Hacker News: WillieStevenson's comments

Long ago I made the same thing.

https://livesshattack.net


My apologies. I have blocked out the content to prevent any further harm.


Just like it's a crime trying to ssh into a box that is not yours right? And besides I didn't do anything to the router. I was simply pointing out that you should change your default credentials and hide your router.

... should be a crime to not change the default credentials.


Did you attempt to notify that poor schmuck who stood up that AirRouter with the default username and password?


Damn it. I should have. I don't know how I would do that now, though. He probably got pwned off the internet by now. lol.


Dude, it's not funny. You're coming across like a script kiddie and it's not welcome here. You've just posted the credentials to someone's site that has probably been compromised and you're treating it like a joke. Go back and redact the IP addresses of those sites & devices before you get yourself into trouble.


Um. I guaran-damn-tee you that the router in question was compromised within a day or seven of it being stood up.

The default credentials on every bit of UBNT hardware that I've used grant access to both the web UI and admin SSH access. So, the access attempts that WillieStevenson has noticed coming from that IP are most likely coming from the router itself.

I can't see any reasonable reason for redacting the IPs that are making those access attempts, and I see no reason at all for redacting static, factory default usernames and passwords.


Look. Malicious boxes are attacking me. Although I must be politically correct in this situation to probably please everyone, while I probably shouldn't have logged into the router in question, I would prefer to publish such IPs because they have the potential to harm other machines.

Actually that particular IP attacked me more than 170 times. It may be useful to others to keep this address on their "naughty" list of hosts to ban.


I don't think there's a need to publish those addresses. There are already lists with those IPs available (https://www.openbl.org/). Telling people that the IP had the default password on the router will only cause problems for the owner, who may not even be aware of the attack. Proxies / worms for SSH scanning are very common, so maybe you just helped people break into some Joe Random's home network.


> I don't think there's a need to publish those addresses. There are already lists with those IPs available...

Interestingly, the IP address of that router is _not_ present in either the base (attacks within the past 360 days) list or the delisted (manually removed from the base list by the person in question) list.

It's almost like no single list is terribly likely to be complete, and that publishing collation of a master list is required for completeness. :)


Pretty clear that he'd been popped already; you realize that's what all of those PTR records that are IP.ISP are, right? Some random person who clicked on something they shouldn't have and is now part of a botnet which is continuously trying to brute force other boxes.


> Some random person who clicked on something they shouldn't have and is now part of a botnet which is continuously trying to brute force other boxes.

No. Some random sysadmin stood up some business-tier gear and failed to change the factory default, static username and password. He then also failed to restrict access to the built-in web server and SSH server to only a trusted set of machines.


I'm not saying the machines attacking you aren't violating the law. I'm saying that publishing an IP address of someone's router, along with step by step directions of how to log into it, along with screenshots of you logging into it, is a violation of the computer fraud and abuse act. The law doesn't care where you got the address. And the reality is that that router's owner probably has no idea they are part of a botnet attacking other machines. I suggest you go back to university and take a few computer ethics courses before you wind up with a criminal record from your next project.


You ever hear the saying "Two wrongs don't make a right"?


Like I mentioned above, changing the SSH port would only lessen the attempts on my box. I am interested in collecting as much data as possible.


tdicola: To authenticate myself, I use an ssh key. However, the goal of this project was to log all attacks over ssh. So setting up fail2ban and disabling password login would prohibit this collection of data. I have a massive password in place, so I'm not worried in the least.
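As an added example (not code from this thread or from livesshattack.net), the script below does the sort of collation the thread keeps coming back to: it parses sshd "Failed password" lines out of a syslog-style auth log, counts attempts per source address, records which usernames each address tried, and produces the "naughty list" of addresses at or above a threshold. The log lines are constructed samples using documentation address ranges; the function names and the threshold are assumptions of this example, not anything the poster described.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of sshd lines in syslog auth.log format (not taken from the page).
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_AUTH_LOG = """\
Feb 10 03:14:07 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Feb 10 03:14:09 host sshd[1201]: Failed password for invalid user ubnt from 203.0.113.7 port 51240 ssh2
Feb 10 03:14:12 host sshd[1203]: Failed password for root from 203.0.113.7 port 51251 ssh2
Feb 10 03:15:01 host sshd[1210]: Failed password for invalid user pi from 198.51.100.22 port 40012 ssh2
Feb 10 03:16:30 host sshd[1215]: Accepted publickey for willie from 192.0.2.5 port 50001 ssh2: ED25519 SHA256:c2FtcGxl
Feb 10 03:17:44 host sshd[1220]: Invalid user test from 203.0.113.7 port 51300
"""

# One failed password attempt. sshd inserts "invalid user" when the account does not
# exist locally; the optional group captures that so we can tell the two cases apart.
# Pre-auth "Invalid user ... from ..." lines are deliberately not matched, because the
# matching "Failed password for invalid user ..." line already counts that attempt.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failed_logins(log_text):
    """Return a list of (ip, username, account_exists) for each failed password attempt."""
    attempts = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            attempts.append((m["ip"], m["user"], m["invalid"] is None))
    return attempts


def attempts_per_ip(attempts):
    """Count failed attempts by source address."""
    return Counter(ip for ip, _, _ in attempts)


def usernames_per_ip(attempts):
    """Sorted list of distinct usernames each source address tried."""
    seen = defaultdict(set)
    for ip, user, _ in attempts:
        seen[ip].add(user)
    return {ip: sorted(users) for ip, users in seen.items()}


def naughty_list(attempts, threshold):
    """Source addresses with at least `threshold` failed attempts, most active first."""
    counts = attempts_per_ip(attempts)
    return [ip for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    attempts = parse_failed_logins(SAMPLE_AUTH_LOG)
    counts = attempts_per_ip(attempts)
    users = usernames_per_ip(attempts)
    for ip in naughty_list(attempts, threshold=3):
        print(f"{ip}: {counts[ip]} failed attempts, usernames tried: {', '.join(users[ip])}")
```

Run it against a real `/var/log/auth.log` (or `journalctl -u ssh -o short` output) instead of the sample to get the same per-address summary. The threshold is a tuning knob: a single mistyped password from a legitimate user should not land on the list, but an address that has cycled through several usernames almost certainly is a scanner.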


I just bought the Raspberry Pi 2 less than 1 week ago thinking it was about time to upgrade. WTH.


Especially as the FAQ still says: As of Feb 2015 there probably won't be a new model in the next 2-3 years.

https://www.raspberrypi.org/help/faqs/#generalFuture


Similar - got the kids one for Xmas thinking "this will last a while". They are still in the packaging while I fuss about other things. Ah well, they can get faster boards in a while.

Minecraft runs anywhere.


Google analytics?


Thanks. I never really programmed for the web


You're welcome.


Hi CiPHPerCoder. Can I PM you?


On Twitter? Yes, my DMs are open. Feel free to email me too:

    security@ my company's domain name
I'm pretty sure HN doesn't have PMs.


jacobparker: Indeed. I added related headers to my web server conf after the fact (https://github.com/WillieStevenson/conf-files/blob/master/ng...). I should have mentioned it in my post.

