
LAN access from remote (6700v3)

sethsa
Aspirant

LAN access from remote (6700v3)

I am getting massive attacks, looking at /var/log/auth.log on my Linux machine. Reading online, I realized it might be due to UPnP being enabled in the router. So I disabled it; however, I still see the following in my router log:

 

[LAN access from remote] from 213.182.93.172:54967 to 192.168.1.100:22, Tuesday, Jul 23,2019 12:22:59
[LAN access from remote] from 177.125.58.145:52806 to 192.168.1.100:22, Tuesday, Jul 23,2019 12:22:53
[LAN access from remote] from 172.13.75.239:42916 to 192.168.1.100:22, Tuesday, Jul 23,2019 12:22:51
[LAN access from remote] from 121.254.173.11:38824 to 192.168.1.100:22, Tuesday, Jul 23,2019 12:22:43
[LAN access from remote] from 150.95.30.167:40798 to 192.168.1.100:22, Tuesday, Jul 23,2019 12:22:30
[LAN access from remote] from 46.101.249.232:49060 to 192.168.1.100:22, Tuesday, Jul 23,2019 12:22:13
[LAN access from remote] from 211.145.49.129:58103 to 192.168.1.100:22, Tuesday, Jul 23,2019 12:22:06
[LAN access from remote] from 58.250.164.242:40663 to 192.168.1.100:22, Tuesday, Jul 23,2019 12:22:00



 

It's an attempted login several times in a minute!

 

UPnP and DMZ are disabled; I am not sure why this has not stopped yet. Please help.

Model: R6700|Nighthawk AC1750 Smart WiFi Router
Message 1 of 10

Accepted Solution: Message 7 of 10 (antinode)

All Replies
sethsa
Aspirant

Re: LAN access from remote (6700v3)

Previous suggestion of disabling UPnP is not working for me. https://community.netgear.com/t5/Nighthawk-WiFi-Routers/LAN-access-from-remote-R7000/m-p/1174819

Is this a bug with the router? Why is the router letting all these connections through?

Message 2 of 10
microchip8
Master

Re: LAN access from remote (6700v3)

Port 22 is Secure Shell (SSH). Do you have it running? There are many, really many bots that scan port 22 and attempt to enter. If you have a weakly secured SSH, some may succeed.

Message 3 of 10
antinode
Guru

Re: LAN access from remote (6700v3)

> UPnP and DMZ are disabled, [...]

 

   Are you port-forwarding (external) port 22?  (Not a good idea, for
just this reason.)  If anyone in the outside world is getting to
"192.168.1.100" (on your LAN), then I'd expect that some rule or other
on the router must be enabling it.  (Otherwise, how would it know enough
to forward the connection attempt to ".100"?)

 

> [...] There are many, really many bots that scan port 22 and attempt
> to enter. [...]

 

   Yup.  Which is why folks normally use an external port other than 22
for such access.

Message 4 of 10
sethsa
Aspirant

Re: LAN access from remote (6700v3)

SSH is enabled on the Linux box (on port 22). However, on the router port 1010 was forwarded to 22. So I am not able to understand why all these other random ports are also being redirected to my Linux box?

 

Thanks!!

Message 5 of 10
sethsa
Aspirant

Re: LAN access from remote (6700v3)

Port 22 was not open externally.

 

#    Service Name    External Start Port    Internal Start Port    Internal IP address
1    ssh             1010                   22                     192.168.1.100

Initially 22 was the internal port for ssh, I changed it to 2212, but the bots are too smart, now I see this in the log!

 

[LAN access from remote] from 121.254.173.11:60428 to 192.168.1.100:2212, Tuesday, Jul 23,2019 14:12:22
[LAN access from remote] from 45.55.232.106:48422 to 192.168.1.100:2212, Tuesday, Jul 23,2019 14:12:16
[LAN access from remote] from 46.101.249.232:36310 to 192.168.1.100:2212, Tuesday, Jul 23,2019 14:11:53
Message 6 of 10
antinode
Guru

Re: LAN access from remote (6700v3)

> [...] on the router port 1010 was forwarded to 22. So I am not able to
> understand why all these other random ports are also being redirected to
> my linux box?

 

   The remote port number is not significant.  If you see a connection
(attempt), then the remote client is talking to the external port in
your port-forwarding rule.  Have you tried an external port other than
1010?

 

> Initially 22 was the internal port for ssh, I changed it to 2212, but
> the bots are too smart, now I see this in the log!

 

   No one in the outside world cares about the internal port, either;
only the external port in the port-forwarding rule matters to an
external client.  The only effect of changing the port used on your LAN
would be to make more work for yourself.  I'd return it to 22.

 

   It's possible that your attackers are trying all possible ports, but
the router will log only the attempts which match a port-forwarding
rule.  (Otherwise, there's no connection to log.)

Message 7 of 10
sethsa
Aspirant

Re: LAN access from remote (6700v3)

Thanks for clarifying that changing ssh to anything other than 22 does not really help.

 

Now regarding the attempt to log in here:

[LAN access from remote] from 210.69.31.8:38915 to 192.168.1.100:2022, Tuesday, Jul 23,2019 17:29:07

 

The IP: 210.69.31.8 is trying to log in via port 38915, or via port 2022?

Are you suggesting that port 38915 does not really have any significance here?

 

Message 8 of 10
antinode
Guru

Re: LAN access from remote (6700v3)

> The IP: 210.69.31.8 is trying to log in via port 38915, or via port
> 2022?

 

   Your public IP address at the port in your (invisible)
port-forwarding rule is where the message was sent.
"192.168.1.100:2022" is where the message was delivered (thanks to NAT
and port forwarding).  "210.69.31.8:38915" is where the reply (if any)
should be sent.

 

> Are you suggesting that port 38915 does not really have any
> significance here?

 

   I thought that I did more than "suggest".  It's determined by the
program at the other end.  It certainly tells me nothing useful.  Note
that every log entry shows a different source port number.  Each is as
useful as the others.  If you (or your sshd) wanted to respond, _then_
it would be useful.


> [...] Have you tried an external port other than 1010?

 

   Still wondering.

 

   When I first exposed an SSH server at (external) port 22 on my site,
I observed daily attempts to break in.  When I changed it to use a port
other than 22, these break-in attempts practically stopped.  But I was
looking at the security logs on the system with the SSH server, not at
the router logs.  In the router log, you might be seeing simple port
scans, from people/programs trying every (or nearly every) port, in
which case, you might see such messages no matter which external port
you use for SSH.  But I wouldn't bet that any of these are serious SSH
break-in attempts (unless you're using external port 22).

 

   You might want to look into where your sshd logs its stuff, and see
if you can find any more serious activity there.  Around here, I
practically never look at the router logs.  Too much noise.

Message 9 of 10
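
An added example, not part of the thread: a small parser for the router's "[LAN access from remote]" entries that applies the reading given above, grouping by destination (which reflects the port-forwarding rule) and source IP while treating the source port as ephemeral. The sample lines are copied from the log excerpts posted earlier; the function names are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Entries copied from the router log excerpts posted in this thread.
SAMPLE_LOG = """\
[LAN access from remote] from 213.182.93.172:54967 to 192.168.1.100:22, Tuesday, Jul 23,2019 12:22:59
[LAN access from remote] from 177.125.58.145:52806 to 192.168.1.100:22, Tuesday, Jul 23,2019 12:22:53
[LAN access from remote] from 121.254.173.11:38824 to 192.168.1.100:22, Tuesday, Jul 23,2019 12:22:43
[LAN access from remote] from 46.101.249.232:49060 to 192.168.1.100:22, Tuesday, Jul 23,2019 12:22:13
[LAN access from remote] from 58.250.164.242:40663 to 192.168.1.100:22, Tuesday, Jul 23,2019 12:22:00
[LAN access from remote] from 121.254.173.11:60428 to 192.168.1.100:2212, Tuesday, Jul 23,2019 14:12:22
[LAN access from remote] from 45.55.232.106:48422 to 192.168.1.100:2212, Tuesday, Jul 23,2019 14:12:16
[LAN access from remote] from 46.101.249.232:36310 to 192.168.1.100:2212, Tuesday, Jul 23,2019 14:11:53
"""

LINE_RE = re.compile(
    r"\[LAN access from remote\] from (?P<src_ip>[\d.]+):(?P<src_port>\d+) "
    r"to (?P<dst_ip>[\d.]+):(?P<dst_port>\d+), \w+, (?P<ts>\w+ \d+,\d+ [\d:]+)")

def parse(log_text):
    """Yield one record per forwarded-connection entry; ignore other lines."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["src_port"], rec["dst_port"] = int(rec["src_port"]), int(rec["dst_port"])
            rec["ts"] = datetime.strptime(rec["ts"], "%b %d,%Y %H:%M:%S")
            yield rec

def summarize(log_text):
    """Group by the fields that matter: destination (forwarding rule) and source IP."""
    recs = list(parse(log_text))
    dst_ports_by_src = defaultdict(set)
    for r in recs:
        dst_ports_by_src[r["src_ip"]].add(r["dst_port"])
    return {
        "entries": len(recs),
        "targets": dict(Counter((r["dst_ip"], r["dst_port"]) for r in recs)),
        "unique_source_ports": len({r["src_port"] for r in recs}),
        "per_minute": dict(Counter(r["ts"].strftime("%H:%M") for r in recs)),
        # Sources seen both before and after the internal port changed from 22 to 2212.
        "returning_sources": sorted(ip for ip, p in dst_ports_by_src.items() if len(p) > 1),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Every entry carries a different source port, while the destinations collapse to the two internal ports the forwarding rule pointed at; two source addresses appear against both.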
sethsa
Aspirant

Re: LAN access from remote (6700v3)

I switched to a new random port, and now the attacks seem to have stopped (at least for the past 2 hrs).

I previously had UPnP enabled, which might have made the router more vulnerable.

See this as a 2-barrier system, with the router serving as the first and fail2ban as the second (to jail abusive IPs).

Thanks!
Message 10 of 10