How about we create a basic intrusion script

[dvohwinkel]

I have seen a few posts lately that got me to thinking about getting an alert that are router are possibly compromised would be good..

What I am thinking is record the values of certain settings and if they change then maybe send an email alert.
The questions is what should be consider suspicious changes?

To me the most obvious is..

1) Language change
2) ssh from WAN
3) GUI admin from WAN

What other changes would be suspicious?

I am thinking the script would check for a file with key values.. if that files doesn't exist then consider it the first run and create it with the values of those key setting.

If the file does exist then check the values in the file against the current config of the router.. if there are any changes send an alert.

Thoughts?

-Dave

 

[skeal]

I have seen a few posts lately that got me to thinking about getting an alert that are router are possibly compromised would be good..

What I am thinking is record the values of certain settings and if they change then maybe send an email alert.
The questions is what should be consider suspicious changes?

To me the most obvious is..

1) Language change
2) ssh from WAN
3) GUI admin from WAN

What other changes would be suspicious?

I am thinking the script would check for a file with key values.. if that files doesn't exist then consider it the first run and create it with the values of those key setting.

If the file does exist then check the values in the file against the current config of the router.. if there are any changes send an alert.

Thoughts?

-Dave

Skynet already does this except language change.

 

[dvohwinkel]

Skynet already does this except language change.

Awesome! that just made this easier Now to just get skynet to add in language changes.

 

[dvohwinkel]

does skynet do email notifications? not sure if this is feature creep on a firewall program.. let's see what @Adamm says.

 

[underdose]

Skynet already does this except language change.

But Skynet is not available for legacy models like RT-N66. A script for those models would be nice imho.

 

[martinr]

But Skynet is not available for legacy models like RT-N66. A script for those models would be nice imho.

Are you aware of the following?

“Unfortunately, to keep the project at a manageable level for a lone developer, I have decided to drop active support for the older MIPS platform, which means the RT-N66U and RT-AC66U. These will keep getting security/major fixes through the 380 legacy branch for at least a few months, but eventually they will be completely dropped. The decision to drop these two specific modelswas due to a few reasons:

https://www.snbforums.com/threads/end-of-year-2017-development-update.42965/

 

[underdose]

Are you aware of the following?

“Unfortunately, to keep the project at a manageable level for a lone developer, I have decided to drop active support for the older MIPS platform, which means the RT-N66U and RT-AC66U. These will keep getting security/major fixes through the 380 legacy branch for at least a few months, but eventually they will be completely dropped. The decision to drop these two specific modelswas due to a few reasons:

https://www.snbforums.com/threads/end-of-year-2017-development-update.42965/

I am, however end of custom firmware development for MIPS based routers doesn't mean that we can't get the type of script OP is asking, right?

 

[martinr]

I am, however end of custom firmware development for MIPS based routers doesn't mean that we can't get the type of script OP is asking, right?

100%. It’s just a question of who’s going to develop such a script. Those gifted developers who have such talents are usually too busy trying to keep on top of their existing mainstream projects.

 

[Adamm]

I am, however end of custom firmware development for MIPS based routers doesn't mean that we can't get the type of script OP is asking, right?

I think the real issue is now that development has stopped, there will always be an increasing amount of exploits these devices are vulnerable to. So you can try plug as many holes as possible with temporary solutions but the ship is going to sink eventually. The N66U for example is 7 years old, it had a good run.

Anyway, the OP has since moved on to Skynet which covers this aspect, but for a MIPS device the idea is essentially the same. You can more or less just copy/paste the same code from Skynet and modify it to your own needs.

Check_Security () {
    if [ "$securemode" = "enabled" ]; then
        if [ "$(nvram get sshd_enable)" = "1" ]; then
            logger -st Skynet "[WARNING] Insecure Setting Detected - Disabling WAN SSH Access"
            nvram set sshd_enable="2"
            nvram commit
            restartfirewall="1"
        fi
        if [ "$(nvram get misc_http_x)" = "1" ]; then
            logger -st Skynet "[WARNING] Insecure Setting Detected - Disabling WAN GUI Access"
            nvram set misc_http_x="0"
            nvram commit
            restartfirewall="1"
        fi
        if [ "$(nvram get pptpd_enable)" = "1" ] && nvram get pptpd_clientlist | grep -qE 'i[0-9]{7}|p[0-9]{7}'; then
            logger -st Skynet "[WARNING] PPTP VPN Server Shows Signs Of Compromise - Investigate Immediately!"
            nvram set pptpd_enable="0"
            nvram set pptpd_broadcast="0"
            nvram commit
            echo "Stopping PPTP Service"
            service stop_pptpd
            echo "Restarting Samba Service"
            service restart_samba
            restartfirewall="1"
        fi
    fi
}