I have an rbr50 as my main router/wifi in front of a cable modem running in modem mode. I recently added 2 raspberry pis devices as pi-hole dns servers on my home network. However I now find a stream of continuous sshd authentication messages on both, showing various failed logins from external ip addresses using random or no usernames. I checked https://www.whatismyip.com/port-scanner/ and could not find an open port, but the log messages keep coming on my raspberry pis, such as: Dec 26 17:47:28 <rpi-name> sshd[3854]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.253.24.166Dec 26 17:47:31<rpi-name> sshd[3854]: Failed password for invalid user web from 103.253.24.166 port 64597 ssh2Dec 26 17:47:31<rpi-name> sshd[3854]: Connection closed by 103.253.24.166 port 64597 [preauth]Dec 26 17:47:38<rpi-name> sshd[3866]: Invalid user web from 103.253.24.166 port 64810Dec 26 17:47:38<rpi-name> sshd[3866]: input_userauth_request: invalid user web [preauth]Dec 26 17:47:38<rpi-name> sshd[3866]: pam_unix(sshd:auth): check pass; user unknownDec 26 17:47:38<rpi-name> sshd[3866]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.253.24.166Dec 26 17:47:40<rpi-name> sshd[3866]: Failed password for invalid user web from 103.253.24.166 port 64810 ssh2Dec 26 17:47:40<rpi-name> sshd[3866]: Connection closed by 103.253.24.166 port 64810 [preauth] My question is, how are these attempts coming through the RBR50 and what can I do to stop them?

> The cable modem is supplied by my ISP, virgin media Ireland and, in> modem mode has, 1 option, modem mode or router mode. Still not as useful a description as, say, a maker and model numbermight be. But, if it really is in modem-only mode, it shouldn't matter.Is the IP address of the WAN/Internet interface on the RBR50v2 a publicaddress? > I have no port forwarding rules, port triggering is disabled, UPnP is> disabled. Did you verify that the ADVANCED > Advanced Setup > UPnp : UPnPPortmap Table is empty? I'm out of possible causes. If you're really getting outside-worldconnections to multiple port-22 destinations, then I don't know what,other than UPnP, could do it. Of course, with Netgear router firmware,almost any bug is possible, including leaving UPnP enabled/active whenthe indicator says that it's not. My next step would be to configure an explicit dead-endport-forwarding rule for (external) port 22, as suggested above.Presumably, that would supercede any residual/misguided UPnP activityfor that port. If UPnP actually is active, then attempting to add thatrule might fail with a complaint like: The specified port(s) are being used by other configurations. Please check your configurations of USB Readyshare, Remote Management, Port forwarding, Port Triggering, UPnP Port Mapping table, RIP, and Internet connection type. If that were to happen, then I'd disconnect everything except onecomputer from the router's LAN (wired and wireless), restart the router,and try it again. (Then restore the normal LAN connections.)

irish-rbr50

Aspirant

Dec 26, 2020

Solved

rbr50v2 and failed login attempts to rpis

I have an rbr50 as my main router/wifi in front of a cable modem running in modem mode.

I recently added 2 raspberry pis devices as pi-hole dns servers on my home network. However I now find a stream of continuous sshd authentication messages on both, showing various failed logins from external ip addresses using random or no usernames.

I checked https://www.whatismyip.com/port-scanner/ and could not find an open port, but the log messages keep coming on my raspberry pis, such as:

Dec 26 17:47:28 <rpi-name> sshd[3854]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.253.24.166
Dec 26 17:47:31<rpi-name> sshd[3854]: Failed password for invalid user web from 103.253.24.166 port 64597 ssh2
Dec 26 17:47:31<rpi-name> sshd[3854]: Connection closed by 103.253.24.166 port 64597 [preauth]
Dec 26 17:47:38<rpi-name> sshd[3866]: Invalid user web from 103.253.24.166 port 64810
Dec 26 17:47:38<rpi-name> sshd[3866]: input_userauth_request: invalid user web [preauth]
Dec 26 17:47:38<rpi-name> sshd[3866]: pam_unix(sshd:auth): check pass; user unknown
Dec 26 17:47:38<rpi-name> sshd[3866]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.253.24.166
Dec 26 17:47:40<rpi-name> sshd[3866]: Failed password for invalid user web from 103.253.24.166 port 64810 ssh2
Dec 26 17:47:40<rpi-name> sshd[3866]: Connection closed by 103.253.24.166 port 64810 [preauth]

