how worried should I be at these suspicious settings?

[dcoli]

This evening, while trying to figure out why my kid can't play Dragonvale over Wifi, I discovered that DDNS was enabled on my router -- i had one of those asuscomm domain names assigned to me. Worse, Samba was turned on. I have two USB drives where I sftp restic and duplicity backups from a number of machines -- the transit is encrypted, but the restic backups are not encrypted I think, but they are behind a password. (Not sure on the security details, what it means to have a password.) I guess I'm just trying to take the temperature of my malady -- is it possible those things are on by default? I'm whistling in the dark here, aren't I?

 

[eibgrad]

DDNS certainly isn't ON by default. But given the plethora of third-party scripting associated w/ Merlin these days, who knows what's happening behind the scenes anymore. I suppose if you're NOT using third-party scripts, I'd be a whole lot more concerned. But if you are, it's mighty difficult to tell the difference between normal and malicious behavior.

 

[dave14305]

DDNS certainly isn't ON by default. But given the plethora of third-party scripting associated w/ Merlin these days, who knows what's happening behind the scenes anymore. I suppose if you're NOT using third-party scripts, I'd be a whole lot more concerned. But if you are, it's mighty difficult to tell the difference between normal and malicious behavior.

Are you aware of any third-party script discussed on these forums that make use of DDNS or Samba? I can’t think of any.

OP should be verifying that no external WAN access (SSH, HTTPS) has been enabled, and no unexpected firewall rules exist.

 

[ColinTaylor]

Are you aware of any third-party script discussed on these forums that make use of DDNS or Samba? I can’t think of any.

I can't think of any either. More likely to have been inadvertently setup as part of enabling AiDisk or AiCloud, perhaps through the mobile app?

 

[dcoli]

Thanks, yall. I haven't set up AIDisk -- not even in experimenting, I think. SSH and HTTP router access were set to Local only. But if they got to me by hacking a computer in my household, they wouldn't need WAN access to router, would they? They could have just done the sneaky stuff to the router via the hacked computer. The only third party script I'm using is YazFi. I used ikp? that package manager to install openSSH.

 

[ColinTaylor]

What router model? What firmware version?

What does the DDNS name look like? i.e. is it meaningful like "billsrouter" or is it a random string like "avgj1213138"?

 

[dcoli]

rt ac5300.
merlin 386.2
the ddns string was random, starting with a "a".

The only other things I've done to it:
- Install YazFi and set up an IoT guest network that the rest of the network could access, but couldn't access the main network.
- Created a separate guest network, closed off from the main but with internet access, for a baby cam.
- Installed openSSH and set up a few restic repos and an rclone site. I have unencrypted files on one of those hard drives that I'm still in the process of uploading to the cloud (I think. That may be done.)

My network is a mix of MacOS, Windows 10, Linux, Android, and iOS, with Alexa, Google Assistant, Sonos, Hue, and Eufy. Only one of the Macs, the iOS devices, and the Linux box don't have antivirus. I'm pretty good about network security, unencrypted files on a network drive notwithstanding ... they ARE behind SSH. Well, they were until the network share happened.

I turned the share back on momentarily to see that it was all password-protected, but the root user had 100% access, so if someone had hacked root they could get to everything. The other thing I set up to make restic and duplicity work was sharing a public key with the router and installing the private one on all my computers. (Yeah, I know, the same private one on all computers. Like I said, I'm "pretty good" with security.)

Last night at 2am I realized I could put an old business-class router between the cable modem and the Asus, so there's an extra layer of firewall that I don't believe has been hacked. It just cuts my download speed in half -- but at 100mbps it's still fine for Zoom.

 

[ColinTaylor]

the ddns string was random, starting with a "a".

Check the screen shots in this post and make sure none of your VPN servers have been enabled and/or new users created.

 

[dcoli]

I just happened to check VPN before I read this, and OpenVPN was serving. However, I might have done that when before I got sftp working, when I was trying to FTP over VPN from my laptop to the router. Hell. Unfortunately I turned it back off just now before checking if it was LAN only. When I went to turn it back on to see, it did say LAN only, but not sure if that resets when you toggle it on and off.

