People are trying to hack into my router, what should I do?

[moeburn]

My router is now suddenly flooded with logs that look like this:

Oct 15 22:50:00 Gargoyle httpd_gargoyle:  error: can't initialize ssl connection, error = -208 
Oct 15 23:58:28 Gargoyle dropbear:  Child connection from 141.212.121.129:54032 
Oct 15 23:58:29 Gargoyle dropbear:  Exit before auth: No matching algo hostkey 
Oct 16 11:42:47 Gargoyle dropbear:  Child connection from 114.112.191.244:36588 
Oct 16 11:42:50 Gargoyle dropbear:  Bad password attempt for 'root' from 114.112.191.244:36588 
Oct 16 11:42:51 Gargoyle dropbear:  Exit before auth (user 'root', 1 fails): Disconnect received 
Oct 16 11:42:51 Gargoyle dropbear:  Child connection from 114.112.191.244:38299 
Oct 16 11:42:57 Gargoyle dropbear:  Bad password attempt for 'root' from 114.112.191.244:38299 
Oct 16 11:42:59 Gargoyle dropbear:  Child connection from 114.112.191.244:40594 
Oct 16 11:43:00 Gargoyle dropbear:  Exit before auth (user 'root', 1 fails): Disconnect received 
Oct 16 11:43:02 Gargoyle dropbear:  Bad password attempt for 'root' from 114.112.191.244:40594 
Oct 16 11:43:03 Gargoyle dropbear:  Exit before auth (user 'root', 1 fails): Disconnect received 
Oct 16 21:24:46 Gargoyle dropbear:  Child connection from 94.102.63.245:40539 
Oct 16 21:24:48 Gargoyle dropbear:  Login attempt for nonexistent user from 94.102.63.245:40539 
Oct 16 21:24:49 Gargoyle dropbear:  Exit before auth: Disconnect received 
Oct 16 22:43:11 Gargoyle dropbear:  Child connection from 211.141.34.111:37147 
Oct 16 22:43:17 Gargoyle dropbear:  Bad password attempt for 'root' from 211.141.34.111:37147 
Oct 16 22:43:17 Gargoyle dropbear:  Exit before auth (user 'root', 1 fails): Disconnect received 
Oct 16 22:43:17 Gargoyle dropbear:  Child connection from 211.141.34.111:39726 
Oct 16 22:43:20 Gargoyle dropbear:  Bad password attempt for 'root' from 211.141.34.111:39726 
Oct 16 22:43:20 Gargoyle dropbear:  Exit before auth (user 'root', 1 fails): Disconnect received 
Oct 16 22:43:21 Gargoyle dropbear:  Child connection from 211.141.34.111:40913 
Oct 16 22:43:23 Gargoyle dropbear:  Bad password attempt for 'root' from 211.141.34.111:40913 
Oct 16 22:43:23 Gargoyle dropbear:  Exit before auth (user 'root', 1 fails): Disconnect received 
Oct 16 23:12:12 Gargoyle dropbear:  Child connection from 119.10.114.52:16289 
Oct 16 23:12:17 Gargoyle dropbear:  Bad password attempt for 'root' from 119.10.114.52:16289 
Oct 16 23:12:18 Gargoyle dropbear:  Exit before auth (user 'root', 1 fails): Disconnect received 
Oct 16 23:12:19 Gargoyle dropbear:  Child connection from 119.10.114.52:18260 
Oct 16 23:12:23 Gargoyle dropbear:  Bad password attempt for 'root' from 119.10.114.52:18260 
Oct 16 23:12:24 Gargoyle dropbear:  Exit before auth (user 'root', 1 fails): Disconnect received 
Oct 16 23:12:24 Gargoyle dropbear:  Child connection from 119.10.114.52:14378 
Oct 16 23:12:26 Gargoyle dropbear:  Bad password attempt for 'root' from 119.10.114.52:14378 
Oct 16 23:12:27 Gargoyle dropbear:  Exit before auth (user 'root', 1 fails): Disconnect received 
Oct 17 04:03:06 Gargoyle dropbear:  Child connection from 222.143.26.246:51071 
Oct 17 04:08:06 Gargoyle dropbear:  Exit before auth: Timeout before auth 
Oct 17 08:47:30 Gargoyle dropbear:  Child connection from 221.130.14.90:51502 
Oct 17 08:47:39 Gargoyle dropbear:  Bad password attempt for 'root' from 221.130.14.90:51502 
Oct 17 08:47:40 Gargoyle dropbear:  Exit before auth (user 'root', 1 fails): Disconnect received 
Oct 17 08:47:41 Gargoyle dropbear:  Child connection from 221.130.14.90:55007 
Oct 17 08:47:45 Gargoyle dropbear:  Bad password attempt for 'root' from 221.130.14.90:55007 
Oct 17 08:47:46 Gargoyle dropbear:  Exit before auth (user 'root', 1 fails): Disconnect received 
Oct 17 08:47:46 Gargoyle dropbear:  Child connection from 221.130.14.90:57085 
Oct 17 08:47:49 Gargoyle dropbear:  Bad password attempt for 'root' from 221.130.14.90:57085 
Oct 17 08:47:49 Gargoyle dropbear:  Exit before auth (user 'root', 1 fails): Disconnect received 

