What's new

Attack from a Chineese friend ?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

huotg01

Senior Member
I have thousands of these in my partner's syslog.
Code:
Dec  4 09:43:54 dropbear[23304]: Login attempt for nonexistent user from 218.2.0.133:14389
Dec  4 09:43:55 dropbear[23304]: Login attempt for nonexistent user from 218.2.0.133:14389
Dec  4 09:43:55 dropbear[23304]: Exit before auth: Max auth tries reached - user 'is invalid' from 218.2.0.133:14389
Dec  4 09:43:58 dropbear[23306]: Login attempt for nonexistent user from 218.2.0.133:15961

After googling around, it seems that it is a too well known address from China, and it would be a brute force attack.

Enable Web Access from WAN is already disable but
Allow SSH password login is allowed. Now that I can use Public/Private keys to login, I will just disable it, but is there anything else to do ? (by the way, what is Enable SSH Brute Force Protection?)

Thanks
 
I have thousands of these in my partner's syslog.
Code:
Dec  4 09:43:54 dropbear[23304]: Login attempt for nonexistent user from 218.2.0.133:14389
Dec  4 09:43:55 dropbear[23304]: Login attempt for nonexistent user from 218.2.0.133:14389
Dec  4 09:43:55 dropbear[23304]: Exit before auth: Max auth tries reached - user 'is invalid' from 218.2.0.133:14389
Dec  4 09:43:58 dropbear[23306]: Login attempt for nonexistent user from 218.2.0.133:15961

After googling around, it seems that it is a too well known address from China, and it would be a brute force attack.

Enable Web Access from WAN is already disable but
Allow SSH password login is allowed. Now that I can use Public/Private keys to login, I will just disable it, but is there anything else to do ? (by the way, what is Enable SSH Brute Force Protection?)

Thanks

SSH Brute Force Protection limits the number of connection per minute a given IP can make to the SSH daemon. This prevents brute force attacks, when someone would repeatedly connect to ssh, and try random passwords in hope of finding one that works.

In your case disabling password authentication might be a good idea indeed. You will still get notifications of connection attempts, but at least you'll know that it will be nearly impossible for any of them to succeed.

Otherwise, the only option is to move ssh to a non-standard port (like 1222 - use something higher than 1024 to avoid potential conflicts), and adjust your whole backup mechanism accordingly.
 
Last edited:
[...]In your case disabling password authentication might be a good idea indeed. You will still get notifications of connection attempts, but at least you'll know that it will be nearly impossible for any of them to succeed.[...]
As soon as I disable Allow SSH password login , I'm unable to even ssh connect from the other machine (either with or without password).
When I re-enable it, after rebooting the partner, then I can again connect and login without password. Strange, isn't ? Could it be a bug, or 2 bad observations ?

GH
 
Last edited:
As soon as I disable Allow SSH password login , I'm unable to even ssh connect to the other machine (either with or without password).
When I re-enable it, after rebooting the partner, then I can again connect and login without password. Strange, isn't ? Could it be a bug, or 2 bad observations ?

GH

I'd have to re-test it, I'm not at home right now to do so. But normally you should still be able to connect using your keys.
 
I'd have to re-test it, I'm not at home right now to do so. But normally you should still be able to connect using your keys.

It ends on a:
Code:
Admin@1080-Router:/jffs/scripts# ssh -i /jffs/dropbear/dropbear_rsa_host_key [email]admin@xxxxx.asuscomm.com[/email]
ssh: Exited: Error connecting: Connection timed out
 
Is there any good reason for anybody from China to access your server?

If not, I believe there is a package that will block unfriendly countries. Or at least people with IP addresses in unfriendly countries.

You might want to edit the list, as I noticed that Australia was one of the unfriendly countries....

I think there are a couple of different packages.

Don't know much about it, just came across it reading through optware packages.

It's something I should do on my VPS.
 
Is there any good reason for anybody from China to access your server?
If not, I believe there is a package that will block unfriendly countries. Or at least people with IP addresses in unfriendly countries.
You might want to edit the list, as I noticed that Australia was one of the unfriendly countries....
I think there are a couple of different packages.
Don't know much about it, just came across it reading through optware packages.
It's something I should do on my VPS.

