What's new

Security question...

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Carlos M.

Regular Contributor
Waching my systme log I found this:

Code:
Jan 25 09:33:55 dropbear[1562]: Child connection from 195.154.56.194:64967
Jan 25 09:33:56 dropbear[1562]: Login attempt for nonexistent user from 195.154.56.194:64967
Jan 25 09:33:56 dropbear[1562]: Login attempt for nonexistent user from 195.154.56.194:64967
Jan 25 09:33:57 dropbear[1562]: Exit before auth: Disconnect received
Jan 25 09:33:57 dropbear[1563]: Child connection from 195.154.56.194:50000
Jan 25 09:33:58 dropbear[1563]: Login attempt for nonexistent user from 195.154.56.194:50000
Jan 25 09:33:58 dropbear[1563]: Login attempt for nonexistent user from 195.154.56.194:50000
Jan 25 09:33:59 dropbear[1563]: Exit before auth: Disconnect received
Jan 25 09:33:59 dropbear[1564]: Child connection from 195.154.56.194:51193
Jan 25 09:34:00 dropbear[1564]: Login attempt for nonexistent user from 195.154.56.194:51193
Jan 25 09:34:00 dropbear[1564]: Login attempt for nonexistent user from 195.154.56.194:51193
Jan 25 09:34:00 dropbear[1564]: Exit before auth: Disconnect received
Jan 25 10:34:25 dropbear[1594]: Child connection from 212.129.0.138:64408
Jan 25 10:34:25 dropbear[1594]: Exit before auth: Exited normally
Jan 25 10:34:28 dropbear[1595]: Child connection from 212.129.0.138:49492
Jan 25 10:34:29 dropbear[1595]: Login attempt for nonexistent user from 212.129.0.138:49492
Jan 25 10:34:29 dropbear[1595]: Login attempt for nonexistent user from 212.129.0.138:49492
Jan 25 10:34:30 dropbear[1595]: Exit before auth: Disconnect received
Jan 25 10:37:12 dropbear[1599]: Child connection from 74.208.166.108:56866
Jan 25 10:37:12 dropbear[1599]: Exit before auth: Exited normally
Jan 25 10:38:32 dropbear[1600]: Child connection from 74.208.166.108:62456
Jan 25 10:38:34 dropbear[1600]: Login attempt for nonexistent user from 74.208.166.108:62456
Jan 25 10:38:34 dropbear[1600]: Login attempt for nonexistent user from 74.208.166.108:62456
Jan 25 10:38:35 dropbear[1600]: Exit before auth: Disconnect received

I have not security knowledge to identify if this is an attack from internet to my router.

I have hundreds from diferent public IP's during several hours.

:(

Thanks!!
 
Last edited:
Waching my systme log I found this:

Code:
Jan 25 09:33:55 dropbear[1562]: Child connection from 195.154.56.194:64967
Jan 25 09:33:56 dropbear[1562]: Login attempt for nonexistent user from 195.154.56.194:64967
Jan 25 09:33:56 dropbear[1562]: Login attempt for nonexistent user from 195.154.56.194:64967
Jan 25 09:33:57 dropbear[1562]: Exit before auth: Disconnect received
Jan 25 09:33:57 dropbear[1563]: Child connection from 195.154.56.194:50000
Jan 25 09:33:58 dropbear[1563]: Login attempt for nonexistent user from 195.154.56.194:50000
Jan 25 09:33:58 dropbear[1563]: Login attempt for nonexistent user from 195.154.56.194:50000
Jan 25 09:33:59 dropbear[1563]: Exit before auth: Disconnect received
Jan 25 09:33:59 dropbear[1564]: Child connection from 195.154.56.194:51193
Jan 25 09:34:00 dropbear[1564]: Login attempt for nonexistent user from 195.154.56.194:51193
Jan 25 09:34:00 dropbear[1564]: Login attempt for nonexistent user from 195.154.56.194:51193
Jan 25 09:34:00 dropbear[1564]: Exit before auth: Disconnect received
Jan 25 10:34:25 dropbear[1594]: Child connection from 212.129.0.138:64408
Jan 25 10:34:25 dropbear[1594]: Exit before auth: Exited normally
Jan 25 10:34:28 dropbear[1595]: Child connection from 212.129.0.138:49492
Jan 25 10:34:29 dropbear[1595]: Login attempt for nonexistent user from 212.129.0.138:49492
Jan 25 10:34:29 dropbear[1595]: Login attempt for nonexistent user from 212.129.0.138:49492
Jan 25 10:34:30 dropbear[1595]: Exit before auth: Disconnect received
Jan 25 10:37:12 dropbear[1599]: Child connection from 74.208.166.108:56866
Jan 25 10:37:12 dropbear[1599]: Exit before auth: Exited normally
Jan 25 10:38:32 dropbear[1600]: Child connection from 74.208.166.108:62456
Jan 25 10:38:34 dropbear[1600]: Login attempt for nonexistent user from 74.208.166.108:62456
Jan 25 10:38:34 dropbear[1600]: Login attempt for nonexistent user from 74.208.166.108:62456
Jan 25 10:38:35 dropbear[1600]: Exit before auth: Disconnect received