My question is, how are these attempts coming through the RBR50 and what can I do to stop them?

antinode
Dec 28, 2020
> The cable modem is supplied by my ISP, virgin media Ireland and, in
> modem mode has, 1 option, modem mode or router mode.

   Still not as useful a description as, say, a maker and model number
might be. But, if it really is in modem-only mode, it shouldn't matter.
Is the IP address of the WAN/Internet interface on the RBR50v2 a public
address?

> I have no port forwarding rules, port triggering is disabled, UPnP is
> disabled.

   Did you verify that the ADVANCED > Advanced Setup > UPnp : UPnP
Portmap Table is empty?

   I'm out of possible causes. If you're really getting outside-world
connections to multiple port-22 destinations, then I don't know what,
other than UPnP, could do it. Of course, with Netgear router firmware,
almost any bug is possible, including leaving UPnP enabled/active when
the indicator says that it's not.

   My next step would be to configure an explicit dead-end
port-forwarding rule for (external) port 22, as suggested above.
Presumably, that would supercede any residual/misguided UPnP activity
for that port. If UPnP actually is active, then attempting to add that
rule might fail with a complaint like:

      The specified port(s) are being used by other configurations.
      Please check your configurations of USB Readyshare, Remote
      Management, Port forwarding, Port Triggering, UPnP Port Mapping
      table, RIP, and Internet connection type.

   If that were to happen, then I'd disconnect everything except one
computer from the router's LAN (wired and wireless), restart the router,
and try it again. (Then restore the normal LAN connections.)

6 Replies

antinode
Guru
Dec 26, 2020
> Model: RBR50|Orbi AC3000 Tri-band WiFi Router

   RBR50 or RBR50v2? Firmware version?

> [...] a cable modem running in modem mode.

   Not a very detailed description of that device.

> My question is, how are these attempts coming through the RBR50 and
> what can I do to stop them?

   The usual threats for incoming connections are explicit port
forwarding/triggering, DMZ server, and UPnP.

   Presumably, you'd remember if you had explicitly configured port
forwarding for port 22 (SSH).

   You could have no more that one DMZ server, so that wouldn't explain
such annoyances on two different R-Pi systems.

   Only UPnP could be enabled by default (because only it is automatic
enough), so I'd check (and disable) that. As the RBR50 User Manual
says:

      5. Select the Turn UPnP On check box.
         By default, this check box is selected. [...]

(Visit http://netgear.com/support , put in your (actual) model number,
and look for Documentation. Get the User Manual. Read. Look for
"UPnP".)

   If you had some good reason to keep UPnP enabled, then I'd configure
an explicit port-forwarding rule for (external) port 22, and specify
some fictional server IP address in that rule (and any-old internal
port), so that no real system ever gets bothered. (You could shrink
your DHCP pool from the usual default range of ".2" - ".254" to, say,
".2" - ".253", and use the ".254" address for your fictional/dead-end
server. ADVANCED > Setup > LAN Setup : Use Router as DHCP Server :
<addresses>. Alternatively, you could reserve some address like, say,
".254", and specify some unlikely MAC address ("00:00:00:00:00:01"?) in
that reservation, to ensure that no real system ever gets it. <Same
page> : Address Reservation.)

   If you ever do want to enable SSH access from the outside world, this
shows why using external port 22 is a bad idea. Specifying almost any
other (unpopular) external port stops almost all of those probes.
- irish-rbr50
  Aspirant
  Dec 27, 2020
  Thanks for the prompt reply.
  
  The cable modem is supplied by my ISP, virgin media Ireland and, in modem mode has, 1 option, modem mode or router mode.
  
