Menu
What's new
By:
Filters Better Search

Am I under attack?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

L

lwizard

Regular Contributor
Mar 25 21:53:57 dropbear[1210]: Child connection from 115.29.190.221:35362
Mar 25 21:53:59 dropbear[1210]: Login attempt for nonexistent user from 115.29.190.221:35362
Mar 25 21:54:00 dropbear[1210]: Exit before auth: Exited normally

This repeats all day long..

I have disabled SSH from WAN and SSH port forwarding.

Now it seems that there is no more activity.
 
I think 'attack' is a strong word, but you're certainly being probed for accessibility ;-)

http://myip.ms/view/ip_addresses/1931329024/115.29.190.0_115.29.190.255

There are a couple of people on the forums reporting IP addresses originating in China trying to establish VPN connections (including myself), and in your case SSH.

I presume they are port-scanning entire address ranges and just looking for weaknesses.
 
Pericynthion said:
I think 'attack' is a strong word, but you're certainly being probed for accessibility ;-)

http://myip.ms/view/ip_addresses/1931329024/115.29.190.0_115.29.190.255

There are a couple of people on the forums reporting IP addresses originating in China trying to establish VPN connections (including myself), and in your case SSH.

I presume they are port-scanning entire address ranges and just looking for weaknesses.
Click to expand...

I have ssh open on my machine (not the router) and it gets probed every single day.

If you have ssh open, you need to take measures. I have blacklisted china and a bunch of other countries on the router.

And the machine has a very small white list of ip addresses that can connect.
(i can get in from work, and from my mother in laws house)

So far nobody has been able to get in.

(knock on wood)
 
Enabling Brute Force Protection will also make it very unlikely someone will be able to brute force your login, by throttling their connection attempts.
 
In fact it was enabled. Now I have disabled WAN ssh access and they are quitted.
Yes, I have also enabled brute force protection.

I can't do a whitelist because my IPs outdoor are various.

I have web interface enabled on WAN (I need it to WOL from WAN), so I will enable ssh access from WAN only when needed.

Thanks!
 
lwizard said:
Mar 25 21:53:57 dropbear[1210]: Child connection from 115.29.190.221:35362
Mar 25 21:53:59 dropbear[1210]: Login attempt for nonexistent user from 115.29.190.221:35362
Mar 25 21:54:00 dropbear[1210]: Exit before auth: Exited normally

This repeats all day long..

I have disabled SSH from WAN and SSH port forwarding.

Now it seems that there is no more activity.
Click to expand...

i have seen this happen before, mainly when my tenants run torrents.

used to pop up like crazy in my logs. but i never had any problems.
 
This is one of the main reasons that prompted me to upgrade away from consumer routers.

With an Ubiquiti EdgeRouter or MikroTik RouterBOARD, you can simply create a firewall rule to drop all packets from your pre-defined Blacklisted IP table and that person won't even have a chance to even try to login to your VPN server again.

Best part is all these can be done on the GUI. No cryptic scripts or SSH connections to mess around with unlike AsusWRT or DD-WRT.
 
That's usually not very useful, because those log on attempts almost never originates from the same IP address.
 
lwizard said:
Mar 25 21:53:57 dropbear[1210]: Child connection from 115.29.190.221:35362
Mar 25 21:53:59 dropbear[1210]: Login attempt for nonexistent user from 115.29.190.221:35362
Mar 25 21:54:00 dropbear[1210]: Exit before auth: Exited normally

This repeats all day long..

I have disabled SSH from WAN and SSH port forwarding.

Now it seems that there is no more activity.
Click to expand...

I get those SSH login attempts too for my Synology NAS (for SCP).

I ended up choosing TCP/Port 22222 instead of 22. It helps that the NAS also has an auto-block feature for failed login attempts.
 
Nerre said:
That's usually not very useful, because those log on attempts almost never originates from the same IP address.
Click to expand...

Not supposed to block just 1 IP address.

I'll usually block the entire chunk belonging to the ISP and some can go as big as /8 :D
 
You must log in or register to reply here.

Similar threads

corgan2224
RT-AX88U creates a lot of dropbear processes after update
Replies
8
Views
1K
Ripshod
Ripshod
M
ac86u Dual core occupancy is 100% and stuck
Replies
1
Views
588
drinkingbird
drinkingbird
R
Prevent SSH Disconnect / Timeout around ~ 105-116 seconds from last activity on terminal session
Replies
7
Views
1K
ColinTaylor
C
K
System log information
Replies
1
Views
2K
ColinTaylor
C
K
Issue with system log for Asus AX88U
Replies
1
Views
1K
ColinTaylor
C
Similar threads
Thread starter Title Forum Replies Date
J The '802.1Q' setting under 'WAN - Internet Connection' (Editing PVC) [Enabled] effect on network performance? ASUS Wi-Fi 6

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 870 (members: 25, guests: 845)
Top