It's always a good thing to start looking at our log files...
In this specific case it seems to come from China, but this is irrelevant. Based on what I read, some techno-friends, from anywhere, find on internet a program to make brute attacks and plays with it to start new bases to start other brute attacks, and so on.

In my case, as suggested by RMerlin, I also changed my ssh port number to make the router more difficult to attack. To confuse the attacker, I switched the position of the 2 numbers of the standard ssh port number. Therefore it's now 22.

GH ;-)
 
I always user a random port number for SSH. I only want the more sophisticated hackers. ;)
 
It ends on a:
Code:
Admin@1080-Router:/jffs/scripts# ssh -i /jffs/dropbear/dropbear_rsa_host_key [email]admin@xxxxx.asuscomm.com[/email]
ssh: Exited: Error connecting: Connection timed out

Check if it's not an issue with your DDNS. I tested it here, and it worked fine for me - I was able to connect using my key from both a LAN and a WAN machine.
 
Check if it's not an issue with your DDNS. I tested it here, and it worked fine for me - I was able to connect using my key from both a LAN and a WAN machine.

I don't know what to say other than, ... as usual you are right (the point where we can read "Remote closed the connection" is when password login password was turned off on the remote):
Code:
ASUSWRT-Merlin RT-AC56U_3.0.0.4 Sat Nov  8 02:23:13 UTC 2014
xxxx@RT-AC56U:/tmp/home/root# exit
Admin@1080-Router:/tmp/home/root# ssh -p xxxx -i /jffs/dropbear/dropbear_rsa_host_key xxxx@xxxx.asuscomm.com


ASUSWRT-Merlin RT-AC56U_3.0.0.4 Sat Nov  8 02:23:13 UTC 2014
admin@RT-AC56U:/tmp/home/root# 
ssh: Connection to xxxx@xxxx.asuscomm.com:xxxxx exited: Remote closed the connection
Admin@1080-Router:/tmp/home/root# ssh -p xxxx -i /jffs/dropbear/dropbear_rsa_host_key xxxx@xxxx.asuscomm.com


ASUSWRT-Merlin RT-AC56U_3.0.0.4 Sat Nov  8 02:23:13 UTC 2014
xxxx@RT-AC56U:/tmp/home/root# exit
Admin@1080-Router:/tmp/home/root# ssh -p xxxx -i /jffs/dropbear/dropbear_rsa_host_key xxxx@xxxx.asuscomm.com


ASUSWRT-Merlin RT-AC56U_3.0.0.4 Sat Nov  8 02:23:13 UTC 2014
xxxx@RT-AC56U:/tmp/home/root#

That said, I don't know what else could affect the result. I think that the DDNS was ok because I tried the process on 2 cycles, always with the same URL. The only thing I could add about yesterday's tests is that after turning OFF the password login on the remote, noticed that it was then impossible to login the remote, with or without password, just re-enabling the login password on the remote was not enough to make the connection possible, with or without passord. I had to reboot the remote.

Anyways, it works. Thanks.
 
Is fail2ban an option for the Asuswrt-merlin builds?

requires python, but otherwise... could be useful for many things, not just SSH
 
[...]In this specific case it seems to come from China, but this is irrelevant. Based on what I read, some techno-friends, from anywhere, find on internet a program to make brute attacks and plays with it to start new bases to start other brute attacks, and so on.[...]
The "readings" were from that site: http://www.websworld.org/?explain=yes&numat=72
 
Is fail2ban an option for the Asuswrt-merlin builds?

requires python, but otherwise... could be useful for many things, not just SSH

Considering how bloated python is, I wouldn't run anything based on Python on a router when the same thing could be done more efficiently with a plain sh script.
 
@Merlin: Do you have a link to an sh script that would substitute for fail2ban?
 
@Merlin: Do you have a link to an sh script that would substitute for fail2ban?

None for a router. For my servers, I use CSF.
 
may i install this CSF to asus router with your firmware? i realy looking some script for blocking IP ranges to my router?

No. You will need a customized solution, as a router's firewall is far too different from a standard Linux distro firewall.
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Top