[ 386.11alpha Build(s) ] Testing available build(s)

Status
Not open for further replies.
After all post upgrade protocols and multiple reboots of the router/modem combo, I'm still getting 1 of these each SECOND??

Apr 28 10:43:07 kernel: out_fd is a pipe
Apr 28 10:43:07 kernel: out_fd is a pipe
Apr 28 10:43:10 kernel: out_fd is a pipe
Apr 28 10:43:10 kernel: out_fd is a pipe
Apr 28 10:43:10 kernel: out_fd is a pipe

They fill the log and render it useless due to sheer size.

Any ideas how come?
 
> After all post upgrade protocols and multiple reboots of the router/modem combo, I'm still getting 1 of these each SECOND??
>
> Apr 28 10:43:07 kernel: out_fd is a pipe
> Apr 28 10:43:07 kernel: out_fd is a pipe
> Apr 28 10:43:10 kernel: out_fd is a pipe
> Apr 28 10:43:10 kernel: out_fd is a pipe
> Apr 28 10:43:10 kernel: out_fd is a pipe
>
> They fill the log and render it useless due to sheer size.
>
> Any ideas how come?

So, finally rolled back the firmware to .10. Oddly, I was still getting these same repeating log entries!?
Restored .cfg and .tar files that I save with each change of firmware edition. The endless log entries STOPPED.
I hope that this will help Merlin understand what's going on with the alpha...
 
Did something happen to the SSH brute force protection on this build? Didn't really test this on 386.10 but it looks like brute force protection is not working properly on this build based on the logs. The login attempts continued till 6:43 but had to truncate this post due to the 10K character limit,

Code:
May  2 05:32:16 dropbear[2212]: Child connection from 170.187.188.98:60000
May  2 05:32:16 dropbear[2212]: Exit before auth from <170.187.188.98:60000>: Exited normally
May  2 05:43:01 dropbear[3726]: Child connection from 170.187.188.98:40956
May  2 05:43:01 dropbear[3726]: Login attempt for nonexistent user
May  2 05:43:02 dropbear[3726]: Exit before auth from <170.187.188.98:40956>: Exited normally
May  2 05:43:09 dropbear[3748]: Child connection from 170.187.188.98:42092
May  2 05:43:10 dropbear[3748]: Login attempt for nonexistent user
May  2 05:43:11 dropbear[3748]: Exit before auth from <170.187.188.98:42092>: Exited normally
May  2 05:43:18 dropbear[3763]: Child connection from 170.187.188.98:45088
May  2 05:43:18 dropbear[3763]: Login attempt for nonexistent user
May  2 05:43:19 dropbear[3763]: Exit before auth from <170.187.188.98:45088>: Exited normally
May  2 05:48:22 dropbear[4416]: Child connection from 170.187.188.98:41472
May  2 05:48:22 dropbear[4416]: Login attempt for nonexistent user
May  2 05:48:23 dropbear[4416]: Exit before auth from <170.187.188.98:41472>: Exited normally
May  2 05:48:28 dropbear[4432]: Child connection from 170.187.188.98:43210
May  2 05:48:29 dropbear[4432]: Login attempt for nonexistent user
May  2 05:48:30 dropbear[4432]: Exit before auth from <170.187.188.98:43210>: Exited normally
May  2 05:48:30 dropbear[4435]: Child connection from 170.187.188.98:41904
May  2 05:48:31 dropbear[4435]: Login attempt for nonexistent user
May  2 05:48:32 dropbear[4435]: Exit before auth from <170.187.188.98:41904>: Exited normally
May  2 05:48:39 dropbear[4452]: Child connection from 170.187.188.98:41032
May  2 05:48:40 dropbear[4452]: Login attempt for nonexistent user
May  2 05:48:40 dropbear[4452]: Exit before auth from <170.187.188.98:41032>: Exited normally
May  2 05:48:48 dropbear[4472]: Child connection from 170.187.188.98:55138
May  2 05:48:48 dropbear[4472]: Login attempt for nonexistent user
May  2 05:48:49 dropbear[4472]: Exit before auth from <170.187.188.98:55138>: Exited normally
May  2 05:48:56 dropbear[4498]: Child connection from 170.187.188.98:55152
May  2 05:48:57 dropbear[4498]: Login attempt for nonexistent user
May  2 05:48:58 dropbear[4498]: Exit before auth from <170.187.188.98:55152>: Exited normally
May  2 05:49:05 dropbear[4516]: Child connection from 170.187.188.98:53004
May  2 05:49:06 dropbear[4516]: Login attempt for nonexistent user
May  2 05:49:06 dropbear[4516]: Exit before auth from <170.187.188.98:53004>: Exited normally
May  2 05:49:14 dropbear[4538]: Child connection from 170.187.188.98:43980
May  2 05:49:14 dropbear[4538]: Login attempt for nonexistent user
May  2 05:49:15 dropbear[4538]: Exit before auth from <170.187.188.98:43980>: Exited normally
May  2 05:49:22 dropbear[4552]: Child connection from 170.187.188.98:53978
May  2 05:49:23 dropbear[4552]: Login attempt for nonexistent user
May  2 05:49:23 dropbear[4552]: Exit before auth from <170.187.188.98:53978>: Exited normally
May  2 05:49:31 dropbear[4570]: Child connection from 170.187.188.98:52126
May  2 05:49:31 dropbear[4570]: Login attempt for nonexistent user
May  2 05:49:32 dropbear[4570]: Exit before auth from <170.187.188.98:52126>: Exited normally
May  2 05:49:40 dropbear[4586]: Child connection from 170.187.188.98:57306
May  2 05:49:40 dropbear[4586]: Login attempt for nonexistent user
May  2 05:49:41 dropbear[4586]: Exit before auth from <170.187.188.98:57306>: Exited normally
May  2 05:49:48 dropbear[4606]: Child connection from 170.187.188.98:50122
May  2 05:49:49 dropbear[4606]: Login attempt for nonexistent user
May  2 05:49:49 dropbear[4606]: Exit before auth from <170.187.188.98:50122>: Exited normally
May  2 05:49:57 dropbear[4634]: Child connection from 170.187.188.98:50126
May  2 05:49:57 dropbear[4634]: Login attempt for nonexistent user
May  2 05:49:58 dropbear[4634]: Exit before auth from <170.187.188.98:50126>: Exited normally
May  2 05:50:06 dropbear[4651]: Child connection from 170.187.188.98:41734
May  2 05:50:06 dropbear[4651]: Login attempt for nonexistent user
May  2 05:50:07 dropbear[4651]: Exit before auth from <170.187.188.98:41734>: Exited normally
May  2 05:50:14 dropbear[4675]: Child connection from 170.187.188.98:37942
May  2 05:50:15 dropbear[4675]: Login attempt for nonexistent user
May  2 05:50:15 dropbear[4675]: Exit before auth from <170.187.188.98:37942>: Exited normally
May  2 05:50:23 dropbear[4689]: Child connection from 170.187.188.98:55474
May  2 05:50:23 dropbear[4689]: Login attempt for nonexistent user
May  2 05:50:24 dropbear[4689]: Exit before auth from <170.187.188.98:55474>: Exited normally
May  2 05:50:32 dropbear[4706]: Child connection from 170.187.188.98:44230
May  2 05:50:32 dropbear[4706]: Login attempt for nonexistent user
May  2 05:50:33 dropbear[4706]: Exit before auth from <170.187.188.98:44230>: Exited normally
May  2 05:50:40 dropbear[4723]: Child connection from 170.187.188.98:54846
May  2 05:50:41 dropbear[4723]: Login attempt for nonexistent user
May  2 05:50:41 dropbear[4723]: Exit before auth from <170.187.188.98:54846>: Exited normally
May  2 05:50:49 dropbear[4744]: Child connection from 170.187.188.98:51762
May  2 05:50:49 dropbear[4744]: Login attempt for nonexistent user
May  2 05:50:50 dropbear[4744]: Exit before auth from <170.187.188.98:51762>: Exited normally
May  2 05:50:58 dropbear[4771]: Child connection from 170.187.188.98:44342
May  2 05:50:58 dropbear[4771]: Login attempt for nonexistent user
May  2 05:50:59 dropbear[4771]: Exit before auth from <170.187.188.98:44342>: Exited normally
May  2 05:51:06 dropbear[4789]: Child connection from 170.187.188.98:44346
May  2 05:51:07 dropbear[4789]: Login attempt for nonexistent user
May  2 05:51:07 dropbear[4789]: Exit before auth from <170.187.188.98:44346>: Exited normally
May  2 05:51:15 dropbear[4811]: Child connection from 170.187.188.98:45292
May  2 05:51:15 dropbear[4811]: Login attempt for nonexistent user
May  2 05:51:16 dropbear[4811]: Exit before auth from <170.187.188.98:45292>: Exited normally
May  2 05:51:23 dropbear[4826]: Child connection from 170.187.188.98:40144
May  2 05:51:24 dropbear[4826]: Login attempt for nonexistent user
May  2 05:51:24 dropbear[4826]: Exit before auth from <170.187.188.98:40144>: Exited normally
May  2 05:51:32 dropbear[4843]: Child connection from 170.187.188.98:50530
May  2 05:51:32 dropbear[4843]: Login attempt for nonexistent user
May  2 05:51:33 dropbear[4843]: Exit before auth from <170.187.188.98:50530>: Exited normally
May  2 05:51:41 dropbear[4859]: Child connection from 170.187.188.98:55822
May  2 05:51:41 dropbear[4859]: Login attempt for nonexistent user
May  2 05:51:42 dropbear[4859]: Exit before auth from <170.187.188.98:55822>: Exited normally
May  2 05:51:49 dropbear[4881]: Child connection from 170.187.188.98:35688
May  2 05:51:50 dropbear[4881]: Login attempt for nonexistent user
May  2 05:51:50 dropbear[4881]: Exit before auth from <170.187.188.98:35688>: Exited normally
May  2 05:51:58 dropbear[4908]: Child connection from 170.187.188.98:37000
May  2 05:51:58 dropbear[4908]: Login attempt for nonexistent user
May  2 05:51:59 dropbear[4908]: Exit before auth from <170.187.188.98:37000>: Exited normally
May  2 05:52:06 dropbear[4925]: Child connection from 170.187.188.98:37006
May  2 05:52:07 dropbear[4925]: Login attempt for nonexistent user
May  2 05:52:07 dropbear[4925]: Exit before auth from <170.187.188.98:37006>: Exited normally
May  2 05:52:15 dropbear[4948]: Child connection from 170.187.188.98:42372
May  2 05:52:16 dropbear[4948]: Login attempt for nonexistent user
May  2 05:52:16 dropbear[4948]: Exit before auth from <170.187.188.98:42372>: Exited normally
May  2 05:52:24 dropbear[4963]: Child connection from 170.187.188.98:60828
May  2 05:52:24 dropbear[4963]: Login attempt for nonexistent user
May  2 05:52:25 dropbear[4963]: Exit before auth from <170.187.188.98:60828>: Exited normally
May  2 05:52:33 dropbear[4980]: Child connection from 170.187.188.98:35100
May  2 05:52:33 dropbear[4980]: Login attempt for nonexistent user
May  2 05:52:34 dropbear[4980]: Exit before auth from <170.187.188.98:35100>: Exited normally
May  2 05:52:41 dropbear[4997]: Child connection from 170.187.188.98:49770
May  2 05:52:42 dropbear[4997]: Login attempt for nonexistent user
May  2 05:52:42 dropbear[4997]: Exit before auth from <170.187.188.98:49770>: Exited normally
May  2 05:52:50 dropbear[5017]: Child connection from 170.187.188.98:40404
May  2 05:52:50 dropbear[5017]: Login attempt for nonexistent user
May  2 05:52:51 dropbear[5017]: Exit before auth from <170.187.188.98:40404>: Exited normally
May  2 05:52:59 dropbear[5044]: Child connection from 170.187.188.98:59514
May  2 05:52:59 dropbear[5044]: Login attempt for nonexistent user
May  2 05:53:00 dropbear[5044]: Exit before auth from <170.187.188.98:59514>: Exited normally
May  2 05:53:07 dropbear[5061]: Child connection from 170.187.188.98:59528
May  2 05:53:08 dropbear[5061]: Login attempt for nonexistent user
May  2 05:53:08 dropbear[5061]: Exit before auth from <170.187.188.98:59528>: Exited normally
May  2 05:53:16 dropbear[5084]: Child connection from 170.187.188.98:40620
May  2 05:53:16 dropbear[5084]: Login attempt for nonexistent user
May  2 05:53:17 dropbear[5084]: Exit before auth from <170.187.188.98:40620>: Exited normally
May  2 05:53:25 dropbear[5098]: Child connection from 170.187.188.98:36660
May  2 05:53:25 dropbear[5098]: Login attempt for nonexistent user
May  2 05:53:26 dropbear[5098]: Exit before auth from <170.187.188.98:36660>: Exited normally
 
> Did something happen to the SSH brute force protection on this build? Didn't really test this on 386.10 but it looks like brute force protection is not working properly on this build based on the logs. The login attempts continued till 6:43 but had to truncate this post due to the 10K character limit,
>
> Code:
> May  2 05:32:16 dropbear[2212]: Child connection from 170.187.188.98:60000
> May  2 05:32:16 dropbear[2212]: Exit before auth from <170.187.188.98:60000>: Exited normally
> May  2 05:43:01 dropbear[3726]: Child connection from 170.187.188.98:40956
> May  2 05:43:01 dropbear[3726]: Login attempt for nonexistent user
> May  2 05:43:02 dropbear[3726]: Exit before auth from <170.187.188.98:40956>: Exited normally
> May  2 05:43:09 dropbear[3748]: Child connection from 170.187.188.98:42092
> May  2 05:43:10 dropbear[3748]: Login attempt for nonexistent user

Looks like it's working fine: it's validating and dropping the connection attempt.

Change your OVPN port to something non-standard and/or disable it for a while and/or change your external (ISP) IP address (reboot your router and modem).
 
> Looks like it's working fine: it's validating and dropping the connection attempt.
>
> Change your OVPN port to something non-standard and/or disable it for a while and/or change your external (ISP) IP address (reboot your router and modem).

Brute force protection is supposed to block the connection for a certain amount of time and not allow repeated connections and login attempts from the same IP
 
> Brute force protection is supposed to block the connection for a certain amount of time and not allow repeated connections and login attempts from the same IP

That is certainly true on Tomato (it's a checkbox) but I don't recall seeing that setting on AWM.

Regardless, using the common port is a risk and this will likely continue until you address it.
 
> That is certainly true on Tomato (it's a checkbox) but I don't recall seeing that setting on AWM.
>
> Regardless, using the common port is a risk and this will likely continue until you address it.

The brute force protection checkbox was removed for 386.2 as Merlin stated Asuswrt's protect service daemon already handled it but something is up with it as I've never seen it not work like this. And to note, it's not set to the default port 22 but honestly a port scan will eventually find whatever I set anyways being my ISP is still using IPv4
 
This test version of the 5G signal through the wall is very good. It would be perfect if the connection between the wireless relay and the China Mobile Broadband custom router causes many APPs on the mobile phone to be unable to use the network.
 
> The brute force protection checkbox was removed for 386.2 as Merlin stated Asuswrt's protect service daemon already handled it but something is up with it as I've never seen it not work like this. And to note, it's not set to the default port 22 but honestly a port scan will eventually find whatever I set anyways being my ISP is still using IPv4

Having SSH exposed to the internet is always risky and personally I'd never chance it, whether brute force protection is available or not.

This might be better in its own thread, I'm sure you'd get more feedback that way, because it's unlikely to be changed in the firmware.
 
And then, you're exposed.

Using Port 22 (default) is never a good idea.
 
> And then, you're exposed.
>
> Using Port 22 (default) is never a good idea.

Yes I know the risk and it's not set to port 22 like previously stated. The issue is not that someone is trying to login, that will happen anytime the port is open, the issue is that brute force protection should not allow 500+ connections from the same IP, hence my post saying something is up with Asus's daemon as I saw this behavior on 2x RT-AC68U on 386.11 alpha 1
 
'Brute force protection' isn't something to rely on with prosumer routers, particularly when you're voluntarily ignoring basic security steps like 'do not enable ssh on WAN', ever.

If you're being scanned that hard on the port you're using now, time to change it. Or better yet, use OpenVPN instead.
 
I was able to replicate the issue on 386.11 and 388.2, so it looks like Asus's daemon is allowing a free for all once the initial 5 min block is over for the first 3 login tries. After that initial 5 min block, it allows unlimited login tries with no blocking of the IP again.

@RMerlin, did your old brute force protection solution exhibit the same issue?
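
An added example (not part of the original posts, and not Asuswrt or dropbear code): a log check for the behaviour reported above, where failed logins keep arriving from one address after the first block expires. It joins each dropbear PID to its source IP and reports addresses that exceed the limit; the 3-tries-per-5-minutes threshold is an assumption taken from the report above, the function names are this example's own, and the sample lines and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the thread's dropbear syslog format (documentation IPs).
SAMPLE = """\
May  2 05:32:16 dropbear[2212]: Child connection from 203.0.113.7:60000
May  2 05:32:16 dropbear[2212]: Exit before auth from <203.0.113.7:60000>: Exited normally
May  2 05:43:01 dropbear[3726]: Child connection from 203.0.113.7:40956
May  2 05:43:01 dropbear[3726]: Login attempt for nonexistent user
May  2 05:43:09 dropbear[3748]: Child connection from 203.0.113.7:42092
May  2 05:43:10 dropbear[3748]: Login attempt for nonexistent user
May  2 05:43:18 dropbear[3763]: Child connection from 203.0.113.7:45088
May  2 05:43:18 dropbear[3763]: Login attempt for nonexistent user
May  2 05:44:00 dropbear[3801]: Child connection from 198.51.100.9:51000
May  2 05:44:01 dropbear[3801]: Login attempt for nonexistent user
May  2 05:44:30 dropbear[3822]: Child connection from 198.51.100.9:51002
May  2 05:44:31 dropbear[3822]: Login attempt for nonexistent user
May  2 05:48:22 dropbear[4416]: Child connection from 203.0.113.7:41472
May  2 05:48:22 dropbear[4416]: Login attempt for nonexistent user
May  2 05:48:28 dropbear[4432]: Child connection from 203.0.113.7:43210
May  2 05:48:29 dropbear[4432]: Login attempt for nonexistent user
May  2 05:48:30 dropbear[4435]: Child connection from 203.0.113.7:41904
May  2 05:48:31 dropbear[4435]: Login attempt for nonexistent user
May  2 05:48:39 dropbear[4452]: Child connection from 203.0.113.7:41032
May  2 05:48:40 dropbear[4452]: Login attempt for nonexistent user
""".splitlines()

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) dropbear\[(\d+)\]: (.*)$")
CONN = re.compile(r"^Child connection from (.+):\d+$")
FAILED = ("Login attempt for nonexistent user", "Bad password attempt")

def failed_logins(lines, year=2000):
    """Map source IP -> sorted failure times, joining on the dropbear PID."""
    pid_ip, fails = {}, defaultdict(list)
    for m in filter(None, map(LINE.match, lines)):
        stamp, pid, msg = m.groups()
        conn = CONN.match(msg)
        if conn:
            pid_ip[pid] = conn.group(1)   # the failure line itself carries no IP
        elif msg.startswith(FAILED) and pid in pid_ip:
            # syslog stamps have no year; `year` is a placeholder assumption
            when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
            fails[pid_ip[pid]].append(when)
    return {ip: sorted(ts) for ip, ts in fails.items()}

def over_limit(lines, max_tries=3, window_s=300):
    """Return {ip: peak failures inside any window_s span} where peak > max_tries."""
    flagged = {}
    for ip, ts in failed_logins(lines).items():
        peak = lo = 0
        for hi, t in enumerate(ts):
            while (t - ts[lo]).total_seconds() >= window_s:
                lo += 1                   # slide the window start forward
            peak = max(peak, hi - lo + 1)
        if peak > max_tries:
            flagged[ip] = peak
    return flagged

print(over_limit(SAMPLE))
```

Any address this returns got more failed logins through inside one window than the assumed limit allows, which is the pattern visible in the posted log after 05:48.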
 
> 'Brute force protection' isn't something to rely on with prosumer routers, particularly when you're voluntarily ignoring basic security steps like 'do not enable ssh on WAN', ever.
>
> If you're being scanned that hard on the port you're using now, time to change it. Or better yet, use OpenVPN instead.

Myself, I don't like the precedent this response sets. @Calkulin was reporting a legitimate issue that he found within the firmware. If something is broken, it probably should be fixed.
Obviously you can give your recommendations or express concern.
However the level of security someone chooses to implement should be up to the customer/client.
And if Asus states the firmware has 'Brute force protection' it probably should work as intended.
Unfortunately, explaining advanced network functionality... in layman's terms is often... damn near impossible.
Regardless I think @Calkulin should be thanked & not belittled.
Isn't testing & error reporting what these forums were originally intended for?
 
Nobody was 'belittled'.

Best practices are 'best practices', for a reason. This isn't precedent, this is a basic fact.

Not seeing the forest for the trees is just as big a concern as the trees themselves.
 
> Nobody was 'belittled'.
>
> Best practices are 'best practices', for a reason. This isn't precedent, this is a basic fact.
>
> Not seeing the forest for the trees is just as big a concern as the trees themselves.

Fine, I'll give you the benefit of the doubt & assume your intentions were all good.
Perhaps I shouldn't have said "belittled" but the way it was worded... it came across as rather condescending.
Especially to someone who very likely found a legitimate problem or issue.
+
Regardless of a router being classified as: -Consumer Grade, -Prosumer Grade? (Likely more advanced & more Customizable), or -Business/Commercial/Professional Grade...
Listed Features & Options should just work as advertised.
And when they don't... it should probably be fixed/corrected.
Even if the device is as you hinted, only "Prosumer Grade". Shouldn't manufacturers be held accountable?
Otherwise, they could put anything on the box with absolutely no accountability whatsoever.
Anyways, I've gone completely off topic, sorry.
 
> did your old brute force protection solution exhibit the same issue?

The old system merely throttled connections, it did not do any active blocking.
 
What other intentions would I have on a forum such as this? Of course, I'm trying to help to the best of my ability and limited time.

My perspective is with one goal in mind. Fix the problem quickly, and, fix the root of the problem too. Anything else on a 'free' forum is gravy (and others with more expertise than I can also chime in with their perspective and helpful hints too).

On Enterprise gear, I'd say yes 'yell louder' if the fix will come faster by doing so.

With Prosumer/Consumer equipment, those yelps fall on deaf ears. Because there is no implicit support nor cost to do otherwise.

Yes, I'm a realist. When Presidents and Prime Ministers ruin a country while reaping rewards without consequences, I don't expect a business to do otherwise. And if I do feel that strongly, I would vote with my wallet, not my time (banging my head against a wall).
 