
child connection attempts when behind a VPN

Discussion in 'Tomato Firmware' started by Mowax, Dec 23, 2012.

  1. Mowax

    Mowax Serious Server Member

    Just wondering, noticed a few of these... this is like an attempt to connect to my router via SSH, no?

    I might kill it....

    Where do you report these again?

    Dec 23 21:27:01 tomato authpriv.info dropbear[3718]: Exit before auth (user 'root', 1 fails): Disconnect received
    Dec 23 21:27:01 tomato authpriv.info dropbear[3719]: Child connection from 85.214.222.253:45433
    Dec 23 21:27:02 tomato authpriv.info dropbear[3719]: Exit before auth (user 'root', 1 fails): Disconnect received
    Dec 23 21:27:02 tomato authpriv.info dropbear[3721]: Child connection from 85.214.222.253:45860
    Dec 23 21:27:03 tomato authpriv.info dropbear[3721]: Exit before auth (user 'root', 1 fails): Disconnect received
    Dec 23 21:27:03 tomato authpriv.info dropbear[3722]: Child connection from 85.214.222.253:46282
    Dec 23 21:27:04 tomato authpriv.info dropbear[3722]: Exit before auth (user 'root', 1 fails): Disconnect received
    Dec 23 21:27:04 tomato authpriv.info dropbear[3723]: Child connection from 85.214.222.253:46821
    Dec 23 21:27:05 tomato authpriv.info dropbear[3723]: Exit before auth (user 'root', 1 fails): Disconnect received
    Dec 23 21:27:08 tomato authpriv.info dropbear[3726]: Child connection from 85.214.222.253:47302
    Dec 23 21:27:09 tomato authpriv.info dropbear[3726]: Exit before auth (user 'root', 1 fails): Disconnect received

  2. koitsu

    koitsu Network Guru Member

    These are SSH attempts from a random Internet IP, attempting to log in as user root, and disconnecting when authentication fails.

    This happens constantly on the Internet, usually from European and Asian IP space. The machines are either compromised, backdoored, and/or are being used for nefarious purposes.

    There's nothing you can do about this with 100% accuracy. People who tell you to "block certain countries" then give you a bunch of firewall rules or scripts are short-sighted; ARIN is reallocating IPv4 blocks for many countries, so what country has what netblocks changes every few weeks.

    I would recommend disallowing SSH access into your router from the Internet -- or alternately, see about blocking inbound connections to port 22 and instead use another port (some people use port 2222, for example). There are examples how to do this in a different forum post, which is very long and convoluted so maybe start from the bottom.
     
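To see what koitsu describes at a glance rather than scrolling syslog, a small parser for the dropbear lines shown above can pair each "Child connection" with its "Exit before auth" line via the child PID and flag source IPs that rack up pre-auth failures quickly. This is an added example, not code from the thread or from Tomato; the sample log below is constructed in the same format (the 192.168.1.50 entries are made up), and the thresholds are arbitrary assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the syslog/dropbear format seen in the thread (not the poster's full log).
SAMPLE_LOG = """\
Dec 23 21:27:01 tomato authpriv.info dropbear[3719]: Child connection from 85.214.222.253:45433
Dec 23 21:27:02 tomato authpriv.info dropbear[3719]: Exit before auth (user 'root', 1 fails): Disconnect received
Dec 23 21:27:02 tomato authpriv.info dropbear[3721]: Child connection from 85.214.222.253:45860
Dec 23 21:27:03 tomato authpriv.info dropbear[3721]: Exit before auth (user 'root', 1 fails): Disconnect received
Dec 23 21:27:03 tomato authpriv.info dropbear[3722]: Child connection from 85.214.222.253:46282
Dec 23 21:27:04 tomato authpriv.info dropbear[3722]: Exit before auth (user 'root', 1 fails): Disconnect received
Dec 23 21:30:00 tomato authpriv.info dropbear[3730]: Child connection from 192.168.1.50:51000
Dec 23 21:30:05 tomato authpriv.info dropbear[3730]: Exit before auth (user 'admin', 2 fails): Disconnect received
"""

CHILD_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+ dropbear\[(\d+)\]: Child connection from ([\d.]+):\d+$")
EXIT_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+ dropbear\[(\d+)\]: Exit before auth \(user '([^']*)', (\d+) fails\)")

def parse_dropbear(log_text, year=2012):
    """Return {src_ip: {"fails", "users", "first", "last"}} for pre-auth failures.
    Syslog lines carry no year, so one is assumed; Child and Exit lines are joined on the child PID."""
    pid_to_ip = {}
    stats = defaultdict(lambda: {"fails": 0, "users": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        m = CHILD_RE.match(line)
        if m:
            pid_to_ip[m.group(2)] = m.group(3)
            continue
        m = EXIT_RE.match(line)
        if not m or m.group(2) not in pid_to_ip:
            continue  # Exit line with no matching Child line (e.g. log started mid-session)
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = pid_to_ip.pop(m.group(2))  # PIDs get reused, so consume the mapping
        s = stats[ip]
        s["fails"] += int(m.group(4))
        s["users"].add(m.group(3))
        s["first"] = s["first"] or ts
        s["last"] = ts
    return dict(stats)

def flag_bruteforce(stats, min_fails=3, window_sec=60):
    """Source IPs with at least min_fails pre-auth failures within window_sec seconds (assumed thresholds)."""
    return sorted(ip for ip, s in stats.items()
                  if s["fails"] >= min_fails and (s["last"] - s["first"]).total_seconds() <= window_sec)

if __name__ == "__main__":
    stats = parse_dropbear(SAMPLE_LOG)
    for ip in flag_bruteforce(stats):
        print(f"{ip}: {stats[ip]['fails']} failed logins as {sorted(stats[ip]['users'])}")
```

Feeding it the real syslog export gives a per-source count that makes koitsu's point concrete; the fix remains the one he gives (no SSH from the WAN, or a non-default port plus key-only auth), not per-IP blocking.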
  3. Mowax

    Mowax Serious Server Member

    Thanks for taking the time to explain, appreciated.

    I just noticed them in syslogger, which runs on a "revo"; it's a small stand-alone PC, and it was just pure chance that I'd fired it up for a look.

    This is the thing, it must have been when I disconnected the VPN that I am behind....

    I've been using the SSH so I could browse at work using my home network. Then just the other day I decided that I'd find a decent VPN, which is what I am now sat behind. So it was a bit of a shock that I saw the "child" connection attempts; I was trying to connect to my home network SSH via PuTTY and couldn't even get it to the log-in page.

    So had 1 x PuTTY connection from work to home and also now running a VPN to the net via "HMA" (Hide My Ass), but couldn't get the tunnel from work to home to work, and yet that spammer/hacker has.

    I'll have a read when I get a minute then, thanks for that, I'll disable the tunnel as well for now....

    I must admit that I noticed NO LOGS pretty much when I'm connected from behind the VPN; I thought Syslog Watcher Pro wasn't working! Had to re-check and check again.

    So had an SSH using PuTTY from work to home, which I will now disconnect until I've read about the ports.

    Now from home I'm sat behind a VPN to the net.


    Thanks
     
  4. gfunkdave

    gfunkdave LI Guru Member

    Like Koitsu said, it's someone trying to SSH into your router. Disable password auth and use a public key pair, and you won't need to worry about it. Or just switch to a different port. I used to use port 443 for a long time for this purpose.
     
  5. Mowax

    Mowax Serious Server Member

    Thanks a lot for that, I'll have a look into that, although as you say in the other thread that I have going, if I can connect and leave the VPN in place and use SSH from work to home then I won't need to worry about these. I think it might have only happened when I dropped the VPN connection, as Syslog Watcher hardly comes back with anything when connected.

    I followed this tut to make it here
     