Unknown or Unauthorized Access

Posted: Fri Aug 28, 2015 11:58 pm
by rfdude
I've noticed from both my Gargoyle routers running v1.8 that the log captures public attempts to log in to the router. The IP addresses vary, but when I tried one out (not the IPs listed below), I got someone's QNAP NAS... and they had factory default passwords! Below is an example of what I'm seeing on a router that has only 32 Mb of memory and no TOR. It's an Asus WL500G Premium v2. I also observed this issue with a Buffalo WZR-HP-G300NH2 which did have TOR. On both I did download some plugins and themes.

What is this?....

Fri Aug 28 22:17:46 2015 authpriv.info dropbear[8087]: Child connection from 43.229.53.16:59685
Fri Aug 28 22:17:52 2015 authpriv.info dropbear[8087]: Exit before auth: Disconnect received

Fri Aug 28 22:36:54 2015 authpriv.info dropbear[8092]: Child connection from 201.76.116.157:58515
Fri Aug 28 22:37:02 2015 authpriv.warn dropbear[8092]: Bad password attempt for 'root' from 201.76.116.157:58515
Fri Aug 28 22:37:02 2015 authpriv.info dropbear[8092]: Exit before auth (user 'root', 1 fails): Exited normally

Re: Unknown or Unauthorized Access

Posted: Sat Aug 29, 2015 12:00 am
by ispyisail
Is the source coming from the WAN or LAN?

Re: Unknown or Unauthorized Access

Posted: Sat Aug 29, 2015 1:00 am
by rfdude
All LAN are private IP 192.168...

Buffalo router is on a DSL service.
ASUS router is on an HSPA cellular data service at a remote location.

So the unidentified IPs are coming from external (WAN) sources.

Re: Unknown or Unauthorized Access

Posted: Sat Aug 29, 2015 1:39 am
by rfdude
Just found a previous forum post that might be related... from 2009.... OpenWRT/DDWRT-based botnet attack from infected routers or equipment. Interesting that a few others have posted log results (for other reasons) into this forum which contain the dropbear interaction below...

Per the DroneBL botnet web site, I've changed the SSH port to non-standard and am seeing the unauthorized attempts cease.

Re: Unknown or Unauthorized Access

Posted: Sat Aug 29, 2015 1:53 am
by ispyisail
> Per the DroneBL botnet web site, I've changed the SSH port to non-standard and am seeing the unauthorized attempts cease.

Well, there is your problem.

Don't open port 22 for SSH; they will still scan for open ports of any number.

Use OpenVPN for SSH

This is not a Gargoyle problem, more a user configuration problem.
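
Added example, not part of any post in this thread: a Python script that answers the WAN-or-LAN question from the log itself by tallying dropbear events per source address. The sample log is constructed in the format shown in the first post (documentation-range addresses plus one LAN login), the function names are hypothetical, and only IPv4 sources are handled.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the syslog format from the first post (not the thread's addresses).
SAMPLE_LOG = """\
Fri Aug 28 22:17:46 2015 authpriv.info dropbear[8087]: Child connection from 203.0.113.16:59685
Fri Aug 28 22:17:52 2015 authpriv.info dropbear[8087]: Exit before auth: Disconnect received
Fri Aug 28 22:36:54 2015 authpriv.info dropbear[8092]: Child connection from 198.51.100.157:58515
Fri Aug 28 22:37:02 2015 authpriv.warn dropbear[8092]: Bad password attempt for 'root' from 198.51.100.157:58515
Fri Aug 28 22:37:02 2015 authpriv.info dropbear[8092]: Exit before auth (user 'root', 1 fails): Exited normally
Fri Aug 28 22:40:10 2015 authpriv.info dropbear[8101]: Child connection from 192.168.1.20:50122
Fri Aug 28 22:40:15 2015 authpriv.notice dropbear[8101]: Password auth succeeded for 'root' from 192.168.1.20:50122
"""

# Explicit RFC 1918 list: ipaddress.is_private also flags documentation ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# "dropbear[PID]: <message> from IP:PORT" (the address part is optional)
LINE = re.compile(
    r"dropbear\[\d+\]: (?P<msg>.*?)(?: from (?P<ip>\d+\.\d+\.\d+\.\d+):\d+)?$")


def summarize(log_text):
    """Return {ip: {"side", "connections", "bad_passwords", "logins"}}."""
    stats = defaultdict(lambda: {"side": None, "connections": 0,
                                 "bad_passwords": 0, "logins": 0})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m or not m.group("ip"):
            continue  # "Exit before auth" lines carry no source address
        ip = ipaddress.ip_address(m.group("ip"))
        entry = stats[str(ip)]
        entry["side"] = "LAN" if any(ip in net for net in RFC1918) else "WAN"
        msg = m.group("msg")
        if msg.startswith("Child connection"):
            entry["connections"] += 1
        elif msg.startswith("Bad password attempt"):
            entry["bad_passwords"] += 1
        elif msg.startswith("Password auth succeeded"):
            entry["logins"] += 1
    return dict(stats)


def wan_sources(stats):
    """Addresses outside RFC 1918 space, i.e. SSH reached from the WAN side."""
    return sorted(ip for ip, e in stats.items() if e["side"] == "WAN")


if __name__ == "__main__":
    for ip, e in sorted(summarize(SAMPLE_LOG).items()):
        print(ip, e)
```

Any address returned by `wan_sources` means the SSH port is reachable from the internet, whatever port number it listens on.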