Menu
What's new
By:
Filters Better Search

Alarming syslogs

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Swistheater

Swistheater

Very Senior Member
so i do not have any remote access settings turned on and yet i see this in system logs
Code: 
httpd_login_lock: Detect abnormal logins at 5 times. The newest one was from 108.33.213.8 in login

why would this happen?
 
Turn off your logs or stop looking at them. Problem solved.

J/K I haven't seen anything like that in mind, but I hope you guys figure out what is caúsing it.
 
Last edited:
Swistheater said:
so i do not have any remote access settings turned on and yet i see this in system logs
Code: 
httpd_login_lock: Detect abnormal logins at 5 times. The newest one was from 108.33.213.8 in login

why would this happen?
Click to expand...

I think it’s a warning from Skynet, letting you know bad guys are sniffing around. Via SSH?
 
^^^ Rogue players are scanning for any and all ways (ports/services) to penetrate anything listening which is connected to the public facing internet. These routers are our front door and lock! That's why I often double-nat them. Get thru one, well buddy, there's another and it's got a different set of creds and in some cases I even use a different manufacturer.

I am a surprised that the httpd (WebGUI) would even be listening on the public/WAN side of the router when that check box is turned OFF in the setup... RMerlin may have to answer that one. That's the real?

SSHing into the router is a totally different port and service NOT connected with httpd... I think sshd would be reporting kicks to that port...

Only testing or looking at the code can say for sure. Gut says having this value off in Admin > Other would mean httpd is not listening on the WAN side of the router. I am unsure what "Enable Access Restrictions" does. But maybe it is listening and reporting those port scans... which seem risker than not listening at all!! In other words, the router should should be just dropping all those packets and scans when set to No and operating in "stealth" mode.

You really don't want to give the bad guys a reason to come back to your door b/c they know you have a httpd processes listening. Most commercial FW might log the scans but drop any and all responses.

upload_2019-6-6_1-43-15.png
 
Last edited:
Swistheater said:
so i do not have any remote access settings turned on and yet i see this in system logs
Code: 
httpd_login_lock: Detect abnormal logins at 5 times. The newest one was from 108.33.213.8 in login

why would this happen?
Click to expand...

Do I have to ask when was the last time a full reset to factory defaults was performed? :)
 
gattaca said:
I am a surprised that the httpd (WebGUI) would even be listening on the public/WAN side of the router when that check box is turned OFF in the setup... RMerlin may have to answer that one. That's the real?
Click to expand...

No, it doesn't.

Code: 
admin@stargate88ax:/tmp/home/root# netstat -tpln | grep http
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN      1104/httpd
tcp        0      0 192.168.10.1:80         0.0.0.0:*               LISTEN      1104/httpd
tcp        0      0 127.0.0.1:8443          0.0.0.0:*               LISTEN      1103/httpds
tcp        0      0 192.168.10.1:8443       0.0.0.0:*               LISTEN      1103/httpds
 
L&LD said:
Do I have to ask when was the last time a full reset to factory defaults was performed? :)
Click to expand...
about a week ago with settings put in properly.- I think this issue was caused by security cameras. I had a brief wan down event and i am sure the router tried to redirect all connections to router.asus.com and this most likely caused this issue, because the camera system connects through verizon as a cellular backup.
 
RMerlin said:
No, it doesn't.

Code: 
admin@stargate88ax:/tmp/home/root# netstat -tpln | grep http
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN      1104/httpd
tcp        0      0 192.168.10.1:80         0.0.0.0:*               LISTEN      1104/httpd
tcp        0      0 127.0.0.1:8443          0.0.0.0:*               LISTEN      1103/httpds
tcp        0      0 192.168.10.1:8443       0.0.0.0:*               LISTEN      1103/httpds
Click to expand...
yea and mine looks exactly like this. but mine is 192.168.1.1.
 
gattaca said:
^^^ Rogue players are scanning for any and all ways (ports/services) to penetrate anything listening which is connected to the public facing internet. These routers are our front door and lock! That's why I often double-nat them. Get thru one, well buddy, there's another and it's got a different set of creds and in some cases I even use a different manufacturer.

I am a surprised that the httpd (WebGUI) would even be listening on the public/WAN side of the router when that check box is turned OFF in the setup... RMerlin may have to answer that one. That's the real?

SSHing into the router is a totally different port and service NOT connected with httpd... I think sshd would be reporting kicks to that port...

Only testing or looking at the code can say for sure. Gut says having this value off in Admin > Other would mean httpd is not listening on the WAN side of the router. I am unsure what "Enable Access Restrictions" does. But maybe it is listening and reporting those port scans... which seem risker than not listening at all!! In other words, the router should should be just dropping all those packets and scans when set to No and operating in "stealth" mode.

You really don't want to give the bad guys a reason to come back to your door b/c they know you have a httpd processes listening. Most commercial FW might log the scans but drop any and all responses.

View attachment 18090
Click to expand...
yea this setting is disabled for me- and ssh can only be accessed lan side.
 
Treadler said:
I think it’s a warning from Skynet, letting you know bad guys are sniffing around. Via SSH?
Click to expand...
Not Skynet but the firmware built in protection mechanism.
 
^^^ So something IS listening on whatever port you have for httpd (80/443/8443...) and reporting someone is ringing the doorbell. Hmm.. IDK.
 
You must log in or register to reply here.

Similar threads

B
AiDisks under password guessing attack
Replies
4
Views
553
rquinn19
R
spacemanspiff
Getting a lot of Abnormal Login HTTP locks - Chrome issue?
Replies
0
Views
172
spacemanspiff
spacemanspiff
H
Need help. Is something trying to hack my network?
Replies
5
Views
1K
Crimliar
Crimliar
N
(Solved - Bad router) RT-AX88U node causes network instability (3004.388.7)
Replies
2
Views
320
nbjam
N
M
OpenVPN / site to site with special security/routing constraints
Replies
7
Views
382
elorimer
E

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 634 (members: 26, guests: 608)
Top