Logging login failures

Mxyzptlk
Is there some way to get Merlin to log console and Web admin GUI login failures (and possibly even successes)? I've set the logging level down to debug but neither failures nor success in Admin GUI logins is showing up. This seems like a pretty basic security feature so I figured I'm just missing something...?
 
The system will log if 5 invalid login attempts occurred, triggering a 5 minutes lockout.
 
It appears that someone is trying to hack my router. Every time I try to login remotely, I am getting a message that I need to wait 5 minutes to login due to prior login attempts.

Is there any way to see the IP address and user names and passwords from invalid login attempts in the router log files?
 
On mine it shows IP address but not login user for web access.
For SSH access it is showing both, but only in the context of the key pair I use to login.
Passwords are not shown as you would expect for a plain text log file.
Code:
grep -E "HTTPD|dropbear" /tmp/syslog.log*
 
It appears that someone is trying to hack my router. Every time I try to login remotely, I am getting a message that I need to wait 5 minutes to login due to prior login attempts.

Is there any way to see the IP address and user names and passwords from invalid login attempts in the router log files?
Maybe you could enable firewall logging and match timestamps to see where they're coming from.

info<13>1 2025-12-22T19:09:35-05:00 rt-be88u HTTPD - - [meta sequenceId="1465"] [LOGIN][https][Web] successed (xxx.xxx.xxx.xxx)
info<13>1 2025-12-22T19:08:32-05:00 rt-be88u HTTPD - - [meta sequenceId="1462"] [LOGIN][https][Web] failed (xxx.xxx.xxx.xxx)
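The `grep -E "HTTPD|dropbear"` one-liner above and the two log layouts quoted in this thread (classic BusyBox syslog lines like `Jan  1 10:49:04 ripshod HTTPD: ...`, and the RFC 5424-style `info<13>1 2025-12-22T19:08:32-05:00 rt-be88u HTTPD - - [meta ...] ...` lines) can be turned into a small per-source-IP tally. The script below is an added example, not code from the forum or from Asuswrt-Merlin; the log lines inside it are constructed (RFC 5737 documentation addresses), the `year` argument is an assumption because classic syslog lines carry no year, and only the `HTTPD [LOGIN]` lines are parsed (dropbear lines are left to the grep). It flags the pattern the router itself reacts to (5 failures inside 5 minutes, the lockout trigger) and a second pattern seen later in the thread: a success that follows failures from the same address.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (documentation IPs), in both layouts seen in this thread.
SAMPLE_LOG = """\
Dec 31 21:11:54 ripshod HTTPD: [LOGIN][https][Web] successed (203.0.113.10)
Jan  1 10:49:04 ripshod HTTPD: [LOGIN][https][Web] failed (198.51.100.7)
Jan  1 10:49:05 ripshod HTTPD: [LOGIN][https][Web] failed (198.51.100.7)
Jan  1 10:49:06 ripshod HTTPD: [LOGIN][https][Web] failed (198.51.100.7)
Jan  1 10:49:07 ripshod HTTPD: [LOGIN][https][Web] failed (198.51.100.7)
Jan  1 10:49:08 ripshod HTTPD: [LOGIN][https][Web] failed (198.51.100.7)
Jan  1 10:49:09 ripshod HTTPD: [LOGIN][https][Web] successed (198.51.100.7)
info<13>1 2025-12-22T19:08:32-05:00 rt-be88u HTTPD - - [meta sequenceId="1462"] [LOGIN][https][Web] failed (192.0.2.5)
info<13>1 2025-12-22T19:09:35-05:00 rt-be88u HTTPD - - [meta sequenceId="1465"] [LOGIN][https][Web] successed (192.0.2.5)
"""

# Classic BusyBox syslog: "Jan  1 10:49:04 host HTTPD: [LOGIN][https][Web] failed (IP)"
CLASSIC_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ HTTPD: "
    r"\[LOGIN\]\[(?P<proto>\w+)\]\[Web\] (?P<result>successed|failed) \((?P<ip>[^)]+)\)"
)
# RFC 5424-style: "info<13>1 2025-12-22T19:08:32-05:00 host HTTPD - - [meta ...] [LOGIN]..."
ISO_RE = re.compile(
    r"^\S+ (?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:[+-]\d\d:\d\d|Z)?) \S+ HTTPD - - "
    r"(?:\[meta [^\]]*\] )?\[LOGIN\]\[(?P<proto>\w+)\]\[Web\] (?P<result>successed|failed) \((?P<ip>[^)]+)\)"
)


def parse_line(line, year=2026):
    """Return {'ts', 'proto', 'result', 'ip'} for an HTTPD login line, else None.

    Classic lines have no year, so `year` is an assumption supplied by the caller;
    lines straddling New Year therefore need to be split by year before analysis.
    Timestamps are normalised to naive local time so both layouts compare.
    """
    m = CLASSIC_RE.match(line)
    if m:
        ts_text = " ".join(m["ts"].split())  # collapse the padded day ("Jan  1")
        ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
    else:
        m = ISO_RE.match(line)
        if not m:
            return None
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00")).replace(tzinfo=None)
    return {"ts": ts, "proto": m["proto"], "result": m["result"], "ip": m["ip"]}


def analyze(text, threshold=5, window=timedelta(minutes=5), year=2026):
    """Tally web-login results per source IP and flag two patterns:

    burst                 -- `threshold` failures inside `window` (the router's own
                             lockout trigger, 5 in 5 minutes by default)
    success_after_failure -- a success that follows at least one failure from the
                             same IP, which is worth a look even without a burst
    """
    events = defaultdict(list)
    for line in text.splitlines():
        ev = parse_line(line, year)
        if ev:
            events[ev["ip"]].append(ev)

    report = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e["ts"] for e in evs if e["result"] == "failed"]
        # sliding window over the sorted failure times
        burst = any(fails[i + threshold - 1] - fails[i] <= window
                    for i in range(len(fails) - threshold + 1))
        seen_fail = success_after_failure = False
        for e in evs:
            if e["result"] == "failed":
                seen_fail = True
            elif seen_fail:
                success_after_failure = True
        report[ip] = {"failed": len(fails), "successed": len(evs) - len(fails),
                      "burst": burst, "success_after_failure": success_after_failure}
    return report


if __name__ == "__main__":
    # On the router: analyze(open("/tmp/syslog.log").read())
    for ip, r in sorted(analyze(SAMPLE_LOG).items()):
        print(ip, r)
```

The `successed` spelling is the router's own, so the pattern keeps it. Passwords are not in the log, as noted above, so nothing here tries to extract them.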
 
Disable remote login and use VPN instead.
 
Every time I try to login remotely

If you have Access from WAN enabled bots will try to login constantly. Do what @Ripshod suggests. If you run the VPN server on default port connection attempts will happen constantly. Use non-standard port.
 
Mmmm. Coming up in my logs quite regularly, and the router has been showing all sorts of weirdness lately
Code:
Dec 31 21:11:54 ripshod HTTPD: [LOGIN][https][Web] successed (12.190.146.90)
Dec 31 21:12:07 ripshod rc_service: httpds 3791:notify_rc start_uiScribeLogFileInfoList
Dec 31 21:12:07 ripshod custom_script: Running /jffs/scripts/service-event (args: start uiScribeLogFileInfoList)

**edit** Blocked that IP in skynet, and now seeing a new IP
Code:
Jan  1 10:49:04 ripshod HTTPD: [LOGIN][https][Web] failed (96.211.88.94)
Jan  1 10:49:08 ripshod HTTPD: [LOGIN][https][Web] successed (96.211.88.94)
Jan  1 10:55:40 ripshod HTTPD: [LOGIN][https][Web] successed (96.211.88.94)
Needless to say that IP is blocked too now. Also have a zero byte file in the root, ".init_enable_core" that I never noticed before.
Both private IPs. The first is AT&T, the second Comcast. Like being hacked from the USA.
To confirm. Web access from WAN is disabled.
@RMerlin any concerns?
 
To confirm. Web access from WAN is disabled.
Why do you have web access from the WAN enabled? See your own post #6.
 
Mmmm. Coming up in my logs quite regularly, and the router has been showing all sorts of weirdness lately
Have you tried running nmap against your WAN and see what ports are open? You can either try running that manually, or using it within RTRMON on the page 5/Diagnostics screen?
 
Why do you have web access from the WAN enabled? See your own post #6.

To confirm. Web access from WAN is disabled.
I've run a few online port scanners including shieldsup, and apart from one port I deliberately opened to validate the tests all ports are secure (stealthed according to shieldsup).
I'll try nmap later.
 
Result
Code:
# nmap -p- 212.229.XX.XX
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-01 16:06 GMT
Nmap scan report for static-212-229 XX-XX.vodafonexdsl.co.uk (212.229.XX.XX)
Host is up (0.000027s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
5152/tcp  open  sde-discovery
7788/tcp  open  unknown
18017/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 2.97 seconds
upnp and IPv6 pinhole are disabled.
Password changed.
 
What interfaces is httpd(s) listening on?
Code:
netstat -nlp | grep http

Also check for any unexpected port forwarding rules in System Log - Port Forwarding.
 
Code:
# netstat -nlp | grep http
netstat: showing only processes with your user ID
tcp        0      0 127.0.0.1:8443          0.0.0.0:*               LISTEN      10498/httpds
tcp        0      0 10.0.0.1:8443           0.0.0.0:*               LISTEN      10498/httpds
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN      10499/httpd
tcp        0      0 :::8443                 :::*                    LISTEN      10498/httpds
😳
No ports forwarded other than 11943 for my OVPN server.
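The `netstat -nlp | grep http` output above is the useful check here: the `:::8443` row is `httpds` bound to the IPv6 wildcard address, which on Linux also accepts IPv4 clients (as v4-mapped addresses) unless the socket sets `IPV6_V6ONLY`, while the `127.0.0.1` and `10.0.0.1` rows are loopback and LAN-only binds. A wildcard bind is not the same as WAN exposure, since the firewall's INPUT chain decides what gets through; likewise an nmap run on the router itself or from the LAN side reaches the sockets directly and does not exercise the WAN firewall, so only a scan from outside (or reading `iptables -L INPUT -n`) shows what is actually reachable. The script below is an added example, not code from the forum or from Asuswrt-Merlin: it parses `netstat -nlp` output (the two samples inside it are constructed to match the runs quoted in this thread) and classifies each listener by bind scope, so the wildcard ones stand out.

```python
import ipaddress

# Constructed samples matching the two netstat runs quoted in this thread:
# IPv6 enabled (note the ':::8443' wildcard bind) and IPv6 disabled.
NETSTAT_IPV6_ON = """\
netstat: showing only processes with your user ID
tcp        0      0 127.0.0.1:8443          0.0.0.0:*               LISTEN      10498/httpds
tcp        0      0 10.0.0.1:8443           0.0.0.0:*               LISTEN      10498/httpds
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN      10499/httpd
tcp        0      0 :::8443                 :::*                    LISTEN      10498/httpds
"""
NETSTAT_IPV6_OFF = """\
tcp        0      0 127.0.0.1:8443          0.0.0.0:*               LISTEN      3760/httpds
tcp        0      0 10.0.0.1:8443           0.0.0.0:*               LISTEN      3760/httpds
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN      3761/httpd
"""


def split_addr(s):
    """'127.0.0.1:8443' -> ('127.0.0.1', 8443); ':::8443' -> ('::', 8443); '[::]:80' -> ('::', 80)."""
    host, port = s.rsplit(":", 1)
    return host.strip("[]"), int(port)


def scope_of(host):
    """Classify a bind address: wildcard (0.0.0.0 / ::), loopback, or a specific interface address."""
    ip = ipaddress.ip_address(host)
    if ip.is_unspecified:
        return "wildcard"
    if ip.is_loopback:
        return "loopback"
    return "specific"


def parse_listeners(text):
    """Parse `netstat -nlp` output into listener dicts.

    Skips the 'showing only processes with your user ID' warning and any non-socket
    line. TCP rows carry a state column and are kept only when LISTEN; UDP rows
    (no state column) are kept as-is, so the function also works on an un-grepped dump.
    """
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith(("tcp", "udp")):
            continue
        is_tcp = f[0].startswith("tcp")
        if is_tcp and (len(f) < 7 or f[5] != "LISTEN"):
            continue
        host, port = split_addr(f[3])
        prog = f[-1].split("/", 1)[1] if "/" in f[-1] else f[-1]  # '10498/httpds' -> 'httpds'
        rows.append({"proto": f[0], "host": host, "port": port,
                     "scope": scope_of(host), "program": prog})
    return rows


def wildcard_listeners(text):
    """Return {(port, program)} for sockets bound to 0.0.0.0 or ::, i.e. the ones whose
    reachability depends entirely on the firewall rather than on the bind address."""
    return {(r["port"], r["program"]) for r in parse_listeners(text) if r["scope"] == "wildcard"}


if __name__ == "__main__":
    # On the router: wildcard_listeners(subprocess.check_output(["netstat", "-nlp"], text=True))
    for label, sample in (("IPv6 on", NETSTAT_IPV6_ON), ("IPv6 off", NETSTAT_IPV6_OFF)):
        print(label, "wildcard:", sorted(wildcard_listeners(sample)))
```

The IPv6-enabled sample yields one wildcard listener, `httpds` on 8443; the IPv6-disabled sample yields none, which matches the "exactly as expected" result reported further down the thread.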
 
Both private IPs. The first is AT&T, the second Comcast. Like being hacked from the USA.
To confirm. Web access from WAN is disabled.
There’s a theory that this is a bad conversion from your local IPv6 address. Is IPv6 enabled?
 
Just to round things up another run without IPv6. Exactly as expected.
Code:
# netstat -nlp | grep http
tcp        0      0 127.0.0.1:8443          0.0.0.0:*               LISTEN      3760/httpds
tcp        0      0 10.0.0.1:8443           0.0.0.0:*               LISTEN      3760/httpds
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN      3761/httpd
I'll run without IPv6 for a while, but I have a remote server that kinda depends on it.
 
Do the login messages show the correct IPv4 address now?
 