Security Issue AC87

[Sky]

I caught this bit of data in my log. The ip's trace to known bad actors, but this is a new twist tapping high ports, etc. I've seen the bot scans for PPTP b ut this is different than normal, perhaps OpenVPN scans? I don't know, can someone take a look at this? I can send the log in full if needed.

Oct 29 07:59:49 vpnserver1[1095]: 192.241.201.221:34728 TLS: Initial packet from [AF_INET]192.241.201.221:34728 (via [AF_INET]98.36.240.130%eth0), sid=01000000 00000000​

Oct 29 07:59:49 vpnserver1[1095]: 192.241.201.221:34728 TLS Error: reading acknowledgement record from packet​

Oct 29 08:00:49 vpnserver1[1095]: 192.241.201.221:34728 [UNDEF] Inactivity timeout (--ping-restart), restarting​

Oct 29 08:00:49 vpnserver1[1095]: 192.241.201.221:34728 SIGUSR1[soft,ping-restart] received, client-instance restarting​

Oct 29 13:43:28 vpnserver1[1095]: 185.200.118.71:45378 TLS: Initial packet from [AF_INET]185.200.118.71:45378 (via [AF_INET]98.36.240.130%eth0), sid=12121212 12121212​

Oct 29 13:44:28 vpnserver1[1095]: 185.200.118.71:45378 [UNDEF] Inactivity timeout (--ping-restart), restarting​

Oct 29 13:44:28 vpnserver1[1095]: 185.200.118.71:45378 SIGUSR1[soft,ping-restart] received, client-instance restarting​

Oct 29 14:39:48 vpnserver1[1095]: 167.94.138.22:30734 TLS: Initial packet from [AF_INET]167.94.138.22:30734 (via [AF_INET]98.36.240.130%eth0), sid=4d658221 07fcfd52​

Oct 29 14:40:03 vpnserver1[1095]: 167.94.138.60:46245 TLS: Initial packet from [AF_INET]167.94.138.60:46245 (via [AF_INET]98.36.240.130%eth0), sid=f87caac7 6749fcd0​

Oct 29 14:40:48 vpnserver1[1095]: 167.94.138.22:30734 [UNDEF] Inactivity timeout (--ping-restart), restarting​

Oct 29 14:40:48 vpnserver1[1095]: 167.94.138.22:30734 SIGUSR1[soft,ping-restart] received, client-instance restarting​

Oct 29 14:41:03 vpnserver1[1095]: 167.94.138.60:46245 [UNDEF] Inactivity timeout (--ping-restart), restarting​

Oct 29 14:41:03 vpnserver1[1095]: 167.94.138.60:46245 SIGUSR1[soft,ping-restart] received, client-instance restarting​

Thanks,
Sky

 

[ColinTaylor]

Looks like normal port scanners to me (although as you say they don't normally bother with high ports).

Interestingly the 167.94.x.y addresses are from censys.io. I noticed that since only a couple of days ago they've been aggressively scanning all ports on my router, even the high ports. That's new. I've now blocked them.

Censys

 

[Justinh]

I've now blocked them.

How do you block the addresses? Can it be done with AsusWRT?

 

[ColinTaylor]

How do you block the addresses? Can it be done with AsusWRT?

No you need a custom firmware like Merlin.

 

[Sky]

Looks like normal port scanners to me (although as you say they don't normally bother with high ports).

Interestingly the 167.94.x.y addresses are from censys.io. I noticed that since only a couple of days ago they've been aggressively scanning all ports on my router, even the high ports. That's new. I've now blocked them.

Censys

Sorry to be so late — forgot to say "Thanks!"