I've noticed from both my Gargoyle routers running v1.8 that the log captures public attempts to log in to the router. The IP addresses vary, but when I tried one out (not the IPs listed below), I got someone's QNAP NAS... and they had factory default passwords! Below is an example of what I'm seeing on a router that has only 32 MB of memory and no TOR. It's an Asus WL500G Premium v2. I also observed this issue with a Buffalo WZR-HP-G300NH2 which did have TOR. On both I did download some plugins and themes.
What is this?....
Fri Aug 28 22:17:46 2015 authpriv.info dropbear[8087]: Child connection from 43.229.53.16:59685
Fri Aug 28 22:17:52 2015 authpriv.info dropbear[8087]: Exit before auth: Disconnect received
Fri Aug 28 22:36:54 2015 authpriv.info dropbear[8092]: Child connection from 201.76.116.157:58515
Fri Aug 28 22:37:02 2015 authpriv.warn dropbear[8092]: Bad password attempt for 'root' from 201.76.116.157:58515
Fri Aug 28 22:37:02 2015 authpriv.info dropbear[8092]: Exit before auth (user 'root', 1 fails): Exited normally
Unknown or Unauthorized Access
rfdude
------------------
1.09.2 Buffalo WZR-HP-G300NH2 -> 8 OpenMesh AP's
1.10.0 Archer C7 -> Multiple Cisco 1702i Autonomous Mode
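An added example, not part of the thread: a small parser for the dropbear log format quoted in the post above. It counts connections and failed password attempts per source address and classifies each source as LAN (RFC 1918) or WAN, so you can tell at a glance whether the attempts are coming from inside or from the Internet. The log lines and addresses in SAMPLE_LOG are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the format of the dropbear lines quoted in the post; timestamps, PIDs
# and addresses are made up (203.0.113.x / 198.51.100.x stand in for Internet hosts, 192.168.1.20 for a LAN host).
SAMPLE_LOG = """\
Fri Aug 28 22:17:46 2015 authpriv.info dropbear[8087]: Child connection from 203.0.113.16:59685
Fri Aug 28 22:17:52 2015 authpriv.info dropbear[8087]: Exit before auth: Disconnect received
Fri Aug 28 22:36:54 2015 authpriv.info dropbear[8092]: Child connection from 198.51.100.157:58515
Fri Aug 28 22:37:02 2015 authpriv.warn dropbear[8092]: Bad password attempt for 'root' from 198.51.100.157:58515
Fri Aug 28 22:37:02 2015 authpriv.info dropbear[8092]: Exit before auth (user 'root', 1 fails): Exited normally
Fri Aug 28 22:40:10 2015 authpriv.info dropbear[8095]: Child connection from 198.51.100.157:58600
Fri Aug 28 22:40:13 2015 authpriv.warn dropbear[8095]: Bad password attempt for 'admin' from 198.51.100.157:58600
Fri Aug 28 22:41:00 2015 authpriv.info dropbear[8097]: Child connection from 192.168.1.20:51234
"""

CONNECT_RE = re.compile(r"dropbear\[\d+\]: Child connection from (\S+):\d+$")
BADPASS_RE = re.compile(r"dropbear\[\d+\]: Bad password attempt for '([^']*)' from (\S+):\d+$")

# RFC 1918 space counts as LAN; anything else is treated as reaching the router from the WAN side.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def scope_of(ip):
    """'LAN' for RFC 1918 sources, 'WAN' for everything else."""
    addr = ipaddress.ip_address(ip)
    return "LAN" if any(addr in net for net in LAN_NETS) else "WAN"

def summarize(log_text):
    """Per source IP: scope, connection count, bad-password count and the usernames tried."""
    stats = defaultdict(lambda: {"scope": None, "connections": 0, "bad_passwords": 0, "users": set()})
    for line in log_text.splitlines():
        if m := CONNECT_RE.search(line):
            ip = m.group(1)
            stats[ip]["connections"] += 1
        elif m := BADPASS_RE.search(line):
            user, ip = m.group(1), m.group(2)
            stats[ip]["bad_passwords"] += 1
            stats[ip]["users"].add(user)
        else:
            continue  # "Exit before auth" and other lines carry no new source information
        stats[ip]["scope"] = scope_of(ip)
    return dict(stats)

def wan_bruteforce_sources(stats, min_bad=1):
    """WAN sources with at least min_bad failed password attempts, worst offenders first."""
    hits = [ip for ip, s in stats.items() if s["scope"] == "WAN" and s["bad_passwords"] >= min_bad]
    return sorted(hits, key=lambda ip: -stats[ip]["bad_passwords"])
```

Running `wan_bruteforce_sources(summarize(SAMPLE_LOG))` on the sample returns only the 198.51.100.157 source, with two failed attempts for 'root' and 'admin'; feed it the output of `logread` to check a live router.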
Re: Unknown or Unauthorized Access
Is the source coming from the WAN or LAN?
Re: Unknown or Unauthorized Access
All LAN are private IP 192.168...
Buffalo router is on a DSL service.
ASUS router is on an HSPA cellular data service at a remote location.
So the unidentified IP's are coming from external (WAN) sources.
rfdude
------------------
1.09.2 Buffalo WZR-HP-G300NH2 -> 8 OpenMesh AP's
1.10.0 Archer C7 -> Multiple Cisco 1702i Autonomous Mode
Re: Unknown or Unauthorized Access
Just found a previous forum post that might be related... from 2009.... OpenWRT/DDWRT-based botnet attack from infected routers or equipment. Interesting that a few others have posted log results (for other reasons) into this forum which contain the dropbear interaction below...
Per the DroneBL botnet web site, I've changed the SSH port to non-standard and am seeing the unauthorized attempts cease.
rfdude
------------------
1.09.2 Buffalo WZR-HP-G300NH2 -> 8 OpenMesh AP's
1.10.0 Archer C7 -> Multiple Cisco 1702i Autonomous Mode
Re: Unknown or Unauthorized Access
> Per the DroneBL botnet web site, I've changed the SSH port to non-standard and am seeing the unauthorized attempts cease.

Well, there is your problem.
Don't open port 22 for SSH; they will still scan for open ports of any number.
Use OpenVPN for SSH.
This is not a Gargoyle problem, more a user configuration problem.