Hi all!
Experienced sysadmin here, but not a router expert.
TL;DR – My TUF-BE3600 had system log entries (bad password/no such user account) for a Vietnamese IP address attempting to SSH in, BUT remote/WAN SSH access is disabled, the firewall is enabled, and I can't SSH into it remotely myself, so is there a setup issue or is it a bug?
Background
Woke up to my home internet being unresponsive. Wifi was up but no websites or apps could connect. Bounced wifi on my phone, then rebooted the phone, and it still wasn't working, so I switched to looking at the router. Instead of rebooting it I decided to check it out first, because why not.
- I could connect to the router via its local wifi network using the ASUS app and web interface
- I could also connect to it (with the app only) via mobile data
- Devices connected to the router couldn't connect to any internet sites
- On the router itself I could ping Google, do DNS lookups etc., so its internet connection was working
- While doing all the above I then happened to notice unexpected things as per below.
- It all started working again as soon as I rebooted the router
Netstat on the router listed a connection on port 22 (SSH) from Vietnam (and also two connections to AWS EC2 instances that I figure are the remote connection to ASUS for remote management via the app):
tcp 115-xxxxmywanip.ip4.superloop.au:ssh dynamic-ip-adsl.viettel.vn:35916
tcp 115-xxxxmywanip.ip4.superloop.au:54202 ec2-54-200-198-224.us-west-2.compute.amaz...
tcp 115-xxxmywanip.ip4.superloop.au:42033 ec2-54-169-185-136.ap-southeast-1.ap-southeast-1.compu...
The ssh connection was only there for a few seconds as it was gone the next time I ran netstat.
In the router's system.log at the same time you can see me successfully connecting to the router with my iPhone at 9:55:25, followed shortly after by a bad password attempt from 171.243.149.253 (which resolves to dynamic-ip-adsl.viettel.vn, matching what was seen in netstat), followed by some login attempts for nonexistent users (wasn't me of course):
Jan 31 09:55:25 HTTPD: [LOGIN][https][APP] successed (192.168.50.144) [me from my phone]
Jan 31 09:55:32 dropbear[3483]: Bad password attempt for 'admin' from 171.243.149.253:40852
Jan 31 09:55:40 rc_service: httpds 3963:notify_rc start_webs_update
Jan 31 09:55:41 dropbear[3498]: Login attempt for nonexistent user
Jan 31 09:56:00 dropbear[3516]: Login attempt for nonexistent user
Jan 31 09:56:00 dropbear[3517]: Login attempt for nonexistent user
Jan 31 09:56:31 dropbear[3697]: Login attempt for nonexistent user
Jan 31 09:56:46 dropbear[3699]: Login attempt for nonexistent user
Over the last 10 days of logs, the ONLY other dropbear events are successful logins for me connecting via its local Wifi 192.168.50.0 network. I guess the timing of me logging in to see what was broken, with this attempt, was just a really massive coincidence (?). Happily the router admin password is unique, long, and randomly generated, as are all my passwords.
But...correct me if I'm wrong, this shouldn't be happening!
- "Enable SSH" was set to "LAN only"! --> It shouldn't be allowing remote connections
- Router firewall was enabled
After the reboot I checked the following:
- A remote port scan using online port scanners doesn't find any open ports on my public IP4 address, and trying to SSH in remotely doesn't work either (it times out)
- I then changed "Enable SSH" to "LAN and WAN" and only then could I SSH to my router remotely (have changed it back of course), and I could see this router firewall rule appear and disappear "-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT" during this test
- SSH port was still default of 22
- There's no authorised SSH keys set up
- Unrelated, but "Enable Web Access from WAN" is "No"
- Firmware is still on latest version
So…how did this happen??
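Two checks a defender can run after an event like the one described in this thread, written here as an added example (it is not code from the original post or from ASUS). The first classifies dropbear and HTTPD login lines from the router's system.log by whether the source address is inside the LAN; the second scans `iptables -S INPUT` output for an ACCEPT on port 22 that carries no interface or source restriction, which is what the "LAN only" setting should never produce. The LAN subnet 192.168.50.0/24 comes from the post; the LAN-side interface name br0, the "Password auth succeeded" log line and the sample iptables rules other than the one quoted in the post are assumptions, and both sample inputs are constructed.

```python
import ipaddress
import re
import shlex

# Constructed sample log lines modelled on the system.log excerpt in the post.
# The "Password auth succeeded" line is a constructed LAN login (assumed
# dropbear wording), not a line from the post.
SAMPLE_LOG = """\
Jan 31 09:55:25 HTTPD: [LOGIN][https][APP] successed (192.168.50.144)
Jan 31 09:55:32 dropbear[3483]: Bad password attempt for 'admin' from 171.243.149.253:40852
Jan 31 09:55:40 rc_service: httpds 3963:notify_rc start_webs_update
Jan 31 09:55:41 dropbear[3498]: Login attempt for nonexistent user
Jan 31 10:02:10 dropbear[3601]: Password auth succeeded for 'admin' from 192.168.50.144:51234
"""

DROPBEAR_AUTH = re.compile(
    r"dropbear\[\d+\]: (?P<event>Bad password attempt|Password auth succeeded) "
    r"for '(?P<user>[^']*)' from (?P<src>[0-9.]+):(?P<port>\d+)"
)
DROPBEAR_NOUSER = re.compile(r"dropbear\[\d+\]: Login attempt for nonexistent user")
HTTPD_LOGIN = re.compile(r"HTTPD: \[LOGIN\].*\((?P<src>[0-9.]+)\)")


def classify_source(src, lan_net):
    """Return 'lan', 'wan' or 'unknown' for a source address string."""
    if src is None:
        return "unknown"
    try:
        return "lan" if ipaddress.ip_address(src) in lan_net else "wan"
    except ValueError:
        return "unknown"


def parse_login_events(log_text, lan_cidr):
    """Extract SSH (dropbear) and web (HTTPD) login events and tag their scope.

    Dropbear's 'nonexistent user' line carries no address, so those events are
    tagged 'unknown' and can only be correlated with neighbours by timestamp.
    """
    lan_net = ipaddress.ip_network(lan_cidr)
    events = []
    for line in log_text.splitlines():
        m = DROPBEAR_AUTH.search(line)
        if m:
            events.append({"service": "ssh", "event": m["event"], "user": m["user"],
                           "src": m["src"], "scope": classify_source(m["src"], lan_net)})
            continue
        if DROPBEAR_NOUSER.search(line):
            events.append({"service": "ssh", "event": "nonexistent user", "user": None,
                           "src": None, "scope": "unknown"})
            continue
        m = HTTPD_LOGIN.search(line)
        if m:
            events.append({"service": "http", "event": "login ok", "user": None,
                           "src": m["src"], "scope": classify_source(m["src"], lan_net)})
    return events


# Constructed `iptables -S INPUT` output. The br0-restricted rule is an assumed
# LAN-only form; the unrestricted rule is the one quoted in the post.
SAMPLE_INPUT_CHAIN = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""


def unrestricted_accepts(rules_text, port):
    """Return INPUT rules that ACCEPT TCP <port> with no -i/-s restriction.

    Such a rule admits the port from every interface, WAN included.
    """
    hits = []
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["-A", "INPUT"] or "-j" not in tok:
            continue
        if tok[tok.index("-j") + 1] != "ACCEPT":
            continue
        if "--dport" not in tok or tok[tok.index("--dport") + 1] != str(port):
            continue
        if "-i" in tok or "-s" in tok:
            continue
        hits.append(line)
    return hits


if __name__ == "__main__":
    for e in parse_login_events(SAMPLE_LOG, "192.168.50.0/24"):
        if e["scope"] != "lan":
            print("non-LAN login activity:", e)
    for r in unrestricted_accepts(SAMPLE_INPUT_CHAIN, 22):
        print("port 22 accepted from any interface:", r)
```

On a live router the same functions can be fed the real files (the system log and the output of `iptables -S INPUT`); the point of the second check is that it finds the unrestricted rule regardless of which GUI setting is supposed to control it, so it can be re-run after a firmware update or a settings change to confirm the WAN side is still closed.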