A few questions.  What does the first line mean?  The http daemon error?  I have my router's WebUI set to lock out for 5 minutes, after 3 bad connection attempts, but I'm not sure if the SSH is the same.  Are these dropbear bad password attempts to the WebUI, or to the SSH?  And yes, they are set to allow connections from the WAN, because I often need to change settings in my router while not at home (like just the other day I wanted to print to my home printer while away, so I had to log into the router WebUI to port forward the printer).  

 

What should I do to make my router more secure?  I am also running an OpenVPN server, but it requires an auth keyfile.  

[The Evil Overlord]

Although I cannot help you with the info on your attachment, +BudMan would be better suited for this I think

 

A few steps you can take is, hide or turn off the broadcast of your SSID, change your password, and make sure all push to connect features are turned off, if all your devices are paired to the router

[moeburn]

Although I cannot help you with the info on your attachment, +BudMan would be better suited for this I think

 

A few steps you can take is, hide or turn off the broadcast of your SSID, change your password, and make sure all push to connect features are turned off, if all your devices are paired to the router

 

Yeah, BudMan has helped me many times in the past, he is very helpful.

 

Thanks for your advice!  But those sound like steps to secure Wifi.  I don't think these are attempts to break into my Wifi.  I live in a pretty quiet, suburbian neighbourhood.  I personally know all the people that are within range of my wifi, and I'd notice a car parked in front of my house trying to break into it.  These appear to me, to be attempts to log in as root in one of the authentication methods open to WAN, but I'm not sure which one, or what 'dropbear' refers to.

 

EDIT: it appears Dropbear is the SSH server.  So I need to learn how to secure my SSH.  I think it involves editing my /etc/firewall.user, and adding a bunch of iptables scripts, but I would have no idea what I'm doing.

[mercenary]

I think closing off the wan connections and only using vpn is the best way, especially if you are a active target. It may also just be a bot which is going through an IP range?

[grunger106]

You could always just block the ability to login to the device from the WAN interface....

If you can VPN to that net you can always access from the private side.

[+BudMan MVC]

^ yeah you really should use a vpn to get into your network vs remote your router web gui.

 

If you bring up a ssh server on default 22 port it will be hit, this is just fact ;)  I allow ssh into my network because I use it all the time remote.  But I only allow public key auth, so there is no freaking way they are going to break that - if they do, hey more power too them ;)

 

If you don't like the logs - you could try moving it to a different port.. But security through obscurity is not security.  You could use sshguard to trim down the logs to only 4 hits or so from an IP before its blocked and not logged anymore.

 

Now on mine I have the ability to block out of the gate known bad locations, country based IPs - well known bots, and such - this is a package in pfsense.

 

If you really need access to your web gui remotely I would look to only allowing your IP your going to come from.  This works for like your place of work or something but not very useful if on the road.

 

What I would suggest is change over to vpn connection.  Then you can do whatever you want via the vpn connection and your web gui is not exposed to the public net.  If you don't go that route, look to setup public key for ssh, this works on dd-wrt.  Then hit your web gui through a ssh tunnel.  And for logging relief of lots of hits via bots and stuff - change the port.  Problem with changing port is non standard might not be open from where your at, etc.

 

What route do you want to take and can walk you through it.

 

So examples from my setup.

 

So here you !spammers as source - this is a listing of bad IPs and such that would never have valid reason to connect, etc.

 

Here here where I publickey into my AP running dd-wrt

 

Here as you notice on the firewall rules I allow traffic into my ubuntu box for ssh..  Even when I block known bad ****.. some still get through the firewall rule, where you have to public key to get in, but sshguard blocks the IPs anyway from filling up the logs when they bang their heads trying to auth, etc.

 

Happy to help you get all secured up -- just let me know what you want help with.

 

BTW - I don't block known bad with ntp, since even bad guys might need to set their clocks.. And my IP is part of pool.ntp.org ;)  Never know what IP that might come from, etc.  I don't really have any concerns with a ntp query ;)

[nabz0r Veteran]

As everybody suggested, use VPN to connect to your  home and then you can manage your firewall or whatever you want to do, this would work if you're connecting to your home from different locations. But if you know that you're connecting from one subnet you can only allow that subnet and you're done.

 

For me, I have allowed only one subnet (work) and have a VPN connection to my ASA where I can login from anywhere.

[sc302 Veteran]

I use logmein if I need to make changes to my router. No ports to open easy to setup and can access from anywhere.