 

[dcoli]

I just happened to check VPN before I read this, and OpenVPN was serving. However, I might have done that when before I got sftp working, when I was trying to FTP over VPN from my laptop to the router. Hell. Unfortunately I turned it back off just now before checking if it was LAN only. When I went to turn it back on to see, it did say LAN only, but not sure if that resets when you toggle it on and off.

So far I've changed my router password and put my sensitive machines on their own isolated guest network. And turned off all the open stuff. Next I'm going to try to get antivirus on my kid's linux box.

 

[dcoli]

I had enabled that Downloader package on my router so that I could get the package manager that I installed openSSH with. Do you think that's a problem?

 

[ColinTaylor]

I don't know what you mean by "enabled that Downloader package" or are you referring to Entware? Merlin's firmware would then have opkg if that's what you mean, but you don't "enable" it as such. From what you've said I suspect that you didn't actually install the whole of openSSH but rather just added openssh-sftp-server to the built-in ssh server, which is not a problem.

 

[dcoli]

I must have read old information that said to install the SFTP server you had to install the Downloader option (I think it's an Asus provided thing) to get ipkg. I didn't realize Merlin already had opkg.

I guess the good news is now all my stuff is backed up in two places: within my network and in the cloud. The bad news is that while doing so I might have left something open that someone was exploiting. I'll check back in a few days and see if those vulnerabilites are open again. I'm not sure what else I can do, other than change my passwords. I might further cordon off my IoT devices, too.

 

[dcoli]

I don't know what you mean by "enabled that Downloader package" or are you referring to Entware? Merlin's firmware would then have opkg if that's what you mean, but you don't "enable" it as such. From what you've said I suspect that you didn't actually install the whole of openSSH but rather just added openssh-sftp-server to the built-in ssh server, which is not a problem.

I read on these forums that I needed to install this:

... to be able to use the package manager.

 

[ColinTaylor]

I read on these forums that I needed to install this:

... to be able to use the package manager.

Ah, OK that's very old information. Download Master is Asus' BitTorrent software which used to install the old Optware package manager behind the scenes. It's only useful if you're running stock firmware.

Optware is obsolete and has been replaced in Merlin's firmware with Entware so you shouldn't be installing Download Master just to get a package manager, you should be installing Entware by itself.

 

[dcoli]

Okay, I'll remove the Downloader then.

I have everyone now on a per user isolated guest network. The IoT stuff can all see each other but I use absolutely no station to station networking except for printing. Now that they've discontinued Google Cloud printing I'll just have to show everyone how to get on the IoT network momentarily to print.

I moved the printer off the main network that has access to the router administration. It would be nice if you could restrict that administration site access page to just one guest network, so I could have the dynamically allocated root network for users' computers and not give everyone access to the control panel.

Many thanks for the great advice from everyone on this thread.

 

[dcoli]

Hello,

I never found evidence of a virus on any computer, so I've put everyone on an isolated (no intranet, no internal communication) network. They just have to choose a different wifi network to print. The IoT stuff is all on its own network with one way access into it. All Sonos speaker access has to happen from smart devices like Alexa.

And with my automated restic backups over SSH to two USB drives on the router, I did something I want your opinion on: I opened SSH to the WAN and created a noip ddns to reach it. The SSH can only be accessed via certificate -- no passwords. I did this because the isolated network couldn't reach the router over the LAN. Does this sound sane? Is there a safer way for them to reach the router just for SSH, but not access each other?

 

[ColinTaylor]

If you're going to expose the SSH port to the internet make sure you change it from the default port (22) to an unregistered user port (5001 to 32767) otherwise every bot and script kiddie on the planet will be trying to hack it.

 

[dcoli]

Thanks. I actually have an old router acting as a gatekeeper with a port exposed in the 9000's range, which forwards it to something in the 2000s range, which the asus router listens for.

 

[MartinF]

If you're going to expose the SSH port to the internet make sure you change it from the default port (22) to an unregistered user port (5001 to 32767) otherwise every bot and script kiddie on the planet will be trying to hack it.

I've read that this is a false sense of security. But even if it's not, I'd think disabling password login, and only using RSA keys, would stop just about any anonymous attempts. And adding a password to the key would stop someone who got access to your private keys, at least for a little while until you change the locks.