Chinese IP in System Log


cfdenice

Occasional Visitor
I found the following 3 lines in my system log:

Apr 27 16:50:18 dropbear[1424]: Child connection from 111.160.201.202:16962
Apr 27 16:50:21 dropbear[1424]: Login attempt for nonexistent user from 111.160.201.202:16962
Apr 27 16:50:22 dropbear[1424]: Exit before auth: Disconnect received

These lines repeat over and over hundreds of times in the System Log without interruption for almost 40 minutes. The IP 111.160.201.202 appears to be from China. This doesn't seem right to me. Is there a problem here? :confused:
 

Welcome to the Internet in 2013. This is perfectly normal. Plenty of worms will try to scan IP ranges until they find one with a known service (such as SSH). Then, the worm will try to exploit known security issues, or known weak logins (such as root/root, admin/password, etc.) in the hope of being able to log in. And once they do... your server/router/whatever can be used to install malware, try to sniff passwords, relay spam from your IP, and so on.
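As an added example (my own code, not the poster's or the forum's), the script below reads dropbear log lines of the kind quoted above, counts connections and failed logins per source address and flags any source whose failures reach a threshold. The sample log is constructed for the example from the three lines in the post: the extra PIDs, ports, the 'root' and 'admin' attempts and the 192.168.1.10 address are made up. The year is an assumption supplied by the caller, because syslog timestamps carry none.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (added example). The first three lines mirror the post;
# the rest are invented to show a repeat, a password guess and a LAN login.
SAMPLE_LOG = """\
Apr 27 16:50:18 dropbear[1424]: Child connection from 111.160.201.202:16962
Apr 27 16:50:21 dropbear[1424]: Login attempt for nonexistent user from 111.160.201.202:16962
Apr 27 16:50:22 dropbear[1424]: Exit before auth: Disconnect received
Apr 27 16:50:25 dropbear[1431]: Child connection from 111.160.201.202:17010
Apr 27 16:50:27 dropbear[1431]: Login attempt for nonexistent user from 111.160.201.202:17010
Apr 27 16:50:28 dropbear[1431]: Exit before auth: Disconnect received
Apr 27 16:50:31 dropbear[1440]: Child connection from 111.160.201.202:17055
Apr 27 16:50:33 dropbear[1440]: Bad password attempt for 'root' from 111.160.201.202:17055
Apr 27 16:50:34 dropbear[1440]: Exit before auth: Disconnect received
Apr 27 16:51:02 dropbear[1452]: Child connection from 192.168.1.10:51234
Apr 27 16:51:05 dropbear[1452]: Password auth succeeded for 'admin' from 192.168.1.10:51234
"""

# syslog prefix: "Mon DD HH:MM:SS dropbear[pid]: message"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) dropbear\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONN_RE = re.compile(r"^Child connection from (?P<ip>[\d.]+):\d+$")
# the two dropbear messages that mean a login was tried and refused
FAIL_RE = re.compile(
    r"^(?:Login attempt for nonexistent user|Bad password attempt for '(?P<user>[^']*)')"
    r" from (?P<ip>[\d.]+):\d+$"
)


def parse_events(log_text, year=2013):
    """Yield (timestamp, ip, kind, user) with kind 'connect' or 'fail'.
    The year is assumed: syslog lines do not record it."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        msg = m.group("msg")
        c = CONN_RE.match(msg)
        if c:
            yield ts, c.group("ip"), "connect", None
            continue
        f = FAIL_RE.match(msg)
        if f:
            yield ts, f.group("ip"), "fail", f.group("user") or "<nonexistent>"


def summarize(log_text, year=2013, threshold=3):
    """Group events by source IP; flag sources with >= threshold failed logins."""
    by_ip = defaultdict(list)
    for ts, ip, kind, user in parse_events(log_text, year):
        by_ip[ip].append((ts, kind, user))
    report = {}
    for ip, events in by_ip.items():
        fails = [(t, u) for t, k, u in events if k == "fail"]
        times = [t for t, _ in fails]
        report[ip] = {
            "connections": sum(1 for _, k, _ in events if k == "connect"),
            "attempts": len(fails),
            # seconds between the first and last failed login from this source
            "span_seconds": int((max(times) - min(times)).total_seconds()) if times else 0,
            "users": sorted({u for _, u in fails}),
            # a public address guessing logins is the case the post is about
            "external": ipaddress.ip_address(ip).is_global,
            "flagged": len(fails) >= threshold,
        }
    return report


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
```

On the sample, 111.160.201.202 shows three connections, three failed logins in 12 seconds against a nonexistent user and 'root', and is flagged; the LAN address has one connection, no failures and is not. Feed it the real log and raise the threshold to taste.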
 
This is why ACLs exist on routers. Block the IP or IP class of your choice. I do it all the time.
 

Can you talk more about this, and provide some examples of what IPs or classes you ban?

Do you ban overseas stuff? Just curious, and maybe looking for suggestions for the community.
 


On my AC66U I enabled ipsets and have blocked all of China and some subnets of other countries.

From the WAN on my setup you can't SSH to the router, but you can SSH to a single machine.

Search for ipset and/or BlockedCountries here; you should be able to find examples of the setup.

A good place for blocklists is https://www.countryipblocks.net

(They charge for them, but you can get an older one for free if you poke around a bit.)
 
If you use Asuswrt-Merlin, beginning with version 3.0.0.4.354.28 Beta 1 SSH brute-force protection is available. It needs to be selected on the Administration - System web UI page. When enabled, if more than 3 SSH connection attempts from a single IP occur within a minute, the IP address will be blocked.

The same thing can be achieved on earlier versions by adding the following to your firewall-start script.

Code:
# load the "recent" match module the rules below depend on
insmod xt_recent
# a dedicated chain for SSH brute-force protection
iptables -N SSHBFP
# every NEW TCP connection to port 22 arriving on eth0 (the WAN-side interface) goes through it
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j SSHBFP
# record the source address (and this attempt) in the SSH list
iptables -A SSHBFP -m recent --set --name SSH --rsource
# drop when this source has now been seen 4 or more times within the last 60 seconds
iptables -A SSHBFP -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j DROP
# otherwise let the connection through to dropbear
iptables -A SSHBFP -j ACCEPT
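To see what those rules do to a stream of connections, here is an added Python model (my own code, not the firmware's or the poster's) of the -m recent bookkeeping behind them: --set records the packet's time against the source address, and --update --seconds 60 --hitcount 4 matches when the source has at least four recorded times within the last 60 seconds and, on a match, records the packet again. The model is a simplification I am assuming, not the kernel module itself: one table, per-source entries keeping the last 20 times (the module's default list length), integer seconds. The connection timelines are constructed.

```python
from collections import defaultdict, deque


class RecentList:
    """Simplified model of one xt_recent table (assumption, not kernel code).
    Each source keeps the times of the last `max_stamps` packets that touched it."""

    def __init__(self, max_stamps=20):
        self.stamps = defaultdict(lambda: deque(maxlen=max_stamps))

    def set(self, ip, now):
        # "-m recent --set": record this packet unconditionally
        self.stamps[ip].append(now)

    def update(self, ip, now, seconds, hitcount):
        # "-m recent --update --seconds S --hitcount N": match when the source has
        # been recorded at least N times in the last S seconds; on a match the
        # packet is recorded too, so a host that keeps hammering keeps matching.
        if ip not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[ip] if now - t <= seconds)
        if hits >= hitcount:
            self.stamps[ip].append(now)
            return True
        return False


def ssh_bfp(connection_times, seconds=60, hitcount=4, ip="111.160.201.202"):
    """Run the SSHBFP chain over NEW connections from one source.
    connection_times are seconds since some origin; returns one verdict per connection."""
    table = RecentList()
    verdicts = []
    for now in connection_times:
        table.set(ip, now)                               # --set --name SSH --rsource
        if table.update(ip, now, seconds, hitcount):     # --update ... -j DROP
            verdicts.append("DROP")
        else:
            verdicts.append("ACCEPT")                    # -j ACCEPT
    return verdicts


# Constructed timelines for the example.
SCANNER = [0, 3, 6, 9, 12, 15, 18, 21, 24, 27]   # one attempt every 3 s, as in the post
PAUSED = [0, 3, 6, 9, 70]                        # blocked, then quiet for over a minute
LEGIT_BURST = [0, 20, 40, 55]                    # a user opening four sessions in a minute

if __name__ == "__main__":
    for name, times in (("scanner", SCANNER), ("paused", PAUSED), ("legit burst", LEGIT_BURST)):
        print(name, list(zip(times, ssh_bfp(times))))
```

The first timeline is accepted three times and dropped from the fourth attempt on for as long as the attempts keep coming. The second shows the block lapsing once the source has been quiet for longer than the window, since only the last 60 seconds count. The third is the caveat a practitioner should know before enabling this: a legitimate user who opens four connections within a minute (several scp runs, say) is dropped exactly the same way, so pick the window and hitcount with your own usage in mind. And because the INPUT rule only matches NEW connections on eth0, the chain does nothing for SSH from the LAN side.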
 
