Unknown dropbear login on router in log

DD-WRT Forum Index -> Broadcom SoC based Hardware
buffpatel
DD-WRT User


Joined: 22 Feb 2011
Posts: 115

PostPosted: Sun Apr 11, 2021 19:40    Post subject: Unknown dropbear login on router in log
Hi,

I was going through my router logs this morning and noticed a few new messages I had never seen before. Here's one of them:

Apr 11 13:29:04 R8000 authpriv.notice dropbear[3013]: Password auth succeeded for 'root' from 78.128.113.150:58538

I had like 2 or 3 of these throughout the night from different IP addresses, which seemed weird to me. I check my logs every 2-3 days and had never seen this before, so this is completely brand new. I immediately rebooted my router thinking it was perhaps an error or something. I didn't get any more of them until maybe an hour ago when I saw the above one pop up.

I did an IP lookup search on this IP address, and it appears this 78.128.113.150 IP address is in Bulgaria. I'm concerned that it means someone found a way to access my router.

Like on the Administration tab, under remote access, I had WebGUI and SSH access disabled, so I'm not sure how anyone could even access my router remotely. Do I need to do something else to ensure no one can access my router from outside my LAN?

Any advice on what to do? My best guess is:

1) Disable SSH under services immediately
2) Make a manual note of all my settings (on paper as I don't know if doing a router backup and restoring settings would somehow allow this access to happen again)
3) Reflash the firmware with a reset of all settings
4) Erase NVRAM
5) Manually add back all settings

Does that seem like a good plan?
Thanks in advance!
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

PostPosted: Sun Apr 11, 2021 19:52
Disable password login for dropbear and use key authentication, especially if you are opening it up to remote access via WAN.

Code:
$ host 78.128.113.150
150.113.128.78.in-addr.arpa domain name pointer ip-113-150.4vendeta.com.

_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
buffpatel
DD-WRT User


Joined: 22 Feb 2011
Posts: 115

PostPosted: Sun Apr 11, 2021 20:17
kernel-panic69 wrote:
Disable password login for dropbear and use key authentication, especially if you are opening it up to remote access via WAN.


Hi kernel-panic69,

Thanks for the quick reply! I am currently researching how to enable key authentication and found some things about using puttygen to set it up. I will have it set up soon.

One question though - how do I close remote access via WAN? I don't think my settings allow for remote access, so is there some other issue I have? I attached a screenshot of my administration tab showing my settings and I have SSH management disabled.

If I try to disable "Allow any remote IP" then it opens up a box that forces me to choose some IP address so I kept that enabled.



Attachment: Capture.PNG (screenshot of the Administration tab)


kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

PostPosted: Sun Apr 11, 2021 20:27
Are those the settings you had set up when this happened? If so, then something is definitely amiss if a remote client from the internet connected and was able to log in. I don't think the "allow any IP" is effective until remote management of WebUI, ssh, or telnet is enabled.
buffpatel
DD-WRT User


Joined: 22 Feb 2011
Posts: 115

PostPosted: Sun Apr 11, 2021 20:39
Those have always been my settings (disabled remote access) - and that's why this does not make any sense at all. I looked through my log more carefully and interestingly, the connection was closed immediately after it was opened. Does that mean anything? Here is my full log around the event. Of note - it occurred while my router was rebooting and had just updated its time and was connecting to wifi clients. (I deleted MAC addresses).


Apr 11 13:29:01 R8000 daemon.info process_monitor[2906]: cyclic NTP Update success (servers 2.pool.ntp.org 212.18.3.19 88.99.174.22)
Apr 11 13:29:01 R8000 daemon.info hostapd: wlan2: STA 04:1e:64:f0:65:bb WPA: group key handshake completed (RSN)
Apr 11 13:29:02 R8000 authpriv.info dropbear[3013]: Child connection from 78.128.113.150:58538
Apr 11 13:29:02 R8000 daemon.warn openvpn[1812]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Apr 11 13:29:02 R8000 daemon.notice openvpn[1812]: UDPv4 link local (bound): [AF_INET][undef]:43081
Apr 11 13:29:02 R8000 daemon.notice openvpn[1812]: UDPv4 link remote: [AF_UNSPEC]
Apr 11 13:29:02 R8000 daemon.notice openvpn[1812]: Initialization Sequence Completed
Apr 11 13:29:03 R8000 user.info : vpn modules : vpn modules successfully unloaded
Apr 11 13:29:03 R8000 user.info : vpn modules : nf_conntrack_proto_gre successfully loaded
Apr 11 13:29:03 R8000 user.info : vpn modules : nf_nat_proto_gre successfully loaded
Apr 11 13:29:03 R8000 user.info : vpn modules : nf_conntrack_pptp successfully loaded
Apr 11 13:29:03 R8000 user.info : vpn modules : nf_nat_pptp successfully loaded
Apr 11 13:29:04 R8000 authpriv.notice dropbear[3013]: Password auth succeeded for 'root' from 78.128.113.150:58538
Apr 11 13:29:04 R8000 user.info : sfe : shortcut forwarding engine successfully stopped
Apr 11 13:29:04 R8000 daemon.info hostapd: wlan0: STA XX:XX:XX:XX:XX:XX IEEE 802.11: associated
Apr 11 13:29:04 R8000 daemon.info hostapd: wlan0: STA XX:XX:XX:XX:XX:XX RADIUS: starting accounting session C0F33F9B50B2BA16
Apr 11 13:29:04 R8000 daemon.info hostapd: wlan0: STA XX:XX:XX:XX:XX:XX WPA: pairwise key handshake completed (RSN)
Apr 11 13:29:04 R8000 authpriv.info dropbear[3013]: Exit (root) from <78.128.113.150:58538>: Exited normally
Apr 11 13:29:05 R8000 daemon.debug process_monitor[2906]: Restarting cron (time sync change)
Apr 11 13:29:05 R8000 user.info : cron : daemon successfully stopped
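The log excerpt above (and the single "Password auth succeeded" line in the first post) carries enough to answer the two questions asked in this thread from the log alone: did the peer actually authenticate, and how long did it stay connected. The script below is an added example, not code from the forum or from DD-WRT. It correlates dropbear's per-connection messages ("Child connection", "Password auth succeeded", "Bad password attempt", "Exit") into sessions keyed by the child PID and peer address, then flags any password login from an address outside the trusted networks. The trusted ranges (DD-WRT's default LAN 192.168.1.0/24 and an assumed OpenVPN tunnel 10.8.0.0/24) and the two extra sessions in the sample (PIDs 3101 and 3150) are assumptions constructed here; the first five lines are the ones posted above.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Syslog excerpt as posted in this thread (router name R8000, real dropbear
# messages), followed by two constructed sessions (PIDs 3101 and 3150) so that
# a LAN login and a failed remote attempt are exercised as well.
SAMPLE_LOG = """\
Apr 11 13:29:01 R8000 daemon.info process_monitor[2906]: cyclic NTP Update success (servers 2.pool.ntp.org 212.18.3.19 88.99.174.22)
Apr 11 13:29:02 R8000 authpriv.info dropbear[3013]: Child connection from 78.128.113.150:58538
Apr 11 13:29:02 R8000 daemon.notice openvpn[1812]: Initialization Sequence Completed
Apr 11 13:29:04 R8000 authpriv.notice dropbear[3013]: Password auth succeeded for 'root' from 78.128.113.150:58538
Apr 11 13:29:04 R8000 authpriv.info dropbear[3013]: Exit (root) from <78.128.113.150:58538>: Exited normally
Apr 11 13:30:10 R8000 authpriv.info dropbear[3101]: Child connection from 192.168.1.50:50122
Apr 11 13:30:11 R8000 authpriv.notice dropbear[3101]: Password auth succeeded for 'root' from 192.168.1.50:50122
Apr 11 13:31:00 R8000 authpriv.info dropbear[3150]: Child connection from 203.0.113.9:40000
Apr 11 13:31:02 R8000 authpriv.warn dropbear[3150]: Bad password attempt for 'root' from 203.0.113.9:40000
Apr 11 13:31:03 R8000 authpriv.info dropbear[3150]: Exit before auth from <203.0.113.9:40000>: Exited normally
"""

# One regex for the syslog envelope, then one per dropbear message we care about.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ \S+ dropbear\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
PEER = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
MSG_RES = {
    "connect":      re.compile(rf"^Child connection from {PEER}$"),
    "password_ok":  re.compile(rf"^Password auth succeeded for '(?P<user>[^']+)' from {PEER}$"),
    "pubkey_ok":    re.compile(rf"^Pubkey auth succeeded for '(?P<user>[^']+)' with key .* from {PEER}$"),
    "password_bad": re.compile(rf"^Bad password attempt for '(?P<user>[^']+)' from {PEER}$"),
    "exit":         re.compile(rf"^Exit(?: \((?P<user>[^)]+)\)| before auth) from <{PEER}>: (?P<reason>.*)$"),
}

# Assumed trusted ranges: the DD-WRT default LAN and an OpenVPN server tunnel
# subnet; adjust to the actual setup.
TRUSTED_NETS = ("192.168.1.0/24", "10.8.0.0/24")


def parse_dropbear_events(text):
    """Return the dropbear events in a syslog text, oldest first; other daemons are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for kind, rx in MSG_RES.items():
            mm = rx.match(m.group("msg"))
            if mm:
                events.append({
                    "kind": kind,
                    "pid": int(m.group("pid")),
                    # BSD syslog timestamps carry no year; only differences are used below
                    "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
                    "ip": mm.group("ip"),
                    "port": int(mm.group("port")),
                    "user": mm.groupdict().get("user"),
                })
                break
    return events


def build_sessions(events):
    """Group events into sessions keyed by (pid, peer ip, peer port); dropbear forks one child per connection."""
    sessions = {}
    for ev in events:
        key = (ev["pid"], ev["ip"], ev["port"])
        s = sessions.setdefault(key, {
            "pid": ev["pid"], "ip": ev["ip"], "port": ev["port"],
            "start": ev["ts"], "end": None, "auth": None, "user": None, "bad_attempts": 0,
        })
        if ev["kind"] == "password_ok":
            s["auth"], s["user"] = "password", ev["user"]
        elif ev["kind"] == "pubkey_ok":
            s["auth"], s["user"] = "pubkey", ev["user"]
        elif ev["kind"] == "password_bad":
            s["bad_attempts"] += 1
        elif ev["kind"] == "exit":
            s["end"] = ev["ts"]
    return list(sessions.values())


def review_sessions(sessions, trusted_nets=TRUSTED_NETS):
    """Return (severity, peer ip, description) findings, one per session worth a look."""
    nets = [ip_network(n) for n in trusted_nets]
    findings = []
    for s in sessions:
        remote = not any(ip_address(s["ip"]) in n for n in nets)
        life = f"{(s['end'] - s['start']).total_seconds():.0f}s" if s["end"] else "still open"
        if s["auth"] == "password" and remote:
            findings.append(("CRITICAL", s["ip"],
                             f"password login as '{s['user']}' from outside trusted networks, session lasted {life}"))
        elif s["auth"] is None and s["bad_attempts"]:
            findings.append(("WARN", s["ip"], f"{s['bad_attempts']} failed password attempt(s), no login"))
        elif s["auth"] == "password":
            findings.append(("INFO", s["ip"], f"password login as '{s['user']}' from a trusted network"))
    return findings


if __name__ == "__main__":
    for sev, ip, what in review_sessions(build_sessions(parse_dropbear_events(SAMPLE_LOG))):
        print(f"{sev:8} {ip:16} {what}")
```

Run against the posted excerpt it reports one CRITICAL finding for 78.128.113.150: a successful password login as root with a two-second session. A short session is not reassuring by itself; an authenticated session that exits right away is exactly what a scripted login looks like, so the useful signal is the "Password auth succeeded" line, not the "Exited normally" after it. Pubkey logins are parsed too, so after switching dropbear to key authentication the same script will show whether password logins have actually stopped.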
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

PostPosted: Sun Apr 11, 2021 20:42
It could mean someone has attempted to gain access. On your firewall settings (Security tab), under "Impede WAN DoS/Bruteforce", do you have all of those checked (enabled) as well?
buffpatel
DD-WRT User


Joined: 22 Feb 2011
Posts: 115

PostPosted: Sun Apr 11, 2021 20:49
No, I did not have any of the Impede WAN DoS/Bruteforce options enabled at the time this all happened. I have since checked them all and applied settings.

Perhaps that's all that I can do at this point? Reformatting, redoing all my settings, using key authentication, and enabling the Impede WAN/DoS options in security.

I just wanted to make sure this wasn't some sort of security issue with dropbear, because it still leaves me with the question of why it even accepted a connection through the WAN when it was disabled in the Administration tab.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Sun Apr 11, 2021 20:57
Do you use Openvpn?
If so do you have the Firewall of openvpn enabled?

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
buffpatel
DD-WRT User


Joined: 22 Feb 2011
Posts: 115

PostPosted: Sun Apr 11, 2021 20:59
egc wrote:
Do you use Openvpn?
If so do you have the Firewall of openvpn enabled?


I do use OpenVPN and I noticed I do not have the Inbound Firewall on TUN option checked.

I will enable it. Do you think it's an OpenVPN issue? I will say last night while at work, I did log in to my router using my OpenVPN connection and all this started after that.

If it's an OpenVPN issue, does this mean I need to reissue my keys for it?
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

PostPosted: Mon Apr 12, 2021 10:24
well do we know your router model and current firmware number on it... it's very important...

are you part of a fibernet network....??
as they have a virtual network (VPS), where they claim it's safe and isolated from each other and they provide you with a static IP address where it's open/visible to the WEB..but they kindly do not exclude the option of VLAN hopping...
You can limit dropbear use to a specific MAC address or IP, as well as change its port and lock SSH with key login only (password-protected key) and see if this will work...if you are not part of a 'fibernet network', you can limit all its IP range via iptables rules..

iptables -I FORWARD -s 78.128.113.0/24 -j DROP
iptables -I INPUT -s 78.128.113.0/24 -j DROP

those 2 will limit that network, so it won't see you...

there was a current issue with a firmware (number), that if you had anything in 'access restrictions' was causing that issue, do you have anything there..?? that's why I asked for your current firmware build ?

also disable upnp and ping, if by any chance you run those on your router side...

P.S. if all those come from the VPN side then it's another game...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913


Last edited by Alozaros on Mon Apr 12, 2021 12:12; edited 1 time in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Mon Apr 12, 2021 10:38
buffpatel wrote:
egc wrote:
Do you use Openvpn?
If so do you have the Firewall of openvpn enabled?


I do use OpenVPN and I noticed I do not have the Inbound Firewall on TUN option checked.

I will enable it. Do you think it's an OpenVPN issue? I will say last night while at work, I did log in to my router using my OpenVPN connection and all this started after that.

If it's an OpenVPN issue, does this mean I need to reissue my keys for it?


I was not very clear but I was referring to an OpenVPN client.
For the server you cannot enable the Firewall, otherwise you cannot reach your server.

Running a server you should be fine (if you have a recent build); of course someone can try to log into your OpenVPN server but not into the router itself.

Of course if your keys are out in the wild that is possible.

Are you sure it is not a login from yourself via the OpenVPN server from somewhere else (maybe the client you used to log in to the OVPN server is routed via a VPN?)

If not I would reset the router to defaults and make new OpenVPN keys etc.

buffpatel
DD-WRT User


Joined: 22 Feb 2011
Posts: 115

PostPosted: Mon Apr 12, 2021 18:48
Alozaros wrote:
well do we know your router model and current firmware number on it... it's very important...

are you part of a fibernet network....??
as they have a virtual network (VPS), where they claim it's safe and isolated from each other and they provide you with a static IP address where it's open/visible to the WEB..but they kindly do not exclude the option of VLAN hopping...
You can limit dropbear use to a specific MAC address or IP, as well as change its port and lock SSH with key login only (password-protected key) and see if this will work...if you are not part of a 'fibernet network', you can limit all its IP range via iptables rules..

iptables -I FORWARD -s 78.128.113.0/24 -j DROP
iptables -I INPUT -s 78.128.113.0/24 -j DROP

those 2 will limit that network, so it won't see you...

there was a current issue with a firmware (number), that if you had anything in 'access restrictions' was causing that issue, do you have anything there..?? that's why I asked for your current firmware build ?

also disable upnp and ping, if by any chance you run those on your router side...

P.S. if all those come from the VPN side then it's another game...


Hi Alozaros,

Thank you for the very detailed reply and suggestions! So for my router:

R8000
Firmware affected: BOTH 4/7/21 - r46301 and 4/9/21 - r46316 were affected as in I had strange login messages on my Syslog. I use the Administration->syslog page, and it highlighted these logins in a bright green color, so I am 100% certain that I did not miss seeing these on any previous firmware and I usually scroll through my logs every 2-3 days.

Prior to the 4/7/21 firmware, I was using 4/3/21 - r46259 which was NOT affected.

I don't have anything added to the access restrictions in my firmware setup. I did have uPNP enabled on my router, but have since turned it off. Not sure how to disable ping.

I am not part of a fibernet network. Not even sure what that is, to be honest. I have Spectrum cable internet with a cable modem. My router is connected directly to the modem. No special set up at all in my case.

In terms of my set up, I do have an OpenVPN Server running on my R8000. I use it to login to my network whenever I'm on a public wifi hotspot for security. I believe that's the intended use for it. I always thought using OpenVPN in that way was secure, but am starting to wonder if that could be a security issue - ie. do I need to switch to a paid VPN for security when traveling (like PureVPN, or HideMyAss, etc?).

My OpenVPN server also has a site to site OpenVPN tunnel from my parents' router to my router. I have an OpenVPN client running on their router and it's connected to my network so whenever they have network issues (or problems with their printer) I can directly log in to their devices to help them troubleshoot. I checked all of their syslogs and did not see any dropbear logins for them.

I think for my purposes, perhaps I can try to use the key access for SSH along with another very simple protective measure. I can keep SSH disabled until I specifically need it. If/when I need to SSH into the router, I can first remotely log in to my router with OpenVPN and enable it. Then make sure to disable SSH once I'm done with it. Lastly, I think I will turn off my router and cable modem for like 4-5 hours and then turn them both on later. This way I should get a completely new IPv4 and IPv6 address which should also help shield me from whoever made the logins on my router. They can't really log in to my router if they no longer have my IP address, right?
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

PostPosted: Mon Apr 12, 2021 18:56
Could be a possible botnet scanning for vulnerable routers. I hadn't thought about that until I saw a post in another thread about something similar.
buffpatel
DD-WRT User


Joined: 22 Feb 2011
Posts: 115

PostPosted: Mon Apr 12, 2021 19:03
egc wrote:
buffpatel wrote:
egc wrote:
Do you use Openvpn?
If so do you have the Firewall of openvpn enabled?


I do use OpenVPN and I noticed I do not have the Inbound Firewall on TUN option checked.

I will enable it. Do you think it's an OpenVPN issue? I will say last night while at work, I did log in to my router using my OpenVPN connection and all this started after that.

If it's an OpenVPN issue, does this mean I need to reissue my keys for it?


I was not very clear but I was referring to an OpenVPN client.
For the server you cannot enable the Firewall, otherwise you cannot reach your server.

Running a server you should be fine (if you have a recent build); of course someone can try to log into your OpenVPN server but not into the router itself.

Of course if your keys are out in the wild that is possible.

Are you sure it is not a login from yourself via the OpenVPN server from somewhere else (maybe the client you used to log in to the OVPN server is routed via a VPN?)

If not I would reset the router to defaults and make new OpenVPN keys etc.


Hello,

Haha - I unfortunately learned the hard way about the OpenVPN Firewall pretty much stopping my VPN from connecting! I have since disabled the OpenVPN firewall on BOTH my OpenVPN server on my router and on the OpenVPN client on my parents router.

Please see my post above, but my setup is: my router only has the OpenVPN server running. I use it to log in from my cellphone when traveling or when at work. I work in a hospital and they apparently blocked the dd-wrt website as it's listed as "controversial" in their security settings. Funny story, but I had logged into my OpenVPN server 2 nights ago while at work to read the forum when all this started!

My parents router also has OpenVPN client running which is connected to my routers server in a site to site tunnel so I can help them with any network issues from my home.

Your thought about the login being me is a good one, but I know that's not possible because I don't use any other VPN service so I should not have any routing to Europe or elsewhere. Also, this occurred while I was at work in the hospital 2 nights ago after I connected from the hospital, but the messages occurred after I disconnected. For safety I only connect to my VPN to browse the web, then immediately disconnect once I'm done using it. Lastly, when it occurred yesterday morning, it happened while I was at home and had just flashed the newest firmware - 4/9/21 version - upon the first startup of the router after the flash. Interestingly, it occurred right after the router had set the clock, but BEFORE the OpenVPN service was enabled, so I just don't know if my OpenVPN connection was the way the connection occurred.

One thought I had was it seems strange to me if someone maliciously got access to my router, that they'd login, and then immediately logoff in the same second as my log posted a few messages above show. Like why would anyone, once they gain access to a computer, logoff before they did anything? Could it be possible this was something related to the firmware itself and I'm misinterpreting a normal function of the firmware?

Either way, I've already reset my router, painfully re-entered all my settings (including over 30 static IP addresses), set up my OpenVPN network again and issued new keys, and also disabled SSH access. I am planning on powering down my whole network for 4-5 hours to get a new IP address and I don't know what else I can do above that.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

PostPosted: Mon Apr 12, 2021 19:41
here are egc's guides regarding VPN server set up
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398

client must match the server settings, try to use a decent encryption...
if not used... telnet and ssh over the WAN must be disabled or use ssh with key only if needed...

log-in and immediately log-off may mean they didn't match the requirements and dropbear dropped it off..
yep it's a good idea to reset/redo...settings, you can add static leases in the DNSmasq advanced config box, instead of the GUI, it's easy...use this format

dhcp-host=xx:xx:xx:xx:xx:xx,my-phone,192.168.1.116,infinite
dhcp-host=xx:xx:xx:xx:xx:xx,tv,192.168.1.106,infinite

xx=replace those with MAC addresses

i would advise you to disable upnp, it's a very bad practice...
disable ping is on the security page
Block WAN Requests - Block Anonymous WAN Requests (ping)

on server VPN settings and client, use this option turned on: Inbound Firewall on TUN (tick that box),
unless it interferes with your settings... then you can specify a route in advanced set up...but have a look at the guide, as well deeply search through the ddwrt forum...lots of info on the subject..i just don't have time to find those to share with you...

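Re-entering 30+ static leases by hand into the DNSmasq box, as suggested above, is where a typo slips in, and dnsmasq refuses to start on an unknown option name, which takes DHCP down for the whole LAN. The checker below is an added example, not code from this thread or from DD-WRT: it parses dhcp-host lines in the four-field form shown in the post (MAC,name,IP,lease) and reports a misspelled option name, a malformed MAC or IP, an address outside the LAN, an unrecognised lease time, and a MAC or IP used twice. The LAN subnet 192.168.1.0/24 and the sample entries (with deliberate errors) are constructed assumptions; dnsmasq itself accepts more dhcp-host forms than the one checked here.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample in the four-field form shown in the post (MAC,name,IP,lease);
# the errors are deliberate so that each check below fires exactly once.
DHCP_HOSTS = """\
# static leases (constructed sample)
dhcp-host=aa:bb:cc:dd:ee:01,my-phone,192.168.1.116,infinite
dhcphost=aa:bb:cc:dd:ee:02,tv,192.168.1.106,infinite
dhcp-host=aa:bb:cc:dd:ee:03,printer,192.168.2.20,infinite
dhcp-host=AA:BB:CC:DD:EE:01,laptop,192.168.1.120,24h
dhcp-host=aa:bb:cc:dd:ee:04,nas,192.168.1.116,infinite
dhcp-host=aa:bb:cc:dd:ee:0g,camera,192.168.1.130,infinite
"""

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")
LEASE_RE = re.compile(r"^(?:infinite|\d+[smhd]?)$")


def check_dhcp_hosts(config_text, lan="192.168.1.0/24"):
    """Parse dhcp-host lines; return (entries, problems), problems as (line number, message)."""
    net = ip_network(lan)
    seen_mac, seen_ip, entries, problems = {}, {}, [], []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key != "dhcp-host":
            # dnsmasq rejects an unknown option name and fails to start, so catch the typo first
            if key.replace("-", "").replace("_", "").lower() == "dhcphost":
                problems.append((lineno, f"misspelled option '{key}', should be 'dhcp-host'"))
            continue
        fields = [f.strip() for f in value.split(",")]
        if len(fields) != 4:
            problems.append((lineno, f"expected MAC,name,IP,lease but found {len(fields)} fields"))
            continue
        mac, name, ip, lease = fields
        mac = mac.lower()  # compare MACs case-insensitively
        if not MAC_RE.match(mac):
            problems.append((lineno, f"malformed MAC address '{mac}'"))
            continue
        try:
            addr = ip_address(ip)
        except ValueError:
            problems.append((lineno, f"malformed IP address '{ip}'"))
            continue
        if addr not in net:
            problems.append((lineno, f"{ip} is outside the LAN {lan}"))
        if not LEASE_RE.match(lease):
            problems.append((lineno, f"unrecognised lease time '{lease}'"))
        if mac in seen_mac:
            problems.append((lineno, f"MAC {mac} already used on line {seen_mac[mac]}"))
        if addr in seen_ip:
            problems.append((lineno, f"IP {ip} already used on line {seen_ip[addr]}"))
        seen_mac.setdefault(mac, lineno)
        seen_ip.setdefault(addr, lineno)
        entries.append((mac, name, str(addr), lease))
    return entries, problems


if __name__ == "__main__":
    ok, bad = check_dhcp_hosts(DHCP_HOSTS)
    print(f"{len(ok)} well-formed entries")
    for lineno, msg in bad:
        print(f"line {lineno}: {msg}")
```

Paste the contents of the DNSmasq additional-options box into DHCP_HOSTS (or read it from a file) and fix every reported line before applying; a duplicate IP in particular is worth catching, since two hosts pinned to one address is a quiet way to lose connectivity to the device you were trying to reach.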