NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.

Forum Discussion

sethsa's avatar
sethsa
Aspirant
Jul 23, 2019
Solved

LAN access from remote (6700v3)

I am getting massive attacks looking at /val/log/auth.log on my linux machine. Reading online realized it might be due to UpnP enabled in the router. So I disabled it, however I still see the followi...
  • antinode's avatar
    antinode
    Jul 23, 2019

    > [...] on the router port 1010 was forwarded to 22. So I am not able to
    > understand why all these other random ports are alse being redirected to
    > my linux box?

     

       The remote port number is not significant.  If you see a connection
    (attempt), then the remote client is talking to the external port in
    your port-forwarding rule.  Have you tried an external port other than
    1010?

     

    > Initially 22 was the internal port for ssh, I changed it to 2212, but
    > the bots are too smart, now i see this in the log!

     

       No one in the outside world cares about the internal port, either;
    only the external port in the port-forwarding rule matters to an
    external client.  The only effect of changing the port used on your LAN
    would be to make more work for yourself.  I'd return it to 22.

     

       It's possible that your attackers are trying all possible ports, but
    the router will log only the attempts which match a port-forwarding
    rule.  (Otherwise, there's no connection to log.)

sethsa's avatar
sethsa
Aspirant
Jul 23, 2019

port 22 was not open externally.

 

Service Name    External Start Port    Internal Start Port    Internal IP address
      1    ssh    1010    22    192.168.1.100

Initially 22 was the internal port for ssh, I changed it to 2212, but the bots are too smart, now i see this in the log!

 

[LAN access from remote] from 121.254.173.11:60428 to 192.168.1.100:2212, Tuesday, Jul 23,2019 14:12:22
[LAN access from remote] from 45.55.232.106:48422 to 192.168.1.100:2212, Tuesday, Jul 23,2019 14:12:16
[LAN access from remote] from 46.101.249.232:36310 to 192.168.1.100:2212, Tuesday, Jul 23,2019 14:11:53
antinode's avatar
antinode
Guru
Jul 23, 2019

> [...] on the router port 1010 was forwarded to 22. So I am not able to
> understand why all these other random ports are alse being redirected to
> my linux box?

 

   The remote port number is not significant.  If you see a connection
(attempt), then the remote client is talking to the external port in
your port-forwarding rule.  Have you tried an external port other than
1010?

 

> Initially 22 was the internal port for ssh, I changed it to 2212, but
> the bots are too smart, now i see this in the log!

 

   No one in the outside world cares about the internal port, either;
only the external port in the port-forwarding rule matters to an
external client.  The only effect of changing the port used on your LAN
would be to make more work for yourself.  I'd return it to 22.

 

   It's possible that your attackers are trying all possible ports, but
the router will log only the attempts which match a port-forwarding
rule.  (Otherwise, there's no connection to log.)

  • sethsa's avatar
    sethsa
    Aspirant
    Jul 23, 2019

    Thanks for clarifying that changing ssh to anything other than 22, does not really help.

     

    Now regarding the attempt to login here:

    [LAN access from remote] from 210.69.31.8:38915 to 192.168.1.100:2022, Tuesday, Jul 23,2019 17:29:07

     

    The IP: 210.69.31.8 is trying to login via port 38915, or via port 2022?

    Are you suggesting that port 38915 does not really have any significance here?

     

    • antinode's avatar
      antinode
      Guru
      Jul 24, 2019

      > The IP: 210.69.31.8 is trying to login via port 38915, or via port
      > 2022?

       

         Your public IP address at the port in your (invisible)
      port-forwarding rule is where the message was sent.
      "192.168.1.100:2022" is where the message was delivered (thanks to NAT
      and port forwarding).  "210.69.31.8:38915" is where the reply (if any)
      should be sent.

       

      > Are you suggesting that port 38915 does not really have any
      > significance here?

       

         I thought that I did more than "suggest".  It's determined by the
      program at the other end.  It certainly tells me nothing useful.  Note
      that every log entry shows a different source port number.  Each is as
      useful as the others.  If you (or your sshd) wanted to respond, _then_
      it would be useful.


      > [...] Have you tried an external port other than 1010?

       

         Still wondering.

       

         When I first exposed an SSH server at (external) port 22 on my site,
      I observed daily attempts to break in.  When I changed it to use a port
      other than 22, these break-in attempts practically stopped.  But I was
      looking at the security logs on the system with the SSH server, not at
      the router logs.  In the router log, you might be seeing simple port
      scans, from people/programs trying every (or nearly every) port, in
      which case, you might see such messages no matter which external port
      you use for SSH.  But I wouldn't bet that any of thise are serious SSH
      break-in attempts (unless you're using external port 22).

       

         You might want to look into where your sshd logs its stuff, and see
      if you can find any more serious activity there.  Around here, I
      practically never look at the router logs.  Too much noise.

      • sethsa's avatar
        sethsa
        Aspirant
        Jul 24, 2019
        I switched to a new random port, and now the attacks seems to have stopped (at least for the past 2hrs).

        I previously had UPnP enabled, which might have made the router more vulnerable.

        See this as a 2 barrier system, with router serving the first and fail2ban as the second (to jail abusive IPs).

        Thanks!