Archer C3150 Blue UI - how do I block incoming traffic by IP or Subnet mask?
Long story short, some IP from China is trying to break into my network. I had a SSH server on a high port, but they found it with a port scan. I'd like to be able to block this incoming connection at the router. I've seen some instructions on doing host filtering with the "Green UI" to block hosts, but it appears to be related to local hosts going outbound. Host blocking
I can't seem to find anything in the UI that supports this method. Doesn anyone know if it is possible, and if so, provide instructions?
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
@Carl I don't believe there would be logs on the router unless it logged allowed traffic. It went to my internal server, but was blocked due to bad password. Here are logs from the SSH server
<event seq="2170" time="2019-12-08 15:22:10.956664 -0800" app="BvSshServer 8.32" name="I_CONNECT_ACCEPTED" desc="Connection accepted.">
<session id="1698" service="SSH" remoteAddress="122.144.179.29:60327" loc="CN/AS"/>
<location continent="Asia" country="China"/>
<sessions ssh="1" sshAuth="0" ftp="0" ftpAuth="0"/>
</event>
<event seq="2171" time="2019-12-08 15:22:11.120341 -0800" app="BvSshServer 8.32" name="I_CONNECT_VERSION_RECEIVED" desc="Client version string received.">
<session id="1698" service="SSH" remoteAddress="122.144.179.29:60327" loc="CN/AS"/>
<parameters clientVersion="SSH-2.0-libssh-0.2"/>
</event>
<event seq="2172" time="2019-12-08 15:22:11.285865 -0800" app="BvSshServer 8.32" name="I_SESSION_DISCONNECTED_NORMALLY" desc="Session disconnected normally.">
<session id="1698" service="SSH" remoteAddress="122.144.179.29:60327" loc="CN/AS"/>
<parameters disconnectReason="EofReceived" socketBytesReceived="20" socketBytesSent="852" payloadBytesReceived="0" payloadBytesSent="693" channelBytesReceived="0" channelBytesSent="0"/>
<sessions ssh="0" sshAuth="0" ftp="0" ftpAuth="0"/>
I really only have this exposed to the internet so I can automatically back up my webhost. I'm using just cert authentication, so brute force would not work, but it is still concerning. The remote port of the IP cycles through.
This IP is a known bad IP listed at http://blacklists.co/download/all.txt
- Copy Link
- Report Inappropriate Content
The selected model you have is the Archer C3150 V2 but i wanted to make sure that is correct as in the title you stated blue UI. If the C3150 V2 is you model make sure the AV software in homecare is enabled. This has a built in intrusion prevention system that should block the incomming attack attempts.
- Copy Link
- Report Inappropriate Content
Carl wrote
The selected model you have is the Archer C3150 V2 but i wanted to make sure that is correct as in the title you stated blue UI. If the C3150 V2 is you model make sure the AV software in homecare is enabled. This has a built in intrusion prevention system that should block the incomming attack attempts.
Hi, yes it is v2 and HomeCare is enabled. Maybe that IP isn't in the list to block? The website I listed earlier doesn't have that IP now, but it is in the Google cache from 12/11/19. Maybe they just spun it up and not that it is blocked have moved to a new IP? I temporarily turned my port forward back on for a few mintues last night and didn't see any new connections.
Is there not a way to add a list of IPs to block, or is that list only part of the system? Also, is the HomeCare AV free for the life of the product, or a subscription? I don't recall ever signing up for it.
- Copy Link
- Report Inappropriate Content
The Malious content and intrusion prevention system is powered by TrendMicro. There is no way for us to manually add addresses to this blocked list. Its based on thier content filters.
We can attempt to send the address to TrendMicro and have it reviewed but it would be based on the results they find.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 1367
Replies: 5
Voters 0
No one has voted for it yet.