
RT-AC68P system log shows hacker attempts?


staticfree

Regular Contributor
I had updated my new AC68P to the latest Firmware Version: 3.0.0.4.378_3873 yesterday from the original out of the box firmware version 376_2104.
I just noticed in the system log lots of error messages but what concerns me most is I see unauthorized attempts at trying to login to the router. The IP addresses I traced back all come from China. Those damn hackers!

Does anyone else see such unauthorized login attempts in their logs?
Here is a cut and paste of some of the ones I see in there now. There are many lines of each attacker but I am just posting a few lines from each IP address to save space:

Feb 1 15:40:53 dropbear[1749]: login attempt for nonexistent user from ::ffff:61.174.50.208:52746
Feb 1 15:40:54 dropbear[1749]: login attempt for nonexistent user from ::ffff:61.174.50.208:52746
Feb 1 15:40:54 dropbear[1749]: login attempt for nonexistent user from ::ffff:61.174.50.208:52746

Feb 2 01:51:36 dropbear[3519]: login attempt for nonexistent user from ::ffff:61.174.51.230:13064
Feb 2 01:51:37 dropbear[3519]: login attempt for nonexistent user from ::ffff:61.174.51.230:13064
Feb 2 01:51:37 dropbear[3519]: login attempt for nonexistent user from ::ffff:61.174.51.230:13064

Feb 2 09:32:29 dropbear[4912]: login attempt for nonexistent user from ::ffff:218.2.0.137:16135
Feb 2 09:32:31 dropbear[4912]: login attempt for nonexistent user from ::ffff:218.2.0.137:16135
Feb 2 09:32:32 dropbear[4912]: login attempt for nonexistent user from ::ffff:218.2.0.137:16135
Feb 2 09:32:34 dropbear[4912]: login attempt for nonexistent user from ::ffff:218.2.0.137:16135

Feb 2 15:33:06 dropbear[5900]: login attempt for nonexistent user from ::ffff:122.225.97.73:53189
Feb 2 15:33:07 dropbear[5900]: login attempt for nonexistent user from ::ffff:122.225.97.73:53189
Feb 2 15:33:07 dropbear[5900]: login attempt for nonexistent user from ::ffff:122.225.97.73:53189
Feb 2 15:33:08 dropbear[5900]: login attempt for nonexistent user from ::ffff:122.225.97.73:53189

Feb 2 17:18:26 dropbear[6225]: login attempt for nonexistent user from ::ffff:61.143.236.193:48863
Feb 2 17:18:30 dropbear[6226]: login attempt for nonexistent user from ::ffff:61.143.236.193:49600
Feb 2 17:18:33 dropbear[6227]: login attempt for nonexistent user from ::ffff:61.143.236.193:50284
Feb 2 17:18:36 dropbear[6229]: login attempt for nonexistent user from ::ffff:61.143.236.193:51030

Also I see a lot of these messages in the syslog. What are they from?

Feb 2 23:05:05 miniupnpd[741]: sendto(udp): Operation not permitted
Feb 2 23:06:06 miniupnpd[741]: sendto(udp): Operation not permitted
Feb 2 23:09:11 miniupnpd[741]: sendto(udp): Operation not permitted
:(
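A way to triage dropbear entries like the ones quoted above, as an added example that is not part of the original post: it groups failed logins by source address and counts distinct dropbear PIDs, which separates one connection guessing several usernames from a source that reconnects for every guess. The sample lines are constructed with documentation-range addresses, and the LAN subnet `192.168.1.0/24` is an assumption.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

LAN_NET = ip_network("192.168.1.0/24")  # assumption: the router's LAN subnet

# Constructed sample in the dropbear format shown in the post; addresses are
# from the RFC 5737 documentation ranges, not taken from the original log.
SAMPLE_LOG = """\
Feb 1 15:40:53 dropbear[1749]: login attempt for nonexistent user from ::ffff:192.0.2.10:52746
Feb 1 15:40:54 dropbear[1749]: login attempt for nonexistent user from ::ffff:192.0.2.10:52746
Feb 1 15:40:54 dropbear[1749]: login attempt for nonexistent user from ::ffff:192.0.2.10:52746
Feb 2 17:18:26 dropbear[6225]: login attempt for nonexistent user from ::ffff:203.0.113.7:48863
Feb 2 17:18:30 dropbear[6226]: login attempt for nonexistent user from ::ffff:203.0.113.7:49600
Feb 2 17:18:33 dropbear[6227]: login attempt for nonexistent user from ::ffff:203.0.113.7:50284
Feb 2 17:20:01 dropbear[6301]: login attempt for nonexistent user from 192.168.1.50:40122
Feb 2 23:05:05 miniupnpd[741]: sendto(udp): Operation not permitted
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+dropbear\[(?P<pid>\d+)\]:\s+"
    r"login attempt for nonexistent user from (?P<peer>\S+)$"
)

def split_peer(peer):
    """Return the source address from 'addr:port', unwrapping ::ffff:a.b.c.d."""
    host, _, _port = peer.rpartition(":")
    addr = ip_address(host)
    return getattr(addr, "ipv4_mapped", None) or addr

def summarize(log_text, threshold=3):
    """Group failed logins by source; keep sources with >= threshold attempts."""
    stats = defaultdict(lambda: {"attempts": 0, "sessions": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # lines from other daemons (e.g. miniupnpd) are skipped
        s = stats[split_peer(m["peer"])]
        s["attempts"] += 1
        s["sessions"].add(m["pid"])  # one dropbear PID per TCP connection
        s["first"] = s["first"] or m["ts"]
        s["last"] = m["ts"]
    return {
        str(a): {**s, "sessions": len(s["sessions"]), "wan": a not in LAN_NET}
        for a, s in stats.items()
        if s["attempts"] >= threshold
    }
```

Any entry with `wan` set to true means the SSH port is reachable from outside the LAN, which is the exposure the thread goes on to discuss.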
 
Disable SSH. Asus's SSH server is exposed to the WAN by default, with no way of limiting its access to the LAN only.
 

I did reset my router and manually reconfigured it and disabled ssh last evening as soon as I noticed the unauthorized login attempts.
I've also a new WAN assigned IP address facing outside for now, so I don't see those hackers banging away at my router any longer (for now).
Anyway, thanks.

BTW, what causes the other log message I asked about?
Feb 2 23:05:05 miniupnpd[741]: sendto(udp): Operation not permitted
Feb 2 23:06:06 miniupnpd[741]: sendto(udp): Operation not permitted
Feb 2 23:09:11 miniupnpd[741]: sendto(udp): Operation not permitted

Any need to be concerned for the above messages? Is something not configured properly or just a firmware bug?
 

Just ignore them. They might be from expired UDP UPNP port forwards possibly - I'm not sure about the exact source of these.
 
I literally just had this happen today as well with AC68P. Same story, IPs from China. Does selecting SSH access from WAN not disable external access?
 

Okay, Thanks. BTW, is there any way or plans for your Merlin firmwares to fix that exposed SSH to the WAN? Like can you modify the firmware so that we have an option to enable SSH and have extra option to allow WAN access or to only allow local LAN access choices? That would be a good update. :)
 

My firmware has had WAN exposure configurable for years now.
 

Oh, that's great! Outstanding! Okay I will look to try your firmware out on this AC68P. Which one is equivalent to the latest ASUS featured firmware? Or which one of your firmwares do you recommend I try for starters?
Thanks!
 
Get the latest non-beta release.



Okay Thanks! I've downloaded your latest non-beta firmware as well as the latest Beta firmwares. I don't know when I will get a chance to install and reconfigure everything though. No rush as the regular ASUS firmware is running really fine for my use at this time (minus the ssh and other forum mentioned bugs and quirks which don't bother me too much). Thanks again!
 
