I had two ac88u's hacked recently with last 384.5 firmware

[DonnyJohnny]

Someone at 185.200.118.xxx has recently started sending (from May 31) login attempts to my AC86U OpenVPN server. Only a few attempts per day which is interesting.

Installing add on like Skynet to blacklist these ip is a good form of preventive measure.
I used to use 443 port for testing purpose for my openvpn. There is a different between with and without Skynet on the number of attempt to knock the port.

 

[RMerlin]

You can block IPs/subnets through the Network Service Firewall.

I also have been getting a lot of connection attempts lately from 5.x.y.z and 185.x.y.z. I just block both subnets now.

 

[agilani]

You can block IPs/subnets through the Network Service Firewall.

I also have been getting a lot of connection attempts lately from 5.x.y.z and 185.x.y.z. I just block both subnets now.

using skynet or network services filter. What countries do these blocks belong to? I didn't see a way to specify a subnet through the network services filter. Any suggestions?

 

[HuskyHerder]

@agilani

A skynet ban would be main menu, option 2 (ban), option 2 (range) and input range be something like 5.x.x.x/z

 

[maxbraketorque]

You can block IPs/subnets through the Network Service Firewall.

I also have been getting a lot of connection attempts lately from 5.x.y.z and 185.x.y.z. I just block both subnets now.

I'm not sure I understand how to set this up properly. If I'm blacklisting IP ranges for the router OpenVPN server, then do I set the destination IP to the 192.168.1.1 (or whatever the private address is for the router)?

 

[kfp]

I'm not sure I understand how to set this up properly. If I'm blacklisting IP ranges for the router OpenVPN server, then do I set the destination IP to the 192.168.1.1 (or whatever the private address is for the router)?

Leave destination IP blank.

 

[bsdsource]

I would never leave SSH, UPnP or OpenVPN running on consumer grade routers for extended periods of time. Are sure this didn't originate from infected LAN computers? There's always unknown exploits in the wild too that aren't fixed until someone with enough knowledge identifies them and reports the vulnerabilities.

Check on LAN breaches.

 

[FreshJR]

Check on LAN breaches.

That’s harder than you think without any logging on the router or actively catching the infection in the act.

 

[maxbraketorque]

Leave destination IP blank.

I should leave the destination IP blank for the Network Services Filter in the ASUS firewall? The ballon help in the webui indicates using *.*.*.* to cover all IPs. I guess I'm also curious about how to fill out the port range. There is no guide for how to cover all ports. I guess I could use ">1", but seems like there should be something more intuitive than that.

 

[kfp]

I should leave the destination IP blank for the Network Services Filter in the ASUS firewall? The ballon help in the webui indicates using *.*.*.* to cover all IPs. I guess I'm also curious about how to fill out the port range. There is no guide for how to cover all ports. I guess I could use ">1", but seems like there should be something more intuitive than that.

I guess just use that then though I think leaving it blank should work too, same goes for ports.

I think the colon notation looks nicer

1:65535

 

[maxbraketorque]

I guess just use that then though I think leaving it blank should work too, same goes for ports.

I think the colon notation looks nicer

1:65535

Leaving everything blank except the source IP didn't work. Got another OVPN server access attempt last night from that same IP range. I still wonder if the network services filter actually works for blocking IP address ranges from seeing the router OVPN server.

 

[kfp]

Leaving everything blank except the source IP didn't work. Got another OVPN server access attempt last night from that same IP range. I still wonder if the network services filter actually works for blocking IP address ranges from seeing the router OVPN server.

And it doesn’t work with *.*.*.* either?

Edit: I didn’t mean leaving everything OTHER than source IP blank, I meant leaving source IP blank probably have the same effect as setting it to *.*.*.*

 

[System Error Message]

i suggest RMerlin's firmware and using IPTables. The first is that you'll want to whitelist your internet services, by that i mean DNS, NTP, DDNS, any service that your router uses. You need to white list them specifically, for example if you use google DNS, then only accept input from 8.8.8.8 source port 53 for UDP, doing the same manner of specific whitelisting before dropping the rest.

Never expose your SSH ports to the net because even if they are secure, people can DDOS your router as the act of brute forcing SSH causes the receiving devices to use up CPU. Rather than expose any service, use VPN, however i am seeing the VPN implementation to not be secure so instead, port forward and run another device internally as a VPN server but using one that has a better VPN implementation, maybe a raspberry pi 3, or something.

