Inspecting the router log files I discovered occasional but massive bursts of login attempts. This is the typical observation when an SSH port visible from the WAN is left on the default port 22. Mine was set to a custom port and configured with a firewall port redirection. At least I thought so. In reality the custom port was accessible along with the default port. The same problem affected the FTP configuration. Looking at the UCI firewall commands, I spent over an hour spotting where the problem was.
My log file was sliced by bursts of hundreds of entries generated by bots running brute-force attacks:
    Jan 19 12:47:21 dropbear[14241]: Child connection from 195.175.239.169:40090
    Jan 19 12:47:23 dropbear[14241]: bad password attempt for 'root' from 195.175.239.169:40090
    Jan 19 12:47:23 dropbear[14241]: exit before auth (user 'root', 1 fails): Disconnect received
    Jan 19 12:47:23 dropbear[14245]: Child connection from 195.175.239.169:40713
    Jan 19 12:47:26 dropbear[14245]: bad password attempt for 'root' from 195.175.239.169:40713
    Jan 19 12:47:26 dropbear[14245]: exit before auth (user 'root', 1 fails): Disconnect received
    ...
    Jan 19 12:50:07 dropbear[14350]: Child connection from 195.175.239.169:45583
    Jan 19 12:50:08 dropbear[14350]: login attempt for nonexistent user from 195.175.239.169:45583
    Jan 19 12:50:09 dropbear[14350]: exit before auth: Disconnect received
    Jan 19 12:50:09 dropbear[14351]: Child connection from 195.175.239.169:45960
    Jan 19 12:50:10 dropbear[14351]: login attempt for nonexistent user from 195.175.239.169:45960
    Jan 19 12:50:11 dropbear[14351]: exit before auth: Disconnect received
    ...
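Log bursts like the one above are easy to triage with a short awk pass. The script below is an added example, not code from the original post: it counts failed dropbear logins per remote address, skips RFC 1918 sources so LAN-side typos do not show up as attackers, and prints every address at or above a threshold, most active first. The sample log is constructed from the entries above plus an invented LAN address (192.168.1.23) and one invented single-failure source (203.0.113.7); `dropbear_offenders` and `sample_dropbear_log` are names chosen here.

```shell
# Added example (not from the original post): triage a syslog-style dropbear
# log for brute-force sources. Counts failed logins per remote address, skips
# RFC 1918 sources (the LAN), and prints "<ip> <failures>" for addresses at
# or above a threshold, most active first.
dropbear_offenders() {
    # usage: dropbear_offenders <logfile> [threshold, default 3]
    awk -v min="${2:-3}" '
    function is_private(ip,    o) {
        split(ip, o, ".")
        if (o[1] == 10) return 1
        if (o[1] == 192 && o[2] == 168) return 1
        if (o[1] == 172 && o[2] >= 16 && o[2] <= 31) return 1
        return 0
    }
    # older dropbear writes "bad password"/"login attempt", newer "Bad"/"Login"
    /dropbear\[[0-9]+\]: ([Bb]ad password attempt|[Ll]ogin attempt for nonexistent user)/ {
        split($NF, ep, ":")            # last field is "ip:port"
        if (!is_private(ep[1])) fails[ep[1]]++
    }
    END { for (ip in fails) if (fails[ip] >= min) print ip, fails[ip] }
    ' "$1" | sort -k 2 -n -r
}

# Constructed sample: the entries from the post plus an invented LAN source
# (excluded) and an invented single-failure source (below the threshold).
sample_dropbear_log() {
    cat <<'EOF'
Jan 19 12:47:21 dropbear[14241]: Child connection from 195.175.239.169:40090
Jan 19 12:47:23 dropbear[14241]: bad password attempt for 'root' from 195.175.239.169:40090
Jan 19 12:47:23 dropbear[14241]: exit before auth (user 'root', 1 fails): Disconnect received
Jan 19 12:47:23 dropbear[14245]: Child connection from 195.175.239.169:40713
Jan 19 12:47:26 dropbear[14245]: bad password attempt for 'root' from 195.175.239.169:40713
Jan 19 12:47:26 dropbear[14245]: exit before auth (user 'root', 1 fails): Disconnect received
Jan 19 12:50:07 dropbear[14350]: Child connection from 195.175.239.169:45583
Jan 19 12:50:08 dropbear[14350]: login attempt for nonexistent user from 195.175.239.169:45583
Jan 19 12:50:09 dropbear[14350]: exit before auth: Disconnect received
Jan 19 12:50:09 dropbear[14351]: Child connection from 195.175.239.169:45960
Jan 19 12:50:10 dropbear[14351]: login attempt for nonexistent user from 195.175.239.169:45960
Jan 19 12:50:11 dropbear[14351]: exit before auth: Disconnect received
Jan 19 12:51:02 dropbear[14360]: Child connection from 192.168.1.23:51120
Jan 19 12:51:04 dropbear[14360]: bad password attempt for 'root' from 192.168.1.23:51120
Jan 19 12:52:10 dropbear[14370]: Child connection from 203.0.113.7:39001
Jan 19 12:52:12 dropbear[14370]: login attempt for nonexistent user from 203.0.113.7:39001
EOF
}

# Demo run on the constructed sample; on a router use: logread | ... or
# dropbear_offenders /var/log/messages 3
logfile=$(mktemp)
sample_dropbear_log > "$logfile"
dropbear_offenders "$logfile" 3
rm -f "$logfile"
```

Only failed attempts are counted, so a legitimate key-based login from outside never appears; the threshold keeps a single mistyped password from a travelling user out of the report.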
Apparently my firewall setup was misconfigured. Port forwarding was fine, but the default SSH port was open on the WAN side as well. Looking at /etc/config/firewall I could not see the problem immediately:
    config 'rule'
        option '_name' 'ssh'
        option 'target' 'ACCEPT'
        option 'proto' 'tcp'
        option 'src' 'wan'
        option 'dest_port' '22'

    config 'redirect'
        option '_name' 'ssh-wan-redirect'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option 'src_dport' '2222'
        option 'dest_port' '22'
        option 'dest_ip' '192.168.1.1'
The first thing I fixed was the missing destination zone in the 'redirect' section. That did not solve the problem: port 22 was still reachable on the WAN side. A dozen Google queries later I was no closer to a solution. I found recipes that inject iptables entries through the /etc/firewall.user script, bypassing UCI. I could not believe UCI alone could not express this, and I was right. Finally I noticed another user's embarrassed admission that the 'rule' section has to specify 'dest_ip' in the other zone, and that with it the accept rule behaves as if it rejected 'dest_port' on the 'src' zone. I tried it and it worked.

What actually happens is plain netfilter ordering, not a UCI quirk. A 'rule' with a 'src' zone and no 'dest' zone filters traffic addressed to the router itself (the wan input chain). Without 'dest_ip' it accepted every TCP packet arriving from wan with destination port 22, whatever address the packet was sent to, which is exactly an open port 22 on the WAN address. With 'dest_ip' '192.168.1.1' the rule only accepts packets addressed to the router's LAN address. Connections from the internet are addressed to the WAN address, so they fall through to the zone's default REJECT; the only way a packet from wan ends up addressed to 192.168.1.1:22 is through the DNAT redirect from 2222, and DNAT runs in PREROUTING, before the input filter sees the packet. The 'dest' 'lan' on the redirect is the correct destination zone for a DNAT redirect, but, as observed, it does not change what the input chain accepts. A simpler alternative that needs no redirect at all is to run dropbear on the custom port directly ('option Port' in /etc/config/dropbear) and accept only that port from wan. Whichever variant is used, verify it from outside (a port scan of the WAN address for 22 and 2222) rather than trusting the config file; the log above shows that an overlooked accept rule stays open silently. The final configuration adds 'dest_ip' to the rule and 'dest' to the redirect:

    config 'rule'
        option '_name' 'ssh'
        option 'target' 'ACCEPT'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option 'dest_port' '22'
        option 'dest_ip' '192.168.1.1'

    config 'redirect'
        option '_name' 'ssh-wan-redirect'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option 'src_dport' '2222'
        option 'dest_port' '22'
        option 'dest_ip' '192.168.1.1'
        option 'dest' 'lan'
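Because the exposed rule looked harmless in the file, it is worth having a mechanical check for it. The script below is an added example, not code from the original post: it walks a UCI firewall file stanza by stanza and reports every 'rule' that ACCEPTs traffic from wan into the router itself (no 'dest' zone) without a 'dest_ip' restriction, which is the pattern that left port 22 open here. The two sample configurations are the broken and fixed SSH stanzas from this post; `audit_wan_input_rules` and the sample function names are chosen here, and the parser assumes one value per option (no space-separated port lists) and the fw3 default 'target' of DROP.

```shell
# Added example (not from the original post): audit an OpenWrt UCI firewall
# file for 'rule' sections that open the router itself to the wan zone.
# A rule with 'src' but no 'dest' is an input rule; if it ACCEPTs without a
# 'dest_ip' restriction, the port is reachable on the WAN address directly.
# Assumptions: one value per option (no lists), 'target' defaults to DROP.
audit_wan_input_rules() {
    # usage: audit_wan_input_rules /etc/config/firewall
    # prints "<rule name> <dest_port>" per offending rule, nothing if clean
    awk -v q="'" '
    function unq(s) { sub("^[" q "\"]", "", s); sub("[" q "\"]$", "", s); return s }
    function reset() { type = ""; name = ""; src = ""; dest = ""; dest_ip = ""; port = ""; target = "DROP" }
    function flush(    n, p) {
        if (type == "rule" && src == "wan" && target == "ACCEPT" && dest == "" && dest_ip == "") {
            n = (name == "") ? "(unnamed)" : name
            p = (port == "") ? "(any)" : port
            print n, p
        }
        reset()
    }
    BEGIN { reset() }
    $1 == "config" { flush(); type = unq($2); next }
    $1 == "option" {
        k = unq($2); v = unq($3)
        if (k == "_name" || k == "name") name = v
        else if (k == "src") src = v
        else if (k == "dest") dest = v
        else if (k == "dest_ip") dest_ip = v
        else if (k == "dest_port") port = v
        else if (k == "target") target = v
    }
    END { flush() }
    ' "$1"
}

# The original (exposed) SSH stanzas from the post.
sample_firewall_broken() {
    cat <<'EOF'
config 'rule'
    option '_name' 'ssh'
    option 'target' 'ACCEPT'
    option 'proto' 'tcp'
    option 'src' 'wan'
    option 'dest_port' '22'

config 'redirect'
    option '_name' 'ssh-wan-redirect'
    option 'src' 'wan'
    option 'proto' 'tcp'
    option 'src_dport' '2222'
    option 'dest_port' '22'
    option 'dest_ip' '192.168.1.1'
EOF
}

# The corrected stanzas: the rule is restricted to the router's LAN address,
# which from wan is only reachable through the DNAT redirect.
sample_firewall_fixed() {
    cat <<'EOF'
config 'rule'
    option '_name' 'ssh'
    option 'target' 'ACCEPT'
    option 'src' 'wan'
    option 'proto' 'tcp'
    option 'dest_port' '22'
    option 'dest_ip' '192.168.1.1'

config 'redirect'
    option '_name' 'ssh-wan-redirect'
    option 'src' 'wan'
    option 'proto' 'tcp'
    option 'src_dport' '2222'
    option 'dest_port' '22'
    option 'dest_ip' '192.168.1.1'
    option 'dest' 'lan'
EOF
}

# Demo: the broken file reports "ssh 22", the fixed file reports nothing.
cfg=$(mktemp)
sample_firewall_broken > "$cfg"
echo "broken config:"; audit_wan_input_rules "$cfg"
sample_firewall_fixed > "$cfg"
echo "fixed config:";  audit_wan_input_rules "$cfg"
rm -f "$cfg"
```

On a router, run it against /etc/config/firewall after every change; an empty report means no unrestricted wan-to-router accept rule exists, which is a necessary condition, not a full proof, so still follow up with a scan of the WAN address.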
For completeness, here is the configuration for FTP reachable on a hypothetical port 2121 on the WAN side and the default port 21 on the LAN side. Passive mode needs an additional range of ports, here 32000 to 32127, both accepted and redirected; the passive-range redirect has no 'dest_port', so the DNAT keeps the port numbers unchanged, matching the range vsftpd announces. Keep in mind that FTP carries credentials in clear text; if the goal is only file transfer to the router, SFTP over the dropbear port that is already exposed avoids opening a second password-authenticated service to the WAN.
    config 'rule'
        option '_name' 'vsftp-ftp-accept'
        option 'target' 'ACCEPT'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option 'dest_port' '21'
        option 'dest_ip' '192.168.1.1'

    config 'redirect'
        option '_name' 'vsftp-ftp-redirect'
        option 'src' 'wan'
        option 'dest_ip' '192.168.1.1'
        option 'dest_port' '21'
        option 'proto' 'tcp'
        option 'src_dport' '2121'
        option 'target' 'DNAT'
        option 'dest' 'lan'

    config 'rule'
        option '_name' 'vsftp-passive-accept'
        option 'src' 'wan'
        option 'target' 'ACCEPT'
        option 'dest_port' '32000:32127'
        option 'dest_ip' '192.168.1.1'
        option 'proto' 'tcp'

    config 'redirect'
        option '_name' 'vsftp-passive-redirect'
        option 'src' 'wan'
        option 'dest_ip' '192.168.1.1'
        option 'proto' 'tcp'
        option 'src_dport' '32000:32127'
        option 'target' 'DNAT'
        option 'dest' 'lan'
The firewall configuration is accompanied by the following entries in /etc/vsftpd.conf (the passive range must match the firewall rules above, and pasv_address must be the public address clients will connect back to):

    port_enable=YES
    pasv_enable=YES
    pasv_address=<numeric WAN interface IP address here>
    pasv_min_port=32000
    pasv_max_port=32127
Worked like a charm. Many thanks for all the help!
After port redirection (wan:2222 -> lan:22)
Network – Firewall – Custom Rules (/etc/firewall.user)
iptables -D zone_wan -p tcp --dport 22 -j ACCEPT
Thank you for sharing this. Traffic rules helped me out…
option 'src_dport' '32000:32137'
Port ranges must be separated with -
option 'src_dport' '32000-32137'
This gives me the chance to share a small crontab line I created for myself today. I want all the non-LAN accesses of today to be logged and in future be sent by email.
Regardless of accessing only on custom ports and with RSA keys only, it is good to know whether you are being targeted.
# keeps today's dropbear connections that did not come from the 192.168.x.x LAN
logread | grep "$(date +"%a %b %d")" | grep dropbear | grep Child | grep -v 'from 192\.168\.' >> /mnt/usb/USB-A1/xxx.txt