[Security] - reminder to stay secure

[SwampKracker]

The ideal security device specializes in one thing - security. It is not fear mongering to recommend best practices for your router, especially when nothing stops an uninformed person from allowing WAN connections to ssh/webgui.

 

[wouterv]

Enable the built in firewall, change authentication to be MD5 hashed

Can you further explain the authentication part?

 

[swetoast]

All good - advice I provided is not "fear mongering" but intended for the better...

Anyways - RMerlin's firmware builds are pretty solid, as are the factory builds for the most part - and Asus, I've been hinted here on the forums, is going down a different path perhaps...

As for me - I'm a ex-developer/systems engineer/product dev/architect guy, and have self-funded something entirely new...

So you can do padovan or whatever... perhaps DDWRT or OpenWRT are your friends here...

But do not call me a fear monger for stating basic advice that most should consider...

sure i can apologize for saying that, but to the common user thats not a developer or a technician reading those statements says only one thing dont do anything on your router.

what we should encourage is that read about the features and learn about your router dont just go on your buddies advice that the router they recommended is the shirt cause it has cool features, i rather have the most dull interface if i know it works and is working as intended its when corporations lock users out of the process with proprietary stuff that users have no control over then lets it stagnate and get exploitable.

think we both agree on that atleast as for your new project ive been keeping an eye on it it looks nice and i hope you pull it off both with the hardware and the software.

 

[unclebuk]

I would like to add, just use Ctrl+F and search for "Password auth succeeded" in system logs. If any line show "Password auth succeeded" with unknown IP at the back, then it is likely that the router had been hacked.

For example, this was what happened to mine:

dropbear[18810]: Password auth succeeded for 'admin' from 37.8.101.9:50693

37.8.101.9 IP is not my country's IP, so I think my router was hacked.

I checked and discovered same entries as you, slightly different IP address which is listed as being in Palestine!

Can someone explain the worst case scenario if the above is true and my router was "hacked"??

 

[swetoast]

I checked and discovered same entries as you, slightly different IP address which is listed as being in Palestine!

Can someone explain the worst case scenario if the above is true and my router was "hacked"??

yes

turn off remote administration etc. follow the advice given by sfx2000 and remember that services thats not needed shouldnt be active on wan interface.

 

[unclebuk]

remember that services thats not needed should be active on wan interface.

I don't really understand this comment, can you explain further and clarify?

 

[swetoast]

read the thread! there is good advice in the thread about security and what settings you should turn off in order to secure your router.

 

[unclebuk]

read the thread! there is good advice in the thread about security and what settings you should turn off in order to secure your router.

yeah...read it already. But it seems you are saying to "activate services not needed..." A tad confusing to me.

 

[swetoast]

i didnt say activate the services not needed... i said the opposite turn off shirt thats not needed.. sry your on your own im way too busy today to help out.

 

[Wutikorn]

I checked and discovered same entries as you, slightly different IP address which is listed as being in Palestine!

Can someone explain the worst case scenario if the above is true and my router was "hacked"??

It seems like automated attack from other something like botnets, so the IPs come from any worldwide infected device(won't get specific IP as I got almost 10 different IPs worldwide).

The worst cases would probably be that it uses your router as botnet to infect more people, help to launch DDOS attack, collect your private information, redirect you to malicious/ads websites instead of the real websites your devices request, etc.

Swetoast means that no services should be exposed to WAN. It's probably typing mistake.

 

[swetoast]

It's probably typing mistake.

yupp been super busy today so indeed that was so sorry for the confusion

 

[unsynaps]

Padavan raised my eyebrows when I heard "wireless client mode" was made possible on Asus routers. If I have to name one feature that how 3rd party developers achieves it..that'll be it.

Look..I used to hear ppl come here to ask for "wireless client mode" on asuswrt/merlin, it still isn't available.

Why this does not sink in I will never know. Adding "wireless client mode" is completely outside what Merlin is doing with the firmware. If you want it go to Asus and ask or find another router. People continually fail to understand the scope of this project.

 

[swetoast]

padavan imho is secure its all open source review it and compile it.

 

[sfx2000]

Adding "wireless client mode" is completely outside what Merlin is doing with the firmware.

And it's completely out of scope of this thread

 

[wouterv]

What is the status of the scope of this thread?

 

[sfx2000]

What is the status of the scope of this thread?

Security - not wireless as wan

 

[leon]

May I know how is the ftp server on Asus router. Is is secured, assuming I use long password?

 

[wouterv]

May I know how is the ftp server on Asus router. Is is secured, assuming I use long password?

FTP by nature is not secure, user name and password are send in clear text and easy to sniff.

 

[swetoast]

its better to set up sftp but still iffy

since this thread is about security i made a little script that checks for dropbear offenders via syslog and bans ip

https://gitlab.com/swe_toast/dropbear-offenders/blob/master/dropbear_offenders

its dead simple so i dont think i have to explain it just set your whitelist and let it tick via services_start or use the init.d file

 

[leon]

I have an Asus router at a remote site, which I plug in a USB HDD. I am using ftp to backup my files to this site. Looks like this is not a good idea.

Any suggestion how I can do this more securely? I can vpn to the remote sit but I don't think I can have the ftp server to reject external connection...