AC87U - SSH Being attacked

wgentine

Occasional Visitor
Anybody else seeing such log messages? I don't have IPv6 enabled. Are they trying to exploit something related to the IPv6 stack via IPv4??

Jan 4 10:32:38 dropbear[21333]: login attempt for nonexistent user from ::ffff:218.2.0.129:13075
Jan 4 10:32:38 dropbear[21334]: login attempt for nonexistent user from ::ffff:218.2.0.129:13763
Jan 4 10:32:38 dropbear[21332]: login attempt for nonexistent user from ::ffff:218.2.0.129:13078
 
Yup, can confirm.
1) Have IPv6 disabled
2) Had SSH enabled.

IMHO there should be an option to enable SSH only on LAN side, not both WAN&LAN
 
Disable SSH from your WAN interface. I'm not sure if that's available in stock firmware, but Merlin firmware has it.

In RouterOS it is very easy to prevent brute force attacks and port scanning. It is also easy to implement a firewall to prevent man-in-the-middle attacks on your LAN and invalid packets that can cause problems for your network.

Every day I noticed so many IPs attempting to hack or do something to my router or network. It just shows how unsafe the internet actually is and how many things go unreported. If you used a firewall to drop or tarpit external traffic that isn't valid, you'd be surprised at just how many IPs attack you on a daily basis.
 
I mentioned IPv6 because the IP at first seemed to be IPv6 but is just an IPv4 with a ::FFFF::

There's no option to block SSH from WAN on stock firmware.

I've more than 1.000.000 tries in the log... that's really weird.
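
Added example, not part of any post in this thread and not Asus or dropbear code: a small Python parser that unwraps the `::ffff:` IPv4-mapped form seen in the quoted log lines and counts failed SSH logins per source. The sample log is constructed (the first three lines are the ones quoted above; the rest, the function names and the threshold are assumptions).

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the first three lines are the ones quoted in the thread,
# the rest are made up (documentation address ranges) to exercise the parser.
SAMPLE_LOG = """\
Jan 4 10:32:38 dropbear[21333]: login attempt for nonexistent user from ::ffff:218.2.0.129:13075
Jan 4 10:32:38 dropbear[21334]: login attempt for nonexistent user from ::ffff:218.2.0.129:13763
Jan 4 10:32:38 dropbear[21332]: login attempt for nonexistent user from ::ffff:218.2.0.129:13078
Jan 4 10:33:02 dropbear[21340]: Bad password attempt for 'admin' from ::ffff:203.0.113.7:40112
Jan 4 10:33:05 dropbear[21341]: login attempt for nonexistent user from 2001:db8::5:51000
Jan 4 10:34:10 dropbear[21350]: Child connection from ::ffff:192.168.1.10:50522
"""

LINE_RE = re.compile(r"dropbear\[\d+\]: (?P<msg>.+) from (?P<peer>\S+)$")
FAILURES = ("login attempt for nonexistent user", "Bad password attempt")

def normalize_peer(peer):
    """Split 'addr:port' and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4."""
    host, _, port = peer.rpartition(":")
    addr = ipaddress.ip_address(host)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return str(addr), int(port)

def count_sources(log_text):
    """Count failed SSH logins per source address; other dropbear lines are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line.strip())
        if not m or not m.group("msg").startswith(FAILURES):
            continue
        try:
            ip, _port = normalize_peer(m.group("peer"))
        except ValueError:  # malformed address or port: skip the line
            continue
        counts[ip] += 1
    return counts

def flag_sources(log_text, threshold):
    """Return (ip, count) pairs at or above threshold, busiest first."""
    return [(ip, n) for ip, n in count_sources(log_text).most_common() if n >= threshold]

if __name__ == "__main__":
    for ip, n in flag_sources(SAMPLE_LOG, threshold=3):
        print(f"{ip}\t{n} failed logins")
```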
 
Had a problem a few months back. A lot of files in my HDD connected to my router were renamed. As an example, my "Family Guy" folder was renamed to "Soo Funny" and my "Sons of Anarchy" folder was renamed to "Best show on TV".

Neither my father nor mother have write permissions on the HDD and they both would not do such a prank. Besides that, nothing else was touched. None of my computers were breached as I have a pretty solid firewall that works with other computers in the house to monitor my entire network for unusual activity. Nothing on the firewall logs but I should have checked my router logs.
 
Not sure why Asus' SSH implementation is so quirky/incomplete. I saw in their code that they are indeed making it open to the WAN, with no option to disable it. Sounds as if it was quickly added in with limited thought or even testing behind it.
 
I'm just sticking a little bit more time with the original firmware to test and report to Asus support regarding Port Forwarding Loopback when using CTF acceleration. And of course, waiting for your new version based on new GPL code, RMerlin.
 
