NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
Solved
LAN access from remote (6700v3)
I am getting massive attacks looking at /val/log/auth.log on my linux machine. Reading online realized it might be due to UpnP enabled in the router. So I disabled it, however I still see the followi...
> [...] on the router port 1010 was forwarded to 22. So I am not able to
> understand why all these other random ports are alse being redirected to
> my linux box?The remote port number is not significant. If you see a connection
(attempt), then the remote client is talking to the external port in
your port-forwarding rule. Have you tried an external port other than
1010?> Initially 22 was the internal port for ssh, I changed it to 2212, but
> the bots are too smart, now i see this in the log!No one in the outside world cares about the internal port, either;
only the external port in the port-forwarding rule matters to an
external client. The only effect of changing the port used on your LAN
would be to make more work for yourself. I'd return it to 22.It's possible that your attackers are trying all possible ports, but
the router will log only the attempts which match a port-forwarding
rule. (Otherwise, there's no connection to log.)
port 22 is Secure Shell (SSH). Do you have it running? There are many, really many bots that scan port 22 and attempt to enter. If you have a weakly secure SSH, some may succeed
> UpnP and DMZ are disabled, [...]
Are you port-forwarding (external) port 22? (Not a good idea, for
just this reason.) If anyone in the outside world is getting to
"192.168.1.100" (on your LAN), then I'd expect that some rule or other
on the router must be enabling it. (Otherwise, how would it know enough
to forward the connection attempt to ".100"?)
> [...] There are many, really many bots that scan port 22 and attempt
> to enter. [...]
Yup. Which is why folks normally use an external port other than 22
for such access.
port 22 was not open externally.
Service Name External Start Port Internal Start Port Internal IP address
1 ssh 1010 22 192.168.1.100Initially 22 was the internal port for ssh, I changed it to 2212, but the bots are too smart, now i see this in the log!
[LAN access from remote] from 121.254.173.11:60428 to 192.168.1.100:2212, Tuesday, Jul 23,2019 14:12:22 [LAN access from remote] from 45.55.232.106:48422 to 192.168.1.100:2212, Tuesday, Jul 23,2019 14:12:16 [LAN access from remote] from 46.101.249.232:36310 to 192.168.1.100:2212, Tuesday, Jul 23,2019 14:11:53
> [...] on the router port 1010 was forwarded to 22. So I am not able to
> understand why all these other random ports are alse being redirected to
> my linux box?The remote port number is not significant. If you see a connection
(attempt), then the remote client is talking to the external port in
your port-forwarding rule. Have you tried an external port other than
1010?> Initially 22 was the internal port for ssh, I changed it to 2212, but
> the bots are too smart, now i see this in the log!No one in the outside world cares about the internal port, either;
only the external port in the port-forwarding rule matters to an
external client. The only effect of changing the port used on your LAN
would be to make more work for yourself. I'd return it to 22.It's possible that your attackers are trying all possible ports, but
the router will log only the attempts which match a port-forwarding
rule. (Otherwise, there's no connection to log.)Thanks for clarifying that changing ssh to anything other than 22, does not really help.
Now regarding the attempt to login here:
[LAN access from remote] from 210.69.31.8:38915 to 192.168.1.100:2022, Tuesday, Jul 23,2019 17:29:07
The IP: 210.69.31.8 is trying to login via port 38915, or via port 2022?
Are you suggesting that port 38915 does not really have any significance here?