I just looked at my logs and they are littered with someone trying to ssh into my OpenWrt box. I'm on x86, 23.05.2. I'm relatively new, but is there something I can do to mitigate this? I believe someone is trying to brute force it.
I'm getting a lot of this:
Thu Mar 28 15:01:22 2024 authpriv.info dropbear[9957]: Child connection from 183.81.169.238:34104
Thu Mar 28 15:01:23 2024 authpriv.warn dropbear[9957]: Bad password attempt for 'root' from 183.81.169.238:34104
Thu Mar 28 15:01:24 2024 authpriv.info dropbear[9957]: Exit before auth from <183.81.169.238:34104>: (user 'root', 1 fails): Exited normally
But the port keeps switching in the log. It's always a different port. As far as I know, I don't have anything forwarded for the firewall, and the only thing I've done is add Openvpn with Nord.
Please connect to your OpenWrt device using ssh, copy the output of the following commands, and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
34104 is the remote port of the attacker, and upon every retry that changes. That's not the issue. @bigsleezy Somehow your port 22 is exposed to the external network.
This guy has tried from at least 4 IP addresses I can see in my logs. 3 went back to a VPN IP after I checked them. Then a static address in China. Is there any way to force drop packets coming in on port 22?
Assuming you have exposed your device intentionally to the internet for your private intentions (for example remote access) then you have to deal with it and accept those annoying connection attempts. The best short term solution is to install fail2ban that will blacklist the IPs from failed connection attempts.
The web is full of scanning bots knocking on doors with the number 22 stamped on them. You can additionally change your default ssh port to something way higher for increased security.
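To see how many failed attempts each source has actually made before deciding what to block, here is an added example (not from the thread or from the fail2ban project) that tallies dropbear "Bad password attempt" lines per source address. It assumes the log format shown in the thread's logread excerpt; the threshold value is arbitrary, and the sample log below is constructed (198.51.100.7 is a documentation address added as a second, low-volume source).

```shell
#!/bin/sh
# Added example, not from the thread: tally dropbear "Bad password attempt" lines per
# source address so repeat offenders can be reviewed (or fed to a fail2ban-style jail).
# Assumption: lines look like the thread's logread excerpt, ending in "from IP:port".

# Read logread-style lines on stdin; print "<fails> <ip>" for every source with at
# least $1 failed password attempts (default 3), most active first.
dropbear_failed_by_ip() {
    threshold="${1:-3}"
    awk -v thr="$threshold" '
        /dropbear\[[0-9]+\]: Bad password attempt for/ {
            src = $NF                 # last field is "IP:port"
            sub(/:[0-9]+$/, "", src)  # drop the ephemeral client port, keep the IP
            fails[src]++
        }
        END {
            for (ip in fails)
                if (fails[ip] >= thr)
                    printf "%d %s\n", fails[ip], ip
        }
    ' | sort -rn
}

# Constructed sample in the same format as the thread's excerpt (not real captured data
# beyond the format): three failures from one source, one from another, plus noise lines.
sample_log() {
    cat <<'EOF'
Thu Mar 28 15:01:19 2024 authpriv.info dropbear[9948]: Child connection from 183.81.169.238:34060
Thu Mar 28 15:01:20 2024 authpriv.warn dropbear[9948]: Bad password attempt for 'root' from 183.81.169.238:34060
Thu Mar 28 15:01:20 2024 authpriv.info dropbear[9948]: Exit before auth from <183.81.169.238:34060>: (user 'root', 1 fails): Exited normally
Thu Mar 28 15:01:21 2024 authpriv.info dropbear[9956]: Child connection from 183.81.169.238:34064
Thu Mar 28 15:01:21 2024 authpriv.warn dropbear[9956]: Bad password attempt for 'root' from 183.81.169.238:34064
Thu Mar 28 15:01:22 2024 authpriv.info dropbear[9957]: Child connection from 183.81.169.238:34104
Thu Mar 28 15:01:23 2024 authpriv.warn dropbear[9957]: Bad password attempt for 'root' from 183.81.169.238:34104
Thu Mar 28 15:02:05 2024 authpriv.warn dropbear[9960]: Bad password attempt for 'admin' from 198.51.100.7:51022
Thu Mar 28 15:03:35 2024 user.notice pbr: Reloading pbr due to firewall action: includes
EOF
}

# On the router itself you would run:  logread | dropbear_failed_by_ip 3
# Stand-alone demo on the constructed sample:
sample_log | dropbear_failed_by_ip 2
```

The port is stripped because, as noted above, it is the client's ephemeral port and changes on every connection; only the address is meaningful for counting. The script only uses busybox-compatible awk and sort, so it runs unchanged on the router.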
There are 3 tick marks "```" at the end of this rule... can you check that this is purely a copy-paste issue in the forum? If the ticks are in the actual config file, that might do strange things.
Also, although it is disabled, you should probably remove it... this doesn't have a port number associated, and anything that points to the router itself should be a rule, not a redirect.
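To make the check above repeatable, here is an added example (not from the thread; the poster's actual config is not shown on the page) that scans an OpenWrt /etc/config/firewall for "config redirect" sections with no port or that point at the router itself, which is exactly the kind of entry the reply flags. The sample config is constructed, and 192.168.1.1 is assumed as the router's LAN address; the included "config rule" section shows the rule form for traffic aimed at the router.

```shell
#!/bin/sh
# Added example, not from the thread: audit UCI firewall redirects. Assumptions: the
# sample config below is constructed, and the router's LAN address is 192.168.1.1.

# Read a UCI firewall config on stdin; print one finding per questionable redirect.
# $1 is the router's own LAN address (default 192.168.1.1).
audit_redirects() {
    router_ip="${1:-192.168.1.1}"
    awk -v q="'" -v rtr="$router_ip" '
        function flush(   k) {
            if (sec == "redirect") {
                label = (name != "") ? name : ("#" idx)
                if (!("src_dport" in opt) && !("dest_port" in opt))
                    printf "WARN redirect %s: no src_dport/dest_port, so every port is forwarded\n", label
                if (("dest_ip" in opt) && opt["dest_ip"] == rtr)
                    printf "WARN redirect %s: targets the router (%s); use a config rule with src wan and no dest\n", label, rtr
                if (("enabled" in opt) && opt["enabled"] == "0")
                    printf "NOTE redirect %s: disabled, remove it if no longer needed\n", label
            }
            for (k in opt) delete opt[k]
            sec = ""; name = ""
        }
        $1 == "config" { flush(); idx++; sec = $2; name = $3; gsub(q, "", name) }
        $1 == "option" { v = $3; gsub(q, "", v); opt[$2] = v }
        END { flush() }
    '
}

# Constructed sample: a normal port forward to a LAN host, a disabled catch-all redirect
# aimed at the router (the pattern the reply warns about), and a rule dropping WAN ssh.
sample_firewall() {
    cat <<'EOF'
config zone
	option name 'wan'
	option input 'REJECT'

config redirect 'plex'
	option name 'Plex'
	option src 'wan'
	option src_dport '32400'
	option dest 'lan'
	option dest_ip '192.168.1.50'
	option dest_port '32400'
	option target 'DNAT'

config redirect 'to_router'
	option name 'Router-all-ports'
	option enabled '0'
	option src 'wan'
	option dest 'lan'
	option dest_ip '192.168.1.1'
	option target 'DNAT'

config rule 'ssh_drop'
	option name 'Drop-WAN-SSH'
	option src 'wan'
	option proto 'tcp'
	option dest_port '22'
	option target 'DROP'
EOF
}

# On the router:  audit_redirects 192.168.1.1 < /etc/config/firewall
# Stand-alone demo on the constructed sample:
sample_firewall | audit_redirects 192.168.1.1
```

A "config rule" with "src 'wan'" and no "dest" applies to traffic addressed to the router itself, which is why the reply says router-bound entries belong there rather than in a redirect. Since the wan zone's default input policy is already REJECT, an explicit DROP rule for port 22 only matters when something else (such as a redirect) has opened the port; the audit is meant to find that something.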
I think I may have figured it out. I had a firewall rule to open to the outside for my plex port 32400 for my router IP (the one hosting my plex app). I think he was using that. I haven't had an ssh login attempt since I closed that port.
I initially opened that port to allow access for my movies and shows outside of my house. According to my logs, after I shut that port down on my firewall, I haven't had another attempt.
This is what it looked like in the log.
Thu Mar 28 15:01:19 2024 authpriv.info dropbear[9948]: Child connection from 183.81.169.238:34060
Thu Mar 28 15:01:20 2024 authpriv.warn dropbear[9948]: Bad password attempt for 'root' from 183.81.169.238:34060
Thu Mar 28 15:01:20 2024 authpriv.info dropbear[9948]: Exit before auth from <183.81.169.238:34060>: (user 'root', 1 fails): Exited normally
Thu Mar 28 15:01:21 2024 authpriv.info dropbear[9956]: Child connection from 183.81.169.238:34064
Thu Mar 28 15:01:21 2024 authpriv.warn dropbear[9956]: Bad password attempt for 'root' from 183.81.169.238:34064
Thu Mar 28 15:01:22 2024 authpriv.info dropbear[9956]: Exit before auth from <183.81.169.238:34064>: (user 'root', 1 fails): Exited normally
Thu Mar 28 15:01:22 2024 authpriv.info dropbear[9957]: Child connection from 183.81.169.238:34104
Thu Mar 28 15:01:23 2024 authpriv.warn dropbear[9957]: Bad password attempt for 'root' from 183.81.169.238:34104
Thu Mar 28 15:01:24 2024 authpriv.info dropbear[9957]: Exit before auth from <183.81.169.238:34104>: (user 'root', 1 fails): Exited normally
Thu Mar 28 15:03:35 2024 user.notice pbr: Reloading pbr due to firewall action: includes
Thu Mar 28 15:03:35 2024 user.notice pbr: Activating traffic killswitch [✓]
Thu Mar 28 15:03:36 2024 user.notice pbr: Setting up routing for 'wan/eth2/73.15.132.1' [✓]
Thu Mar 28 15:03:36 2024 user.notice pbr: Setting up routing for 'nordvpntun/tun0/10.8.1.3' [✓]
Thu Mar 28 15:03:36 2024 user.notice pbr: Routing 'qbit' via nordvpntun [✓]
Thu Mar 28 15:03:36 2024 user.notice pbr: Deactivating traffic killswitch [✓]
Thu Mar 28 15:03:36 2024 user.notice pbr: service monitoring interfaces: wan nordvpntun
Thu Mar 28 15:03:36 2024 user.notice SQM: Stopping SQM on eth2
Thu Mar 28 15:03:36 2024 daemon.notice ttyd[8368]: [2024/03/28 15:03:36:9386] N: rops_handle_POLLIN_netlink: DELADDR
Thu Mar 28 15:03:37 2024 user.notice SQM: Starting SQM script: piece_of_cake.qos on eth2, in: 1400000 Kbps, out: 220000 Kbps
Thu Mar 28 15:03:37 2024 user.notice SQM: piece_of_cake.qos was started on eth2 successfully
Thu Mar 28 15:07:15 2024 user.notice pbr: Reloading pbr wan6 interface routing due to ifupdate of wan6 (eth2)
Thu Mar 28 15:07:18 2024 user.notice pbr: Reloading pbr wan6 interface routing due to ifupdate of wan6 (eth2)
Thu Mar 28 15:08:34 2024 user.notice pbr: Reloading pbr wan6 interface routing due to ifupdate of wan6 (eth2)
Thu Mar 28 15:08:38 2024 user.notice pbr: Reloading pbr wan6 interface routing due to ifupdate of wan6 (eth2)
Edit: @psherman, it was a copy error. I may sound stupid, but how do I make it a rule, not a redirect?
Also, my firewall did have a port number on it when I made it initially. I'm thinking somehow he got in and changed it? I don't think I'd have been that stupid and opened ALL of my ports to my router and not caught it.
I can't say if they got in or not... I would think they wouldn't have continued the 'attempts' if they already had access. But I could be wrong.
If you are in any doubt, though, reset to defaults and configure from scratch. Make a backup if you'd like, but don't restore it directly since it would just restore whatever config changes they might have made (if they actually did gain access).