dropbear bad password attempt for 'root' from <IP>

An area specifically for port forwarding, firewalls and other (on-line) security related issues.
pkguy
Novice
Posts: 15
Joined: Sun May 09, 2010 8:47 pm

Post by pkguy » Mon May 17, 2010 10:24 pm

I saw these entries in the log

dropbear[1018]: bad password attempt for 'root' from 59.39.66.30:62783

Yesterday, there was a similar error telling about a failed attempt for a "non existing user".

What is this access attempt about? Is someone trying to access the modem configuration, or is he trying to connect to the router using SSH to sniff packets and steal my passwords?

Anyway, what do you suggest? I want to block all kinds of router access from the WAN. (I'm not tech savvy, so please let me know if this does not make sense.)
thechief
RouterTech Team
Posts: 12067
Joined: Wed Feb 01, 2006 10:22 pm
Location: England, the Centre of Africa

Post by thechief » Tue May 18, 2010 7:56 am

Perhaps you might care to tell us what router and firmware you are using?
The Chief: :afro: Be sure to read the Firmware FAQ and do a Forum Search before posting!
No support via PM. Ask all questions on the open forum.

Post by pkguy » Tue May 18, 2010 2:06 pm

RouterTech latest release.
Let me drop a link to my firmware flashing thread.
viewtopic.php?f=3&t=3381&p=44713

(Sorry for missing this important piece of detail in my opening message. I appreciate your patience.)

Regards,

Post by thechief » Tue May 18, 2010 2:19 pm

Well, the firmware comes with all WAN access blocked by default. Resetting to defaults will restore all those settings.

It is possible that someone is trying to hack in from the WAN - but another possible scenario is that your wireless security has been compromised, and so the attempts are coming from inside your LAN.

My suggestions are:
1. Reset to defaults, and reconfigure your router afterwards
2. Change your wireless security to WPA2, and change the encryption key.

If, after these steps, you are still getting those things in your log, then we can start to consider other things.

Post by pkguy » Tue May 18, 2010 7:20 pm

Hi

Thanks for the response.

I have reset to default and reconfigured my internet connection.
I've put wireless to off and removed my computer from any sort of network.
I hope it will do the needful.

Thank you so much.

Post by thechief » Tue May 18, 2010 10:59 pm

I don't think you need to disable wireless (unless you don't need it) or remove your PC from the network. You just need to ensure that WAN access remains disabled, that you set a strong password for logging on to the router, and you use WPA/WPA2 encryption with a strong key.
geekgirl
Regular
Posts: 72
Joined: Sat Feb 27, 2010 3:23 pm
Location: Egypt

Post by geekgirl » Fri Apr 08, 2011 12:21 am

thechief wrote: Well, the firmware comes with all WAN access blocked by default. Resetting to defaults will restore all those settings.
I just noticed the same problem, latest firmware as of date (2.95), which was reset to defaults before and after the update. From looking at iptables rules, it doesn't seem like anything on INPUT is dropped, except for ICMP.
I suspect the rules for ppp0 (like the INPUT chain rule to drop ALL on the ppp0 interface) never got created because of connection problems after the router was restarted at some point (possibly due to power loss), which took some time before it actually got connected and created. Why the rules didn't apply when PPPoE finally connected (on its own) is beyond me.
Jan 3 01:54:18 cfgmgr(sar): Could not get oam_ping_interval from boot loader env
Jan 3 01:54:18 cfgmgr(sar): Trying to retreive the value from Configuration
Jan 3 01:54:18 cfgmgr(sar): oamPingInterval(20)(20)
Jan 3 01:54:18 cfgmgr(ap): AP is disabled
Jan 3 01:54:18 cfgmgr(pppoe-107): Valid Configuration Tree
Jan 3 01:54:19 cfgmgr(resolver): stat successfull for /etc/resolv.conf.
Jan 3 01:54:19 cfgmgr(resolver): Resolver Polling Timer Started succesfully.
Jan 3 01:54:19 cfgmgr(sntp): NTP Polling Timer for DHCP Started succesfully.
Jan 3 01:54:19 cfgmgr(sar): DSL Polling Timer Started succesfully.
Jan 3 01:54:19 cfgmgr(fdb): Firewall NAT service started
Jan 3 01:54:19 cfgmgr(pppoe-107): del_iptable_rules : ppp_name not intact
Jan 3 01:54:19 root: USB is disabled
Jan 3 01:54:19 cfgmgr(lanbridge0): Bridge Created: br0
Jan 3 01:54:21 cfgmgr(lanbridge1): Bridge Created: br1
Jan 3 01:54:22 cfgmgr(lanbridge2): Bridge Created: br2
Jan 3 01:54:24 cfgmgr(lanbridge3): Bridge Created: br3
Jan 3 01:54:25 cfgmgr(lanbridge0): Bridge Interface Added: eth0
Jan 3 01:54:29 cfgmgr(sar): DSL Carrier is training
Jan 3 01:54:29 cfgmgr(pppoe-107): del_iptable_rules : ppp_name not intact
Jan 3 01:54:39 cfgmgr(sar): DSL Carrier is down
Jan 3 01:54:39 cfgmgr(pppoe-107): del_iptable_rules : ppp_name not intact
Jan 3 01:54:59 cfgmgr(sar): DSL Carrier is up
Jan 3 01:54:59 cfgmgr(sar): auto_vcc_default oamPing(0.35)result(2)
Jan 3 01:54:59 cfgmgr(sar): auto_vcc_default oamPing(0.32)result(2)
Jan 3 01:54:59 cfgmgr(sar): auto_vcc_default oamPing(0.40)result(2)
Jan 3 01:54:59 cfgmgr(sar): auto_vcc_default oamPing(0.36)result(2)
Jan 3 01:55:00 cfgmgr(sar): auto_vcc_default oamPing(0.38)result(2)
Jan 3 01:55:00 cfgmgr(sar): auto_vcc_default oamPing(0.96)result(2)
Jan 3 01:55:00 cfgmgr(sar): auto_vcc_search oamPing(0.35)result(2)
Jan 3 01:55:00 cfgmgr(sar): auto_vcc_search oamPing(8.35)result(2)
Jan 3 01:55:00 cfgmgr(sar): auto_vcc_search oamPing(0.43)result(2)
Jan 3 01:55:00 cfgmgr(sar): auto_vcc_search oamPing(0.51)result(2)
Jan 3 01:55:00 cfgmgr(sar): auto_vcc_search oamPing(0.59)result(2)
Jan 3 01:55:00 cfgmgr(sar): auto_vcc_search oamPing(8.43)result(2)
Jan 3 01:55:00 cfgmgr(sar): auto_vcc_search oamPing(8.51)result(2)
Jan 3 01:55:00 cfgmgr(sar): auto_vcc_search oamPing(8.59)result(2)
Jan 3 01:55:02 pppd[832]: pppd 2.4.4 started by root, uid 0
Jan 3 01:55:02 cfgmgr(pppoe-107): New PPP_ID: 0x3b39
Jan 3 01:55:02 cfgmgr(pppoe-107): Received pppoe server mac: 0x00-90-1a-xx-xx-xx
Jan 3 01:55:02 pppd[832]: Got connection: 3b39
Jan 3 01:55:02 pppd[832]: Saved Session ID: 0
Jan 3 01:55:02 pppd[832]: AC MAC address: 00-90-1a-xx-xx-xx
Jan 3 01:55:02 pppd[832]: Connect: ppp0 {--} nas0
Jan 3 01:55:03 pppd[832]: PAP authentication failed
Jan 3 01:55:03 pppd[832]: Modem hangup
Jan 3 01:55:03 pppd[832]: Connection terminated.
Jan 3 01:55:03 pppd[832]: Doing disconnect
Jan 3 01:55:03 cfgmgr(pppoe-107): PPPoE Exit Status = 16
Jan 3 01:55:03 cfgmgr(pppoe-107): PPPoE Send a Interface Delete Event Below
Jan 3 01:55:03 cfgmgr(pppoe-107): Terminated: Modem Hang-Up
Jan 3 01:55:03 cfgmgr(pppoe-107): Reverting Back PPPoE Session ID: 0x0
Jan 3 01:55:03 cfgmgr(pppoe-107): 15,16 exit report handling - sid set to 0 .
Jan 3 01:55:03 pppd[870]: pppd 2.4.4 started by root, uid 0
Jan 3 01:55:05 pppd[870]: Got connection: 6539
Jan 3 01:55:06 cfgmgr(pppoe-107): New PPP_ID: 0x6539
Jan 3 01:55:06 cfgmgr(pppoe-107): Received pppoe server mac: 0x00-90-1a-xx-xx-xx
Jan 3 01:55:06 pppd[870]: Saved Session ID: 0
Jan 3 01:55:06 pppd[870]: AC MAC address: 00-90-1a-xx-xx-xx
Jan 3 01:55:06 pppd[870]: Connect: ppp0 {--} nas0
Jan 3 01:55:06 pppd[870]: PAP authentication failed
Jan 3 01:55:06 cfgmgr(pppoe-107): PPPoE Exit Status = 16
Jan 3 01:55:06 cfgmgr(pppoe-107): PPPoE Send a Interface Delete Event Below
Jan 3 01:55:06 cfgmgr(pppoe-107): Terminated: Modem Hang-Up
Jan 3 01:55:06 cfgmgr(pppoe-107): Reverting Back PPPoE Session ID: 0x0
Jan 3 01:55:06 cfgmgr(pppoe-107): 15,16 exit report handling - sid set to 0 .
Jan 3 01:55:06 pppd[870]: Modem hangup
Jan 3 01:55:06 pppd[870]: Connection terminated.
Jan 3 01:55:06 pppd[870]: Doing disconnect
Jan 3 01:55:06 pppd[896]: pppd 2.4.4 started by root, uid 0
Jan 3 01:55:09 pppd[896]: Got connection: 9339
Jan 3 01:55:09 cfgmgr(pppoe-107): New PPP_ID: 0x9339
Jan 3 01:55:09 cfgmgr(pppoe-107): Received pppoe server mac: 0x00-90-1a-xx-xx-xx
Jan 3 01:55:09 pppd[896]: Saved Session ID: 0
Jan 3 01:55:09 pppd[896]: AC MAC address: 00-90-1a-xx-xx-xx
Jan 3 01:55:09 pppd[896]: Connect: ppp0 {--} nas0
Jan 3 01:55:09 pppd[896]: PAP authentication failed
Jan 3 01:55:09 cfgmgr(pppoe-107): PPPoE Exit Status = 19
Jan 3 01:55:09 cfgmgr(pppoe-107): PPPoE Send a Interface Delete Event Below
Jan 3 01:55:09 cfgmgr(pppoe-107): Authenication Failure with Peer
Jan 3 01:55:09 cfgmgr(pppoe-107): Connection Attempt Backoff (PPPoE) for 300 seconds.
Jan 3 01:55:09 pppd[896]: Connection terminated.
Jan 3 01:55:09 pppd[896]: Doing disconnect
Jan 3 02:00:10 pppd[921]: pppd 2.4.4 started by root, uid 0
Jan 3 02:00:10 cfgmgr(pppoe-107): New PPP_ID: 0xe60d
Jan 3 02:00:10 cfgmgr(pppoe-107): Received pppoe server mac: 0x00-90-1a-xx-xx-xx
Jan 3 02:00:10 pppd[921]: Got connection: e60d
Jan 3 02:00:10 pppd[921]: Saved Session ID: 0
Jan 3 02:00:10 pppd[921]: AC MAC address: 00-90-1a-xx-xx-xx
Jan 3 02:00:10 pppd[921]: Connect: ppp0 {--} nas0
Jan 3 02:00:11 pppd[921]: PAP authentication succeeded
Jan 3 02:00:11 cfgmgr(pppoe-107): PPPoE Connect with IP Address 41.xxx.xxx.172
Jan 3 02:00:11 cfgmgr(pppoe-107): PPPoE Connection Successfully Established
Jan 3 02:00:11 cfgmgr(pppoe-107): Renew PPPoE Session ID: 0xe60d
Jan 3 02:00:11 cfgmgr(pppoe-107): sys_send_event - pppoe up
Jan 3 02:00:11 cfgmgr(pppoe-107): PPPoE Connect with Gateway IP Address: 10.xxx.xxx.xxx
Jan 3 02:00:11 pppd[921]: local IP address 41.xxx.xxx.172
Jan 3 02:00:11 pppd[921]: remote IP address 10.xxx.xxx.xxx
Apr 7 13:13:06 root: onconnectWAN: cron has been disabled in the bootloader environment.
Apr 7 14:22:48 cfgmgr(sar): DSL Carrier is down
Apr 7 14:23:08 cfgmgr(sar): DSL Carrier is up
Apr 7 14:23:08 cfgmgr(sar): auto_vcc_default oamPing(0.35)result(2)
Apr 7 14:23:08 cfgmgr(sar): auto_vcc_default oamPing(0.32)result(2)
Apr 7 14:23:08 cfgmgr(sar): auto_vcc_default oamPing(0.40)result(2)
Apr 7 14:23:08 cfgmgr(sar): auto_vcc_default oamPing(0.36)result(2)
Apr 7 14:23:09 cfgmgr(sar): auto_vcc_default oamPing(0.38)result(2)
Apr 7 14:23:09 cfgmgr(sar): auto_vcc_default oamPing(0.96)result(2)
Apr 7 14:23:09 cfgmgr(sar): auto_vcc_search oamPing(0.35)result(2)
Apr 7 14:23:09 cfgmgr(sar): auto_vcc_search oamPing(8.35)result(2)
Apr 7 14:23:09 cfgmgr(sar): auto_vcc_search oamPing(0.43)result(2)
Apr 7 14:23:09 cfgmgr(sar): auto_vcc_search oamPing(0.51)result(2)
Apr 7 14:23:09 cfgmgr(sar): auto_vcc_search oamPing(0.59)result(2)
Apr 7 14:23:09 cfgmgr(sar): auto_vcc_search oamPing(8.43)result(2)
Apr 7 14:23:09 cfgmgr(sar): auto_vcc_search oamPing(8.51)result(2)
Apr 7 14:23:09 cfgmgr(sar): auto_vcc_search oamPing(8.59)result(2)
Apr 7 14:23:09 cfgmgr(pppoe-107): PPPD was Properly Stopped. Current State=7
Apr 7 14:23:09 cfgmgr(pppoe-107): PPPD Restart Filter = 0
Apr 7 14:23:09 cfgmgr(pppoe-107): sys_send_event - pppoe down
Apr 7 14:23:17 pppd[1204]: pppd 2.4.4 started by root, uid 0
Apr 7 14:23:17 pppd[1204]: Sending PADT for e60d before starting new discovery
Apr 7 14:23:17 pppd[1204]: Server MAC is: 00-90-1a-xx-xx-xx
Apr 7 14:23:17 pppd[1204]: Got connection: 1720
Apr 7 14:23:18 cfgmgr(pppoe-107): Saving PPPoE Session ID: 0x1720
Apr 7 14:23:18 cfgmgr(pppoe-107): Received pppoe server mac: 0x00-90-1a-xx-xx-xx
Apr 7 14:23:18 pppd[1204]: Saved Session ID: 0
Apr 7 14:23:18 pppd[1204]: AC MAC address: 00-90-1a-xx-xx-xx
Apr 7 14:23:18 pppd[1204]: Connect: ppp0 {--} nas0
Apr 7 14:23:18 pppd[1204]: PAP authentication succeeded
Apr 7 14:23:18 cfgmgr(pppoe-107): PPPoE Connect with IP Address 41.xxx.xxx.171
Apr 7 14:23:18 cfgmgr(pppoe-107): PPPoE Connection Successfully Established
Apr 7 14:23:19 cfgmgr(pppoe-107): sys_send_event - pppoe up
Apr 7 14:23:19 cfgmgr(pppoe-107): PPPoE Connect with Gateway IP Address: 10.xxx.xxx.xxx
Apr 7 14:23:19 pppd[1204]: local IP address 41.xxx.xxx.171
Apr 7 14:23:19 pppd[1204]: remote IP address 10.xxx.xxx.xxx
Apr 7 14:23:39 root: onconnectWAN: cron has been disabled in the bootloader environment.
Apr 7 17:12:23 login[1516]: invalid password for 'UNKNOWN' on 'pts/9'
Apr 7 17:12:54 login[1524]: invalid password for 'UNKNOWN' on 'pts/8'
Apr 7 21:50:22 dropbear[1587]: bad password attempt for 'root' from 122.57.56.68:4576
Apr 7 21:50:27 dropbear[1587]: bad password attempt for 'root' from 122.57.56.68:4576
Apr 7 21:50:33 dropbear[1587]: bad password attempt for 'root' from 122.57.56.68:4576
Apr 7 21:50:45 dropbear[1588]: bad password attempt for 'root' from 122.57.56.68:2093
Apr 7 21:50:50 dropbear[1588]: bad password attempt for 'root' from 122.57.56.68:2093
Apr 7 21:50:55 dropbear[1588]: bad password attempt for 'root' from 122.57.56.68:2093
Apr 7 21:51:07 dropbear[1589]: bad password attempt for 'root' from 122.57.56.68:2168
Apr 7 21:51:12 dropbear[1589]: bad password attempt for 'root' from 122.57.56.68:2168
Apr 7 21:51:18 dropbear[1589]: bad password attempt for 'root' from 122.57.56.68:2168

Code:

/var # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
CFG        tcp  --  192.168.1.77         anywhere           tcp dpt:www Records Packet's Source Interface

CFG        tcp  --  192.168.1.77         anywhere           tcp dpt:443 Records Packet's Source Interface

ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere           icmp fragmentation-needed
DROP       icmp -f  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ipaccount  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ipaccount  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere           icmp fragmentation-needed
TCPMSS     tcp  --  anywhere             anywhere           tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere           icmp fragmentation-needed
DROP       icmp --  anywhere             anywhere           icmp destination-unreachable
DROP       icmp --  anywhere             anywhere           state INVALID

Chain ipaccount (2 references)
target     prot opt source               destination
           all  --  anywhere             anywhere           account: network/netmask: 192.168.1.0/255.255.255.0 name: mynetwork short-listing
/var #
/var # netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1050            0.0.0.0:*               LISTEN
tcp        0    549 192.168.1.1:23          192.168.1.77:1272       ESTABLISHED
udp        0      0 0.0.0.0:53              0.0.0.0:*
udp        0      0 0.0.0.0:67              0.0.0.0:*
udp        0      0 0.0.0.0:69              0.0.0.0:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  5      [ ]         DGRAM                       698 /dev/log
unix  2      [ ]         DGRAM                       628 /var/tmp/cm_miniHttpd.ctl
unix  2      [ ]         DGRAM                       638 /var/tmp/cm_pc.ctl
unix  2      [ ]         DGRAM                       655 /var/tmp/cm_logic.ctl
unix  2      [ ]         DGRAM                      4533
unix  2      [ ]         DGRAM                      1739
unix  2      [ ]         DGRAM                      1152
unix  2      [ ]         STREAM                      624
unix  2      [ ]         DGRAM                       623
unix  2      [ ]         DGRAM                        26
/var #
By the way, what's this?
"invalid password for 'UNKNOWN' on 'pts/*'"

I searched the forum to try and determine what that is or where it comes from, but to no avail.
Last edited by geekgirl on Fri Apr 08, 2011 12:31 am, edited 1 time in total.

Post by geekgirl » Fri Apr 08, 2011 12:28 am

As expected: After doing a "disconnect" followed by a "connect" (from Setup -> connection-name under "WAN setup"), PPPoE is properly recycled, and the iptables "DROP all" INPUT rule is automagically created.
Apr 8 00:21:48 cfgmgr(pppoe-107): PPPoE Apply Transaction
Apr 8 00:21:48 cfgmgr(pppoe-107): PPPoE Current State = 6
Apr 8 00:21:48 cfgmgr(pppoe-107): PPPoE Apple Code = 3
Apr 8 00:21:48 cfgmgr(pppoe-107): PPPoE ReStart Flag = 0
Apr 8 00:21:48 cfgmgr(pppoe-107): PPPoE Relaunch = 0
Apr 8 00:21:48 cfgmgr(pppoe-107): PPPoE process is being stopped. Current State = 6
Apr 8 00:21:48 cfgmgr(pppoe-107): Waiting for PPP to die
Apr 8 00:21:49 cfgmgr(pppoe-107): sys_send_event - pppoe down
Apr 8 00:21:49 cfgmgr(pppoe-107): PPPoE AFTER Apply Transaction
Apr 8 00:21:49 cfgmgr(pppoe-107): PPPoE Current State = 9
Apr 8 00:21:49 cfgmgr(pppoe-107): PPPoE Apple Code = 0
Apr 8 00:21:49 cfgmgr(pppoe-107): PPPoE ReStart Flag = 1
Apr 8 00:21:49 cfgmgr(pppoe-107): PPPoE Relaunch = 0
Apr 8 00:21:49 cfgmgr(pppoe-107): RE-PPPoE Timer Apply...
Apr 8 00:21:49 cfgmgr(pppoe-107): PPPoE Exit Status = 5
Apr 8 00:21:49 cfgmgr(pppoe-107): del_iptable_rules : ppp_name not intact
Apr 8 00:21:49 cfgmgr(pppoe-107): PPPoE Exited. Relaunch = 0
Apr 8 00:21:49 pppd[1204]: Connection terminated.
Apr 8 00:21:49 pppd[1204]: Doing disconnect
Apr 8 00:22:10 cfgmgr(pppoe-107): PPPoE Apply Transaction
Apr 8 00:22:10 cfgmgr(pppoe-107): PPPoE Current State = 9
Apr 8 00:22:10 cfgmgr(pppoe-107): PPPoE Apple Code = 2
Apr 8 00:22:10 cfgmgr(pppoe-107): PPPoE ReStart Flag = 0
Apr 8 00:22:10 cfgmgr(pppoe-107): PPPoE Relaunch = 0
Apr 8 00:22:10 cfgmgr(pppoe-107): PPPoE AFTER Apply Transaction
Apr 8 00:22:10 cfgmgr(pppoe-107): PPPoE Current State = 3
Apr 8 00:22:10 cfgmgr(pppoe-107): PPPoE Apple Code = 0
Apr 8 00:22:10 cfgmgr(pppoe-107): PPPoE ReStart Flag = 0
Apr 8 00:22:10 cfgmgr(pppoe-107): PPPoE Relaunch = 0
Apr 8 00:22:10 cfgmgr(pppoe-107): RE-PPPoE Timer Apply...
Apr 8 00:22:10 pppd[1763]: pppd 2.4.4 started by root, uid 0
Apr 8 00:22:11 cfgmgr(pppoe-107): Saving PPPoE Session ID: 0xfe21
Apr 8 00:22:11 cfgmgr(pppoe-107): Received pppoe server mac: 0x00-90-1a-xx-xx-xx
Apr 8 00:22:11 pppd[1763]: Got connection: fe21
Apr 8 00:22:11 pppd[1763]: Saved Session ID: 0
Apr 8 00:22:11 pppd[1763]: AC MAC address: 00-90-1a-xx-xx-xx
Apr 8 00:22:11 pppd[1763]: Connect: ppp0 {--} nas0
Apr 8 00:22:11 pppd[1763]: PAP authentication succeeded
Apr 8 00:22:11 cfgmgr(pppoe-107): PPPoE Connect with IP Address 41.xxx.xxx.63
Apr 8 00:22:11 cfgmgr(pppoe-107): PPPoE Connection Successfully Established
Apr 8 00:22:12 cfgmgr(pppoe-107): sys_send_event - pppoe up
Apr 8 00:22:12 cfgmgr(pppoe-107): PPPoE Connect with Gateway IP Address: 10..xxx.xxx.xxx
Apr 8 00:22:12 pppd[1763]: local IP address 41.xxx.xxx.63
Apr 8 00:22:12 pppd[1763]: remote IP address 10..xxx.xxx.xxx
Apr 8 00:22:32 root: onconnectWAN: cron has been disabled in the bootloader environment.

Code:

/var # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
CFG        tcp  --  192.168.1.77         anywhere           tcp dpt:www Records Packet's Source Interface

CFG        tcp  --  192.168.1.77         anywhere           tcp dpt:443 Records Packet's Source Interface

ACCEPT     icmp --  anywhere             anywhere           icmp fragmentation-needed
DROP       icmp -f  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ipaccount  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ipaccount  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere           icmp fragmentation-needed
TCPMSS     tcp  --  anywhere             anywhere           tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere           icmp fragmentation-needed
DROP       icmp --  anywhere             anywhere           icmp destination-unreachable
DROP       icmp --  anywhere             anywhere           state INVALID

Chain ipaccount (2 references)
target     prot opt source               destination
           all  --  anywhere             anywhere           account: network/netmask: 192.168.1.0/255.255.255.0 name: mynetwork short-listing
The question remains, why didn't this occur automatically after the router managed a PPPoE connection (on its own), even if a while after it was booted?

Post by thechief » Fri Apr 08, 2011 4:54 pm

geekgirl wrote: The question remains, why didn't this occur automatically after the router managed a PPPoE connection (on its own), even if a while after it was booted?
PPPoE is troublesome - and this has been reported before (but we thought it had been fixed). As a test, try running "ppp_restore.sh" from a telnet prompt, and see whether the same thing happens. Then run "showlog.sh" and see what new entries have been made in the system log.

Post by geekgirl » Wed Apr 13, 2011 1:16 pm

Nope. Unable to reproduce it after 3 attempts at doing "ppp_restore.sh", an attempt to reboot the router, and an attempt to manually disconnect, wait a while, then connect.
In all the attempts mentioned, ppp is connected right away, and the rule to drop ALL from anywhere on ppp0 is properly added.

Post by thechief » Wed Apr 13, 2011 5:54 pm

That's how it should be. This means that what you experienced arose due to exceptional circumstances that cannot readily be reproduced (which makes it hard to sort out).
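
The by-eye comparison of the two `iptables -L` listings earlier in the thread, and the question of whether the failed logins come from the WAN or the LAN, written as a script. This is an added example, not part of any post above and not RouterTech firmware code; the function names and the LAN prefix `192.168.1.` are assumptions, and the sample data is abridged from the thread's listings plus one constructed LAN log line.

```shell
#!/bin/sh
# Added example, not RouterTech code. Sample data is abridged from the
# listings in this thread, plus one constructed LAN log line.

# Read `iptables -L` output on stdin; print "protected" if the INPUT chain
# has policy DROP or an unconditional "DROP all" row, else print "exposed"
# and return 1. Only INPUT is inspected: FORWARD has a "DROP all" row in
# both listings, so a plain grep would wrongly pass the broken one.
input_chain_status() {
    awk '
        function any(a) { return a == "anywhere" || a == "0.0.0.0/0" }
        /^Chain / {
            in_input = ($2 == "INPUT")
            if (in_input && $0 ~ /policy DROP/) ok = 1
            next
        }
        in_input && $1 == "DROP" && $2 == "all" && NF == 5 {
            if (any($4) && any($5)) ok = 1
        }
        END {
            if (ok) { print "protected" } else { print "exposed"; exit 1 }
        }
    '
}

# Read syslog lines on stdin; print "<count> <lan|wan> <ip>" for each source
# of dropbear "bad password attempt" lines, busiest first. $1 is the LAN
# prefix (assumed 192.168.1., the network named in the ipaccount rule).
dropbear_sources() {
    awk -v lan="${1:-192.168.1.}" '
        /dropbear\[[0-9]+\]: bad password attempt for / {
            ip = $NF; sub(/:[0-9]+$/, "", ip); n[ip]++
        }
        END {
            for (ip in n)
                print n[ip], (index(ip, lan) == 1 ? "lan" : "wan"), ip
        }
    ' | sort -rn
}

sample_broken() { cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
DROP       icmp -f  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
DROP       all  --  anywhere             anywhere
EOF
}
sample_fixed() { cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
DROP       icmp -f  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
DROP       all  --  anywhere             anywhere
EOF
}
sample_log() { cat <<'EOF'
Apr 7 17:12:23 login[1516]: invalid password for 'UNKNOWN' on 'pts/9'
Apr 7 21:50:22 dropbear[1587]: bad password attempt for 'root' from 122.57.56.68:4576
Apr 7 21:50:27 dropbear[1587]: bad password attempt for 'root' from 122.57.56.68:4576
Apr 7 21:50:45 dropbear[1588]: bad password attempt for 'root' from 122.57.56.68:2093
Apr 7 22:01:10 dropbear[1601]: bad password attempt for 'root' from 192.168.1.50:1044
EOF
}

sample_broken | input_chain_status || true
sample_fixed | input_chain_status
sample_log | dropbear_sources
```

Plain `iptables -L` does not print interfaces, so a "DROP all" row that is restricted to ppp0 looks unconditional in this output; `iptables -L INPUT -v` adds the in/out interface columns.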