Blocking inbound traffic in DD-WRT

ryan256

Platinum Member
Jul 22, 2005
I recently bought a new Netgear 3500L router and successfully installed DD-WRT on it. Something I would like to set up, however, is to have my router block inbound internet traffic from certain IP addresses.
I run an FTP server and have a huge log file of Chinese, Thai, Korean, and even some American IP addresses that have attempted to hack into it. I have set the FTP server software up to reply with a "You are banned" message and drop the connection. I would prefer to move this function to the router and block them there, so that all traffic from these addresses on any port won't even make it inside my network. I thought the way to accomplish this would be through iptables, but from what I've read that appears to be for blocking outbound traffic. How can I get the router to drop inbound traffic but not restrict outbound?
 

drebo

Diamond Member
Feb 24, 2006
What software is your FTP server running on? FileZilla has a method for automatically banning IPs after a certain number of failed login attempts.

If you're running a Linux FTP server, look into fail2ban. It will monitor the logs and add restrictions to iptables when certain conditions are met. For instance, I ban people for 100 days after 4 failed SSH login attempts within a 10-minute period. I also use it to control flooding on my DNS servers by banning for 7 days any IPs that perform 200 queries within a 30-second period.
 

ryan256

Platinum Member
Jul 22, 2005
It's running off of an old version of Bullet Proof FTP. I do have an anti-hammering configuration on it where it will auto-ban you for 999 days after 5 connection attempts in a 1-minute period. This is usually how I find the people trying to hack into it: I check the auto-ban logs. But this still allows the traffic inside the network to hit the FTP server. There are other ports open on the router that go to other services. I'd like to block them at the router. I believe by doing that, even if they ran a port scan they would get nothing back.
 

kevnich2

Platinum Member
Apr 10, 2004
No use in manually blocking inbound IP addresses - you'll never succeed. My suggestion is to change your FTP port to something else, maybe 2121 or something like that, so it's higher up. Also, configure your FTP server (if capable) to automatically block IP addresses for a certain period that have 5 or so unsuccessful logins. This is what I did on my home FTP server and it worked fine. I believe mine also had the capability to perma-block IPs that had x number of unsuccessful logins. Also, disable the administrator and admin accounts, make up a new admin account, and choose a good password.
 

Jamsan

Senior member
Sep 21, 2003
If you can get away with it, use iptables to restrict inbound FTP traffic to only specific IP addresses (i.e., if you access your FTP server from specific locations with somewhat static IPs).

This may be tricky if many people are accessing it from dynamic IPs, 3G devices, etc.
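The router-side approach asked about in the opening post and suggested by Jamsan, as an added example that is not code from this thread or from the DD-WRT project: a POSIX shell script that turns a blocklist file into iptables rules dropping inbound WAN packets from those addresses while leaving outbound traffic untouched. It assumes the WAN interface is named "vlan2" (override with the WAN_IF variable; check `nvram get wan_ifname` on the router) and a blocklist with one IPv4 address or CIDR per line.

```shell
#!/bin/sh
# Added example (not from this thread): emit the iptables commands for a DD-WRT
# firewall script that DROPs inbound WAN packets from a blocklist while leaving
# outbound traffic alone. Assumptions: WAN interface "vlan2" (check `nvram get
# wan_ifname`); blocklist file with one IPv4 address or CIDR per line, '#' = comment.
WAN_IF="${WAN_IF:-vlan2}"

# Accept only a dotted-quad IPv4 address with an optional /0-32 prefix, so a stray
# log fragment in the blocklist can never turn into a rule.
valid_ip4() {
    case "$1" in
        ""|*[!0-9./]*|*..*|.*|*.|*/*/*) return 1 ;;
    esac
    addr="${1%%/*}"
    pfx="${1#*/}"
    [ "$pfx" = "$1" ] && pfx=32
    [ "$pfx" -le 32 ] 2>/dev/null || return 1
    oldifs="$IFS"; IFS=.
    set -- $addr
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# A dedicated chain hooked into INPUT (router itself) and FORWARD (port-forwarded LAN
# hosts) for packets arriving on the WAN only; OUTPUT is untouched, so outbound access
# is unchanged. Placed first, it also drops replies from a listed address to LAN-
# initiated connections, i.e. "all traffic from these addresses".
gen_rules() {
    echo "iptables -N WANBLOCK 2>/dev/null"
    echo "iptables -F WANBLOCK"
    echo "iptables -D INPUT -i $WAN_IF -j WANBLOCK 2>/dev/null"
    echo "iptables -D FORWARD -i $WAN_IF -j WANBLOCK 2>/dev/null"
    echo "iptables -I INPUT 1 -i $WAN_IF -j WANBLOCK"
    echo "iptables -I FORWARD 1 -i $WAN_IF -j WANBLOCK"
    while IFS= read -r line || [ -n "$line" ]; do
        entry="$(printf '%s' "${line%%#*}" | tr -d ' \t\r')"  # drop comment, whitespace
        [ -z "$entry" ] && continue
        if valid_ip4 "$entry"; then
            echo "iptables -A WANBLOCK -s $entry -j DROP"
        else
            echo "# skipped malformed entry: $line"
        fi
    done < "$1"
}

[ -n "${1:-}" ] && gen_rules "$1"   # e.g. on the router: ./blocklist.sh /jffs/blocklist.txt | sh
```

On DD-WRT the usual place for the generated commands is the firewall script (Administration > Commands, "Save Firewall"), so they are re-applied after every reboot; the -D/-I pair makes re-running the script safe.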
 

Emulex

Diamond Member
Jan 28, 2001
Analyze the log file and use a portsentry-like tool to block IPs for a short period of time. Or build an IPS. it's just is to do that work.

Move FTP to another port and put FTP in the portsentry blocklist. Usually gets rid of the scanners.
 

dawks

Diamond Member
Oct 9, 1999
At the office, I use a more powerful solution, Untangle. Consumer routers and DD-WRT aren't meant for this kind of higher-level control. Untangle runs on a standard PC, or even as a VM.

With Untangle I have it set to block all IPs from connecting, then allow 3-4 specific IP addresses. Works well at keeping the Chinese and Russians from doing random login attempts. :)