 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:12 2018 authpriv.warn dropbear[11882]: Bad password attempt for 'root' from 193.201.224.208:29745
Thu Jun 14 04:43:14 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:14 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:15 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:15 2018 authpriv.warn dropbear[11882]: Bad password attempt for 'root' from 193.201.224.208:29745
Thu Jun 14 04:43:15 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:15 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:16 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:16 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:19 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:19 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:20 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:20 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:20 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:20 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:22 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:22 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:29 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:29 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:45 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:45 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:46 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:46 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:46 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:46 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:48 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:48 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:49 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:49 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:50 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:50 2018 authpriv.warn dropbear[11882]: Bad password attempt for 'root' from 193.201.224.208:29745
Thu Jun 14 04:43:51 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:51 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:52 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:52 2018 authpriv.warn dropbear[11882]: Bad password attempt for 'root' from 193.201.224.208:29745
Thu Jun 14 04:43:54 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:54 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:54 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:54 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:55 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:55 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:55 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:55 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:58 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:59 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:59 2018 authpriv.warn dropbear[11882]: Bad password attempt for 'root' from 193.201.224.208:29745
Thu Jun 14 04:43:59 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:59 2018 authpriv.warn dropbear[11882]: User 'ftp' has invalid shell, rejected
Thu Jun 14 04:44:01 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:44:01 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:44:02 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:44:02 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:44:02 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:44:02 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:44:03 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:44:03 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:44:04 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:44:04 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:44:07 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:44:07 2018 authpriv.warn dropbear[11882]: Bad password attempt for 'root' from 193.201.224.208:29745
Thu Jun 14 04:44:22 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:44:22 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:44:23 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:44:23 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:44:24 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:44:24 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:44:24 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:44:24 2018 authpriv.warn dropbear[11882]: Bad password attempt for 'root' from 193.201.224.208:29745
Thu Jun 14 04:44:31 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:44:31 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:44:32 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:44:32 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:44:34 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:44:34 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:44:36 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:44:36 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:44:39 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:44:39 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:44:39 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:44:39 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:44:40 2018 daemon.notice hostapd: wlan1: AP-STA-DISCONNECTED 70:ee:50:03:6a:50
Thu Jun 14 04:44:43 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:44:43 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:44:44 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:44:44 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:44:46 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:44:46 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:45:02 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:45:02 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
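
Added example, not code from the thread or from the bearDropper project: a POSIX sh/awk triage check for the question raised in both logs above. In each log every dropbear line after the "Inserting ban rule" line carries the same source port as the lines before it (54713, then 29745), i.e. the same TCP session; the check assumes, which the thread does not confirm, that a rule hooked into input_wan_rule only sees new connections because OpenWrt's INPUT chain accepts ESTABLISHED traffic before dispatching to the zone chains, so post-ban attempts on a new source port are the real sign of a ban that is not taking effect. The sample log is constructed from the lines quoted in this issue; the 192.0.2.10 session is invented to show the opposite verdict.

```shell
#!/bin/sh
# Constructed sample log modelled on the lines quoted in this issue
# (the 192.0.2.10 session is invented to show the opposite verdict).
sample_log() {
cat <<'EOF'
Mon Jun 11 11:10:50 2018 authpriv.info dropbear[24388]: Child connection from 5.101.140.66:54713
Mon Jun 11 11:10:52 2018 authpriv.warn dropbear[24388]: Bad password attempt for 'root' from 5.101.140.66:54713
Mon Jun 11 11:10:54 2018 authpriv.notice bearDropper[19917]: Inserting ban rule for IP 5.101.140.66 into iptables chain bearDropper
Mon Jun 11 11:10:54 2018 authpriv.notice bearDropper[18583]: Inserting ban rule for IP 5.101.140.66 into iptables chain bearDropper
Mon Jun 11 11:10:54 2018 authpriv.warn dropbear[24388]: Login attempt for nonexistent user from 5.101.140.66:54713
Mon Jun 11 11:10:55 2018 authpriv.warn dropbear[24388]: Bad password attempt for 'root' from 5.101.140.66:54713
Mon Jun 11 11:10:56 2018 authpriv.info dropbear[24388]: Exit before auth (user 'root', 3 fails): Max auth tries reached - user 'root' from 5.101.140.66:54713
Mon Jun 11 12:00:00 2018 authpriv.info dropbear[25001]: Child connection from 192.0.2.10:40001
Mon Jun 11 12:00:01 2018 authpriv.warn dropbear[25001]: Bad password attempt for 'root' from 192.0.2.10:40001
Mon Jun 11 12:00:02 2018 authpriv.notice bearDropper[25100]: Inserting ban rule for IP 192.0.2.10 into iptables chain bearDropper
Mon Jun 11 12:00:03 2018 authpriv.warn dropbear[25001]: Bad password attempt for 'root' from 192.0.2.10:40001
Mon Jun 11 12:00:10 2018 authpriv.info dropbear[25002]: Child connection from 192.0.2.10:40002
Mon Jun 11 12:00:11 2018 authpriv.warn dropbear[25002]: Bad password attempt for 'root' from 192.0.2.10:40002
EOF
}

# Read a logread stream on stdin. For every IP bearDropper banned, split the
# dropbear lines logged after the ban into those on a source port already seen
# before the ban (an already-established session, assumed to bypass a rule in
# input_wan_rule) and those on a new source port (a fresh connection that the
# ban should have dropped). Run on the router as: logread | ban_check
ban_check() {
  awk '
    /bearDropper\[[0-9]+\]: Inserting ban rule for IP / {
      match($0, /for IP [0-9.]+/)
      ip = substr($0, RSTART + 7, RLENGTH - 7)
      if (!(ip in banned)) banned[ip] = NR   # first ban line wins
      next
    }
    /dropbear\[[0-9]+\]: / && match($0, /from [0-9.]+:[0-9]+/) {
      ep = substr($0, RSTART + 5, RLENGTH - 5)   # "ip:port"
      split(ep, p, ":"); ip = p[1]
      if (!(ip in banned)) { seen[ep] = 1; next }  # pre-ban: remember the port
      if (ep in seen) same[ip]++; else fresh[ip]++
    }
    END {
      for (ip in banned)
        printf "%s: %d post-ban line(s) on pre-ban connections, %d on new connections -> %s\n",
          ip, same[ip] + 0, fresh[ip] + 0,
          (fresh[ip] + 0 > 0 ? "BAN NOT EFFECTIVE" : "ban holds (existing session only)")
    }' | sort
}
```

A verdict of "ban holds (existing session only)" matches what both logs above show; dropbear's own max-auth-tries limit ends that session, and the ban is expected to stop the next connection from that IP.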
WiteWulf commented 5 years ago

I've just noticed the same on my system. It was working until recently but definitely not now. Sadly, I think this project is abandoned as it's not been updated in 2+ years :-(

satheras commented 5 years ago

Is there an alternative?

jose1711 commented 4 years ago

I've tested this a few days ago and it was working fine. Maybe it's something about your setup.