Is this a record - 36,000 login attemps on my router
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Plusnet Community
- :
- Forum
- :
- Help with my Plusnet services
- :
- Broadband
- :
- Re: Is this a record - 36,000 login attemps on my ...
Is this a record - 36,000 login attemps on my router
23-07-2012 7:12 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
There are over 36,000 failed (fortunately!) login attempts so far this year. The vast majority are from 84.x.x.x addresses (I'm on 84.92.x.x). Why is that?
First thought - wow!
Second thought - only another billion years or so before they brute force the password (assuming they are all in collusion)
Third thought - my bandwidth is being used (which I pay for, as we all do) and it's not even me!
Yesterday's main culprit is <snip>, with well over 100 login attempts to my router.
There's also some strange activity with someone in Beijing (159.226.95.143) apparently trying to use my router as their dns, I think... Will PN mind me doing a very aggressive scan on them??? (oops, too late, lol)
[Moderator's note by Jim (Oldjim) IP address and Plusnet username removed for fairly obvious reasons but noted in the hidden forums for staff ]
Re: Is this a record - 36,000 login attemps on my router
23-07-2012 8:18 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Quote [Moderator's note by Jim (Oldjim) IP address and Plusnet username removed for fairly obvious reasons but noted in the hidden forums for staff ]
There are hidden forums for staff?!? Who knew?
Re: Is this a record - 36,000 login attemps on my router
23-07-2012 8:26 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Re: Is this a record - 36,000 login attemps on my router
23-07-2012 9:53 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
I've never encountered such a large number of reports of such activity, which suggests it may well have some form of pattern to it.
Do you have the last time the offending and removed IP last tried to access, so I can dig into the connection logs at that time?
Re: Is this a record - 36,000 login attemps on my router
24-07-2012 9:46 AM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
I'll send you a PM with a link to my syslog file in case you want to have a look.
The offending IP appears much earlier in the log than I had realised - back to March!
The last entry that I can see from it is on Sun Jul 22 12:37:42; the end of a flood of telnet attempts from it.
Cheers!
Re: Is this a record - 36,000 login attemps on my router
24-07-2012 9:55 AM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Whilst part of the IP prefix matches, the majority does not.
I can see you have raised a ticket, which should be passed through to our networks team to handle as an abuse report.
I have passed this on to them now.
Re: Is this a record - 36,000 login attemps on my router
24-07-2012 10:17 AM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
I'm watching a stream of probes for ports 445 and 138 coming into my IP block now, lol. From different IP's though, the that one on PN's network.
Re: Is this a record - 36,000 login attemps on my router
24-07-2012 2:04 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
You may also want to look at the Safe Surf option if you aren't aware of it.
Login required for both of those.
Re: Is this a record - 36,000 login attemps on my router
24-07-2012 2:27 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Re: Is this a record - 36,000 login attemps on my router
24-07-2012 2:30 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Re: Is this a record - 36,000 login attemps on my router
24-07-2012 8:19 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
I use an openBSD box with PF configured as a firewall/router for my IP block. That's after the modem/router which is configured as a bridge and also has a firewall configured to reject Windows' silly ports.
I do open up some service ports at times, so using an external firewall isn't an option. I have gone so far as to set up port-knocking before now to secure my own access when out working.
The issue I had with a certain IP address was the repeated attempts (100's) to log in to my modem/router; it is a plusnet-owned address hence my report. It's a small fraction of the 36,000+ login attempts since the start of this year though. The modem drops the majority of probes (like for file sharing ports) and the openBSD box handles the rest, so I'm as safe as it gets really, short of an airwall setup. It just surprised me how may login attempts there were.
The very heavy 'quiescent' use of my allowance is still a puzzle, but I've changed my default outgoing address and that has made a big difference yesterday and today. If it continues I'll set the modem to echo all traffic to a logging port and have a look with wireshark.
I also got a bit paranoid over the weekend and rebuilt my openBSD box on the latest release from scratch and with an even longer password, just to be sure, lol.
Re: Is this a record - 36,000 login attemps on my router
26-07-2012 6:08 AM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Whilst doing that, even for a limited period, won't discourage any bots for obvious reasons, would it perhaps discourage others? As I don't know what the probing end may "see" in either case, and it's not something I've even tried or considered, I wouldn't know.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Plusnet Community
- :
- Forum
- :
- Help with my Plusnet services
- :
- Broadband
- :
- Re: Is this a record - 36,000 login attemps on my ...