28 Comments
If you're one of those reporters who got it wrong, perhaps you should have another look at my Advice for reading about security.
Nice Article
rkuhn@... 26th Mar 2009
There is absolutely no excuse for being vulnerable to this exploit other than having a huge "I'm a moron" painted on your forehead.
My router doesn't have a password; however, I have WAN access turned off. Am I safe from this?

I DO have a webserver inside my network, however. It is not a Nix machine.
Well . . .
apotheon 24th Mar 2009
Whether you're at risk from this specific threat depends on what "WAN access turned off" means in the case of your specific router, and whether your router is running a vulnerable firmware version.

There's also the fact that, if your router doesn't require any kind of authentication, it might be vulnerable through other means (such as via wireless access or a potential infection of your Webserver that may then target the router).
Like you can enter the public IP address of the router and get to its config page. This is turned off.

It doesn't require authentication; however, my wireless is secured: both guest and actual logins are secured.
You should really protect access to the administrative interface with a password, if you're currently running it without a password (or with the default password). Also, you might consider making the admin interface inaccessible from wireless connections, if that's an option with your router.

If your router supports remote connections (from the WAN) via Telnet or SSH to access the admin interface, that provides as much of a vulnerability as the Web interface, as pointed out in the DroneBL information page.
You mentioned WEP2 in another post. Are you using WEP encryption on your wireless or WPA/WPA2? It should be WPA2 unless there is specific hardware limiting you to WPA. If specific hardware limits you to WEP, consider replacing the hardware or not having it on the wireless network. WEP is about two minutes from discovery to connection for anyone that chooses to break into your network.

Apoth probably covered it all, but in case I hit something:

- change your wireless channel away from default (probably 6) to something with less noise on it.

- change your SSID to something meaningful without being directly identifiable (eg. "roses" instead of "142mapledrive")

- broadcast your SSID. anyone breaking in will be able to see a hidden SSID. The only effect not broadcasting it has is to end up with more people on your channel.

- use WPA or WPA2 (preferably WPA2) and set a good strong passphrase for clients to connect with. A home network shouldn't have enough machines being added or removed for it to be an issue.

- disable administration from wireless

- disable administration from WAN (internet)

- disable admin through http and only connect through https for changing router settings

- if possible, change your admin username

- choose a good strong admin password

- consider MAC address filtering (allow only). This is not really a security feature but will reduce the amount of noise your router cares about as it won't try to process network traffic from unknown MAC addresses. Again, on a small network it's not an issue to add in a MAC for regular guests.

My first night in a new building was spent without internet so I had a look-see at the wireless noise. I actually stumbled onto someone's network being broken into; when I looked at the traffic it was flooding the air with re-authentications (the magic packets). I haven't the hardware to identify where the network or the attacker are located so there's no helping that network. Hopefully, the network owner will notice my secondary router broadcasting SSID "WEP is unsafe, use WPA, this means you XYZ".
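The checklist above, turned into a check that can be run against an exported settings dump. This is an added example, not code from the thread or from any router vendor; the key names, the assumed defaults for absent keys and the 20-character passphrase threshold are assumptions, and both sample dumps are constructed.

```python
# Hypothetical key names (not any vendor's real NVRAM variables). A flag is
# "bad" when set to 1; the second column is the value assumed when the key is
# absent from the dump (wireless and plain-HTTP admin are assumed on by default).
BAD_FLAGS = [
    ("wl_hide_ssid", "0", "SSID hidden: gains nothing, broadcast it instead"),
    ("remote_admin_wan", "0", "web admin reachable from WAN: disable it"),
    ("remote_ssh_wan", "0", "SSH reachable from WAN: as exposed as the web UI"),
    ("remote_telnet_wan", "0", "Telnet reachable from WAN: as exposed as the web UI"),
    ("admin_wireless", "1", "admin reachable over wireless: limit to wired if supported"),
    ("admin_http", "1", "admin over plain HTTP enabled: allow HTTPS only"),
]
DEFAULT_CREDS = {("admin", "admin"), ("admin", "password"), ("admin", "")}

def parse_dump(text):
    """Parse 'key=value' lines into a dict, skipping blanks and # comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg

def audit(cfg):
    """Return the checklist items the configuration fails (empty = all pass)."""
    findings = []
    sec = cfg.get("wl_security", "none").lower()
    if sec in ("none", "open", ""):
        findings.append("wireless is open: enable WPA2 with a strong passphrase")
    elif sec.startswith("wep"):
        findings.append("WEP in use: replace with WPA2, WEP is broken in minutes")
    elif len(cfg.get("wl_passphrase", "")) < 20:   # assumed minimum length
        findings.append("wireless passphrase shorter than 20 characters")
    for key, default, msg in BAD_FLAGS:
        if cfg.get(key, default) == "1":
            findings.append(msg)
    creds = (cfg.get("admin_user", ""), cfg.get("admin_password", ""))
    if creds in DEFAULT_CREDS or not creds[1]:
        findings.append("admin credentials are default or empty: change both")
    return findings

# Constructed sample dumps, not captured from any real device.
WEAK_DUMP = "wl_security=wep\nwl_hide_ssid=1\nremote_admin_wan=1\nadmin_user=admin\nadmin_password=admin\n"
HARDENED_DUMP = ("wl_security=wpa2\nwl_passphrase=correct-horse-battery-staple-2009\n"
                 "wl_hide_ssid=0\nremote_admin_wan=0\nadmin_wireless=0\nadmin_http=0\n"
                 "admin_user=operator\nadmin_password=LongRandomFromKeePassX\n")
```

Running `audit(parse_dump(WEAK_DUMP))` reports six failed items (WEP, hidden SSID, WAN admin, wireless admin, HTTP admin, default credentials), while the hardened dump returns an empty list.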
And a fancy passphrase that should be unguessable.

I still have no admin password just because the damn thing removes the password every time it restarts the router (wtf lol).

I still have broadcasting turned on, but I am unsure how my laptop is going to deal with it, since it probably assumes it has to ask for the connection.

I believe I am not on channel 6, I think I changed the default channel as my first config option.

Sadly I cannot disable admin from wireless unless I also disable access to network drives from wireless, which is not helpful as I often use my Laptop as a netbook, where all my apps are stored on a desktop and just run over the wireless network. It's slow, but it works just fine and it saves space on its somewhat small HDD.

It doesn't support SSH or telnet config, and HTTP config is turned off since accessing my IP address on port 80 takes you to my webserver, so it would be counterproductive for it to take you to my router config page (and dangerous).
I still have no admin password just because the damn thing removes the password every time it restarts the router...

If you lose settings when you restart your wireless router, the router may be resetting instead of restarting.

You should be able to set an admin password different from the default. If you can't, it's probably time to replace the router.
To reboot, you should simply need to unplug the power for a minute or two then plug it back in. The reset button could definitely be the reason for it losing the password unless it is time for an upgrade.
I suspect the member is referring to the fact that the user name can't be changed. I suspect that the password can.
Not being there to see what's happening limits us to pure speculation. But I've had problems in the past where some wireless equipment won't take the configuration completely until I run through the process two or three times (resetting each time, of course) before the settings will stick.

At least it means getting into your wireless passphrase before getting into your admin forms. What is the router type? You may want to consider Tomato or DD-WRT firmware if it's supported, based on your current firmware not retaining a password or allowing you to disable admin over wireless anyhow.

With your SSID broadcast, your wireless devices can listen for it and know when to try and connect, which should avoid them calling out constantly when not at home. Any new OS platforms you're mucking with can pull your wireless SSID out of an "available networks" scan, provided they have the correct passphrase of course.

I forward my port ssh from the outside similar to your webserver setup. It's fun watching the attempts hit my snort and firewall.
So far it's the best router I've ever had, I don't want to mess with it.

Rebooting it will occasionally make it forget the password. It doesn't forget anything else though so it's no big deal to me. Disabling admin over wireless would probably be frustrating anyways since I do most of my admin stuff over wireless.
I use SSH
Neon Samurai 25th Mar 2009
With SSH, any GUI apps I run on my workstation display locally. I limit router administration to wired local connections then run the browser through SSH if I'm not at the machine.
If I may humbly add those two popular TPV firmwares are affected by this exploit.
I guess it would be as it allows telnet, ssh and http connections from the WAN interface. It's one of the first things I disable. If config backup was not limited to http, I wouldn't need to enable that again at all after the initial flash.

hm.. time to keep a closer eye on the website for the next v24 sp.
Chad mentioned in the article that this particular version was vulnerable. I know that many members are using some version of WRT firmware, that's why I thought it would be important to mention that specifically.

I have to believe that your password is bullet-proof. Right??
20 random characters generated out of KeePassX. They're not getting dictionaried or bruteforced any time soon. My current rainbows don't crack the client or admin passphrase either, but we'll see when the 34 gig big rainbow table finishes downloading.
It's not something blatantly weak but I can rainbow table it pretty quickly. I'd be concerned if I also didn't pay attention to logs and connection attempts. wink
For that. Still I won't as I'm sure you would be able to give it to me as well. Just disable all public-side exposure.
About mid last week I took Cain to all my machines at home having discovered that it read ophcrack rainbow tables. Now it's a matter of regular guest machines slowly getting the updated passphrase.

Definitely not anything open to the outside on my routers though. I may reflash it tonight just for fun though. The ports that do listen on the WAN device forward to a hardened Debian back end so I've been watching the port scans and login attempts through snort and psad.. Muwahahahahaa..
Hey
Michael Kassner 25th Mar 2009
OK, what are you forwarding? That in and of itself is an opening. Still, most exploits are using ports that are wide open to begin with.
With ssh, scp and sftp, my machine is all but beside me when not at home. Cloud-shmoud, I have all those benefits already and without involving a third party storage provider.

Firewall rules limit where connection attempts can be made from. Failed attempts have to come from an IP within three local ISP subnets so emailing "abuse@" is possible for anyone that shows too much interest in my systems.

Any other ports are forwarded on a temporary need basis; that pretty much only means opening 80 and 443 on occasion when needing a remote user to test something off my in-house dev server.

I figure it's no worse than having WPA2 broadcasting. In both cases, someone would have to bruteforce a stupid long passphrase. Each time I manage to break into my own network, passwords change to something that won't break under my dictionary lists, rainbow tables and reasonable bruteforce times.

But, my paranoia is always open to peer review and suggestions. wink
....that the "100,000" routers that are said to already be infected must be running with the default factory password. I have seen that so many times in my work, I'm surprised it's not 1,000,000 of 'em. And anybody who has ever set up routers knows what every manufacturer's default password is.
... disable all public-side exposure, I mean. I can do all the web testing I need inside my firewall, and deny all incoming at the perimeter. Not even port 80 is open.
Things like DeICE and DVL that I'm going to leave booted up for a while get blocked at the router; no internet traffic in or out to those nodes. The other nodes are hardened so it'd be an issue for someone to break my workstation then use that to bridge into one of the trainer systems. If they have my workstation, why would they bother with the weak machines anyhow? My NAS gets the same treatment; no reason for it to talk to the outside world so it gets blocked.

My one or two open ports are for me to use within known subnets so that limits the sources for attempts. I have had to open up port 80 and 443 though for remote clients looking at sites or server builds on my dev box. That's a temporary thing within an even more limited source scope though. wink
... even temporary demos. Maybe my geek quotient gets decremented a bit for not self-hosting, but I'd rather not take on the responsibility for securing any public sites.