moeburn Posted October 18, 2013

My router is now suddenly flooded with logs that look like this:

Oct 15 22:50:00 Gargoyle httpd_gargoyle: error: can't initialize ssl connection, error = -208
Oct 15 23:58:28 Gargoyle dropbear: Child connection from 141.212.121.129:54032
Oct 15 23:58:29 Gargoyle dropbear: Exit before auth: No matching algo hostkey
Oct 16 11:42:47 Gargoyle dropbear: Child connection from 114.112.191.244:36588
Oct 16 11:42:50 Gargoyle dropbear: Bad password attempt for 'root' from 114.112.191.244:36588
Oct 16 11:42:51 Gargoyle dropbear: Exit before auth (user 'root', 1 fails): Disconnect received
Oct 16 11:42:51 Gargoyle dropbear: Child connection from 114.112.191.244:38299
Oct 16 11:42:57 Gargoyle dropbear: Bad password attempt for 'root' from 114.112.191.244:38299
Oct 16 11:42:59 Gargoyle dropbear: Child connection from 114.112.191.244:40594
Oct 16 11:43:00 Gargoyle dropbear: Exit before auth (user 'root', 1 fails): Disconnect received
Oct 16 11:43:02 Gargoyle dropbear: Bad password attempt for 'root' from 114.112.191.244:40594
Oct 16 11:43:03 Gargoyle dropbear: Exit before auth (user 'root', 1 fails): Disconnect received
Oct 16 21:24:46 Gargoyle dropbear: Child connection from 94.102.63.245:40539
Oct 16 21:24:48 Gargoyle dropbear: Login attempt for nonexistent user from 94.102.63.245:40539
Oct 16 21:24:49 Gargoyle dropbear: Exit before auth: Disconnect received
Oct 16 22:43:11 Gargoyle dropbear: Child connection from 211.141.34.111:37147
Oct 16 22:43:17 Gargoyle dropbear: Bad password attempt for 'root' from 211.141.34.111:37147
Oct 16 22:43:17 Gargoyle dropbear: Exit before auth (user 'root', 1 fails): Disconnect received
Oct 16 22:43:17 Gargoyle dropbear: Child connection from 211.141.34.111:39726
Oct 16 22:43:20 Gargoyle dropbear: Bad password attempt for 'root' from 211.141.34.111:39726
Oct 16 22:43:20 Gargoyle dropbear: Exit before auth (user 'root', 1 fails): Disconnect received
Oct 16 22:43:21 Gargoyle dropbear: Child connection from 211.141.34.111:40913
Oct 16 22:43:23 Gargoyle dropbear: Bad password attempt for 'root' from 211.141.34.111:40913
Oct 16 22:43:23 Gargoyle dropbear: Exit before auth (user 'root', 1 fails): Disconnect received
Oct 16 23:12:12 Gargoyle dropbear: Child connection from 119.10.114.52:16289
Oct 16 23:12:17 Gargoyle dropbear: Bad password attempt for 'root' from 119.10.114.52:16289
Oct 16 23:12:18 Gargoyle dropbear: Exit before auth (user 'root', 1 fails): Disconnect received
Oct 16 23:12:19 Gargoyle dropbear: Child connection from 119.10.114.52:18260
Oct 16 23:12:23 Gargoyle dropbear: Bad password attempt for 'root' from 119.10.114.52:18260
Oct 16 23:12:24 Gargoyle dropbear: Exit before auth (user 'root', 1 fails): Disconnect received
Oct 16 23:12:24 Gargoyle dropbear: Child connection from 119.10.114.52:14378
Oct 16 23:12:26 Gargoyle dropbear: Bad password attempt for 'root' from 119.10.114.52:14378
Oct 16 23:12:27 Gargoyle dropbear: Exit before auth (user 'root', 1 fails): Disconnect received
Oct 17 04:03:06 Gargoyle dropbear: Child connection from 222.143.26.246:51071
Oct 17 04:08:06 Gargoyle dropbear: Exit before auth: Timeout before auth
Oct 17 08:47:30 Gargoyle dropbear: Child connection from 221.130.14.90:51502
Oct 17 08:47:39 Gargoyle dropbear: Bad password attempt for 'root' from 221.130.14.90:51502
Oct 17 08:47:40 Gargoyle dropbear: Exit before auth (user 'root', 1 fails): Disconnect received
Oct 17 08:47:41 Gargoyle dropbear: Child connection from 221.130.14.90:55007
Oct 17 08:47:45 Gargoyle dropbear: Bad password attempt for 'root' from 221.130.14.90:55007
Oct 17 08:47:46 Gargoyle dropbear: Exit before auth (user 'root', 1 fails): Disconnect received
Oct 17 08:47:46 Gargoyle dropbear: Child connection from 221.130.14.90:57085
Oct 17 08:47:49 Gargoyle dropbear: Bad password attempt for 'root' from 221.130.14.90:57085
Oct 17 08:47:49 Gargoyle dropbear: Exit before auth (user 'root', 1 fails): Disconnect received

A few questions.
What does the first line mean? The http daemon error?

I have my router's WebUI set to lock out for 5 minutes after 3 bad connection attempts, but I'm not sure if the SSH is the same. Are these dropbear bad password attempts to the WebUI, or to the SSH?

And yes, they are set to allow connections from the WAN, because I often need to change settings in my router while not at home (like just the other day I wanted to print to my home printer while away, so I had to log into the router WebUI to port forward the printer).

What should I do to make my router more secure? I am also running an OpenVPN server, but it requires an auth keyfile.
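An added example, not from the original thread, that reads syslog lines in the format above and summarises them per source address: httpd_gargoyle lines come from the web UI and are skipped, dropbear lines come from the SSH server and are counted as connections, bad password attempts and nonexistent-user attempts. The sample log is constructed from the event types in the post, and the threshold (default 4, an assumption) marks sources that would be cut off by the kind of per-IP limit a log-throttling tool applies.

```shell
#!/bin/sh
# Constructed sample in the router's syslog format (same event types as the post).
sample_log() {
cat <<'EOF'
Oct 15 22:50:00 Gargoyle httpd_gargoyle: error: can't initialize ssl connection, error = -208
Oct 16 11:42:47 Gargoyle dropbear: Child connection from 114.112.191.244:36588
Oct 16 11:42:50 Gargoyle dropbear: Bad password attempt for 'root' from 114.112.191.244:36588
Oct 16 11:42:51 Gargoyle dropbear: Exit before auth (user 'root', 1 fails): Disconnect received
Oct 16 21:24:46 Gargoyle dropbear: Child connection from 94.102.63.245:40539
Oct 16 21:24:48 Gargoyle dropbear: Login attempt for nonexistent user from 94.102.63.245:40539
Oct 16 21:24:49 Gargoyle dropbear: Exit before auth: Disconnect received
Oct 16 22:43:11 Gargoyle dropbear: Child connection from 211.141.34.111:37147
Oct 16 22:43:17 Gargoyle dropbear: Bad password attempt for 'root' from 211.141.34.111:37147
Oct 16 22:43:17 Gargoyle dropbear: Child connection from 211.141.34.111:39726
Oct 16 22:43:20 Gargoyle dropbear: Bad password attempt for 'root' from 211.141.34.111:39726
Oct 16 22:43:21 Gargoyle dropbear: Child connection from 211.141.34.111:40913
Oct 16 22:43:23 Gargoyle dropbear: Bad password attempt for 'root' from 211.141.34.111:40913
Oct 17 04:03:06 Gargoyle dropbear: Child connection from 222.143.26.246:51071
Oct 17 04:08:06 Gargoyle dropbear: Exit before auth: Timeout before auth
EOF
}

# Summarise dropbear (SSH) events per source IP, reading syslog text on stdin.
# $1 = number of failed attempts (bad password + nonexistent user) at which a
# source is flagged BLOCK; assumed default 4. Web UI (httpd_gargoyle) lines are
# ignored because they are a different daemon. Output, one line per IP:
#   IP connections=N bad_password=N bad_user=N BLOCK|watch
dropbear_summary() {
  awk -v thr="${1:-4}" '
    $5 != "dropbear:" { next }                       # field 5 is the daemon tag
    /Child connection from/ { split($NF, a, ":"); conn[a[1]]++ }
    /Bad password attempt/  { split($NF, a, ":"); pw[a[1]]++ }
    /nonexistent user/      { split($NF, a, ":"); nouser[a[1]]++ }
    END {
      for (ip in conn) {
        bad = pw[ip] + nouser[ip]
        printf "%s connections=%d bad_password=%d bad_user=%d %s\n",
          ip, conn[ip], pw[ip], nouser[ip], (bad >= thr ? "BLOCK" : "watch")
      }
    }' | sort
}

# Demo run over the constructed sample; on the router use: logread | dropbear_summary
sample_log | dropbear_summary 4
```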
The Evil Overlord Posted October 18, 2013

Although I cannot help you with the info on your attachment, +BudMan would be better suited for this I think. A few steps you can take are: hide or turn off the broadcast of your SSID, change your password, and make sure all push-to-connect features are turned off, if all your devices are paired to the router.
moeburn (Author) Posted October 18, 2013

> Although I cannot help you with the info on your attachment, +BudMan would be better suited for this I think. A few steps you can take are: hide or turn off the broadcast of your SSID, change your password, and make sure all push-to-connect features are turned off, if all your devices are paired to the router.

Yeah, BudMan has helped me many times in the past, he is very helpful. Thanks for your advice! But those sound like steps to secure Wifi. I don't think these are attempts to break into my Wifi. I live in a pretty quiet, suburban neighbourhood. I personally know all the people that are within range of my wifi, and I'd notice a car parked in front of my house trying to break into it. These appear to me to be attempts to log in as root in one of the authentication methods open to WAN, but I'm not sure which one, or what 'dropbear' refers to.

EDIT: it appears Dropbear is the SSH server. So I need to learn how to secure my SSH. I think it involves editing my /etc/firewall.user and adding a bunch of iptables scripts, but I would have no idea what I'm doing.
mercenary Posted October 18, 2013

I think closing off the WAN connections and only using VPN is the best way, especially if you are an active target. It may also just be a bot which is going through an IP range?
grunger106 Posted October 18, 2013

You could always just block the ability to login to the device from the WAN interface.... If you can VPN to that net you can always access from the private side.
+BudMan Posted October 18, 2013

^ yeah you really should use a vpn to get into your network vs remote your router web gui. If you bring up a ssh server on default 22 port it will be hit, this is just fact ;) I allow ssh into my network because I use it all the time remote. But I only allow public key auth, so there is no freaking way they are going to break that - if they do, hey more power to them ;)

If you don't like the logs - you could try moving it to a different port.. But security through obscurity is not security. You could use sshguard to trim down the logs to only 4 hits or so from an IP before it's blocked and not logged anymore.

Now on mine I have the ability to block out of the gate known bad locations, country based IPs - well known bots, and such - this is a package in pfsense.

If you really need access to your web gui remotely I would look to only allowing the IP you're going to come from. This works for like your place of work or something but not very useful if on the road. What I would suggest is change over to vpn connection. Then you can do whatever you want via the vpn connection and your web gui is not exposed to the public net.

If you don't go that route, look to setup public key for ssh, this works on dd-wrt. Then hit your web gui through a ssh tunnel. And for logging relief of lots of hits via bots and stuff - change the port. Problem with changing port is non standard might not be open from where you're at, etc.

What route do you want to take and I can walk you through it.

So examples from my setup. So here you see !spammers as source - this is a listing of bad IPs and such that would never have valid reason to connect, etc. Here is where I publickey into my AP running dd-wrt. Here as you notice on the firewall rules I allow traffic into my ubuntu box for ssh.. Even when I block known bad ****.. some still get through the firewall rule, where you have to public key to get in, but sshguard blocks the IPs anyway from filling up the logs when they bang their heads trying to auth, etc.

Happy to help you get all secured up -- just let me know what you want help with.

BTW - I don't block known bad with ntp, since even bad guys might need to set their clocks.. And my IP is part of pool.ntp.org ;) Never know what IP that might come from, etc. I don't really have any concerns with a ntp query ;)
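The public-key-only and source-restriction advice above, as an added example for an OpenWrt-based router such as Gargoyle (not BudMan's pfsense or dd-wrt setup, and not code from the thread). It assumes the OpenWrt layout of dropbear settings in UCI and custom rules in /etc/firewall.user; the WAN interface name, admin subnet and port are assumed values to adjust, and without --apply the script only prints the plan.

```shell
#!/bin/sh
# Hardening plan for an OpenWrt-based router. Assumed values (adjust for your box):
WAN_IF="${WAN_IF:-eth0.2}"                 # WAN interface; check: uci get network.wan.ifname
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"   # constructed: the one remote subnet allowed to reach the web UI
SSH_PORT="${SSH_PORT:-22}"

# Weak state: /etc/config/dropbear with PasswordAuth 'on' and RootPasswordAuth 'on',
# so every bot on the WAN gets to guess root's password (the log above).
# Hardened state: key-only login; put your public key in /etc/dropbear/authorized_keys
# BEFORE running this, or you lock yourself out.
dropbear_pubkey_only() {
  cat <<EOF
uci set dropbear.@dropbear[0].PasswordAuth='off'
uci set dropbear.@dropbear[0].RootPasswordAuth='off'
uci set dropbear.@dropbear[0].Port='$SSH_PORT'
uci commit dropbear
/etc/init.d/dropbear restart
EOF
}

# Rules for /etc/firewall.user: web UI (80/443) from ADMIN_NET only, everything else
# reaches it over the VPN or an SSH tunnel (ssh -L 8080:127.0.0.1:80 root@router);
# SSH stays reachable but a source gets at most 3 new connections per minute,
# the 4th within 60 s is dropped (same idea as the sshguard cutoff, in iptables).
firewall_user_rules() {
  cat <<EOF
iptables -I INPUT -i $WAN_IF -p tcp -m multiport --dports 80,443 ! -s $ADMIN_NET -j DROP
iptables -N SSH_WAN 2>/dev/null || iptables -F SSH_WAN
iptables -A SSH_WAN -m recent --name ssh_wan --set
iptables -A SSH_WAN -m recent --name ssh_wan --update --seconds 60 --hitcount 4 -j DROP
iptables -I INPUT -i $WAN_IF -p tcp --dport $SSH_PORT -m state --state NEW -j SSH_WAN
EOF
}

# Apply only when run as root on a box that has uci; otherwise print for review.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" -eq 0 ] && command -v uci >/dev/null 2>&1; then
  dropbear_pubkey_only | sh
  firewall_user_rules >> /etc/firewall.user && sh /etc/firewall.user
else
  dropbear_pubkey_only
  firewall_user_rules
fi
```

The SSH_WAN chain has no ACCEPT of its own: a connection that survives the rate check falls back into INPUT and is handled by the router's existing WAN SSH allow rule.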
nabz0r Posted October 20, 2013

As everybody suggested, use VPN to connect to your home and then you can manage your firewall or whatever you want to do; this would work if you're connecting to your home from different locations. But if you know that you're connecting from one subnet you can only allow that subnet and you're done. For me, I have allowed only one subnet (work) and have a VPN connection to my ASA where I can login from anywhere.
sc302 Posted October 20, 2013

I use logmein if I need to make changes to my router. No ports to open, easy to set up, and can access from anywhere.