Yes, it's definitely worth checking. It's better than assuming that a router isn't opening anything up to the outside world.

I submitted some logs to Zyxel & they told me its not an attack & that its nothing to worry about.

Why would Russian hackers want to get into my router? Im not a corporation or government department. Can they be stopped?

I reset my router last week because i was changing the wifi settings & for some reason it wouldn't accept my password. So i had to reset the router.

BTW i cannot get the log settings to work in my router, it did this before but i dont know what i did in the log settings. How do i get it working again?

Log
Log Settings

I went to the GRC Shield website & ran their test.

THE EQUIPMENT AT THE TARGET IP ADDRESS
DID NOT RESPOND TO OUR UPnP PROBES!
(That's good news!)

In reply to a post by Natty:

Why would Russian hackers want to get into my router?

It's nothing personal. They want to get into everyone's router. If you reset the router, I hope you changed any default passwords. I suggest this site, and be sure to make it 30 characters (router being kinda important and all that).

If a hacker can potentially control a router they can use it to bounce their traffic, and it makes you look like the source of attacks. Or, they can use it with others to attempt DoS attacks on bigger targets. Having said all that, they'll be happy to take any of your personal data they can get from hacking your router.

In reply to a post by Natty:

I submitted some logs to Zyxel & they told me its not an attack & that its nothing to worry about.

Strictly speaking it's a reconnaissance for an attack but they didn't get in this time. Interestingly, had they got in, there would have been zero evidence in the logs as the router isn't logging allowed traffic.

As for logging settings, they appear to be correct. If you've only just enabled logging again it may be a while before anything is there to see. Sometimes routers hold log file information in memory and only dump it to a file after a set period of time or they may not display it when the log file is below a certain size. Try again later to see if there's anything new.

Edited by caffn8me (Thu 26-Nov-20 17:41:24)

So what can be done about these attacks? Report it to my ISP? Zyxel support?

These reconnaissance probes/attacks affect every single device which faces the internet with a real IP address; routers and firewalls or devices behind a modem or bridge mode router. You can't do anything to stop them, short of disconnecting your router from the internet completely.

What your router logs are showing you is that these attacks are being stopped, which is good. They're more of academic interest rather than something you can do anything about.

If you want to make something on your home network available to the internet at large, such as a file server, Windows Remote Desktop or CCTV camera, the router logs serve to remind you that attackers are trying to compromise your network and they will find your open ports which they can then directly target with carefully crafted attacks.

Anyone running a service on their home network which is available to the outside world should take extra precautions to ensure it is protected. This includes things like using software to detect and prevent intrusions, logging access attempts and reviewing the logs, using strong password protection and multifactor authentication, and ensuring that the server software or device firmware is fully up to date with recommended security settings.

Above all, you've disabled UPnP, so let the logs reassure you that things aren't getting through.

Edited by caffn8me (Fri 27-Nov-20 10:28:58)

As an aside, I've been amazed in the past when I've read reports of how quickly 'honeypots' got compromised but that's going back to the late 90's early 00's. I wonder if the default security of current routers has been largely successful in keeping intruders out?

In reply to a post by caffn8me:

[SNIP]

Anyone running a service on their home network which is available to the outside world should take extra precautions to ensure it is protected. This includes things like using software to detect and prevent intrusions, logging access attempts and reviewing the logs, using strong password protection and multifactor authentication, and ensuring that the server software or device firmware is fully up to date with recommended security settings.

The last one of that list is by far the most important. Every device on your network needs to be patched in a timely manner. Further unfortunately the manufactures of most consumer grade routers are appallingly bad at supplying any updates and if they do generally for a couple of years at most. Which is why I steer clear of them and pay the premium for kit from vendors like Ubiquiti, Mikrotik and Draytek that provide security updates for many years after product launch.

Another important trick is to have your firewall/router/server rate limit connection attempts, especially if the connection is unsuccessful. Apart from anything else it can free up a surprising amount of bandwidth on your connection.

The vast majority of known compromises of home networks/kit is leaving default passwords on Internet facing devices. Things like cameras, smart door bells, connected toys, etc are almost always compromised due to poor password security - either because bad passwords are baked in or because they have a default that doesn't get changed.

There are few compromises that I have seen reported where a 3rd party has actually actively hacked a home network using more advanced techniques - and mostly little benefit to them doing so.

EDIT : Just to add the other most likely way of being "hacked" is by visiting dodgy links that install malware on the device - passwords and users following dodgy links are by far the most likely way a home user will be compromised.

Edited by ian72 (Fri 27-Nov-20 11:41:35)