Is my router scanning my internal network?

davemacrae
4: Newbie

I've been noticing an increased number of invalid ssh login attempts to some, but not all, of the devices in my network:

For example:

Dec 27 09:45:27 pizw sshd[32415]: Failed password for invalid user Recorder from 192.168.1.1 port 54310 ssh2
Dec 27 09:46:29 pizw sshd[32432]: Failed password for invalid user Recorder from 192.168.1.1 port 54324 ssh2
Dec 27 09:46:33 pizw sshd[32434]: Failed password for invalid user admin from 192.168.1.1 port 54326 ssh2
Dec 27 09:46:37 pizw sshd[32443]: Failed password for invalid user admin from 192.168.1.1 port 54328 ssh2
Dec 27 09:47:40 pizw sshd[32452]: Failed password for invalid user admin from 192.168.1.1 port 54348 ssh2
Dec 27 09:47:44 pizw sshd[32454]: Failed password for invalid user admin from 192.168.1.1 port 54350 ssh2
Dec 27 09:47:48 pizw sshd[32463]: Failed password for invalid user nzbget from 192.168.1.1 port 54352 ssh2
Dec 27 09:48:52 pizw sshd[32480]: Failed password for invalid user 101 from 192.168.1.1 port 54366 ssh2

Are these being generated by my router?


That's just a tag that Nmap gives. The router is not an E4200.

No idea why it's open, UPnP is switched off. Nmap is quite known for false positives on high ports. It doesn't really know what's running on that port.

Cynric
16: Advanced member

What is the device that is tagged E4200?

The Vodafone router, which isn't an E4200.

Cynric
16: Advanced member

Have you got a managed switch on the LAN which is being used to select ports using tags or setup for remote management over ssh?

No

I had a play with Wireshark before making my previous post, and the problem is that from a third device, it has to be somewhere "in-line" or using a snooping dongle that is - great for broadcast data, not quite so great otherwise.  On the RPi-alikes I use you could run Wireshark on the targeted device, but I think our OP is running Pi-Hole on a lesser device!

madmuso
3: Seeker

Hi All - I had exactly the same issue at the beginning of December.  I never got to the bottom of the problem.  I did not have UPnP enabled on the router but I was seeing connections coming from the router attempting to make an SSH login to my Synology NAS using admin, root and other standard usernames.  These failed to connect because I have a strong password and also have MFA enabled.  However, the NAS started to defend itself and block connections from the router IP (both V4 and V6 addresses).  I then suffered connectivity issues within my network such that I could not connect to the NAS.

I managed to stop the SSH connections only by disabling the SSH listener on my NAS (which I did not really need).  I also enabled UPnP and forced an update of the UPnP settings from the NAS.  Synology has a nice feature where you can manually send UPnP configurations to the router.  This seemed to resolve most of the issues.
However, one really annoying symptom remained - my printer (quite old Canon one) was really slow to respond on the network.  Complex print jobs were failing, or being delayed.  This problem only persisted with connections from Windows PCs.  Printing from mobile devices was fine.  I ended up having to save anything I wanted to print to OneDrive and then print it from my iPad.

I tried everything I could think of:
1) Putting in exception rules in the Windows PC Firewall (as advised by Bitdefender help pages)
2) Rebooting the router
3) Completely removing the AV software from the Laptop
4) Factory reset of the printer
5) Disconnecting devices from the LAN
6) Wireshark trace to see if I could still see SSH connections on the LAN - but I'm not really an expert in Wireshark and did not find anything useful.
7) Changing the printer to a fixed IP address outside the DHCP Range

Finally today I rang Vodafone and talked them through the issues.  They were helpful and as I explained the issue to them I started to think of other options (like the factory reset on the printer and the fixed IP change).  They did suggest a factory reset of the router.  This was my last-ditch attempt - I saved the config of the router.  Did the factory reset and then tested with just my Printer and Laptop connected.  All printed fine with no delays.  I then loaded up the saved config, tested again with just Laptop and Printer - worked OK.  I then went through my home network setup re-connecting each hub, booster, device one by one.  Checking each time that the printing was no longer being delayed.  So far (2 hours in) - everything is now working as expected.
My takeaway from this is that there is very probably a serious vulnerability in the Vodafone Ultrahub Router supplied for use with the PRO 2 service.  Even if the attack was begun by something inside my network making an outbound connection via UPnP - this should not have been possible given that it was disabled.  I have asked Vodafone to open a security incident.  I doubt they will but will keep you posted.  I'll also upload some logs if I can find anything useful.

@davemacrae did you have Vodafone Protect enabled?  I did turn it on, but I turned it off again.  Your suspicion about Vodafone doing some "helpful" network scanning was one I also thought of.  Or even Bitdefender doing it.

madmuso
3: Seeker

Level    Log         Time                 User     Event

Warning  Connection  2024/12/04 04:24:32  666666   User [666666] from [192.168.0.1] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/12/04 04:23:24  SYSTEM   User [root] from [192.168.0.1] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/12/04 04:23:18  admin    User [admin] from [192.168.0.1] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/12/04 04:23:11  SYSTEM   User [root] from [192.168.0.1] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/12/04 04:22:05  admin    User [admin] from [192.168.0.1] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/12/04 04:21:57  SYSTEM   User [root] from [192.168.0.1] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/12/04 04:21:52  admin    User [admin] from [192.168.0.1] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/12/04 04:20:46  user     User [user] from [192.168.0.1] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/12/04 04:20:38  SYSTEM   User [root] from [192.168.0.1] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/12/04 04:20:31  SYSTEM   User [root] from [192.168.0.1] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/12/03 22:20:25  SYSTEM   User [root] from [192.168.0.1] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/12/03 22:20:19  admin    User [admin] from [192.168.0.1] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/12/03 22:19:12  SYSTEM   User [root] from [192.168.0.1] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/12/03 22:19:05  support  User [support] from [192.168.0.1] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/12/03 22:18:57  SYSTEM   User [root] from [192.168.0.1] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/12/03 22:17:50  SYSTEM   User [root] from [192.168.0.1] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/12/03 22:17:43  SYSTEM   User [root] from [192.168.0.1] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/12/03 22:17:33  888888   User [888888] from [192.168.0.1] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/12/03 22:16:26  SYSTEM   User [root] from [192.168.0.1] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/12/03 22:16:20  admin    User [admin] from [192.168.0.1] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/12/03 16:16:10  admin    User [admin] from [192.168.0.1] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/12/03 16:16:03  SYSTEM   User [root] from [192.168.0.1] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/12/03 01:04:31  admin    User [admin] from [192.168.0.1] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/12/03 01:03:22  SYSTEM   User [root] from [192.168.0.1] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/12/03 01:03:15  support  User [support] from [192.168.0.1] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/12/03 01:03:08  SYSTEM   User [root] from [192.168.0.1] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/12/03 01:02:00  SYSTEM   User [root] from [192.168.0.1] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/12/03 01:01:53  SYSTEM   User [root] from [192.168.0.1] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/12/03 01:01:48  888888   User [888888] from [192.168.0.1] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/12/03 01:00:41  SYSTEM   User [root] from [192.168.0.1] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/12/03 01:00:35  admin    User [admin] from [192.168.0.1] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/12/03 01:00:28  SYSTEM   User [root] from [192.168.0.1] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/12/03 00:38:45  666666   User [666666] from [fe80::a2b5:3cff:fe8f:10be%eth0] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/12/03 00:37:37  SYSTEM   User [root] from [fe80::a2b5:3cff:fe8f:10be%eth0] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/12/03 00:37:32  admin    User [admin] from [fe80::a2b5:3cff:fe8f:10be%eth0] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/12/03 00:37:24  SYSTEM   User [root] from [fe80::a2b5:3cff:fe8f:10be%eth0] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/12/03 00:36:18  admin    User [admin] from [fe80::a2b5:3cff:fe8f:10be%eth0] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/12/03 00:36:11  SYSTEM   User [root] from [fe80::a2b5:3cff:fe8f:10be%eth0] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/12/03 00:36:05  admin    User [admin] from [fe80::a2b5:3cff:fe8f:10be%eth0] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/12/03 00:35:00  user     User [user] from [fe80::a2b5:3cff:fe8f:10be%eth0] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/12/03 00:34:52  SYSTEM   User [root] from [fe80::a2b5:3cff:fe8f:10be%eth0] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/12/03 00:34:45  SYSTEM   User [root] from [fe80::a2b5:3cff:fe8f:10be%eth0] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/12/03 00:12:11  admin    User [admin] from [192.168.0.1] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/12/03 00:12:03  SYSTEM   User [root] from [192.168.0.1] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/11/30 06:34:41  SYSTEM   User [root] from [fe80::a2b5:3cff:fe8f:10be%eth0] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/11/30 06:34:34  admin    User [admin] from [fe80::a2b5:3cff:fe8f:10be%eth0] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/11/30 06:33:30  SYSTEM   User [root] from [fe80::a2b5:3cff:fe8f:10be%eth0] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/11/30 06:33:24  support  User [support] from [fe80::a2b5:3cff:fe8f:10be%eth0] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/11/30 06:33:16  SYSTEM   User [root] from [fe80::a2b5:3cff:fe8f:10be%eth0] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/11/30 06:32:13  SYSTEM   User [root] from [fe80::a2b5:3cff:fe8f:10be%eth0] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/11/30 06:32:05  SYSTEM   User [root] from [fe80::a2b5:3cff:fe8f:10be%eth0] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/11/30 06:32:00  888888   User [888888] from [fe80::a2b5:3cff:fe8f:10be%eth0] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/11/30 06:30:53  SYSTEM   User [root] from [fe80::a2b5:3cff:fe8f:10be%eth0] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/11/30 06:30:47  admin    User [admin] from [fe80::a2b5:3cff:fe8f:10be%eth0] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/11/30 00:30:38  admin    User [admin] from [fe80::a2b5:3cff:fe8f:10be%eth0] failed to log in via [SSH] due to authorization failure.
Warning  Connection  2024/11/30 00:30:31  SYSTEM   User [root] from [fe80::a2b5:3cff:fe8f:10be%eth0] failed to log in via [SSH] due to authorization failure.
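An added example (not posted by anyone in this thread) that parses both log shapes seen here, the OpenSSH "Failed password" lines from davemacrae's Pi and the Synology "Connection" events above, counts failed logins per source and username, and flags sources that are the router's own addresses. The sample lines and the gateway set are constructed; in practice you would feed it /var/log/auth.log or the exported DSM log and your router's actual IPv4 and link-local IPv6 addresses.

```python
import re
from collections import defaultdict

# Constructed sample lines in the two formats seen in this thread:
# OpenSSH syslog lines (the Pi) and Synology DSM "Connection" log events.
SAMPLE_LINES = """\
Dec 27 09:45:27 pizw sshd[32415]: Failed password for invalid user Recorder from 192.168.1.1 port 54310 ssh2
Dec 27 09:46:33 pizw sshd[32434]: Failed password for invalid user admin from 192.168.1.1 port 54326 ssh2
Dec 27 09:48:52 pizw sshd[32480]: Failed password for invalid user 101 from 192.168.1.1 port 54366 ssh2
Dec 27 10:02:11 pizw sshd[32511]: Failed password for dave from 192.168.1.50 port 50122 ssh2
User [root] from [192.168.0.1] failed to log in via [SSH] due to authorization failure.
User [admin] from [192.168.0.1] failed to log in via [SSH] due to authorization failure.
User [666666] from [fe80::a2b5:3cff:fe8f:10be%eth0] failed to log in via [SSH] due to authorization failure.
"""

# "invalid user" is only present when the account does not exist on the host.
OPENSSH_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
SYNOLOGY_RE = re.compile(
    r"User \[(?P<user>[^\]]+)\] from \[(?P<src>[^\]]+)\] failed to log in via \[SSH\]"
)


def parse_failed_logins(text):
    """Return {source: {username: count}} for every failed SSH login line."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        m = OPENSSH_RE.search(line) or SYNOLOGY_RE.search(line)
        if m:
            hits[m["src"]][m["user"]] += 1
    return hits


def flag_gateway_sources(hits, gateways, threshold=3):
    """List (source, total, usernames) for sources that are a gateway address
    (IPv4 or link-local IPv6) with at least `threshold` failures. Failures from
    the router itself are the ones worth raising with the ISP; a single failed
    login from an ordinary LAN host is usually just a typo."""
    flagged = []
    for src, users in hits.items():
        host = src.split("%")[0]  # drop the %eth0 zone index on link-local IPv6
        total = sum(users.values())
        if host in gateways and total >= threshold:
            flagged.append((src, total, sorted(users)))
    return sorted(flagged)
```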

CrimsonLiar
16: Advanced member

Just as a thought.  I wonder if you were to set up the RPi as the DHCP server (the router is still the gateway) it might help.  Otherwise, I would have gone down pretty much every route that @Cynric would have done.