Was my router owned?

No, I did not use the default password. I used a randomly generated 8-symbol password, one that I thought was secure. Anyway, changing the password to a new one did indeed put a bandage on it. And SSH is no longer exposed to the WAN. But there are still attempts.
Code:
Mar  4 04:46:37 dropbear[29942]: Bad password attempt for 'admin' from 27.72.233.207:39365
Mar  4 04:46:40 dropbear[29942]: Exit before auth (user 'admin', 1 fails): Exited normally
Mar  4 05:54:30 dropbear[1347]: Bad password attempt for 'admin' from 188.72.166.216:44423
Mar  4 05:54:36 dropbear[1347]: Exit before auth (user 'admin', 1 fails): Exited normally


You've confirmed that your password was something other than the default password, but you haven't answered Colin's question: "Did you have "Web Access from WAN" enabled?"
https://www.snbforums.com/threads/was-my-router-owned.37860/#post-311497

It's quite important we know: if the answer's yes, people will be relieved, and if no, there will be concern.

Oh sorry, yes, web access via WAN was open, and I read in the other thread that that was most likely the weakness.
 
Thanks for confirming that access from WAN was enabled. That reinforces the current theory that they get in via a flaw in the web server.
> And SSH is no longer exposed to the WAN. But there are still attempts.
> Code:
> Mar  4 04:46:37 dropbear[29942]: Bad password attempt for 'admin' from 27.72.233.207:39365
> Mar  4 04:46:40 dropbear[29942]: Exit before auth (user 'admin', 1 fails): Exited normally
> Mar  4 05:54:30 dropbear[1347]: Bad password attempt for 'admin' from 188.72.166.216:44423
> Mar  4 05:54:36 dropbear[1347]: Exit before auth (user 'admin', 1 fails): Exited normally

This attack sets up a second SSH server, so that's probably still running. It's interesting (sort of) that the other devices in the botnet are still trying to connect to you using your previous password.

P.S. What firmware version are you running? There were some security fixes in the recent versions. It would be useful to know whether they mitigate against this attack.
 
Until recently I was running an ancient firmware because I did not realize the update was not happening, because I had not done the intermediate CFE upgrade. Then I directly patched to 380.65 but without a factory reset. My laziness serves me right...
Then it's a timely reminder to the rest of us against complacency.
 
Change the default username and use puttygen to generate a public key. I think it can solve the problem. Or just disable WAN access to SSH.
 
Yeah, I did all those things:
Factory reset -> re-flash -> reset again -> closed previous vulnerabilities
 
I need to have my SSH port exposed, but I changed the default port and use pubkey authentication. Attempts are much less frequent, and never succeed (I keep tabs on attempts).

Edit: Sorry I just noticed @Heighast59 already mentioned this

Have you tried moving the ssh port from 22 to an obscure, uncommon port number? Of course, it won't stop someone prepared to spend 30 mins or so scanning all your ports, but it would beat someone looking only for a target of opportunity on port 22.

I used to have my ssh port open (on an obscure port) until I was talked out of doing so:
https://www.snbforums.com/threads/w...can-login-my-router-easily.36564/#post-298721
 
Very cool. I do the same thing too, except I have disabled password authentication completely. I too scan syslog (I have a script monitor it) and have it add to my custom blocklist. In addition I have SSHBFP in iptables (enabled from the web GUI).
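The syslog-scanning idea above, as an added example that is not the poster's script and not part of the original thread: a small POSIX sh function that pulls the source address out of dropbear's "Bad password attempt" lines (the same format shown in the posted log) and prints the addresses that cross a failure threshold, which is the list you would hand to a custom blocklist. It assumes only grep, sed, sort, uniq, awk and mktemp, as found in BusyBox on Asuswrt-Merlin routers; the sample log is constructed here, with 203.0.113.9 being a documentation address added to show the threshold in action.

```shell
#!/bin/sh
# Added example (not from the thread): summarise dropbear "Bad password attempt"
# lines from a syslog file and print the source IPs that reach a threshold,
# as input for a custom blocklist. Assumes BusyBox-style grep/sed/sort/uniq/awk.

# dropbear_offenders LOGFILE [THRESHOLD]
# Prints "count ip" for every IP with at least THRESHOLD (default 3) bad
# password attempts, one per line, sorted by IP string.
dropbear_offenders() {
    logfile="$1"
    threshold="${2:-3}"
    grep 'dropbear\[[0-9]*\]: Bad password attempt' "$logfile" \
      | sed -n 's/.* from \([0-9.]*\):[0-9]*$/\1/p' \
      | sort | uniq -c \
      | awk -v t="$threshold" '$1 >= t { print $1, $2 }'
}

# Constructed sample log: the first four lines are the format posted in the
# thread; the 203.0.113.9 lines are a documentation address added to show the
# threshold (three failures) being crossed.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
Mar  4 04:46:37 dropbear[29942]: Bad password attempt for 'admin' from 27.72.233.207:39365
Mar  4 04:46:40 dropbear[29942]: Exit before auth (user 'admin', 1 fails): Exited normally
Mar  4 05:54:30 dropbear[1347]: Bad password attempt for 'admin' from 188.72.166.216:44423
Mar  4 05:54:36 dropbear[1347]: Exit before auth (user 'admin', 1 fails): Exited normally
Mar  4 06:01:02 dropbear[1402]: Bad password attempt for 'admin' from 203.0.113.9:50001
Mar  4 06:01:05 dropbear[1402]: Bad password attempt for 'admin' from 203.0.113.9:50002
Mar  4 06:01:09 dropbear[1402]: Bad password attempt for 'admin' from 203.0.113.9:50003
EOF

# Usage: list addresses with 3 or more failures. On a router you would point
# this at /tmp/syslog.log (or wherever your firmware writes syslog) instead.
dropbear_offenders "$SAMPLE_LOG" 3
```

The threshold matters because a single failed attempt is exactly what the posted log shows for each bot (one try, then "Exit before auth"); blocking on the first failure would also catch your own typo from outside, so count first and block on repeats.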
 
> Have you tried moving the ssh port from 22 to an obscure, uncommon port number? Of course, it won't stop someone prepared to spend 30 mins or so scanning all your ports, but it would beat someone looking only for a target of opportunity on port 22.

Yes, it's not the default, and password authentication is disabled. Port scans are very routine.

> I used to have my ssh port open (on an obscure port) until I was talked out of doing so

To each his own :) I need to keep mine open for tunneling in from outside.
 