I have not security knowledge to identify if this an attack from internet to my router.

I have hundreds from diferent public IP's during several hours.

:(

Thanks!!

Looks like they are trying to access your PPTP server...I hope you have a very strong PPTP password!

Code:
iptables -I INPUT -s xxx.xxx.xxx.xxx -j logdrop

could be used to manually explicitly provide additional protection, or in the case that you truly do have 'hundreds' of different source I/Ps then you can use one of the IPSET based 'intelligent' scripts in this forum.

P.S. I assume you do have your firewall enabled?
 
Last edited:
Looks like they are trying to access your PPTP server...I hope you have a very strong PPTP password!

The message is from Dropbear, which means it's SSH they are trying to access here, not PPTP.

WAN access to SSH should be disabled if it isn't needed.
 
The message is from Dropbear, which means it's SSH they are trying to access here, not PPTP.

WAN access to SSH should be disabled if it isn't needed.

:oops: Indeed - Perhaps I should learn to read properly!
 
Hi, thanks for your support. I disabled the ssh from WAN and, of course, I've the firewall enabled.

Code:
Jan 25 17:05:21 dropbear[1832]: Child connection from 212.129.0.138:64980
Jan 25 17:05:23 dropbear[1832]: Login attempt for nonexistent user from 212.129.0.138:64980
Jan 25 17:05:23 dropbear[1832]: Login attempt for nonexistent user from 212.129.0.138:64980
Jan 25 17:05:24 dropbear[1832]: Exit before auth: Disconnect received
Jan 25 17:07:59 rc_service: httpd 1048:notify_rc restart_time;restart_httpd;restart_upnp
Jan 25 17:07:59 dropbear[241]: Early exit: Terminated by signal
Jan 25 17:07:59 kernel: klogd: exiting
Jan 25 17:07:59 syslogd exiting
Jan 25 17:07:59 syslogd started: BusyBox v1.20.2
Jan 25 17:07:59 kernel: klogd started: BusyBox v1.20.2 (2015-12-24 13:53:15 EST)
Jan 25 17:07:59 dropbear[1851]: Running in background
Jan 25 17:07:59 start_nat_rules: apply the nat_rules(/tmp/nat_rules_ppp0_eth0)!
Jan 25 17:08:00 hour monitor: daemon is starting
Jan 25 17:08:00 httpd: start httpd - SSL

No new entries untill now :)

By the way, I have enabled the "bruteforce protection" but... what about use the key instead of the password?
I don't need to keep the daemon working, at least, until I finish several remote modifications with the jffs partition and the WinSCP.

Eric, how can I determinate the potencial danger with the log messages?

