27-12-2024 03:38 PM
I've been noticing an increased number of invalid ssh login attempts to some, but not all, of the devices in my network:
For example:
Dec 27 09:45:27 pizw sshd[32415]: Failed password for invalid user Recorder from 192.168.1.1 port 54310 ssh2
Dec 27 09:46:29 pizw sshd[32432]: Failed password for invalid user Recorder from 192.168.1.1 port 54324 ssh2
Dec 27 09:46:33 pizw sshd[32434]: Failed password for invalid user admin from 192.168.1.1 port 54326 ssh2
Dec 27 09:46:37 pizw sshd[32443]: Failed password for invalid user admin from 192.168.1.1 port 54328 ssh2
Dec 27 09:47:40 pizw sshd[32452]: Failed password for invalid user admin from 192.168.1.1 port 54348 ssh2
Dec 27 09:47:44 pizw sshd[32454]: Failed password for invalid user admin from 192.168.1.1 port 54350 ssh2
Dec 27 09:47:48 pizw sshd[32463]: Failed password for invalid user nzbget from 192.168.1.1 port 54352 ssh2
Dec 27 09:48:52 pizw sshd[32480]: Failed password for invalid user 101 from 192.168.1.1 port 54366 ssh2
Are these being generated by my router?
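One way to summarise the sshd failures quoted in the question, grouping them by source address and attempted username and checking whether the source is a private (LAN) address. This is an added example, not part of the original thread; the function names `summarize` and `is_lan_source` are assumptions, and the sample lines are the ones from the post.

```python
import ipaddress
import re
from collections import defaultdict

# Log lines copied from the post above.
SAMPLE = """\
Dec 27 09:45:27 pizw sshd[32415]: Failed password for invalid user Recorder from 192.168.1.1 port 54310 ssh2
Dec 27 09:46:29 pizw sshd[32432]: Failed password for invalid user Recorder from 192.168.1.1 port 54324 ssh2
Dec 27 09:46:33 pizw sshd[32434]: Failed password for invalid user admin from 192.168.1.1 port 54326 ssh2
Dec 27 09:46:37 pizw sshd[32443]: Failed password for invalid user admin from 192.168.1.1 port 54328 ssh2
Dec 27 09:47:40 pizw sshd[32452]: Failed password for invalid user admin from 192.168.1.1 port 54348 ssh2
Dec 27 09:47:44 pizw sshd[32454]: Failed password for invalid user admin from 192.168.1.1 port 54350 ssh2
Dec 27 09:47:48 pizw sshd[32463]: Failed password for invalid user nzbget from 192.168.1.1 port 54352 ssh2
Dec 27 09:48:52 pizw sshd[32480]: Failed password for invalid user 101 from 192.168.1.1 port 54366 ssh2
"""

# Greedy user match so a username containing " from " still parses:
# the source address is taken from the last " from <addr> port <n>".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>.+) from (?P<src>\S+) port (?P<port>\d+)"
)

def summarize(text):
    """Group failed sshd password attempts by logged source address."""
    out = defaultdict(lambda: {"attempts": 0, "invalid": 0, "users": set()})
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # not a failed-password line
        entry = out[m["src"]]
        entry["attempts"] += 1
        entry["invalid"] += bool(m["invalid"])  # account does not exist on this host
        entry["users"].add(m["user"])
    return dict(out)

def is_lan_source(src):
    """True when the logged source is a private-range address."""
    try:
        return ipaddress.ip_address(src).is_private
    except ValueError:
        return False  # sshd logged a hostname rather than an address

if __name__ == "__main__":
    for src, e in summarize(SAMPLE).items():
        origin = "private/LAN" if is_lan_source(src) else "public"
        print(f"{src} ({origin}): {e['attempts']} failures, "
              f"{e['invalid']} for nonexistent users, tried {sorted(e['users'])}")
```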
27-12-2024 09:26 PM - edited 27-12-2024 09:30 PM
@davemacrae Your log shows multiple attempts to log on to the router.
28-12-2024 08:42 AM
Nope. The login attempts are coming from the router, 192.168.1.1. The logs are generated on a Pi Zero W, hence pizw!
27-12-2024 09:32 PM - edited 27-12-2024 09:33 PM
That depends on the router address 😁
But I thought the format looked like the router log. PIZW I think relates to the USB interface on some devices.
28-12-2024 08:45 AM
Router is on 192.168.1.1.
Logs are standard UNIX logs from a Raspberry Pi Zero W, hence hostname of pizw (I'm not very innovative on names 😎).
28-12-2024 09:54 AM
@davemacrae If your router has sshd running, turn it off. Make sure admin can only access over LAN and not WAN. If you can find the time, unplug the router from the LAN for enough time (overnight?) to see if that makes any difference. Finally, what do you see in the router log?
If none of this gives any clues, start wondering what is on the Pi.
28-12-2024 11:38 AM
The Router is a standard Vodafone router.
The LAN interface has the following open ports:
Nmap scan report for 192.168.1.1
Host is up (0.00081s latency).
Not shown: 37899 closed tcp ports (reset), 27628 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Cloudflare public DNS
80/tcp open http nginx
443/tcp open ssl/http nginx
631/tcp open ipp CUPS 2.2
1883/tcp open mosquitto version 1.6.9
6699/tcp open ssl/http nginx
8080/tcp open http nginx
49152/tcp open upnp Cisco-Linksys E4200 WAP upnpd (UPnP 1.0)
MAC Address: A0:B5:3C:AD:E0:F3 (Technicolor Delivery Technologies Belgium NV)
Service Info: CPE: cpe:/h:cisco:e4200
No sshd ports open.
UPNP is disabled in configuration.
28-12-2024 12:44 PM
@davemacrae Check your Cisco device(s) for updates as they've had a heap of issues in the last year. Did you check your router to prevent WAN access to sshd and management/admin?
28-12-2024 08:42 AM
The logs are from a Pi Zero W