NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.

Forum Discussion

swamprat96's avatar
swamprat96
Aspirant
Nov 16, 2022

Orbi rbk 850 log question

I'm getting a ton of these :

[LAN access from remote] from 50.192.223.205 port 56640 to 192.168.86.179 port 2222 Wednesday, Nov 16,2022 09:45:57

[LAN access from remote] from 202.4.119.45 port 37479 to 192.168.86.179 port 2222 Wednesday, Nov 16,2022 09:45:56

I have two devices that have port forwarding to them on specific ports (SSH but not 22). The ports these entries show are not open but the target IP address it. 

1. Should I be concerned about these attempts and

2. If the port is not open- how do they know these IP's exist on my network?

 

 

2 Replies

  • CrimpOn's avatar
    CrimpOn
    Guru
    Nov 16, 2022

    What these log entries show is that port 2222 is forwarded to 192.168.86.179.

    • They do not show that there is actually a device present at 192.168.86.179.
      • As an experiment, I forwarded port 80 to a non-existent device (in my case 192.168.1.150)
        There was absolutely no device on my network with that IP.
        However, the log almost immediately began to fill with entries about connections being forwarded to this non-existent device.
      • In my case, port 80 was so obvious a target, that people with nothing better to do than scan for open ports hit my public IP address attempting to connect to port 80 almost immediately. (Port 2222 is not so obvious, but there are people who scan all 65535 possible ports looking for a "hit".)
      • Note that those connection requests resulted in nothing.  There was no device to respond.
    • 192.168.86.x is sort of an unusual IP address.  Most Orbi router set up the LAN on 192.168.1.x unless the ISP router has already taken that address. 
      • What is the DHCP IP space defined in this router?  Is it 192.168.86.x???
      • Is there actually a device present with this IP address (192.168.86.179)?
    • My first step is usually to connect to Gibson Shields Up! (https://www.grc.com/x/ne.dll?bh0bkyd2 )  Select Proceed, and then select a User Specified Port Probe.  (enter 2222)
      I have a suspicion that Shields Up! will say that port 2222 is Stealth, meaning that nothing responded on that port.
    • My second step would be to double check the Port Forwarding rules to ensure that I had  not set something up by accident.
    • swamprat96's avatar
      swamprat96
      Aspirant
      Nov 16, 2022

      Hi,

      yes the DHCP is 192.168.86.10 to 254 - a leftover from a google nest wifi

       

      Yes this is a real device- a raspberry Pi on 192.168.86.179 and I have a port forward to it - 2222. Shields up says stealth mode. So using your very helpful information I gather I'm ok? I use this device to wake up a PC remotely

      Thanks