Mayday! Mayday! I'm under attack!

Discussion in 'ASUS AC Routers & Adapters' started by AppleBag, Oct 15, 2019.

  1. AppleBag

    AppleBag Occasional Visitor

    Joined:
    Dec 20, 2017
    Messages:
    39

    Hi all,

    I've been having issues with my NVRAM filling up the last couple of days, and have been looking over all my settings (currently using 384.13 Merlin on an ASUS RT-AC68U), and just noticed this filling up my log. I'm certainly no expert, but it appears that someone (or several someones) is trying to brute-force their way into my router admin using TOR nodes....

    While it appears that it's all being blocked properly (again, I'm no expert so I may be wrong), it seems like it must(?) be causing a lot of unnecessary traffic on my router, maybe even having a DOS-like effect, causing the issues with my NVRAM? Is there some way to block any and all incoming traffic from TOR nodes, so they don't even make it to my router in the first place? Or some other similar type of protection?

    Here's just a quick copy of my log activity over the short time I looked at the system log area:
    https://pastebin.com/8wttak9N

    Apologies if this sounds noob, but I kinda am one in this area. :p
     
    Last edited: Oct 15, 2019
  2. dave14305

    dave14305 Very Senior Member

    Joined:
    May 19, 2018
    Messages:
    1,348
    Turn off SSH from WAN.
     
    AppleBag and sfx2000 like this.
  3. Greg72

    Greg72 Regular Contributor

    Joined:
    Sep 24, 2019
    Messages:
    137
    Location:
    Central Illinois
    They are TOR Nodes. Disable access from WAN and tighten up your security along with blocking ICMP in Firewall. You can expect to get attacked on the Dark Web.
     
    AppleBag likes this.
  4. AppleBag

    AppleBag Occasional Visitor

    Joined:
    Dec 20, 2017
    Messages:
    39
    Thank you guys, I will try disabling SSH from WAN.

    What are your opinions of that add-on named Skynet? Is it worth using?

    Also, I don't really use the "dark web", but I do use BitTorrent here and there. Could those possibly be torrent connection attempts to my BitTorrent client, even if I've shut the client down hours or even a day or so ago? (Rather than actual router login attempts as listed in the log file?)
     
  5. AppleBag

    AppleBag Occasional Visitor

    Joined:
    Dec 20, 2017
    Messages:
    39
    Also, sorry for so many questions at once but could this also be causing a problem with my nvram? I know nvram basically just keeps settings but maybe the Merlin software is adding some other stuff, like logs or something, that may be adding to the nvram size?
     
  6. dave14305

    dave14305 Very Senior Member

    Joined:
    May 19, 2018
    Messages:
    1,348
    Short answer, yes.
    Short answer, no. Usually it’s large dhcp static lists or ssh keys or dnsfilter rules or vpn server/client settings. There’s a one line command posted a while back by john9527 that will show the largest nvram variables.
     
    AppleBag likes this.
  7. AppleBag

    AppleBag Occasional Visitor

    Joined:
    Dec 20, 2017
    Messages:
    39
    So I ran this command and here's the result:

    Code:
    ASUSWRT-Merlin RT-AC68U 384.13-0 Wed Jul 31 17:27:27 UTC 2019
    [email protected]:/tmp/home/root# nvram show | awk '{print length(), $0 | "sort -n -r"}' | cut -d"=" -f 1 | head -n 20
    size: 65486 bytes (50 left)
    4758 MULTIFILTER_TMP_T
    3085 custom_clientlist
    1084 dhcp_hostnames
    943 dhcp_staticlist
    810 nc_setting_conf
    716 wl0_maclist_x
    715 wl_maclist_x
    713 wl0_maclist
    694 wl_maclist
    512 rc_support
    410 wl1_maclist_x
    407 wl1_maclist
    237 webdav_smb_pc
    151 wollist
    131 wl1_chansps
    120 qos_rulelist
    92 1:pa5ga2
    92 1:pa5ga1
    92 1:pa5ga0
    84 asus_device_list
    [email protected]:/tmp/home/root# 
    Any idea what MULTIFILTER_TMP_T is? And if it's ok to clear it (since it's apparently some temp folder), and if so, how to specifically clear that variable? I googled that var name and came up empty.
     
  8. dave14305

    dave14305 Very Senior Member

    Joined:
    May 19, 2018
    Messages:
    1,348
    I believe it’s related to parental time scheduling, but I’ve never seen it with _T. If you don’t use parental time scheduling, you can try running (after backing up settings)
    Code:
    nvram unset MULTIFILTER_TMP_T
    nvram commit
    If you do use time scheduling, examine all the related nvram
    Code:
    nvram show 2>/dev/null | grep ^MULTIF
    Also using a wireless MAC filter is questionable these days.
     
    AppleBag likes this.
  9. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    14,257
    Location:
    San Diego, CA
    turn off SSH from WAN side, and you should be ok - these are all scripts that run in the cloud from folks that are looking for vulnerabilities in certain devices - sometimes it's routers, but many times it's IoT devices...

    If you don't need ssh directly into the router from WAN (and most folks do not), best to limit the threat surface there - same with WAN side HTTP/HTTPS access...

    really though - it's all background chatter these days on the internet in general.

    From a dev perspective, I do question why Asus writes logs to flash... but that's another discussion entirely...
     
    AppleBag and dave14305 like this.
  10. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    14,257
    Location:
    San Diego, CA
    Search the forums - it's actively maintained by the author, and has support of 3rd party devs that contribute here...
     
  11. AppleBag

    AppleBag Occasional Visitor

    Joined:
    Dec 20, 2017
    Messages:
    39
    Thanks @dave14305 , I really appreciate all the help.

    I don't run any Parental options at all. I ran that command and it shows this:

    Code:
    MULTIFILTER_TMP_T=<>1591100980aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    Does that look weird to you?
     
  12. dave14305

    dave14305 Very Senior Member

    Joined:
    May 19, 2018
    Messages:
    1,348
    Not unless my parent is Fonzie, “Aaaayyyy!”
    Unset it.
     
    Last edited: Oct 15, 2019
    AppleBag, royarcher and L&LD like this.
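    Added example (not posted in the thread, not part of Asuswrt-Merlin): a small POSIX sh/awk audit that ranks nvram variables by size, like the one-liner in post 7, and also flags values that are mostly one repeated character, like the MULTIFILTER_TMP_T value in post 11. The sample input is constructed; on the router you would pipe in real output with `nvram show 2>/dev/null`.

```shell
#!/bin/sh
# Added example, not from the thread. Audits "name=value" lines as produced by
# "nvram show": ranks variables by size (like the one-liner in post 7) and flags
# values that are mostly one repeated character, like the MULTIFILTER_TMP_T
# value in post 11. On the router: nvram show 2>/dev/null | nvram_rank 20
# ("size: ... bytes" goes to stderr, hence 2>/dev/null).

# Constructed sample standing in for real "nvram show" output; the filler is
# 200 'a' characters to mimic the garbage value seen in the thread.
FILLER=$(awk 'BEGIN { while (i++ < 200) printf "a" }')
NVRAM_SAMPLE="dhcp_staticlist=<00:11:22:33:44:55>192.168.1.10
custom_clientlist=<laptop>00:11:22:33:44:56>0>0>>
rc_support=mssid 2.4G 5G update usbX2
MULTIFILTER_TMP_T=<>1591100980$FILLER
wollist=<pc>00:11:22:33:44:57"

# nvram_rank N: print the N largest variables as "<line bytes> <name>",
# largest first (same ranking the thread's one-liner produces).
nvram_rank() {
    awk -F= 'NF >= 2 { print length($0), $1 }' | sort -n -r | head -n "${1:-20}"
}

# nvram_flag_filler: print the names of variables whose value is at least
# 64 bytes long and made up of one character for more than 80% of its length.
# Such values carry no real configuration and are candidates for "nvram unset".
nvram_flag_filler() {
    awk -F= 'NF >= 2 {
        name = $1
        val  = substr($0, length(name) + 2)   # everything after the first "="
        n    = length(val)
        if (n < 64) next
        split("", count)                      # reset per-character counts
        best = 0
        for (i = 1; i <= n; i++) {
            c = substr(val, i, 1)
            count[c]++
            if (count[c] > best) best = count[c]
        }
        if (best / n > 0.8) print name
    }'
}

# Stand-alone demo against the constructed sample.
printf '%s\n' "$NVRAM_SAMPLE" | nvram_rank 3
printf '%s\n' "$NVRAM_SAMPLE" | nvram_flag_filler
```

    Back up settings before running `nvram unset` on anything the audit flags, as dave14305 advised above.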
  13. #TY

    #TY Senior Member

    Joined:
    Mar 27, 2019
    Messages:
    244
    If you're not sure you have all the proper settings on your router (there are quite a few), I would recommend a nuclear reset as per the amazing L&LD guideline. I just re-did my router yesterday and it's been fantastic. Then, I would definitely recommend you install Diversion and SkyNet.

    Here are the links in case you're interested to set everything up flawlessly:

    Step 1: https://www.snbforums.com/threads/major-issues-w-rt-ac86u.56342/page-4#post-495710

    Step 2: https://www.snbforums.com/threads/amtm-step-by-step-install-guide-l-ld.56237/

    Hope it helps.
     
    AppleBag and L&LD like this.