Who is logging in? Perhaps someone has an idea

mister

Regular Contributor
Dear all,
I have a question where I don't know how to proceed.
My RT-AC86U is connected with my DSL Router (192.168.0.1) via the WAN port (IP 192.168.0.100). All clients are connected with WiFi or LAN with my RT-AC86U in the net 192.168.1.0/24.

In the logging events of the DSL Router, an event is displayed that someone from the IP 192.168.0.100 is trying to log into the DSL router but was rejected because of a wrong password.

My question is:
Is there a possibility to log which client of the 192.168.1.0/24 network is trying to log into 192.168.0.1?

Any ideas, what I could do?

Thanks a lot

Hugo
 
Make sure the router Web Access from WAN is disabled.

OE
 
Thanks a lot for your suggestion, but I have to use the login because of controlling smart home plugs controlled via the DSL router (modem).
The web access of the RT-AC86U via WAN is deactivated, but in the RT-AC86U there is no unauthorised login. It is the DSL modem prior to the Asus router.

Is there a possibility to log in my Asus router the client who tries to access the specific IP 192.168.0.1 of the DSL modem?
 
My RT-AC86U is connected with my DSL Router (192.168.0.1) via Wan port (IP 192.168.0.100).

In the logging events of the DSL Router, an event is displayed, that someone from the IP 192.168.0.100 is trying to log into the DSL router but was rejected because of a wrong password.

Is this a typo? Or are you assuming some device on 192.168.1.0/24 has been NAT'd over the WAN?
 
Sorry, I see now... I got turned around.

I'm not sure how to ID the 86U client trying to login to the DSL box.

OE
 
How often is this happening? Was it a one-off occurrence or is it happening all the time? You could create/modify a firewall-start script on your router to log all traffic to the modem:
Code:
iptables -I FORWARD -d 192.168.0.1 -m state --state NEW -j LOG --log-prefix "XXXX "
iptables -I OUTPUT  -d 192.168.0.1 -m state --state NEW -j LOG --log-prefix "YYYY "
 
Thanks a lot for your answers. It occurs a lot of times during the day, so I assume it could be a misconfigured Alexa device or something else. I checked a lot of apps but no success. That is the reason why I want to check where to search.

@ColinTaylor: At which path of the RT-AC86U do I have to create your script? Are XXXX and YYYY the file names I want to create?
 
firewall-start is just a standard user script, a version of which may already exist on your router. The full path would be /jffs/scripts/firewall-start.

If you're not already familiar with creating user scripts you'll have to read up on them: https://github.com/RMerl/asuswrt-merlin.ng/wiki/User-scripts

However, if this is happening frequently enough you could get away with just entering those two commands from an SSH terminal session. In which case be aware that those commands would be temporary and will be wiped out if you reboot the router or apply any changes in the router's GUI.

The "XXXX" and "YYYY" are just arbitrary labels I chose that will appear in your router's system log. They could be anything. As it stands "XXXX" indicates traffic from a LAN client and "YYYY" indicates traffic from the router itself.

EDIT: It occurs to me that your Asus might be configured to use the modem as its DNS server. If that's the case then you might find that the Asus' system log is flooded with DNS entries that you're not interested in. If that's the case then you'll have to slightly modify the iptables commands or change the Asus' WAN DNS settings to use a different server.
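
An added example (not from any poster in this thread): once the two LOG rules are in place, this shell function tallies the logged connections per LAN source IP, source MAC and destination port, and drops DNS (port 53) entries at analysis time as an alternative to changing the rules. The function names and sample lines are constructed for illustration; it assumes the standard netfilter LOG line format, where the MAC= field holds destination MAC, source MAC and EtherType.

```shell
#!/bin/sh
# Constructed sample lines in netfilter LOG format (not from a real router).
sample_log() {
cat <<'EOF'
May  4 09:00:01 kernel: XXXX IN=br0 OUT=eth0 MAC=02:00:00:00:00:01:02:00:00:00:00:17:08:00 SRC=192.168.1.23 DST=192.168.0.1 LEN=60 TTL=63 PROTO=TCP SPT=40112 DPT=80 SYN
May  4 09:00:07 kernel: XXXX IN=br0 OUT=eth0 MAC=02:00:00:00:00:01:02:00:00:00:00:40:08:00 SRC=192.168.1.40 DST=192.168.0.1 LEN=71 TTL=63 PROTO=UDP SPT=5353 DPT=53 LEN=51
May  4 09:05:01 kernel: XXXX IN=br0 OUT=eth0 MAC=02:00:00:00:00:01:02:00:00:00:00:17:08:00 SRC=192.168.1.23 DST=192.168.0.1 LEN=60 TTL=63 PROTO=TCP SPT=40150 DPT=80 SYN
May  4 09:06:30 kernel: YYYY IN= OUT=eth0 SRC=192.168.0.100 DST=192.168.0.1 LEN=60 TTL=64 PROTO=TCP SPT=51000 DPT=80 SYN
May  4 09:07:12 kernel: XXXX IN=br0 OUT=eth0 MAC=02:00:00:00:00:01:02:00:00:00:00:40:08:00 SRC=192.168.1.40 DST=192.168.0.1 LEN=60 TTL=63 PROTO=TCP SPT=44321 DPT=443 SYN
May  4 09:10:01 kernel: XXXX IN=br0 OUT=eth0 MAC=02:00:00:00:00:01:02:00:00:00:00:17:08:00 SRC=192.168.1.23 DST=192.168.0.1 LEN=60 TTL=63 PROTO=TCP SPT=40188 DPT=80 SYN
May  4 09:11:00 dnsmasq-dhcp[301]: DHCPACK(br0) 192.168.1.23 02:00:00:00:00:17
EOF
}

# Reads a system log on stdin and prints: count, source IP, source MAC, proto/port.
# $1 = the --log-prefix label to match (default XXXX, i.e. LAN clients).
summarize_modem_hits() {
    awk -v tag="${1:-XXXX}" '
    index($0, " " tag " ") == 0 { next }      # line was not written by our rule
    {
        src = mac = proto = dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            # MAC=<dst 6 bytes>:<src 6 bytes>:<ethertype>; keep the source MAC
            if ($i ~ /^MAC=/ && length($i) >= 39) mac = substr($i, 23, 17)
        }
        if (dpt == "53") next                 # ignore DNS lookups sent to the modem
        n[src " " mac " " proto "/" dpt]++
    }
    END { for (k in n) print n[k], k }' | sort -k1,1nr -k2
}

# Try it on the sample: sample_log | summarize_modem_hits
```

On the router the input would be the system log instead of the sample, for example `summarize_modem_hits < /tmp/syslog.log` (log path assumed). Port 80 or 443 hits from one LAN address are the ones to match against the modem's failed-login times.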
 
You could try running a network scanner (there are a lot of them out there) to see if there is actually a device with the 192.168.0.100 address that is physically on your network before you start looking for external intrusions. Usually scanners will report device manufacturer, MAC, and any other info it can get (sometimes you even get device name). This can help you in tracking it down locally.

If it doesn't show up on a network scan, then likely it is someone who is able to get through your firewall (either via a breached IoT device, or another device) and are masking into that IP only when they are proxying.

In any case, it would help to troubleshoot once you have the info of whether it is a misbehaving device, or it is an actual external attack.
 
I thought the same initially, but upon closer reading this won't work, because the 192.168.0.100 IP is the IP of the Asus router.
@ColinTaylor's solution looks like the best way forward I think.
 
Ah.. Sorry, didn't see the full description of the routing. I would definitely try to set up Wireshark locally and look for traffic that is headed for 192.168.0.1 on your local network. If you are seeing it fairly constantly, then you should have to capture for long with Wireshark to find the source. You can also use traffic monitoring in the ASUS router to see if you can log via the router where the NAT is coming from when the destination is specifically the 192.168.0.0/24 network.

I would also double-check your WAN settings and make sure that it isn't set to try to log in to your ISP, which could also cause it. In addition, any settings for Proxy, VPN, DDNS, or WPS to the WAN for auto configure could also cause this.

The double NAT isn't the best in any case. I would talk to your ISP and see if you can put the ISP modem/router into bridge mode and then single NAT via the ASUS router.
 
Thanks a lot for all your comments and ideas. I will start with the firewall-start entry idea. The Asus router has its own DNS Server entries and does not use the Modem ones. VPN Servers and Clients are active, but the DNS entries are disabled as well.

Because I have cake-QOS installed, the qos web traffic is disabled in the asus router. But of course I can deactivate cake-qos for a while - that is a good idea. In the WAN section, no authentication is set. @PorthosJon : Regarding the double NAT I have to say, that I am a self learning guy with no technical or computer science background, so I have to learn step by step by myself. So thanks a lot for your comment - I will look to that suggestion later :).
I will download Wireshark at the weekend and will try to get it to work. Wireshark is new for me as well. If you don't mind, I will request your support in case I have problems.

Thanks a lot again.

Hugo.
 
