Open Goro2030 opened 6 years ago
I have more proof from today that bearDropper is actually not working ...
Thu Jun 14 04:42:58 2018 authpriv.info dropbear[11882]: Child connection from 193.201.224.208:29745
Thu Jun 14 04:43:07 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:07 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:07 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:07 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:08 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:08 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:10 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:10 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
**Thu Jun 14 04:43:11 2018 authpriv.notice bearDropper[20934]: Inserting ban rule for IP 193.201.224.208 into iptables chain bearDropper**
Thu Jun 14 04:43:11 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:11 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:12 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:12 2018 authpriv.warn dropbear[11882]: Bad password attempt for 'root' from 193.201.224.208:29745
Thu Jun 14 04:43:14 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:14 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:15 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:15 2018 authpriv.warn dropbear[11882]: Bad password attempt for 'root' from 193.201.224.208:29745
Thu Jun 14 04:43:15 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:15 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:16 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:16 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:19 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:19 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:20 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:20 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:20 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:20 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:22 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:22 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:29 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:29 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:45 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:45 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:46 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:46 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:46 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:46 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:48 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:48 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:49 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:49 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:50 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:50 2018 authpriv.warn dropbear[11882]: Bad password attempt for 'root' from 193.201.224.208:29745
Thu Jun 14 04:43:51 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:51 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:52 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:52 2018 authpriv.warn dropbear[11882]: Bad password attempt for 'root' from 193.201.224.208:29745
Thu Jun 14 04:43:54 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:54 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:54 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:54 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:55 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:55 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:55 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:55 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:58 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:43:59 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:59 2018 authpriv.warn dropbear[11882]: Bad password attempt for 'root' from 193.201.224.208:29745
Thu Jun 14 04:43:59 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:43:59 2018 authpriv.warn dropbear[11882]: User 'ftp' has invalid shell, rejected
Thu Jun 14 04:44:01 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:44:01 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:44:02 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:44:02 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:44:02 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:44:02 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:44:03 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:44:03 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:44:04 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:44:04 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:44:07 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:44:07 2018 authpriv.warn dropbear[11882]: Bad password attempt for 'root' from 193.201.224.208:29745
Thu Jun 14 04:44:22 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:44:22 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:44:23 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:44:23 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:44:24 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:44:24 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:44:24 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:44:24 2018 authpriv.warn dropbear[11882]: Bad password attempt for 'root' from 193.201.224.208:29745
Thu Jun 14 04:44:31 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:44:31 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:44:32 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:44:32 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:44:34 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:44:34 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:44:36 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:44:36 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:44:39 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:44:39 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:44:39 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:44:39 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:44:40 2018 daemon.notice hostapd: wlan1: AP-STA-DISCONNECTED 70:ee:50:03:6a:50
Thu Jun 14 04:44:43 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:44:43 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:44:44 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:44:44 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:44:46 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:44:46 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
Thu Jun 14 04:45:02 2018 authpriv.warn dropbear[11882]: Client trying multiple usernames from 193.201.224.208:29745
Thu Jun 14 04:45:02 2018 authpriv.warn dropbear[11882]: Login attempt for nonexistent user from 193.201.224.208:29745
I've just noticed the same on my system. It was working until recently but definitely not now. Sadly, I think this project is abandoned as it's not been updated in 2+ years :-(
Is there an alternative?
I've tested this a few days ago and it was working fine. Maybe it's something about your setup.
I have been running bearDropper for ages, as part of David's build of LEDE, but now looking into the logs, it actually doesn't seem to be blocking the offending IPs.
My current configuration has this section:
This LEDE Version from David's 502 builds: Lede SNAPSHOT, r7093-4fdc6ca31b
And the latest bearDropper version.
And I found this in the log today:
See that the "ban rule" was inserted twice (instead of just once?), but the offending IP kept trying after that? It all happened within 2 seconds... maybe this is just a syslogd delay in the messages?
@robzr, can you take a look?
BTW: iptables -L has the ban rule on it.
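
One way to check a log like the excerpts in this thread: the added script below (not bearDropper code, and not from any participant here) counts failed logins that arrive after a ban rule was logged, split by whether they came over a dropbear connection opened before the ban or a new one. The function names, the grace window for syslog delay and the sample lines are assumptions made for the example.

```shell
#!/bin/sh
# Added example. Input: logread-style lines on stdin, in the format shown in this thread.
# $1 = grace seconds after the ban in which events are ignored (default 2).
# Assumes the excerpt stays within one month (only day-of-month and time are compared).
post_ban_report() {
    awk -v grace="${1:-2}" '
    function secs(day, hms,    t) {
        split(hms, t, ":")
        return day * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
    }
    { sub(/^\*+/, ""); now = secs($3, $4) }        # strip Markdown bold if pasted
    $7 ~ /^bearDropper\[/ && /Inserting ban rule for IP / {
        for (i = 8; i < NF; i++)                   # keep the first ban time per IP
            if ($i == "IP" && !($(i + 1) in ban)) ban[$(i + 1)] = now
        next
    }
    $7 !~ /^dropbear\[/ { next }
    { pid = $7; gsub(/[^0-9]/, "", pid) }          # one dropbear PID per connection
    /Child connection from / { opened[pid] = now; next }
    /Login attempt for nonexistent user from |Bad password attempt for / {
        ip = $NF; sub(/:[0-9]+$/, "", ip)
        if (!(ip in ban) || now <= ban[ip] + grace) next
        # No "Child connection" line seen: the session predates the excerpt.
        if (!(pid in opened) || opened[pid] <= ban[ip]) same[ip]++
        else fresh[ip]++
    }
    END {
        for (ip in ban)
            printf "%s same_conn=%d new_conn=%d\n", ip, same[ip], fresh[ip]
    }'
}

# Constructed sample (documentation address 192.0.2.10), not taken from the issue.
sample_log() {
    cat <<'EOF'
Thu Jun 14 10:00:00 2018 authpriv.info dropbear[101]: Child connection from 192.0.2.10:40000
Thu Jun 14 10:00:04 2018 authpriv.warn dropbear[101]: Login attempt for nonexistent user from 192.0.2.10:40000
Thu Jun 14 10:00:05 2018 authpriv.notice bearDropper[200]: Inserting ban rule for IP 192.0.2.10 into iptables chain bearDropper
Thu Jun 14 10:00:06 2018 authpriv.warn dropbear[101]: Login attempt for nonexistent user from 192.0.2.10:40000
Thu Jun 14 10:00:09 2018 authpriv.warn dropbear[101]: Bad password attempt for 'root' from 192.0.2.10:40000
Thu Jun 14 10:00:12 2018 authpriv.warn dropbear[101]: Login attempt for nonexistent user from 192.0.2.10:40000
Thu Jun 14 10:00:20 2018 authpriv.info dropbear[102]: Child connection from 192.0.2.10:40001
Thu Jun 14 10:00:21 2018 authpriv.warn dropbear[102]: Bad password attempt for 'root' from 192.0.2.10:40001
EOF
}

sample_log | post_ban_report 2
```

On the router the same function can read `logread` output instead of the sample. A non-zero `same_conn` means attempts continued over the session that was already open when the rule was inserted; a non-zero `new_conn` means new connections from the banned address were still being accepted.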