My router has been getting a lot of login attempts in the last few days. Most of them originated from China, except this morning I saw one that came from Canada. Here is the log from System Log/General Log.
Nov 7 06:25:47 dropbear[6310]: Login attempt for nonexistent user from 122.225.97.115:4480
[Note: 122.225.97.115 originates from CHINANET-BACKBONE No.31,Jin-rong Street,CN]
Nov 7 06:25:48 dropbear[6309]: Login attempt for nonexistent user from 122.225.97.115:3693
Nov 7 06:25:48 dropbear[6309]: Exit before auth: Max auth tries reached - user 'is invalid' from 122.225.97.115:3693
Nov 7 06:25:48 dropbear[6311]: Login attempt for nonexistent user from 122.225.97.115:4811
Nov 7 06:25:48 dropbear[6310]: Login attempt for nonexistent user from 122.225.97.115:4480
Nov 7 06:25:48 dropbear[6310]: Exit before auth: Max auth tries reached - user 'is invalid' from 122.225.97.115:4480
Nov 7 06:25:49 dropbear[6312]: Child connection from 122.225.97.115:6222
..
Nov 7 09:01:09 dropbear[6897]: Login attempt for nonexistent user from 122.225.97.80:13319
[Note: 122.225.97.80 originates from CHINANET-BACKBONE No.31,Jin-rong Street,CN]
Nov 7 09:01:10 dropbear[6897]: Login attempt for nonexistent user from 122.225.97.80:13319
Nov 7 09:01:10 dropbear[6897]: Exit before auth: Max auth tries reached - user 'is invalid' from 122.225.97.80:13319
Nov 7 09:01:14 dropbear[6899]: Child connection from 122.225.97.80:19272
Nov 7 09:01:24 dropbear[6899]: Login attempt for nonexistent user from 122.225.97.80:19272
Nov 7 09:01:24 dropbear[6899]: Login attempt for nonexistent user from 122.225.97.80:19272
Nov 7 09:01:34 dropbear[6899]: Exit before auth: Error reading: Connection reset by peer
Nov 7 09:31:16 dropbear[7009]: Child connection from 184.107.18.250:41033
[Note: 184.107.18.250 originates from 20 Place Du Commerce, Montreal, QC, H3E-1Z6, Canada]
Nov 7 09:31:17 dropbear[7009]: Login attempt for nonexistent user from 184.107.18.250:41033
Nov 7 09:31:17 dropbear[7009]: Login attempt for nonexistent user from 184.107.18.250:41033
I have never checked the logs before, so I don't know if these attempts are "normal" hacking activity. Or should I worry about them? Is there anything I can do to prevent them or strengthen my router's security? My router has some forwarding ports (FTP, SSH, and remote desktop ports). Any advice and comments are welcome and appreciated. BTW, my router is a T-Mobile brand Asus RT-AC68U.
Many thanks,
lamsao
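Added example, not part of the original post: a small Python script that groups dropbear log lines like the ones above by source IP, so repeated failed logins from one address stand out. The function names and the threshold are assumptions made for this illustration; the sample input is a subset of the lines quoted in the post.

```python
import re
from collections import defaultdict

# Sample input: a few of the dropbear lines quoted in the post, including one
# [Note: ...] annotation and one line that carries no peer address.
SAMPLE_LOG = """\
Nov 7 06:25:47 dropbear[6310]: Login attempt for nonexistent user from 122.225.97.115:4480
[Note: 122.225.97.115 is originated CHINANET-BACKBONE No.31,Jin-rong Street,CN]
Nov 7 06:25:48 dropbear[6309]: Login attempt for nonexistent user from 122.225.97.115:3693
Nov 7 06:25:48 dropbear[6309]: Exit before auth: Max auth tries reached - user 'is invalid' from 122.225.97.115:3693
Nov 7 09:01:14 dropbear[6899]: Child connection from 122.225.97.80:19272
Nov 7 09:01:24 dropbear[6899]: Login attempt for nonexistent user from 122.225.97.80:19272
Nov 7 09:01:34 dropbear[6899]: Exit before auth: Error reading: Connection reset by peer
Nov 7 09:31:17 dropbear[7009]: Login attempt for nonexistent user from 184.107.18.250:41033
Nov 7 09:31:17 dropbear[7009]: Login attempt for nonexistent user from 184.107.18.250:41033
"""

LINE_RE = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+dropbear\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$")
PEER_RE = re.compile(r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+\s*$")


def summarize(log_text):
    """Per source IP: distinct sessions, failed logins, exits before auth."""
    raw = defaultdict(lambda: {"pids": set(), "failed": 0, "exits": 0})
    pid_to_ip = {}  # lets address-less lines be attributed via the dropbear PID
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # annotations, "..", lines from other daemons
        pid, msg = m["pid"], m["msg"]
        peer = PEER_RE.search(msg)
        if peer:
            pid_to_ip[pid] = peer["ip"]
        ip = pid_to_ip.get(pid)
        if ip is None:
            continue  # no address seen for this PID yet
        raw[ip]["pids"].add(pid)
        if msg.startswith("Login attempt for nonexistent user"):
            raw[ip]["failed"] += 1
        elif msg.startswith("Exit before auth"):
            raw[ip]["exits"] += 1
    return {ip: {"sessions": len(s["pids"]), "failed": s["failed"],
                 "exit_before_auth": s["exits"]} for ip, s in raw.items()}


def noisy_sources(summary, min_failed=2):
    """IPs with at least min_failed failed logins, most failures first."""
    hits = [ip for ip, s in summary.items() if s["failed"] >= min_failed]
    return sorted(hits, key=lambda ip: (-summary[ip]["failed"], ip))
```

Sessions are counted by dropbear PID, which assumes PIDs are not reused within the log window being examined.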