SSH and FTP custom ports firewall redirection in OpenWRT

Inspecting router log files I discovered occasional but massive login attempts. This is a typical observation when the SSH port visible from the WAN is left on the default port 22. Mine was set to a custom port and configured with firewall port redirection. At least I thought so. In reality the custom port was accessible along with the default port. The same problem affected the FTP configuration. Looking at the UCI firewall commands, I spent over an hour spotting where the problem was.

My log file was sliced by bursts of hundreds of lines generated in response to brute-force attacks from bots:

Jan 19 12:47:21 dropbear[14241]: Child connection from 195.175.239.169:40090
Jan 19 12:47:23 dropbear[14241]: bad password attempt for 'root' from 195.175.239.169:40090
Jan 19 12:47:23 dropbear[14241]: exit before auth (user 'root', 1 fails): Disconnect received
Jan 19 12:47:23 dropbear[14245]: Child connection from 195.175.239.169:40713
Jan 19 12:47:26 dropbear[14245]: bad password attempt for 'root' from 195.175.239.169:40713
Jan 19 12:47:26 dropbear[14245]: exit before auth (user 'root', 1 fails): Disconnect received
...
Jan 19 12:50:07 dropbear[14350]: Child connection from 195.175.239.169:45583
Jan 19 12:50:08 dropbear[14350]: login attempt for nonexistent user from 195.175.239.169:45583
Jan 19 12:50:09 dropbear[14350]: exit before auth: Disconnect received
Jan 19 12:50:09 dropbear[14351]: Child connection from 195.175.239.169:45960
Jan 19 12:50:10 dropbear[14351]: login attempt for nonexistent user from 195.175.239.169:45960
Jan 19 12:50:11 dropbear[14351]: exit before auth: Disconnect received
...

Apparently my current firewall setup was misconfigured. Port forwarding was OK, but the default SSH port on the WAN side was open too. Looking at the /etc/config/firewall file I could not see the problem immediately:

config 'rule'
	option '_name' 'ssh'
	option 'target' 'ACCEPT'
	option 'proto' 'tcp'
	option 'src' 'wan'
	option 'dest_port' '22'
 
config 'redirect'
	option '_name' 'ssh-wan-redirect'
	option 'src' 'wan'
	option 'proto' 'tcp'
	option 'src_dport' '2222'
	option 'dest_port' '22'
	option 'dest_ip' '192.168.1.1'

The first thing I fixed was the destination zone in the 'redirect' section. It did not solve the problem, however: I was still able to use port 22 on the WAN side. A dozen googl-o-queries later I was nowhere near a solution. I found recipes injecting iptables entries through the /etc/firewall.user script to extend the UCI commands. I could not believe the UCI config was not capable of solving the problem, and I was right. Finally I noticed the embarrassment of some other internaut, who pointed out that the 'rule' section has to specify a 'dest_ip' in the other zone, and that this accept rule then works as if it rejected 'dest_port' on the 'src' zone. I tried and it... worked (#@$!). The final solution was enriched with lines 7 and 16 ('dest_ip' in the rule and 'dest' in the redirect) and looks like this:

 1  config 'rule'
 2      option '_name' 'ssh'
 3      option 'target' 'ACCEPT'
 4      option 'src' 'wan'
 5      option 'proto' 'tcp'
 6      option 'dest_port' '22'
 7      option 'dest_ip' '192.168.1.1'
 8
 9  config 'redirect'
10      option '_name' 'ssh-wan-redirect'
11      option 'src' 'wan'
12      option 'proto' 'tcp'
13      option 'src_dport' '2222'
14      option 'dest_port' '22'
15      option 'dest_ip' '192.168.1.1'
16      option 'dest' 'lan'
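The reason the first config left port 22 open is worth making mechanical: a 'rule' section with neither a 'dest' zone nor a 'dest_ip' matches traffic addressed to the router itself, on every address it owns, so 'dest_port' '22' from 'wan' accepts SSH on the WAN address. Adding 'dest_ip' '192.168.1.1' narrows the accept to the LAN address that the redirect rewrites port 2222 traffic to, which is why only the redirected path keeps working. The script below is an added example, not part of the post or of OpenWRT: it lints a /etc/config/firewall text read from stdin and reports every ACCEPT-from-wan rule that has neither 'dest' nor 'dest_ip'. The two sample configs are copied from the post; the function name lint_wan_accept_rules is this example's own; it needs only the awk that busybox ships.

```shell
#!/bin/sh
# Added example (not the post's own code): flag firewall 'rule' sections that
# accept WAN traffic to the router itself. Runs with busybox/POSIX sh and awk.

# Constructed sample 1: the post's original (broken) SSH config.
BROKEN_CFG="config 'rule'
    option '_name' 'ssh'
    option 'target' 'ACCEPT'
    option 'proto' 'tcp'
    option 'src' 'wan'
    option 'dest_port' '22'

config 'redirect'
    option '_name' 'ssh-wan-redirect'
    option 'src' 'wan'
    option 'proto' 'tcp'
    option 'src_dport' '2222'
    option 'dest_port' '22'
    option 'dest_ip' '192.168.1.1'"

# Constructed sample 2: the post's fixed SSH config.
FIXED_CFG="config 'rule'
    option '_name' 'ssh'
    option 'target' 'ACCEPT'
    option 'src' 'wan'
    option 'proto' 'tcp'
    option 'dest_port' '22'
    option 'dest_ip' '192.168.1.1'

config 'redirect'
    option '_name' 'ssh-wan-redirect'
    option 'src' 'wan'
    option 'proto' 'tcp'
    option 'src_dport' '2222'
    option 'dest_port' '22'
    option 'dest_ip' '192.168.1.1'
    option 'dest' 'lan'"

# Reads UCI firewall text on stdin. For every 'rule' section with src=wan and
# target=ACCEPT that has no 'dest' zone and no 'dest_ip', prints
# "<_name> dest_port=<port>" (the port is open on the router's WAN address).
lint_wan_accept_rules() {
    awk -v q="'" '
    function flush() {
        if (type == "rule" && src == "wan" && target == "ACCEPT" \
            && dest == "" && dest_ip == "")
            printf "%s dest_port=%s\n", name, (port == "" ? "any" : port)
        type = ""; name = ""; src = ""; target = ""
        dest = ""; dest_ip = ""; port = ""
    }
    # a new "config <type>" line closes the previous section
    $1 == "config" { flush(); type = $2; gsub(q, "", type); next }
    $1 == "option" {
        key = $2; val = $3
        gsub(q, "", key); gsub(q, "", val)   # strip the UCI single quotes
        if (key == "_name")        name = val
        else if (key == "src")     src = val
        else if (key == "target")  target = val
        else if (key == "dest")    dest = val
        else if (key == "dest_ip") dest_ip = val
        else if (key == "dest_port") port = val
    }
    END { flush() }'
}

echo "== original config =="
printf '%s\n' "$BROKEN_CFG" | lint_wan_accept_rules   # reports: ssh dest_port=22
echo "== fixed config =="
printf '%s\n' "$FIXED_CFG" | lint_wan_accept_rules    # reports nothing
```

On a router, run it as `lint_wan_accept_rules < /etc/config/firewall`. A rule that is reported is not necessarily wrong (a deliberately exposed service on the router looks the same), but each one is a port reachable on the WAN address and deserves a second look.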

For completeness, find below the configuration for FTP, available on hypothetical port 2121 on the WAN side and on the default port 21 on the LAN side. Passive mode requires additional ports to be opened, here in the range 32000 to 32127.

config 'rule'
	option '_name' 'vsftp-ftp-accept'
	option 'target' 'ACCEPT'
	option 'src' 'wan'
	option 'proto' 'tcp'
	option 'dest_port' '21'
	option 'dest_ip' '192.168.1.1'
 
config 'redirect'
	option '_name' 'vsftp-ftp-redirect'
	option 'src' 'wan'
	option 'dest_ip' '192.168.1.1'
	option 'dest_port' '21'
	option 'proto' 'tcp'
	option 'src_dport' '2121'
	option 'target' 'DNAT'
	option 'dest' 'lan'
 
config 'rule'
	option '_name' 'vsftp-passive-accept'
	option 'src' 'wan'
	option 'target' 'ACCEPT'
	option 'dest_port' '32000:32127'
	option 'dest_ip' '192.168.1.1'
	option 'proto' 'tcp'
 
config 'redirect'
	option '_name' 'vsftp-passive-redirect'
	option 'src' 'wan'
	option 'dest_ip' '192.168.1.1'
	option 'proto' 'tcp'
	option 'src_dport' '32000:32127'
	option 'target' 'DNAT'
	option 'dest' 'lan'

The firewall config is accompanied by the /etc/vsftpd.conf configuration file, which has the following entries:

port_enable=YES
pasv_enable=YES
pasv_address= <numeric WAN interface IP address here>
pasv_min_port=32000
pasv_max_port=32127
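The passive range has to be identical in three places: pasv_min_port/pasv_max_port in vsftpd.conf, the 'dest_port' of the accept rule and the 'src_dport' of the redirect. A mistyped bound either leaves some passive connections unreachable or exposes ports nothing listens on. The script below is an added example, not part of the post or of vsftpd or OpenWRT: it extracts the range from a vsftpd.conf text, collects every port range in the firewall text (both the ':' and the '-' separator discussed in the comments are accepted and normalised to '-'), and prints the ranges that disagree. The sample texts are constructed from the post, with the redirect's upper bound deliberately mistyped to 32137 so that a mismatch is visible, and pasv_address set to a documentation address; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not the post's own code): check that the vsftpd passive port
# range and the firewall's port ranges agree. Needs only POSIX sh and awk.

# Constructed sample: vsftpd.conf with a placeholder (documentation) WAN address.
VSFTPD_CONF="port_enable=YES
pasv_enable=YES
pasv_address=203.0.113.10
pasv_min_port=32000
pasv_max_port=32127"

# Constructed sample: the passive-mode firewall sections, with the redirect's
# upper bound mistyped on purpose (32137 instead of 32127).
FIREWALL_CFG="config 'rule'
    option '_name' 'vsftp-passive-accept'
    option 'src' 'wan'
    option 'target' 'ACCEPT'
    option 'dest_port' '32000:32127'
    option 'dest_ip' '192.168.1.1'
    option 'proto' 'tcp'

config 'redirect'
    option '_name' 'vsftp-passive-redirect'
    option 'src' 'wan'
    option 'dest_ip' '192.168.1.1'
    option 'proto' 'tcp'
    option 'src_dport' '32000:32137'
    option 'target' 'DNAT'
    option 'dest' 'lan'"

# Prints "min-max" taken from pasv_min_port/pasv_max_port of vsftpd.conf on stdin.
vsftpd_pasv_range() {
    awk -F= '$1 == "pasv_min_port" { lo = $2 }
             $1 == "pasv_max_port" { hi = $2 }
             END { printf "%s-%s\n", lo, hi }'
}

# Prints every port range found in dest_port/src_dport options of the firewall
# text on stdin, one per line, with ':' normalised to '-'.
firewall_port_ranges() {
    awk -v q="'" '
    $1 == "option" && ($2 == (q "dest_port" q) || $2 == (q "src_dport" q)) {
        v = $3; gsub(q, "", v)
        if (match(v, /^[0-9]+[:-][0-9]+$/)) { sub(/:/, "-", v); print v }
    }'
}

# Usage: check_pasv_ranges <min-max> < firewall-text
# Prints each firewall range that differs from the expected passive range.
check_pasv_ranges() {
    firewall_port_ranges | awk -v want="$1" '$0 != want { print }'
}

expected=$(printf '%s\n' "$VSFTPD_CONF" | vsftpd_pasv_range)
echo "vsftpd passive range: $expected"
echo "firewall ranges that do not match:"
printf '%s\n' "$FIREWALL_CFG" | check_pasv_ranges "$expected"   # prints 32000-32137
```

On a router the same check is `check_pasv_ranges "$(vsftpd_pasv_range < /etc/vsftpd.conf)" < /etc/config/firewall`; an empty result means the three ranges agree.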

5 Responses to SSH and FTP custom ports firewall redirection in OpenWRT

  1. Olav Queseth says:

    Worked like a charm. Many thanks for all the help!

  2. Figaro says:

    After port redirection (wan:2222 -> lan:22)
    Network – Firewall – Custom Rules (/etc/firewall.user)
    iptables -D zone_wan -p tcp --dport 22 -j ACCEPT

  3. Nache says:

    Thank you for sharing this. Traffic rules helped me out…

  4. Pit says:

    option 'src_dport' '32000:32137'

    Port ranges must be separated with -
    option 'src_dport' '32000-32137'

  5. flapane says:

    This gives me the chance to share a small crontab line I created for myself today. I want all the non-LAN accesses of today to be logged and in future be sent by email.
    Regardless of accessing only on custom ports and with RSA keys only, it is good to know whether you are being targeted.

    logread | grep "$(date +"%a %b %d")" | grep dropbear | grep Child | grep -v 192 >> /mnt/usb/USB-A1/xxx.txt
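The burst quoted at the top of the post and flapane's one-liner above both boil down to the same question: which non-LAN addresses are hammering dropbear, and how hard? The script below is an added example, not part of the post or of any commenter's setup. Unlike the one-liner it counts failed authentications ("bad password attempt" and "login attempt for nonexistent user", the two messages in the post's excerpt) rather than every "Child connection", groups them per source address, skips a LAN prefix that is an assumption of this example (192.168.), and prints only addresses at or above a threshold. The sample log is constructed from the post's excerpt plus one constructed LAN line; the function name auth_failures_by_ip is this example's own; it uses only awk and sort.

```shell
#!/bin/sh
# Added example (not the post's own code): summarise dropbear authentication
# failures per non-LAN source address from logread-style output on stdin.

# Assumption of this example: the LAN uses 192.168.0.0/16, so sources with
# this prefix are skipped.
LAN_PREFIX="192.168."

# Constructed sample: lines from the post's excerpt plus one LAN failure
# (192.168.1.50) that must be ignored.
SAMPLE_LOG="Jan 19 12:47:21 dropbear[14241]: Child connection from 195.175.239.169:40090
Jan 19 12:47:23 dropbear[14241]: bad password attempt for 'root' from 195.175.239.169:40090
Jan 19 12:47:23 dropbear[14241]: exit before auth (user 'root', 1 fails): Disconnect received
Jan 19 12:47:23 dropbear[14245]: Child connection from 195.175.239.169:40713
Jan 19 12:47:26 dropbear[14245]: bad password attempt for 'root' from 195.175.239.169:40713
Jan 19 12:47:26 dropbear[14245]: exit before auth (user 'root', 1 fails): Disconnect received
Jan 19 12:50:07 dropbear[14350]: Child connection from 195.175.239.169:45583
Jan 19 12:50:08 dropbear[14350]: login attempt for nonexistent user from 195.175.239.169:45583
Jan 19 12:50:09 dropbear[14350]: exit before auth: Disconnect received
Jan 19 12:51:00 dropbear[14400]: Child connection from 192.168.1.50:50000
Jan 19 12:51:02 dropbear[14400]: bad password attempt for 'root' from 192.168.1.50:50000"

# Usage: auth_failures_by_ip [threshold] < logfile
# Prints "ip count" for every non-LAN source with at least <threshold> (default 1)
# failed authentications, highest count first.
auth_failures_by_ip() {
    threshold="${1:-1}"
    awk -v min="$threshold" -v lan="$LAN_PREFIX" '
    /dropbear\[[0-9]+\]: (bad password attempt|login attempt for nonexistent user)/ {
        # the source is the last field, formatted IP:PORT
        split($NF, parts, ":")
        ip = parts[1]
        if (index(ip, lan) == 1) next    # skip LAN sources
        count[ip]++
    }
    END {
        for (ip in count)
            if (count[ip] >= min) printf "%s %d\n", ip, count[ip]
    }' | sort -k2 -nr
}

echo "sources with 2 or more failures:"
printf '%s\n' "$SAMPLE_LOG" | auth_failures_by_ip 2    # prints: 195.175.239.169 3
```

On a router this is `logread | auth_failures_by_ip 10`, and it fits the same crontab slot as flapane's line. The IP:PORT split assumes IPv4 sources; IPv6 addresses contain colons themselves and would need the port stripped from the right instead.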
