dropbear[...]: Login attempt for nonexistent user from [External IP]

igor469
Hi.
I have BE88U with firmware Merlin 3006.102.3.
A week ago I started noticing the following events in its log - ... dropbear[...]: Login attempt for nonexistent user from [External IP]
The standard ADMIN password and name have long been changed to complex ones.
The standard port 22 has been changed. SSH access is open only from LAN.
I tried to connect via SSH from external IPs, but I could neither produce such an event in the log nor connect.
How is this possible, and where should I look for a hole in my security?
I searched for similar cases on the forum, but the most useful advice was a complete reset of the router.
I don't like that option; I want to first find the hole in the existing security and close it.
 
It's been happening to me as well recently. It looks like someone is running an SSH brute force attack against you, and what you are seeing is the login attempts. I would highly recommend that you shut down any external SSH access and make sure that you are not using a username/password to log into your router via SSH. That's about all you can do. You can also keep track of the IP addresses and configure the router to drop anything that comes from those addresses.
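The "keep track of the IP addresses" step from the reply above, as an added example that is not from any post in this thread: it parses dropbear lines in the syslog format quoted later in the thread, counts failed-user attempts per public source IP, and prints the iptables DROP rules you would add. The log lines are constructed for the example (the two source IPs are the ones a later post quotes); the threshold and the optional port restriction are assumptions, and `2222` stands in for whatever custom port you chose.

```python
"""Triage dropbear "Login attempt for nonexistent user" lines by source IP.

Added example, not code from the thread or from the Asuswrt-Merlin firmware.
"""
import re
from collections import Counter
from ipaddress import ip_address

# Matches the dropbear message quoted in the thread; the syslog timestamp
# (or the "<SYSDATE>" placeholder) is simply left in front of the match.
DROPBEAR_RE = re.compile(
    r"dropbear\[(?P<pid>\d+)\]: Login attempt for nonexistent user from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<port>\d+))?"
)

# Constructed sample log in the format quoted in the thread (not real data).
SAMPLE_LOG = """\
Aug  4 13:40:01 dropbear[27087]: Login attempt for nonexistent user from 45.134.26.79:39596
Aug  4 13:40:09 dropbear[27091]: Login attempt for nonexistent user from 45.140.17.124:27836
Aug  4 13:41:15 dropbear[27102]: Login attempt for nonexistent user from 45.134.26.79:40211
Aug  4 13:41:20 dropbear[27105]: Password auth succeeded for 'admin' from 192.168.50.20:51234
Aug  4 13:42:02 dropbear[27110]: Login attempt for nonexistent user from 45.134.26.79:41002
"""


def parse_attempts(log_text):
    """Return (ip, source_port) for every failed-user login line."""
    hits = []
    for line in log_text.splitlines():
        m = DROPBEAR_RE.search(line)
        if m:
            hits.append((m.group("ip"), m.group("port")))
    return hits


def count_by_source(log_text):
    """Attempts per source IP, ignoring LAN/loopback sources: a LAN host
    hammering the router is a different problem from WAN probing."""
    counts = Counter()
    for ip, _ in parse_attempts(log_text):
        if not ip_address(ip).is_private:
            counts[ip] += 1
    return counts


def block_rules(log_text, threshold=2, ssh_port=None):
    """iptables commands for sources at or above threshold, most active first.
    With ssh_port given, the block is limited to that port (assumed 2222 in
    the usage note); without it the source is dropped entirely."""
    rules = []
    for ip, n in count_by_source(log_text).most_common():
        if n < threshold:
            continue
        if ssh_port is None:
            rules.append(f"iptables -I INPUT -s {ip} -j DROP")
        else:
            rules.append(f"iptables -I INPUT -s {ip} -p tcp --dport {ssh_port} -j DROP")
    return rules
```

Run it on a copy of `/tmp/syslog.log` pulled off the router and feed the output to `firewall-start` (the Asuswrt-Merlin user script that re-applies custom rules after the firewall is rebuilt). Treat the rules as a stopgap: the probes in this thread come from changing addresses, so the durable fix is the one the thread ends on, which is making sure the port is not reachable from the WAN at all.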
 
External SSH access is closed.
That's why I'm surprised by these messages in the logs.
Maybe there are a lot of attempts and every hundredth one reaches dropbear.
 
When you say "[External IP]" is that literally what it says or is it shorthand for various different IP addresses? If it's the latter could you show us a few of them, it might provide a clue.

Is there anything relevant showing under System Log - Port Forwarding ?
 
The IPs change. Here are the latest ones: 92.255.85.107, 92.255.85.253
My own redirects are in Port Forwarding, but neither 22 nor my new SSH port is there.
 
Hi, I have the same issue/question. My SSH is running on a custom port and it should only be accessible from the LAN. I can see messages like this in syslog.log:
<SYSDATE> dropbear[27087]: Login attempt for nonexistent user from 45.134.26.79:39596
<SYSDATE> dropbear[27091]: Login attempt for nonexistent user from 45.140.17.124:27836
...

Is this expected?
<edited to remove the actual sysdate>
 
Normal probing from the Internet. Set your ssh to LAN only and they should stop.
Just background noise to me.
 
That should not be possible unless you’ve disabled the firewall or some other unusual configuration.
What is the output of:
Code:
nvram get sshd_enable
ps ww | grep dropbear
iptables-save -c
 
Output:
sshd_enable=2
dropbear -p <My_port> -s -j -k


Code:
# Generated by iptables-save v1.4.15 on Mon Aug  4 13:56:35 2025
*raw
:PREROUTING ACCEPT [274953560:128261038849]
:OUTPUT ACCEPT [114393148:104668055130]
COMMIT
# Completed on Mon Aug  4 13:56:35 2025
# Generated by iptables-save v1.4.15 on Mon Aug  4 13:56:35 2025
*nat
:PREROUTING ACCEPT [164513:49153792]
:INPUT ACCEPT [69886:32013883]
:OUTPUT ACCEPT [7155:1782641]
:POSTROUTING ACCEPT [3762:981237]
:DNSFILTER - [0:0]
:GAME_VSERVER - [0:0]
:LOCALSRV - [0:0]
:MAPE - [0:0]
:PCREDIRECT - [0:0]
:PUPNP - [0:0]
:VPN_FUSION - [0:0]
:VSERVER - [0:0]
:VUPNP - [0:0]
[11:462] -A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
[75186:15473300] -A POSTROUTING -o eth0 -j PUPNP
[73528:15366190] -A POSTROUTING ! -s <ip_Add>32 -o eth0 -j MASQUERADE
[17119:1446765] -A VSERVER -j VUPNP
COMMIT
# Completed on Mon Aug  4 13:56:35 2025
# Generated by iptables-save v1.4.15 on Mon Aug  4 13:56:35 2025
*mangle
:PREROUTING ACCEPT [1367362:371404673]
:INPUT ACCEPT [952704:284654483]
:FORWARD ACCEPT [409791:86382486]
:OUTPUT ACCEPT [938051:608540003]
:POSTROUTING ACCEPT [1350117:695911973]
COMMIT
# Completed on Mon Aug  4 13:56:35 2025
# Generated by iptables-save v1.4.15 on Mon Aug  4 13:56:35 2025
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [936825:607143964]
:ACCESS_RESTRICTION - [0:0]
:DNSFILTER_DOT - [0:0]
:FUPNP - [0:0]
:IControls - [0:0]
:INPUT_ICMP - [0:0]
:INPUT_PING - [0:0]
:IPSECSSDN - [0:0]
:IPSEC_DROP_SUBNET_ICMP - [0:0]
:IPSEC_STRONGSWAN - [0:0]
:NWFF - [0:0]
:NWFF_0 - [0:0]
:OUTPUT_DNS - [0:0]
:OUTPUT_IP - [0:0]
:OVPNCF - [0:0]
:OVPNCI - [0:0]
:OVPNSF - [0:0]
:OVPNSI - [0:0]
:PControls - [0:0]
:PTCSRVLAN - [0:0]
:PTCSRVWAN - [0:0]
:SDN_FF - [0:0]
:SDN_FI - [0:0]
:SDN_IA - [0:0]
:SECURITY - [0:0]
:URLFF - [0:0]
:URLFF_0 - [0:0]
:URLFI - [0:0]
:URLFI_0 - [0:0]
:VPNCF - [0:0]
:VPNCI - [0:0]
:WGCF - [0:0]
:WGCI - [0:0]
:WGNPControls - [0:0]
:WGSF - [0:0]
:WGSI - [0:0]
:default_block - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
:logdrop_dns - [0:0]
:logdrop_ip - [0:0]
[246:17072] -A INPUT -p udp -m udp --dport 53 -j URLFI
[1025:779001] -A INPUT -p icmp -m icmp --icmp-type 8 -j INPUT_PING
[213448:54471332] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[3353:215446] -A INPUT -m state --state INVALID -j DROP
[329135:89201863] -A INPUT ! -i br0 -j PTCSRVWAN
[406579:140757809] -A INPUT -i br0 -j PTCSRVLAN
[1:40] -A INPUT ! -i lo -p tcp -m tcp --dport 5152 -j DROP
[406579:140757809] -A INPUT -i br0 -m state --state NEW -j ACCEPT
[312166:87753792] -A INPUT -i lo -m state --state NEW -j ACCEPT
[27:9068] -A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
[0:0] -A INPUT -p icmp -j INPUT_ICMP
[1:1400] -A INPUT -p gre -j ACCEPT
[16940:1437563] -A INPUT -j WGSI
[16940:1437563] -A INPUT -j WGCI
[16940:1437563] -A INPUT -j OVPNSI
[16927:1436964] -A INPUT -j OVPNCI
[16927:1436964] -A INPUT -j SDN_FI
[16927:1436964] -A INPUT -j DROP
[409791:86382486] -A FORWARD -j NWFF
[409791:86382486] -A FORWARD -j URLFF
[409791:86382486] -A FORWARD -j IPSEC_DROP_SUBNET_ICMP
[409791:86382486] -A FORWARD -j IPSECSSDN
[409791:86382486] -A FORWARD -j IPSEC_STRONGSWAN
[72598:4105310] -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
[311745:69235617] -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
[98046:17146877] -A FORWARD -j WGSF
[98046:17146877] -A FORWARD -j OVPNSF
[40:2686] -A FORWARD -i br0 -o br0 -j ACCEPT
[696:42430] -A FORWARD -m state --state INVALID -j DROP
[45:2668] -A FORWARD -i eth0 -j SECURITY
[45:2668] -A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
[96913:17069827] -A FORWARD -j WGCF
[96913:17069827] -A FORWARD -j OVPNCF
[96913:17069827] -A FORWARD -j VPNCF
[96913:17069827] -A FORWARD -j SDN_FF
[96913:17069827] -A FORWARD -i br0 -j ACCEPT
[0:0] -A FORWARD -j DROP
[1560:99377] -A OUTPUT -p udp -m udp --dport 53 -m u32 --u32 "0x0>>0x16&0x3c@0x8>>0xf&0x1=0x0" -j OUTPUT_DNS
[0:0] -A OUTPUT -p tcp -m tcp --dport 53 -m u32 --u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x8>>0xf&0x1=0x0" -j OUTPUT_DNS
[937988:608534769] -A OUTPUT -j OUTPUT_IP
[0:0] -A INPUT_ICMP -p icmp -m icmp --icmp-type 8 -j RETURN
[0:0] -A INPUT_ICMP -p icmp -m icmp --icmp-type 13 -j RETURN
[0:0] -A INPUT_ICMP -p icmp -j ACCEPT
[189:8033] -A INPUT_PING -i eth0 -p icmp -j DROP
[0:0] -A OUTPUT_DNS -m string --hex-string "|10706f697579747975696f706b6a666e6603636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
[0:0] -A OUTPUT_DNS -m string --hex-string "|0d72666a656a6e666a6e65666a6503636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
[0:0] -A OUTPUT_DNS -m string --hex-string "|1131306166646d617361787373736171726b03636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
[0:0] -A OUTPUT_DNS -m string --hex-string "|0f376d667364666173646d6b676d726b03636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
[0:0] -A OUTPUT_DNS -m string --hex-string "|0d386d617361787373736171726b03636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
[0:0] -A OUTPUT_DNS -m string --hex-string "|0f3966646d617361787373736171726b03636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
[0:0] -A OUTPUT_DNS -m string --hex-string "|1265666274686d6f6975796b6d6b6a6b6a677403636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
[0:0] -A OUTPUT_DNS -m string --hex-string "|086861636b7563647403636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
[0:0] -A OUTPUT_DNS -m string --hex-string "|076c696e77756469056633333232036e657400|" --algo bm --to 65535 --icase -j logdrop_dns
[0:0] -A OUTPUT_DNS -m string --hex-string "|0f6c6b6a68676664736174727975696f03636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
[0:0] -A OUTPUT_DNS -m string --hex-string "|0b6d6e627663787a7a7a313203636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
[0:0] -A OUTPUT_DNS -m string --hex-string "|077131313133333303746f7000|" --algo bm --to 65535 --icase -j logdrop_dns
[0:0] -A OUTPUT_DNS -m string --hex-string "|057371353230056633333232036e657400|" --algo bm --to 65535 --icase -j logdrop_dns
[0:0] -A OUTPUT_DNS -m string --hex-string "|077563746b6f6e6503636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
[0:0] -A OUTPUT_DNS -m string --hex-string "|0e7a786376626d6e6e666a6a66777103636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
[0:0] -A OUTPUT_DNS -m string --hex-string "|0a65756d6d6167766e627003636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
[0:0] -A OUTPUT_IP -d 193.201.224.0/24 -j logdrop_ip
[0:0] -A OUTPUT_IP -d 51.15.120.245/32 -j logdrop_ip
[0:0] -A OUTPUT_IP -d 45.33.73.134/32 -j logdrop_ip
[0:0] -A OUTPUT_IP -d 190.115.18.28/32 -j logdrop_ip
[0:0] -A OUTPUT_IP -d 51.159.52.250/32 -j logdrop_ip
[0:0] -A OUTPUT_IP -d 190.115.18.86/32 -j logdrop_ip
[333:23212] -A OVPNSF -o tun21 -j ACCEPT
[19:6054] -A OVPNSF -i tun21 -j ACCEPT
[0:0] -A OVPNSF -o tun21 -j ACCEPT
[0:0] -A OVPNSF -i tun21 -j ACCEPT
[3:179] -A OVPNSI -i tun21 -j ACCEPT
[10:420] -A OVPNSI -p udp -m udp --dport 1194 -j ACCEPT
[96913:17069827] -A SDN_FF -j SDN_IA
[0:0] -A SDN_IA -i br+ -o br+ -j DROP
[45:2668] -A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
[0:0] -A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
[0:0] -A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
[0:0] -A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
[0:0] -A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
[0:0] -A SECURITY -p icmp -m icmp --icmp-type 8 -j DROP
[0:0] -A SECURITY -j RETURN
[0:0] -A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
[0:0] -A logaccept -j ACCEPT
[0:0] -A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
[0:0] -A logdrop -j DROP
[0:0] -A logdrop_dns -j LOG --log-prefix "DROP_DNS " --log-tcp-sequence --log-tcp-options --log-ip-options
[0:0] -A logdrop_dns -j DROP
[0:0] -A logdrop_ip -j LOG --log-prefix "DROP_IP " --log-tcp-sequence --log-tcp-options --log-ip-options
[0:0] -A logdrop_ip -j DROP
COMMIT
# Completed on Mon Aug  4 13:56:35 2025
 
My SSH is set to LAN only

My SSH is not even enabled:

[attached screenshot: 1754312915733.png]


One example of the many similar records above.
 
The firewall was disabled when I got those messages in the log. Is the "Enable SSH option (LAN only)" only applicable if the firewall is running?
 
The ssh daemon (dropbear) listens on all interfaces. The firewall would normally block external access, unless enabled on WAN specifically. No firewall means no protection.
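To make the last reply concrete, here is an added example (not from the thread or from the firmware) that walks the INPUT chain posted earlier for one inbound packet. It answers "does a NEW TCP connection to the SSH port arriving on the WAN interface reach dropbear?" twice: once with the posted rules, and once with every chain emptied so that INPUT's ACCEPT policy decides, which is the model this example assumes for "firewall disabled". The filter excerpt is a trimmed copy of the posted dump (counters and ICMP rules removed); the port `2222` is a hypothetical custom port; `eth0` is the WAN interface as in the dump. Only the match options that occur in that INPUT chain are modelled (`-i`, `! -i`, `-p`, `--dport`, `--sport`, `--state`), so this is a reader for this dump, not an iptables emulator.

```python
"""Walk an iptables-save filter table for one inbound packet.

Added example for this thread; not code from the posts or the firmware.
Undeclared chains are treated as empty user-defined chains (they RETURN).
"""
import shlex

# Trimmed excerpt of the posted filter table (counters and ICMP rules removed).
POSTED_FILTER = """\
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 53 -j URLFI
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT ! -i br0 -j PTCSRVWAN
-A INPUT -i br0 -j PTCSRVLAN
-A INPUT ! -i lo -p tcp -m tcp --dport 5152 -j DROP
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -j WGSI
-A INPUT -j WGCI
-A INPUT -j OVPNSI
-A INPUT -j OVPNCI
-A INPUT -j SDN_FI
-A INPUT -j DROP
-A OVPNSI -i tun21 -j ACCEPT
-A OVPNSI -p udp -m udp --dport 1194 -j ACCEPT
"""

# Options modelled; every option in the excerpt takes exactly one value.
OPTS = {"-i": "in", "-p": "proto", "--dport": "dport", "--sport": "sport",
        "--state": "state", "-j": "target"}


def parse_rule(toks):
    """Turn a rule's option tokens into {field: (value, negated)}."""
    rule, i = {}, 0
    while i < len(toks):
        neg = toks[i] == "!"
        if neg:
            i += 1
        if toks[i] == "-m":            # match-module loader, no condition of its own
            i += 2
            continue
        key = OPTS.get(toks[i])
        if key is not None:
            rule[key] = (toks[i + 1], neg)
        i += 2
    return rule


def parse_filter(text):
    """Return (policies, chains) from iptables-save style lines."""
    policies, chains = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = policy    # "-" marks a user-defined chain
            chains.setdefault(name, [])
        elif line.startswith("-A "):
            toks = shlex.split(line)[1:]
            chains.setdefault(toks[0], []).append(parse_rule(toks[1:]))
    return policies, chains


def rule_matches(rule, pkt):
    """True when every condition holds, honouring '!' negation."""
    for key, (val, neg) in rule.items():
        if key == "target":
            continue
        hit = pkt["state"] in val.split(",") if key == "state" else str(pkt.get(key)) == val
        if hit == neg:                 # plain miss, or a negated hit
            return False
    return True


def verdict(policies, chains, chain, pkt, depth=0):
    """ACCEPT/DROP for pkt following jumps; None means the chain returned."""
    if depth > 16:
        raise RuntimeError("chain loop")
    for rule in chains.get(chain, []):
        if not rule_matches(rule, pkt):
            continue
        target = rule["target"][0]
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "RETURN":
            return None
        sub = verdict(policies, chains, target, pkt, depth + 1)
        if sub is not None:
            return sub
    policy = policies.get(chain, "-")  # built-in chains fall back to their policy
    return policy if policy != "-" else None


def reaches_sshd(filter_text, pkt, firewall_enabled=True):
    """Does pkt get past INPUT? 'Disabled' empties every chain (assumed model)."""
    policies, chains = parse_filter(filter_text)
    if not firewall_enabled:
        chains = {name: [] for name in chains}
    return verdict(policies, chains, "INPUT", pkt) == "ACCEPT"


# Hypothetical custom SSH port 2222; eth0 is the WAN interface in the dump.
WAN_SSH = {"in": "eth0", "proto": "tcp", "dport": 2222, "state": "NEW"}
LAN_SSH = {"in": "br0", "proto": "tcp", "dport": 2222, "state": "NEW"}
```

With the posted ruleset the WAN packet walks through the empty `PTCSRVWAN`, `WGSI`, `WGCI`, `OVPNSI`, `OVPNCI` and `SDN_FI` chains and lands on the final `-A INPUT -j DROP`, while the same packet on `br0` is accepted by the `-i br0 --state NEW` rule; that is the "LAN only" setting at work. With the chains emptied, nothing stands between the WAN and dropbear, which is what the counters on that final DROP rule and the reply above are saying: dropbear's own `-p <port>` binds on every interface, and the LAN restriction lives entirely in the firewall.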
 