Re: Port forwarding of ANY kind opens all ports!!!

BRWhitecotton
Aspirant

Port forwarding of ANY kind opens all ports!!!

R7000 with FW V1.0.11.110_10.2.100

connected to the internet via cox isp through a CM1100 cable modem

 

I have configured port forwarding for ssh using nonstandard incoming "world" port to another nonstandard sshd server port on my linux box.  As soon as I apply this change I start getting attacks on all sorts of ports.....See small sample below from my auth logs.

 

THE ONLY WAY that all inbound attempts are stopped by the R7000 is to have NO port forwarding whatsoever enabled.

It seems there is a HUGE bug in the NAT filtering/port forwarding implementation!  

This needs fixing!!

 

 

Feb 8 02:10:04 archimedes sshd[1154]: Invalid user jeremy from 115.182.105.68 port 37561
Feb 8 02:10:04 archimedes sshd[1154]: pam_unix(sshd:auth): check pass; user unknown
Feb 8 02:10:04 archimedes sshd[1154]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.182.105.68
Feb 8 02:10:06 archimedes sshd[1156]: Invalid user akhan from 115.236.52.122 port 60446
Feb 8 02:10:06 archimedes sshd[1156]: pam_unix(sshd:auth): check pass; user unknown
Feb 8 02:10:06 archimedes sshd[1156]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.236.52.122
Feb 8 02:10:07 archimedes sshd[1154]: Failed password for invalid user jeremy from 115.182.105.68 port 37561 ssh2
Feb 8 02:10:07 archimedes sshd[1156]: Failed password for invalid user akhan from 115.236.52.122 port 60446 ssh2
Feb 8 02:10:08 archimedes sshd[1158]: User root from 106.121.179.45 not allowed because not listed in AllowUsers
Feb 8 02:10:08 archimedes sshd[1158]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=106.121.179.45 user=root
Feb 8 02:10:08 archimedes sshd[1156]: Received disconnect from 115.236.52.122 port 60446:11: Bye Bye [preauth]
Feb 8 02:10:08 archimedes sshd[1156]: Disconnected from invalid user akhan 115.236.52.122 port 60446 [preauth]
Feb 8 02:10:09 archimedes sshd[1154]: Received disconnect from 115.182.105.68 port 37561:11: Bye Bye [preauth]
Feb 8 02:10:09 archimedes sshd[1154]: Disconnected from invalid user jeremy 115.182.105.68 port 37561 [preauth]
Feb 8 02:10:10 archimedes sshd[1158]: Failed password for invalid user root from 106.121.179.45 port 61091 ssh2
Feb 8 02:10:10 archimedes sshd[1158]: Received disconnect from 106.121.179.45 port 61091:11: Bye Bye [preauth]
Feb 8 02:10:10 archimedes sshd[1158]: Disconnected from invalid user root 106.121.179.45 port 61091 [preauth]
 

Model: R7000|AC1900 Smart WIFI Router
Message 1 of 7
antinode
Guru

Re: Port forwarding of ANY kind opens all ports!!!

> I have configured port forwarding for ssh using nonstandard incoming
> "world" port [...]

 

   That's a good idea.

 

> [...] to another nonstandard sshd server port on my linux box. [...]

 

   Because you want to make your own life harder?  What's wrong with
using the default port (22) on your own LAN?

 

> [...] See small sample below from my auth logs.

 

   Have you looked at the router log?

 

> It seems there is a HUGE bug in the NAT filtering/port forwarding
> implementation!

 

   Or the user made a HUGE error.


   I haven't done any port forwarding on an R7000 with recent firmware,
so I know nothing, and Netgear has released some remarkable bugs, but I
find it a little hard to believe that they've broken this feature this
badly.  And this is the only such report.  It also seems unlikely that
you're getting many SSH attacks on "another nonstandard sshd server
port".  Around here, I've seen attacks on port 22, but almost none on my
own 'nonstandard incoming "world" port'.

 

   If I believed that I had such a problem, I'd try a few things:

 

   Double-check the port-forwarding rule(s) (which I can't see from
here).  Ensure that there's no DMZ server defined.  Disable UPnP.

 

   Double-check the sshd configuration.  "netstat -an"?  Is it really
listening on some non-standard port?

 

   Scan the router log for SSH connection attempts.  Which ports are
shown there?

 

   Settings reset, and manual reconfiguration.

 

   Load some well-tested older firmware version (V1.0.9.42_10.2.44 was
popular), reset, reconfigure.

 

> This needs fixing!!

 

   Something might.

Message 2 of 7
BRWhitecotton
Aspirant

Re: Port forwarding of ANY kind opens all ports!!!


@antinode wrote:

> I have configured port forwarding for ssh using nonstandard incoming
> "world" port [...]

 

   That's a good idea.

Indeed

 

> [...] to another nonstandard sshd server port on my linux box. [...]

 

   Because you want to make your own life harder?  What's wrong with
using the default port (22) on your own LAN?

 

Port 22 is the de facto ssh port so that would be the first hit IF attacks made it through the router, so I changed it internally as a test

 

> [...] See small sample below from my auth logs.

 

   Have you looked at the router log?

 

Yes but forgot to paste that in the first post.  What I did paste was from /var/log/auth.log on my linux server. I have a nice chunk of router log I will paste below.

 

> It seems there is a HUGE bug in the NAT filtering/port forwarding
> implementation!

 

   Or the user made a HUGE error.

 

Agreed a possibility but given the evidence and my ability to follow simple directions.....

 


   I haven't done any port forwarding on an R7000 with recent firmware,
so I know nothing, and Netgear has released some remarkable bugs, but I
find it a little hard to believe that they've broken this feature this
badly.  And this is the only such report.  It also seems unlikely that
you're getting many SSH attacks on "another nonstandard sshd server
port".  Around here, I've seen attacks on port 22, but almost none on my
own 'nonstandard incoming "world" port'.

 

   If I believed that I had such a problem, I'd try a few things:

 

   Double-check the port-forwarding rule(s) (which I can't see from
here).  Ensure that there's no DMZ server defined.  Disable UPnP.

 

DMZ and UPnP are BOTH DISABLED.

 

   Double-check the sshd configuration.  "netstat -an"?  Is it really
listening on some non-standard port?

 

I do know how to config sshd and YES it is listening only on the specific port (I will need to change this now). I cannot access the server except using that port ssh -p (as a second check)

 

   Scan the router log for SSH connection attempts.  Which ports are
shown there?

 

PLEASE SEE BELOW

 

   Settings reset, and manual reconfiguration.

 

   Load some well-tested older firmware version (V1.0.9.42_10.2.44 was
popular), reset, reconfigure.

 

> This needs fixing!!

 

   Something might.


Here is a short snippet of the router logs showing every attack that hit the router was directed to 51519 on 192.168.9.53 BUT the forwarding was set to allow ONLY ONE inbound port number and NONE of those identified below are it. Its as . 

 

R7000 Router Log snippet

[LAN access from remote] from 103.84.194.111:53772 to 192.168.9.53:51519, Tuesday, Feb 09,2021 13:13:47
[LAN access from remote] from 181.49.246.20:42622 to 192.168.9.53:51519, Tuesday, Feb 09,2021 13:13:32
[LAN access from remote] from 101.226.21.105:60298 to 192.168.9.53:51519, Tuesday, Feb 09,2021 13:13:29
[LAN access from remote] from 66.70.142.214:35772 to 192.168.9.53:51519, Tuesday, Feb 09,2021 13:13:29
[LAN access from remote] from 139.59.32.156:47552 to 192.168.9.53:51519, Tuesday, Feb 09,2021 13:13:27
[LAN access from remote] from 203.151.144.160:46238 to 192.168.9.53:51519, Tuesday, Feb 09,2021 13:13:27
[LAN access from remote] from 103.84.194.111:49193 to 192.168.9.53:51519, Tuesday, Feb 09,2021 13:12:49
[LAN access from remote] from 183.195.121.197:48760 to 192.168.9.53:51519, Tuesday, Feb 09,2021 13:12:45
[LAN access from remote] from 172.81.239.224:60536 to 192.168.9.53:51519, Tuesday, Feb 09,2021 13:12:31
[LAN access from remote] from 42.192.8.30:40266 to 192.168.9.53:51519, Tuesday, Feb 09,2021 13:11:57
[LAN access from remote] from 62.94.153.133:54741 to 192.168.9.53:51519, Tuesday, Feb 09,2021 13:11:52
[LAN access from remote] from 103.84.194.111:44615 to 192.168.9.53:51519, Tuesday, Feb 09,2021 13:11:51
[LAN access from remote] from 183.195.121.197:36359 to 192.168.9.53:51519, Tuesday, Feb 09,2021 13:11:00
[LAN access from remote] from 103.84.194.111:40036 to 192.168.9.53:51519, Tuesday, Feb 09,2021 13:10:54
[DHCP IP: (192.168.9.56)] to MAC address 98:09:CF:90:A8:98, Tuesday, Feb 09,2021 13:10:50
[LAN access from remote] from 203.151.144.160:57884 to 192.168.9.53:51519, Tuesday, Feb 09,2021 13:10:38
[LAN access from remote] from 181.49.246.20:56168 to 192.168.9.53:51519, Tuesday, Feb 09,2021 13:10:33
[LAN access from remote] from 181.209.23.195:58494 to 192.168.9.53:51519, Tuesday, Feb 09,2021 13:10:30
[LAN access from remote] from 66.70.142.214:53520 to 192.168.9.53:51519, Tuesday, Feb 09,2021 13:10:17
[LAN access from remote] from 172.81.239.224:47760 to 192.168.9.53:51519, Tuesday, Feb 09,2021 13:10:04
[LAN access from remote] from 120.88.46.226:51886 to 192.168.9.53:51519, Tuesday, Feb 09,2021 13:10:03
[LAN access from remote] from 103.84.194.111:35457 to 192.168.9.53:51519, Tuesday, Feb 09,2021 13:09:55
[LAN access from remote] from 101.226.21.105:47115 to 192.168.9.53:51519, Tuesday, Feb 09,2021 13:09:53
[LAN access from remote] from 139.59.32.156:60330 to 192.168.9.53:51519, Tuesday, Feb 09,2021 13:09:52
[LAN access from remote] from 42.192.8.30:55398 to 192.168.9.53:51519, Tuesday, Feb 09,2021 13:09:27
[LAN access from remote] from 183.195.121.197:52196 to 192.168.9.53:51519, Tuesday, Feb 09,2021 13:09:19
[LAN access from remote] from 103.84.194.111:59111 to 192.168.9.53:51519, Tuesday, Feb 09,2021 13:08:58
[LAN access from remote] from 62.94.153.133:60806 to 192.168.9.53:51519, Tuesday, Feb 09,2021 13:08:42
[LAN access from remote] from 103.84.194.111:54533 to 192.168.9.53:51519, Tuesday, Feb 09,2021 13:07:58
[LAN access from remote] from 203.151.144.160:41342 to 192.168.9.53:51519, Tuesday, Feb 09,2021 13:07:53
[LAN access from remote] from 181.49.246.20:41480 to 192.168.9.53:51519, Tuesday, Feb 09,2021 13:07:47
[LAN access from remote] from 172.81.239.224:34982 to 192.168.9.53:51519, Tuesday, Feb 09,2021 13:07:35
[LAN access from remote] from 120.88.46.226:36680 to 192.168.9.53:51519, Tuesday, Feb 09,2021 13:07:15
[LAN access from remote] from 66.70.142.214:43044 to 192.168.9.53:51519, Tuesday, Feb 09,2021 13:07:06
[LAN access from remote] from 103.84.194.111:49953 to 192.168.9.53:51519, Tuesday, Feb 09,2021 13:07:01
[LAN access from remote] from 42.192.8.30:42268 to 192.168.9.53:51519, Tuesday, Feb 09,2021 13:06:46
[LAN access from remote] from 181.209.23.195:43880 to 192.168.9.53:51519, Tuesday, Feb 09,2021 13:06:30
[LAN access from remote] from 101.226.21.105:33928 to 192.168.9.53:51519, Tuesday, Feb 09,2021 13:06:19
[LAN access from remote] from 139.59.32.156:44864 to 192.168.9.53:51519, Tuesday, Feb 09,2021 13:06:04
[LAN access from remote] from 103.84.194.111:45375 to 192.168.9.53:51519, Tuesday, Feb 09,2021 13:06:01
[LAN access from remote] from 62.94.153.133:38639 to 192.168.9.53:51519, Tuesday, Feb 09,2021 13:05:21
[LAN access from remote] from 183.195.121.197:39808 to 192.168.9.53:51519, Tuesday, Feb 09,2021 13:05:11
[LAN access from remote] from 203.151.144.160:52876 to 192.168.9.53:51519, Tuesday, Feb 09,2021 13:05:03
[LAN access from remote] from 103.84.194.111:40796 to 192.168.9.53:51519, Tuesday, Feb 09,2021 13:05:03
[LAN access from remote] from 181.49.246.20:55026 to 192.168.9.53:51519, Tuesday, Feb 09,2021 13:04:49
[LAN access from remote] from 194.147.140.91:44416 to 192.168.9.53:80, Tuesday, Feb 09,2021 13:04:40
[LAN access from remote] from 120.88.46.226:49704 to 192.168.9.53:51519, Tuesday, Feb 09,2021 13:04:20


 

Message 3 of 7
antinode
Guru

Re: Port forwarding of ANY kind opens all ports!!!

> [...] I can not access the server except using that port ssh -p (as a
> second check)

 

   That's on your LAN?


> Here is a short snippet of the router logs showing every attack that
> hit the router was directed to 51519 on 192.168.9.53 [...]

 

   That makes sense if the "Internal Port" in your port-forwarding rule
is 51519.

 

> [...] BUT the forwarding was set to allow ONLY ONE inbound port number
> [...]

 

   _Which_ "ONE inbound port number"?  22?

 

> [...] and NONE of those identified below are it. Its as .


   The _source_ port numbers in that log are insignificant.

 

> Double-check the port-forwarding rule(s) (which I can't see from
> here). [...]

 

   I still haven't seen your port-forwarding rule for SSH, but my
current inference is that you got its port numbers backward.  That is,
the external port number is 22, and the internal port number is 51519.


   What you _want_ in the rule is a non-standard _external_ port number
(for security/obscurity), and a standard (maximally convenient)
_internal_ port number.  And a server which listens at that standard
port, of course.

 

   The fact that you're getting apparently real SSH attacks (as
evidenced by "invalid user" messages in the server system log), with
high-frequency, also suggests that your router is listening at the
standard SSH port.

 

> Port 22 is the de facto ssh port so that would be the first hit IF
> attacks made it through the router, so I changed it internally as a
> test

 

   Not a threat if you configure port forwarding (and DMZ and UPnP)
properly.

Message 4 of 7
BRWhitecotton
Aspirant

Re: Port forwarding of ANY kind opens all ports!!!

I had all your comments/questions addressed, examples, screen captures and when I posted it found two typos so I edited it and hit post and the entire content just vanished!!!! WTH?

 

Bottom line is port forwarding is forwarding everything to 51519 and not just the port I designated (which is not 22).

Also Blocked Service SSH explicitly for ALL IP addresses - still doesn't help.

 

As you can see, my server auth log shows

 

Feb 9 18:20:27 archimedes sshd[22452]: pam_unix(sshd:auth): check pass; user unknown
Feb 9 18:20:27 archimedes sshd[22452]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=128.199.133.125
Feb 9 18:20:29 archimedes sshd[22452]: Failed password for invalid user cherish from 128.199.133.125 port 41522 ssh2
Feb 9 18:20:30 archimedes sshd[22452]: Received disconnect from 128.199.133.125 port 41522:11: Bye Bye [preauth]
Feb 9 18:20:30 archimedes sshd[22452]: Disconnected from invalid user cherish 128.199.133.125 port 41522 [preauth]
Feb 9 18:24:57 archimedes sshd[22469]: Invalid user gcc from 182.253.122.13 port 10638
Feb 9 18:24:57 archimedes sshd[22469]: pam_unix(sshd:auth): check pass; user unknown
Feb 9 18:24:57 archimedes sshd[22469]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.253.122.13
Feb 9 18:24:59 archimedes sshd[22469]: Failed password for invalid user gcc from 182.253.122.13 port 10638 ssh2
Feb 9 18:25:00 archimedes sshd[22469]: Received disconnect from 182.253.122.13 port 10638:11: Bye Bye [preauth]
Feb 9 18:25:00 archimedes sshd[22469]: Disconnected from invalid user gcc 182.253.122.13 port 10638 [preauth]
Feb 9 18:30:01 archimedes CRON[22487]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb 9 18:30:01 archimedes CRON[22487]: pam_unix(cron:session): session closed for user root
Feb 9 18:32:09 archimedes sshd[22499]: Invalid user prince from 128.199.133.125 port 53120
Feb 9 18:32:09 archimedes sshd[22499]: pam_unix(sshd:auth): check pass; user unknown
Feb 9 18:32:09 archimedes sshd[22499]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=128.199.133.125
Feb 9 18:32:11 archimedes sshd[22499]: Failed password for invalid user prince from 128.199.133.125 port 53120 ssh2
Feb 9 18:32:13 archimedes sshd[22499]: Received disconnect from 128.199.133.125 port 53120:11: Bye Bye [preauth]
Feb 9 18:32:13 archimedes sshd[22499]: Disconnected from invalid user prince 128.199.133.125 port 53120 [preauth]

 

and these correspond to my router logs

[LAN access from remote] from 128.199.133.125:53120 to 192.168.9.53:51519, Tuesday, Feb 09,2021 18:32:03
[DHCP IP: (192.168.9.59)] to MAC address 72:02:FB:58:12:FC, Tuesday, Feb 09,2021 18:25:44
[LAN access from remote] from 182.253.122.13:10638 to 192.168.9.53:51519, Tuesday, Feb 09,2021 18:24:55
[Admin login] from source 192.168.9.62, Tuesday, Feb 09,2021 18:21:16
[LAN access from remote] from 128.199.133.125:41522 to 192.168.9.53:51519, Tuesday, Feb 09,2021 18:20:25
[Admin login] from source 192.168.9.62, Tuesday, Feb 09,2021 18:13:15

 

so not secure in the least.

 

@antinode Thanks for your help but I need to just turn off port forwarding as it is the ONLY way that attacks cease completely.

 

Message 5 of 7
antinode
Guru

Re: Port forwarding of ANY kind opens all ports!!!

> I had all your comments/questions addressed, [...]

 

   Sadly, what I need is actual information; excuses are much less
helpful.

 

> As you can see, my server auth log shows [...]
> and these correspond to my router logs [...]

 

   I see nothing new there.  Especially not your actual port-forwarding
rule.

 

> [...] I need to just turn off port forwarding as it is the ONLY way
> that attacks cease completely.

 

   "ONLY" is a very dangerous word to throw around with no actual
evidence.  I'd expect that not having the router listen at port 22 would
solve that attack problem, unless there's someone out there who doesn't
like you, and has plenty of time to invest.

 

> so not secure in the least.

 

   Also not visible to someone with my weak psychic powers.

 

   What I know:

 

   1. I've seen port forwarding work as expected on an R7000 with an
older firmware version.

 

   2. Valid complaints here about port forwarding problems on an R7000
(with any firmware version) are approximately nonexistent.

 

   3. User errors involving port forwarding on various router models
and/or firmware versions appear here frequently.


   4. Your SSH server configuration is perverse.

 

   5. Your actual port-forwarding rule remains invisible.  Hence suspect.

 

   For an example of a (different, even more?) confused user, see, for
example:

 

      https://community.netgear.com/t5/x/x/m-p/1767803

 

Much (most?) of that exchange is a waste of time and bits, but it does
include a couple of example SSH port-forwarding rules.

 

   If your router's (invisible) configuration actually does appear
correct, then I'd try a settings reset and manual reconfiguration.  With
an SSH server which listens on port 22, and a port-forwarding rule which
doesn't.

 

   Posting more duplicative log excerpts, and not posting the actual
port-forwarding rule, would, I'd expect, waste more of everyone's time.

Message 6 of 7
antinode
Guru

Re: Port forwarding of ANY kind opens all ports!!!

> [...] opens all ports!!!

 

   Presumably, you were misled by the miscellaneous _source_ port
numbers in the logs.  For example, "53120" in:

 

      Feb 9 18:32:09 archimedes sshd[22499]: Invalid user prince from
       128.199.133.125 port 53120

 

      [LAN access from remote] from 128.199.133.125:53120 to
       192.168.9.53:51519, Tuesday, Feb 09,2021 18:32:03

 

> The _source_ port numbers in that log are insignificant.

 

   To fill in the fine print behind that statement:

 

   The source <address>:<port> information (like
"128.199.133.125:53120") has nothing to do with how the message is
handled at your (router's) end; it specifies where the _reply_ is to be
sent (by the server program).


   You can think of it as the return address on an envelope for a postal
message.  (Perhaps as a street address and an apartment number.)  It
does not affect delivery of the message; it only tells the recipient
where to send a reply.


   No matter what you specified as the External Port in your
port-forwarding rule (I infer 22), those source port numbers will be
scattered over a wide range of values, determined by the IP software at
the client end of the transaction.  On the server end of the
transaction, they're of interest to only the SSH server program ("sshd")
which needs to know where to send its reply.  The router generally
ignores them.

 

   On the local side, "192.168.9.53:51519" shows the LAN IP address of
the server, and the Internal Port in the relevant port-forwarding rule.
(The router log doesn't record the External Port, which can be deduced
from the Internal Port and the port-forwarding rules.)

Message 7 of 7
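The point made in the last reply (source ports are scattered ephemeral values chosen by the client, while the destination port in every "[LAN access from remote]" entry is the single Internal Port of the forwarding rule) can be checked mechanically. The following is an added example written for this thread, not code posted by either participant: it parses the router log and sshd auth.log formats exactly as they appear above, correlates the two by client address and source port, and reports whether the destination port is constant and the source ports vary. The sample lines are copied from the thread; the regular expressions assume the router log line layout shown there and the stock OpenSSH "Invalid user" / "Failed password" message formats.

```python
import re
from collections import Counter

# Router log and sshd auth.log excerpts taken from the thread above.
ROUTER_LOG = """\
[LAN access from remote] from 128.199.133.125:53120 to 192.168.9.53:51519, Tuesday, Feb 09,2021 18:32:03
[DHCP IP: (192.168.9.59)] to MAC address 72:02:FB:58:12:FC, Tuesday, Feb 09,2021 18:25:44
[LAN access from remote] from 182.253.122.13:10638 to 192.168.9.53:51519, Tuesday, Feb 09,2021 18:24:55
[Admin login] from source 192.168.9.62, Tuesday, Feb 09,2021 18:21:16
[LAN access from remote] from 128.199.133.125:41522 to 192.168.9.53:51519, Tuesday, Feb 09,2021 18:20:25
"""

AUTH_LOG = """\
Feb 9 18:20:29 archimedes sshd[22452]: Failed password for invalid user cherish from 128.199.133.125 port 41522 ssh2
Feb 9 18:24:57 archimedes sshd[22469]: Invalid user gcc from 182.253.122.13 port 10638
Feb 9 18:32:09 archimedes sshd[22499]: Invalid user prince from 128.199.133.125 port 53120
"""

# Assumed formats: the Netgear "[LAN access from remote]" line as shown in the thread,
# and the OpenSSH pre-auth failure messages as shown in the thread.
ROUTER_RE = re.compile(r"^\[LAN access from remote\] from (\S+):(\d+) to (\S+):(\d+),")
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?:Invalid user|Failed password for invalid user) (\S+) from (\S+) port (\d+)"
)


def parse_router_log(text):
    """Return (src_ip, src_port, dst_ip, dst_port) for each forwarded-connection entry."""
    conns = []
    for line in text.splitlines():
        m = ROUTER_RE.match(line)
        if m:
            conns.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return conns


def parse_auth_log(text):
    """Return {(client_ip, client_port): attempted_username} from sshd failure lines."""
    attempts = {}
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            attempts[(m.group(2), int(m.group(3)))] = m.group(1)
    return attempts


def summarize(router_text, auth_text):
    """Correlate router entries with sshd attempts and characterise the port usage."""
    conns = parse_router_log(router_text)
    attempts = parse_auth_log(auth_text)
    dst_ports = Counter(dst_port for _, _, _, dst_port in conns)
    src_ports = {src_port for _, src_port, _, _ in conns}
    # The client (ip, source port) pair is the join key between the two logs:
    # the router records it when it forwards the connection, sshd records it
    # when the same connection reaches the server.
    correlated = {
        (ip, sp): attempts[(ip, sp)]
        for ip, sp, _, _ in conns
        if (ip, sp) in attempts
    }
    return {
        # One destination port for every entry means one forwarding rule is in play.
        "destination_ports": dict(dst_ports),
        # Many distinct source ports is the normal ephemeral-port behaviour of clients.
        "distinct_source_ports": len(src_ports),
        "all_source_ports_ephemeral": all(p >= 1024 for p in src_ports),
        "correlated_attempts": correlated,
    }


if __name__ == "__main__":
    result = summarize(ROUTER_LOG, AUTH_LOG)
    print("destination ports seen:", result["destination_ports"])
    print("distinct source ports:", result["distinct_source_ports"])
    print("all source ports ephemeral:", result["all_source_ports_ephemeral"])
    for (ip, port), user in result["correlated_attempts"].items():
        print(f"  {ip}:{port} -> attempted user {user!r}")
```

Run against the thread's own lines, every forwarded entry lands on 192.168.9.53:51519 while the three source ports are all different and all above 1024, which is exactly the "one Internal Port, scattered return addresses" picture the reply describes. On a real system the same two parsers can be pointed at a full router log export and /var/log/auth.log; a destination-port counter with more than one key would be the signal that more than one rule (or a DMZ entry) is forwarding traffic.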