These are the first Digi WR21s I have set up that have a public IP. They are being hit pretty regularly, any time I turn them on, by sources outside the US:
13:38:48, 11 Jan 2010,GP socket connected: xxx.xxx.xxx.xxx:22 -> 46.172.71.249:7872
13:38:44, 11 Jan 2010,GP socket connected: xxx.xxx.xxx.xxx:22 -> 46.172.71.249:46748
13:38:40, 11 Jan 2010,GP socket connected: xxx.xxx.xxx.xxx:22 -> 46.172.71.249:12232
13:38:38, 11 Jan 2010,GP socket connected: xxx.xxx.xxx.xxx:22 -> 46.172.71.249:9130
12:47:43, 11 Jan 2010,GP socket connected: xxx.xxx.xxx.xxx:22 -> 223.25.233.38:50955
Is there a ruleset that I can turn on or customize to block all connections from outside the US?
If you are using a fixed IP address for your management location, I would look at using the firewall to allow by exception.
Remote management rule allowing all ports from the NOC address:
pass in break end on ppp1 from x.x.x.x to addr-ppp 1
Block all to the PPP interface. The rules above it must cover VPN and all other wanted traffic:
block in break end on PPP1 from any to addr-ppp 1
or
specific blocks
block in break end from any to any port=22
block in break end from any to any port=23
block in break end from any to any port=80
block in break end from any to any port=443
block in break end from any to any port=8022
block in break end from any to any port=8023
block in break end from any to any port=8080
block in break end from any to any port=8443
If you use the firewall, you should be allowing only specific traffic into the router.
The other thing to think about is changing to a private address on the cellular network and using management over RemoteManager, or over a VPN built from the router.
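An added example, not from either poster, that turns the advice above into a quick check: it parses "GP socket connected" lines in the format the question quotes, counts connections from peers that are not on a management allowlist, and emits the allow-by-exception rules in the syntax quoted in this answer. Assumptions: the second address in each log line is the remote peer (the router side is listed first), and 203.0.113.10 is a constructed stand-in for the NOC address.

```python
import re
from collections import Counter

# Constructed sample lines in the same layout as the question's log excerpt.
# The last line is a constructed connection from the (assumed) NOC address.
SAMPLE_LOG = """\
13:38:48, 11 Jan 2010,GP socket connected: xxx.xxx.xxx.xxx:22 -> 46.172.71.249:7872
13:38:44, 11 Jan 2010,GP socket connected: xxx.xxx.xxx.xxx:22 -> 46.172.71.249:46748
12:47:43, 11 Jan 2010,GP socket connected: xxx.xxx.xxx.xxx:22 -> 223.25.233.38:50955
12:40:00, 11 Jan 2010,GP socket connected: xxx.xxx.xxx.xxx:22 -> 203.0.113.10:51000
"""

# time, date, then "local:port -> remote:port"; assumption: local side comes first.
LINE_RE = re.compile(
    r"^(?P<time>[\d:]+), (?P<date>[^,]+),GP socket connected: "
    r"(?P<local>[^:\s]+):(?P<lport>\d+) -> (?P<remote>[^:\s]+):(?P<rport>\d+)$"
)

def parse_log(text):
    """Return a list of (local_port, remote_ip) for every matching line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((int(m.group("lport")), m.group("remote")))
    return events

def unexpected_peers(events, allowlist):
    """Count connections per remote IP that is not a known management address."""
    return Counter(ip for _port, ip in events if ip not in allowlist)

def allow_by_exception_rules(allowlist):
    """Build 'pass the NOC, block everything else on ppp1' rules in the
    syntax quoted in the answer. VPN/other wanted traffic still needs its
    own pass rules placed above the final block rule."""
    rules = [f"pass in break end on ppp1 from {ip} to addr-ppp 1"
             for ip in sorted(allowlist)]
    rules.append("block in break end on ppp1 from any to addr-ppp 1")
    return rules

if __name__ == "__main__":
    noc = {"203.0.113.10"}  # constructed management address
    evts = parse_log(SAMPLE_LOG)
    for ip, n in unexpected_peers(evts, noc).most_common():
        print(f"{ip}: {n} connection(s) to port(s) {sorted({p for p, r in evts if r == ip})}")
    print("\n".join(allow_by_exception_rules(noc)))
```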
I would use a bit of security by obscurity here.
Steps:
Move your ssh port to 22222 from 22. The bots look for 22; if it's on 22222 and YOU know that, you just tell your ssh client to connect on 22222 rather than 22.
Open this port in the fw:
pass in break end proto tcp from any to any port=22222 flags S!A inspect-state