[Security] Strange open connection to ssh port of dropbear

Hello

I maintain an Archer C7 with Chaos Calmer (15.05.1, r48532) for a family member. I am located in Europe. I logged remotely into the gateway via ssh using a keypair. Typing netstat, I saw my own connection, but next to it was an ssh connection from Australia. There was a dropbear instance for it. But logread gave me no info about that PID or IP. So whatever there is or was, it was not a recent thing.

There were no other suspicious processes running. The connection just lingered on and on.

I tried to kill the associated dropbear instance, but it refused to die. Doing a kill -9 finally did it, and the state of the connection in netstat went from ESTABLISHED to FIN_WAIT1.

I tried two concurrent logins using my keypair. The associated dropbear is normally killable without the -9 from within the session and from the other session's shell. So there was something special in that dropbear instance.

I am going to update the affected gateway to the newest LEDE release soon. But I'd like to know if there are any explanations for this.
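The check the post describes by hand (netstat shows a dropbear session, logread has nothing for that PID or peer) can be scripted. The following is an added example, not code from the thread or from OpenWrt: it parses constructed samples of busybox `netstat -tnp` and `logread` output (documentation addresses, log lines written in the general style dropbear uses, not copied from a real router) and lists the ESTABLISHED ssh sessions that have no matching dropbear log line, plus those whose peer is outside an address prefix you administer from. Function names are this example's own; on a router the same functions can be fed `"$(netstat -tnp)"` and `"$(logread)"`.

```shell
#!/bin/sh
# Added example (not from the thread): correlate the ssh sessions netstat
# shows with the lines dropbear writes to syslog, so that a live session
# logread has never heard of stands out. Inputs below are constructed samples.

SSH_PORT=22

# Constructed sample of busybox "netstat -tnp" output (documentation addresses).
NETSTAT_SAMPLE="Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.0.2.1:22            198.51.100.9:51234      ESTABLISHED 1234/dropbear
tcp        0      0 192.0.2.1:22            203.0.113.77:40001      ESTABLISHED 877/dropbear
tcp        0      0 192.0.2.1:80            192.168.1.20:51300      ESTABLISHED 600/uhttpd"

# Constructed sample of "logread" lines in the style dropbear uses on OpenWrt:
# only our own key-based login left a trace, the second session is absent.
LOGREAD_SAMPLE="Tue Mar  6 20:01:02 2018 authpriv.info dropbear[1234]: Child connection from 198.51.100.9:51234
Tue Mar  6 20:01:03 2018 authpriv.notice dropbear[1234]: Pubkey auth succeeded for 'root' from 198.51.100.9:51234"

# ssh_sessions NETSTAT_TEXT: print "PID IP PORT" for every ESTABLISHED
# dropbear connection whose local port is SSH_PORT.
ssh_sessions() {
    printf '%s\n' "$1" | awk -v port="$SSH_PORT" '
        $6 == "ESTABLISHED" && $7 ~ /\/dropbear$/ {
            split($4, l, ":"); if (l[2] != port) next
            split($5, r, ":"); split($7, p, "/")
            print p[1], r[1], r[2]
        }'
}

# unlogged_sessions NETSTAT_TEXT LOGREAD_TEXT: print the sessions for which
# no dropbear log line names both the PID and the peer address:port.
unlogged_sessions() {
    ssh_sessions "$1" | while read -r pid ip port; do
        if ! printf '%s\n' "$2" | grep "dropbear\[$pid\]" | grep -Fq " from $ip:$port"; then
            printf '%s %s:%s\n' "$pid" "$ip" "$port"
        fi
    done
}

# untrusted_sessions NETSTAT_TEXT PREFIX: print sessions whose peer address
# does not start with PREFIX (e.g. the network you normally administer from).
untrusted_sessions() {
    ssh_sessions "$1" | while read -r pid ip port; do
        case "$ip" in
            "$2"*) ;;
            *) printf '%s %s:%s\n' "$pid" "$ip" "$port" ;;
        esac
    done
}

echo "ssh sessions with no dropbear log entry:"
unlogged_sessions "$NETSTAT_SAMPLE" "$LOGREAD_SAMPLE"
echo "ssh sessions from outside 198.51.100.:"
untrusted_sessions "$NETSTAT_SAMPLE" "198.51.100."
```

On the sample data both checks single out the same session (PID 877 from 203.0.113.77), which is exactly the shape of the connection in the post: established, owned by a dropbear child, and invisible in the ring buffer logread reads because it started long before the buffer's oldest entry. A session that only fails the second check (trusted log entry, unknown source) is the case to treat as a foreign login rather than a scanner waiting at the prompt.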

Sounds like an incoming random port scan and login attempt. Probably waiting at the login prompt. (Or, if you are using a non-standard port for ssh, then just an incoming connection that has not even reached the login stage yet.) Not quite sure how dropbear reacts if you just ping the port with a packet.

As you have opened the firewall, connections from others will reach dropbear. There is not much you can do about it.

You might at least configure the firewall to allow a different port than 22.
Or install some port knocking tool, so that you would need to knock on a different port first before the ssh port gets opened for traffic.

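The two measures the reply suggests, plus the ones a defender would add alongside them (key-only authentication and a source-address restriction on the WAN rule), in OpenWrt's UCI syntax. This is an added example, not configuration from the thread or from the OpenWrt project: the port number 2222 and the admin network 198.51.100.0/24 are constructed placeholders, and the `Allow-SSH-from-admin` rule name is this example's own. The `PasswordAuth`, `RootPasswordAuth` and `Port` options and the firewall rule keys are the ones OpenWrt 15.05 documents for `/etc/config/dropbear` and `/etc/config/firewall`.

```uci
# /etc/config/dropbear
config dropbear
	option PasswordAuth 'off'       # keypair logins only; a scanner at the prompt gets nowhere
	option RootPasswordAuth 'off'
	option Port '2222'              # placeholder non-standard port, as the reply suggests

# /etc/config/firewall (excerpt; the wan zone keeps its default input policy of REJECT,
# so this rule is the only path from the Internet to dropbear)
config rule
	option name 'Allow-SSH-from-admin'
	option src 'wan'
	option src_ip '198.51.100.0/24'  # placeholder: the network you administer from
	option proto 'tcp'
	option dest_port '2222'
	option target 'ACCEPT'
```

After editing, `/etc/init.d/dropbear restart` and `/etc/init.d/firewall restart` apply the change; keep the existing session open until a second login on the new port succeeds. Moving the port only reduces scanner noise; the `src_ip` restriction is what keeps an unknown address from ever reaching a dropbear child, and disabling password authentication is what makes a connection that does reach it harmless.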