Block IP list on Turris

Hi,
What is the best way to have my personal ip blacklist ?
I saw in my log many attempts to my openvpn port, and I want to drop these curious visitors.
My guess is to make a new ipset collection and add 2 new iptables rules …
something like this :
ipset create blacklist hash:ip hashsize 4096
iptables -I INPUT -m set --match-set blacklist src -j DROP
iptables -I FORWARD -m set --match-set blacklist src -j DROP

Is that correct ? do I need to take care of somethings ?

Wouldn’t it be easier to use Honeypot?

@jada4p You right but, in my understanding Honeypot do not track openvpn or wireguard ports but only 22, 23, 443, …
People who are visiting my router are trying “certificats” to gain access to the internal network. Logs looks like this :
Feb 22 17:58:04 turris openvpn(server_turris)[8139]: 172.105.234.232:43885 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

Do someone can confirm that honeypot do not cover openvpn port ?
Of course if the same guy (same IP) try to scan other port like ssh it will be ban by sentinel (thanks to the honeypot) and it will not have access to openvpn port anymore.
I share these IPs with the other members of the forum, it will be interesting to see if other have the same visitors.

root@turris:~# ipset list |grep 146.88.240.4

172.105.234.232
146.88.240.4 ->> this one is member of turris-sn-dynfw-block (this morning)
185.200.118.51
185.200.118.48

Feb 22 03:24:53 turris openvpn(server_turris)[8139]: 146.88.240.4:48802 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 22 03:24:53 turris openvpn(server_turris)[8139]: 146.88.240.4:48802 TLS Error: TLS handshake failed
Feb 22 03:24:53 turris openvpn(server_turris)[8139]: 146.88.240.4:48802 SIGUSR1[soft,tls-error] received, client-instance restarting

I also have it in my log. But check this out:
https://www.abuseipdb.com/check/146.88.240.4
This IP address is actively attacking other host. Many times.
EDIT:
The more interesting part is their website:
https://www.arbor-observatory.com/ MUST READ!

1 Like