A Chinese computer is trying to SSH login to my home NAS server

For days, my OpenWRT NAS server has been giving me this in the syslogs:

  • Sep 2 04:33:26 OpenWrt authpriv.info dropbear[24602]: Child connection from 124.160.194.27:38947
  • Sep 2 04:33:31 OpenWrt authpriv.warn dropbear[24602]: Login attempt for nonexistent user from 124.160.194.27:38947
  • Sep 2 04:33:31 OpenWrt authpriv.info dropbear[24602]: Exit before auth: Disconnect received

What do I do? It's very annoying and IP locators indicate it appears to be a Chinese IP. I don't understand WHY this has been happening but it's annoying.

Do you need SSH connection from outside of your house? You could simply close the port if you do not need to.

I need the SSH. I'm planning on using the machine for more than just a NAS and having access over the internet would be helpful.

Set up an auto ban (normally you can change these settings in your /etc/ssh/sshd.config).

Just make it so 3 bad login attempts within 5 minutes will ban the IP for 24 hours.

Disable login for "root", "admin", "administrator" or anything like that.

2 Likes
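The ban policy suggested in the post above (3 failed logins within 5 minutes, 24-hour ban), applied to Dropbear syslog lines in the format shown in the first post. This is an added example, not part of the original thread: the sample log lines and addresses are constructed, the name `find_bans` is hypothetical, and the year is passed in as an assumption because syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILS = 3                    # failed attempts allowed ...
WINDOW = timedelta(minutes=5)    # ... inside this sliding window
BAN_TIME = timedelta(hours=24)   # how long an offending IP stays banned

# Matches Dropbear's failed-auth messages; "Child connection" and exit lines are ignored.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+\S+\s+dropbear\[\d+\]:\s+"
    r"(?:Login attempt for nonexistent user|Bad password attempt for '[^']*')"
    r"\s+from\s+(?P<ip>[0-9a-fA-F.:]+):\d+\s*$"
)

# Constructed sample input (documentation-range addresses, not real hosts).
SAMPLE = """\
Sep 2 04:33:26 OpenWrt authpriv.info dropbear[24602]: Child connection from 203.0.113.7:38947
Sep 2 04:33:31 OpenWrt authpriv.warn dropbear[24602]: Login attempt for nonexistent user from 203.0.113.7:38947
Sep 2 04:34:10 OpenWrt authpriv.warn dropbear[24610]: Bad password attempt for 'root' from 203.0.113.7:38990
Sep 2 04:36:02 OpenWrt authpriv.warn dropbear[24615]: Login attempt for nonexistent user from 203.0.113.7:39012
Sep 2 04:00:00 OpenWrt authpriv.warn dropbear[24001]: Bad password attempt for 'nas' from 198.51.100.9:50100
Sep 2 04:10:00 OpenWrt authpriv.warn dropbear[24002]: Bad password attempt for 'nas' from 198.51.100.9:50101
Sep 2 04:20:00 OpenWrt authpriv.warn dropbear[24003]: Bad password attempt for 'nas' from 198.51.100.9:50102
""".splitlines()

def find_bans(lines, year):
    """Return {ip: ban_expiry} for IPs with MAX_FAILS failures inside WINDOW."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    bans = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if ip in bans and ts < bans[ip]:
            continue             # already banned at this point in the log
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:
            q.popleft()          # drop failures that fell out of the window
        if len(q) >= MAX_FAILS:
            bans[ip] = ts + BAN_TIME
            q.clear()
    return bans

if __name__ == "__main__":
    for ip, until in find_bans(SAMPLE, 2013).items():
        print(f"ban {ip} until {until}")
```

The returned addresses and expiry times are what a firewall drop rule or a cron job would consume; the occasional mistyped password from 198.51.100.9 stays below the threshold.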

OpenWRT uses Dropbear for SSH and it doesn't have the ability to do that. I'm severely disappointed as this seemed like the dream solution.

I like the fact he's hitting non-existent user errors. He's probably trying root or admin and failing.

I would recommend using SSH keys instead of passwords and then let him bang away and waste a few weeks of his life for nothing. SSH keys are your best bet when it comes to security of your connections and it's actually easier to log in with.

1 Like

Agreed. I also agree with ztrain's solution because you might not have the key-file with you all the time.

I advise you change it to a different external port. That way on the outside there will appear to be no SSH available. 

Oh, I should also mention that this is not a targeted attack against you... it's a bot on a botnet in China that is just scanning random IPv4 addresses, and when it sees a default SSH port open, it starts trying to dictionary attack root / admin users.

Another pseudo solution would be to switch your SSH port.

1 Like

One method not mentioned here is blocking brute force attempts with iptables.

You can limit new connections on a port by time and count.

Thread was brought back after five years. OP has not posted since 2013. Thread is locked.