
EGeezer
zichrona livracha
Midwest

Harden your router/AP in five steps

There have been a few topics here on router worms and CSRF. This article tells how to protect against them. It's relatively simple to do and provides necessary security for typical home/SOHO/Small biz users and administrators to protect against the presently existing automated exploits.

Personally, I add another step and change the default http port on the admin access. The present generation of worms and malware pages are hardwired to connect to port 80 (http) or 443 (https). EDIT - added - change default telnet ports too (if the device supports telnet).

EDIT 2 - for wireless routers I also disable administration from a wireless connection - just in case a wireless attached guest wants to play around

It's one small step that will trip up this code.

Last month, we discussed the possibility of a D-Link Router worm for consumer network hardware. While there were particular problems with D-Link, there are dangers in all consumer network hardware that require the attention of everyone that installs these devices regardless of the vendor. Taking a device out of the box, plugging it in and letting it go can expose you to "worms" or other remote-based exploitation. This stems from a similar problem with software and operating systems, namely, these things do not ship in a secure-by-default configuration. Here are 5 easy steps to take when you get a network device / access point to harden yourself against "easy" exploitation (and this applies to ALL hardware):


EDIT - added link here.
I'm glad redwolfe_98 found it for you

Just be sure to document your passwords, passphrases, non-standard addressing, ports etc. - no sense locking yourself out of your own box.
--
Mayors of New York come from nowhere and go nowhere.
Wallace Sayre (apparently, so do governors... )


La Luna
RIP Lisa
Warwick, NY

Care to share a link to those 5 easy steps or do we have to pay ransom?



Elite
Orange, CT
reply to EGeezer

I run a modified version of some Linux-based LinkSys firmware.

There's also DD-WRT.
--
QUAD!!!!


redwolfe_98
reply to EGeezer

la luna, this looks like it is the article:

»isc.sans.org/diary.html?storyid=4282



elseis

@optonline.net
reply to Elite

What can be said of the security of OSS firmware projects maintained, generally, by a single coder? I use Tomato myself, but I've always been curious how secure it could really be and what unseen holes might exist. Has there been any testing against it?


Link Logger
Calgary, AB
reply to EGeezer

Changing the default password should be a standard practice for anything.

Disabling remote administration, what router has that enabled by default? Sure, you'd better have a really good reason to enable remote administration, and given how powerful and easy it has become to use/implement a router, I often wonder if this isn't a feature that should simply be dropped from the consumer level product.

Apply updates again should be standard practice for anything you have.

Disable unused services, makes sense but then again I've often wondered about things like SNMP and if perhaps it hasn't outlived itself and if it's really needed on a consumer level system. That said, every service like this should be disabled by default. If you know how to use it then you know how to enable it, so why have it enabled by default?

More often than not these services are really marketing function list fillers, meaning the vendor can say they have it, but in reality it's a badly crippled implementation, such that the user only really gets a security risk without any real benefit. Logging for example drives me crazy anymore as most routers have horrible logging capabilities, in that they are often very limited (logging one direction only, or only selected events etc.). So what is the point of a badly implemented service?

5. Change the default settings of the device. I have a problem with this in that I think most users will end up hooping themselves while trying to do this. If the router was secure by default why would this matter, and if it was secure by default then making any changes would be by definition reducing the security level. WPA should be the wireless default and of course, as per point 1, passwords should be changed, but modifying the IP range, what is that going to do?

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool



GercekSeytan
Absinthe makes the heart grow fonder.

said by Link Logger:

Changing the default password should be a standard practice for anything.

Disabling remote administration, what router has that enabled by default? Sure, you'd better have a really good reason to enable remote administration, and given how powerful and easy it has become to use/implement a router, I often wonder if this isn't a feature that should simply be dropped from the consumer level product.

Apply updates again should be standard practice for anything you have.

Disable unused services, makes sense but then again I've often wondered about things like SNMP and if perhaps it hasn't outlived itself and if it's really needed on a consumer level system. That said, every service like this should be disabled by default. If you know how to use it then you know how to enable it, so why have it enabled by default?

More often than not these services are really marketing function list fillers, meaning the vendor can say they have it, but in reality it's a badly crippled implementation, such that the user only really gets a security risk without any real benefit. Logging for example drives me crazy anymore as most routers have horrible logging capabilities, in that they are often very limited (logging one direction only, or only selected events etc.). So what is the point of a badly implemented service?

5. Change the default settings of the device. I have a problem with this in that I think most users will end up hooping themselves while trying to do this. If the router was secure by default why would this matter, and if it was secure by default then making any changes would be by definition reducing the security level. WPA should be the wireless default and of course, as per point 1, passwords should be changed, but modifying the IP range, what is that going to do?

Blake
As an "average user", I agree. If an average consumer buys a SOHO router/modem and changes the password, etc., why should he or she have to bother with the rest (e.g., a new address for the router, which may entail changing the default addresses assigned by the router, possibly the "subnet" number) and an increased chance of being unable to connect to the internet at all? Or connecting to the internet without realizing that the user's changes have negated the increased security the box was bought to provide.

Such things are not easily (correctly) done if one is truly an "average user".
--
One day President Roosevelt told me that he was asking publicly for suggestions about what the war should be called. I said at once "The Unnecessary War". Sir W. Churchill, Second World War, 1948


La Luna
RIP Lisa
Warwick, NY
reply to redwolfe_98

said by redwolfe_98:

la luna, this looks like it is the article:

»isc.sans.org/diary.html?storyid=4282


Thanks redwolfe_98.


EGeezer
zichrona livracha
Midwest

Now that I've answered all the IMs I got on my brain f@rt, I have edited to include the link - Thanks to redwolfe_98, who bailed you all out with the correct link

Sorry for the screwup - I'll blame it on the antibiotics and antihistamines I'm taking for the bug I adopted.



La Luna
RIP Lisa
Warwick, NY

Ok, we'll let you slide this time because you're not feeling well and are on drugs.

Feel better soon!



EGeezer
zichrona livracha
Midwest

reply to Link Logger

I agree that most if not all routers have remote admin disabled by default. The only way I see this as an issue is if someone acquires a used router with old firmware or user-configured remote admin enabled. Given the varying quality of consumer grade products, there may be an off brand out there someplace with crappy defaults, so checking won't hurt.

I agree, most home/SOHO routers don't really need SNMP. At least the manufacturers could change the community strings to, say, the serial number of the router to foil malware or MIB browsers/scanners that may look for "public" as a string.

I also agree wholeheartedly that logging and messaging are woefully inadequate for many routers and firewalls. The log formats and content vary widely, the marketing-inspired messages that call internet noise, orphaned packets etc "attacks" are horribly misleading to the nontechnical/semitechnical user.

I modify the IP range for a couple of reasons.

First, it's not difficult to do: changing from 192.168.0.1/24 to, say, 10.91.101.1/24 (leaving the subnet mask at 255.255.255.0). The extra step the user would need to take would be to reboot the PC or release/renew DHCP and reconnect to the router after making the change. Depending on the router, they may need to reboot the router then the PC. The "average user"'s PC is a DHCP client anyway. However, if they changed it to fixed, they were skilled enough to change the TCP properties and changing similar network settings in the router would not be beyond them.

My second and more important reason is to present an additional hurdle to the automated malware. At present the malware looks for default everything, so a single hurdle would stop them. Working backwards from the access, they'd need to address changes in default remote admin policy (if/where applicable), default password, default community string, default access port(s), default services and default network settings. Adding one more hurdle adds to the amount of complexity and effort needed to write code and overcome the various hurdles. If one is sending logs to a PC using Link Logger or a syslog daemon with alerts set up, then the noise will trigger alerts.

Personally, I also tailor the subnet mask to the maximum number of addresses I expect to use, but that's more a matter of standard practice to minimize internal broadcast activity rather than a security measure.

In the end, though, the assumptions of user skill and/or competence are subjective, so mileage will vary on the feasibility of making changes.
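
The five steps from the SANS list as Link Logger summarized them, plus the extras EGeezer adds (non-default admin port, no telnet, no admin over wireless, non-default SNMP community string and LAN range), can be turned into a checklist a script walks through. The following is an added example written for this thread, not code from the SANS diary or from any router vendor: it audits a constructed configuration dict that stands in for a router's "save config" export. The field names (`admin_password`, `remote_admin`, `snmp`, `lan`, `admin_port`, `wireless`, ...) are assumptions, since every vendor's export format differs; the default password list and default LAN ranges are the common ones, not an exhaustive table.

```python
"""Audit a router configuration against the hardening steps discussed in this
thread: default password, remote administration, firmware age, unused services
(telnet, SNMP with a default community string), factory LAN range, admin port
80/443, weak wireless security and administration over wireless.  Added example,
not code from the thread or the SANS diary; the config dicts are constructed
stand-ins for a router's "save config" export and their field names are assumed."""
import ipaddress
import re

# Factory credentials an automated worm would try first (constructed list).
DEFAULT_PASSWORDS = {"", "admin", "password", "1234", "12345", "root", "user"}
# LAN ranges consumer routers commonly ship with.
DEFAULT_LAN_NETWORKS = {
    ipaddress.ip_network("192.168.0.0/24"),
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("192.168.2.0/24"),
    ipaddress.ip_network("10.0.0.0/24"),
}
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}
ACCEPTABLE_WIFI = {"WPA-PSK", "WPA2-PSK", "WPA2-ENTERPRISE"}


def version_tuple(version):
    """'1.02.3' -> (1, 2, 3) so firmware strings compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def audit(cfg, latest_firmware):
    """Return a list of (code, message) findings; an empty list means every check passed."""
    findings = []

    # 1. Default or username-derived admin password.
    user = cfg.get("admin_user", "admin").lower()
    password = cfg.get("admin_password", "")
    if password.lower() in DEFAULT_PASSWORDS or password.lower() == user:
        findings.append(("default_password", "admin password is a factory default"))

    # 2. Remote (WAN-side) administration.
    if cfg.get("remote_admin", False):
        findings.append(("remote_admin", "administration is reachable from the WAN"))

    # 3. Firmware behind the vendor's current release.
    firmware = cfg.get("firmware", "0")
    if version_tuple(firmware) < version_tuple(latest_firmware):
        findings.append(("old_firmware", f"firmware {firmware} is older than {latest_firmware}"))

    # 4. Unused or unsafe services.
    if cfg.get("telnet", False):
        findings.append(("telnet", "telnet is enabled"))
    snmp = cfg.get("snmp", {})
    if snmp.get("enabled", False) and snmp.get("community", "public") in DEFAULT_SNMP_COMMUNITIES:
        findings.append(("snmp_default_community", "SNMP answers to a default community string"))

    # 5. Factory defaults that automated code hard-wires: LAN range, admin port, wireless.
    lan = ipaddress.ip_interface(cfg.get("lan", "192.168.0.1/24")).network
    if lan in DEFAULT_LAN_NETWORKS:
        findings.append(("default_lan", f"LAN {lan} is a factory default range"))
    if cfg.get("admin_port", 80) in (80, 443):
        findings.append(("default_admin_port", "admin interface listens on port 80/443"))
    wifi = cfg.get("wireless")
    if wifi is not None:
        if wifi.get("security", "none") not in ACCEPTABLE_WIFI:
            findings.append(("weak_wifi", f"wireless security is {wifi.get('security', 'none')}"))
        if wifi.get("admin_over_wireless", True):
            findings.append(("wireless_admin", "administration is allowed from wireless clients"))
    return findings


# Constructed configurations: one as shipped, one after the steps above.
FACTORY_DEFAULT = {
    "admin_user": "admin", "admin_password": "admin", "remote_admin": False,
    "firmware": "1.00", "telnet": True,
    "snmp": {"enabled": True, "community": "public"},
    "lan": "192.168.0.1/24", "admin_port": 80,
    "wireless": {"security": "WEP", "admin_over_wireless": True},
}
HARDENED = {
    "admin_user": "admin", "admin_password": "v9!Tq4#mZr2wL", "remote_admin": False,
    "firmware": "1.12", "telnet": False,
    "snmp": {"enabled": False},
    "lan": "10.91.101.1/24", "admin_port": 8443,
    "wireless": {"security": "WPA2-PSK", "admin_over_wireless": False},
}

if __name__ == "__main__":
    for name, cfg in (("factory default", FACTORY_DEFAULT), ("hardened", HARDENED)):
        results = audit(cfg, "1.12")
        print(f"{name}: {len(results)} finding(s)")
        for code, message in results:
            print(f"  [{code}] {message}")
```

Run against the factory-default dict it reports eight findings (everything except remote administration, which, as Link Logger notes, is off by default on most routers); against the hardened dict it reports none. The firmware check only works if you know the vendor's current release, so that value is passed in rather than guessed.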


mikenolan7
Torrance, CA
reply to EGeezer

It's an interesting point about limiting subnet size to the maximum necessary addresses. I often do that, but I don't really have a reason to justify it. I just seem to feel unnecessarily exposed with 255 possible addresses in a LAN subnet, especially if I am running DHCP. But that really doesn't make a lot of sense, all it would take is one extra available address to get hurt that way. I haven't noticed that more addresses result in increased broadcast traffic. Is that effect generally associated with commercial grade routers?



GercekSeytan
Absinthe makes the heart grow fonder.
reply to EGeezer

said by EGeezer:

My second and more important reason is to present an additional hurdle to the automated malware. At present the malware looks for default everything, so a single hurdle would stop them. Working backwards from the access, they'd need to address changes in default remote admin policy (if/where applicable), default password, default community string, default access port(s), default services and default network settings. Adding one more hurdle adds to the amount of complexity and effort needed to write code and overcome the various hurdles. If one is sending logs to a PC using Link Logger or a syslog daemon with alerts set up, then the noise will trigger alerts.

Personally, I also tailor the subnet mask to the maximum number of addresses I expect to use, but that's more a matter of standard practice to minimize internal broadcast activity rather than a security measure.

In the end, though, the assumptions of user skill and/or competence are subjective, so mileage will vary on the feasibility of making changes.
Well, that convinced me to change the router's default address. Taking "l33t" script-kiddies out of the picture ought to make this worthwhile. As for the subnetting part, well, my SOHO router gives error messages when I attempt to change that. On the other hand, what I know about subnetting could be written on the head of a pin with plenty of room left over for several novels. Probably something simple to someone who has a clue as to what they're doing.


EGeezer
zichrona livracha
Midwest
reply to mikenolan7

For most small networks I don't believe broadcast traffic degrades performance, but I must admit that when I'm sniffing traffic, I have fewer broadcast packets to deal with in logs in a fitted subnet. But then my own wired network router is a router/hub.

Switches do a better job than hubs in preventing congestion since the switch handles the request by sending (switching) packets directly to the destination node without a broadcast. Most newer routers are router/switch, but a few are router/hub. Hubs don't do the direct switching, so there is a bit more traffic on the network. See »www.windowsnetworking.com/articl···nce.html

for a nice explanation.



EGeezer
zichrona livracha
Midwest

reply to GercekSeytan

Re: subnetting

There's a neat little subnet calculator that can help demonstrate how subnetting is configured. See »www.solarwinds.com/register/More···ogram=92

Registration is required, but I don't think the information is validated.

Also a (relatively) "user level" explanation of the theory at

»www.solarwinds.com/register/More···ogram=92

BTW most routers have a "save config" and "restore config" feature so you can back up your configuration to your PC prior to making changes - just in case you mess things up.
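
What the subnet calculator EGeezer links to does by hand, and what GercekSeytan's router rejected, can be worked through with the Python standard library. This is an added example for the thread, not the SolarWinds tool or code from any poster; the router address 10.91.101.1 and the device counts are constructed. It picks the smallest mask that leaves room for the expected number of devices (the router's own address counts as one), derives network, mask, broadcast and a DHCP pool, and refuses the one combination that a router's web UI will also refuse: a router address that lands on the new block's network or broadcast address.

```python
"""Size a LAN subnet to the number of devices you expect, as the subnet
calculator linked above would, and catch the mistake that makes a SOHO router
reject the change.  Added example (Python standard library only), not code
from the thread; the router address and device counts are constructed."""
import ipaddress


def prefix_for_hosts(hosts):
    """Smallest IPv4 prefix length whose usable addresses cover `hosts` devices.
    Usable = 2**(32 - prefix) - 2, because the network and broadcast addresses
    are reserved; the router's own gateway address counts as one of the hosts."""
    if hosts < 1:
        raise ValueError("need at least one host")
    prefix = 30                      # /30 is the smallest usable IPv4 block (2 hosts)
    while prefix > 0 and 2 ** (32 - prefix) - 2 < hosts:
        prefix -= 1
    if 2 ** (32 - prefix) - 2 < hosts:
        raise ValueError(f"{hosts} hosts do not fit in one IPv4 subnet")
    return prefix


def fit_lan(router_ip, hosts):
    """Derive network, mask, broadcast and a DHCP pool from the router's address
    and the expected device count.  strict=False lets the router sit anywhere in
    the block; the network address is derived by masking the router's address."""
    prefix = prefix_for_hosts(hosts)
    net = ipaddress.ip_network(f"{router_ip}/{prefix}", strict=False)
    gateway = ipaddress.ip_address(router_ip)
    # A router address equal to the network or broadcast address of the new
    # block is the usual reason a router's web UI refuses the mask change.
    if gateway in (net.network_address, net.broadcast_address):
        raise ValueError(f"{gateway} is the network or broadcast address of {net}; move the router address")
    pool = [addr for addr in net.hosts() if addr != gateway]
    return {
        "network": str(net),
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": net.num_addresses - 2,
        "dhcp_start": str(pool[0]),
        "dhcp_end": str(pool[-1]),
    }


if __name__ == "__main__":
    # Six devices, router included, on a non-default range (constructed).
    for key, value in fit_lan("10.91.101.1", 6).items():
        print(f"{key:13} {value}")
```

For six devices on 10.91.101.1 this gives 10.91.101.0/29, mask 255.255.255.248, broadcast 10.91.101.7 and a DHCP pool of .2 to .6. Asking for the same block size with the router at 192.168.1.8 raises the error, because .8 is the network address of 192.168.1.8/29; that is the kind of rejection GercekSeytan describes, and the fix is to move the router address, not the mask.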



GercekSeytan
Absinthe makes the heart grow fonder.

said by EGeezer:

There's a neat little subnet calculator that can help demonstrate how subnetting is configured. See »www.solarwinds.com/register/More···ogram=92

Registration is required, but I don't think the information is validated.

Also a (relatively) "user level" explanation of the theory at

»www.solarwinds.com/register/More···ogram=92

BTW most routers have a "save config" and "restore config" feature so you can back up your configuration to your PC prior to making changes - just in case you mess things up.
Thank you for those links. Now to press my luck. I don't suppose you know of any good links that explain "broadcast" and the security implications for SOHO router users (simplified explanations, if possible), do you?

I'd be grateful.


EGeezer
zichrona livracha
Midwest

Basically, broadcast is used to discover devices on a local network so they can be assigned IP addresses and communicate locally. Each ethernet adapter on PCs and routers has a hardwired (MAC) address. When the devices are physically powered up and connected, they send out broadcast packets to "discover" each other. From there, they can communicate with the router's gateway address so TCP/IP communications can take place between LAN devices, other LANs and the internet. That communication is secured using firewall and other security applications.

From the security standpoint, these packets and requests never get out of the local subnet since MAC addresses aren't routed to other subnets or networks(unless there are bridges, which is rare in SOHO implementations). They are a necessary part of the communications process.

Without these broadcast packets your PC would never connect to the router since it wouldn't know which ethernet adapter to communicate with.

Broadcast traffic is normally very small compared to the capacity of the LAN. You can reduce broadcast traffic by turning off protocols you aren't using like IPX or IPv6 (which is turned off by default in Windows). Setting the subnet mask to the next value above the expected number of devices you will have on the net will reduce traffic. However, the performance gain will probably go unnoticed. I do it out of habit and personal preference.

Sometimes (rarely) an adapter will break and start sending out continuous streams of packets - we called them hot bits - and the network would slow down until the offending device was disconnected. I haven't heard of that happening for several years, though.

As for links, I don't have any specifically discussing security, but here is a link that explains broadcast. The subject is about 2/3 of the way down the page.

Maybe others have more - or corrections to my attempt at a layman's explanation, and will chime in.

EDIT - ARP is a broadcast you'll see in your subnet - a nice flowchart on ARP communications is here.

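
EGeezer's explanation comes down to one frame type: the ARP request. Decoding one shows why it stays in the subnet. The Ethernet destination is the all-ones MAC ff:ff:ff:ff:ff:ff, which a switch floods to every port and a router does not forward, while the reply that comes back is a plain unicast frame addressed to the asking PC. The following is an added example, not code from the thread or from the ARP flowchart EGeezer links; both frames are constructed here (a PC at 10.91.101.20 asking for the router 10.91.101.1, and the router's answer), and the MAC addresses are made up.

```python
"""Decode an ARP frame, the broadcast you will most often see inside your own
subnet, and show why it never leaves it: the Ethernet destination is the
all-ones MAC, which switches flood to every port and routers do not forward.
Added example, not code from the thread; both frames are constructed here
(a PC asking for the router's MAC, and the router's unicast reply)."""
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = b"\xff" * 6
ARP_OPERATIONS = {1: "request", 2: "reply"}


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def ip_bytes(text):
    return bytes(int(octet) for octet in text.split("."))


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def fmt_ip(raw):
    return ".".join(str(b) for b in raw)


def build_arp(dst_mac, src_mac, oper, sender_mac, sender_ip, target_mac, target_ip):
    """Assemble an Ethernet II frame carrying an ARP packet (42 bytes; a NIC
    pads the frame to the 60-byte minimum before transmission)."""
    eth = ETH_HDR.pack(mac_bytes(dst_mac), mac_bytes(src_mac), ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, oper, mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return the fields of an ARP-over-Ethernet frame, or raise ValueError."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP (EtherType 0x{ethertype:04x})")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not ARP for IPv4 over Ethernet")
    return {
        "is_broadcast": dst == BROADCAST_MAC,   # True for the who-has request only
        "eth_dst": fmt_mac(dst),
        "eth_src": fmt_mac(src),
        "operation": ARP_OPERATIONS.get(oper, f"op{oper}"),
        "sender_mac": fmt_mac(sha),
        "sender_ip": fmt_ip(spa),
        "target_mac": fmt_mac(tha),
        "target_ip": fmt_ip(tpa),
    }


# Constructed frames: PC 10.91.101.20 asks who has the router 10.91.101.1;
# the router answers directly to the PC's MAC, so the reply is not a broadcast.
PC_MAC, ROUTER_MAC = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"
ARP_REQUEST = build_arp("ff:ff:ff:ff:ff:ff", PC_MAC, 1,
                        PC_MAC, "10.91.101.20", "00:00:00:00:00:00", "10.91.101.1")
ARP_REPLY = build_arp(PC_MAC, ROUTER_MAC, 2,
                      ROUTER_MAC, "10.91.101.1", PC_MAC, "10.91.101.20")

if __name__ == "__main__":
    for frame in (ARP_REQUEST, ARP_REPLY):
        p = parse_arp(frame)
        where = "broadcast" if p["is_broadcast"] else f"unicast to {p['eth_dst']}"
        print(f"{p['operation']:7} {where}: {p['sender_ip']} ({p['sender_mac']}) -> {p['target_ip']}")
```

The request carries the asking PC's MAC and IP and a zeroed target MAC; every host in the subnet receives it, only 10.91.101.1 answers. Because the router never rebroadcasts or routes the all-ones destination, the exchange is confined to the local subnet, which is the point EGeezer makes about these packets never getting out.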



altermatt
White Plains, NY
reply to EGeezer

Re: Harden your router/AP in five steps

Thanks, EGeezer, for the heads-up on a good, basic primer for those new to routers. I have one additional step I'd like to get some opinions on: MAC filtering. My SMC wired router (and I'd assume most) allow you to set the specific MAC addresses that are allowed to access the network/router; by listing the MAC addys of our desktops and laptops (and the config screens show the MAC addys of any devices attached so they were easy to find) and turning MAC filtering on, a "foreign" computer can't use the router to access the network, right? If a guest is visiting with their laptop, it's a simple matter to just add that MAC addy to the list.

What would be the downsides to doing this? Have I missed something?
--
The truth of a thing is the feel of it, not the think of it. -- Stanley Kubrick



EGeezer
zichrona livracha
Midwest

You can use MAC filtering, but I'd only use it in addition to WPA/WPA2 encryption. MAC addresses can be sniffed by wardriving tools. MAC filtering will keep out those who are only looking for "open" wireless access points.

Once the wardriver has captured MAC addresses using NetStumbler, Kismet or other common tools, it's simple for the wardriver to change his MAC to one he's seen in the comm traps and connect. If you have WPA/WPA2 and a strong key, he can't connect.

If your wired and wireless networks are not separated, the wireless freeloader will have access to your wired as well as wireless network. See »www.smallbusinesscomputing.com/w···/3575721

for one more opinion.

If your wireless router has built-in RADIUS authentication, you can set up user profiles and passwords. Some have a simple RADIUS server built in, others require a separate server. My ZyAir G200+ has the RADIUS server for up to 32 users, but I still just use WPA2/PSK because I have only one wireless "guest" - my kid when she comes to visit.



altermatt
White Plains, NY

said by EGeezer:

You can use MAC filtering, but I'd only use it in addition to WPA/WPA2 encryption.
But, but...I am on a WIRED connection only. Thought I'd specified that. Though I'm glad you clarified this for those on wireless.


EGeezer
zichrona livracha
Midwest

I saw you referred to your SMC wired router, but didn't know whether that device had wireless capability. Since you didn't say wired-only and I didn't search for SMC router specs, I included the wireless caveats. If you have "wired-only", the MAC lists should provide a basic authentication for the PC. Filtering should prevent casual ad hoc connections to wired networks.


mikenolan7
Torrance, CA

reply to EGeezer

I use a method to protect my external firewall/router that I don't see recommended much, but I think should be pretty effective. My desktops all get a software firewall rule that prevents outgoing traffic to the external firewall/router. When I'm using a NAT router, and want to login to administer it, I temporarily disable the rule.

That should prevent most automated attacks on the router from within your LAN. Of course, it requires that you use fixed IP's. I usually use a DIY firewall without any services running, in which case I never have to disable the rule. The rule doesn't affect ARP traffic, so the desktops and router/firewall can still identify each other.



candyass365

@optonline.net
reply to EGeezer

Re: subnetting

"Hot Bits" very cute! A less sexy term is "broadcast storm". Does this ring a bell? In the old days a failure of a NIC's transceiver or a very piss-poor NIC driver design could bring an entire LAN to its knees. Another point to mention is that some routers allow the user to specify an IP address for the router to send its logs to instead of broadcasting the logs to all, such as xxx.xxx.xxx.255.



altermatt
White Plains, NY
reply to EGeezer

Re: Harden your router/AP in five steps

said by EGeezer:

If you have "wired-only", the MAC lists should provide a basic authentication for the PC. Filtering should prevent casual ad hoc connections to wired networks.
Excellent; reassuring. I wonder why I rarely see that recommended in such lists, as it seems to add another layer of security, and I've yet to find a downside (which doesn't mean there isn't one ).

Thanks again!


EGeezer
zichrona livracha
Midwest
reply to candyass365

Re: subnetting

said by candyass365:

Does this ring a bell? In the old days a failure of a NIC's transceiver or a very piss-poor NIC driver design could bring an entire LAN to its knees.
Ah yes, I remember not-so fondly. Token ring cards were also prone to the storms, and the IBM Cabling system with those easily damaged hermaphroditic connectors didn't help either. Bridging Token ring to ethernet meant manually assigning canonical MAC addresses that read the same forward as backwards.


NetFixer
Snarl For The Camera Please
The Boro
reply to altermatt

Re: Harden your router/AP in five steps

said by altermatt:

said by EGeezer:

If you have "wired-only", the MAC lists should provide a basic authentication for the PC. Filtering should prevent casual ad hoc connections to wired networks.
Excellent; reassuring. I wonder why I rarely see that recommended in such lists, as it seems to add another layer of security, and I've yet to find a downside (which doesn't mean there isn't one ).

Thanks again!
The biggest downside is for a corporate or institutional network administrator. Someone has to keep track of all the valid MAC addresses and manually enter new ones as new equipment is added to the network. I do however know of a few fairly large networks where the network administrators not only use MAC address filtering, but carry it so far as to use managed switches to only allow specific MAC addresses on specific switch ports (which are often also assigned to specific VLANs)
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.
Test your firewall.

mikenolan7
Torrance, CA

reply to EGeezer

It still happens. Remember this one?

"U.S. Customs officials said Tuesday that they had traced the source of last weekend's system outage that left 17,000 international passengers stranded in airplanes to a malfunctioning network interface card on a single desktop computer in the Tom Bradley International Terminal at LAX."

»blog.wired.com/sterling/2007/08/···s-b.html



EGeezer
zichrona livracha
Midwest

reply to NetFixer

said by NetFixer:

I do however know of a few fairly large networks where the network administrators not only use MAC address filtering, but carry it so far as to use managed switches to only allow specific MAC addresses on specific switch ports (which are often also assigned to specific VLANs)
I worked at one of those companies, a Fortune 500 pharmaceutical distribution company.


Name Game
Grand Rapids, MI
reply to EGeezer

Nice..when you get it all the way you want..could you submit it for a FAQ at the Wireless Security Forum at DSLR?

Good work Guys and Gals

»Wireless Security

Then I can stop just referencing this old one.

How to secure your wireless network

»www.download.com/1200-2023_4-5162406.html



EGeezer
zichrona livracha
Midwest

Sure will - I should be able to compose and edit a list from this topic geared to the new or near-new wireless router owner.