Community home

davemacrae · ‎27-12-2024

I've been noticing an increased number of invalid ssh login attempts to some, but not all, of the devices in my network:

For example:

Dec 27 09:45:27 pizw sshd[32415]: Failed password for invalid user Recorder from 192.168.1.1 port 54310 ssh2
Dec 27 09:46:29 pizw sshd[32432]: Failed password for invalid user Recorder from 192.168.1.1 port 54324 ssh2
Dec 27 09:46:33 pizw sshd[32434]: Failed password for invalid user admin from 192.168.1.1 port 54326 ssh2
Dec 27 09:46:37 pizw sshd[32443]: Failed password for invalid user admin from 192.168.1.1 port 54328 ssh2
Dec 27 09:47:40 pizw sshd[32452]: Failed password for invalid user admin from 192.168.1.1 port 54348 ssh2
Dec 27 09:47:44 pizw sshd[32454]: Failed password for invalid user admin from 192.168.1.1 port 54350 ssh2
Dec 27 09:47:48 pizw sshd[32463]: Failed password for invalid user nzbget from 192.168.1.1 port 54352 ssh2
Dec 27 09:48:52 pizw sshd[32480]: Failed password for invalid user 101 from 192.168.1.1 port 54366 ssh2

Are these being generated by my router?

chistery · ‎28-12-2024

Is your router source natting connections from the internet?

davemacrae · ‎28-12-2024

Nope

davemacrae · ‎28-12-2024

@Cynric I've just unplugged the router from the internet (and powered off the 4g backup) and there was attempted access. Definitely looks it's router itself that's the source of the "attack".

Cynric · ‎28-12-2024

@davemacrae That is odd. I think it will have to be a factory reset if you're quite sure that it is the router.

davemacrae · ‎28-12-2024

Resetting the router would be annoying. I think I'll wait until a Vodafone rep responds first.

I set up a SSH honeytrap to see what happens if a login attempt succeeds but no commands get issued and stops after each successful login attempt (honeytrap allows any combination of username/password).

I suspect that it's something to do with SecureNet but can't be sure.

Cynric · ‎28-12-2024

@davemacrae This is really odd. I can only think of things like someone has a remote logon to the router, after all there's a lot of stories going around that TP-LINK routers are risky, or perhaps there's something on that Pi that's wrong. But that first log just looks like a brute force attack rolling the port numbers. What port number is the Pi ssh2 listening to, the usual 22? If your Pi has a browser it may be worth going to the GRC site and running the Shields Up test just to see if it is leaking.

davemacrae · ‎28-12-2024

Sorry, but I think you have the wrong end of the stick here.

The router is the standard Vodafone supplied one, nor a TP-Link one.

The log entries are all hitting the normal SSH port, 22, on the Pi. No other ports are open to be hit. The second port you see is just the response port, nothing unusual.

It's not a brute force attack, more one using known dumb passwords like root/none, root/password, root/admin.

The Pi is not internet facing (nothing on my internal network is) so GRC won't show anything but an nmap check shows only 22 open.

My money is still on Vodafone trying to be "helpful" trying to find something mis-configured or default passwords being left set.

Cynric · ‎28-12-2024

@davemacrae But you have uPNP on, so anyone can try to connect, see "CallStranger" flaw. I suspected brute force because of the rolling port number in the log. I gave up on the VF router ages ago, so I can't comment on what they have done under the guise of "being helpful". I was using TP-LINK as an example because they are being accused of leaving backdoors in their firmware.

davemacrae · ‎28-12-2024

Upnp is, and always has been, disabled in the router config.

Cynric · ‎28-12-2024

@davemacrae But you are letting devices make uPNP handshakes. There are 7 open CVEs for the E4200 that have not been patched, one has a score of 10.0 and another 9.8. The top one is a bug opening ports to unauthenticated access. The other six are not nice either.

"49152/tcp open upnp Cisco-Linksys E4200 WAP "

Community home

Is my router scanning my internal network?