Is someone trying to hack me brute force my router?

tomron
DD-WRT User


Joined: 10 Sep 2020
Posts: 68

Posted: Sat Apr 03, 2021 5:24
I activated the remote administration several days ago, fortunately I had a look at the sys log and then I found this:




It's over several pages. Yesterday it was only one ip constantly trying to get in over random ports.

Today there are already two IPs trying to get access.

_________________
VLANs, Wireguard Site to Site, OpenVPN Client, WDS
TP-Link Archer C7 V4, V5
TP-Link Archer A7 V5
TP-Link WR1043 V4
Unifi UAP-AC-M
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Sat Apr 03, 2021 6:11
We always tell people not to use remote administration and now you know why.

Use a VPN to contact your network from remote.

If you have no other means than to use remote administration use an SSH key.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6856
Location: Romerike, Norway

Posted: Sat Apr 03, 2021 8:22
egc wrote:
If you have no other means than to use remote administration use an SSH key.


Yes, and turn off password authentication.
tomron
DD-WRT User


Joined: 10 Sep 2020
Posts: 68

Posted: Sat Apr 03, 2021 10:39
Didn't know that this would cause such attention and that the router's web administration could be found that fast.
It's not necessary for me, I got a working wireguard set up. I thought just in case that the tunnel fails I've got a back solution to get into my network.

blkt
DD-WRT Guru


Joined: 20 Jan 2019
Posts: 5660

Posted: Sat Apr 03, 2021 15:14
Welcome to the series of tubes!

https://whatismyipaddress.com/ip/36.76.218.22

https://whatismyipaddress.com/ip/183.182.118.95
Wildlion
DD-WRT Guru


Joined: 24 May 2016
Posts: 1407

Posted: Sat Apr 03, 2021 17:04
The exit before auth should just be the tcp connection scan but the login attempt from nonexistent user is a login attempt.

This happens all over the net, people regularly scan... I used to track/log telnet attempts for a website and it is ridiculous how often people scan for that open port. Got to the point where I just turned off logging for that because it would fill up the logs.
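The distinction drawn in the post above (a bare "exit before auth" is a connection probe, a nonexistent-user message is a real login attempt), as an added example that is not part of the original thread. The log lines are constructed, use documentation-range addresses, and assume dropbear's usual syslog wording; `classify` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of dropbear syslog output
# (documentation-range IPs; the exact message wording is an assumption).
SAMPLE_LOG = """\
Apr  3 05:01:10 router dropbear[2101]: Child connection from 203.0.113.7:40112
Apr  3 05:01:11 router dropbear[2101]: Exit before auth: Exited normally
Apr  3 05:01:15 router dropbear[2102]: Child connection from 198.51.100.23:51234
Apr  3 05:01:16 router dropbear[2102]: Login attempt for nonexistent user from 198.51.100.23:51234
Apr  3 05:01:17 router dropbear[2102]: Exit before auth: Exited normally
Apr  3 05:01:20 router dropbear[2103]: Child connection from 198.51.100.23:51300
Apr  3 05:01:21 router dropbear[2103]: Bad password attempt for 'root' from 198.51.100.23:51300
Apr  3 05:01:22 router dropbear[2103]: Exit before auth (user 'root', 1 fails): Exited normally
"""

LINE = re.compile(r"dropbear\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT = re.compile(r"Child connection from (?P<ip>[0-9a-fA-F.:]+):\d+$")
LOGIN = re.compile(r"(Login attempt for nonexistent user|Bad password attempt)")


def classify(log_text):
    """Return {ip: {"probe": n, "login_attempt": n}} per source address."""
    session_ip = {}      # dropbear child pid -> source IP of that connection
    tried_login = set()  # pids whose session reached an authentication attempt
    stats = defaultdict(lambda: {"probe": 0, "login_attempt": 0})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        c = CONNECT.match(msg)
        if c:
            session_ip[pid] = c.group("ip")
        elif LOGIN.match(msg):
            tried_login.add(pid)
        elif msg.startswith("Exit before auth") and pid in session_ip:
            # Session ended unauthenticated: count it once, by what it did.
            kind = "login_attempt" if pid in tried_login else "probe"
            stats[session_ip.pop(pid)][kind] += 1
            tried_login.discard(pid)
    return dict(stats)


if __name__ == "__main__":
    for ip, counts in classify(SAMPLE_LOG).items():
        print(ip, counts)
```

Sessions are keyed by the dropbear child PID because the "Exit before auth" line does not always carry the source address itself.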
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

Posted: Sat Apr 03, 2021 18:54
these are not people these are botnets scanning on the standard ports and then brute force
The botnets are big enough that it's close to DDoS in volume

Edit:

you should think twice before opening ports for remote maintenance

just google for ssh hardening
you should not use standard ports for example
disable password authentication
it is best to use a secure cryptographic key like ed25519
Limiting access via fail2ban
etc
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Mon Apr 05, 2021 8:14
ed25519 ?? last time i tried SSH key with ed25519 was fun..
but yep secure Web access with (password protected) SSH key with max acceptable encryption...and no password entry allowed, it's fine...
just add some restricting/permitting iptables rules and you are done, safe and sound to use ssh via web...but as EGC noted best practice is VPN remote access to the router only...
to be honest WEB administration is not needed unless you are really in demand of it, like no physical access to the router and doing some remote administration...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

Posted: Mon Apr 05, 2021 8:37
Alozaros wrote:
ed25519 ?? last time i tried SSH key with ed25519 was fun..

currently not supported by dd-wrt with dropbear ssh (probably not configured for space reasons)

but have been using curve25519 for a while on other machines
has e.g. the advantage that it is much faster than RSA and is generally considered to be secure (while RSA now requires keys that are at least 3072 bit long)
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Mon Apr 05, 2021 11:41
ho1Aetoo wrote:
Alozaros wrote:
ed25519 ?? last time i tried SSH key with ed25519 was fun..

currently not supported by dd-wrt with dropbear ssh (probably not configured for space reasons)

but have been using curve25519 for a while on other machines
has e.g. the advantage that it is much faster than RSA and is generally considered to be secure (while RSA now requires keys that are at least 3072 bit long)

ho1Aetoo wrote:
it is best to use a secure cryptographic key like ed25519

yep i know ed25519 is faster, as well i know it's not supported...(learned it hard way)... that's why I'm not advising ppl to use it on DDWRT routers yet...and said use 'max acceptable encryption' instead

feliciano
DD-WRT Guru


Joined: 24 Oct 2008
Posts: 1079
Location: Latin America

Posted: Mon Apr 05, 2021 20:33
You can also filter the IP addresses you allow to remotely access your device.
_________________
If you want support, please read first the announcements and forum rules.
atifak
DD-WRT Novice


Joined: 02 Apr 2021
Posts: 14

Posted: Mon Apr 12, 2021 6:05
tomron wrote:
I activated the remote administration several days ago, fortunately I had a look at the sys log and then I found this:




It's over several pages. Yesterday it was only one ip constantly trying to get in over random ports.

Today there are already two IPs trying to get access.

Might be someone trying to hack you. A VPN is the safest bet here.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Mon Apr 12, 2021 10:01
VPN doesn't guarantee you are safe from tracking at all..
You may get tracked inside the VPN pool too...or if you have a compromised software running, it can even communicate with the malicious origin, wherever you are...
Also there is a known bug in windows/mac where VPN could be compromised in terms of geolocation and then they know it's you ...

However, there are tricks, like tin-foil hat, that helps with WIFI radiation and internet paranoia, or security oriented courses/web sites, where you can gain more knowledge, how to persuade a better security and good internet hygiene...

kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

Posted: Mon Apr 12, 2021 16:58
Alozaros wrote:
ho1Aetoo wrote:
Alozaros wrote:
ed25519 ?? last time i tried SSH key with ed25519 was fun..

currently not supported by dd-wrt with dropbear ssh (probably not configured for space reasons)

but have been using curve25519 for a while on other machines
has e.g. the advantage that it is much faster than RSA and is generally considered to be secure (while RSA now requires keys that are at least 3072 bit long)

ho1Aetoo wrote:
it is best to use a secure cryptographic key like ed25519

yep i know ed25519 is faster, as well i know it's not supported...(learned it hard way)... that's why I'm not advising ppl to use it on DDWRT routers yet...and said use 'max acceptable encryption' instead

Yep, it was never supported, even though some 'professional' claimed it was

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=323589

_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
atifak
DD-WRT Novice


Joined: 02 Apr 2021
Posts: 14

Posted: Tue Apr 13, 2021 6:01
Alozaros wrote:
VPN doesn't guarantee you are safe from tracking at all..
You may get tracked inside the VPN pool too...or if you have a compromised software running, it can even communicate with the malicious origin, wherever you are...
Also there is a known bug in windows/mac where VPN could be compromised in terms of geolocation and then they know it's you ...

However, there are tricks, like tin-foil hat, that helps with WIFI radiation and internet paranoia, or security oriented courses/web sites, where you can gain more knowledge, how to persuade a better security and good internet hygiene...


I use a trusted VPN and it does say that it masks my ip address, if what you're saying is true then thanks. I have to try that now.


Last edited by atifak on Wed Apr 14, 2021 4:58; edited 1 time in total