[NCLUG] iptables ssh protection, but with Linksys WRT54G DD-WRT?

Kevin Fenzi kevin at scrye.com
Wed Apr 12 18:57:22 MDT 2006


>>>>> "Benson" == Benson Chow <blc+nclug at q.dyndns.org> writes:

Benson> DDWRT is yet another open source WRT54G linux distribution.
Benson> Instead of simply adding on to Linksys firmware which seems to
Benson> be the OpenWRT model, it improves and changes wherever is
Benson> needed and still retains full open source to the public.  One

OpenWRT is pretty much a "from the ground up" distro. The only thing I
know of that they share with the linksys firmware is the kernel
version (So they can load the wireless driver module). Everything else
is written from scratch. ;) 

See: http://wiki.openwrt.org/OpenWrtDocs/About

Benson> of the biggest things I like in dd-wrt is that it runs
Benson> dropbear, a small ssh server/client.  Their project is at
Benson> http://www.dd-wrt.org.

Yeah, OpenWRT uses dropbear as well. It's a nice server for the
space. ;) 

Benson> Anyway, unfortunately I have to run on the well known server
Benson> port 22 as the internet connection firewall that I mainly
Benson> connect from prohibits connections opened on anything but 22,
Benson> 80, and 443.  So I have to resort to limiting exposure.  So,
Benson> as suggested last night and on debian-administration, I used
Benson> the following iptables commands, where $inf is the interface:

Benson> iptables -I INPUT -p tcp --dport 22 -i $inf -m state --state NEW \
Benson>     -m recent --set
Benson> iptables -I INPUT -p tcp --dport 22 -i $inf -m state --state NEW \
Benson>     -m recent --update --seconds 60 --hitcount 4 -j DROP

Benson> Both commands go through with no error on my little wrt54g,
Benson> and didn't see any warnings or errors in the logs.  However,
Benson> when I tried connecting to it, it wouldn't reject the packets
Benson> even if I spammed the port.

Benson> I've tried $inf all of (eth0 eth1 eth2 vlan0 vlan1 imq0 br0)
Benson> to no avail. The exact commands work fine on my full-sized
Benson> 2.6.15 box, unlike this little box.

Odd, but ddwrt might not have the 'recent' or --set modules? 

Although you would think it would error if it didn't...
I don't suppose it has hashlimit? 

kevin
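The following is an added illustration, not code from the thread, from DD-WRT or from netfilter: a small Python model of what the quoted `-m recent` rule pair is supposed to do, run over a constructed series of NEW connections to port 22. It also shows something the thread only hints at: because both commands use `-I INPUT`, the second one lands above the first, so the DROP/`--update` rule is evaluated before the `--set` rule, and that ordering decides whether the 4th or the 5th attempt inside the 60-second window is the first one dropped. The semantics modelled here (a per-address list of hit timestamps; `--set` always matches and records a hit; `--update --seconds S --hitcount N` matches only when the address is already listed with at least N hits inside the window, and a match records another hit) are a simplification stated as assumptions; the kernel's cap on stored timestamps per address is ignored.

```python
"""Added example: simplified model of iptables' `recent` match.

Not kernel code and not from the thread; the rule semantics below are
assumptions made for illustration (see lead-in)."""
from collections import defaultdict

WINDOW = 60    # --seconds 60
HITCOUNT = 4   # --hitcount 4


class RecentList:
    """One named list of the `recent` match (the rules above use DEFAULT)."""

    def __init__(self):
        self.hits = defaultdict(list)   # source address -> hit timestamps

    def set(self, src, now):
        """`-m recent --set`: always matches and records a hit for src."""
        self.hits[src].append(now)
        return True

    def update(self, src, now, seconds=WINDOW, hitcount=HITCOUNT):
        """`-m recent --update --seconds S --hitcount N`: match iff src is
        already listed and at least N of its hits fall inside the window.
        A match records this packet too, so a client that keeps retrying
        keeps its own window open."""
        if src not in self.hits:
            return False
        in_window = [t for t in self.hits[src] if now - t <= seconds]
        if len(in_window) >= hitcount:
            self.hits[src].append(now)
            return True
        return False


def run_chain(order, attempts):
    """Evaluate the two-rule chain over (time, src) NEW connections and
    return one verdict per attempt: 'DROP' if the limit rule fired,
    otherwise 'ACCEPT' (meaning: fell through to whatever follows).

    order == 'drop_first': what two `iptables -I INPUT ...` commands give,
                           since the second -I is inserted above the first.
    order == 'set_first':  the order you get with -A, or with the two -I
                           commands issued in the opposite sequence."""
    rl = RecentList()
    verdicts = []
    for now, src in attempts:
        if order == "drop_first":
            if rl.update(src, now):
                verdicts.append("DROP")
                continue
            rl.set(src, now)
        elif order == "set_first":
            rl.set(src, now)
            if rl.update(src, now):
                verdicts.append("DROP")
                continue
        else:
            raise ValueError("unknown order: %r" % order)
        verdicts.append("ACCEPT")
    return verdicts


# Constructed input: one address hammering port 22 every 10 s, one
# unrelated client in between, and the noisy address coming back much
# later, after its window has expired.  (Documentation addresses, not real hosts.)
ATTEMPTS = [
    (0, "198.51.100.7"), (10, "198.51.100.7"), (20, "198.51.100.7"),
    (25, "192.0.2.9"),
    (30, "198.51.100.7"), (40, "198.51.100.7"), (50, "198.51.100.7"),
    (200, "198.51.100.7"),
]

if __name__ == "__main__":
    for order in ("drop_first", "set_first"):
        print(order)
        for (t, src), v in zip(ATTEMPTS, run_chain(order, ATTEMPTS)):
            print("  t=%3d %-14s %s" % (t, src, v))
```

With the DROP rule on top (what the two `-I` commands produce) the noisy address gets four connections through and the fifth and sixth are dropped; with `--set` on top it gets three. The unrelated client is never affected, and the noisy address is allowed again once 60 seconds have passed without any of its packets touching the list. If every attempt comes back `ACCEPT` on a real box, the match is simply not being applied, which is the situation Benson describes; on the router itself, `iptables -m recent --help` will complain if the userspace extension cannot be loaded, which is a quick way to check the first of Kevin's questions.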