

Sconnie

@verizon.net

Westell 7500 - config GUI authentication

I'm trying to lock down the configuration GUI so that anyone that is on the network and types in »192.168.1.1 can't browse the modem/router's config and start hacking away. I have WEP enabled and SSID broadcast off and MAC address filtering is enabled. I live out in the sticks, but I'd prefer to be safe rather than sorry.

So - I set a password for the 'admin' user - but it seems like it almost never prompts me for the password. Just a few minutes ago, I saved the configuration file and it prompted me for the admin password then...but I would prefer it to prompt me for the password when just attempting to view the "Main" tab/page (»192.168.1.1/htmlV/welcomeMain.htm). As a test - I browsed to the "Main" page using my Evo 4G and it let me view the "Advanced" tab and even looked at the transceiver statistics - all without entering a password.

Your thoughts, ideas, suggestions would be appreciated.

Thanks,

Matt
ISP: Frontier (Verizon)
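A way to check the behaviour described in the post above from any machine on the LAN, added here as an example and not part of any post in this thread: request each configuration page with no credentials and record whether the router serves it or demands a password. The `/hypothetical/saveConfig.htm` path and the sample responses are constructed for illustration; only `/htmlV/welcomeMain.htm` comes from the thread.

```python
import urllib.error
import urllib.request

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # report the 3xx itself instead of following it

def fetch_unauthenticated(url, timeout=5):
    """GET url with no credentials or cookies; return (status, lowercased headers)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx arrive here
        return err.code, {k.lower(): v for k, v in err.headers.items()}
    except (urllib.error.URLError, OSError):
        return 0, {}

def classify(status, headers):
    """Decide whether a page was served without authentication."""
    if status == 0:
        return "unreachable"
    if status == 401 and "www-authenticate" in headers:
        return "protected"
    if status == 403:
        return "protected"
    if status in (301, 302, 303, 307, 308):
        return "redirect"  # often a login page; inspect the Location target
    if 200 <= status < 300:
        return "open"  # content returned with no password prompt
    return "unknown"

def audit(base_url, paths, fetch=fetch_unauthenticated):
    """Map each path to its classification when requested without credentials."""
    base = base_url.rstrip("/")
    return {p: classify(*fetch(base + p)) for p in paths}

# Constructed responses (not captured from a device) mirroring the thread:
# the Main page loads without a prompt, saving the configuration asks for one.
MAIN = "/htmlV/welcomeMain.htm"          # path quoted in the first post
SAVE = "/hypothetical/saveConfig.htm"    # hypothetical path, for illustration
SAMPLE = {
    "http://192.168.1.1" + MAIN: (200, {"content-type": "text/html"}),
    "http://192.168.1.1" + SAVE: (401, {"www-authenticate": 'Basic realm="admin"'}),
}

def sample_fetch(url):
    return SAMPLE.get(url, (0, {}))

if __name__ == "__main__":
    for path, verdict in audit("http://192.168.1.1", [MAIN, SAVE], sample_fetch).items():
        print(f"{verdict:12} {path}")
```

Dropping the `sample_fetch` argument makes `audit` query the real device. A router that answers 200 with an HTML login form will still be reported as "open", so confirm such pages by eye.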

bryn987

join:2009-01-13
Antioch, TN
You will be fine. The only way someone can browse to that IP address is if they are on your network. With your security measures in place, they can't get on your network.

I do agree that it does suck that so much info is available on that main page though. My router does the same thing. Anyone on my network can browse to that IP address and see a lot of info. They can't change anything though or go to any other tabs without the password.

If I were you, I would change the router IP address to something different, like 192.168.40.300. That will make it a bit harder to find and should discourage the noob hacker. Also change from WEP to WPA-PSK (if your hardware supports it) »Wireless Security »What is WPA-PSK?
and use this site to generate secure passwords
»www.grc.com/passwords.htm

Sconnie

join:2011-04-19
Portage, WI
Very good tips - thank you!

My Kyocera KR1 (EVDO router) that I used for a few years prior to very recent DSL availability required a password for all sorts of stuff. Maybe I can fire up and use the D-Link DSL-2640B that I originally bought and Frontier said would not work...that *should* be fairly secure since it's not something the ISP hands out for free.

I'm not well versed with 802.11x security - but this is a "the more the merrier" situation. All of my hardware on the network is pretty recent - so it should support WPA-PSK.

The Westell has quite a few options for setting up WPA-PSK that I'm not familiar with:
WPA Type: dropdown menu options are - WPA Any, WPA, WPA2
WPA2 Pre-authentication (just a checkbox option)
Data encryption: TKIP, AES or TKIP + AES
Group Key Update Interval: currently set to 3600 seconds
WPA shared key - this, I assume can be the same as the WEP key

Learning as I go - thanks for your input!

bryn987

join:2009-01-13
Antioch, TN
reply to Sconnie
WPA2 with TKIP + AES is what I use

Then you just enter the password and save. Go into your connected devices, open up the wireless card settings and set the same protocol and password and you are done. Pretty simple. There are guides all over google that can walk you through it but if you've done WEP, then it's basically the same

»www.computerworld.com/s/article/···network_

Sconnie

join:2011-04-19
Portage, WI
OK - WPA2 with TKIP + AES is how I set it up.

Setting up with WPA was almost exactly the same as regular old WEP. I don't have to muss with these types of settings very often, so it's not always fresh in my mind. Now that I think of it, my KR1 might have been set up with WPA2...oh well.

Earlier this morning, I changed the subnet mask, router IP, etc. - like you said, by not using the default "192.168.1.1" address, that might help foil a newbie hacker. Someone that really wants in will get in.

I also tried the D-link modem with various settings but could not get it to snag a DHCP assigned WAN IP from the ISP. After reading another thread, it sounds like I'd have to call the ISP to have them release the MAC address associated with the account. For now, I'll just stick with the Westell 7500, even though the D-link showed slightly better transceiver statistics.

Thanks again for your help!

Cheers,

Matt

bryn987

join:2009-01-13
Antioch, TN
reply to Sconnie
WPA2 with TKIP + AES with a totally random, 20 character password has yet to be beaten so you are safe. I have something similar to this but only use 10 characters or so:

[nzNsqDpir)K!X)&%


wayjac
Premium,MVM
join:2001-12-22
Indy
kudos:1
reply to Sconnie
If you have a DHCP account, you should release the IP address before changing modems.
Click the connected link on the main/home page of the Westell; the next page has a release button.


eibgrad

join:2010-03-15
reply to Sconnie
Once you're using good wireless security (WPA/WPA2 w/ a long, random password based on a large character set), not broadcasting your SSID and MAC filtering are totally worthless. In fact, they often cause needless headaches. Some things just don't work right w/ SSID broadcasts disabled.

Btw, my dd-wrt router also defaults to allowing anyone to view the status/info page, but I'm also able to disable this “feature” on the administration page. Are you sure the Evo 4G doesn't as well?

Sconnie

join:2011-04-19
Portage, WI
reply to Sconnie
Excellent info once again - thank you!
For my passcode, I used something I could remember and something that's easily entered. Certain devices without QWERTY keyboards make it tough to enter non-alphanumeric characters.

Thanks for the hint about releasing the IP with DHCP. I figured it would automatically release when disconnecting, but if the lease hasn't expired I can see how it would try to use the same IP. I'll give that a whirl since I'd like to see how the D-link compares to the Westell in terms of performance, security, etc.

So far I haven't had any issues with the SSID and MAC address filtering in addition to the WPA-WPA2/TKIP+AES - but I see what you mean...it's overkill. I have some of my family members' laptops entered into the MAC filtering list so they can gain access when they visit a few times per year. Other than that, the list of devices just doesn't change. BTW, the HTC Evo 4G is a smartphone. I'm still searching to see if the D-link modem/router has the option to disallow access to the admin page...so far it seems like it always asks for the admin username/password. The Westell isn't terribly impressive in terms of security.

Thanks again for your input - this has been a great help!

Regards,

Matt

Sconnie

join:2011-04-19
Portage, WI
reply to Sconnie
Got the D-Link DSL-2640B modem/router up and running!

All I had to do was release the DHCP assigned IP with the Westell and the D-Link connected no problem at all. Yesterday, I did enter in some custom settings (as found by searching around online) since it wouldn't connect automatically - but I really like this router so far. It ALWAYS prompts you for a password when attempting to access the configuration GUI...both on the wireless and the wired networks. Nice.

Connection speed is the same, but the margin and line attenuation is better and it seems to load webpages much faster...hard to explain.

The D-Link shows attainable rates - the Westell did not. This makes me wonder if I could get ~3MB instead of ~1.5. I'm dang near 30,000ft from the CO and am on a range extender.

                         Downstream   Upstream
SNR Margin (dB):         13.1         6.0
Attenuation (dB):        56.0         31.5
Output Power (dBm):      16.9         11.6
Attainable Rate (Kbps):  2912         320
Rate (Kbps):             1792         224

Thanks again for the tips!

Cheers,

Matt


wayjac
Premium,MVM
join:2001-12-22
Indy
kudos:1
said by Sconnie:

The D-Link shows attainable rates - the Westell did not. This makes me wonder if I could get ~3MB instead of ~1.5

The (sync) rate cannot be greater than the attainable rate

I doubt that the loop length between the modem and dslam is greater than 18,000ft

If you raise the (sync) rate, the stability of the DSL will likely decrease

Sconnie

join:2011-04-19
Portage, WI
Ahh - OK. That makes sense. Based on the transceiver stats, I know I'm on the ragged edge of even having connectivity.

When the tech came out to do the "install" (he didn't have to do anything - I was ready to rock, but Frontier insisted and they didn't charge me for the house call...), he said that my line goes all the way to the CO but that I was on a "range extender".

When he used that term I asked if he meant that I was on an outlying "DSLAM" and he said no. Perhaps he misspoke...but that's all the info I have to go on.

The good news is that things on my end are just fine. Just last week, I installed all new wiring in the house (Cat.5e). The attenuation reading didn't drop at all when comparing it at the one and only wall jack and at the NID with the house wiring disconnected - he had his meter hooked up with alligator clips there.

Cheers,

Matt