I've said it before and I'll say it again:
iptables -I zone_wan -j DROP
And if you really need access from wan INSERT a rule before that DROP.
Regards,
Maciej
On Mon, Jan 28, 2013 at 4:44 PM, Török Edwin
<edwin+ml-cerowrt@etorok.net> wrote:
On 01/13/2013 11:15 AM, Török Edwin wrote:
> On 01/13/2013 06:50 AM, Dave Taht wrote:
>> one of the underused features of cerowrt is that I stuck a sensor on
>> xinetd to detect attempts to telnet or ftp to the router and cut off
>> access to some other services, notably ssh.
>
> I don't see this on my cerowrt, is this only in the 3.7.x series?
>
>>
>> I would have loved to extend this facility to either do it entirely in
>> iptables or leverage xinetd to talk to iptables to (for example)
>> disable access to the web server.
>>
>> I'm curious if anyone else's server logs ever show something like this
>> in the Real World:
>>
>> Jan 12 20:44:02 europa daemon.crit xinetd[3273]: 3273 {process_sensor}
>> Adding 190.185.12.121 to the global_no_access list for 120 minutes
With 3.7.4 I see these now on my home router, so it's definitely working:
root@OpenWrt:~# logread|grep xinetd|grep Adding|wc -l
20
The IPs are from Russia, Peru, Colombia, Egypt, UK, Kuwait, Turkey, Azerbaijan.
Best regards,
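
Added example, not part of the original thread or of CeroWrt: a shell function that extends the `logread|grep xinetd|grep Adding|wc -l` count above into a per-address summary of sensor bans. It assumes each syslog entry is on one line in the format of the quoted log line; the function names, hostname, PIDs and sample addresses (documentation ranges) are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-address summary of xinetd SENSOR bans.

# Constructed sample in the format of the log line quoted in the thread;
# addresses are from documentation ranges, hostname and PIDs are made up.
sample_log() {
cat <<'EOF'
Jan 28 09:01:10 router daemon.crit xinetd[1201]: 1201 {process_sensor} Adding 192.0.2.10 to the global_no_access list for 120 minutes
Jan 28 09:05:42 router daemon.info dnsmasq[900]: started, cache size 150
Jan 28 11:30:03 router daemon.crit xinetd[1201]: 1201 {process_sensor} Adding 198.51.100.7 to the global_no_access list for 120 minutes
Jan 28 13:12:55 router daemon.crit xinetd[1201]: 1201 {process_sensor} Adding 192.0.2.10 to the global_no_access list for 120 minutes
EOF
}

# Reads syslog text on stdin and prints "<hits> <address> <minutes>" for each
# address the sensor banned, most frequent first. Lines from other daemons
# and other xinetd messages are ignored.
sensor_bans() {
    awk '
        index($0, " xinetd[") && index($0, "{process_sensor} Adding ") {
            ip = ""; mins = ""
            # Take the field after "Adding" as the address and the field
            # after "for" as the deny time in minutes.
            for (i = 1; i < NF; i++) {
                if ($i == "Adding") ip = $(i + 1)
                if ($i == "for")    mins = $(i + 1)
            }
            if (ip != "") { hits[ip]++; last[ip] = mins }
        }
        END { for (ip in hits) print hits[ip], ip, last[ip] }
    ' | sort -k1,1nr -k2,2
}

# Demo on the constructed sample; on the router use: logread | sensor_bans
sample_log | sensor_bans
```

An address that reappears after its deny time has expired shows a hit count above 1, which a plain line count does not distinguish from many one-off probes.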