IP from China attempting to login as root

Discussion in 'Tomato Firmware' started by bripab007, Jan 14, 2014.

  1. bripab007

    bripab007 Network Guru Member

While checking my logs yesterday, I noticed an IP tried ~240 times to log in to my router's web interface as root: authpriv.warn dropbear[1703]: Bad password attempt for 'root' from

    A Whois on the IP said it was from China. I only use HTTPS for remote access, and it's only accessible on port 8080 (maybe I should set that to a port that's even less common).

    I check my logs pretty regularly, and to my knowledge, I've never had this happen until now. I suppose I'm posting this as both a warning to others as well as to see if anyone else has had this happen.
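    The kind of check the OP does by hand, written as a small script (an added example, not code from this thread or from Tomato): it parses dropbear's "Bad password attempt" lines, counts failures per source IP, records which usernames were tried and how many distinct source ports appeared (the changing port seen in the OP's log), and flags any source above a threshold. The log lines below are constructed, using documentation addresses, and the threshold value is an assumption.

```python
"""Summarise dropbear 'Bad password attempt' log lines per source IP."""
import re
from collections import defaultdict

# Dropbear logs the peer as "IP:port" after "from"; the user name sits in quotes.
BAD_PW = re.compile(
    r"dropbear\[\d+\]: Bad password attempt for '(?P<user>[^']+)' from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
)


def summarise(lines):
    """Return {ip: {"attempts": n, "users": set(), "ports": set()}} for every
    source that produced at least one failed password attempt."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "ports": set()})
    for line in lines:
        m = BAD_PW.search(line)
        if not m:
            continue  # not a failed-password line (connect/exit messages etc.)
        entry = stats[m["ip"]]
        entry["attempts"] += 1
        entry["users"].add(m["user"])
        entry["ports"].add(int(m["port"]))
    return dict(stats)


def flag_bruteforce(stats, threshold=10):
    """Return the source IPs with at least `threshold` failures, worst first.
    The threshold is an assumed value; tune it to your own log volume."""
    noisy = [ip for ip, s in stats.items() if s["attempts"] >= threshold]
    return sorted(noisy, key=lambda ip: -stats[ip]["attempts"])


# Constructed sample log (not the OP's real log). 203.0.113.7 and 198.51.100.9
# are documentation addresses; the source port changes on every attempt, as it
# would for a client opening a fresh TCP connection each time.
SAMPLE_LOG = [
    "Jan 13 03:12:01 authpriv.warn dropbear[1703]: "
    "Bad password attempt for 'root' from 203.0.113.7:%d" % port
    for port in range(4441, 4453)
] + [
    "Jan 13 03:15:40 authpriv.warn dropbear[1703]: "
    "Bad password attempt for 'admin' from 203.0.113.7:4460",
    "Jan 13 08:02:11 authpriv.info dropbear[1712]: "
    "Child connection from 198.51.100.9:51022",
    "Jan 13 08:02:14 authpriv.warn dropbear[1712]: "
    "Bad password attempt for 'root' from 198.51.100.9:51022",
]

if __name__ == "__main__":
    stats = summarise(SAMPLE_LOG)
    for ip in flag_bruteforce(stats):
        s = stats[ip]
        print("%s: %d failures, users %s, %d distinct source ports"
              % (ip, s["attempts"], sorted(s["users"]), len(s["ports"])))
```

    Run it against the output of `logread` (or a saved syslog) to get the same "which IP, how many times, which accounts" view the OP pieced together manually; a source with many failures and many distinct ports is a single host retrying, not many separate clients.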
  2. jerrm

    jerrm Network Guru Member

    Pretty routine hack attempt. Look at using one of the geoip blocking options.


    That log entry is from SSH, not the web interface. If you don't use SSH remotely, then disable SSH remote access.
  3. shibby20

    shibby20 Network Guru Member

    Administration -> Admin Access -> Admin Restrictions -> Limit Connection Attempts SSH

    that's all.
  4. bripab007

    bripab007 Network Guru Member

    Oh! I completely forgot that dropbear = SSH service. Duh.

    So, by "routine," are you saying you've experienced this before? I've been running Tomato and DD-WRT for probably ten years and never noticed something this blatant.

    And, shibby, thanks for that configuration tip. Never noticed that login limits setting.
  5. gfunkdave

    gfunkdave LI Guru Member

    Yes, it happens all the time. I disable all remote web access and only do SSH with a public key pair. If I want to access the router remotely, I tunnel plain http through the SSH connection.
  6. koitsu

    koitsu Network Guru Member

    Welcome to how the Internet has been behaving since at least 2001. Random Internet IPs (doesn't matter what country) -- usually of compromised machines -- are constantly portscanning the entire Internet. Changing the port doesn't solve the problem either (in case you're considering doing that), since there are people who have distributed portscanners (think DDoS but instead of saturating a connection, all the clients are scanning small port ranges, ex. each system scans 100 ports. 65535/100 = 655 compromised systems needed).

    Using things like "geoip" isn't helpful because IPv4 space is getting adjusted all the time. ARIN announces changes regularly these days.

    The only real solution is what those of us who have been doing firewalling since the 90s have done: for inbound traffic block everything, allowing only certain IPs/netblocks through which you deem safe/acceptable. It's the only thing that works while requiring no effort on your part.

    If you roam (e.g. travel a lot, use different ISPs all over your country, etc.) then you're going to have to implement other methods which I won't go into here (ex. port knocking). TCP/IP was never invented with these kinds of problems in mind, sorry to say.
  7. bripab007

    bripab007 Network Guru Member

    Yeah, I figured it was some sort of bot since it was originating from several different ports at that IP simultaneously or near-simultaneously. With a strong password and connection attempt limiting, there's essentially no way they'd be able to brute-force in my lifetime.
  8. koitsu

    koitsu Network Guru Member


    Just an educational comment: the source port changing is normal (ex. the 4441 part of your initial post). TCP stacks are supposed to randomise or semi-randomise port allocation for applications which open a socket. This is technically called an "ephemeral port". My point was that the source IP may vary for the reasons I outlined previously.