Posted: Sun Apr 11, 2021 19:40 Post subject: Unknown dropbear login on router in log
Hi,
I was going through my router logs this morning and noticed a few new messages I had never seen before. Here's one of them:
Apr 11 13:29:04 R8000 authpriv.notice dropbear[3013]: Password auth succeeded for 'root' from 78.128.113.150:58538
I had like 2 or 3 of these throughout the night from different IP addresses which seemed weird to me. I check my logs every 2-3 days and had never seen this before so this is completely brand new. I immediately rebooted my router thinking it was perhaps an error or something. I didn't get any more of them until maybe an hour ago when I saw the above one pop up.
I did an IP lookup search on this IP address, and it appears this 78.128.113.150 IP address is in Bulgaria. I'm concerned that it means someone found a way to access my router.
Like on the Administration tab, under remote access, I had WebGUI and SSH access disabled, so I'm not sure how anyone could even access my router remotely. Do I need to do something else to ensure no one can access my router from outside my LAN?
Any advice on what to do? My best guess is:
1) Disable SSH under services immediately
2) Make a manual note of all my settings (on paper as I don't know if doing a router backup and restoring settings would somehow allow this access to happen again)
3) Reflash the firmware with a reset of all settings
4) Erase NVRAM
5) Manually add back all settings
Does that seem like a good plan?
Thanks in advance!
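The log line quoted above is exactly the kind of event worth checking for automatically. The following is an added example (not code from DD-WRT, dropbear or any poster in this thread) that scans syslog text for dropbear "auth succeeded" lines and flags successful password logins whose source address is not a private LAN range; the log format is taken from the quoted line, and the sample lines are constructed.

```python
import ipaddress
import re

# Matches dropbear "auth succeeded" lines as DD-WRT writes them to syslog.
# The ".*" absorbs the extra key details dropbear prints for pubkey logins.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \S+ dropbear\[\d+\]: "
    r"(?P<method>Password|Pubkey) auth succeeded for '(?P<user>[^']+)'"
    r".* from (?P<ip>[0-9A-Fa-f.:]+):(?P<port>\d+)$"
)

def is_external(ip: str) -> bool:
    """True for a globally routable source; private, loopback and
    link-local ranges count as LAN-side."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)

def parse_auth_events(syslog_text: str) -> list[dict]:
    events = []
    for line in syslog_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # disconnects, failures and non-dropbear lines are skipped
        ev = m.groupdict()
        ev["external"] = is_external(ev["ip"])
        # A password login from outside the LAN is the case to alert on;
        # a key-based login from a known admin host may be expected.
        ev["suspicious"] = ev["external"] and ev["method"] == "Password"
        events.append(ev)
    return events

def suspicious_logins(syslog_text: str) -> list[tuple[str, str, str]]:
    """(timestamp, user, source ip) for each flagged event."""
    return [(e["ts"], e["user"], e["ip"])
            for e in parse_auth_events(syslog_text) if e["suspicious"]]

# Constructed sample: the first line is the one quoted in the post, the rest
# are made-up LAN-side logins for contrast.
SAMPLE_LOG = """\
Apr 11 13:29:04 R8000 authpriv.notice dropbear[3013]: Password auth succeeded for 'root' from 78.128.113.150:58538
Apr 11 13:29:04 R8000 authpriv.info dropbear[3013]: Exit (root): Disconnect received
Apr 11 13:31:10 R8000 authpriv.notice dropbear[3020]: Pubkey auth succeeded for 'root' with key ssh-rsa from 192.168.1.20:51234
Apr 11 13:40:00 R8000 authpriv.notice dropbear[3031]: Password auth succeeded for 'root' from 192.168.1.50:40000
"""

if __name__ == "__main__":
    for ts, user, ip in suspicious_logins(SAMPLE_LOG):
        print(f"{ts}: password login as {user} from non-LAN address {ip}")
```

On a DD-WRT box the same text can be fed in from the syslog output; the script only needs the Python standard library.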
Disable password login for dropbear and use key authentication, especially if you are opening it up to remote access via WAN.
Hi kernel-panic69,
Thanks for the quick reply! I am currently researching how to enable key authentication and found some things about using puttygen to set it up. I will have it set up soon.
One question though - how do I close remote access via WAN? I don't think my settings allow for remote access, so is there some other issue I have? I attached a screenshot of my administration tab showing my settings and I have SSH management disabled.
If I try to disable "Allow any remote IP" then it opens up a box that forces me to choose some IP address so I kept that enabled.
Joined: 08 May 2018 Posts: 14244 Location: Texas, USA
Posted: Sun Apr 11, 2021 20:27 Post subject:
Are those the settings you had set up when this happened? If so, then something is definitely amiss if a remote client from the internet connected and was able to login. I don't think the "allow any IP" is effective until remote management of WebUI, ssh, or telnet is enabled. _________________ "Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT Pogo - A minimal level of ability is expected and needed... DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)
----------------------
Linux User #377467 counter.li.org / linuxcounter.net
Those have always been my settings (disabled remote access) - and that's why this does not make any sense at all. I looked through my log more carefully and interestingly, the connection was closed immediately after it was opened. Does that mean anything? Here is my full log around the event. Of note - it occurred while my router was rebooting and had just updated its time and was connecting to wifi clients. (I deleted MAC addresses).
Joined: 08 May 2018 Posts: 14244 Location: Texas, USA
Posted: Sun Apr 11, 2021 20:42 Post subject:
It could mean someone has attempted to gain access. On your firewall settings (Security tab), under "Impede WAN DoS/Bruteforce", do you have all of those checked (enabled) as well?
No, I did not have any of the Impede WAN DoS/Bruteforce options enabled at the time this all happened. I have since checked them all and applied settings.
Perhaps that's all that I can do at this point? Reformatting, redoing all my settings, using key authentication, and enabling the Impede WAN/DoS options in security.
I just wanted to make sure this wasn't some sort of security issue with dropbear, because it still leaves me with the question of why it even accepted a connection through the WAN when it was disabled in the Administration tab.
Do you use Openvpn?
If so do you have the Firewall of openvpn enabled?
I do use openVPN and I noticed I do not have the Inbound Firewall on TUN option checked.
I will enable it. Do you think it's an openVPN issue? I will say last night while at work, I did login to my router using my openvpn connection and all this started after that.
If it's an openvpn issue, does this mean I need to reissue my keys for it?
Joined: 16 Nov 2015 Posts: 6446 Location: UK, London, just across the river..
Posted: Mon Apr 12, 2021 10:24 Post subject:
well do we know your router model and current firmware number on it... it's very important...
are you part of fibernet network....??
as they have a virtual network (VPS), where they claim it's safe and isolated from each other and they provide you with a static IP address where it's open/visible to the WEB..but they kindly do not exclude the option of VLAN hopping...
You can limit dropbear use to a specific MAC address or IP, as well change its port and lock SSH with a key login only (password-protected key) and see if this will work...if you are not part of 'fibernet network', you can limit all its IP range via iptables rules..
iptables -I FORWARD -s 78.128.113.0/24 -j DROP
iptables -I INPUT -s 78.128.113.0/24 -j DROP
those 2 will limit that network, so it won't see you...
there was a current issue with a firmware (number), that if you had anything in 'access restrictions' was causing that issue, do you have anything there..?? that's why I asked for your current firmware build ?
also disable upnp and ping, if by any chance you run those on your router side...
P.S. if all those come from the VPN side then it's another game... _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Last edited by Alozaros on Mon Apr 12, 2021 12:12; edited 1 time in total
Joined: 18 Mar 2014 Posts: 12915 Location: Netherlands
Posted: Mon Apr 12, 2021 10:38 Post subject:
buffpatel wrote:
egc wrote:
Do you use Openvpn?
If so do you have the Firewall of openvpn enabled?
I do use openVPN and i noticed I do not have the Inbound Firewall on TUN option checked.
I will enable it. Do you think it's an openVPN issue? I will say last night while at work, I did login to my router using my openvpn connection and all this started after that.
If it's an Openvpn issue, does this mean I need to reissue my keys for it?
I was not very clear but I was referring to an OpenVPN client.
For the server you cannot enable the Firewall otherwise you cannot reach your server.
Running a server you should be fine (if you have a recent build) of course someone can try to log into your OpenVPN server but not into the router itself.
Of course if your keys are out in the wild that is possible.
Are you sure it is not a login from yourself via the OpenVPN server from somewhere else (maybe the client you used to login to the OVPN server is routed via a VPN?)
Hi Alozaros,
Thank you for the very detailed reply and suggestions! So for my router:
R8000
Firmware affected: BOTH 4/7/21 - r46301 and 4/9/21 - r46316 were affected as in I had strange login messages on my Syslog. I use the Administration->syslog page, and it highlighted these logins in a bright green color, so I am 100% certain that I did not miss seeing these on any previous firmware and I usually scroll through my logs every 2-3 days.
Prior to the 4/7/21 firmware, I was using 4/3/21 - r46259 which was NOT affected.
I don't have anything added to the access restrictions in my firmware setup. I did have uPNP enabled on my router, but have since turned it off. Not sure how to disable ping.
I am not part of a fibernet network. Not even sure what that is, to be honest. I have Spectrum cable internet with a cable modem. My router is connected directly to the modem. No special set up at all in my case.
In terms of my set up, I do have an OpenVPN Server running on my R8000. I use it to login to my network whenever I'm on a public wifi hotspot for security. I believe that's the intended use for it. I always thought using OpenVPN in that way was secure, but am starting to wonder if that could be a security issue - ie. do I need to switch to a paid VPN for security when traveling (like PureVPN, or HideMyAss, etc?).
My OpenVPN server also has a site to site OpenVPN tunnel from my parents' router to my router. I have an OpenVPN client running on their router and it's connected to my network so whenever they have network issues (or problems with their printer) I can directly login to their devices to help them troubleshoot. I checked all of their syslogs and did not see any dropbear logins for them.
I think for my purposes, perhaps I can try to use the key access for SSH along with another very simple protective measure. I can keep SSH disabled until I specifically need it. If/when I need to SSH into the router, I can first remotely login to my router with openVPN and enable it. Then make sure to disable SSH once I'm done with it. Lastly, I think I will turn off my router and cable modem for like 4-5 hours and then turn them both on later. This way I should get a completely new IPV4 and IPV6 address which should also help shield me from whoever made the logins on my router. They can't really login to my router if they no longer have my ip address, right?
I was not very clear but I was referring to an OpenVPN client.
For the server you cannot enable the Firewall otherwise you cannot reach your server.
Running a server you should be fine (if you have a recent build) of course someone can try to log into your OpenVPN server but not into the router itself.
Of course if your keys are out in the wild that is possible.
Are you sure it is not a login from yourself via the OpenVPN server from somewhere else (maybe the client you used to login to the OVPN server is routed via a VPN?)
If not I would reset the router to defaults and make new OpenVPN keys etc.
Hello,
Haha - I unfortunately learned the hard way about the OpenVPN Firewall pretty much stopping my VPN from connecting! I have since disabled the OpenVPN firewall on BOTH my OpenVPN server on my router and on the OpenVPN client on my parents router.
Please see my post above, but my setup is: my router only has OpenVPN server running. I use it to login from my cellphone when traveling or when at work. I work in a hospital and they apparently blocked the dd-wrt website as it's listed as "controversial" on their security settings. Funny story, but I had logged into my OpenVPN server 2 nights ago while at work to read the forum when all this started!
My parents router also has OpenVPN client running which is connected to my routers server in a site to site tunnel so I can help them with any network issues from my home.
Your thought about the login being me is a good one, but I know that's not possible because I don't use any other VPN service so I should not have any routing to Europe or elsewhere. Also, this occurred while I was at work in the hospital 2 nights ago after I connected from the hospital, but the messages occurred after I disconnected. For safety I only connect to my VPN to browse the web, then immediately disconnect once I'm done using it. Lastly, when it occurred yesterday morning, it happened while I was at home and had just flashed the newest firmware - 4/9/21 version upon the first startup of the router after the flash. Interestingly, it occurred right after the router had set the clock, but BEFORE the openVPN service was enabled so I just don't know if my OpenVPN connection was the way the connection occurred.
One thought I had was it seems strange to me if someone maliciously got access to my router, that they'd login, and then immediately logoff in the same second as my log posted a few messages above show. Like why would anyone, once they gain access to a computer, logoff before they did anything? Could it be possible this was something related to the firmware itself and I'm misinterpreting a normal function of the firmware?
Either way, I've already reset my router, painfully re-entered all my settings (including over 30 static IP addresses), set up my OpenVPN network again and issued new keys, and also disabled SSH access. I am planning on powering down my whole network for 4-5 hours to get a new IP address and I don't know what else I can do above that.
client must match the server settings, try to use a decent encryption...
if not used... telnet and ssh over the WAN must be disabled or use ssh with key only if needed...
log-in and immediately log-off may mean they didn't match the requirements and dropbear dropped it off..
yep it's a good idea to reset/redo...settings, you can add static leases in the DNSmasq advanced config box, instead of the GUI, it's easy...use this format
I would advise you to disable upnp, it's a very bad practice...
disable ping is where security page is
Block WAN Requests - Block Anonymous WAN Requests (ping)
on server VPN setting and client, use this option turned on Inbound Firewall on TUN (tick that box),
unless it interferes with your settings... then you can specify the route in the advanced setup...but have a look at the guide, as well as searching the ddwrt forum thoroughly...lots of info on the subject..I just don't have time to find those to share with you...