  Correct, there was no port forwarding configured (I even disabled port triggering even though there was no rule added).
  
  And correct again, UPnP was enabled, by default. I have promptly disabled it and have not seen a login attempt on my RPIs since.
  
  Thanks again.
  - irish-rbr50
    Aspirant
    Dec 28, 2020
    ... and the messages are back.
    
    It appeared to work for an hour or so and I went off doing other things. However the error messages came back, but initially the ssh attempts appeared to be coming from the Orbi itself. Then after a while the IP addresses switched back to external ones.
    
    I have no port forwarding rules, port triggering is disabled, UPnP is disabled.
    
    I did find a mention of similar symptom on a "unraid" box in a different thread and their conclusion was that it was Armor. I logged into https://armor.netgear.com/... and looked atm my router but there is no configuration detail to say what it is doing, but the error messages continue on my RPIs
    
    pi@pi2:/var/log $ tail -f auth.log
    Dec 28 15:25:15 pi2 sshd[22684]: Failed password for invalid user duser from 91.121.30.186 port 58788 ssh2
    Dec 28 15:25:15 pi2 sshd[22684]: Received disconnect from 91.121.30.186 port 58788:11: Bye Bye [preauth]
    Dec 28 15:25:15 pi2 sshd[22684]: Disconnected from 91.121.30.186 port 58788 [preauth]
    Dec 28 15:25:15 pi2 sshd[22686]: Invalid user ubuntu from 49.234.101.196 port 54414
    Dec 28 15:25:15 pi2 sshd[22686]: input_userauth_request: invalid user ubuntu [preauth]
    Dec 28 15:25:15 pi2 sshd[22686]: pam_unix(sshd:auth): check pass; user unknown
    Dec 28 15:25:15 pi2 sshd[22686]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=49.234.101.196
    Dec 28 15:25:18 pi2 sshd[22686]: Failed password for invalid user ubuntu from 49.234.101.196 port 54414 ssh2
    Dec 28 15:25:18 pi2 sshd[22686]: Received disconnect from 49.234.101.196 port 54414:11: Bye Bye [preauth]
    Dec 28 15:25:18 pi2 sshd[22686]: Disconnected from 49.234.101.196 port 54414 [preauth]
    Dec 28 15:25:58 pi2 sshd[22702]: Invalid user teamspeak3 from 51.105.5.16 port 58178
    Dec 28 15:25:58 pi2 sshd[22702]: input_userauth_request: invalid user teamspeak3 [preauth]
    Dec 28 15:25:58 pi2 sshd[22702]: pam_unix(sshd:auth): check pass; user unknown
    Dec 28 15:25:58 pi2 sshd[22702]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=51.105.5.16
    Dec 28 15:26:00 pi2 sshd[22702]: Failed password for invalid user teamspeak3 from 51.105.5.16 port 58178 ssh2
    Dec 28 15:26:00 pi2 sshd[22702]: Received disconnect from 51.105.5.16 port 58178:11: Bye Bye [preauth]
    Dec 28 15:26:00 pi2 sshd[22702]: Disconnected from 51.105.5.16 port 58178 [preauth]
    Dec 28 15:26:07 pi2 sshd[22714]: Invalid user ftpuser from 51.254.102.19 port 47660
    Dec 28 15:26:07 pi2 sshd[22714]: input_userauth_request: invalid user ftpuser [preauth]
    Dec 28 15:26:07 pi2 sshd[22714]: pam_unix(sshd:auth): check pass; user unknown
    Dec 28 15:26:07 pi2 sshd[22714]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=51.254.102.19
    Dec 28 15:26:09 pi2 sshd[22714]: Failed password for invalid user ftpuser from 51.254.102.19 port 47660 ssh2
    Dec 28 15:26:09 pi2 sshd[22714]: Received disconnect from 51.254.102.19 port 47660:11: Bye Bye [preauth]
    Dec 28 15:26:09 pi2 sshd[22714]: Disconnected from 51.254.102.19 port 47660 [preauth]

Forum Discussion

rbr50v2 and failed login attempts to rpis