OpenWRT, SuperWRT, OpenWRT scripts, etc.: anything related to OpenWRT
Last Updated: Jul 17 2022 14:06, Started by SpargatorulDeVise, May 20 2015 22:35

#1
Posted 20 May 2015 - 22:35
Since I couldn't find a topic dedicated to OpenWRT on this forum, I decided to open one myself.
Many times I have "dug" around the net for documentation on some scripts, modules, configurations, etc., and it would have been better if there had been a topic dedicated to OpenWRT or SuperWRT here, where we could discuss it and all benefit from the practical experience of the users here. I have several devices running OpenWRT in different locations, but in this discussion I'll focus on the one I have installed at home.

Model = TP-Link TL-WR1043/ND v2
Firmware Version = OpenWrt Barrier Breaker 14.07 / LuCI Trunk (0.12+svn-r10530)
Kernel Version = 3.10.49

On the router I mainly installed an OpenVPN server and a Squid proxy server, I route my own IPv6 block from Hurricane, etc. Behind the router I have a MiniPC on which I installed a DNS server for a few personal domains, a VNC server, FTP, and others.

These days I installed a few modules and a few scripts on the router. Since I was seeing dozens of login attempts against the ssh, vnc, squid, ... servers and so on, I decided to install the following script to block most of them. The script is: Various IP blacklisting scripts for Linux and OpenWRT https://github.com/k...er/blacklist.sh In my case I customized it like this:
(spoiler content not captured)
The script does its job quite well. The blocks look something like this: dmesg|grep BLOCK >/tmp/ip-uri_blocate.txt
(spoiler content not captured)
Then, for SSH brute force, since I didn't find a Fail2Ban equivalent for OpenWRT, I thought a script that automatically emails me any SSH brute-force attack within at most 10 minutes would be useful. And I used something like this: Script that sends email when it finds specific notification in logread https://forum.openwr...=214591#p214591 In my case I customized it like this (I have a USB flash drive mounted as /mnt/sda/):

/etc/rc.local
(spoiler content not captured)
/etc/crontabs/root
(spoiler content not captured)
/mnt/sda/var/sendlog/sendlogs.sh
(spoiler content not captured)
/mnt/sda/var/sendlog/sendlogs2.sh
(spoiler content not captured)
I split them in two, trying somehow to fix the problem that it doesn't also send me the reports with the blocked IPs. But I do constantly receive reports by email of the SSH login attempts. I would have liked to receive lists of the blocked IPs by email a few times a day. Or... I would have liked to manage to modify the script and use "mutt" (http://wiki.openwrt..../email.overview) to send the reports.
Edited by SpargatorulDeVise, 20 May 2015 - 22:38.
#3
Posted 21 May 2015 - 11:15
Adm, on 21 May 2015 - 05:59, said:
Of the WRT family, OpenWRT and the LuCI interface seemed to me the most annoying/unergonomic. Based on OpenWRT, but with a very clean interface, is Gargoyle. It already has protection for SSH.

OpenWRT has this protection too. It is built in on OpenWrt Barrier Breaker 14.07 / LuCI Trunk (0.12+svn-r10530).

Thu May 21 12:08:36 2015 authpriv.info dropbear[28648]: Child connection from 109.166.135.182:46498
Thu May 21 12:08:49 2015 authpriv.warn dropbear[28648]: Bad password attempt for 'root' from 109.166.135.182:46498
Thu May 21 12:08:55 2015 authpriv.warn dropbear[28648]: Bad password attempt for 'root' from 109.166.135.182:46498
Thu May 21 12:09:00 2015 authpriv.warn dropbear[28648]: Bad password attempt for 'root' from 109.166.135.182:46498
Thu May 21 12:09:06 2015 authpriv.warn dropbear[28648]: Bad password attempt for 'root' from 109.166.135.182:46498
Thu May 21 12:09:10 2015 authpriv.warn dropbear[28648]: Bad password attempt for 'root' from 109.166.135.182:46498
Thu May 21 12:09:15 2015 authpriv.warn dropbear[28648]: Bad password attempt for 'root' from 109.166.135.182:46498
Thu May 21 12:09:20 2015 authpriv.warn dropbear[28648]: Bad password attempt for 'root' from 109.166.135.182:46498
Thu May 21 12:09:25 2015 authpriv.warn dropbear[28648]: Bad password attempt for 'root' from 109.166.135.182:46498
Thu May 21 12:09:30 2015 authpriv.warn dropbear[28648]: Bad password attempt for 'root' from 109.166.135.182:46498
Thu May 21 12:09:37 2015 authpriv.warn dropbear[28648]: Bad password attempt for 'root' from 109.166.135.182:46498
Thu May 21 12:09:38 2015 authpriv.info dropbear[28648]: Exit before auth (user 'root', 10 fails): Max auth tries reached - user 'root' from 109.166.135.182:46498
Thu May 21 12:10:01 2015 cron.info crond[947]: crond: USER root pid 28754 cmd sh /mnt/sda/var/sendlog/sendlogs.sh
Thu May 21 12:10:01 2015 mail.info sSMTP[28765]: Creating SSL connection to host ....

You're right, "Adm". I forgot to include Gargoyle in the topic title as well.
I have also used Gargoyle on some devices. Initially for the better DDNS support (more providers in the list), then for internet access filtering based on MAC address. Later I copied the settings config from Gargoyle and put it into the routers with OpenWRT.
Edited by SpargatorulDeVise, 21 May 2015 - 11:32.
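As an added example (not a script from the thread), here is the detection step behind such a mailed report in POSIX sh and awk: it counts dropbear "Bad password attempt" lines per source address in logread output of the format shown above and lists the sources that crossed a threshold. The sample log lines, the threshold and the function names are constructed for the example; the real addresses from the log are replaced with documentation addresses.

```shell
#!/bin/sh
# Added example, not a script from the thread. Counts dropbear "Bad password
# attempt" lines per source address in logread-style output and reports the
# addresses that crossed a threshold: the same signal post #1 mails out via
# sendlogs.sh, in POSIX sh + awk so it also runs under BusyBox on the router.

# Constructed sample log in the format shown in post #3 (documentation IPs).
sample_log() {
    cat <<'EOF'
Thu May 21 12:08:36 2015 authpriv.info dropbear[28648]: Child connection from 192.0.2.10:46498
Thu May 21 12:08:49 2015 authpriv.warn dropbear[28648]: Bad password attempt for 'root' from 192.0.2.10:46498
Thu May 21 12:08:55 2015 authpriv.warn dropbear[28648]: Bad password attempt for 'root' from 192.0.2.10:46498
Thu May 21 12:09:00 2015 authpriv.warn dropbear[28648]: Bad password attempt for 'root' from 192.0.2.10:46498
Thu May 21 12:09:06 2015 authpriv.warn dropbear[28648]: Bad password attempt for 'root' from 192.0.2.10:46498
Thu May 21 12:09:38 2015 authpriv.info dropbear[28648]: Exit before auth (user 'root', 10 fails): Max auth tries reached - user 'root' from 192.0.2.10:46498
Thu May 21 12:11:02 2015 authpriv.info dropbear[28702]: Child connection from 192.0.2.10:50001
Thu May 21 12:11:09 2015 authpriv.warn dropbear[28702]: Bad password attempt for 'admin' from 192.0.2.10:50001
Thu May 21 12:11:15 2015 authpriv.warn dropbear[28702]: Bad password attempt for 'admin' from 192.0.2.10:50001
Thu May 21 12:12:40 2015 authpriv.info dropbear[28710]: Child connection from 198.51.100.7:41000
Thu May 21 12:12:47 2015 authpriv.warn dropbear[28710]: Bad password attempt for 'root' from 198.51.100.7:41000
EOF
}

# bad_password_counts: stdin = logread output; stdout = "<count> <ip>" lines,
# highest first. The ":port" suffix is stripped so that reconnects from the
# same host on new source ports are aggregated into one counter.
bad_password_counts() {
    awk '/dropbear\[[0-9]+\]: Bad password attempt/ {
             ip = $NF; sub(/:[0-9]+$/, "", ip); n[ip]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# brute_force_sources THRESHOLD: only the addresses with >= THRESHOLD failures
brute_force_sources() {
    bad_password_counts | awk -v t="$1" '$1 >= t { print $2 }'
}

# ssh_bruteforce_report THRESHOLD: mail-ready text body (feed it to sendmail/mutt)
ssh_bruteforce_report() {
    printf 'SSH brute-force sources (>= %s bad passwords):\n' "$1"
    bad_password_counts | awk -v t="$1" '$1 >= t { printf "  %s  %d attempts\n", $2, $1 }'
}

# Stand-alone demo; on the router replace sample_log with: logread
sample_log | ssh_bruteforce_report 3
```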
#4
Posted 31 May 2015 - 09:20
I'd be interested in logging the http traffic of the devices on the network directly on the router, a 1043nd v2 with superwrt and an 8 GB stick. I read that it would work with tinyproxy, but I didn't find many details about the configuration.
I found some details here: http://www.farville....o-monitor-kids/ , but it requires a separate Linux computer for the log analysis. Can't the analysis be done directly on the router?
Edited by cation, 31 May 2015 - 09:27.
#5
Posted 31 May 2015 - 12:46
cation, on 31 May 2015 - 09:20, said:
I'd be interested in logging the http traffic of the devices on the network directly on the router, a 1043nd v2 with superwrt and an 8 GB stick. I read that it would work with tinyproxy, but I didn't find many details about the configuration. I found some details here: http://www.farville....o-monitor-kids/ , but it requires a separate Linux computer for the log analysis. Can't the analysis be done directly on the router?

But... careful!: http://www.farville.com/home-networks-a-transparent-proxy-to-monitor-kids/
"Note that tinyproxy on openwrt only proxies port 80 traffic, so if you need to also proxy port 443 (ssl) traffic, then you'll want to look at using squid instead."
So you can redirect only http traffic to tinyproxy, not https. Do you have enough space to install squid? I recommend the "squid no caching" variant, so you'd use it as a plain proxy server. I have some configs, only for openwrt squid 2.7, in case you decide on squid.
Later edit: I should mention that I have never used squid for traffic redirection (transparent proxy). But for traffic redirection, at the end, after configuring the squid package, you run the following:

#
# Shell commands to run on router to enable transparent proxying
#
uci add firewall redirect
# @redirect[0] is the first redirect section; if others already exist, the one just added is @redirect[-1]
uci set firewall.@redirect[0].name='Transparent Proxy Redirect'
uci set firewall.@redirect[0].src=lan
uci set firewall.@redirect[0].proto=tcp
uci set firewall.@redirect[0].dest_port=3128
uci set firewall.@redirect[0].src_dport=80
uci set firewall.@redirect[0].src_dip='!192.168.1.1'
uci set firewall.@redirect[0].dest_ip=192.168.1.1
uci set firewall.@redirect[0].target='DNAT'
uci commit firewall
/etc/init.d/firewall restart
Edited by SpargatorulDeVise, 31 May 2015 - 12:54.
#7
Posted 31 May 2015 - 17:35
Hi!
Very interesting topic. I tried the scripts that send email on Bad password attempt and they work. If you could post a few details about OpenVPN (configs on the server and settings on the clients). I've been thinking for a long time about trying it myself, but haven't really had the time..
I use the following Remove Ads script:

#!/bin/sh
# fetch several hosts-format blocklists, keep only the "127.0.0.1 host" lines,
# merge them into one file for dnsmasq and reload it; runs in the background
(
wget -qO- http://www.mvps.org/.../hosts.txt|grep "^127.0.0.1" > /mnt/sda/share/tmp/block.host
# append (>>) from the second list on, otherwise the first list is overwritten
wget -qO- http://pgl.yoyo.org/...rmat=hosts|grep "^127.0.0.1" >> /mnt/sda/share/tmp/block.host
wget -qO- http://someonewhocar...osts/hosts|grep "^127.0.0.1" >> /mnt/sda/share/tmp/block.host
wget -qO- http://www.malwaredo.../hosts.txt|grep "^127.0.0.1" >> /mnt/sda/share/tmp/block.host
# sort -u keeps one copy of every line; "uniq -u" would drop hosts present in more than one list
sort -u /mnt/sda/share/tmp/block.host >/mnt/sda/share/tmp/sorted
mv /mnt/sda/share/tmp/sorted /mnt/sda/share/tmp/block.host
/etc/init.d/dnsmasq restart
) &

and I run it daily from cron.

# run this script every day at 04:30
30 4 * * * /root/removeads.sh
#8
Posted 31 May 2015 - 20:36
Installing Squid Proxy 2.7 with external access and user&password authentication mode,
on TP-Link TL-WR1043N/ND v2, OpenWrt Barrier Breaker 14.07. In the router's USB port I used a USB stick.

Install: squid, squid-mod-basic-auth-ncsa, mini-httpd-htpasswd
For the USB flash drive, install: kmod-usb-core, kmod-usb-ohci, kmod-usb-uhci, kmod-usb-storage, usbutils, mountd, libmount, block-mount, kmod-fs-ext4, swap-utils

Via Putty, enter the following commands:

mkdir -p /mnt/sda
mount -t ext4 /dev/sda1 /mnt/sda -o rw,sync
mkdir -p /mnt/sda/var
mkdir -p /mnt/sda/var/cache
mkdir -p /mnt/sda/var/logs
chown nobody:nogroup /mnt/sda/var/cache
chown nobody:nogroup /mnt/sda/var/logs
touch /etc/squid/squid_htpasswd
chown nobody:nogroup /etc/squid/squid_htpasswd
htpasswd -c /etc/squid/squid_htpasswd usersquid1 parolauser1
htpasswd /etc/squid/squid_htpasswd usersquid2 parolauser2
chmod o+r /etc/squid/squid_htpasswd

Via SCP or... WinSCP, move (create!) the following files on the router:
/etc/config/squid
(spoiler content not captured)
/etc/init.d/squid
(spoiler content not captured)
/lib/functions/squid.sh
(spoiler content not captured)
/etc/squid/squid.conf
(spoiler content not captured)
Then enter the following commands in the putty console:

chmod o+r /lib/functions/squid.sh
chmod +x /lib/functions/squid.sh
chmod o+r /etc/init.d/squid
chmod +x /etc/init.d/squid
/etc/init.d/squid enable
/etc/init.d/squid start

/etc/config/firewall

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '3128'
	option dest_ip '192.168.1.1'
	option dest_port '3128'
	option name 'squid'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'tcp'
	option dest_port '3128'
	option name 'squidf'

That's about it, as far as I remember...
Edited by SpargatorulDeVise, 31 May 2015 - 20:43.
#9
Posted 31 May 2015 - 21:07
manowar27, on 31 May 2015 - 17:35, said:
Hi! Very interesting topic. I tried the scripts that send email on Bad password attempt and they work.

In the meantime I have also sorted out the reports with the blocked IPs. (But I still haven't had time to play with "mutt"!)
/etc/rc.local
(spoiler content not captured)
/mnt/sda/var/sendlog/sendlogs2.sh
(spoiler content not captured)
Thanks for the Remove Ads script. Good to keep in mind. At home I use ABP in the browser. I couldn't use that script because I wouldn't have full control over what it blocks and what it doesn't, per situation. For example, here on softpedia I turn ABP off: 1. For moral support of the forum 2. I want to see the images posted on the forum, which are hosted for example on imgurDOTcom/
Edited by SpargatorulDeVise, 31 May 2015 - 21:13.
#10
Posted 01 June 2015 - 09:52
manowar27, on 31 May 2015 - 17:35, said:
Hi! Very interesting topic. I tried the scripts that send email on Bad password attempt and they work. If you could post a few details about OpenVPN (configs on the server and settings on the clients). I've been thinking for a long time about trying it myself, but haven't really had the time..
I use the following Remove Ads script:

#!/bin/sh
# fetch several hosts-format blocklists, keep only the "127.0.0.1 host" lines,
# merge them into one file for dnsmasq and reload it; runs in the background
(
wget -qO- http://www.mvps.org/.../hosts.txt|grep "^127.0.0.1" > /mnt/sda/share/tmp/block.host
# append (>>) from the second list on, otherwise the first list is overwritten
wget -qO- http://pgl.yoyo.org/...rmat=hosts|grep "^127.0.0.1" >> /mnt/sda/share/tmp/block.host
wget -qO- http://someonewhocar...osts/hosts|grep "^127.0.0.1" >> /mnt/sda/share/tmp/block.host
wget -qO- http://www.malwaredo.../hosts.txt|grep "^127.0.0.1" >> /mnt/sda/share/tmp/block.host
# sort -u keeps one copy of every line; "uniq -u" would drop hosts present in more than one list
sort -u /mnt/sda/share/tmp/block.host >/mnt/sda/share/tmp/sorted
mv /mnt/sda/share/tmp/sorted /mnt/sda/share/tmp/block.host
/etc/init.d/dnsmasq restart
) &

and I run it daily from cron.

# run this script every day at 04:30
30 4 * * * /root/removeads.sh

For it to work, the following settings must also be made:
First File: /etc/firewall.user (Make a copy of the file before editing)
Add these 2 lines:
iptables -t nat -I PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -I PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 53
Add the following line into /etc/config/dhcp, under the section "config dnsmasq":
list addnhosts '/mnt/sda/share/tmp/block.host'
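An added example, not the removeads.sh script from the posts above: it merges hosts-format blocklists into the file format the addnhosts setting expects, normalising both 0.0.0.0 and 127.0.0.1 prefixes, CRLF line endings, comments and the lists' own localhost entries, and deduplicates by hostname, which is exactly where sort | uniq -u goes wrong (a host listed in two sources would be dropped instead of kept once). The two lists and the function names are constructed for the example and stand in for the wget downloads.

```shell
#!/bin/sh
# Added example, not the script from the thread. Merges hosts-format blocklists
# into one dnsmasq addnhosts file the way removeads.sh does, but normalises the
# input: "0.0.0.0 host" and "127.0.0.1 host" forms, CRLF line endings, trailing
# comments, and the lists' own "localhost" entries. Entries are deduplicated by
# hostname, so a host present in several lists is kept exactly once.

# Two constructed lists standing in for the wget downloads in post #7.
list_a() {
    cat <<'EOF'
# list A (constructed)
127.0.0.1 localhost
127.0.0.1 ads.example.net
127.0.0.1 tracker.example.org   # trailing comment
EOF
}
list_b() {
    printf '0.0.0.0 ads.example.net\r\n0.0.0.0 beacon.example.com\r\n0.0.0.0 0.0.0.0\r\n'
}

# merge_block_hosts: stdin = concatenated hosts lists, stdout = "127.0.0.1 host"
# lines, one per unique hostname, sorted. 127.0.0.1 is kept as the sink address
# because that is what the thread's dnsmasq setup expects.
merge_block_hosts() {
    tr -d '\r' |
    sed 's/#.*//' |
    awk '($1 == "0.0.0.0" || $1 == "127.0.0.1") && NF >= 2 {
             for (i = 2; i <= NF; i++) {
                 h = tolower($i)
                 if (h == "localhost" || h == "localhost.localdomain" || h == "0.0.0.0") continue
                 if (!(h in seen)) { seen[h] = 1; print "127.0.0.1", h }
             }
         }' | sort
}

# blocked_count: number of hostnames in the merged output
blocked_count() {
    merge_block_hosts | awk 'END { print NR }'
}

# Stand-alone demo. On the router the output would be written to
# /mnt/sda/share/tmp/block.host before restarting dnsmasq.
{ list_a; list_b; } | merge_block_hosts
```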
#11
Posted 01 June 2015 - 09:57
manowar27, on 01 June 2015 - 09:52, said:
For it to work, the following settings must also be made: First File: /etc/firewall.user (Make a copy of the file before editing) Add these 2 lines: iptables -t nat -I PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports 53 iptables -t nat -I PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 53 Add the following line into /etc/config/dhcp, under the section "config dnsmasq": list addnhosts '/mnt/sda/share/tmp/block.host'

Question: If you have a DNS server in the router, or behind the router, doesn't this alter the DNS requests and the proper functioning of that DNS server?
#12
Posted 01 June 2015 - 10:25
iptables -t nat -I PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -I PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 53

"This will divert all DNS traffic to the router even if some client has an external NS configured."
Source: https://forum.openwr...ic.php?id=26535
I haven't tried a DNS server behind the router. Probably in that case the ad-block settings would have to be made on that server. Basically, the ad hosts in the block.host file are resolved by dns as having the address 127.0.0.1
#13
Posted 01 June 2015 - 22:33
I think the topic should be made sticky because it is of general interest. Regarding VPN, OpenVPN is very interesting and is slowly becoming a sort of industry standard, but also take a look at IPsec IKEv2 with the MOBIKE extension. What's cool about this solution is that switching between two interfaces happens seamlessly, without any disconnect, so if for example you are connected to the VPN from your phone and you turn wireless off, the VPN automatically moves by itself to the 3G data connection. As far as I know OpenVPN can't do that, but in turn it can do other things IPsec can't, e.g. push routes to the client for those who want split tunneling.