SSH
Alexey Green, 2014-05-05 12:32:44

Attempts to guess passwords in SSH, OpenWRT

I was sitting around as usual when I suddenly felt like reading the router's system log, and found the following dropbear entries:

May  4 20:18:08 router authpriv.warn dropbear[14525]: Bad password attempt for 'root' from 113.108.211.131:50685
May  4 20:18:08 router authpriv.info dropbear[14525]: Exit before auth (user 'root', 1 fails): Disconnect received
May  4 20:18:09 router authpriv.info dropbear[14526]: Child connection from 113.108.211.131:50934
May  4 20:18:11 router authpriv.warn dropbear[14526]: Bad password attempt for 'root' from 113.108.211.131:50934
May  4 20:18:12 router authpriv.info dropbear[14526]: Exit before auth (user 'root', 1 fails): Disconnect received
May  4 20:18:12 router authpriv.info dropbear[14527]: Child connection from 113.108.211.131:51185
May  4 20:18:15 router authpriv.warn dropbear[14527]: Bad password attempt for 'root' from 113.108.211.131:51185
May  4 20:18:15 router authpriv.info dropbear[14527]: Exit before auth (user 'root', 1 fails): Disconnect received
May  4 20:18:16 router authpriv.info dropbear[14528]: Child connection from 113.108.211.131:51417
May  4 20:18:18 router authpriv.warn dropbear[14528]: Bad password attempt for 'root' from 113.108.211.131:51417
May  4 20:18:19 router authpriv.info dropbear[14528]: Exit before auth (user 'root', 1 fails): Disconnect received
May  4 20:18:19 router authpriv.info dropbear[14529]: Child connection from 113.108.211.131:51647

I realized that someone was trying to guess the password, so I checked the WHOIS of the IP address:
Chinese ... The question to the community is how to stop this, given that I need external access via ssh.
P.S. The password is thermonuclear; it is unlikely that they will guess it, but it still worries me.


3 answer(s)
Vit, 2014-05-05
@lexforceterror

1. Prohibit ssh login as root.
2. Move ssh to a port other than 22.
3. Remove authorization by password; use authorization by keys.

Stanislav Somov, 2014-10-02
@DarkDemon

Fail2ban and a slightly complicated password)) will make life difficult for the Chinese.
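
The counting that a tool such as Fail2ban performs, shown here as an added example that is not part of the original answer: it flags every source with at least maxretry failed password attempts inside a findtime window, run over constructed log lines in the dropbear format from the question. The function name `flagged_sources`, the sample addresses and the thresholds are assumptions for illustration.

```shell
#!/bin/sh
# Added example: maxretry/findtime counting applied to dropbear syslog lines.

# Constructed sample in the log format from the question (documentation-range IPs).
sample_log() {
cat <<'EOF'
May  4 20:18:08 router authpriv.warn dropbear[14525]: Bad password attempt for 'root' from 203.0.113.7:50685
May  4 20:18:09 router authpriv.info dropbear[14526]: Child connection from 203.0.113.7:50934
May  4 20:18:11 router authpriv.warn dropbear[14526]: Bad password attempt for 'root' from 203.0.113.7:50934
May  4 20:18:15 router authpriv.warn dropbear[14527]: Bad password attempt for 'root' from 203.0.113.7:51185
May  4 20:18:18 router authpriv.warn dropbear[14528]: Bad password attempt for 'root' from 203.0.113.7:51417
May  4 20:30:00 router authpriv.warn dropbear[14601]: Bad password attempt for 'admin' from 198.51.100.20:40000
May  4 21:45:00 router authpriv.warn dropbear[14655]: Bad password attempt for 'admin' from 198.51.100.20:40111
May  4 23:10:00 router authpriv.warn dropbear[14702]: Bad password attempt for 'admin' from 198.51.100.20:40222
EOF
}

# flagged_sources MAXRETRY FINDTIME
# Reads syslog lines on stdin and prints every source address that produced
# at least MAXRETRY failed password attempts within FINDTIME seconds.
# Assumption: all lines fall in the same month (syslog lines carry no year).
flagged_sources() {
    awk -v maxretry="$1" -v findtime="$2" '
        /dropbear\[[0-9]+\]: Bad password attempt for / {
            split($3, t, ":")
            now = $2 * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
            src = $NF                   # last field is "address:port"
            sub(/:[0-9]+$/, "", src)    # drop the source port
            n = ++count[src]
            seen[src, n] = now
            if (!(src in first)) first[src] = 1
            # Slide the window start past attempts older than findtime.
            while (now - seen[src, first[src]] > findtime) first[src]++
            if (n - first[src] + 1 >= maxretry) flagged[src] = 1
        }
        END { for (ip in flagged) print ip }
    ' | LC_ALL=C sort
}

sample_log | flagged_sources 3 60
```

The source is taken from the last field of the line, so a user name containing spaces or a fake "from" string cannot shift the parsed address.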

abcdeiko, 2014-08-16
@abcdeiko

MAC address filtering??
If you have a home router and you want access only from your local network, then write a rule in iptables that allows access only from your internal network.
To disable access to ssh from the external network:
iptables -A INPUT -i eth0 -p tcp --destination-port 22 -j DROP
where eth0 is the interface that faces the "world".
You can also change the port on which ssh runs; to do this, edit the file /etc/config/dropbear:
config dropbear
    option Port '555'
where 555 is the new port on which ssh will listen.
Save and reboot your router.
