Alert! Someone accessing my RT-AC68U from WAN


sanke1

Senior Member
I got so many tries of someone accessing my Router GUI with hundreds of failed login attempts with invalid username. I have temporarily disabled WAN access from outside.

I rebooted my router but will post a screenshot after enabling WAN https access again.

Just a heads up.
 

You deserve to be hacked if you believe WAN access is ok.
Seriously.
Isn't this stated quite clearly in even the inbuilt security scan?

Anyone with half a brain would only use VPN.

Sent from my SM-G965F using Tapatalk
 
My half brain tells me to use WAN access for remote WOL under Network tools. There is no other way to WOL my computers apart from installing custom firmware.

Stock ASUS firmware does not allow third party apps for WOL after 10 mins of PC shutdown. So I need to log into router GUI, go to network tools and wake up the required PCs from there.

BTW the login attempts are still being made even after disabling WAN access. LMAO.

I would suggest everyone to check their own logs before commenting.
 
Last edited:
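One way to triage the failed logins described above, as an added example that is not part of the original posts: it counts failures per source address and labels each source LAN or WAN, which is the first thing to check when attempts continue after WAN access is switched off. The log lines are constructed and their format (`login failed user=... src=...`) is an assumption, not the ASUS log format; adjust the regex to what your router's System Log shows.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in a generic syslog style (assumed format).
SAMPLE_LOG = """\
Oct 24 13:41:07 httpd: login failed user=admin1 src=203.0.113.45
Oct 24 13:41:09 httpd: login failed user=root src=203.0.113.45
Oct 24 13:41:12 httpd: login failed user=support src=203.0.113.45
Oct 24 13:42:30 httpd: login failed user=admin src=198.51.100.7
Oct 24 13:50:02 httpd: login ok user=owner src=192.168.1.20
Oct 24 14:05:44 httpd: login failed user=admin src=192.168.1.77
Oct 24 14:05:46 httpd: login failed user=admin src=192.168.1.77
Oct 24 14:05:49 httpd: login failed user=user src=192.168.1.77
"""

# Hypothetical pattern matching the constructed lines above.
FAILED_LOGIN = re.compile(r"login failed user=(?P<user>\S+) src=(?P<src>\S+)")

# Home LAN ranges are listed explicitly. ipaddress.is_private is not used
# because it also returns True for reserved ranges that are not LAN space.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def origin(src):
    """Return 'LAN' for an RFC 1918 address, 'WAN' for anything else."""
    addr = ipaddress.ip_address(src)
    return "LAN" if any(addr in net for net in RFC1918) else "WAN"


def triage(log_text, threshold=3):
    """Summarise failed logins per source, most active source first.

    'block' marks sources with at least `threshold` failures.
    """
    failures = Counter()
    usernames = {}
    for line in log_text.splitlines():
        match = FAILED_LOGIN.search(line)
        if not match:
            continue  # successful logins and unrelated lines
        src = match["src"]
        try:
            ipaddress.ip_address(src)
        except ValueError:
            continue  # skip lines whose source field is not an IP address
        failures[src] += 1
        usernames.setdefault(src, set()).add(match["user"])
    return [
        {
            "src": src,
            "origin": origin(src),
            "failures": count,
            "usernames": sorted(usernames[src]),
            "block": count >= threshold,
        }
        for src, count in failures.most_common()
    ]


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

A WAN-labelled source means the login page answered a request from the internet; a LAN-labelled source points at a device inside the network.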
Why can't you use VPN to access your Web GUI remotely?

Like, say, everyone else including me does. Which I do daily to WoL via the Web GUI after I VPN in.

If you open any port except VPN (on a high custom obfuscated port) it's your own fault.

This is why.

Sent from my SM-G965F using Tapatalk
 
Why do you assume that everyone is a Pro in networking? I myself don’t go beyond port forwarding on my router. I have zero clue about VPN login and it is the first time I have come across it. I get it that you guys are elite enlightened ones. But for me, I only know how to update the firmware.

Go a little easy next time.
 
You are right.
Only a very small fraction of consumer router users are aware of discussions that take place on forums like these.
If they are aware of discussions, they may not get triggered by security issues that apply to them.
The vast majority of consumer devices operate with the default username/password combinations. Why? Because changing it is simply a step too far for most users (yes, it seems a very simple step for us who read these forums). As long as consumer devices seem to work out of the box (good selling point), why would you read the manual?
Knowing how to log in to your router and knowing about firmware updates is already a major achievement (yes, I am serious, again: by far most of the users are not even aware of this).
The consumer routers offer easy options like WAN access, FTP access, data sharing and a bunch more. The same applies to many networked consumer products like IP cameras and network storage devices.
As long as the manufacturers offer these easy access options, they will be used by people who are unaware of the security risks.

Can one of the above VPN users write down a simple guideline of how to use VPN for WOL purpose?
 
It's not personal, and not intended to insult you, it's for your own protection.

It's criminal how negligent manufacturers are and it's not your fault. But it's still your risk. And manufacturers won't start taking this seriously until regulations force them to.

Home routers are a huge security issue the world over. My logs are full of constant scans explicitly targeting insecure routers.

It's not about being "enlightened" it's about not unlocking your front door without knowing what you are exposing yourself to.

The good news however is you made an excellent choice and Asus is the best I've seen so far.

And it uses OpenVPN which is sooooo much easier to set up than VPN used to be.

Post a thread along the lines of newbie asking for VPN help and we will help you. Yes perhaps we do need a guide.

Step one, set up Dynamic DNS using the router built in service. Let us know when you've done that or if you need help.

Then take a look at the VPN tab and look for OpenVPN.

Just use standard / auto settings for now.

The trick with VPN is to start small and easy and gradually increase security and custom settings with testing at each change so if something breaks you know what it is.

But do use a strong password, and disable WAN access now.

Sent from my SM-G965F using Tapatalk
 
+1 to all @bitmonster just said!
@sanke1 it's just a learning process! May be frustrating, annoying, you may end up hating feedback. But it's a learning process. It's similar to "not knowing the laws doesn't save you".

In one firmware, the one where Asus introduced Alexa support, they overwrote the existing rule and allowed WAN access. Well, f..k Alexa! No matter how she/he looks, I don't need WAN access! That crap may still be there: Alexa=WAN Access allowed. But at least they don't overwrite the existing rule without user agreement.

Basic rules are:
- DO NOT allow access from WAN unless it's encrypted and backed up by really strong policies (like disable the access from offending IP after a couple of attempts). WoL is not secure!
- you do need some access but you're not sure it's secure? Do a VPN back to your home. With a good protocol, not L2TP or other old crap.
- you're not sure how to do it in a secure manner? DON'T DO IT! Better safe than sorry!

Think differently: you're exposing your data to 7-8B people unless you're not cautious! You'll never get it 100% right, there will always be something that only a couple of people know, so guard your data by assuming something wrong will happen. Either don't expose yourself at all or try to learn every day how to stay safe!

(I'm aware that the last paragraph would be a decent marketing campaign against Facebook :) )
 
On the router's webui there's a search field at the bottom right. Type "OpenVPN", it will give you a list of FAQs on Asus's support site. One of them will be about configuring the OpenVPN server, others will be on how to configure your clients to connect to it.
 
Can anyone point me to a summary of VPN options as in what's the difference between a web VPN service, a router VPN server, a router VPN client, and a client-based VPN client... if that makes any sense.

The reason I ask is because a relative knows just enough about streaming from questionable sources to ask me about using a VPN. So, I'm curious to understand the usage, but I'm not going to waste my time on his need. My only use for a VPN will be for when my ISP starts acting like Google and the rest of the data-industrial complex.

OE
 
Well that's simple.

Basically VPN plugs your device into the end point as though it was physically there, with a bunch of complications and variations around this theme. All traffic from your device now goes across the VPN and through that end network. VPNs can also be used to link networks together into a single private network, hence the name VPN.

So..

Home VPN via your router makes it as though your phone or whatever is actually at home on the home network hence WoL, Web GUI etc work, even share drives and the like although that can take some tweaking.

A VPN service is a bad idea for privacy and security except for streaming because it can fool services to think you are in whatever country. But at the cost of being at the mercy of that remote VPN service not being evil and intercepting or manipulating your connection.

However in dictatorships and Islamic theocracies VPNs are hugely popular to bypass censorship or being executed for just browsing something "contraband". However if privacy and security is a concern then properly using TOR may be better. That's a whole other topic. A commercial VPN is not secure or private unless that's a better option than execution by your friendly local Islamic theocracy or dictatorship.

But VPNs are used for streaming because it can route you via countries to access streaming not available in your home country, or obfuscate P2P (which is a dumb idea, because torrents, P2P etc are just always a really stupid idea as they necessitate running servers, opening yourself up, and leaving trails a mile long about what you're doing, as well as uploading which is just the legal ticket needed to sue you big time).

VPN traffic is encrypted and only visible to the end point, not along the route where it's just an encrypted stream.

Home or work VPN is used to securely connect you to that network.

Once you're connected to it, it's as good as being physically on that network. Hence rendering WAN access unnecessary.

VPN has FAR stronger authentication such as certificates and other options, plus you can (should) move it to a non standard high port.

As for protocols OpenVPN is fine. Don't waste your time or sanity on the others.

Now.

You have dynamic DNS set up, well done. Now go to the VPN tab and set it up with a STRONG password.

If you are using Android, pay for the "Open VPN Client". It's a paid app but brilliant. I now have it set to auto connect when I leave the house. As a pleasant side effect, many free WiFi hotspots also now seem to work without signing in as perhaps they don't block my high port (idiots).

That's another thing.. NEVER EVER use free WiFi or basically any hotspot without VPN. It's trivial to set up a fake spot and sit between you and your bank or whatever. Don't risk it. VPN cuts all that out, eg when you are travelling.

But just use the standard / auto settings for now and export a config file to all your devices. I'm not sure if a unique account is required for each device but make one for each anyway.

Then practice connecting with WiFi off from home or from your mobile cellular network (so you are "external"). This way you can easily tweak settings if any issues.

Once you're happy with it then you can gradually tweak settings to make it more secure eg custom high port, stronger authentication and encryption etc.

But even basic out of the box VPN is light years ahead of WAN access with simple hackable exploitable password.

And then you can Web GUI in and WOL to your heart's content.

More complex stuff such as apps, share drives etc may take some work, but Web GUI access should easily work out of the box.

Sent from my SM-G965F using Tapatalk
 
In case you still need to do WOL, there are many ways to do that, but maybe the simplest for you is to install TeamViewer and enable WOL in TeamViewer; sure, you need to port forward udp 9 (actually I forget whether it uses tcp or udp).
 
you need to port forward udp 9
No, please do not do this. This is what we're talking about. This is just another form of WAN access, when VPN will work fine. I use RDP over VPN from both Linux and Windows 10 and it works great.

I just Web GUI in and run WoL from there if needed. I'm sure with some fiddling apps can work too.

I just had someone explain to me how he has his garage door and everything else in his house wired up to a Samsung 'smart hub' accessible from WAN, and I thought, yep, Samsung has a great history of updates and patching here.. let alone everything else. I am fairly confident that house insurance requires a clear sign of break-in to claim, so a remotely opened garage or other door would probably void house insurance (insurance companies have teams of people poring over claims looking for a way out).

No thanks..

Port forward is the same thing - it just exposes that particular port and service wide open to the public Internet.

I have not needed to port forward or use firewall UPnP on anything since I stopped using torrents about ten years ago. Everything seems to work fine. I use other means for my 'procurement' if necessary.

Just set up VPN and see how you go from there.

Even my laptop now auto-connects to VPN, I don't even notice it.
(As a side benefit, Diversion via the router now also blocks ads on my phone and laptop wherever I am - it's fantastic).
 
In case there is something new I don't know about: does the VPN server in Asus not need to have an open port for access? And when port forwarding, everyone should consider limiting the accessible IPs; in this case it should be limited to the TeamViewer server which sends the WOL packet.

I am using always-on IPSec between a few sites in different countries with fixed IPs (a mix of MikroTik, DrayTek, Cisco). Port forwarding (or more specifically, a hole in the firewall) is not dangerous if you know what you are doing; also, you can't avoid it in business. Sometimes a bug in the router is a bigger threat than a hole in the firewall.
I am using policy-based routing, so not all traffic goes through the VPN.

Now think about this: a VPN server or a WOL port open to the world, which one is the bigger threat?

Lastly, I never enable UPnP on any of my networks.

p.s. I am not sure about the Samsung smart hub, but most of these "smart devices" never need a port forward, and you can block new incoming connections and just allow established and related connections in iptables, or even better, allow only specific IPs to access it.
 
Basically it's all about where the traffic gets into the VPN and who the provider of the VPN is.
In short, when you enable the VPN server in router A, and use the VPN client in router B to connect to it, then router B will be able to access router A's network.

Most VPN clients in consumer routers will force all traffic to go through the VPN tunnel, so everything going through the router will go through the VPN too.

If you are using a client-based VPN client, such as the OpenVPN client for Windows, then only that PC's traffic will go through the VPN.

I am not misunderstanding what you mean by a web VPN server; usually it works like a proxy and will let only the "web" traffic go through the VPN; usually you can see these services require you to set your browser to use a local proxy.

p.s. In the real world it can be a more flexible setup, but normally it works like the above.
 

Thanks! I think I've got it now.

OE
 

Thanks! I think I'll try the Android VPN to home router setup to secure public WiFi use.

OE
 