RV082 Log file showing authentication failure

Mar 13th, 2010

Log is showing several attack attempts on our network.

RGFW-RATELIMIT: 1 messages of type BLOCK-SYNFLOOD reported 6 second(s) ago
Sat Mar 13 09:06:12 2010
LOGIN-WBM: Authentication Failure (2010/03/13 09:06:12 Bad login attempt for user: )

RGFW-RATELIMIT: 1 messages of type BLOCK-SYNFLOOD reported 1 second(s) ago
Sat Mar 13 09:06:09 2010

LOGIN-WBM: Authentication Failure (2010/03/13 09:06:06 Bad login attempt for user: )

Sat Mar 13 09:06:05 2010

RGFW-RATELIMIT: 2 messages of type BLOCK-SYNFLOOD reported 4 second(s) ago
Sat Mar 13 09:05:36 2010

As a precaution I changed the admin name and password. The password is now over 10 characters. The admin name I do not think they would ever guess.

Question - Could this be why we are starting to notice slowdowns on our internet?

Second - Is there anything we can do to stop some of this?

Third, MOST IMPORTANT - Looking to upgrade the router to a 10/1000 router. Which router is Cisco putting out that has the same security and stable running as this RV082? Love the router and want one that is as good or better. Do not want wireless, and VPN is not needed, but if it has VPN that is OK.

Darren DeCroock Sat, 03/13/2010 - 10:33

Looks like someone or something is trying to hit your router... Could be a port scan, or some other attack. Not really much you can do about it, but at least your router is recognizing this, and blocking it from coming through. If these scans or whatever they are are happening constantly, it could cause your internet speeds to slow down.

The only thing I can think of that you could try is to get a new IP address if it is static, or try releasing and renewing your IP if you are receiving a DHCP address.

The replacements for the RV082, or the RV0xx series, are the SA520, SA520W, and SA540, which are security appliances/routers. There are also the SR520 routers that are available in 3 models (Ethernet, DSL, T1). (The SA routers support 10/100/100, the SR routers only support 10/100.)

SA520, SA520W, & SA540 -

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps9932/data_sheet_c78-542899.html

SR520's

http://www.cisco.com/en/US/partner/products/ps9305/products_data_sheets_list.html

Now, since these routers are new, I can't say they are as stable as the RV0xx series at this point, or at least don't have enough data to confirm, but I have no doubt that they will be as the products mature.

Thank you,

Darren

nbisolutions Mon, 07/26/2010 - 06:02

I have the same issue and have also changed the user id/password.  However, in order to stop such an attack, it would be necessary, it seems to me, to get the IP address of the offending party.  I cannot seem to get that information from the router.

At least one could report that to the domain's authority and theoretically they could match the ongoing attack to the individual host, even via DHCP, allowing them to act against them.  Maybe we could start shutting these jokers down and get an actual prosecution going.  The fact that they are attempting break-ins and wasting significant amounts of our bandwidth should be sufficient cause if one could get a local prosecutor interested.

Perhaps there are other remedies as well, but I'm not a security expert by any stretch of the imagination.
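
As an added example (not part of the original thread and not Cisco code): a short Python script that tallies the two event types in the log lines quoted in the question and flags bursts of failed logins. The 60-second window and the threshold of 2 are assumed values for illustration; the quoted lines carry no source address, so only counts and timing can be derived from them.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Log lines copied from the question above (format as shown there).
SAMPLE_LOG = """\
RGFW-RATELIMIT: 1 messages of type BLOCK-SYNFLOOD reported 6 second(s) ago
Sat Mar 13 09:06:12 2010
LOGIN-WBM: Authentication Failure (2010/03/13 09:06:12 Bad login attempt for user: )
RGFW-RATELIMIT: 1 messages of type BLOCK-SYNFLOOD reported 1 second(s) ago
Sat Mar 13 09:06:09 2010
LOGIN-WBM: Authentication Failure (2010/03/13 09:06:06 Bad login attempt for user: )
Sat Mar 13 09:06:05 2010
RGFW-RATELIMIT: 2 messages of type BLOCK-SYNFLOOD reported 4 second(s) ago
Sat Mar 13 09:05:36 2010
"""

LOGIN_RE = re.compile(
    r"LOGIN-WBM: Authentication Failure \((\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) "
    r"Bad login attempt for user: ?(.*)\)")
RATE_RE = re.compile(r"RGFW-RATELIMIT: (\d+) messages of type (\S+) reported")

def parse(text):
    """Return (failures, blocked): failures is a sorted list of
    (datetime, username); blocked counts rate-limited messages per type."""
    failures, blocked = [], Counter()
    for line in text.splitlines():
        if m := LOGIN_RE.search(line):
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            failures.append((ts, m.group(2).strip()))
        elif m := RATE_RE.search(line):
            blocked[m.group(2)] += int(m.group(1))
    return sorted(failures), blocked

def bursts(failures, threshold=2, window=timedelta(seconds=60)):
    """Start times of windows holding >= threshold failures (assumed defaults)."""
    times = [ts for ts, _ in failures]
    return [t for i, t in enumerate(times)
            if sum(1 for u in times[i:] if u - t <= window) >= threshold]

if __name__ == "__main__":
    failures, blocked = parse(SAMPLE_LOG)
    print("LOGIN-WBM authentication failures:", len(failures))
    print("failures with a blank user name:", sum(1 for _, u in failures if not u))
    print("rate-limited messages by type:", dict(blocked))
    print("burst windows starting at:", bursts(failures))
```

Run against a full exported log, the same counts show whether the failed logins and SYN-flood blocks are a one-off or a sustained pattern.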