Thread: A sort of attack...

  1. #1

    A sort of attack...

    Hi,

    I have the latest version of Oleg's firmware on my Asus WL500gP.
    I set connection limit to "2" and I cannot connect to my FTP because connection limit is reached.

    It seems that there is somebody connected, because I have the following lines in my sys logs...

    Is there anybody that knows how I can stop/block this "211.48.190.67" IP?
    Is there anything like a spam blocker besides the firewall...?

    Code:
    vsftpd[17532]: CONNECT: Client "211.48.190.67"
    Sep 23 22:43:41 vsftpd[17531]: [Administrator] FAIL LOGIN: Client "211.48.190.67"
    Sep 23 22:43:43 vsftpd[17531]: [Administrator] FAIL LOGIN: Client "211.48.190.67"
    Sep 23 22:43:45 vsftpd[17531]: [Administrator] FAIL LOGIN: Client "211.48.190.67"
    Sep 23 22:43:46 vsftpd[17534]: CONNECT: Client "211.48.190.67"
    Sep 23 22:43:47 vsftpd[17533]: [Administrator] FAIL LOGIN: Client "211.48.190.67"
    Sep 23 22:43:49 vsftpd[17533]: [Administrator] FAIL LOGIN: Client "211.48.190.67"
    Sep 23 22:43:50 vsftpd[17533]: [Administrator] FAIL LOGIN: Client "211.48.190.67"
    Sep 23 22:43:52 vsftpd[17536]: CONNECT: Client "211.48.190.67"
    Sep 23 22:43:53 vsftpd[17535]: [Administrator] FAIL LOGIN: Client "211.48.190.67"
    Sep 23 22:43:54 vsftpd[17535]: [Administrator] FAIL LOGIN: Client "211.48.190.67"
    ..........................
    .........................
    ..........................
    vsftpd[18443]: CONNECT: Client "211.48.190.67"
    Sep 23 23:03:40 vsftpd[18442]: [Administrator] FAIL LOGIN: Client "211.48.190.67"
    Sep 23 23:03:42 vsftpd[18442]: [Administrator] FAIL LOGIN: Client "211.48.190.67"
    Sep 23 23:03:44 vsftpd[18442]: [Administrator] FAIL LOGIN: Client "211.48.190.67"
    Sep 23 23:03:45 vsftpd[18445]: CONNECT: Client "211.48.190.67"
    Sep 23 23:03:46 vsftpd[18444]: [Administrator] FAIL LOGIN: Client "211.48.190.67"
    Sep 23 23:03:48 vsftpd[18444]: [Administrator] FAIL LOGIN: Client "211.48.190.67"
    Sep 23 23:03:49 vsftpd[18444]: [Administrator] FAIL LOGIN: Client "211.48.190.67"
    Sep 23 23:03:51 vsftpd[18447]: CONNECT: Client "211.48.190.67"
    Sep 23 23:03:52 vsftpd[18446]: [Administrator] FAIL LOGIN: Client "211.48.190.67"
    Sep 23 23:03:53 vsftpd[18446]: [Administrator] FAIL LOGIN: Client "211.48.190.67"
    Sep 23 23:03:55 vsftpd[18446]: [Administrator] FAIL LOGIN: Client "211.48.190.67"

  2. #2
    Hi,

    a couple of days ago The_29 suggested a solution which can be found here: http://www.wl500g.info/showthread.php?t=16105

  3. #3
    I'm encountering the same type of problem, but through dropbear:
    Code:
    Sep 24 11:06:04 dropbear[11737]: login attempt for nonexistent user from ::ffff:210.207.177.231:51565
    Sep 24 11:06:05 dropbear[11737]: exit before auth: Disconnect received
    Sep 24 11:06:08 dropbear[11744]: login attempt for nonexistent user from ::ffff:210.207.177.231:51718
    Sep 24 11:06:10 dropbear[11744]: exit before auth: Disconnect received
    Sep 24 11:06:13 dropbear[11745]: login attempt for nonexistent user from ::ffff:210.207.177.231:51877
    Sep 24 11:06:15 dropbear[11745]: exit before auth: Disconnect received
    Sep 24 11:06:18 dropbear[11746]: login attempt for nonexistent user from ::ffff:210.207.177.231:52035
    Sep 24 11:06:19 dropbear[11746]: exit before auth: Disconnect received
    Sep 24 11:06:23 dropbear[11747]: login attempt for nonexistent user from ::ffff:210.207.177.231:52194
    Sep 24 11:06:24 dropbear[11747]: exit before auth: Disconnect received
    Sep 24 11:06:28 dropbear[11748]: login attempt for nonexistent user from ::ffff:210.207.177.231:52354
    Sep 24 11:06:30 dropbear[11748]: exit before auth: Disconnect received
    Sep 24 11:06:34 dropbear[11749]: login attempt for nonexistent user from ::ffff:210.207.177.231:52513
    Sep 24 11:06:35 dropbear[11749]: exit before auth: Disconnect received
    Any help is appreciated.
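
Added example (not part of any post in this thread): a small shell/awk filter that counts failed logins per source address in the two log formats quoted above, so the worst offenders can be picked out before deciding what to block. The function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: failed-login counts per source IP from router syslog.

# Constructed sample in the two log formats quoted in the thread; the
# addresses are RFC 5737 documentation addresses, not the ones posted.
sample_log() {
cat <<'EOF'
Sep 23 22:43:40 vsftpd[17532]: CONNECT: Client "203.0.113.7"
Sep 23 22:43:41 vsftpd[17531]: [Administrator] FAIL LOGIN: Client "203.0.113.7"
Sep 23 22:43:43 vsftpd[17531]: [Administrator] FAIL LOGIN: Client "203.0.113.7"
Sep 23 22:43:45 vsftpd[17531]: [Administrator] FAIL LOGIN: Client "203.0.113.7"
Sep 23 22:43:47 vsftpd[17533]: [Administrator] FAIL LOGIN: Client "203.0.113.7"
Sep 23 22:50:02 vsftpd[17540]: [backup] FAIL LOGIN: Client "192.0.2.10"
Sep 24 11:06:04 dropbear[11737]: login attempt for nonexistent user from ::ffff:198.51.100.23:51565
Sep 24 11:06:05 dropbear[11737]: exit before auth: Disconnect received
Sep 24 11:06:08 dropbear[11744]: login attempt for nonexistent user from ::ffff:198.51.100.23:51718
Sep 24 11:06:13 dropbear[11745]: login attempt for nonexistent user from ::ffff:198.51.100.23:51877
EOF
}

# failed_by_ip [MIN]: read syslog on stdin and print "COUNT IP" for every
# source with at least MIN failed logins (default 3), highest count first.
failed_by_ip() {
    awk -v min="${1:-3}" '
    # vsftpd: the address is the quoted string after Client
    /vsftpd\[[0-9]+\]: .*FAIL LOGIN: Client "/ {
        ip = $0
        sub(/.*Client "/, "", ip); sub(/".*/, "", ip)
        hits[ip]++; next
    }
    # dropbear: "... from ADDR:PORT", ADDR often IPv4-mapped (::ffff:a.b.c.d)
    /dropbear\[[0-9]+\]: login attempt for nonexistent user from / {
        ip = $0
        sub(/.* from /, "", ip)    # keep ADDR:PORT
        sub(/:[0-9]+$/, "", ip)    # drop the source port
        sub(/^::ffff:/, "", ip)    # unwrap IPv4-mapped form
        hits[ip]++
    }
    END {
        for (ip in hits)
            if (hits[ip] >= min + 0) printf "%d %s\n", hits[ip], ip
    }' | sort -rn
}

# Demo on the constructed sample; on the router, feed it the real syslog.
sample_log | failed_by_ip 3
```

CONNECT and "exit before auth" lines are ignored on purpose, so only authentication failures are counted.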

  4. #4
    Kenny,

    the solution in post #2 should also work for you.

    Furthermore, you have port 22/23 open to the internet.
    If you don't really need it (PuTTY access from somewhere other than your house, i.e. the internet), close it.

  5. #5
    These problems can also be solved using the ipt_recent module of iptables.

  6. #6
    iprecent never worked for me...
    You can also try port forwarding on different ports.
    Most hackers are stupid and just scan for obvious ports, so if you change them to some random ports, it's not likely to be noticed.
    Every program does send its signature though, so with an advanced scanner you can see whether it's ftp or dropbear.

  7. #7
    Quote (originally posted by wpte):
    iprecent never worked for me...
    However, for me it works pretty well. At least for ssh.
    Here I described my experience (in Russian and in German):
    http://wl500g.info/showpost.php?p=69964&postcount=63
    http://wl500g.info/showpost.php?p=86141&postcount=7
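
Added example (not taken from the posts or the linked write-ups): one common way to use the ipt_recent match mentioned in posts #5 and #7 to rate-limit new connections to a service port. The function name, the `guardPORT` list name, the use of the INPUT chain and the interface name `vlan1` are assumptions; the function only prints the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example: print ipt_recent rate-limit rules for one TCP port.

# recent_limit_rules WAN_IF PORT SECONDS HITS
# Emits two rules: the first records every NEW connection per source IP,
# the second drops a source once it has made HITS new connections within
# SECONDS. Returns 1 on invalid arguments and prints nothing.
recent_limit_rules() {
    wan_if=$1 port=$2 seconds=$3 hits=$4

    # Interface name: conservative character set, so the printed rules
    # are safe to pipe into a shell.
    case $wan_if in ''|*[!A-Za-z0-9._-]*)
        echo "invalid interface name" >&2; return 1 ;;
    esac
    # Numeric arguments must be plain decimal integers.
    for n in "$port" "$seconds" "$hits"; do
        case $n in ''|*[!0-9]*)
            echo "port, seconds and hits must be numeric" >&2; return 1 ;;
        esac
    done
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
        echo "port out of range" >&2; return 1; }
    # The recent match keeps 20 timestamps per address by default
    # (ip_pkt_list_tot), so a larger hitcount is rejected by the kernel.
    [ "$hits" -ge 1 ] && [ "$hits" -le 20 ] || {
        echo "hits must be 1..20" >&2; return 1; }

    m="-i $wan_if -p tcp --dport $port -m state --state NEW -m recent --name guard$port"
    printf 'iptables -I INPUT 1 %s --set\n' "$m"
    printf 'iptables -I INPUT 2 %s --update --seconds %s --hitcount %s -j DROP\n' \
        "$m" "$seconds" "$hits"
}

# Demo: at most 3 new SSH connections per minute per source (4th is dropped).
recent_limit_rules vlan1 22 60 4
```

Established sessions are unaffected because only packets in state NEW are matched; a legitimate user who mistypes a password a few times is locked out for the same window.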

  8. #8
    Finally I used the "dropbear-s" solution; is it the most secure of all?

  9. #9
    Hi,

    I'm using another port for dropbear with the best results, no attacks on SSH from the internet:
    Code:
    dropbear -p 123
    Do not forget to change the port in PuTTY, or create forwarding and deny SSH from the web:
    Code:
    iptables -t nat -A PREROUTING -i $1 -p tcp --dport 123 -j DNAT --to-destination $4:22
    Last edited by gouryella; 12-10-2008 at 16:25.
    RT-N13u dd-wrt | Toshiba 2.5" 160GB | pxe boot server
