Abnormal login attempts


noric

Senior Member
I've found this in the router's log.
I'll need to investigate what's going on on that client (192.168.1.44), but wouldn't it be wise to prevent login attempts from a specific client after such client failed a few times? Other routers do that after 5 times, while here I have 75 login attempts in two seconds.


Code:
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 5 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 10 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 10 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 10 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 10 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 10 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 10 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 10 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 10 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 10 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 10 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 10 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 15 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 20 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 20 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 20 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 20 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 20 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 20 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 20 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 20 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 20 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 20 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 20 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 25 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 30 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 30 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 30 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 30 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 30 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 30 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 30 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 30 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 30 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 30 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 30 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 35 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 40 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 40 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 40 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 40 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 40 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 40 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 40 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 40 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 40 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 40 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 40 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 45 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 50 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 50 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 50 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 50 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 50 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 50 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 50 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 50 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 50 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 50 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 50 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 55 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 60 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 60 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 60 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 60 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 60 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 60 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 60 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 60 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 60 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 60 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 60 times. The newest one was from 192.168.1.44.
Mar 19 18:50:36 HTTP login: Detect abnormal logins at 65 times. The newest one was from 192.168.1.44.
Mar 19 18:50:36 HTTP login: Detect abnormal logins at 70 times. The newest one was from 192.168.1.44.
Mar 19 18:50:36 HTTP login: Detect abnormal logins at 70 times. The newest one was from 192.168.1.44.
Mar 19 18:50:36 HTTP login: Detect abnormal logins at 70 times. The newest one was from 192.168.1.44.
Mar 19 18:50:36 HTTP login: Detect abnormal logins at 70 times. The newest one was from 192.168.1.44.
Mar 19 18:50:36 HTTP login: Detect abnormal logins at 70 times. The newest one was from 192.168.1.44.
Mar 19 18:50:36 HTTP login: Detect abnormal logins at 70 times. The newest one was from 192.168.1.44.
Mar 19 18:50:36 HTTP login: Detect abnormal logins at 70 times. The newest one was from 192.168.1.44.
Mar 19 18:50:36 HTTP login: Detect abnormal logins at 75 times. The newest one was from 192.168.1.44.
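Added example, not code from the thread or the router firmware: a small Python log analyser for the two "HTTP login:" message formats quoted in this thread. It reports each source's peak attempt count and burst length, flags sources over the 5-attempt limit discussed later in the thread, and checks whether a successful login from the same source followed the burst. The log lines in it are constructed, and the 192.168.1.10 desktop address is assumed.

```python
import re
from datetime import datetime

# Message formats as quoted in this thread (syslog lines carry no year).
ABNORMAL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) HTTP login: Detect abnormal logins at "
    r"(?P<count>\d+) times\. The newest one was from (?P<ip>[\d.]+)\.$")
SUCCESS_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) HTTP login: login '(?P<user>[^']+)' "
    r"successful from (?P<ip>[\d.]+)")

# Constructed sample: a burst like the one in the first post from 192.168.1.44,
# plus an assumed admin desktop (192.168.1.10) with a few mistyped passwords
# followed by a successful login.
SAMPLE_LOG = """\
Mar 19 18:40:02 HTTP login: Detect abnormal logins at 5 times. The newest one was from 192.168.1.10.
Mar 19 18:40:31 HTTP login: login 'admin' successful from 192.168.1.10
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 5 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 10 times. The newest one was from 192.168.1.44.
Mar 19 18:50:35 HTTP login: Detect abnormal logins at 10 times. The newest one was from 192.168.1.44.
Mar 19 18:50:36 HTTP login: Detect abnormal logins at 70 times. The newest one was from 192.168.1.44.
Mar 19 18:50:36 HTTP login: Detect abnormal logins at 75 times. The newest one was from 192.168.1.44.
""".splitlines()

def _ts(text):
    # No year in the log: strptime defaults to 1900, which is fine for differences.
    return datetime.strptime(text, "%b %d %H:%M:%S")

def summarize(lines):
    """Per source IP: peak reported count, burst start/end, and the user of a
    successful login from that IP after the burst began (None if there was none)."""
    report = {}
    for line in lines:
        m = ABNORMAL_RE.match(line)
        if m:
            ts, count = _ts(m["ts"]), int(m["count"])
            e = report.setdefault(m["ip"], {"max_count": 0, "first": ts,
                                            "last": ts, "success_after": None})
            e["max_count"] = max(e["max_count"], count)
            e["first"], e["last"] = min(e["first"], ts), max(e["last"], ts)
            continue
        m = SUCCESS_RE.match(line)
        if m and m["ip"] in report and _ts(m["ts"]) >= report[m["ip"]]["first"]:
            report[m["ip"]]["success_after"] = m["user"]
    return report

def flag_sources(lines, max_attempts=5):
    """Sources whose peak count exceeds max_attempts, with burst length in seconds
    so the rate is visible, and the user of any successful login after the burst."""
    return {ip: (e["max_count"], (e["last"] - e["first"]).total_seconds(),
                 e["success_after"])
            for ip, e in summarize(lines).items() if e["max_count"] > max_attempts}

if __name__ == "__main__":
    for ip, (count, span, user) in flag_sources(SAMPLE_LOG).items():
        print(f"{ip}: {count} attempts in {span:.0f}s, success after burst: {user}")
```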
 
I've found this in the router's log.
I'll need to investigate what's going on on that client (192.168.1.44),

This happened to me too just last week. Since I am using John's fork, I also saw that it was testing a series of standard router accounts and in the same time period there were IPv6 connection attempts from outside. What I found was my virus checker had a new feature to test the "Home network security" (which was enabled by default). So check the settings on your virus checker.
 
Yes, AVAST antivirus has this feature :)
 
I'll check Avast, as soon as the client comes home (it's a notebook). But I think it has an older version of Avast.

How did you guys see which login credentials this bot/Avast tried? Also, I don't see any connection attempt from outside: should they be logged by the router?
Thanks
 
Hi, you can read here: https://blog.avast.com/2014/11/04/avast-2015-new-feature-home-network-security-scanning/

  1. Your wireless network is not secure due to lack of encryption. Thus, anybody in range, like your neighbor, can connect to your Wi-Fi to use the bandwidth and access your other devices (printer, network disk, etc.).
  2. Your network router is accessible from the internet, so hackers can access the router and modify your network settings, even disabling the internet connection or stealing your personal data.
  3. Your router is vulnerable to hacker attacks, i.e., hackers can easily read your router settings, get access to the router, and modify it. Your personal data might be at risk.
  4. Your internet connection is compromised and your router could be hijacked. Your router is already hacked (i.e., some well-known sites are re-directed to fake IPs).
  5. Devices on your network are accessible from the internet. This happens when Internet Protocol version 6 (IPv6) is enabled on the router and the devices get IPv6 addresses that are not firewalled. The problem is not primarily in the protocol, but in the router, which is not able to secure the devices with these addresses.
 

Since I am using John's fork, I also saw that it was testing a series of standard router accounts

The logging of router login/logout events is an added feature of my 374.43 fork....
 
@noric

Since you can recreate the excessive attempts....can you test this by entering the following via telnet/ssh and see if it limits the login attempts (this should limit to 5 attempts in 5 minutes). If you changed your router address, change the 192.168.1.1 to your address.

Code:
iptables -A INPUT -p tcp -d 192.168.1.1 --dport 80 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp -d 192.168.1.1 --dport 80 -m state --state NEW -m recent --update --seconds 300 --hitcount 5 -j DROP
 
Wow, thank you very much John! I can't test it right now, because the laptop with Avast will be back tomorrow I think. But I'll let you know as soon as I can test it.
Let's hope it was Avast, in the first place. I still don't know it.
 
Thanks....not sure it will work...may need some 'tweaking' :)
 
@noric

Since you can recreate the excessive attempts....can you test this by entering the following via telnet/ssh and see if it limits the login attempts (this should limit to 5 attempts in 5 minutes).
If you changed your router address, change the 192.168.1.1 to your address.

Failed. Only the first few got accepted, but I could not log in after. Will try again in 5 minutes.

Waited over 5 minutes, but still cannot log in. I get this message in the log file:
" HTTP login: login 'admin' successful from xxx" but I am not...
Thinking about this, I suspect that each connection is counted, not just the login part. So as the page is formed, the count is exceeded.

I deleted the part about the IP address since the rule is in the INPUT chain, so it gets all my addresses.
Had to change port 80 to the port I use for the HTTPS.
Made them inserts behind the first two rules for performance.

Code:
iptables -I INPUT 3 -p tcp --dport 80 -m state --state NEW -m recent --set
iptables -I INPUT 4 -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 300 --hitcount 5 -j DROP
 
Not working, updated my post above.
After deleting these new rules, back to normal
Back to the drawing board.....:(

Actually I was thinking that the --state NEW would handle the case you were concerned about in navigating pages after logging in.
 
Just to follow up....I did some more testing last evening and it looks like each frame in the gui is opened as a NEW connection, so an iptables solution won't work. Any blocking will have to be done in the firmware.
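Added example, not John's code: a simplified Python model of the `-m recent --set` / `--update --seconds 300 --hitcount 5` rule pair applied to NEW connections, used to show why it locks out a legitimate GUI session. A page load that opens several frames, each as its own NEW connection, reaches the hit count with no failed login at all, and a source that keeps connecting never ages out of the list. The per-page frame count, the connection timing and the client addresses are assumptions.

```python
from collections import defaultdict

WINDOW_SECONDS = 300  # --seconds 300
HITCOUNT = 5          # --hitcount 5

def simulate_recent(connections, window=WINDOW_SECONDS, hitcount=HITCOUNT):
    """Simplified model (an assumption, not the kernel's xt_recent code) of
         -m state --state NEW -m recent --set
         -m state --state NEW -m recent --update --seconds W --hitcount N -j DROP
    connections: list of (time_in_seconds, src_ip, label), one per NEW connection.
    Returns [(label, "ACCEPT" | "DROP"), ...].
    --set stamps every NEW connection, so the current one counts toward N; when
    --update matches it stamps again, so a source that keeps connecting stays
    locked out past W (the 'waited over 5 minutes, still cannot login' symptom)."""
    stamps = defaultdict(list)
    verdicts = []
    for t, src, label in connections:
        stamps[src].append(t)                              # --set
        recent = [s for s in stamps[src] if t - s <= window]
        if len(recent) >= hitcount:                        # --update matched
            stamps[src].append(t)
            verdicts.append((label, "DROP"))
        else:
            verdicts.append((label, "ACCEPT"))
    return verdicts

def gui_page_load(t0, src, frames):
    """Assumed shape of one GUI page load: each frame opens its own NEW
    connection (John's finding), a few tens of milliseconds apart."""
    return [(t0 + i * 0.05, src, f"frame{i + 1}") for i in range(frames)]

def login_attempts(t0, src, n, gap=2 / 75):
    """n login connections spread over n*gap seconds (75 in 2 s, as in the log)."""
    return [(t0 + i * gap, src, f"attempt{i + 1}") for i in range(n)]

def dropped(verdicts):
    return [label for label, v in verdicts if v == "DROP"]

if __name__ == "__main__":
    burst = simulate_recent(login_attempts(0.0, "192.168.1.44", 75))
    print("burst: dropped", len(dropped(burst)), "of", len(burst))
    page = simulate_recent(gui_page_load(0.0, "192.168.1.10", 6))
    print("one page load of 6 frames, no failed login:", dropped(page))
```

In this model the fifth NEW connection inside the window is already dropped, because --set counts it before --update checks, so the rule allows four connections, not five logins.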
 
Just to follow up....I did some more testing last evening and it looks like each frame in the gui is opened as a NEW connection, so an iptables solution won't work. Any blocking will have to be done in the firmware.
Sad news... :(
Thanks for your efforts, John.
 
What I found was my virus checker had a new feature to test the "Home network security" (which was enabled by default).
The client does have Avast 2015 installed. I've tried to test "Home network security" a few times, but it never gave me those "Detect abnormal logins" in the router's log. Instead, it gave me "Maximum number of concurrent DNS queries reached (max: 150)", which I never saw before.

Are you able to replicate the "Detect abnormal logins" by testing "Home network security"?
Or maybe that message appears during Avast's realtime control, without manual testing?
Thanks.
 
The client does have Avast 2015 installed. I've tried to test "Home network security" a few times, but it never gave me those "Detect abnormal logins" in the router's log. Instead, it gave me "Maximum number of concurrent DNS queries reached (max: 150)", which I never saw before.

I don't get that DNS message, but I think it is controlled in the file /etc/dnsmasq.conf by the variable cache-size=1500 for me on John's fork.
Check your file, and see what that value is. You can change it on Merlin's or John's firmware with a dnsmasq.postconf script

Are you able to replicate the "Detect abnormal logins" by testing "Home network security"?
Or maybe that message appears during Avast's realtime control, without manual testing?
Thanks.

Yes, I see them in my log. I do a manual scan using Avast under scan, "scan for network threats" (note: in settings - tools - "Home network security" must be "On" to see this tool in the scan menu).
 
Just to follow up....I did some more testing last evening and it looks like each frame in the gui is opened as a NEW connection, so an iptables solution won't work. Any blocking will have to be done in the firmware.

Looks like the current best solution is to limit the GUI access to Specified IP addresses. I am fine with that.
 
I don't get that DNS message, but I think it is controlled in the file /etc/dnsmasq.conf by the variable cache-size=1500 for me on John's fork.
I have cache-size=1500 too, but I get that message every time I run Home Network Security. That's not really a problem, anyway.

Yes, I see them in my log. I do a manual scan using Avast under scan, "scan for network threats" (note: in settings - tools - "Home network security" must be "On" to see this tool in the scan menu).
What I was doing wrong is that I was logged into the web UI with my main desktop, so the other client running Home Network Security couldn't attempt to login. Now I've logged out on my desktop and I see "detect abnormal logins" as you see.
Thanks.

Looks like the current best solution is to limit the GUI access to Specified IP addresses. I am fine with that.
I did that too. Shame that Asus took away the feature, as Merlin said here.
 
I have cache-size=1500 too, but I get that message every time I run Home Network Security. That's not really a problem, anyway.

Looking for other possible limits I found this:
dns-forward-max=<queries>
Set the maximum number of concurrent DNS queries. The default value is 150, which should be fine for most setups. The only known situation where this needs to be increased is when using web-server log file resolvers, which can generate large numbers of concurrent queries.

I don't have that option in my config so it defaults to 150. I must be just under it and you're going over. Likely depending on how fast the queries are resolved. If you want to try a larger number (maybe 300) to prove this is the cause, put the option in the file
/jffs/configs/dnsmasq.conf.add
 