
spammer?

blastboy

Occasional Visitor
Code:
Apr 15 10:45:29 dropbear[27081]: Login attempt for nonexistent user from 123.30.182.178:45189
Apr 15 10:45:30 dropbear[27081]: Exit before auth: Disconnect received
Apr 15 10:45:34 dropbear[27082]: Child connection from 123.30.182.178:45832
Apr 15 10:45:36 dropbear[27082]: Login attempt for nonexistent user from 123.30.182.178:45832
Apr 15 10:45:36 dropbear[27082]: Exit before auth: Disconnect received
Apr 15 10:45:37 dropbear[27085]: Child connection from 123.30.182.178:47145
Apr 15 10:45:39 dropbear[27085]: Login attempt for nonexistent user from 123.30.182.178:47145
Apr 15 10:45:40 dropbear[27085]: Exit before auth: Disconnect received
Apr 15 10:45:40 dropbear[27086]: Child connection from 123.30.182.178:47853
Apr 15 10:45:42 dropbear[27086]: Login attempt for nonexistent user from 123.30.182.178:47853
Apr 15 10:45:43 dropbear[27086]: Exit before auth: Disconnect received
Apr 15 10:45:43 dropbear[27088]: Child connection from 123.30.182.178:48471
Apr 15 10:45:45 dropbear[27088]: Login attempt for nonexistent user from 123.30.182.178:48471
Apr 15 10:45:46 dropbear[27088]: Exit before auth: Disconnect received
Apr 15 10:45:46 dropbear[27090]: Child connection from 123.30.182.178:49164
Apr 15 10:45:49 dropbear[27090]: Login attempt for nonexistent user from 123.30.182.178:49164
Apr 15 10:45:49 dropbear[27090]: Exit before auth: Disconnect received
Apr 15 10:45:50 dropbear[27091]: Child connection from 123.30.182.178:49815
Apr 15 10:45:52 dropbear[27091]: Login attempt for nonexistent user from 123.30.182.178:49815
Apr 15 10:45:53 dropbear[27091]: Exit before auth: Disconnect received
Apr 15 10:45:53 dropbear[27092]: Child connection from 123.30.182.178:50564
Apr 15 10:45:55 dropbear[27092]: Login attempt for nonexistent user from 123.30.182.178:50564
Apr 15 10:45:56 dropbear[27092]: Exit before auth: Disconnect received
Apr 15 10:45:59 dropbear[27094]: Child connection from 123.30.182.178:51187
Apr 15 10:46:06 dropbear[27094]: Exit before auth: Exited normally

How can I block this kind of action?
The log was a lot longer, starting from Apr 15 04:16:41.

thanks in advance
 
Is ssh from WAN enabled?
That is a typical login attempt I see on my production servers daily.
These are usually automated queries from hackers.
 
Disable SSH access from outside (WAN), use SSH keys, and enable brute-force protection.
 
If SSH from WAN is enabled and you need it, either change the port or enable "Enable SSH Brute Force Protection".
This is coming from static.vdc.vn, VietNam Data Communication Company
 

More than likely it's just a botnet scanning IP ranges for open ports etc. to try to create other zombies. I get thousands of these every day, so I created some custom firewall rules to permanently block them.

Apr 15 09:00:02 Firewall: [Complete] 14080 IPs currently banned. 435 New IP's Banned.
 
As only key login is permitted on my servers, I don't even bother to block them. Who cares if they try to log in, they won't be able to anyway.
BTW, did you put in an iptables rule?
 

I still like to permanently ban the IPs, so on the odd chance they do find an attack vector they won't have an opportunity to exploit it.

http://198.23.248.102/AC68U/firewall.sh

Anyone feel free to use the script I wrote to automate banning/whitelisting IPs using IPSet (it can ban hundreds of thousands of IPs without any performance degradation).

##############################
#####Commands / Variables#####
##############################
UNBANSINGLE="unban" # <-- Remove Single IP From Blacklist
UNBANALL="unbanall" # <-- Unbans All IPs In Blacklist
REMOVEBANS="removeall" # <-- Remove All Entries From Blacklist
SAVEIPSET="save" # <-- Save Blacklists to /opt/tmp/ipset.txt
BANSINGLE="ban" # <-- Adds Entry To Blacklist
BANCOUNTRYSINGLE="country" # <-- Adds entire country to blacklist
BANCOUNTRYLIST="bancountry" # <-- Bans specified countries in this file
WHITELIST="whitelist" # <-- Add IPs from path to Whitelist
HIDEMYASS="hideme" # <-- Switch to unrestricted DNS (tunlr.net) Broken
FINDMYASS="findme" # <-- Switch to Bigpond DNS (Default)
BACKUPRULES="backup" # <-- Backup IPSet Rules to /opt/tmp/ipset2.txt / Checks for firmware updates
##############################
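As an added example (not the script linked above, nor anything from the router firmware), here is a small POSIX shell helper that does the detection half of what this thread is about: it tallies dropbear's failed-auth lines per source address and emits the ipset/iptables commands that would ban the repeat offenders, as a dry run that only prints them. The sample log lines are constructed after the ones posted by blastboy; the set name "blacklist", the threshold of 3 and the ipset v6 command syntax are assumptions.

```shell
#!/bin/sh
# Constructed sample of dropbear syslog lines, modelled on the ones in the thread.
SAMPLE_LOG='Apr 15 10:45:29 dropbear[27081]: Login attempt for nonexistent user from 123.30.182.178:45189
Apr 15 10:45:30 dropbear[27081]: Exit before auth: Disconnect received
Apr 15 10:45:34 dropbear[27082]: Child connection from 123.30.182.178:45832
Apr 15 10:45:36 dropbear[27082]: Login attempt for nonexistent user from 123.30.182.178:45832
Apr 15 10:45:39 dropbear[27085]: Login attempt for nonexistent user from 123.30.182.178:47145
Apr 15 10:45:42 dropbear[27086]: Login attempt for nonexistent user from 123.30.182.178:47853
Apr 15 10:47:01 dropbear[27100]: Child connection from 192.0.2.10:50000
Apr 15 10:47:02 dropbear[27100]: Login attempt for nonexistent user from 192.0.2.10:50000
Apr 15 10:47:03 dropbear[27100]: Exit before auth: Disconnect received
Apr 15 10:48:10 dropbear[27101]: Child connection from 192.0.2.50:50100
Apr 15 10:48:12 dropbear[27101]: Exit before auth: Exited normally'

# find_offenders LOG [THRESHOLD]
# Prints "count ip" for every source address with at least THRESHOLD
# (default 3) failed-auth lines ("nonexistent user" or "Bad password attempt").
# The :port suffix is stripped so all connections from one host count together.
find_offenders() {
    printf '%s\n' "$1" | awk -v thr="${2:-3}" '
        /Login attempt for nonexistent user from/ || /Bad password attempt for/ {
            ip = $NF; sub(/:[0-9]+$/, "", ip); n[ip]++
        }
        END { for (ip in n) if (n[ip] >= thr) print n[ip], ip }
    ' | sort -rn
}

# emit_ban_commands LOG [THRESHOLD]
# Dry run: prints the commands that would ban the offenders. Set name
# "blacklist" and ipset v6 syntax are assumptions; the INPUT rule belongs in
# firewall-start so it is inserted once, not on every run.
emit_ban_commands() {
    printf 'ipset create blacklist hash:ip -exist\n'
    printf 'iptables -I INPUT -m set --match-set blacklist src -j DROP\n'
    find_offenders "$1" "$2" | while read -r count ip; do
        printf 'ipset add blacklist %s -exist  # %s failed attempts\n' "$ip" "$count"
    done
}

emit_ban_commands "$SAMPLE_LOG" 3
```

Pipe the real syslog into it instead of the sample (for example `find_offenders "$(cat /tmp/syslog.log)" 5`) and raise the threshold to taste; a single "nonexistent user" line from an address you recognise is not worth a permanent ban.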
 
Bigpond! I've lived three years Down Under; it was still dial-up time then.
Thanks for the script. I have seen others doing the same.
Let's see if I can adapt it to my most-hit server and see what happens.
 

Thank god for HFC, even that is dodgy most of the time.

Also, the script should work on any AC68* router; usage is fairly simple, and there is a description at the top of the file of what each function does.

http://198.23.248.102/AC68U/firewall.sh > /opt/bin/firewall
http://198.23.248.102/AC68U/firewall-start.sh > /jffs/scripts/firewall-start

Chmod both files so they can be executed (chmod +x /file/location).

If done correctly it should configure the firewall rules on startup; to confirm, look at the syslog. After doing so, command usage is as simple as "firewall *commandhere*" in SSH :cool:
 
