Is this a record - 36,000 login attempts on my router

LordFox
Grafter
Posts: 211
Thanks: 6
Registered: 10-03-2008

Is this a record - 36,000 login attempts on my router

I noticed over the last week an unusually high bandwidth use, when my PCs were unused and even switched off. Then I remembered that I had set up a syslog receiver some time ago...
There are over 36,000 failed (fortunately!) login attempts so far this year. The vast majority are from 84.x.x.x addresses (I'm on 84.92.x.x). Why is that?
First thought - wow!
Second thought - only another billion years or so before they brute force the password (assuming they are all in collusion)
Third thought - my bandwidth is being used (which I pay for, as we all do) and it's not even me!
Yesterday's main culprit is <snip>, with well over 100 login attempts to my router.

There's also some strange activity with someone in Beijing (159.226.95.143) apparently trying to use my router as their DNS, I think... Will PN mind me doing a very aggressive scan on them? (oops, too late, lol)
[Moderator's note by Jim (Oldjim)  IP address and Plusnet username removed for fairly obvious reasons but noted in the hidden forums for staff ]
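
The tally the opening post describes (failed logins per source, and how many come from the same address prefix as the router), as an added example that is not part of the original post. The log line format, the sample addresses (documentation ranges) and the function names are assumptions; the regular expression has to be adjusted to the router's actual syslog output.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample; the line format is an assumption, not the poster's router output.
SAMPLE_LOG = """\
Jul 22 12:37:40 router login[212]: telnet login failed for user admin from 198.51.100.23
Jul 22 12:37:41 router login[212]: telnet login failed for user root from 198.51.100.23
Jul 22 12:37:42 router login[212]: telnet login failed for user admin from 198.51.100.23
Jul 22 13:02:10 router login[212]: telnet login failed for user admin from 198.51.100.200
Jul 22 14:15:09 router login[212]: telnet login failed for user guest from 203.0.113.9
Jul 22 14:20:00 router login[212]: telnet login succeeded for user admin from 192.0.2.50
Jul 22 15:00:01 router kernel: dropped packet from 203.0.113.9
"""

# Only failed logins count; successes and firewall drops are ignored.
FAILED = re.compile(r"login failed for user \S+ from (\d{1,3}(?:\.\d{1,3}){3})\s*$")

def failed_sources(log_text):
    """Return a Counter of failed-login attempts keyed by source address."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED.search(line)
        if not match:
            continue
        try:
            counts[ipaddress.ip_address(match.group(1))] += 1
        except ValueError:  # e.g. 999.1.1.1 in a corrupted line
            continue
    return counts

def share_from_own_prefix(counts, own_ip, prefix_len=8):
    """Return (attempts from inside own_ip's prefix, total attempts)."""
    net = ipaddress.ip_network(f"{own_ip}/{prefix_len}", strict=False)
    inside = sum(n for ip, n in counts.items() if ip in net)
    return inside, sum(counts.values())

def repeat_offenders(counts, threshold):
    """Sources with at least `threshold` failures, busiest first."""
    hits = [(str(ip), n) for ip, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda item: -item[1])

if __name__ == "__main__":
    counts = failed_sources(SAMPLE_LOG)
    print(share_from_own_prefix(counts, "198.51.100.7"))
    print(repeat_offenders(counts, 3))
```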
11 REPLIES
Community Veteran
Posts: 4,854
Thanks: 121
Fixes: 24
Registered: 14-07-2009

Re: Is this a record - 36,000 login attempts on my router

Quote
[Moderator's note by Jim (Oldjim)  IP address and Plusnet username removed for fairly obvious reasons but noted in the hidden forums for staff ]

There are hidden forums for staff?!? Who knew?
Community Veteran
Posts: 38,460
Thanks: 1,027
Fixes: 62
Registered: 15-06-2007

Re: Is this a record - 36,000 login attempts on my router

The main difference is that those forums, as well as being limited access, aren't searchable by Google and others
prichardson
Grafter
Posts: 1,503
Registered: 05-04-2007

Re: Is this a record - 36,000 login attempts on my router

I've flagged this for myself to do a little digging.
I've never encountered such a large number of reports of such activity, which suggests it may well have some form of pattern to it.
Do you have the last time the offending and removed IP last tried to access, so I can dig into the connection logs at that time?
LordFox
Grafter
Posts: 211
Thanks: 6
Registered: 10-03-2008

Re: Is this a record - 36,000 login attempts on my router

@Phil,
I'll send you a PM with a link to my syslog file in case you want to have a look.
The offending IP appears much earlier in the log than I had realised - back to March!
The last entry that I can see from it is on Sun Jul 22 12:37:42; the end of a flood of telnet attempts from it.
Cheers!
prichardson
Grafter
Posts: 1,503
Registered: 05-04-2007

Re: Is this a record - 36,000 login attempts on my router

There is no initial logical reason for this to occur.
Whilst part of the IP prefix matches, the majority does not.
I can see you have raised a ticket, which should be passed through to our networks team to handle as an abuse report.
I have passed this on to them now.
LordFox
Grafter
Posts: 211
Thanks: 6
Registered: 10-03-2008

Re: Is this a record - 36,000 login attempts on my router

Thanks.
I'm watching a stream of probes for ports 445 and 138 coming into my IP block now, lol. From different IPs though, than that one on PN's network.
Community Veteran
Posts: 19,101
Thanks: 443
Fixes: 21
Registered: 31-08-2007

Re: Is this a record - 36,000 login attempts on my router

Have you had a look at the Broadband Firewall? The low setting will block those ports and would be ok if you don't need to use the others?
You may also want to look at the Safe Surf option if you aren't aware of it.
Login required for both of those.
Community Veteran
Posts: 3,188
Thanks: 20
Fixes: 2
Registered: 31-07-2007

Re: Is this a record - 36,000 login attempts on my router

http://community.plus.net/forum/index.php?topic=6234.0 from 2004 same IP range then that was scanning, maybe both LordFox/abellingham had/have the same IP and the bot is looking for a known weak router
Unvalued customer since 2001 funding cheap internet for others / DSL/Fibre house move 24 month regrade from 8th May 2017
Community Veteran
Posts: 19,101
Thanks: 443
Fixes: 21
Registered: 31-08-2007

Re: Is this a record - 36,000 login attempts on my router

Or previous P2P usage?
LordFox
Grafter
Posts: 211
Thanks: 6
Registered: 10-03-2008

Re: Is this a record - 36,000 login attempts on my router

Thanks for the information.
I use an OpenBSD box with PF configured as a firewall/router for my IP block. That's after the modem/router which is configured as a bridge and also has a firewall configured to reject Windows' silly ports.
I do open up some service ports at times, so using an external firewall isn't an option. I have gone so far as to set up port-knocking before now to secure my own access when out working.
The issue I had with a certain IP address was the repeated attempts (100s) to log in to my modem/router; it is a Plusnet-owned address, hence my report. It's a small fraction of the 36,000+ login attempts since the start of this year though. The modem drops the majority of probes (like for file sharing ports) and the OpenBSD box handles the rest, so I'm as safe as it gets really, short of an airwall setup. It just surprised me how many login attempts there were.
The very heavy 'quiescent' use of my allowance is still a puzzle, but I've changed my default outgoing address and that has made a big difference yesterday and today. If it continues I'll set the modem to echo all traffic to a logging port and have a look with Wireshark.
I also got a bit paranoid over the weekend and rebuilt my OpenBSD box on the latest release from scratch and with an even longer password, just to be sure, lol.

Community Veteran
Posts: 19,101
Thanks: 443
Fixes: 21
Registered: 31-08-2007

Re: Is this a record - 36,000 login attempts on my router

I suppose it may depend on how often you want/need to open those specific ports and how much of your bandwidth these attempts consume. How inconvenient it may or may not be to turn on and off the external firewall/safe surf and drop and restart the PPP session on the particular IP address for the changes to become effective.
Whilst doing that, even for a limited period, won't discourage any bots for obvious reasons, would it perhaps discourage others? As I don't know what the probing end may "see" in either case, and it's not something I've even tried or considered, I wouldn't know.