Return to

A Chinese computer is trying to SSH login to my home NAS server


For days, my OpenWRT NAS server has been giving me this in the syslogs:

  • Sep 2 04:33:26 OpenWrt dropbear[24602]: Child connection from
  • Sep 2 04:33:31 OpenWrt authpriv.warn dropbear[24602]: Login attempt for nonexistent user from
  • Sep 2 04:33:31 OpenWrt dropbear[24602]: Exit before auth: Disconnect received

What do I do? It's very annoying and IP locators indicate it appears to be a Chinese IP. I don't understand WHY this has been happening but it's annoying.



Do you need SSH connection from outside of your house? You could simply close the port if you do not need to.



I need the SSH. I'm planning on using the machine for more than just a NAS and having access over the internet would be helpful.



set up an auto ban (normally you can change these settings in your /etc/ssh/sshd.config)

just make it so 3 bad login attempts within 5 minutes will ban the ip for 24 hours.


disable login for "root" "admin" "administrator" or anything like that.



OpenWRT uses Dropbear for SSH and it doesn't have the ability to do that. I'm severely disappointed as this seemed like the dream solution.



I like the fact he's hitting non-existent user errors. He's probably trying root or admin and failing.

I would recommend using SSH key's instead of passwords and then let him bang away and waste a few weeks of his life for nothing. SSH keys are your best best when it comes to security of your connections and it's actually easier to log in with.

1 Like


Agreed. I also agree with ztrain's solution because you might not have the key-file with you all the time.



I advise you change it to a different external port. That way on the outside there will appear to be no SSH available. 



oh, i should also mention that this is not a targeted attack against you... its a bot on a botnet in china that is just scanning random ipv4 addresses, and when it sees a defult ssh port open, it starts trying to dictionary attack root / admin users.


another psudo solution would be to switch your ssh port.

1 Like


One method not mentioned here is blocking brute force attempts with iptables

You can limit new connection on port by time and count


closed #11

Thread was brought back after five years. Op has not posted since 2013. Thread is locked.