My router has an open ssh port so that I can connect home from the Internet, and recently I’ve noticed in the logs that someone is scanning my ports:
Jun 5 15:13:49 dropbear: login attempt for nonexistent user from 18.104.22.168:47311
Jun 5 15:13:50 dropbear: exit before auth: Disconnect received
It seems like someone is looking for vulnerabilities. But why, you ask? It could be a worm that infects mipsel routers running Linux. That’s life: devices become more powerful, they become like servers, and if infected they could pose a big threat.
There are a few rules on how to protect yourself from being hacked.
1. First, expose as few ports as possible.
2. Use non-standard login names. The default is admin/admin, so it has to be changed to something different. Luckily, Oleg’s firmware and DD-WRT allow you to change the user name.
3. Make passwords more complex for ssh and/or the http administration page.
4. Use brute-force attack protection for the ssh / http page. I use 1 hit count per 600 seconds.
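As an added example (not part of the original post or of either firmware), this Python script parses dropbear lines in the format shown above and replays them against a per-source limit of 1 hit per 600 seconds, to show how many attempts such a limit would turn away. The sample log and its addresses are constructed, and the limiter semantics (only allowed connections count toward the window) are an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the dropbear log format quoted in the post;
# the addresses come from documentation ranges, not from real traffic.
SAMPLE_LOG = """\
Jun 5 15:13:49 dropbear: login attempt for nonexistent user from 203.0.113.7:47311
Jun 5 15:13:50 dropbear: exit before auth: Disconnect received
Jun 5 15:14:02 dropbear: login attempt for nonexistent user from 203.0.113.7:47420
Jun 5 15:20:10 dropbear: login attempt for nonexistent user from 198.51.100.23:50112
Jun 5 15:25:00 dropbear: login attempt for nonexistent user from 203.0.113.7:48001
Jun 5 15:40:30 dropbear: login attempt for nonexistent user from 198.51.100.23:50377
"""

# Tolerates an optional hostname and "[pid]" between timestamp and message.
ATTEMPT = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?dropbear(?:\[\d+\])?: "
    r"login attempt for nonexistent user from (\d+(?:\.\d+){3}):\d+")

def parse_attempts(text, year=2000):
    """Return sorted (timestamp, source_ip) pairs; syslog has no year, so one is assumed."""
    attempts = []
    for line in text.splitlines():
        m = ATTEMPT.match(line.strip())
        if m:
            when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            attempts.append((when, m.group(2)))
    return sorted(attempts)

def simulate_limit(attempts, hits=1, window=600):
    """Replay attempts against 'hits' allowed connections per 'window' seconds per IP."""
    recent = defaultdict(list)   # ip -> timestamps of allowed connections still in window
    result = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for when, ip in attempts:
        recent[ip] = [t for t in recent[ip] if (when - t).total_seconds() < window]
        if len(recent[ip]) < hits:
            recent[ip].append(when)
            result[ip]["allowed"] += 1
        else:
            result[ip]["blocked"] += 1
    return dict(result)

if __name__ == "__main__":
    for ip, counts in simulate_limit(parse_attempts(SAMPLE_LOG)).items():
        print(f"{ip}: {counts['allowed']} allowed, {counts['blocked']} blocked")
```
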
Now, the most interesting thing. In Oleg’s firmware you can change the user name and password. But it seems the password change affects only the http configuration page. The ssh daemon still uses the old password. To solve this problem, log in to the router via ssh and run:
It will ask you to enter the new password and confirm it. Afterwards you will have to store the password using:
flashfs save && flashfs commit && flashfs enable
I also hit another bug when changing the password in the http page 🙂 Its length is limited to 17 characters. If you specify a longer password it just gets cut. It is then hard to understand why you can’t log in and why the previous password does not work.