While looking, by chance, into a problem with a printer connected to my router, I noticed that the router's log (/tmp/syslog.log) shows many SSH connection attempts:
Example:
Jun 27 01:02:22 dropbear[18082]: Child connection from 61.174.51.211:17406
Jun 27 01:02:25 dropbear[18082]: Login attempt for nonexistent user from 61.174.51.211:17406
Jun 27 01:02:25 dropbear[18082]: Login attempt for nonexistent user from 61.174.51.211:17406
Jun 27 01:02:26 dropbear[18082]: Login attempt for nonexistent user from 61.174.51.211:17406
Jun 27 01:02:27 dropbear[18082]: Login attempt for nonexistent user from 61.174.51.211:17406
Jun 27 01:02:28 dropbear[18082]: Login attempt for nonexistent user from 61.174.51.211:17406
Jun 27 01:02:28 dropbear[18082]: Login attempt for nonexistent user from 61.174.51.211:17406
Jun 27 01:02:28 dropbear[18083]: Child connection from 61.174.51.211:18127
Jun 27 01:02:29 dropbear[18082]: Login attempt for nonexistent user from 61.174.51.211:17406
Jun 27 01:02:30 dropbear[18082]: Login attempt for nonexistent user from 61.174.51.211:17406
Jun 27 01:02:30 dropbear[18082]: Login attempt for nonexistent user from 61.174.51.211:17406
Jun 27 01:02:31 dropbear[18082]: Login attempt for nonexistent user from 61.174.51.211:17406
Jun 27 01:02:32 dropbear[18082]: Login attempt for nonexistent user from 61.174.51.211:17406
Jun 27 01:02:32 dropbear[18082]: Exit before auth: Max auth tries reached - user 'is invalid' from 61.174.51.211:17406
From what I read on forums, I learned that this is a "brute force attack" coming from a server in China.
As a first solution, I enabled in the interface of the RT-N66U router: "Enable SSH Brute Force Protection" => Yes, which will slow them down (e.g. 1 attempt every 4 minutes from a given IP).
UPDATE: the attempts continued, so I completely disabled SSH for the WAN.
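
To see which sources are responsible and how fast they try, the Dropbear lines in the log excerpt above can be summarized per source IP. The following is an added example, not part of the original post: the function name, the threshold of 5 failures in 60 seconds and the sample lines (documentation-range addresses) are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# "Jun 27 01:02:22 dropbear[18082]: <message>", as in the excerpt above
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) dropbear\[\d+\]: (.*)$")
SRC_RE = re.compile(r"from (\d{1,3}(?:\.\d{1,3}){3}):\d+\s*$")
FAILED = ("Login attempt for nonexistent user", "Bad password attempt")

def summarize(lines, threshold=5, window=timedelta(seconds=60)):
    """Per source IP: connections, failed logins, lockouts, and a brute-force flag."""
    seen = defaultdict(lambda: {"connections": 0, "failures": [], "lockouts": 0})
    for line in lines:
        m = LINE_RE.match(line.strip())
        src = SRC_RE.search(m.group(2)) if m else None
        if not src:
            continue  # not a Dropbear line, or no source address in it
        stamp, msg = m.groups()
        # syslog has no year; a fixed leap year (assumption) is enough for time deltas
        when = datetime.strptime("2000 " + stamp, "%Y %b %d %H:%M:%S")
        entry = seen[src.group(1)]
        if msg.startswith("Child connection"):
            entry["connections"] += 1
        elif msg.startswith(FAILED):
            entry["failures"].append(when)
        elif "Max auth tries reached" in msg:
            entry["lockouts"] += 1
    report = {}
    for ip, e in seen.items():
        t = sorted(e["failures"])
        # flagged: any `threshold` consecutive failures fit inside `window`
        flagged = any(t[i + threshold - 1] - t[i] <= window
                      for i in range(len(t) - threshold + 1))
        report[ip] = {"connections": e["connections"], "failures": len(t),
                      "lockouts": e["lockouts"], "flagged": flagged}
    return report

# Constructed sample lines modelled on the excerpt (documentation-range addresses)
SAMPLE = [f"Jun 27 01:02:2{s} dropbear[100]: Login attempt for nonexistent user "
          f"from 203.0.113.7:17406" for s in range(5, 10)]
SAMPLE += [
    "Jun 27 01:02:22 dropbear[100]: Child connection from 203.0.113.7:17406",
    "Jun 27 01:02:30 dropbear[100]: Exit before auth: Max auth tries reached - "
    "user 'is invalid' from 203.0.113.7:17406",
    "Jun 27 09:15:00 dropbear[200]: Child connection from 198.51.100.20:40000",
    "Jun 27 09:15:04 dropbear[200]: Login attempt for nonexistent user from 198.51.100.20:40000",
]

if __name__ == "__main__":
    for ip, row in summarize(SAMPLE).items():
        print(ip, row)
```

To run it against the real log, copy /tmp/syslog.log off the router and pass `open(path)` to `summarize`; flagged addresses are the ones worth checking against the router's brute-force protection setting.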