
From time to time, my router starts to scan ports on all the connected devices. I have an internal RPi server whose access to the internet I restricted from the router. I checked "/var/log/auth.log" on the RPi and many SSH attempts were made (192.168.1.254 is my router's IP):

Sep  8 08:58:54 homebridge sshd[3812]: Failed password for root from 192.168.1.254 port 49917 ssh2
Sep  8 08:58:54 homebridge sshd[3815]: Failed password for root from 192.168.1.254 port 49923 ssh2
Sep  8 08:58:54 homebridge sshd[3811]: Failed password for root from 192.168.1.254 port 49916 ssh2
Sep  8 08:58:55 homebridge sshd[3813]: Bad packet length 831689700. [preauth]
Sep  8 08:58:55 homebridge sshd[3813]: ssh_dispatch_run_fatal: Connection from authenticating user root 192.168.1.254 port 49919: message authentication code incorrect [preauth]
Sep  8 08:58:55 homebridge sshd[3814]: Bad packet length 4102269566. [preauth]
Sep  8 08:58:55 homebridge sshd[3814]: ssh_dispatch_run_fatal: Connection from authenticating user root 192.168.1.254 port 49920: message authentication code incorrect [preauth]
Sep  8 08:58:55 homebridge sshd[3815]: Bad packet length 724579712. [preauth]
Sep  8 08:58:55 homebridge sshd[3815]: ssh_dispatch_run_fatal: Connection from authenticating user root 192.168.1.254 port 49923: message authentication code incorrect [preauth]
Sep  8 08:58:55 homebridge sshd[3809]: Bad packet length 4156118696. [preauth]
Sep  8 08:58:55 homebridge sshd[3809]: ssh_dispatch_run_fatal: Connection from authenticating user root 192.168.1.254 port 49914: message authentication code incorrect [preauth]
Sep  8 08:58:55 homebridge sshd[3811]: Bad packet length 1343634757. [preauth]
Sep  8 08:58:55 homebridge sshd[3811]: ssh_dispatch_run_fatal: Connection from authenticating user root 192.168.1.254 port 49916: message authentication code incorrect [preauth]
Sep  8 08:58:55 homebridge sshd[3812]: Bad packet length 112696055. [preauth]
Sep  8 08:58:55 homebridge sshd[3812]: ssh_dispatch_run_fatal: Connection from authenticating user root 192.168.1.254 port 49917: message authentication code incorrect [preauth]
Sep  8 08:58:55 homebridge sshd[3810]: Bad packet length 1804220845. [preauth]
Sep  8 08:58:55 homebridge sshd[3810]: ssh_dispatch_run_fatal: Connection from authenticating 
.
.
.
Sep  8 08:58:59 homebridge sshd[3863]: pam_unix(sshd:auth): check pass; user unknown
Sep  8 08:58:59 homebridge sshd[3863]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.254
Sep  8 08:58:59 homebridge sshd[3848]: Failed password for invalid user user from 192.168.1.254 port 49945 ssh2
Sep  8 08:59:00 homebridge sshd[3854]: Bad packet length 425104342. [preauth]
Sep  8 08:59:00 homebridge sshd[3854]: ssh_dispatch_run_fatal: Connection from invalid user support 192.168.1.254 port 49951: message authentication code incorrect [preauth]
Sep  8 08:59:00 homebridge sshd[3855]: Bad packet length 1129344487. [preauth]
Sep  8 08:59:00 homebridge sshd[3855]: ssh_dispatch_run_fatal: Connection from invalid user support 192.168.1.254 port 49952: message authentication code incorrect [preauth]
Sep  8 08:59:00 homebridge sshd[3865]: Invalid user oracle from 192.168.1.254 port 49958
Sep  8 08:59:00 homebridge sshd[3865]: pam_unix(sshd:auth): check pass; user unknown
Sep  8 08:59:00 homebridge sshd[3865]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.254
Sep  8 08:59:00 homebridge sshd[3853]: Bad packet length 4277706447. [preauth]
Sep  8 08:59:00 homebridge sshd[3853]: ssh_dispatch_run_fatal: Connection from invalid user 888888 192.168.1.254 port 49949: message authentication code incorrect [preauth]
Sep  8 08:59:00 homebridge sshd[3840]: Bad packet length 3501965975. [preauth]
Sep  8 08:59:00 homebridge sshd[3840]: ssh_dispatch_run_fatal: Connection from invalid user Administrator 192.168.1.254 port 49941: message authentication code incorrect [preauth]
Sep  8 08:59:00 homebridge sshd[3868]: Invalid user default from 192.168.1.254 port 49960
Sep  8 08:59:00 homebridge sshd[3867]: Invalid user security from 192.168.1.254 port 49959
Sep  8 08:59:00 homebridge sshd[3851]: Bad packet length 307794145. [preauth]
Sep  8 08:59:00 homebridge sshd[3851]: ssh_dispatch_run_fatal: Connection from invalid user 666666 192.168.1.254 port 49947: message authentication code incorrect [preauth]
.
.
.
Sep  8 08:59:00 homebridge sshd[3851]: ssh_dispatch_run_fatal: Connection from invalid user 666666 192.168.1.254 port 49947: message authentication code incorrect [preauth]
Sep  8 08:59:00 homebridge sshd[3868]: pam_unix(sshd:auth): check pass; user unknown
Sep  8 08:59:00 homebridge sshd[3868]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.254
Sep  8 08:59:00 homebridge sshd[3867]: pam_unix(sshd:auth): check pass; user unknown
Sep  8 08:59:00 homebridge sshd[3867]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.254
Sep  8 08:59:00 homebridge sshd[3848]: Bad packet length 3380216880. [preauth]
Sep  8 08:59:00 homebridge sshd[3848]: ssh_dispatch_run_fatal: Connection from invalid user user 192.168.1.254 port 49945: message authentication code incorrect [preauth]
Sep  8 08:59:01 homebridge sshd[3876]: Invalid user info from 192.168.1.254 port 49965
Sep  8 08:59:01 homebridge sshd[3872]: Invalid user ftp from 192.168.1.254 port 49963
Sep  8 08:59:01 homebridge sshd[3873]: Invalid user info from 192.168.1.254 port 49964
Sep  8 08:59:01 homebridge sshd[3876]: pam_unix(sshd:auth): check pass; user unknown
Sep  8 08:59:01 homebridge sshd[3876]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.254
Sep  8 08:59:01 homebridge sshd[3872]: pam_unix(sshd:auth): check pass; user unknown
Sep  8 08:59:01 homebridge sshd[3872]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.254
Sep  8 08:59:01 homebridge sshd[3873]: pam_unix(sshd:auth): check pass; user unknown
Sep  8 08:59:01 homebridge sshd[3873]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.254
Sep  8 08:59:01 homebridge sshd[3878]: Invalid user public from 192.168.1.254 port 49966

These are just a small portion of the attempts. I talked to the internet provider and they said everything is fine. They didn't sound very convincing. Is this a protocol that a router has (it doesn't have a schedule; the router scans ports without any routine), or is my router or any of the other devices infected? The router is an "Arris BGW210".
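The auth.log excerpt above can be triaged mechanically rather than by eye. The script below is an added example, not part of the question or of any answer on this page: it parses a constructed subset of the quoted lines, attributes the address-less "Bad packet length" lines to the peer by correlating on the sshd pid with the "ssh_dispatch_run_fatal" line for the same connection, and reports per-source authentication failures, preauth protocol errors, distinct usernames tried and the time span of the burst. The function names, the burst threshold and the 60-second window are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a subset of the auth.log lines quoted in the question above.
SAMPLE_AUTH_LOG = """\
Sep  8 08:58:54 homebridge sshd[3812]: Failed password for root from 192.168.1.254 port 49917 ssh2
Sep  8 08:58:54 homebridge sshd[3815]: Failed password for root from 192.168.1.254 port 49923 ssh2
Sep  8 08:58:55 homebridge sshd[3813]: Bad packet length 831689700. [preauth]
Sep  8 08:58:55 homebridge sshd[3813]: ssh_dispatch_run_fatal: Connection from authenticating user root 192.168.1.254 port 49919: message authentication code incorrect [preauth]
Sep  8 08:58:55 homebridge sshd[3815]: Bad packet length 724579712. [preauth]
Sep  8 08:58:55 homebridge sshd[3815]: ssh_dispatch_run_fatal: Connection from authenticating user root 192.168.1.254 port 49923: message authentication code incorrect [preauth]
Sep  8 08:58:59 homebridge sshd[3848]: Failed password for invalid user user from 192.168.1.254 port 49945 ssh2
Sep  8 08:59:00 homebridge sshd[3865]: Invalid user oracle from 192.168.1.254 port 49958
Sep  8 08:59:00 homebridge sshd[3853]: Bad packet length 4277706447. [preauth]
Sep  8 08:59:00 homebridge sshd[3853]: ssh_dispatch_run_fatal: Connection from invalid user 888888 192.168.1.254 port 49949: message authentication code incorrect [preauth]
Sep  8 08:59:00 homebridge sshd[3865]: pam_unix(sshd:auth): check pass; user unknown
Sep  8 08:59:01 homebridge sshd[3872]: Invalid user ftp from 192.168.1.254 port 49963
"""

# Syslog prefix as written by rsyslog/journald on Debian-based systems (no year in the timestamp).
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")
INVALID_RE = re.compile(r"^Invalid user (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")
MACFAIL_RE = re.compile(r"Connection from (?:authenticating user|invalid user) (?P<user>\S+) (?P<src>\S+) port (?P<port>\d+): message authentication code incorrect")
BADLEN_RE = re.compile(r"^Bad packet length \d+\. \[preauth\]")


def parse_events(text):
    """Turn raw auth.log lines into event dicts; lines sshd did not emit, or that carry no signal, are skipped."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        # Syslog omits the year; strptime defaults to 1900, which is fine because only deltas are used.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        pid, msg = int(m["pid"]), m["msg"]
        for kind, rx in (("failed_password", FAILED_RE), ("invalid_user", INVALID_RE), ("mac_incorrect", MACFAIL_RE)):
            e = rx.search(msg)
            if e:
                events.append({"ts": ts, "pid": pid, "kind": kind, "user": e["user"], "src": e["src"], "port": int(e["port"])})
                break
        else:
            if BADLEN_RE.match(msg):
                # No peer address on this line; it is attributed later via the pid.
                events.append({"ts": ts, "pid": pid, "kind": "bad_packet_length", "user": None, "src": None, "port": None})
    return events


def summarize(events, window_seconds=60, threshold=10):
    """Aggregate events per source address and flag a burst of failures inside the window."""
    pid_to_src = {e["pid"]: e["src"] for e in events if e["src"]}
    per_src = defaultdict(lambda: {"failed_password": 0, "invalid_user": 0, "mac_incorrect": 0,
                                   "bad_packet_length": 0, "users": set(), "ports": set(),
                                   "first": None, "last": None})
    for e in events:
        src = e["src"] or pid_to_src.get(e["pid"])
        if src is None:
            continue  # protocol error from a pid that never logged a peer address
        s = per_src[src]
        s[e["kind"]] += 1
        if e["user"]:
            s["users"].add(e["user"])
        if e["port"]:
            s["ports"].add(e["port"])
        s["first"] = e["ts"] if s["first"] is None else min(s["first"], e["ts"])
        s["last"] = e["ts"] if s["last"] is None else max(s["last"], e["ts"])
    report = {}
    for src, s in per_src.items():
        auth_failures = s["failed_password"] + s["invalid_user"] + s["mac_incorrect"]
        span = (s["last"] - s["first"]).total_seconds()
        report[src] = {
            "auth_failures": auth_failures,
            "protocol_errors": s["bad_packet_length"],
            "distinct_users": len(s["users"]),
            "distinct_ports": len(s["ports"]),
            "span_seconds": span,
            "burst": auth_failures >= threshold and span <= window_seconds,
        }
    return report


def analyze(text, window_seconds=60, threshold=10):
    return summarize(parse_events(text), window_seconds, threshold)


if __name__ == "__main__":
    for src, s in analyze(SAMPLE_AUTH_LOG, threshold=5).items():
        print(src, s)
```

Run it against the real file with `analyze(open("/var/log/auth.log").read())` to see every source, not just the router; a source that is flagged `burst` with many distinct usernames and a pile of preauth protocol errors is the pattern to hand to the ISP or to feed into a blocker such as fail2ban.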

POD
    assuming there is some local admin interface where you can configure this device, you may wish to consider forcing a factory reset on it, then logging in as admin and 1) changing all of the passwords and disabling wifi, 2) limiting admin functions to local networks only, 3) updating the device itself if possible, 4) 'quarantine' it upstream and then move all your local/wifi network activity onto a separate downstream device that uses this device as its wan route - this discussion may be of relevance [... "Bad packet length" with sshd?](https://security.stackexchange.com/q/124767/228961) – brynk Sep 08 '21 at 23:02
  • Thank you, I'll try to improve the network security – POD Sep 09 '21 at 20:41
  • no worries: keep in mind the possibility that someone nearby has gained access to your router via wifi - you may wish to enforce wired ethernet access only (or mac filter) to the admin interface, if the device settings allow it – brynk Sep 09 '21 at 20:44

0 Answers