dropbear bad password attempt for 'root' from <IP>
I saw these entries in the log
dropbear[1018]: bad password attempt for 'root' from 59.39.66.30:62783
Yesterday, there was a similar error telling about a failed attempt for a "non existing user".
What is this access attempt about? Is someone trying to access the modem configuration, or is he trying to connect to the router using SSH to sniff packets and steal my passwords?
Anyway, what do you suggest? I want to block all kinds of router access from the WAN. (I'm not tech savvy, so please let me know if this does not make sense.)
- thechief
- RouterTech Team
- Posts: 12067
- Joined: Wed Feb 01, 2006 10:22 pm
- Location: England, the Centre of Africa
- Contact:
Re: dropbear bad password attempt for 'root' from <IP>
Perhaps you might care to tell us what router and firmware you are using?
The Chief: Be sure to read the Firmware FAQ and do a Forum Search before posting!
No support via PM. Ask all questions on the open forum.
Re: dropbear bad password attempt for 'root' from <IP>
RouterTech latest release.
Let me drop a link to my firmware flashing thread.
viewtopic.php?f=3&t=3381&p=44713
(Sorry for missing this important piece of detail in my opening message. I appreciate your patience.)
Regards,
- thechief
- RouterTech Team
Re: dropbear bad password attempt for 'root' from <IP>
Well, the firmware comes with all WAN access blocked by default. Resetting to defaults will restore all those settings.
It is possible that someone is trying to hack in from the WAN - but another possible scenario is that your wireless security has been compromised, and so the attempts are coming from inside your LAN.
My suggestions are:
1. Reset to defaults, and reconfigure your router afterwards
2. Change your wireless security to WPA2, and change the encryption key.
If, after these steps you are still getting those things in your log, then we can start to consider other things.
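One way to tell the two scenarios in the reply above apart (attempts from the WAN versus attempts from inside the LAN) is to group the dropbear failures by source address. This is an added example, not part of the original post or of the RouterTech firmware; the function name and the 192.168.1.0/24 LAN range are assumptions.

```shell
#!/bin/sh
# Added example: count dropbear "bad password attempt" lines per source address
# and label each source LAN, private or WAN.
# Assumption: the LAN is 192.168.1.0/24, the range seen elsewhere in this thread.

classify_sources() {
    # stdin: syslog text; stdout: "<count> <ip> <LAN|private|WAN>", busiest first
    awk '
    /dropbear\[[0-9]+\]: bad password attempt for / {
        split($NF, hostport, ":")      # last field is "ip:port"
        count[hostport[1]]++
    }
    END {
        for (ip in count) {
            side = "WAN"
            if (ip ~ /^192\.168\.1\./) {
                side = "LAN"
            } else if (ip ~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/) {
                side = "private"
            }
            print count[ip], ip, side
        }
    }' | sort -rn
}

# Sample input: lines in the format quoted in the thread. The 192.168.1.77
# entry is constructed to show what a LAN-side attempt would look like.
SAMPLE_LOG="Apr 7 17:12:23 login[1516]: invalid password for 'UNKNOWN' on 'pts/9'
dropbear[1018]: bad password attempt for 'root' from 59.39.66.30:62783
Apr 7 21:50:22 dropbear[1587]: bad password attempt for 'root' from 122.57.56.68:4576
Apr 7 21:50:27 dropbear[1587]: bad password attempt for 'root' from 122.57.56.68:4576
Apr 7 21:50:33 dropbear[1587]: bad password attempt for 'root' from 122.57.56.68:4576
Apr 7 21:51:40 dropbear[1590]: bad password attempt for 'root' from 192.168.1.77:1301"

# On the router the input would come from the system log instead of the sample.
printf '%s\n' "$SAMPLE_LOG" | classify_sources
```

A WAN label on a router that is supposed to block WAN access means the SSH port is reachable from outside, whatever the wireless settings are.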
Re: dropbear bad password attempt for 'root' from <IP>
Hi,
Thanks for the response.
I have reset to default and reconfigured my internet connection.
I've put wireless to off and removed my computer from any sort of network.
I hope it will do the needful.
Thank you so much.
- thechief
- RouterTech Team
Re: dropbear bad password attempt for 'root' from <IP>
I don't think you need to disable wireless (unless you don't need it) or remove your PC from the network. You just need to ensure that WAN access remains disabled, that you set a strong password for logging on to the router, and you use WPA/WPA2 encryption with a strong key.
Re: dropbear bad password attempt for 'root' from <IP>
thechief wrote: Well, the firmware comes with all WAN access blocked by default. Resetting to defaults will restore all those settings.
I just noticed the same problem, latest firmware as of date (2.95), which was reset to defaults before and after the update. From looking at iptables rules, it doesn't seem like anything on INPUT is dropped, except for ICMP.
I suspect the rules for ppp0 (like the INPUT chain rule to drop ALL on ppp0 interface) never got created because of connection problems after router was restarted at some point (possibly due to power loss) and which took some time before it actually got connected and created. Why the rules didn't apply when PPPoE finally connected (on its own), is beyond me.
Jan 3 01:54:18 cfgmgr(sar): Could not get oam_ping_interval from boot loader env
Jan 3 01:54:18 cfgmgr(sar): Trying to retreive the value from Configuration
Jan 3 01:54:18 cfgmgr(sar): oamPingInterval(20)(20)
Jan 3 01:54:18 cfgmgr(ap): AP is disabled
Jan 3 01:54:18 cfgmgr(pppoe-107): Valid Configuration Tree
Jan 3 01:54:19 cfgmgr(resolver): stat successfull for /etc/resolv.conf.
Jan 3 01:54:19 cfgmgr(resolver): Resolver Polling Timer Started succesfully.
Jan 3 01:54:19 cfgmgr(sntp): NTP Polling Timer for DHCP Started succesfully.
Jan 3 01:54:19 cfgmgr(sar): DSL Polling Timer Started succesfully.
Jan 3 01:54:19 cfgmgr(fdb): Firewall NAT service started
Jan 3 01:54:19 cfgmgr(pppoe-107): del_iptable_rules : ppp_name not intact
Jan 3 01:54:19 root: USB is disabled
Jan 3 01:54:19 cfgmgr(lanbridge0): Bridge Created: br0
Jan 3 01:54:21 cfgmgr(lanbridge1): Bridge Created: br1
Jan 3 01:54:22 cfgmgr(lanbridge2): Bridge Created: br2
Jan 3 01:54:24 cfgmgr(lanbridge3): Bridge Created: br3
Jan 3 01:54:25 cfgmgr(lanbridge0): Bridge Interface Added: eth0
Jan 3 01:54:29 cfgmgr(sar): DSL Carrier is training
Jan 3 01:54:29 cfgmgr(pppoe-107): del_iptable_rules : ppp_name not intact
Jan 3 01:54:39 cfgmgr(sar): DSL Carrier is down
Jan 3 01:54:39 cfgmgr(pppoe-107): del_iptable_rules : ppp_name not intact
Jan 3 01:54:59 cfgmgr(sar): DSL Carrier is up
Jan 3 01:54:59 cfgmgr(sar): auto_vcc_default oamPing(0.35)result(2)
Jan 3 01:54:59 cfgmgr(sar): auto_vcc_default oamPing(0.32)result(2)
Jan 3 01:54:59 cfgmgr(sar): auto_vcc_default oamPing(0.40)result(2)
Jan 3 01:54:59 cfgmgr(sar): auto_vcc_default oamPing(0.36)result(2)
Jan 3 01:55:00 cfgmgr(sar): auto_vcc_default oamPing(0.38)result(2)
Jan 3 01:55:00 cfgmgr(sar): auto_vcc_default oamPing(0.96)result(2)
Jan 3 01:55:00 cfgmgr(sar): auto_vcc_search oamPing(0.35)result(2)
Jan 3 01:55:00 cfgmgr(sar): auto_vcc_search oamPing(8.35)result(2)
Jan 3 01:55:00 cfgmgr(sar): auto_vcc_search oamPing(0.43)result(2)
Jan 3 01:55:00 cfgmgr(sar): auto_vcc_search oamPing(0.51)result(2)
Jan 3 01:55:00 cfgmgr(sar): auto_vcc_search oamPing(0.59)result(2)
Jan 3 01:55:00 cfgmgr(sar): auto_vcc_search oamPing(8.43)result(2)
Jan 3 01:55:00 cfgmgr(sar): auto_vcc_search oamPing(8.51)result(2)
Jan 3 01:55:00 cfgmgr(sar): auto_vcc_search oamPing(8.59)result(2)
Jan 3 01:55:02 pppd[832]: pppd 2.4.4 started by root, uid 0
Jan 3 01:55:02 cfgmgr(pppoe-107): New PPP_ID: 0x3b39
Jan 3 01:55:02 cfgmgr(pppoe-107): Received pppoe server mac: 0x00-90-1a-xx-xx-xx
Jan 3 01:55:02 pppd[832]: Got connection: 3b39
Jan 3 01:55:02 pppd[832]: Saved Session ID: 0
Jan 3 01:55:02 pppd[832]: AC MAC address: 00-90-1a-xx-xx-xx
Jan 3 01:55:02 pppd[832]: Connect: ppp0 {--} nas0
Jan 3 01:55:03 pppd[832]: PAP authentication failed
Jan 3 01:55:03 pppd[832]: Modem hangup
Jan 3 01:55:03 pppd[832]: Connection terminated.
Jan 3 01:55:03 pppd[832]: Doing disconnect
Jan 3 01:55:03 cfgmgr(pppoe-107): PPPoE Exit Status = 16
Jan 3 01:55:03 cfgmgr(pppoe-107): PPPoE Send a Interface Delete Event Below
Jan 3 01:55:03 cfgmgr(pppoe-107): Terminated: Modem Hang-Up
Jan 3 01:55:03 cfgmgr(pppoe-107): Reverting Back PPPoE Session ID: 0x0
Jan 3 01:55:03 cfgmgr(pppoe-107): 15,16 exit report handling - sid set to 0 .
Jan 3 01:55:03 pppd[870]: pppd 2.4.4 started by root, uid 0
Jan 3 01:55:05 pppd[870]: Got connection: 6539
Jan 3 01:55:06 cfgmgr(pppoe-107): New PPP_ID: 0x6539
Jan 3 01:55:06 cfgmgr(pppoe-107): Received pppoe server mac: 0x00-90-1a-xx-xx-xx
Jan 3 01:55:06 pppd[870]: Saved Session ID: 0
Jan 3 01:55:06 pppd[870]: AC MAC address: 00-90-1a-xx-xx-xx
Jan 3 01:55:06 pppd[870]: Connect: ppp0 {--} nas0
Jan 3 01:55:06 pppd[870]: PAP authentication failed
Jan 3 01:55:06 cfgmgr(pppoe-107): PPPoE Exit Status = 16
Jan 3 01:55:06 cfgmgr(pppoe-107): PPPoE Send a Interface Delete Event Below
Jan 3 01:55:06 cfgmgr(pppoe-107): Terminated: Modem Hang-Up
Jan 3 01:55:06 cfgmgr(pppoe-107): Reverting Back PPPoE Session ID: 0x0
Jan 3 01:55:06 cfgmgr(pppoe-107): 15,16 exit report handling - sid set to 0 .
Jan 3 01:55:06 pppd[870]: Modem hangup
Jan 3 01:55:06 pppd[870]: Connection terminated.
Jan 3 01:55:06 pppd[870]: Doing disconnect
Jan 3 01:55:06 pppd[896]: pppd 2.4.4 started by root, uid 0
Jan 3 01:55:09 pppd[896]: Got connection: 9339
Jan 3 01:55:09 cfgmgr(pppoe-107): New PPP_ID: 0x9339
Jan 3 01:55:09 cfgmgr(pppoe-107): Received pppoe server mac: 0x00-90-1a-xx-xx-xx
Jan 3 01:55:09 pppd[896]: Saved Session ID: 0
Jan 3 01:55:09 pppd[896]: AC MAC address: 00-90-1a-xx-xx-xx
Jan 3 01:55:09 pppd[896]: Connect: ppp0 {--} nas0
Jan 3 01:55:09 pppd[896]: PAP authentication failed
Jan 3 01:55:09 cfgmgr(pppoe-107): PPPoE Exit Status = 19
Jan 3 01:55:09 cfgmgr(pppoe-107): PPPoE Send a Interface Delete Event Below
Jan 3 01:55:09 cfgmgr(pppoe-107): Authenication Failure with Peer
Jan 3 01:55:09 cfgmgr(pppoe-107): Connection Attempt Backoff (PPPoE) for 300 seconds.
Jan 3 01:55:09 pppd[896]: Connection terminated.
Jan 3 01:55:09 pppd[896]: Doing disconnect
Jan 3 02:00:10 pppd[921]: pppd 2.4.4 started by root, uid 0
Jan 3 02:00:10 cfgmgr(pppoe-107): New PPP_ID: 0xe60d
Jan 3 02:00:10 cfgmgr(pppoe-107): Received pppoe server mac: 0x00-90-1a-xx-xx-xx
Jan 3 02:00:10 pppd[921]: Got connection: e60d
Jan 3 02:00:10 pppd[921]: Saved Session ID: 0
Jan 3 02:00:10 pppd[921]: AC MAC address: 00-90-1a-xx-xx-xx
Jan 3 02:00:10 pppd[921]: Connect: ppp0 {--} nas0
Jan 3 02:00:11 pppd[921]: PAP authentication succeeded
Jan 3 02:00:11 cfgmgr(pppoe-107): PPPoE Connect with IP Address 41.xxx.xxx.172
Jan 3 02:00:11 cfgmgr(pppoe-107): PPPoE Connection Successfully Established
Jan 3 02:00:11 cfgmgr(pppoe-107): Renew PPPoE Session ID: 0xe60d
Jan 3 02:00:11 cfgmgr(pppoe-107): sys_send_event - pppoe up
Jan 3 02:00:11 cfgmgr(pppoe-107): PPPoE Connect with Gateway IP Address: 10.xxx.xxx.xxx
Jan 3 02:00:11 pppd[921]: local IP address 41.xxx.xxx.172
Jan 3 02:00:11 pppd[921]: remote IP address 10.xxx.xxx.xxx
Apr 7 13:13:06 root: onconnectWAN: cron has been disabled in the bootloader environment.
Apr 7 14:22:48 cfgmgr(sar): DSL Carrier is down
Apr 7 14:23:08 cfgmgr(sar): DSL Carrier is up
Apr 7 14:23:08 cfgmgr(sar): auto_vcc_default oamPing(0.35)result(2)
Apr 7 14:23:08 cfgmgr(sar): auto_vcc_default oamPing(0.32)result(2)
Apr 7 14:23:08 cfgmgr(sar): auto_vcc_default oamPing(0.40)result(2)
Apr 7 14:23:08 cfgmgr(sar): auto_vcc_default oamPing(0.36)result(2)
Apr 7 14:23:09 cfgmgr(sar): auto_vcc_default oamPing(0.38)result(2)
Apr 7 14:23:09 cfgmgr(sar): auto_vcc_default oamPing(0.96)result(2)
Apr 7 14:23:09 cfgmgr(sar): auto_vcc_search oamPing(0.35)result(2)
Apr 7 14:23:09 cfgmgr(sar): auto_vcc_search oamPing(8.35)result(2)
Apr 7 14:23:09 cfgmgr(sar): auto_vcc_search oamPing(0.43)result(2)
Apr 7 14:23:09 cfgmgr(sar): auto_vcc_search oamPing(0.51)result(2)
Apr 7 14:23:09 cfgmgr(sar): auto_vcc_search oamPing(0.59)result(2)
Apr 7 14:23:09 cfgmgr(sar): auto_vcc_search oamPing(8.43)result(2)
Apr 7 14:23:09 cfgmgr(sar): auto_vcc_search oamPing(8.51)result(2)
Apr 7 14:23:09 cfgmgr(sar): auto_vcc_search oamPing(8.59)result(2)
Apr 7 14:23:09 cfgmgr(pppoe-107): PPPD was Properly Stopped. Current State=7
Apr 7 14:23:09 cfgmgr(pppoe-107): PPPD Restart Filter = 0
Apr 7 14:23:09 cfgmgr(pppoe-107): sys_send_event - pppoe down
Apr 7 14:23:17 pppd[1204]: pppd 2.4.4 started by root, uid 0
Apr 7 14:23:17 pppd[1204]: Sending PADT for e60d before starting new discovery
Apr 7 14:23:17 pppd[1204]: Server MAC is: 00-90-1a-xx-xx-xx
Apr 7 14:23:17 pppd[1204]: Got connection: 1720
Apr 7 14:23:18 cfgmgr(pppoe-107): Saving PPPoE Session ID: 0x1720
Apr 7 14:23:18 cfgmgr(pppoe-107): Received pppoe server mac: 0x00-90-1a-xx-xx-xx
Apr 7 14:23:18 pppd[1204]: Saved Session ID: 0
Apr 7 14:23:18 pppd[1204]: AC MAC address: 00-90-1a-xx-xx-xx
Apr 7 14:23:18 pppd[1204]: Connect: ppp0 {--} nas0
Apr 7 14:23:18 pppd[1204]: PAP authentication succeeded
Apr 7 14:23:18 cfgmgr(pppoe-107): PPPoE Connect with IP Address 41.xxx.xxx.171
Apr 7 14:23:18 cfgmgr(pppoe-107): PPPoE Connection Successfully Established
Apr 7 14:23:19 cfgmgr(pppoe-107): sys_send_event - pppoe up
Apr 7 14:23:19 cfgmgr(pppoe-107): PPPoE Connect with Gateway IP Address: 10.xxx.xxx.xxx
Apr 7 14:23:19 pppd[1204]: local IP address 41.xxx.xxx.171
Apr 7 14:23:19 pppd[1204]: remote IP address 10.xxx.xxx.xxx
Apr 7 14:23:39 root: onconnectWAN: cron has been disabled in the bootloader environment.
Apr 7 17:12:23 login[1516]: invalid password for 'UNKNOWN' on 'pts/9'
Apr 7 17:12:54 login[1524]: invalid password for 'UNKNOWN' on 'pts/8'
Apr 7 21:50:22 dropbear[1587]: bad password attempt for 'root' from 122.57.56.68:4576
Apr 7 21:50:27 dropbear[1587]: bad password attempt for 'root' from 122.57.56.68:4576
Apr 7 21:50:33 dropbear[1587]: bad password attempt for 'root' from 122.57.56.68:4576
Apr 7 21:50:45 dropbear[1588]: bad password attempt for 'root' from 122.57.56.68:2093
Apr 7 21:50:50 dropbear[1588]: bad password attempt for 'root' from 122.57.56.68:2093
Apr 7 21:50:55 dropbear[1588]: bad password attempt for 'root' from 122.57.56.68:2093
Apr 7 21:51:07 dropbear[1589]: bad password attempt for 'root' from 122.57.56.68:2168
Apr 7 21:51:12 dropbear[1589]: bad password attempt for 'root' from 122.57.56.68:2168
Apr 7 21:51:18 dropbear[1589]: bad password attempt for 'root' from 122.57.56.68:2168
/var # iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
CFG tcp -- 192.168.1.77 anywhere tcp dpt:www Records Packet's Source Interface
CFG tcp -- 192.168.1.77 anywhere tcp dpt:443 Records Packet's Source Interface
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
DROP icmp -f anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ipaccount all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ipaccount all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
DROP icmp -- anywhere anywhere icmp destination-unreachable
DROP icmp -- anywhere anywhere state INVALID
Chain ipaccount (2 references)
target prot opt source destination
all -- anywhere anywhere account: network/netmask: 192.168.1.0/255.255.255.0 name: mynetwork short-listing
/var #
/var # netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:1050 0.0.0.0:* LISTEN
tcp 0 549 192.168.1.1:23 192.168.1.77:1272 ESTABLISHED
udp 0 0 0.0.0.0:53 0.0.0.0:*
udp 0 0 0.0.0.0:67 0.0.0.0:*
udp 0 0 0.0.0.0:69 0.0.0.0:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 5 [ ] DGRAM 698 /dev/log
unix 2 [ ] DGRAM 628 /var/tmp/cm_miniHttpd.ctl
unix 2 [ ] DGRAM 638 /var/tmp/cm_pc.ctl
unix 2 [ ] DGRAM 655 /var/tmp/cm_logic.ctl
unix 2 [ ] DGRAM 4533
unix 2 [ ] DGRAM 1739
unix 2 [ ] DGRAM 1152
unix 2 [ ] STREAM 624
unix 2 [ ] DGRAM 623
unix 2 [ ] DGRAM 26
/var #
"invalid password for 'UNKNOWN' on 'pts/*'"
I searched the forum to try and determine what that is or where it comes from, but to no avail.
Last edited by geekgirl on Fri Apr 08, 2011 12:31 am, edited 1 time in total.
Re: dropbear bad password attempt for 'root' from <IP>
As expected: After doing a "disconnect" followed by a "connect" (from Setup -> connection-name under "WAN setup"), PPPoE is properly recycled, and the iptables "DROP all" INPUT rule is automagically created.
The question remains, why didn't this occur automatically after the router managed a PPPoE connection (on its own), even if a while after it was booted?
Apr 8 00:21:48 cfgmgr(pppoe-107): PPPoE Apply Transaction
Apr 8 00:21:48 cfgmgr(pppoe-107): PPPoE Current State = 6
Apr 8 00:21:48 cfgmgr(pppoe-107): PPPoE Apple Code = 3
Apr 8 00:21:48 cfgmgr(pppoe-107): PPPoE ReStart Flag = 0
Apr 8 00:21:48 cfgmgr(pppoe-107): PPPoE Relaunch = 0
Apr 8 00:21:48 cfgmgr(pppoe-107): PPPoE process is being stopped. Current State = 6
Apr 8 00:21:48 cfgmgr(pppoe-107): Waiting for PPP to die
Apr 8 00:21:49 cfgmgr(pppoe-107): sys_send_event - pppoe down
Apr 8 00:21:49 cfgmgr(pppoe-107): PPPoE AFTER Apply Transaction
Apr 8 00:21:49 cfgmgr(pppoe-107): PPPoE Current State = 9
Apr 8 00:21:49 cfgmgr(pppoe-107): PPPoE Apple Code = 0
Apr 8 00:21:49 cfgmgr(pppoe-107): PPPoE ReStart Flag = 1
Apr 8 00:21:49 cfgmgr(pppoe-107): PPPoE Relaunch = 0
Apr 8 00:21:49 cfgmgr(pppoe-107): RE-PPPoE Timer Apply...
Apr 8 00:21:49 cfgmgr(pppoe-107): PPPoE Exit Status = 5
Apr 8 00:21:49 cfgmgr(pppoe-107): del_iptable_rules : ppp_name not intact
Apr 8 00:21:49 cfgmgr(pppoe-107): PPPoE Exited. Relaunch = 0
Apr 8 00:21:49 pppd[1204]: Connection terminated.
Apr 8 00:21:49 pppd[1204]: Doing disconnect
Apr 8 00:22:10 cfgmgr(pppoe-107): PPPoE Apply Transaction
Apr 8 00:22:10 cfgmgr(pppoe-107): PPPoE Current State = 9
Apr 8 00:22:10 cfgmgr(pppoe-107): PPPoE Apple Code = 2
Apr 8 00:22:10 cfgmgr(pppoe-107): PPPoE ReStart Flag = 0
Apr 8 00:22:10 cfgmgr(pppoe-107): PPPoE Relaunch = 0
Apr 8 00:22:10 cfgmgr(pppoe-107): PPPoE AFTER Apply Transaction
Apr 8 00:22:10 cfgmgr(pppoe-107): PPPoE Current State = 3
Apr 8 00:22:10 cfgmgr(pppoe-107): PPPoE Apple Code = 0
Apr 8 00:22:10 cfgmgr(pppoe-107): PPPoE ReStart Flag = 0
Apr 8 00:22:10 cfgmgr(pppoe-107): PPPoE Relaunch = 0
Apr 8 00:22:10 cfgmgr(pppoe-107): RE-PPPoE Timer Apply...
Apr 8 00:22:10 pppd[1763]: pppd 2.4.4 started by root, uid 0
Apr 8 00:22:11 cfgmgr(pppoe-107): Saving PPPoE Session ID: 0xfe21
Apr 8 00:22:11 cfgmgr(pppoe-107): Received pppoe server mac: 0x00-90-1a-xx-xx-xx
Apr 8 00:22:11 pppd[1763]: Got connection: fe21
Apr 8 00:22:11 pppd[1763]: Saved Session ID: 0
Apr 8 00:22:11 pppd[1763]: AC MAC address: 00-90-1a-xx-xx-xx
Apr 8 00:22:11 pppd[1763]: Connect: ppp0 {--} nas0
Apr 8 00:22:11 pppd[1763]: PAP authentication succeeded
Apr 8 00:22:11 cfgmgr(pppoe-107): PPPoE Connect with IP Address 41.xxx.xxx.63
Apr 8 00:22:11 cfgmgr(pppoe-107): PPPoE Connection Successfully Established
Apr 8 00:22:12 cfgmgr(pppoe-107): sys_send_event - pppoe up
Apr 8 00:22:12 cfgmgr(pppoe-107): PPPoE Connect with Gateway IP Address: 10..xxx.xxx.xxx
Apr 8 00:22:12 pppd[1763]: local IP address 41.xxx.xxx.63
Apr 8 00:22:12 pppd[1763]: remote IP address 10..xxx.xxx.xxx
Apr 8 00:22:32 root: onconnectWAN: cron has been disabled in the bootloader environment.
/var # iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
CFG tcp -- 192.168.1.77 anywhere tcp dpt:www Records Packet's Source Interface
CFG tcp -- 192.168.1.77 anywhere tcp dpt:443 Records Packet's Source Interface
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
DROP icmp -f anywhere anywhere
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ipaccount all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ipaccount all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
DROP icmp -- anywhere anywhere icmp destination-unreachable
DROP icmp -- anywhere anywhere state INVALID
Chain ipaccount (2 references)
target prot opt source destination
all -- anywhere anywhere account: network/netmask: 192.168.1.0/255.255.255.0 name: mynetwork short-listing
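The condition described in the two posts above (services listening on every address while the INPUT chain has no catch-all DROP) can be checked from the same two command outputs. This is an added example, not part of the original thread or of the RouterTech firmware; the function names are assumptions, and the sample text is copied from the thread's listings and trimmed.

```shell
#!/bin/sh
# Added example (not RouterTech code). Inputs are the text of `iptables -L`
# and `netstat -an`, in the format shown in the thread.

# Succeeds if INPUT denies unsolicited traffic: its policy is DROP, or it has
# an unconditional "DROP all -- anywhere anywhere" rule. The match is scoped to
# the INPUT chain because FORWARD has a "DROP all" in both of the thread's
# listings, so a plain grep for "DROP all" would pass either way.
# Caveat: `iptables -L` without -v hides the interface a rule is bound to;
# `iptables -L INPUT -v -n` shows it.
input_has_catch_all_drop() {
    printf '%s\n' "$1" | awk '
        $1 == "Chain" {
            in_input = ($2 == "INPUT")
            if (in_input && $4 ~ /^DROP/) ok = 1
            next
        }
        in_input && NF == 5 && $1 == "DROP" && $2 == "all" &&
            $4 == "anywhere" && $5 == "anywhere" { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# Prints TCP ports listening on the wildcard address, one per line, sorted.
wildcard_tcp_listeners() {
    printf '%s\n' "$1" | awk '
        $1 == "tcp" && $NF == "LISTEN" && $4 ~ /^0\.0\.0\.0:/ {
            sub(/^0\.0\.0\.0:/, "", $4); print $4
        }' | sort -n
}

# Prints the ports left reachable when INPUT has no catch-all DROP.
exposed_ports() {
    if input_has_catch_all_drop "$1"; then
        return 0
    fi
    wildcard_tcp_listeners "$2"
}

# Sample data copied from the thread (trimmed): rules before the reconnect.
RULES_BEFORE="Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
DROP icmp -f anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere"

# Rules after the reconnect: INPUT now ends with the catch-all DROP.
RULES_AFTER="Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP icmp -f anywhere anywhere
DROP all -- anywhere anywhere"

NETSTAT="tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:1050 0.0.0.0:* LISTEN
tcp 0 549 192.168.1.1:23 192.168.1.77:1272 ESTABLISHED
udp 0 0 0.0.0.0:53 0.0.0.0:*"

exposed_ports "$RULES_BEFORE" "$NETSTAT"
```

Run after every PPPoE reconnect, an empty result confirms the rule set was rebuilt; any port in the output is one the firewall is not covering.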
- thechief
- RouterTech Team
Re: dropbear bad password attempt for 'root' from <IP>
geekgirl wrote: The question remains, why didn't this occur automatically after the router managed a PPPoE connection (on its own), even if a while after it was booted?
pppoe is troublesome - and this has been reported before (but we thought it had been fixed). As a test, try running "ppp_restore.sh" from a telnet prompt, and see whether the same thing happens. Then run "showlog.sh" and see what new entries have been made in the system log.
Re: dropbear bad password attempt for 'root' from <IP>
Nope. Unable to reproduce it after 3 attempts at doing "ppp_restore.sh" and after an attempt to reboot router, and also attempt to manually disconnect, wait a while, then connect.
In all the attempts mentioned, ppp is connected right away, and the rule to drop ALL from anywhere on ppp0 is properly added.
- thechief
- RouterTech Team
Re: dropbear bad password attempt for 'root' from <IP>
That's how it should be. This means that what you experienced arose due to exceptional circumstances that cannot readily be reproduced (which makes it hard to sort out).