I have been running bearDropper for ages, as part of David's build of LEDE, but now, looking into the logs, it actually doesn't seem to be blocking the offending IPs.
My current configuration has this section:
# IPTables chains to add rules to, syntax is chain:position where
# position is (-1 = don't add, 0 = append, 1+ = absolute position)
list firewallHookChain input_wan_rule:1
list firewallHookChain forwarding_wan_rule:1
This LEDE version is from David's 502 builds:
Lede SNAPSHOT, r7093-4fdc6ca31b
And the latest bearDropper version.
And I found this in the log today:
logread | grep 5.101.
Mon Jun 11 09:11:10 2018 authpriv.info dropbear[24930]: Child connection from 5.101.140.66:51179
Mon Jun 11 11:10:50 2018 authpriv.info dropbear[24388]: Child connection from 5.101.140.66:54713
Mon Jun 11 11:10:52 2018 authpriv.warn dropbear[24388]: Bad password attempt for 'root' from 5.101.140.66:54713
Mon Jun 11 11:10:53 2018 authpriv.warn dropbear[24388]: Client trying multiple usernames from 5.101.140.66:54713
Mon Jun 11 11:10:53 2018 authpriv.warn dropbear[24388]: Login attempt for nonexistent user from 5.101.140.66:54713
Mon Jun 11 11:10:53 2018 authpriv.warn dropbear[24388]: Login attempt for nonexistent user from 5.101.140.66:54713
Mon Jun 11 11:10:54 2018 authpriv.warn dropbear[24388]: Client trying multiple usernames from 5.101.140.66:54713
Mon Jun 11 11:10:54 2018 authpriv.warn dropbear[24388]: Login attempt for nonexistent user from 5.101.140.66:54713
Mon Jun 11 11:10:54 2018 authpriv.notice bearDropper[19917]: Inserting ban rule for IP 5.101.140.66 into iptables chain bearDropper
Mon Jun 11 11:10:54 2018 authpriv.notice bearDropper[18583]: Inserting ban rule for IP 5.101.140.66 into iptables chain bearDropper
Mon Jun 11 11:10:54 2018 authpriv.warn dropbear[24388]: Login attempt for nonexistent user from 5.101.140.66:54713
Mon Jun 11 11:10:54 2018 authpriv.warn dropbear[24388]: Client trying multiple usernames from 5.101.140.66:54713
Mon Jun 11 11:10:55 2018 authpriv.warn dropbear[24388]: Bad password attempt for 'root' from 5.101.140.66:54713
Mon Jun 11 11:10:55 2018 authpriv.warn dropbear[24388]: Bad password attempt for 'root' from 5.101.140.66:54713
Mon Jun 11 11:10:55 2018 authpriv.notice bearDropper[18583]: Inserting ban rule for IP 5.101.140.66 into iptables chain bearDropper
Mon Jun 11 11:10:56 2018 authpriv.warn dropbear[24388]: Bad password attempt for 'root' from 5.101.140.66:54713
Mon Jun 11 11:10:56 2018 authpriv.info dropbear[24388]: Exit before auth (user 'root', 3 fails): Max auth tries reached - user 'root' from 5.101.140.66:54713
See that the "ban rule" was inserted twice (instead of just once?), but the offending IP kept trying after that? It all happened within 2 seconds... maybe this is just a syslogd delay in the messages?
@robzr , can you take a look?
BTW: iptables -L has the ban rule on it.
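Two things in the posted log are worth checking before concluding the ban is ineffective, and both can be read off the lines themselves. First, every dropbear message after the 11:10:54 "Inserting ban rule" lines carries the same source port (54713) as the "Child connection" at 11:10:50, i.e. they all belong to one TCP connection that was already established when the rule went in, and that connection ends only when dropbear itself gives up ("Max auth tries reached"); no new connection from that address appears after the ban. An iptables DROP rule only stops an in-flight connection if it is evaluated before the firewall's conntrack `--ctstate RELATED,ESTABLISHED -j ACCEPT` rule, so a rule reached through a hook chain placed after that accept will only ever block new connections. `iptables -S INPUT` shows the rule order, and the packet counters from `iptables -L bearDropper -v -n` show whether the ban rule is matching anything at all. Second, the three insertions come from two different bearDropper PIDs (19917 and 18583), which is what to look at for the "inserted twice" question. The script below is an added example written for this page (not part of bearDropper or the original post): it walks the posted `logread` lines, which are embedded here as a constructed sample, and relates dropbear authentication failures to bearDropper ban insertions per source IP. The message patterns it matches are its own choice, not bearDropper's configured regexes.

```python
import re
from collections import defaultdict

# Constructed sample: the logread lines from the issue, in the order syslogd wrote them.
SAMPLE_LOG = """\
Mon Jun 11 09:11:10 2018 authpriv.info dropbear[24930]: Child connection from 5.101.140.66:51179
Mon Jun 11 11:10:50 2018 authpriv.info dropbear[24388]: Child connection from 5.101.140.66:54713
Mon Jun 11 11:10:52 2018 authpriv.warn dropbear[24388]: Bad password attempt for 'root' from 5.101.140.66:54713
Mon Jun 11 11:10:53 2018 authpriv.warn dropbear[24388]: Client trying multiple usernames from 5.101.140.66:54713
Mon Jun 11 11:10:53 2018 authpriv.warn dropbear[24388]: Login attempt for nonexistent user from 5.101.140.66:54713
Mon Jun 11 11:10:53 2018 authpriv.warn dropbear[24388]: Login attempt for nonexistent user from 5.101.140.66:54713
Mon Jun 11 11:10:54 2018 authpriv.warn dropbear[24388]: Client trying multiple usernames from 5.101.140.66:54713
Mon Jun 11 11:10:54 2018 authpriv.warn dropbear[24388]: Login attempt for nonexistent user from 5.101.140.66:54713
Mon Jun 11 11:10:54 2018 authpriv.notice bearDropper[19917]: Inserting ban rule for IP 5.101.140.66 into iptables chain bearDropper
Mon Jun 11 11:10:54 2018 authpriv.notice bearDropper[18583]: Inserting ban rule for IP 5.101.140.66 into iptables chain bearDropper
Mon Jun 11 11:10:54 2018 authpriv.warn dropbear[24388]: Login attempt for nonexistent user from 5.101.140.66:54713
Mon Jun 11 11:10:54 2018 authpriv.warn dropbear[24388]: Client trying multiple usernames from 5.101.140.66:54713
Mon Jun 11 11:10:55 2018 authpriv.warn dropbear[24388]: Bad password attempt for 'root' from 5.101.140.66:54713
Mon Jun 11 11:10:55 2018 authpriv.warn dropbear[24388]: Bad password attempt for 'root' from 5.101.140.66:54713
Mon Jun 11 11:10:55 2018 authpriv.notice bearDropper[18583]: Inserting ban rule for IP 5.101.140.66 into iptables chain bearDropper
Mon Jun 11 11:10:56 2018 authpriv.warn dropbear[24388]: Bad password attempt for 'root' from 5.101.140.66:54713
Mon Jun 11 11:10:56 2018 authpriv.info dropbear[24388]: Exit before auth (user 'root', 3 fails): Max auth tries reached - user 'root' from 5.101.140.66:54713
"""

# logread line: "<timestamp> <facility.level> <program>[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \S+ "
    r"(?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
CONN_RE = re.compile(r"Child connection from (?P<ip>[\d.]+):(?P<port>\d+)$")
# Failure indications chosen for this example; bearDropper's own patterns may differ.
FAIL_RE = re.compile(
    r"(?:Bad password attempt|Login attempt for nonexistent user|"
    r"Client trying multiple usernames).*? from (?P<ip>[\d.]+):(?P<port>\d+)$"
)
EXIT_RE = re.compile(r"Exit before auth .* from (?P<ip>[\d.]+):(?P<port>\d+)$")
BAN_RE = re.compile(r"Inserting ban rule for IP (?P<ip>[\d.]+) into iptables chain (?P<chain>\S+)")


def analyze(log_text):
    """Per source IP, relate dropbear auth failures to bearDropper ban insertions,
    using log order (not timestamps) since several events share one second."""
    reports = defaultdict(lambda: {
        "failures_before_ban": 0,
        "failures_after_ban": 0,
        "post_ban_failures_on_preban_conn": 0,   # failures riding a connection opened before the ban
        "post_ban_new_connections": 0,           # new TCP connections accepted after the ban
        "ban_inserts": [],                       # (timestamp, bearDropper pid, chain)
        "sessions_closed_by_dropbear_after_ban": 0,
    })
    preban_ports = defaultdict(set)  # ip -> source ports of connections that predate the ban
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, prog, pid, msg = m.group("ts", "prog", "pid", "msg")
        if prog == "bearDropper":
            b = BAN_RE.search(msg)
            if b:
                reports[b["ip"]]["ban_inserts"].append((ts, pid, b["chain"]))
            continue
        if prog != "dropbear":
            continue
        c = CONN_RE.search(msg)
        if c:
            r = reports[c["ip"]]
            if r["ban_inserts"]:
                r["post_ban_new_connections"] += 1
            else:
                preban_ports[c["ip"]].add(c["port"])
            continue
        f = FAIL_RE.search(msg)
        if f:
            r = reports[f["ip"]]
            if r["ban_inserts"]:
                r["failures_after_ban"] += 1
                if f["port"] in preban_ports[f["ip"]]:
                    r["post_ban_failures_on_preban_conn"] += 1
            else:
                r["failures_before_ban"] += 1
            continue
        e = EXIT_RE.search(msg)
        if e and reports[e["ip"]]["ban_inserts"]:
            reports[e["ip"]]["sessions_closed_by_dropbear_after_ban"] += 1
    return dict(reports)


def findings(ip, r):
    """Turn one IP's report into the two questions raised in the issue."""
    out = []
    pids = sorted({pid for _, pid, _ in r["ban_inserts"]})
    if len(r["ban_inserts"]) > 1:
        out.append(f"{ip}: ban rule inserted {len(r['ban_inserts'])} times by bearDropper pid(s) {', '.join(pids)}")
    if r["failures_after_ban"] and r["failures_after_ban"] == r["post_ban_failures_on_preban_conn"] \
            and not r["post_ban_new_connections"]:
        out.append(f"{ip}: all {r['failures_after_ban']} post-ban failures rode a connection opened before the ban; "
                   "no new connection was accepted afterwards (consistent with a rule that only sees NEW packets)")
    elif r["post_ban_new_connections"]:
        out.append(f"{ip}: {r['post_ban_new_connections']} new connection(s) accepted after the ban; the rule is not matching")
    return out


if __name__ == "__main__":
    for ip, report in analyze(SAMPLE_LOG).items():
        for line in findings(ip, report):
            print(line)
```

On a router, pipe the real output in with `logread | python3 thisscript.py` after replacing `SAMPLE_LOG` with `sys.stdin.read()`; if the report shows new connections accepted after a ban, the hook chain position (not the ban rule itself) is the first thing to verify with `iptables -S INPUT`.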