dropbear[...]: Login attempt for nonexistent user from [External IP]

igor469

New Around Here
Hi.
I have a BE88U with firmware Merlin 3006.102.3.
A week ago I started noticing the following events in its log - ... dropbear[...]: Login attempt for nonexistent user from [External IP]
The standard ADMIN password and name have long been changed to complex ones.
The standard port 22 has been changed. SSH access is open only from LAN.
I tried to connect via SSH from external IPs, but I could neither get such an event in the log nor connect.
How is this possible, and where should I look for a hole in my security?
I searched for similar cases on the forum, but the most useful advice is a complete reset of the router.
I don't like it, and I want to first find the hole in the existing security and close it.
 
It's been happening to me as well recently. Looks like someone is running an SSH brute-force attack against you, and what you are seeing is the login attempts. I would highly recommend that you shut down any external SSH access and make sure that you are not using a username/password to log into your router via SSH. That's about all you can do. You can also keep track of the IP addresses and configure the router to drop anything that comes from those addresses.
 
External SSH access is closed.
That's why I'm surprised by these messages in the logs.
Maybe there are a lot of attempts and every hundredth one reaches dropbear.
 
When you say "[External IP]" is that literally what it says or is it shorthand for various different IP addresses? If it's the latter could you show us a few of them, it might provide a clue.

Is there anything relevant showing under System Log - Port Forwarding?
 
The IPs change. Here are the latest ones: 92.255.85.107, 92.255.85.253
My redirects are listed in Port Forwarding, but neither 22 nor my new SSH port is there.
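
An added example, not part of any post in this thread: one way to keep track of the source addresses, as suggested above, by tallying the dropbear entries per source and separating LAN from non-LAN sources. The sample lines are constructed around the two addresses posted above; the timestamps, the `:port` suffix, the LAN address and the /24 grouping are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log. Only the message text and the two 92.255.85.x
# addresses come from the thread; everything else is assumed.
SAMPLE_LOG = """\
May  5 03:11:02 dropbear[2101]: Login attempt for nonexistent user from 92.255.85.107:40112
May  5 03:11:09 dropbear[2102]: Login attempt for nonexistent user from 92.255.85.107:40580
May  5 03:14:40 dropbear[2107]: Login attempt for nonexistent user from 92.255.85.253:51822
May  5 08:30:00 dropbear[2250]: Login attempt for nonexistent user from 192.168.50.23:53001
May  5 08:31:12 kernel: unrelated line
"""

# IPv4 only; the trailing ":port" is optional because its presence is assumed.
LINE_RE = re.compile(
    r"dropbear\[\d+\]: Login attempt for nonexistent user from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s*$"
)

def summarize(log_text):
    """Count attempts per source, split LAN vs. non-LAN, group the latter by /24."""
    external, internal, networks = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:        # e.g. 999.1.1.1 matches the regex but is invalid
            continue
        if ip.is_private:         # RFC 1918, loopback, link-local: a LAN-side source
            internal[str(ip)] += 1
        else:                     # reached the SSH daemon from outside the LAN
            external[str(ip)] += 1
            net = ipaddress.ip_network(f"{ip}/24", strict=False)
            networks[str(net)] += 1
    return {"external": dict(external), "internal": dict(internal),
            "networks": dict(networks)}

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for section, counts in result.items():
        for key, n in sorted(counts.items(), key=lambda kv: -kv[1]):
            print(f"{section:9} {key:18} {n}")
```

Any entry under `external` means a connection from outside the LAN reached the SSH daemon, which is the case the first post is trying to explain.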
 
