DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

2860ac syslogs

06 Jan 2016 22:50 #1 by john_d12
2860ac syslogs was created by john_d12
Hi
My service provider has been informed by CERT that my IP address has been compromised and that something on my network is using brute force SSH attacks. I have rung DrayTek twice and asked if they could help with setting up my 2860ac to log my traffic for outgoing IP and port numbers so if it happens again I can find the device. DrayTek said they would email me the information to help, but all I get is no reply. Can someone here help me with this so I can get my router set up?
Thank you.

07 Jan 2016 12:40 #2 by admin3
Replied by admin3 on topic Re: 2860ac syslogs
Try this setup, which will send syslog for any new sessions going through the router's firewall:


Then set up syslog and the syslog utility:
http://www.draytek.co.uk/support/guides/kb-vigor-syslog

The Firewall tab of the syslog utility will then show which IP addresses are making sessions on TCP 22.




Another very quick way to check this would be under [Diagnostics] > [NAT Sessions Table] in the router's web interface. If you see many sessions in there with 22 listed as the Peer IP:Port, then that would show the local IP address of the computer making these SSH connection attempts.



Forum Administrator
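
One way to pick out the offending host once the firewall syslog is being collected, as an added example that is not part of the original posts or DrayTek's tooling: it counts, per LAN address, new sessions to TCP 22 on outside addresses. The line layout (`src:port -> dst:port`), the LAN subnet 192.168.1.0/24 and the sample lines are assumptions; adjust the pattern to what your syslog receiver actually records.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed layout: any line containing "src_ip:src_port -> dst_ip:dst_port".
FLOW_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d{1,5})\s*->\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d{1,5})"
)

def ssh_sources(lines, lan="192.168.1.0/24", port=22, min_targets=3):
    """Return {lan_ip: (sessions, distinct_destinations)} for LAN hosts that
    opened sessions to `port` on at least `min_targets` outside addresses."""
    lan_net = ipaddress.ip_network(lan)  # assumed LAN subnet
    sessions = defaultdict(int)
    targets = defaultdict(set)
    for line in lines:
        m = FLOW_RE.search(line)
        if not m or int(m["dport"]) != port:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # malformed address such as 999.1.1.1
        # Keep only sessions leaving the LAN for an outside address.
        if src not in lan_net or dst in lan_net:
            continue
        sessions[str(src)] += 1
        targets[str(src)].add(str(dst))
    return {ip: (sessions[ip], len(targets[ip]))
            for ip in sessions if len(targets[ip]) >= min_targets}

# Constructed sample lines (documentation address ranges), not real router output.
SAMPLE = """\
Jan  6 21:10:01 router: 192.168.1.23:50112 -> 203.0.113.10:22 (TCP)
Jan  6 21:10:01 router: 192.168.1.23:50113 -> 203.0.113.11:22 (TCP)
Jan  6 21:10:02 router: 192.168.1.23:50114 -> 198.51.100.7:22 (TCP)
Jan  6 21:10:02 router: 192.168.1.23:50115 -> 203.0.113.10:22 (TCP)
Jan  6 21:10:03 router: 192.168.1.40:41000 -> 198.51.100.7:443 (TCP)
Jan  6 21:10:04 router: 192.168.1.40:41001 -> 203.0.113.10:22 (TCP)
""".splitlines()

if __name__ == "__main__":
    for ip, (count, spread) in sorted(ssh_sources(SAMPLE).items()):
        print(f"{ip}: {count} sessions to TCP 22 on {spread} destinations")
```

A host that reaches many different destinations on port 22 in a short time is the one to inspect; a single session to one server is normal administration and stays below the default threshold.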
