Failed password form Chinese IP / Hacking?

Hi friends

In my log I have hundreds of these entries:

2018-04-15T13:12:01+02:00 info sshd[14344]: Failed password for root from 182.100.67.120 port 40522 ssh2
2018-04-15T15:12:05+02:00 info sshd[14372]: Last message 'Failed password for ' repeated 5 times, suppressed by syslog-ng on turris
2018-04-15T13:12:05+02:00 err sshd[14344]: error: maximum authentication attempts exceeded for root from 182.100.67.120 port 40522 ssh2 [preauth]
2018-04-15T13:12:05+02:00 info sshd[14344]: Disconnecting authenticating user root 182.100.67.120 port 40522: Too many authentication failures [preauth]

The IP belongs to a Chinese owner. I am not an expert, therefore my question: Is somebody trying to hack my router? What should I do?

Thanks and best regards

Heinz

It’s perfectly normal to get many such attempts every week on a public IPv4. You should have a password that isn’t easy to guess (or restrict to auth. via ssh key only). BTW, you may prefer to hide your IP from the logs here.

@HeLy If the sshd port requires exposure to the WAN it is commonly recommended to change the sshd port to somewhere within the ephemeral ip4 port range in order to mitigate such attacks.

I suppose there’s a misunderstanding. I was just noting that usually one doesn’t want to post their IP address on a forum for everyone to read. It’s really unrelated to firewalling. EDIT: and I didn’t immediately notice that it’s the attacker’s IP and not the target IP.

Yep, my bad - happens sometimes with (improper) speed reading

Thx for this answer, as I wrote I am not an expert, so for me this was just too high “it is commonly recommended to change the sshd port to somewhere within the ephemeral ip4 port range”

SSHD Port?
ephemeral ip4 port range?
How to…

Sorry and thx!

Unfortunately what you are seeing in the logs is not “too high” in a sense that it is the common frequency of public ip addresses being scanned/attacked, often with malicious intent. Of course it is too high in the sense that those scanners/attackers should not have any malicious interest in your ip address in the first place but that would be like telling a burglar not to scan/browse a house or car for potential entry points.

It sounds like you are not using an (sshd) terminal to administer the router, and yet it seems that the sshd service is not only running but also exposing its (communication) port to the WAN side and thus offering a potential attack surface.

If you do not require sshd then it would be best to stop it altogether and disable it from autostart -> login into LuCI -> System -> Startup -> SSHD -> press Stop button and then press the Enable button, latter should show then Disabled.

You may also check the firewall settings whether the sshd port is still opened to the WAN, if so you may close it.

Hi again and thanks!

I managed to stop and deactivate the sshd service, but I cannot find anything in the firewall settings.

We bought this router because it was praised as the safest router on the market, but it seems to be something for real experts only…

Have a nice day!

Hello,

but it seems to be something for real experts only…

That’s not true. During the first step in the Wizard you can find a checkbox for Use the same password for advanced configuration, and when you click the bubble with ? you can find there:

Same password would be used for accessing this administration interface, for root user in LuCI web interface and for SSH login. Use a strong password! (If you choose not to set the password for advanced configuration here, you will have the option to do so later. Until then, the root account will be blocked.)

It depends on whether you want to use SSH. My personal experience is that most users don’t use it, because they don’t need it and there is no reason to use it on a router, but if you use SSH then you need to know what you are doing.

First of all, if you have SSH enabled and you want to use it, then it’s better to disallow login via password but allow it e.g. via public keys, only from the remote/local IP address from which you want to use SSH, and so on.

Or you can install the SSH honeypot, which you can find in Foris, which will redirect all SSH connections (by default on port 22) from outside to the honeypot, but you can still access SSH on your router via LAN; and of course if you need remote administration you can allow it, and it’s explained in our documentation.

//EDIT: Look at top 20 SSH best security practices:


Seconding Pepe, I also don’t think it’s for experts only.

SSH is usually enabled by default, as it is the “native” path to the system. As you are a user who is actually able to read logs, you are also an aware user, so the best way is an explanation of what it is, and you can choose a path to follow: password complexity, used port, key-only access, or disabling sshd, which is an option just for those who don’t need it.

I am just a little bit surprised that you got those log entries, as I think that by default no port is opened to the internet from the router (that means that only wired clients can access the router through SSH).

Hi again, I have the honeypot installed and it is working, but these attacks were on other ports than 22. Nevertheless, they have disappeared now! So everything is ok!?

@Pepe I am not sure that it is good practice that setting a password for advanced configuration automatically activates sshd. Even those utilizing advanced configuration, which is still a GUI (LuCI), may have no use for sshd, or may not even be aware of it or know what it is/does.

@Jirka I’ve been thinking along the same line, that it is strange for those logs to show, considering that the sshd port is not open to the WAN by default. The logs mention port 40522, but it is not clear to me whether that belongs to the attacking IP or to the IP being attacked. If the latter, it would indicate that the port has somehow been opened to the WAN.

@HeLy As mentioned by @Jirka, it is somewhat strange that those entries appeared in the logs at all, considering that sshd is commonly not open to the WAN unless explicitly set by the user.
As mentioned above, the logs show port 40522, but it is not clear whether that is the sshd port opened on your router and being attacked or a port belonging to the attacker.

Not meaning to sound patronizing, but just double check the firewall entries, incl. custom rules.

Did you set up the router all by yourself, or did another person assist and have access to the router?

Since sshd is now disabled, that potential attack surface is removed, and that there are no further such log entries is a positive indicator.
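To settle the question raised above about what port 40522 is, here is an added example (not code from the thread or the Turris project) that parses sshd lines of the kind quoted in the first post. The sample lines are constructed with a TEST-NET address, and the ephemeral range is assumed to be the Linux default of net.ipv4.ip_local_port_range (32768-60999). In OpenSSH's "Failed password for U from IP port N ssh2" message, N is the client's source port, so it tells you nothing about which port the router listens on; the parser also folds in the syslog-ng "repeated N times" suppression line so the per-source count is not undercounted.

```python
import re
from collections import Counter

# Constructed sample modelled on the thread's log lines (TEST-NET address, not real data).
SAMPLE_LOG = """\
2018-04-15T13:12:01+02:00 info sshd[14344]: Failed password for root from 192.0.2.45 port 40522 ssh2
2018-04-15T13:12:05+02:00 info sshd[14372]: Last message 'Failed password for ' repeated 5 times, suppressed by syslog-ng on turris
2018-04-15T13:12:05+02:00 err sshd[14344]: error: maximum authentication attempts exceeded for root from 192.0.2.45 port 40522 ssh2 [preauth]
2018-04-15T13:12:05+02:00 info sshd[14344]: Disconnecting authenticating user root 192.0.2.45 port 40522: Too many authentication failures [preauth]
"""

# OpenSSH logs the *client's* address and *client's* source port after "from".
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port (\d+) ssh2")
# syslog-ng collapses consecutive identical messages into one "repeated N times" line.
SUPPRESSED = re.compile(r"Last message 'Failed password for ' repeated (\d+) times")

# Assumption: Linux default net.ipv4.ip_local_port_range. Client source ports land here.
EPHEMERAL_LOW, EPHEMERAL_HIGH = 32768, 60999


def is_ephemeral(port):
    """True if the port looks like an outbound (client-side) source port."""
    return EPHEMERAL_LOW <= port <= EPHEMERAL_HIGH


def summarize(log_text):
    """Return (Counter[(user, ip)] -> failed attempts, {ip: set(source ports)})."""
    counts = Counter()
    source_ports = {}
    last = None  # the (user, ip) a later "repeated N times" line refers to
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip, port = m.group(1), m.group(2), int(m.group(3))
            last = (user, ip)
            counts[last] += 1
            source_ports.setdefault(ip, set()).add(port)
            continue
        m = SUPPRESSED.search(line)
        if m and last is not None:
            counts[last] += int(m.group(1))  # attribute suppressed repeats to the last source
    return counts, source_ports


if __name__ == "__main__":
    counts, ports = summarize(SAMPLE_LOG)
    for (user, ip), n in counts.items():
        kinds = {"client source port" if is_ephemeral(p) else "unusual" for p in ports[ip]}
        print(f"{ip}: {n} failed logins for '{user}', ports {sorted(ports[ip])} ({', '.join(kinds)})")
```

Run on the sample it reports six failures for root from one source with source port 40522, which lies in the ephemeral range as a client-side port would; the listening port under attack is not in these lines, so the firewall check suggested above is the only way to learn it.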

Hi all

I am the only one who “understands” and sets up this router, and there are absolutely no extra entries in the Firewall. Neither I nor anybody else edited the Firewall or gave instructions to do so. The log looks clean now.

Personally, I am glad that sshd is on by default (considering it’s open only for LAN).

I don’t have a serial cable, and if I imagine doing a bad click in the initial wizard, or a power outage, or whatever else bricks the “frontend”, I would be screwed without the sshd option…

Those ssh ports I believe are internal; I’ve got similar ones when I log into ssh. So I believe HeLy’s system is worth checking the firewall on; I would be afraid if it isn’t turned down (for whatever reason).

You could send an email to the abuse contact and ask. It’s an IP from China Unicom, one of the big net providers in China. However, I found the IP on two Chinese university ssh blacklists as well.
