

sethsa
Aspirant
Jul 23, 2019
Solved

LAN access from remote (6700v3)

I am getting massive attacks looking at /var/log/auth.log on my Linux machine. Reading online, I realized it might be due to UPnP being enabled in the router. So I disabled it; however, I still see the following in my router log:

 

[LAN access from remote] from 213.182.93.172:54967 to 192.168.1.100:22, Tuesday, Jul 23,2019 12:22:59
[LAN access from remote] from 177.125.58.145:52806 to 192.168.1.100:22, Tuesday, Jul 23,2019 12:22:53
[LAN access from remote] from 172.13.75.239:42916 to 192.168.1.100:22, Tuesday, Jul 23,2019 12:22:51
[LAN access from remote] from 121.254.173.11:38824 to 192.168.1.100:22, Tuesday, Jul 23,2019 12:22:43
[LAN access from remote] from 150.95.30.167:40798 to 192.168.1.100:22, Tuesday, Jul 23,2019 12:22:30
[LAN access from remote] from 46.101.249.232:49060 to 192.168.1.100:22, Tuesday, Jul 23,2019 12:22:13
[LAN access from remote] from 211.145.49.129:58103 to 192.168.1.100:22, Tuesday, Jul 23,2019 12:22:06
[LAN access from remote] from 58.250.164.242:40663 to 192.168.1.100:22, Tuesday, Jul 23,2019 12:22:00



 

It's an attempted login several times in a minute!

 

UPnP and DMZ are disabled; I am not sure why this has not stopped yet. Please help.

  • > [...] on the router port 1010 was forwarded to 22. So I am not able to
    > understand why all these other random ports are also being redirected to
    > my linux box?

     

       The remote port number is not significant.  If you see a connection
    (attempt), then the remote client is talking to the external port in
    your port-forwarding rule.  Have you tried an external port other than
    1010?

     

    > Initially 22 was the internal port for ssh, I changed it to 2212, but
    > the bots are too smart, now I see this in the log!

     

       No one in the outside world cares about the internal port, either;
    only the external port in the port-forwarding rule matters to an
    external client.  The only effect of changing the port used on your LAN
    would be to make more work for yourself.  I'd return it to 22.

     

       It's possible that your attackers are trying all possible ports, but
    the router will log only the attempts which match a port-forwarding
    rule.  (Otherwise, there's no connection to log.)
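
A way to read router log entries like the ones in this thread, as an added example that is not part of any poster's message: it groups `[LAN access from remote]` entries by LAN destination, which reflects the port-forwarding rule being hit, and counts distinct sources while treating the remote source port as noise. The log lines use constructed documentation addresses, and the function names and the `min_sources` threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the router's log format (documentation-range addresses).
SAMPLE_LOG = """\
[LAN access from remote] from 203.0.113.7:54967 to 192.168.1.100:22, Tuesday, Jul 23,2019 12:22:59
[LAN access from remote] from 198.51.100.23:52806 to 192.168.1.100:22, Tuesday, Jul 23,2019 12:22:53
[LAN access from remote] from 192.0.2.41:42916 to 192.168.1.100:22, Tuesday, Jul 23,2019 12:22:43
[LAN access from remote] from 203.0.113.7:38824 to 192.168.1.100:22, Tuesday, Jul 23,2019 12:22:30
[LAN access from remote] from 198.51.100.99:40798 to 192.168.1.100:22, Tuesday, Jul 23,2019 12:22:00
[LAN access from remote] from 192.0.2.200:51000 to 192.168.1.20:443, Tuesday, Jul 23,2019 12:21:10
"""

LINE_RE = re.compile(
    r"\[LAN access from remote\] from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+), \w+, (?P<ts>\w+ \d+,\d{4} [\d:]+)"
)

def summarize(log_text):
    """Group forwarded connections by LAN destination (ip, port)."""
    by_dest = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ignore other router log entry types
        ts = datetime.strptime(m["ts"], "%b %d,%Y %H:%M:%S")
        by_dest[(m["dst"], int(m["dport"]))].append((ts, m["src"], int(m["sport"])))
    report = {}
    for dest, events in by_dest.items():
        times = [e[0] for e in events]
        # Treat anything shorter than a minute as one minute to avoid inflated rates.
        span_min = max((max(times) - min(times)).total_seconds() / 60, 1.0)
        report[dest] = {
            "hits": len(events),
            "sources": len({e[1] for e in events}),
            "source_ports": len({e[2] for e in events}),  # ephemeral, not significant
            "per_minute": round(len(events) / span_min, 1),
        }
    return report

def exposed_services(report, min_sources=3):
    """LAN destinations reached by many unrelated sources: a forwarding rule being scanned."""
    return sorted(d for d, r in report.items() if r["sources"] >= min_sources)

if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG)
    for dest in exposed_services(rep):
        print(dest, rep[dest])
```

Each destination that appears corresponds to a forwarding rule on the router, so the list of destinations doubles as an inventory of what is reachable from outside.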

9 Replies

    • microchip8
      Master

      Port 22 is Secure Shell (SSH). Do you have it running? There are many, really many bots that scan port 22 and attempt to enter. If you have a weakly secure SSH, some may succeed.

      • antinode
        Guru

        > UPnP and DMZ are disabled, [...]

         

           Are you port-forwarding (external) port 22?  (Not a good idea, for
        just this reason.)  If anyone in the outside world is getting to
        "192.168.1.100" (on your LAN), then I'd expect that some rule or other
        on the router must be enabling it.  (Otherwise, how would it know enough
        to forward the connection attempt to ".100"?)

         

        > [...] There are many, really many bots that scan port 22 and attempt
        > to enter. [...]

         

           Yup.  Which is why folks normally use an external port other than 22
        for such access.