[SOLVED] Unwanted activity on router

ackoman

Jan 13, 2009
Hello,

I recently started using Papertrail and have been logging all the incoming activity on my DD-WRT firmware router. It's been a bit of an eye-opener - every few minutes I get IP addresses from Russia and China probing various ports on my router. Most of them don't seem to get in (the activity is logged as "dropped"); however, every now and again I see one which was apparently accepted.

Is this normal?

As a follow-up question, is it possible to bar specific IP addresses from getting into my router? There is one IP address which tries to gain access every two minutes or so, and even though every connection is apparently dropped I'd quite like to add it to a blacklist, if such a thing is possible.

Thanks,

Ackoman
 
Solution
So what do you think adding it to a blacklist is going to do? Drop the packet a second time?

You can do nothing about data until you actually receive it, and by the time you receive it the bandwidth has already been consumed.

Unless you open a hole with port forwarding no traffic will ever get past your router. The NAT function is really stupid. Since it does not know which of your internal machines to send the traffic to, it drops it instead. Pretty much this is the same as the best firewall rule which prevents sessions from being established from the internet.

The router itself should be pretty much immune from attack. Most are configured to not allow any session into the router itself from the WAN port.

In many ways it would be better if the router did not put out messages. You can do nothing about it anyway so it just makes people nervous.
 
Solution
Unless you open a hole with port forwarding no traffic will ever get past your router. The NAT function is really stupid. Since it does not know which of your internal machines to send the traffic to, it drops it instead...


So how come some of the attempts do get through? Or at the very least, they are described in the log as "Accept".

This is typically on Port 21.
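
Added example, not part of the thread: one way to separate the "dropped" entries from the "Accept" entries discussed above and see where each accepted packet was headed. It assumes the router writes the standard netfilter LOG key=value layout with an ACCEPT/DROP prefix and that the WAN interface is named vlan2; the function name and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines (assumed netfilter LOG layout, documentation-range
# addresses); they are not taken from the poster's router.
SAMPLE_LOG = """\
Jan 10 12:00:01 router kernel: DROP IN=vlan2 OUT= MAC=00:11:22:33:44:55 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=23 SYN
Jan 10 12:02:01 router kernel: DROP IN=vlan2 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40113 DPT=23 SYN
Jan 10 12:03:15 router kernel: ACCEPT IN=vlan2 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=21 SYN
Jan 10 12:04:40 router kernel: ACCEPT IN=vlan2 OUT=br0 SRC=198.51.100.20 DST=192.168.1.50 PROTO=TCP SPT=51001 DPT=21 SYN
Jan 10 12:05:00 router kernel: ACCEPT IN=br0 OUT=vlan2 SRC=192.168.1.50 DST=198.51.100.30 PROTO=TCP SPT=51002 DPT=443 SYN
Jan 10 12:06:00 router dnsmasq[123]: query from 192.168.1.50
"""

LINE_RE = re.compile(r"kernel: (?P<verdict>ACCEPT|DROP)\s+(?P<fields>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # value may be empty, e.g. "OUT="


def triage(log_text, wan_if="vlan2"):
    """Return (drops per source IP, list of accepted inbound packets)."""
    dropped = Counter()
    accepted = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a firewall log line
        f = dict(FIELD_RE.findall(m.group("fields")))
        if f.get("IN") != wan_if:
            continue  # did not arrive on the internet-facing interface
        src = f.get("SRC", "?")
        if m.group("verdict") == "DROP":
            dropped[src] += 1
            continue
        # Empty OUT: addressed to the router itself. Non-empty OUT: forwarded on.
        target = "router" if not f.get("OUT") else "lan:" + f.get("DST", "?")
        dpt = int(f["DPT"]) if f.get("DPT", "").isdigit() else None
        accepted.append((src, dpt, target))
    return dropped, accepted


if __name__ == "__main__":
    drops, accepts = triage(SAMPLE_LOG)
    for ip, count in drops.most_common():
        print(f"dropped  {ip}  x{count}")
    for src, dpt, target in accepts:
        print(f"ACCEPTED {src} -> port {dpt} ({target})")
```

For each accepted line, the target column shows whether the packet was addressed to the router itself or forwarded to a LAN host, which tells you whether to check the router's own services or its port-forwarding rules for that port.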