 

[maxbraketorque]

And it doesn’t work with *.*.*.* either?

Edit: I didn’t mean leaving everything OTHER than source IP blank, I meant leaving source IP blank probably have the same effect as setting it to *.*.*.*

Now I'm trying 1:65535 for source and destination port range, 185.200.*.* for source IP range and *.*.*.* for destination IP range. I'll see how that works.

i suggest RMerlin's firmware and using IPTables. The first is that you'll want to whitelist your internet services, by that i mean DNS, NTP, DDNS, any service that your router uses. You need to white list them specifically, for example if you use google DNS, then only accept input from 8.8.8.8 source port 53 for UDP, doing the same manner of specific whitelisting before dropping the rest.

Never expose your SSH ports to the net because even if they are secure, people can DDOS your router as the act of brute forcing SSH causes the receiving devices to use up CPU. Rather than expose any service, use VPN, however i am seeing the VPN implementation to not be secure so instead, port forward and run another device internally as a VPN server but using one that has a better VPN implementation, maybe a raspberry pi 3, or something.

Interesting the levels of protection that can be built-up. So far, I haven't seen a clear need for running Merlin's firmware, but if this level of protection is really needed these days, then maybe its time to reconsider.

Do you really think its important to not run the OVPN server in either the stock FW or Merlin's? My recollection is that Merlin is using an up-to-date implementation.

 

[Martineau]

Got another OVPN server access attempt last night from that same IP range. I still wonder if the network services filter actually works for blocking IP address ranges from seeing the router OVPN server.

I don't think the LAN-to-WAN Network Services Filter (NSFW chain) is appropriate - it's in the FORWARD chain whereas the OpenVPN server access is protected by the INPUT chain?

You could try manually replicating the GUI generated NSFW chain rule for both OpenVPN servers:
e.g.

iptables -I INPUT "$(iptables -nvL INPUT --line -t filter | grep -m 1 "$(nvram get nvram get vpn_server1_proto) dpt:$(nvram get nvram get vpn_server1_port)" | awk '{print $1}')" -s 185.200.118.0/24 -i $(nvram get wan0_ifname) -j logdrop
iptables -I INPUT "$(iptables -nvL INPUT --line -t filter | grep -m 1 "$(nvram get nvram get vpn_server2_proto) dpt:$(nvram get nvram get vpn_server2_port)" | awk '{print $1}')" -s 185.200.118.0/24 -i $(nvram get wan0_ifname) -j logdrop

or even in the dedicated OVPN chain.

 

[kfp]

Interesting the levels of protection that can be built-up. So far, I haven't seen a clear need for running Merlin's firmware, but if this level of protection is really needed these days, then maybe its time to reconsider.

Do you really think its important to not run the OVPN server in either the stock FW or Merlin's? My recollection is that Merlin is using an up-to-date implementation.

iptables is not exclusive to Merlin fork.

 

[akb]

Just an update, after reverting the changes on the two routers, all 7 are good again. I do not see anything strange going on on the log server either.

Will post if something new pop up.

 

[Goran]

You can block IPs/subnets through the Network Service Firewall.

I also have been getting a lot of connection attempts lately from 5.x.y.z and 185.x.y.z. I just block both subnets now.

Is this right done?

 

[System Error Message]

Now I'm trying 1:65535 for source and destination port range, 185.200.*.* for source IP range and *.*.*.* for destination IP range. I'll see how that works.



Interesting the levels of protection that can be built-up. So far, I haven't seen a clear need for running Merlin's firmware, but if this level of protection is really needed these days, then maybe its time to reconsider.

Do you really think its important to not run the OVPN server in either the stock FW or Merlin's? My recollection is that Merlin is using an up-to-date implementation.

Considering RMerlin's implementation is up to date and if he is compiling from source and adding separately rather than using ASUS preincluded stuff, perhaps. In the log however the hack happens wiithout requiring a login by having a TCP connection established. You can just use UDP only with openVPN but as long as the implementation is not faulty it should work well.

 

[RMerlin]

Is this right done?

No. You want to block the source IP, not the destination.

Also note the limitation mentioned by Martineau - this will protect you if you have forwarded ports, but not if the target is the router's built-in OpenVPN service.