Is my router scanning my internal network?

davemacrae
4: Newbie

I've been noticing an increased number of invalid ssh login attempts to some, but not all, of the devices in my network:

For example:

Dec 27 09:45:27 pizw sshd[32415]: Failed password for invalid user Recorder from 192.168.1.1 port 54310 ssh2
Dec 27 09:46:29 pizw sshd[32432]: Failed password for invalid user Recorder from 192.168.1.1 port 54324 ssh2
Dec 27 09:46:33 pizw sshd[32434]: Failed password for invalid user admin from 192.168.1.1 port 54326 ssh2
Dec 27 09:46:37 pizw sshd[32443]: Failed password for invalid user admin from 192.168.1.1 port 54328 ssh2
Dec 27 09:47:40 pizw sshd[32452]: Failed password for invalid user admin from 192.168.1.1 port 54348 ssh2
Dec 27 09:47:44 pizw sshd[32454]: Failed password for invalid user admin from 192.168.1.1 port 54350 ssh2
Dec 27 09:47:48 pizw sshd[32463]: Failed password for invalid user nzbget from 192.168.1.1 port 54352 ssh2
Dec 27 09:48:52 pizw sshd[32480]: Failed password for invalid user 101 from 192.168.1.1 port 54366 ssh2

Are these being generated by my router?

33 REPLIES
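As an added example (not from the thread or any poster), the following parses sshd "Failed password" lines in the format quoted in the question and groups them by source address, turning "is it the router?" into a per-source count of attempts and usernames tried. The sample log is constructed from the eight lines above plus one successful key login that the parser must ignore.

```python
import re
from collections import defaultdict

# One sshd "Failed password" line in the format quoted above (syslog prefix,
# host, pid, optional "invalid user" marker, source IP and port).
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:(?P<invalid>invalid user) )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+) ssh2$"
)

# Constructed sample: the eight lines from the question plus one successful
# key-based login (constructed) that the parser must leave alone.
SAMPLE_LOG = """\
Dec 27 09:45:27 pizw sshd[32415]: Failed password for invalid user Recorder from 192.168.1.1 port 54310 ssh2
Dec 27 09:46:29 pizw sshd[32432]: Failed password for invalid user Recorder from 192.168.1.1 port 54324 ssh2
Dec 27 09:46:33 pizw sshd[32434]: Failed password for invalid user admin from 192.168.1.1 port 54326 ssh2
Dec 27 09:46:37 pizw sshd[32443]: Failed password for invalid user admin from 192.168.1.1 port 54328 ssh2
Dec 27 09:47:40 pizw sshd[32452]: Failed password for invalid user admin from 192.168.1.1 port 54348 ssh2
Dec 27 09:47:44 pizw sshd[32454]: Failed password for invalid user admin from 192.168.1.1 port 54350 ssh2
Dec 27 09:47:48 pizw sshd[32463]: Failed password for invalid user nzbget from 192.168.1.1 port 54352 ssh2
Dec 27 09:48:52 pizw sshd[32480]: Failed password for invalid user 101 from 192.168.1.1 port 54366 ssh2
Dec 27 09:49:10 pizw sshd[32490]: Accepted publickey for pi from 192.168.1.50 port 50200 ssh2
"""

def parse_failures(log_text):
    """Return one dict per 'Failed password' line; other sshd lines are skipped."""
    return [m.groupdict() for m in map(FAILED_RE.match, log_text.splitlines()) if m]

def summarize_by_source(log_text):
    """Per source IP: attempt count, distinct users tried, and how many attempts
    named a user that does not exist on the host (the 'invalid user' marker)."""
    summary = defaultdict(lambda: {"attempts": 0, "users": set(), "invalid": 0})
    for f in parse_failures(log_text):
        s = summary[f["src"]]
        s["attempts"] += 1
        s["users"].add(f["user"])
        s["invalid"] += (f["invalid"] is not None)
    return {src: {**s, "users": sorted(s["users"])} for src, s in summary.items()}

def suspicious_sources(log_text, min_attempts=5, min_users=3):
    """Flag sources that both retry a lot and spray several usernames: one user
    mistyping a password fails the second test, a scanner passes both. A LAN
    gateway address here means either the router itself or WAN traffic it
    forwards with source NAT, so the router side still has to be checked."""
    return sorted(
        src for src, s in summarize_by_source(log_text).items()
        if s["attempts"] >= min_attempts and len(s["users"]) >= min_users
    )
```

Feed it `journalctl -u ssh --no-pager` or the contents of /var/log/auth.log instead of SAMPLE_LOG to run it against a real Pi.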

Cynric
16: Advanced member

@davemacrae Your log shows multiple attempts to logon to the router.

Nope. The login attempts are coming from the router, 192.168.1.1. The logs are generated on a Pi Zero W, hence pizw!

Ripshod
16: Advanced member

What device is that log from? I assume not the router? 

Cynric
16: Advanced member

That depends on the router address 😁

But I thought the format looked like the router log. PIZW I think relates to the USB interface on some devices.

Router is on 192.168.1.1.

Logs are standard UNIX logs from a Raspberry Pi Zero W, hence the hostname is pizw (I'm not very innovative on names 😎).

Cynric
16: Advanced member

@davemacrae If your router has sshd running turn it off. Make sure admin can only access over LAN and not WAN. If you can find the time unplug the router from the LAN for enough time (overnight?) to see if that makes any difference. Finally, what do you see in the router log?

If none of this gives any clues, start wondering what is on the Pi.

The router is a standard Vodafone router.

The LAN interface has the following open ports:

Nmap scan report for 192.168.1.1
Host is up (0.00081s latency).
Not shown: 37899 closed tcp ports (reset), 27628 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Cloudflare public DNS
80/tcp open http nginx
443/tcp open ssl/http nginx
631/tcp open ipp CUPS 2.2
1883/tcp open mosquitto version 1.6.9
6699/tcp open ssl/http nginx
8080/tcp open http nginx
49152/tcp open upnp Cisco-Linksys E4200 WAP upnpd (UPnP 1.0)
MAC Address: A0:B5:3C:AD:E0:F3 (Technicolor Delivery Technologies Belgium NV)
Service Info: CPE: cpe:/h:cisco:e4200

No sshd ports open.

UPNP is disabled in configuration. 

Cynric
16: Advanced member

@davemacrae Check your Cisco device(s) for updates as they've had a heap of issues in the last year. Did you check your router to prevent WAN access to sshd and management/admin?

The logs are from a Pi Zero W