@Carl I don't believe there would be logs on the router unless it logged allowed traffic. It went to my internal server, but was blocked due to bad password. Here are logs from the SSH server

 <event seq="2170" time="2019-12-08 15:22:10.956664 -0800" app="BvSshServer 8.32" name="I_CONNECT_ACCEPTED" desc="Connection accepted.">
    <session id="1698" service="SSH" remoteAddress="122.144.179.29:60327" loc="CN/AS"/>
    <location continent="Asia" country="China"/>
    <sessions ssh="1" sshAuth="0" ftp="0" ftpAuth="0"/>
  </event>

  <event seq="2171" time="2019-12-08 15:22:11.120341 -0800" app="BvSshServer 8.32" name="I_CONNECT_VERSION_RECEIVED" desc="Client version string received.">
    <session id="1698" service="SSH" remoteAddress="122.144.179.29:60327" loc="CN/AS"/>
    <parameters clientVersion="SSH-2.0-libssh-0.2"/>
  </event>

  <event seq="2172" time="2019-12-08 15:22:11.285865 -0800" app="BvSshServer 8.32" name="I_SESSION_DISCONNECTED_NORMALLY" desc="Session disconnected normally.">
    <session id="1698" service="SSH" remoteAddress="122.144.179.29:60327" loc="CN/AS"/>
    <parameters disconnectReason="EofReceived" socketBytesReceived="20" socketBytesSent="852" payloadBytesReceived="0" payloadBytesSent="693" channelBytesReceived="0" channelBytesSent="0"/>
    <sessions ssh="0" sshAuth="0" ftp="0" ftpAuth="0"/>

I really only have this exposed to the internet so I can automatically back up my webhost. I'm using just cert authentication, so brute force would not work, but it is still concerning. The remote port of the IP cycles through.

This IP is a known bad IP listed at  http://blacklists.co/download/all.txt

@Carl 

Carl wrote

@Stettin 

 

The selected model you have is the Archer C3150 V2 but i wanted to make sure that is correct as in the title you stated blue UI.   If the C3150 V2 is you model make sure the AV software in homecare is enabled.  This has a built in intrusion prevention system that should block the incomming attack attempts. 

Hi, yes it is v2 and HomeCare is enabled. Maybe that IP isn't in the list to block? The website I listed earlier doesn't have that IP now, but it is in the Google cache from 12/11/19. Maybe they just spun it up and not that it is blocked have moved to a new IP? I temporarily turned my port forward back on for a few mintues last night and didn't see any new connections.

Is there not a way to add a list of IPs to block, or is that list only part of the system? Also, is the HomeCare AV free for the life of the product, or a subscription? I don't recall ever signing up for it.