I have some strange records with this content in other router:

Code:
Jan 25 17:44:53 kernel: br0: received tcn bpdu on port 1(vlan1)
Jan 25 17:44:53 kernel: br0: topology change detected, propagating
Jan 25 17:44:55 kernel: br0: received tcn bpdu on port 1(vlan1)
Jan 25 17:44:55 kernel: br0: topology change detected, propagating
Jan 25 17:44:57 kernel: br0: received tcn bpdu on port 1(vlan1)
Jan 25 17:44:57 kernel: br0: topology change detected, propagating
Jan 25 17:44:59 kernel: br0: received tcn bpdu on port 1(vlan1)
Jan 25 17:44:59 kernel: br0: topology change detected, propagating
Jan 25 17:45:01 kernel: br0: received tcn bpdu on port 1(vlan1)
Jan 25 17:45:01 kernel: br0: topology change detected, propagating
Jan 25 17:45:03 kernel: br0: received tcn bpdu on port 1(vlan1)
Jan 25 17:45:03 kernel: br0: topology change detected, propagating
Jan 25 17:45:05 kernel: br0: received tcn bpdu on port 1(vlan1)
Jan 25 17:45:05 kernel: br0: topology change detected, propagating
Jan 25 17:45:07 kernel: br0: received tcn bpdu on port 1(vlan1)
Jan 25 17:45:07 kernel: br0: topology change detected, propagating
Jan 25 17:45:09 kernel: br0: received tcn bpdu on port 1(vlan1)
Jan 25 17:45:09 kernel: br0: topology change detected, propagating
Jan 25 17:45:11 kernel: br0: received tcn bpdu on port 1(vlan1)
Jan 25 17:45:11 kernel: br0: topology change detected, propagating

Thanks again!!
 
Last edited:
I couldn't decide whether to jump in here on the back of Carlos' question or to start a new topic, but I noticed some interesting entries from my syslog, which I can't fully decipher:

Jan 25 13:05:29 openvpn[8049]: TCP connection established with [AF_INET]54.200.5.211:39526

Jan 25 13:05:29 openvpn[8049]: 54.200.5.211:39526 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1547 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]

Jan 25 13:05:29 openvpn[8049]: 54.200.5.211:39526 Connection reset, restarting [0]

Jan 25 13:05:29 openvpn[8049]: 54.200.5.211:39526 SIGUSR1[soft,connection-reset] received, client-instance restarting

Now, other than guessing that an IP address nominally registered to Amazon.com is trying to connect to one of the 2 OpenVPN servers** running on my RT-AC68U (378.55), is there anything else I should deduce from these entries? And, other than monitoring syslog (which I'm trying to get into the habit of), is there anything else I should be doing?

(I have public-key infrstructure as well as username/passwords set up on both OpenVPN servers and client devices.)

Thank you.

** I assume the server running on the standard port (1194).
 
Jan 25 13:05:29 openvpn[8049]: 54.200.5.211:39526 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1547 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Just the normal port scanning. The remote site opens your VPN port and just sends junk. http://www.snbforums.com/threads/is-this-an-attack-on-openvpn.18368/
 
Many thanks, Colin. I'm always thinking why didn't the poster search the forum first, and now I've done the same thing. On the other hand, that's a very interesting link you sent; another gem of expert knowledge now stored in Evernote. Thanks again, very slowly, even things like syslog are starting to make sense!
 
have not security knowledge to identify if this is an attack from internet to my router.

Dropbear == SSH server open to the WAN side according to your logs.. if you don't need SSH services to the outside world, turn it off...

These are scripts for the most part rattling door knobs - there was an OpenSSH (client side, actually) issue last week, and I've seen an uptick on SSH port scans above the average noise...
 
Dropbear == SSH server open to the WAN side according to your logs.. if you don't need SSH services to the outside world, turn it off...

These are scripts for the most part rattling door knobs - there was an OpenSSH (client side, actually) issue last week, and I've seen an uptick on SSH port scans above the average noise...
Thanks !!
 
Same issue as OP. I have however "Allow SSH access from WAN " set to "No", so I should not see such requests in my log? I have SSH enabled but not for WAN. I am running 380.57
 
Same issue as OP. I have however "Allow SSH access from WAN " set to "No", so I should not see such requests in my log? I have SSH enabled but not for WAN. I am running 380.57

Look at the IP address of the connection attempts, in case it's from something on your LAN. Also make sure you didn't disable the router's firewall, which opens it to the Internet (no firewall = nothing blocking ANY access).
 
Look at the IP address of the connection attempts, in case it's from something on your LAN. Also make sure you didn't disable the router's firewall, which opens it to the Internet (no firewall = nothing blocking ANY access).

