Novice user unsure of what to do about an issue, any advice welcomed.

Skeptical.me

Very Senior Member
Hi,

ASUS RT-AC87U WRT-Merlin 384.5

These "attacks" keep happening, I don't really know what they are trying to accomplish, and I have no idea what to do about it. Please see the images. Any advice from people who understand this stuff is welcomed. Thanks for your time :)

vmfms5s.jpg


These are my security settings in the router ...

2otYSZT.png
 
These are records of blocks made. It is really just saying "look what I caught so far."
 
Just make sure of two things. Do not expose the SSH access to WAN or expose the web UI to WAN. These are no-nos. If you need help making sure this is so, just ask, my friend.
 
These are records of blocks made. It is really just saying "look what I caught so far."

Hey, thanks for replying.

I see, so it's the router saying I've caught and prevented these attacks. So I guess there's nothing much to worry about?
 
That's right; however, the posts on this thread are all great advice. Try to implement them in your configuration.
 
Just make sure of two things. Do not expose the SSH access to WAN or expose the web UI to WAN. These are no-nos. If you need help making sure this is so, just ask, my friend.

Thanks!

The Web UI is definitely not open to the WAN, no port forwarding or anything like that. The second picture shows that. I'll check the device the attacks are aimed at and see what's going on there. I don't think it's my QNAP NAS, and nothing in the NAS is exposed to the WAN, not even Plex.
 
If security is your main concern I would look towards installing Skynet and AB-Solution. You could also install Dnscrypt. Have a look at this stuff and use AMTM (asus-merlin terminal menu); it will help get you up and running. Again, ask for help if you need it.
 
Will do, thank you very much for the advice. I'll get on to it.
 
If you don’t have port forwarding rules set up, I’d suggest checking UPnP and if any ports were opened by it.

I’m unfamiliar with how AiProtection displays info, is that IP under Top Clients a local IP or your WAN IP?
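
One way to check the two points raised in this thread (SSH or web UI reachable from the WAN, and ports opened by UPnP) from the router's shell; this is an added example, not code from any poster or from Asuswrt-Merlin. It assumes UPnP forwards sit in a nat chain named VUPNP and that the WAN interface is eth0, flags only direct ACCEPT rules in INPUT, and runs against a constructed sample rule set.

```shell
#!/bin/sh
# Added example: list ports reachable from the WAN in iptables-save output.

# audit_rules WAN_IF   (reads iptables-save text on stdin)
audit_rules() {
    awk -v wan="$1" '
    # Value following option "opt" in the current rule, or "" if absent.
    function arg(opt,    i) {
        for (i = 1; i < NF; i++) if ($i == opt) return $(i + 1)
        return ""
    }
    # Forwards added by UPnP clients. The chain name VUPNP is an assumption.
    $1 == "-A" && $2 == "VUPNP" && arg("-j") == "DNAT" {
        printf "UPNP %s %s -> %s\n", arg("-p"), arg("--dport"), arg("--to-destination")
    }
    # Router services (SSH, web UI, ...) accepted from the WAN interface, or
    # from every interface because the rule names none.
    $1 == "-A" && $2 == "INPUT" && arg("-j") == "ACCEPT" && arg("--dport") != "" {
        inif = arg("-i")
        if (inif == "" || inif == wan)
            printf "WAN-INPUT %s %s\n", arg("-p"), arg("--dport")
    }'
}

# Constructed sample, not taken from the thread: br0 = LAN bridge, eth0 = WAN.
sample_rules() {
    cat <<'EOF'
*nat
:VUPNP - [0:0]
-A VUPNP -p tcp -m tcp --dport 32400 -j DNAT --to-destination 192.168.1.50:32400
-A VUPNP -p udp -m udp --dport 51413 -j DNAT --to-destination 192.168.1.60:51413
COMMIT
*filter
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
}

sample_rules | audit_rules eth0
```

On the router itself the live rules can be piped in with `iptables-save | audit_rules eth0`, replacing eth0 with the actual WAN interface; an empty result means no direct ACCEPT rule and no UPnP forward was found.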
 
It's the MAC Address of a client, I'm not sure which one, however. I'm going to look through all the MAC Addresses and see what it is. I've disabled UPnP in the router and NAS. I disable all things I don't really have a good understanding of, I try to be as cautious as possible about things I'm not well versed in. That's why I don't use port forwarding or access my LAN from the WAN because I want to have a good understanding of how best to do it securely, if you get what I mean. I'm learning slowly. It's enjoyable :)
 
Based on the exploits I think it is the MAC address on the WAN port. Be aware though that Trend Micro sees all your devices, and if they think there's something strange going on they will capture all data for analyzing (whole emails / screens, and they gather data on all devices attached to your router).
 
So can your ISP.

While I don’t like and don’t use AiProtection myself, there is no need for this kind of fear-mongering.
 
Based on the exploits I think it is the MAC address on the WAN port. Be aware though that Trend Micro sees all your devices, and if they think there's something strange going on they will capture all data for analyzing (whole emails / screens, and they gather data on all devices attached to your router).

I was actually wondering what their privacy policy is. I don't use Google products and services because of the personal data collection so this doesn't make me very happy. You can't escape it, can you?
 
You just have to stop using AiProtect and QoS.
 
So can your ISP.

While I don’t like and don’t use AiProtection myself, there is no need for this kind of fear-mongering.

I use ProtonVPN and AirVPN on my router as well as select devices. My ISP only sees the IP addresses of the VPN companies. I also configured Little Snitch as a Kill Switch on my iMac. In Australia the Government collects all of your meta-data and holds that in data centers for 2 years. I don't engage in nefarious activities online but that type of surveillance of an entire nation doesn't make me feel very comfortable.
 
You just have to stop using AiProtect and QoS.

Yeah, true. Is there any way I can analyze or get warned of attacks or intrusion attempts without those services?
 
I use ProtonVPN and AirVPN on my router as well as select devices.

Right, so you’re shifting your trust from ISP to VPN operators, which I guess depending on where you’re located it might make sense.

As for detecting attacks, you can set up your own with entware+snort or suricata, but the CPUs are severely underpowered for the task.

Asus/Broadcom/Trend Micro’s AiProtect would be more optimized in terms of speed, but whether it’s as useful, that’s up for debate.
 
so you’re shifting your trust from ISP to VPN operators

That's true, but I did my research and AirVPN and ProtonVPN seemed more trustworthy than the Australian Government :) But, yes, you're correct.

It sounds like I need to learn how to set up an old PC as a router. I looked at pfSense recently - when I get the time I might try and learn more about running it on an old PC with a network card, I'll see if I can do it. However, I like WRT-Merlin and ASUS routers, they're relatively easy to use.
 
