Urgent - someone trying to hack into my VPN server router

My internet service provider emailed me saying someone's trying to access my device or exploit my device... and it provided the device name: it's my GL-AXT1800, which I am using as a VPN server while I am overseas. For now I have unplugged it, but I can't keep it unplugged for more than a few hours. Please help urgently.

  1. Any advice on what I should do?

  2. What are all the passwords I should change, and how?

  3. What type of password combination is supported, or what can I do to make it a very hard password so it is the hardest to break? I.e. alphanumeric, 67 characters with special characters. Annoying, but I am happy to do it if it prevents easy exploitation.

  4. Is there any way to do two-factor authentication?

  5. What else can I do to really harden my security, if you will?

I have 3 ports open, all pointing to that device: 2 for the WireGuard VPN server (the common WG port and 1 backup) and 1 for OpenVPN (443).

Thanks :pray:

Reset the device first, and next time check inside the security options that SSH is not open to WAN.

There is only one password, the one you set up on first use.

You can use a password manager; however, in the correct configuration your web UI is usually only accessible from local LAN/Wi-Fi and from inside the VPN tunnels on the gateway IP of the VPN. Note that for the VPN a hacker still has to authenticate with keys, which is a higher standard than a password, so that is unlikely.

You can use key authentication, but that is not the default in the GL UI; you need LuCI for that, and you still need to use a password for the web UI, so it's not 2FA, it only makes SSH more secure.

And you can also limit SSH or completely disable it; then key authentication is also not important. Again, with a correct, healthy firewall configuration it's unlikely you get hacked via this, but good practice always keeps strong passwords, also in case the attack was carried out over Wi-Fi, which is rarer compared to attacks coming from the internet :slight_smile:

A firewall works like:

Client -> internet (since the client is the originating source, the destination is accepted to talk back on the same connection)

However, it should never be the following, except in the case described above:

Internet -> client.

Well, let's guess what I think happened here:

A: You bought a pre-configured second-hand router from Amazon? Always reset such things.

B: It could be that your router was misconfigured so that your firewall wasn't working, which indeed grants access to SSH and other things. Trust me, there are a lot of bots out there which easily brute-force SSH; I know that because when you try to install Windows Server on an OVH datacenter server, these bots already come in during the post-installation of Windows Server, and usually they use it to turn it into a seedbox and other bad stuff. The most secure way is long, strong passwords or even keys.

C: It can also be that it is an infected device other than your router. The issue here is that you need a little more time figuring out which one it is; the ISP cannot see your devices and is only aware of the originating traffic, so it only sees your router.

You could try intercepting DNS with AdGuard or check with Wireshark for suspicious traffic, but the best is to contact the ISP about what kind of traffic it is.

You can also try disconnecting all devices and then slowly connect them one by one while checking if it logs suspicious, unexpected domains or other suspicious traffic.

Based on your level of skill you can now kind of make your assessment and try to figure out what just happened :slight_smile:

Could you please post the whole mail they sent to you? Usually they are not able to detect "hacking" like this, so I assume that they gave you other information which you need to share with us :wink:

Years ago at my parents' place the ISP blocked internet and emailed that there was a malicious detection.

One of these heuristics is outgoing spam mail; if the ISP receives abuse complaints they will check it and freeze.

But the odd thing is that they also mention the router model; that is a very non-standard response. You would more likely expect the kind of automated mails like when they detect illegal download activity.

Won't hurt to see the mail, and whether the SPF or DMARC IP is valid for the ISP domain. :+1:

I've received messages like this for some of my customers. This doesn't necessarily mean that somebody hacked your devices, but it does indicate that someone attempted to gain unauthorized access.

To investigate this further, you need more information. Please ask your provider for the following:

  • Exact time of the attempted access
  • Any relevant log files or traces
  • Any other information you may have received about the incident

Without this information, it will be difficult to determine the full extent of the attempted breach.

Just make sure it isn't some bogus phishing email that you have actually received...

It's not fake, it's a real notification from the ISP (AT&T).

Thank you so much for the thorough response. I'm using the generic AT&T modem/router that they officially sell or lease out every month.

This might help; I'll try to get more of the info too.

I think they might mention the router name maybe because when I did try to set up partial port forwarding to set up the VPN, I had to select the device that the port would point to, and it would actually come up with the name they automatically give the device. And I'm using the ISP's (AT&T in the USA) original modem/router combination.

I have checked the blocked IP against AbuseIPDB and it looks like it is an SSH bot, so it tries to brute-force SSH and scans ports.

So in your situation you want to make sure your router is not open to the internet other than on the VPN server listening ports.

Did you accidentally put the router on DMZ?

No need to be alarmed, to be honest. SSH brute-forcing is so common, most admins won't even monitor it ... :slight_smile:

Firstly, as @xize11 said: disable SSH on your WAN interface and triple-check what is going on there.

Second: if you want to be reachable via SSH (which is totally fine!), adjust SSH to work only with public key authentication; see SSH key authentication - #2 by RVer

Though let's not jump to conclusions yet, I also want to know the "more info" bit about the ISP :slight_smile:

According to AbuseIPDB the hostname is ucloud; it can also be an infected site or a local client communicating with it with evil intent, but the blocked IP clearly shows signs of a compromised host.

I switched from port 22 to something different and the brute force attacks are down to zero.

If you can, add something like fail2ban to block an attacker after x attempts.

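As an added example (not code from this thread or from the fail2ban project), here is the counting rule fail2ban applies, written as a small Python script run over constructed log lines in the style of OpenWrt's dropbear SSH daemon: an IP gets banned once it reaches `maxretry` failed logins within `findtime`. The log lines, IP addresses and thresholds are all constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the style of dropbear (OpenWrt's SSH daemon) as shown by
# `logread`. The IPs are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Sat Jun  1 10:00:01 2024 authpriv.warn dropbear[1201]: Bad password attempt for 'root' from 203.0.113.5:41022
Sat Jun  1 10:00:03 2024 authpriv.warn dropbear[1203]: Bad password attempt for 'root' from 203.0.113.5:41031
Sat Jun  1 10:00:04 2024 authpriv.warn dropbear[1204]: Login attempt for nonexistent user from 203.0.113.5:41040
Sat Jun  1 10:00:05 2024 authpriv.warn dropbear[1205]: Bad password attempt for 'root' from 203.0.113.5:41055
Sat Jun  1 10:00:09 2024 authpriv.warn dropbear[1207]: Bad password attempt for 'root' from 203.0.113.5:41061
Sat Jun  1 10:02:30 2024 authpriv.info dropbear[1220]: Password auth succeeded for 'root' from 10.8.0.2:50011
Sat Jun  1 10:05:00 2024 authpriv.warn dropbear[1230]: Bad password attempt for 'root' from 198.51.100.7:39000
Sat Jun  1 12:30:00 2024 authpriv.warn dropbear[1301]: Bad password attempt for 'root' from 198.51.100.7:39012
"""

# Only failed-login messages match; the successful login from the VPN client does not.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) .*dropbear\[\d+\]: "
    r"(?P<msg>Bad password attempt|Login attempt for nonexistent user).* from "
    r"(?P<ip>[\d.]+):\d+$"
)


def parse_failures(log_text):
    """Return a list of (timestamp, source_ip) for every failed SSH login in the log."""
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
            failures.append((ts, m.group("ip")))
    return failures


def ips_to_ban(log_text, maxretry=5, findtime_s=600):
    """Sliding-window rule: an IP is banned once it has maxretry failures within findtime_s seconds."""
    recent = defaultdict(list)   # ip -> timestamps of failures still inside the window
    banned = set()
    for ts, ip in parse_failures(log_text):
        # keep only attempts that are still within the window relative to this one
        recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= findtime_s] + [ts]
        if len(recent[ip]) >= maxretry:
            banned.add(ip)
    return banned


if __name__ == "__main__":
    print("would ban:", sorted(ips_to_ban(SAMPLE_LOG)))
```

With the defaults, 203.0.113.5 (five failures in eight seconds) is banned while 198.51.100.7 (two failures hours apart) is not; lowering `maxretry` without widening `findtime_s` still leaves the slow source alone.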

That's another approach, yeah.

Interesting...
The message says it's an exploit attack.
Which firmware version are you using in your GL-AXT1800?

That IP is from HK. It's not you? Because you said you are abroad :slight_smile:

I believe it was 4.6.2 for the firmware.
Yes, I am abroad but nowhere close to there :stuck_out_tongue:

I have installed fail2ban as a plugin, is that all I need to do for it to work or is there some configs I need to do on top of it? Thanks!