OpenWRT Part 4 – Realtime Black Lists and Fail2Ban

These are not OpenWWRT packages, but scripts developed by a user on the OpenWRT Forums. The come as a series of config files and scripts, both are pretty simple to install.

Realtime Black Lists – sub2rbl

What this does download a number of blacklists of the web on a schedule (i.e. cron) and then, via ipset, create some iptbales rules to block them. There’s no GUI for his and to be honest, it’s not needed. Once this is installed and running, you can basically forget about it. Configuration is easy enough via /etc/config/sub2rbl in and if you are uncomfortable on the CLI, you probably shouldn’t be installing an RBL!

Installation is a simple matter of a few packages (we already install ca-certificates in part two of this series).

Once installed you can see what it’s been up to by issuing the command iptables -nvL input_wan_rule and the result should look something like this:

 Chain input_wan_rule (1 references)
 pkts bytes target prot opt in out    source       destination 
 12   480   DROP   all  --  *  *      match-set sub2rbl-net src
 28   1385  DROP   all  --  *  *      match-set sub2rbl src

Those are my actual results after having sub2rbl running for just under 24 hours, and mine is just a small home system; not exactly a prime target to the l33t h4xor5.

fail2ban – bearDropper

This is a partner to sub2rbl and is intended to monitor the logs generated by the DropBear SSH server running on OpenWRT. Even if you have certs & passphrases set-up, it’s good practice to try and cut down on brute force attacks, just in case one of the little scrotums gets lucky.

Again, this is a simple matter of going through the steps. By default it will scan the logs every 6 hours (cron) and ban an IP after 10 failed attempts for one week (all configured in /etc/config/bearDropper).

Another option for the more technically adept would be to use iptables directly to help mitigate brute force attacks as detailed in point 3) here. I will confess that directly fiddling with iptable like that is bit beyond my skills at the moment; so I prefer to rely on the expertise of others.

I also have a further reason for wanting bearDropper, the next step will be to install OpenVPN and by editing /etc/config/bearDropper I can easily have those logs monitored in a way that’s comprehensible to me. I may not get the full protection of an iptable guru, but I am also much less likely to break everything!

Although I do wonder, the the iptable rules for preventing brute force attacks are sensible, why not just make them default?

Leave a Reply