No it is not. It is from Russia and China, example:

Mar 8 22:21:21 dropbear[6977]: Exit before auth: Disconnect received
Mar 8 22:21:22 dropbear[6978]: Child connection from 182.140.140.21:52798
Mar 8 22:21:25 dropbear[6978]: Login attempt for nonexistent user from 182.140.140.21:52798
Mar 8 22:21:25 dropbear[6978]: Exit before auth: Disconnect received
Mar 8 22:21:26 dropbear[6979]: Child connection from 182.140.140.21:53478
Mar 8 22:21:29 dropbear[6979]: Login attempt for nonexistent user from 182.140.140.21:53478
Mar 8 22:21:30 dropbear[6979]: Exit before auth: Disconnect received
Mar 8 22:21:42 dropbear[6980]: Child connection from 182.140.140.21:54188
Mar 8 22:21:47 dropbear[6980]: Exit before auth: Exited normally

The point is however that firewall is enabled and SSH WAN disabled (but SSH is enabled). So what is wrong?
 
No it is not. It is from Russia and China, example:

Mar 8 22:21:21 dropbear[6977]: Exit before auth: Disconnect received
Mar 8 22:21:22 dropbear[6978]: Child connection from 182.140.140.21:52798
Mar 8 22:21:25 dropbear[6978]: Login attempt for nonexistent user from 182.140.140.21:52798
Mar 8 22:21:25 dropbear[6978]: Exit before auth: Disconnect received
Mar 8 22:21:26 dropbear[6979]: Child connection from 182.140.140.21:53478
Mar 8 22:21:29 dropbear[6979]: Login attempt for nonexistent user from 182.140.140.21:53478
Mar 8 22:21:30 dropbear[6979]: Exit before auth: Disconnect received
Mar 8 22:21:42 dropbear[6980]: Child connection from 182.140.140.21:54188
Mar 8 22:21:47 dropbear[6980]: Exit before auth: Exited normally

The point is however that firewall is enabled and SSH WAN disabled (but SSH is enabled). So what is wrong?

You have some other way of having your WAN exposed. Could be a custom firewall script messing things up, or a VPN configuration opening your router to the world.
 
You have some other way of having your WAN exposed. Could be a custom firewall script messing things up, or a VPN configuration opening your router to the world.

Well, I have never had this problem before. There two things that has changed in the last two days:

1) Started using PPPoE with VLAN tagging
2) Firmware upgrade from 378.56_2 to 380.57

I have always used Astrill VPN applet before and it starts up automatically as well, but again, this has not been causing such issues before. I have no other custom scripts.
 
Well, I have never had this problem before. There two things that has changed in the last two days:

1) Started using PPPoE with VLAN tagging
2) Firmware upgrade from 378.56_2 to 380.57

I have always used Astrill VPN applet before and it starts up automatically as well, but again, this has not been causing such issues before. I have no other custom scripts.

All I can say is it's not something caused by the router firmware itself. Your VPN is the most likely culprit, as this is effectively a tunnel between your router and that tunnel provider, with no firewall in-between. Look on Astrill's end of things, the way they handle port forwarding/NAT might be configurable.
 
All I can say is it's not something caused by the router firmware itself. Your VPN is the most likely culprit, as this is effectively a tunnel between your router and that tunnel provider, with no firewall in-between. Look on Astrill's end of things, the way they handle port forwarding/NAT might be configurable.

It looks like my Astrill's VPN IP is exposed. I am using private IP. Despite having Admin / system web interface WAN access disabled, I can access it from WAN. Question is how to make Astrill VPN working together with firewall? So it can be treated as a WAN and not LAN.
 
Bringing this up, @RMerlin is it possible to setup VPN in conjunction with router's firewall?

Anything is possible firewall-wise if you start creating iptables rules yourself. I can't give you any real pointers because it depends in large part on how your tunnel providers works. There's also a chance that the tunnel provider also provides you with configurable NAT/rules. You will have to check with them.
 
...as this is effectively a tunnel between your router and that tunnel provider, with no firewall in-between...
Merlin, if we have the VPN Client running at the router to VPN our entire LAN, does this mean that our entire LAN has no firewalling happening at the router and is dependent on our VPN providers firewall?
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Staff online

Top