
Is this someone trying to connect to my router?


truoc

Regular Contributor
Title says it all. I went to add my brother's iPhone MAC address to the wireless MAC filtering part in my router and just happened to check the logs and I see this:

http://puu.sh/8EpfU.png

I'm running version 3.0.3.8-081 of Padavan's custom firmware on my Asus rt-n56u. Is this someone trying to connect to my router or am I reading that wrong? None of the devices I have in my house that are wireless have this MAC address nor do any other family member's that I have added to the filtering list as I just checked them all. Now I know that MAC address filtering isn't foolproof, but it looks like in this case that it may have kept someone out for right now since I don't see anything unusual on the client status page. Just want to make sure that I'm not going mad. Any other steps I can take to make my router even more secure other than WPA2 security (AES) with a good password and wireless MAC address filtering? Thanks.
 
Device is made by Samsung.
Smart phone most likely. Or TV. Yours?
To harm, the device would need your WPA password (which is in use, right?)
No guest SSID, right?

More stringent WiFi security not needed.

38-AA-3C (hex) SAMSUNG ELECTRO-MECHANICS
38AA3C (base 16) SAMSUNG ELECTRO-MECHANICS
314, Maetan3-Dong, Yeongtong-Gu
Suwon Gyunggi-Do 443-743
KOREA, REPUBLIC OF
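
The vendor lookup in the reply above can be scripted for a whole log. This is an added example, not part of the original posts: the log line format and the sample MAC addresses are constructed, and the one-entry vendor table comes from the registry record quoted above. It also checks the locally administered bit, which marks a software-chosen (randomized) address for which the vendor prefix means nothing.

```python
import re
from collections import Counter

# Single OUI entry taken from the registry record quoted in the thread.
OUI_TABLE = {"38AA3C": "SAMSUNG ELECTRO-MECHANICS"}

# Constructed log lines in a hypothetical format; real firmware logs will differ.
SAMPLE_LOG = """\
May  8 21:14:02 wlan: MAC filter denied 38:AA:3C:11:22:33
May  8 21:14:09 wlan: MAC filter denied 38-aa-3c-11-22-33
May  8 21:20:41 wlan: MAC filter denied DA:A1:19:00:00:01
May  8 21:25:00 wlan: associated 00:11:22:33:44:55
"""

MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\b")

def normalize(mac):
    """Return the MAC as 12 uppercase hex digits, without separators."""
    return re.sub(r"[:-]", "", mac).upper()

def classify(mac):
    """Describe what the first three octets say about the sender."""
    digits = normalize(mac)
    first_octet = int(digits[:2], 16)
    if first_octet & 0x01:
        return "multicast/group address (not a real client)"
    if first_octet & 0x02:
        # Locally administered bit set: the address was chosen in software
        # (for example a randomized MAC), so the prefix names no vendor.
        return "locally administered (randomized or spoofed)"
    return OUI_TABLE.get(digits[:6], "unknown vendor")

def triage(log_text, keyword="denied"):
    """Count denied attempts per MAC and attach a classification."""
    counts = Counter()
    for line in log_text.splitlines():
        if keyword not in line:
            continue
        m = MAC_RE.search(line)
        if m:
            counts[normalize(m.group(1))] += 1
    return {mac: (n, classify(mac)) for mac, n in counts.items()}

if __name__ == "__main__":
    for mac, (n, label) in triage(SAMPLE_LOG).items():
        print(f"{mac}  attempts={n}  {label}")
```

A vendor match is only a hint, since a client can present any MAC address it likes; the WPA2 passphrase remains the actual access control.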
 
Thanks for the info! Yeah have the WPA2 AES encryption enabled with a decent password. Guest SSID is disabled. The only thing Samsung in the house is 2 TVs, but they aren't smart TVs and don't have wireless capabilities. Family members own iPhones and I own a Windows Phone. That is odd. One question I do have is if someone tried to connect with a Samsung phone and they didn't have the right password would it still show up as a MAC filter denial? The reason I ask is because I have been having problems with Comcast and one of the techs that came asked for my router password so I gave it to him so he could test the speed on his phone. After he left I changed the password and enabled MAC filtering as well. He lives in the same neighborhood, but doesn't have the updated password that I changed. Could it possibly be him in the area trying to connect when he drives by or something? Thanks for your help.
 
Yes, I've had this happen as well, more than just occasionally. Did a "tracert" back to the IP address, and it's somewhere in Asia. Usually China. Nonetheless, not worried. I keep a strong password on my router and on my wireless (although someone in China isn't likely to try to crack my wireless *smile*), so nobody's breaking in here easily.
 
There's a constant barrage of failed attempts to connect on http, telnet, ssh, etc. Most come from China or Eastern Europe.
Many of these attempts are either intentional virus proliferators or, I think, lots of infected PCs/servers.

My router allows me to blacklist large address blocks, like most in those regions. This keeps the noise down.
 
How can they find you though? I thought if all the ports are blocked then you would be invisible to the outside world?

Have you used these tools to check vulnerability: https://www.grc.com
 
how do they find you?
My theory

Your ISP has a block of IP addresses known to the world. That's one way.

The other, which I experienced, is new DNS names. If you use a dynamic DNS service, you'll get a new DNS domain name. That change to the DNS servers propagates world-wide. I think it's a honey-pot for some nefarious people: Ah-ha! A newbie! Let's go see if we can penetrate the newbie!

I believe this happened in my job where I put a number of unattended sensors out, all on cellular modems. I put a DDNS client on so I could know their dynamic IP address. Soon, the inward attempts began. No damage could be done as I had all the ports locked down.

So I changed them all to static public IP. Cost $.
Virtually no more inbounds.

But, these are benign. If/when we pay for this unwanted traffic, there are some billing and legal issues.

LTE cellular does NOT give a modem a public IP address. Not so 3G cellular in the US. Your LTE modem gets a net 10 address - at least on Verizon (I'd never use AT&T). The double-NAT. So you cannot run a server this way. You can $$ pay for a static IP on LTE. Or you can pay to connect via the carrier's data center proxy/VPN.

Cable modems, DSL - I don't think are doing this yet.
 
Your tech's phone connected to it once, and it may still try whenever he drives by your house and the phone picks up your network.
 
Try, but the drive-by needs two things
1. Motive
2. WPA passcode. Not practical for a drive-by to crack WPA
 
This is on the WLAN - so likely a device that is attempting to connect.

Samsung's more recent smartphones do support WiFi Direct, so this is likely what you're seeing here.

As long as you're running WPA2 with a robust password, you're ok...
 