Repeated login attempts/hacking attack?


lamsao

Occasional Visitor
My router is getting a lot of login attempts in the last few days. Most of them originated from China, except this morning I saw one that came from Canada. Here is the log from System Log/General Log.

Nov 7 06:25:47 dropbear[6310]: Login attempt for nonexistent user from 122.225.97.115:4480
[Note: 122.225.97.115 originated from CHINANET-BACKBONE No.31, Jin-rong Street, CN]
Nov 7 06:25:48 dropbear[6309]: Login attempt for nonexistent user from 122.225.97.115:3693
Nov 7 06:25:48 dropbear[6309]: Exit before auth: Max auth tries reached - user 'is invalid' from 122.225.97.115:3693
Nov 7 06:25:48 dropbear[6311]: Login attempt for nonexistent user from 122.225.97.115:4811
Nov 7 06:25:48 dropbear[6310]: Login attempt for nonexistent user from 122.225.97.115:4480
Nov 7 06:25:48 dropbear[6310]: Exit before auth: Max auth tries reached - user 'is invalid' from 122.225.97.115:4480
Nov 7 06:25:49 dropbear[6312]: Child connection from 122.225.97.115:6222

..

Nov 7 09:01:09 dropbear[6897]: Login attempt for nonexistent user from 122.225.97.80:13319
[Note: 122.225.97.80 originated from CHINANET-BACKBONE No.31, Jin-rong Street, CN]
Nov 7 09:01:10 dropbear[6897]: Login attempt for nonexistent user from 122.225.97.80:13319
Nov 7 09:01:10 dropbear[6897]: Exit before auth: Max auth tries reached - user 'is invalid' from 122.225.97.80:13319
Nov 7 09:01:14 dropbear[6899]: Child connection from 122.225.97.80:19272
Nov 7 09:01:24 dropbear[6899]: Login attempt for nonexistent user from 122.225.97.80:19272
Nov 7 09:01:24 dropbear[6899]: Login attempt for nonexistent user from 122.225.97.80:19272
Nov 7 09:01:34 dropbear[6899]: Exit before auth: Error reading: Connection reset by peer
Nov 7 09:31:16 dropbear[7009]: Child connection from 184.107.18.250:41033
[Note: 184.107.18.250 originated from 20 Place Du Commerce, Montreal, QC, H3E-1Z6, Canada]
Nov 7 09:31:17 dropbear[7009]: Login attempt for nonexistent user from 184.107.18.250:41033
Nov 7 09:31:17 dropbear[7009]: Login attempt for nonexistent user from 184.107.18.250:41033

I have never checked the logs before, so I don't know if these attempts are "normal" hacking activity, or whether I should worry about them. Is there anything I can do to prevent them or strengthen my router's security? My router has some forwarded ports (FTP, SSH, and remote desktop ports). Any advice and comments are welcome and appreciated. BTW, my router is a T-Mobile brand Asus RT-AC68U.

Many thanks,
lamsao
 
The same thing happened to me. I turned off UPnP on the router and all features that allowed remote access from outside the network. China will hack anything. My guess is it's only students and wannabes, because anyone with real chops who wanted something of yours would be better at getting in.
 
All commonly used ports will be subject to continuous hacking attempts or port scans, particularly from China.

Just create a /jffs/scripts/firewall-start script as follows, but modify the IP addresses for your case.
Code:
#!/bin/sh

# firewall-start is run by the firmware after its own firewall rules are in place;
# log the invocation, with the argument the firmware passes (the WAN interface name).
logger -t "$(basename "$0")" "$1"

# Log and drop everything from these sources; replace them with the addresses
# that appear in your own log. logdrop is the firmware's existing log-and-drop chain.
iptables -I INPUT -s 14.17.35.181   -j logdrop
iptables -I INPUT -s 183.60.48.25   -j logdrop
iptables -I INPUT -s 198.20.64.0/18 -j logdrop

As you're forwarding some ports you might have to use the FORWARD chain rather than INPUT. If one doesn't work try the other.
 
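As an added example (not code from this thread), a small shell script that tallies dropbear authentication failures per source address in a syslog excerpt and prints the sources worth putting into a firewall-start block list like the one above. The sample log lines are constructed in the format quoted in the first post; the function names and the threshold are my own choices.

```shell
#!/bin/sh
# Added example, not from the thread: count dropbear failure events per source IP
# and turn the worst sources into the iptables lines used in firewall-start.
# Function names and the threshold are assumptions; only awk/sort are used so it
# also runs under BusyBox on the router.

# Constructed sample, modelled on the lines quoted in the first post.
sample_log() {
    cat <<'EOF'
Nov 7 06:25:47 dropbear[6310]: Login attempt for nonexistent user from 122.225.97.115:4480
Nov 7 06:25:48 dropbear[6309]: Login attempt for nonexistent user from 122.225.97.115:3693
Nov 7 06:25:48 dropbear[6309]: Exit before auth: Max auth tries reached - user 'is invalid' from 122.225.97.115:3693
Nov 7 06:25:48 dropbear[6311]: Login attempt for nonexistent user from 122.225.97.115:4811
Nov 7 06:25:49 dropbear[6312]: Child connection from 122.225.97.115:6222
Nov 7 09:01:09 dropbear[6897]: Login attempt for nonexistent user from 122.225.97.80:13319
Nov 7 09:01:10 dropbear[6897]: Exit before auth: Max auth tries reached - user 'is invalid' from 122.225.97.80:13319
Nov 7 09:31:16 dropbear[7009]: Child connection from 184.107.18.250:41033
Nov 7 09:31:17 dropbear[7009]: Login attempt for nonexistent user from 184.107.18.250:41033
Nov 7 09:31:34 dropbear[7009]: Exit before auth: Error reading: Connection reset by peer
EOF
}

# ssh_offenders THRESHOLD: read syslog on stdin, print "count ip" for every
# source with at least THRESHOLD failure events, most active first.
# Only the two failure messages count; "Child connection" is just a TCP accept.
ssh_offenders() {
    awk -v t="${1:-5}" '
        $4 ~ /^dropbear\[/ &&
        (/Login attempt for nonexistent user from/ || /Max auth tries reached/) {
            src = $NF                  # last field is ip:port
            sub(/:[0-9]+$/, "", src)   # strip the ephemeral source port
            n[src]++
        }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
    ' | sort -rn
}

# block_rules THRESHOLD: emit the iptables lines used in the firewall-start
# script above. They are printed, not executed, so you can review them first.
block_rules() {
    ssh_offenders "$1" | awk '{ print "iptables -I INPUT -s " $2 " -j logdrop" }'
}

# On the router (Asuswrt keeps its syslog at /tmp/syslog.log):
#   ssh_offenders 3 < /tmp/syslog.log
sample_log | block_rules 3
```

On this sample, only 122.225.97.115 reaches three failures; the "Connection reset by peer" line is ignored because it carries no source address.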
Those connection attempts are to Dropbear, the SSH server. Do not enable WAN access to SSH if you don't need it, or otherwise be prepared to face the constant logging of port scanners trying to get into your network through SSH.
 
Yeah, there should be no good reason to have SSH access to the WAN for the router for people to brute-force; lots of port scanners are looking to exploit anything possible. I usually get 50,000 or so per week.

 
Yeah, there should be no good reason to have SSH access to the WAN for the router for people to brute-force; lots of port scanners are looking to exploit anything possible. I usually get 50,000 or so per week.

What script/program are you using to handle that?
 
Yeah, there should be no good reason to have SSH access to the WAN for the router for people to brute-force; lots of port scanners are looking to exploit anything possible. I usually get 50,000 or so per week.



Have you taken down your server, or am I banned...... :rolleyes:
Octopus
 
Those connection attempts are to Dropbear, the SSH server. Do not enable WAN access to SSH if you don't need it, or otherwise be prepared to face the constant logging of port scanners trying to get into your network through SSH.

Thanks for reminding me it's the SSH server. For now I still need SSH access but will remember to disable it. BTW, do you think changing the SSH port to something else, like 40, would alleviate the attack?
 
Thanks for reminding me it's the SSH server. For now I still need SSH access but will remember to disable it. BTW, do you think changing the SSH port to something else, like 40, would alleviate the attack?

You could do that, or just enable the brute-force protection to slow down their attempts.

Another method to improve security is to disable password login, and use key-based authentication.
 
You could do that, or just enable the brute-force protection to slow down their attempts.

Another method to improve security is to disable password login, and use key-based authentication.

Key-based authentication sounds very attractive. I am not familiar with this so I need to read it up first. I'd appreciate it if you could recommend some pointers/links to how it may be done on Asus RT-AC68U router.
 
Key-based authentication sounds very attractive. I am not familiar with this so I need to read it up first. I'd appreciate it if you could recommend some pointers/links to how it may be done on Asus RT-AC68U router.

This guide for Tomato should be a good starting place:

http://tomatousb.org/forum/t-619135

Once you have pasted the key and tested that key-based login works, you can disable the password login option on the router's web UI.

You will still get occasional login attempts in your syslog, but at least you'll know that it'll be highly unlikely that anyone will ever succeed in getting in.
 
Thanks for reminding me it's the SSH server. For now I still need SSH access but will remember to disable it. BTW, do you think changing the SSH port to something else, like 40, would alleviate the attack?

Changed the SSH server port to something else and have not seen a single login attempt for 24 hrs. I am happy to be able to keep Chinese hackers off my router :)
 
Changed the SSH server port to something else and have not seen a single login attempt for 24 hrs. I am happy to be able to keep Chinese hackers off my router :)

What did you change it to?


:D:D:D


Sorry, just being silly.
 
Changed the SSH server port to something else and have not seen a single login attempt for 24 hrs. I am happy to be able to keep Chinese hackers off my router :)

Don't be so sure about hackers; maybe it's your neighbour connected to a Chinese VPN server. :)
 
Use a VPN

Just thinking that somebody's snooping around your network is really creepy. You'd better take a proactive approach to ensure your safety online. I guess you should use a VPN. You don't know why they're attempting to log in to your system, but you need to be prepared. If you want, you can take a look at bestvpnservicemag about the kind of VPN that suits your needs. My email was hacked before, and from then on I learned to use a VPN. Hope this helped. :)
 
^^ Not sure what this guy is selling but he is right about one thing.

I used to get these kinds of login events. I had ports forwarded for remote desktop, as well as WAN-accessible SSH and WAN GUI login.

Then I realized I did not have to have ANY of those ports open. Once connected from the WAN to OpenVPN, if it is configured correctly, you will be able to access all of these things as if you were locally connected. So you can still have access from the WAN; you just need to connect to your VPN to get local access to the resources.

So maybe setting up that VPN and closing the ports/WAN access is an option. It worked well for me.
 
^^ Not sure what this guy is selling but he is right about one thing.
It's an interesting point I suppose.

If you just want to stop people port-scanning you or trying to hack your router, you don't need to pay for a third-party VPN service. As you say, either turn off all access from the WAN, or, if you need remote access, use the built-in VPN server.

On the other hand, if you're worried that the NSA/GCHQ/Google/<insert local government here> are intercepting your traffic and spying on you, then encrypting it with a third-party VPN service might be a good idea. That's assuming that you trust the VPN company, and that the NSA/GCHQ etc. aren't already monitoring all the traffic through their backdoors at the company's datacentre.

Now where did I put my tinfoil hat. ;)
 
Hahaha... aren't all the 3rd party VPN providers NSA fronts anyway?
 
It's not China. I've been down every road with this subject, and it turns out someone brute-forced shell from the Jinrong Street location or China Telecom. They said it was an accident, but with the behavior of the Tesco robbery, I believe they mirrored their screens and broke in piggy-backing on the country itself, so to speak.
 