Posted: Sat Apr 03, 2021 5:24 Post subject: Is someone trying to hack me brute force my router?
I activated remote administration several days ago; fortunately I had a look at the syslog and then I found this:
It's over several pages. Yesterday it was only one IP constantly trying to get in over random ports.
Today there are already two IPs trying to get access. _________________ VLANs, Wireguard Site to Site, OpenVPN Client, WDS
TP-Link Archer C7 V4, V5
TP-Link Archer A7 V5
TP-Link WR1043 V4
Unifi UAP-AC-M
Didn't know that this would cause such attention and that the router's web administration could be found that fast.
It's not necessary for me, I've got a working WireGuard setup. I thought that, just in case the tunnel fails, I'd have a backup solution to get into my network.
The "exit before auth" should just be the TCP connection scan, but the login attempt from a nonexistent user is a login attempt.
This happens all over the net, people regularly scan... I used to track/log telnet attempts for a website and it is ridiculous how often people scan for that open port. Got to the point where I just turned off logging for that because it would fill up the logs.
These are not people, these are botnets scanning on the standard ports and then brute-forcing.
The botnets are big enough that it's close to DDoS in volume.
Edit:
you should think twice before opening ports for remote maintenance
just Google for SSH hardening
you should not use standard ports, for example
disable password authentication
it is best to use a secure cryptographic key like ed25519
limit access via fail2ban
etc.
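The "limit access via fail2ban" step above is, at its core, counting authentication failures per source address in the syslog and handing the noisy ones to the firewall. The following is an added example, not code from this thread, from DD-WRT or from fail2ban: a POSIX sh/awk counter that separates bare connection scans ("Child connection" followed by "Exit before auth", as described earlier in the thread) from real login attempts (nonexistent user, bad password) and lists the sources that cross a threshold. The log lines are constructed samples modelled on the Dropbear messages the thread mentions; their exact wording is an assumption, and the addresses are documentation ranges, not real attackers.

```shell
#!/bin/sh
# Added example: per-source counting of Dropbear auth failures, the logic a
# fail2ban-style jail automates. Everything below is constructed sample data
# and assumed message formats, not output from the original poster's router.

# Constructed syslog excerpt (assumed Dropbear wording, documentation IPs).
sample_log() {
    cat <<'EOF'
Apr  3 05:10:01 router daemon.info dropbear[1201]: Child connection from 198.51.100.7:41022
Apr  3 05:10:02 router daemon.info dropbear[1201]: Exit before auth: Exited normally
Apr  3 05:10:05 router daemon.info dropbear[1202]: Child connection from 198.51.100.7:41030
Apr  3 05:10:06 router daemon.warn dropbear[1202]: Login attempt for nonexistent user from 198.51.100.7:41030
Apr  3 05:10:09 router daemon.info dropbear[1203]: Child connection from 198.51.100.7:41035
Apr  3 05:10:10 router daemon.warn dropbear[1203]: Bad password attempt for 'root' from 198.51.100.7:41035
Apr  3 05:10:14 router daemon.info dropbear[1204]: Child connection from 198.51.100.7:41041
Apr  3 05:10:15 router daemon.warn dropbear[1204]: Bad password attempt for 'admin' from 198.51.100.7:41041
Apr  3 05:11:30 router daemon.info dropbear[1210]: Child connection from 203.0.113.44:55210
Apr  3 05:11:31 router daemon.info dropbear[1210]: Exit before auth: Exited normally
Apr  3 05:11:40 router daemon.info dropbear[1211]: Child connection from 203.0.113.44:55222
Apr  3 05:11:41 router daemon.warn dropbear[1211]: Login attempt for nonexistent user from 203.0.113.44:55222
Apr  3 05:12:00 router daemon.info dropbear[1212]: Child connection from 192.0.2.10:60010
Apr  3 05:12:03 router daemon.info dropbear[1212]: Password auth succeeded for 'root' from 192.0.2.10:60010
EOF
}

# Reads syslog lines on stdin and prints one line per source address:
#   "<ip> <connections> <failed_logins>", sorted with most failures first.
# A connection that only reaches "Exit before auth" is a scan, so it raises
# the connection count only; nonexistent-user and bad-password lines are the
# actual login attempts and raise the failure count.
auth_summary() {
    awk '
    function src(hostport) { sub(/:[0-9]+$/, "", hostport); return hostport }
    /dropbear\[[0-9]+\]: Child connection from/ { conn[src($NF)]++ }
    /dropbear\[[0-9]+\]: (Login attempt for nonexistent user|Bad password attempt)/ { fail[src($NF)]++ }
    END { for (ip in conn) printf "%s %d %d\n", ip, conn[ip], fail[ip] + 0 }
    ' | sort -k3,3nr -k1,1
}

# Prints the addresses with at least $1 failed logins (default 3): the set a
# fail2ban-style jail would pass on to a firewall DROP rule.
offenders() {
    threshold="${1:-3}"
    auth_summary | awk -v t="$threshold" '$3 >= t { print $1 }'
}

# Stand-alone demo on the constructed sample: the summary table.
sample_log | auth_summary
```

On a router the input would be whatever the syslog exposes (for example `cat /var/log/messages | offenders 3`, assuming that is where the build writes it); the printed addresses are what a jail would block, and any management address you deliberately allow, as later posts in this thread suggest, should be excluded before blocking so that a typo in your own password cannot lock you out.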
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Mon Apr 05, 2021 8:14 Post subject:
ed25519 ?? last time I tried an SSH key with ed25519 it was fun..
but yep, secure web access with a (password protected) SSH key with max acceptable encryption...and no password entry allowed, it's fine...
just add some restricting/permitting iptables rules and you are done, safe and sound to use SSH via web...but as EGC noted, best practice is VPN remote access to the router only...
to be honest WEB administration is not needed unless you are really in demand of it, like no physical access to the router and doing some remote administration... _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Alozaros wrote:
ed25519 ?? last time I tried an SSH key with ed25519 it was fun..
currently not supported by DD-WRT with Dropbear SSH (probably not configured for space reasons)
but I have been using curve25519 for a while on other machines
it has e.g. the advantage that it is much faster than RSA and is generally considered to be secure (while RSA now requires keys that are at least 3072 bits long)
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Mon Apr 05, 2021 11:41 Post subject:
ho1Aetoo wrote:
Alozaros wrote:
ed25519 ?? last time I tried an SSH key with ed25519 it was fun..
currently not supported by DD-WRT with Dropbear SSH (probably not configured for space reasons)
but I have been using curve25519 for a while on other machines
it has e.g. the advantage that it is much faster than RSA and is generally considered to be secure (while RSA now requires keys that are at least 3072 bits long)
ho1Aetoo wrote:
it is best to use a secure cryptographic key like ed25519
yep I know ed25519 is faster, and I also know it's not supported...(learned it the hard way)... that's why I'm not advising people to use it on DD-WRT routers yet...and said use 'max acceptable encryption' instead
Joined: 24 Oct 2008 Posts: 1079 Location: Latin America
Posted: Mon Apr 05, 2021 20:33 Post subject:
You can also filter the IP addresses you allow to remotely access your device. _________________ If you want support, please read first the announcements and forum rules.
If you want help, please read the announcements and forum rules first.
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Mon Apr 12, 2021 10:01 Post subject:
VPN doesn't guarantee you are safe from tracking at all..
You may get tracked inside the VPN pool too...or if you have compromised software running, it can even communicate with the malicious origin, wherever you are...
Also there is a known bug in Windows/Mac where a VPN could be compromised in terms of geolocation and then they know it's you ...
However, there are tricks, like a tin-foil hat, that help with WiFi radiation and internet paranoia, or security oriented courses/web sites, where you can gain more knowledge on how to pursue better security and good internet hygiene...
Joined: 08 May 2018 Posts: 14246 Location: Texas, USA
Posted: Mon Apr 12, 2021 16:58 Post subject:
Alozaros wrote:
ho1Aetoo wrote:
Alozaros wrote:
ed25519 ?? last time I tried an SSH key with ed25519 it was fun..
currently not supported by DD-WRT with Dropbear SSH (probably not configured for space reasons)
but I have been using curve25519 for a while on other machines
it has e.g. the advantage that it is much faster than RSA and is generally considered to be secure (while RSA now requires keys that are at least 3072 bits long)
ho1Aetoo wrote:
it is best to use a secure cryptographic key like ed25519
yep I know ed25519 is faster, and I also know it's not supported...(learned it the hard way)... that's why I'm not advising people to use it on DD-WRT routers yet...and said use 'max acceptable encryption' instead
Yep, it was never supported, even though some 'professional' claimed it was
VPN doesn't guarantee you are safe from tracking at all..
You may get tracked inside the VPN pool too...or if you have compromised software running, it can even communicate with the malicious origin, wherever you are...
Also there is a known bug in Windows/Mac where a VPN could be compromised in terms of geolocation and then they know it's you ...
However, there are tricks, like a tin-foil hat, that help with WiFi radiation and internet paranoia, or security oriented courses/web sites, where you can gain more knowledge on how to pursue better security and good internet hygiene...
I use a trusted VPN and it does say that it masks my IP address; if what you're saying is true then thanks. I'll have to try that now.
Last edited by atifak on Wed Apr 14, 2021 4:58; edited 1 time in total