Someone tried to hack into my Network

Post new topic   Reply to topic    DD-WRT Forum Index -> General Questions
kalrez
DD-WRT Novice


Joined: 28 Jan 2022
Posts: 39

PostPosted: Fri Sep 09, 2022 18:09    Post subject: Someone tried to hack into my Network
This is odd, as usually after 5 attempts IPs are blocked for 5 minutes (and usually don't show up again trying to penetrate my network).

This one attempting IP address is from Hong Kong and belongs to HGC Global Communications Limited (HGC). I had 450+ attempts within 10 minutes with no 5 minute blocking by the router.

Sep 9 13:37:52 (@)v(@) daemon.info telnetd[902]: [telnetd] : client 221.127.24.95 is blocked, terminate connection

From all I can tell they did not get any farther. I am using the SPI firewall; are there any other settings I should be utilizing in DD-WRT?



Attachment: Hacker.PNG (Description: Hack attempt)
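Added example (not from the original post or from DD-WRT itself): a small POSIX sh/awk script that counts the "client ... is blocked" telnetd lines per source address, so a burst like the 450 attempts described above stands out in the router syslog. The log lines below are constructed for the example in the same format as the one quoted in the post; apart from the address from the post, the IPs are documentation ranges. On a router you would feed it `logread` output or a saved syslog instead of the sample.

```shell
#!/bin/sh
# Constructed sample of DD-WRT syslog lines (same format as the line quoted
# in the post). Only 221.127.24.95 comes from the post; the other addresses
# are RFC 5737 documentation ranges.
SAMPLE_LOG='Sep 9 13:37:52 (@)v(@) daemon.info telnetd[902]: [telnetd] : client 221.127.24.95 is blocked, terminate connection
Sep 9 13:37:53 (@)v(@) daemon.info telnetd[902]: [telnetd] : client 221.127.24.95 is blocked, terminate connection
Sep 9 13:38:10 (@)v(@) daemon.info telnetd[902]: [telnetd] : client 198.51.100.7 is blocked, terminate connection
Sep 9 13:38:41 (@)v(@) daemon.info telnetd[902]: [telnetd] : client 221.127.24.95 is blocked, terminate connection
Sep 9 13:39:02 (@)v(@) daemon.info dropbear[903]: Child connection from 203.0.113.9:51022
Sep 9 13:39:15 (@)v(@) daemon.info telnetd[902]: [telnetd] : client 221.127.24.95 is blocked, terminate connection'

# Read syslog text on stdin and print "<ip> <count>" for every source that
# telnetd reported as blocked, most frequent first. Only telnetd "is blocked"
# lines are counted; the dropbear line above is ignored.
count_blocked_clients() {
    awk '/telnetd.*client [0-9.]+ is blocked/ {
             for (i = 1; i <= NF; i++) if ($i == "client") n[$(i + 1)]++
         }
         END { for (ip in n) print ip, n[ip] }' | sort -k2,2nr -k1,1
}

# Print only the addresses with at least <threshold> blocked attempts
# (argument 1, default 5, matching the "5 attempts" rule from the post).
noisy_clients() {
    count_blocked_clients | awk -v t="${1:-5}" '$2 >= t { print $1 }'
}

# Stand-alone run: summarise the constructed sample. On the router, replace
# the sample with:   logread | count_blocked_clients
printf '%s\n' "$SAMPLE_LOG" | count_blocked_clients
```

Piping `logread` through `count_blocked_clients` on a schedule (cron on DD-WRT) and alerting on `noisy_clients` gives a cheap check that the per-IP lockout is really kicking in: a single address with hundreds of hits inside a few minutes, as in the original post, means the limit is not being enforced.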

dale_gribble39
DD-WRT Guru


Joined: 11 Jun 2022
Posts: 1899

PostPosted: Fri Sep 09, 2022 19:05    Post subject:
Looks as if they are trying to guess the timing of attempts before it blocks them. If "limit telnet" is set, this is "normal". If anything, you should have ssh key authentication open on the WAN and nothing else, not even https.
_________________
"The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost

"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio

<fact>code knows no gender</fact>

This is me, knowing I've ruffled your feathers, and not giving a ****
Some people are still hard-headed.

--------------------------------------
Mac Pro (Mid 2012) - Two 2.4GHz 6-Core Intel Xeon E5645 processors 64GB 1333MHz DDR3 ECC SDRAM OpenSUSE Leap 15.5
kalrez
DD-WRT Novice


Joined: 28 Jan 2022
Posts: 39

PostPosted: Fri Sep 09, 2022 20:55    Post subject:
Impede WAN DoS / Bruteforce

Limit Telnet Access

Was / is check marked.

I've been doing a Load of changes in SmartDNS trying to understand and get Adsguard running. Maybe something got FUed with Limit Telnet Access along the many changes and various soft restarts. I have done a hard reboot on the router and so far I don't see any Funky incursions beyond the normal 5 denials and wait 5 minutes etc.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

PostPosted: Sat Sep 10, 2022 7:50    Post subject:
Telnet = Vulnerable !!! especially over WAN... (I disable it totally)

As dale_gribble39 noted, use SSH with key authorisation only... use a minimum RSA SSH-2 2048-bit key... I even password protect the key too...
(I used to use a 3072-bit SSH key protected with a complex password)

Limit SSH Access too...

IMPORTANT: disable router SSH Password Authorisation... so there is no way to authorise via SSH with a password only...

Finally, you can block the whole range it belongs to or just this IP (save as a firewall script):

iptables -I INPUT -s 221.127.24.95 -j DROP
iptables -I FORWARD -s 221.127.24.95 -j DROP

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
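Added example, not from the post above or from the DD-WRT project: the two iptables lines in the post as a reusable firewall script. It validates every entry as an IPv4 address or CIDR before building a rule, drops the source in both INPUT and FORWARD like the original commands, and probes with `iptables -C` first so re-running the script (DD-WRT re-applies the saved firewall script on every WAN up) does not stack duplicate rules. The block list is constructed for the example: the first entry is the address from the thread, the rest are documentation ranges. `apply_block_rules` only executes the rules when an `iptables` binary exists; elsewhere it prints them for review.

```shell
#!/bin/sh
# Constructed block list: one address per line, optionally with a /prefix.
# 221.127.24.95 is the address from the thread; the others are RFC 5737
# documentation ranges used only to show the CIDR form.
BLOCKLIST='221.127.24.95
198.51.100.0/24
203.0.113.0/24'

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix,
# 1 otherwise. A typo or injected text must never reach an iptables command.
valid_ipv4() {
    printf '%s\n' "$1" | awk '
        $0 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ { bad = 1; next }
        {
            n = split($0, f, /[.\/]/)
            for (i = 1; i <= 4; i++) if (f[i] + 0 > 255) bad = 1
            if (n == 5 && f[5] + 0 > 32) bad = 1
        }
        END { exit bad }'
}

# Emit the commands for one source: "-C" checks whether an identical rule is
# already present and "-I" only runs when that check fails.
block_rule_lines() {
    for chain in INPUT FORWARD; do
        printf 'iptables -C %s -s %s -j DROP 2>/dev/null || iptables -I %s -s %s -j DROP\n' \
            "$chain" "$1" "$chain" "$1"
    done
}

# Turn BLOCKLIST into a script body on stdout. Invalid entries are reported
# on stderr and skipped; the return value is the number of skipped entries.
generate_block_script() {
    bad=0
    for addr in $BLOCKLIST; do
        if valid_ipv4 "$addr"; then
            block_rule_lines "$addr"
        else
            echo "skipping invalid block list entry: $addr" >&2
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# On the router (iptables present) apply the rules; elsewhere just show them.
apply_block_rules() {
    if command -v iptables >/dev/null 2>&1; then
        generate_block_script | sh
    else
        generate_block_script
    fi
}

# Stand-alone use: "sh block.sh apply" applies, plain "sh block.sh" previews.
if [ "${1:-}" = "apply" ]; then
    apply_block_rules
else
    generate_block_script
fi
```

Saved as the firewall script in Administration -> Commands, this runs with each firewall restart; the `-C || -I` pattern is what keeps `iptables -L INPUT` from filling up with one copy of each rule per restart. Blocking by address is still only a stopgap: the source can change, so the telnet-off / key-only SSH advice in the post is what actually removes the exposure.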
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

PostPosted: Sat Sep 10, 2022 10:53    Post subject:
Telnet has no security whatsoever and is typically owned inside 60 seconds.

I recommend you disable telnet, then reboot so that any non-persistent malware that may have gotten through is removed, and then after the reboot change your passwords, not before.

5 minute blocking only applies to HTTP/S failed logins if I'm not mistaken.

PS. nope it applies around all.

_________________
Saving your retinas from the burn!🔥
DD-WRT Inspired themes for routers
DD-WRT Inspired themes for the phpBB Forum
DD-WRT Inspired themes for the SVN Trac & FTP site
Join in for a chat @ #style_it_themes_public:matrix.org or #style_it_themes:discord

DD-WRT UI Themes Bug Reporting and Discussion thread

Router: ANus RT-AC68U E1 (recognized as C1)