[Security] - reminder to stay secure

[sfx2000]

Seeing chatter on the threads where folks are suspecting their Asus routers may be compromised...

From SecurityFocus/Bugtrak - this is from the 2013 incident, but bodes well today...

Mitigation and temporary fixes:

- Users need to be alerted to turn off AiCloud service immediately
- All Web access to both the http and https need to be halted until proven safe
- UPnP services need to be turned off
- Disable FTP and Samba services until the problem is fully understood/patched if possible
- Enable the built in firewall, change authentication to be MD5 hashed
- CHANGE THE DEFAULT USERNAME AND PASSWORD!!!!
- End Users should try to avoid using the default gateway of 192.168.1.1 and pick something unusual
- Turn off IPSEC, PPTP and the other NAT passthroughs if the VPN is not explicitly being utilized
- Not clear if this is related to AsusWRT factory firmware only, or third parties are also impacted​

I would add ensure that WAN facing SSH/Telnet be disabled for the the moment, pending outcome of investigation by Asus and the Third Party community.

As additional steps - use the WebGUI sparingly - log in to check status/make changes, but then logout and Quit the Browser - additionally, when using the WebGUI. I would be careful not to have other Windows/Tabs open in the same browser.

I would even go as far as removing any external USB shared devices for now, and ensuring that SMB/FTP/AFP/NFS services are turned off.

Might also consider Entware/Optware packages - if not absolutely needed, it's not recommended to have them on board...

Please, be safe out there!

 

[Wutikorn]

I would like to add, just use Ctrl+F and search for "Password auth succeeded" in system logs. If any line show "Password auth succeeded" with unknown IP at the back, then it is likely that the router had been hacked.

For example, this was what happened to mine:

dropbear[18810]: Password auth succeeded for 'admin' from 37.8.101.9:50693

37.8.101.9 IP is not my country's IP, so I think my router was hacked.

Edit: Another specific setting that one will see in this attack is that SSH setting has been changed to WAN+LAN on port 2222. If you see this setting, and don't remember doing it, then your router is likely be compromised.

 

[martinr]

I would like to add, just use Ctrl+F and search for "Password auth succeeded" ....

Do you search (Ctrl F) on the sysllog page in the GUI or are you exporting/accessing the logfile another way? If on the syslog page does Ctrl F find entries not visible in the window? I've only tried a search on an Apple device so far - not a great success.

 

[Wutikorn]

Do you search (Ctrl F) on the sysllog page in the GUI or are you exporting/accessing the logfile another way? If on the syslog page does Ctrl F find entries not visible in the window? I've only tried a search on an Aplle device so far.

I searched in System log page in the GUI using Windows 10 device through Chrome. It will search all text in the log file without us having to scroll up and down, not sure if this is what you asked. you can also try searching another common words to see if, in your browser, it searches the whole thing or just a visible one. Chrome tells how many of that phrase was found and link me to each of it without me having to manually scroll up/down to find.

 

[VANT]

Info from Jun 22 2013
Still not fixed ????

 

[swetoast]

urgh this is just fear mongering... turn off ssh from outside dont have shirt open towards the outside like admin interface etc and you will be just fine ..

 

[martinr]

I searched in System log page in the GUI using Windows 10 device through Chrome. It will search all text in the log file without us having to scroll up and down, not sure if this is what you asked. you can also try searching another common words to see if, in your browser, it searches the whole thing or just a visible one. Chrome tells how many of that phrase was found and link me to each of it without me having to manually scroll up/down to find.

Works a treat on a Windows device. Many thanks for such a simple tip.

 

[swetoast]

here is the deal with any security tip, they tell you that turn off this and that but even with that your only as secure as your last update.. cause lets face no software is secure they all have flaws and there is only one golden rule too all of this that is how you as the end user set it up.

opening up services is a calculated risk, its as simple as that.

having ssh open torwards the net is imho dumb but you can secure it with 2 step verfication or keys that it one way to strengthen it having only password is like asking for trouble.

as for samba on a router well im not a fan either you have a NAS or you dont use smb from a comp cause mostly updates are horrible and trailing until something bad is discovered like badlock a couple of years ago.

so again there are just calculated risks when doing stuff on the net no real security exists doesnt matter what platform your running.

 

[Wutikorn]

Info from Jun 22 2013
Still not fixed ????

I don't think it is the same issue. I'm not sure if the linked issue was fixed, but since there is new problem, sfx just quoted fixes that normally help in most of the case.

 

[sfx2000]

Info from Jun 22 2013
Still not fixed ????

That one was fixed - but the advice rings true even today -- basically be very mindful of what services are running, which services/ports are exposed on the WAN side, and browsers are all targets - good passphrase practices are also a big one...

One of the other vendors has been beat up pretty hard over the last month, and many of those gaps can be covered by similar means as above...

 

[sfx2000]

here is the deal with any security tip, they tell you that turn off this and that but even with that your only as secure as your last update.. cause lets face no software is secure they all have flaws and there is only one golden rule too all of this that is how you as the end user set it up.

opening up services is a calculated risk, its as simple as that.

Part of the challenge here is that it's relatively easy to set up and configure these services, however, many users/customers may not fully grasp the potential consequences of doing so...

And many aren't aware of tools that they can use proactively to scan their own network (load up nmap on a laptop and go to the local coffee shop) to see first hand what might be exposed..

Even then, NMAP can only look for what it knows about, and interpreting the results does take some foreknowledge.

 

[swetoast]

thats why everyone should take the time to RTFM just because something is cool or good doesnt mean that you shouldnt know what it can or cant do and if it has features what the perks are or the drawback.

if a user has SSH open towards wan then either that person has a relatively good grasp on security or is a jackass that didnt know how vulnerable it is, ive seen the hacked posts and im sorry but they made me chuckle cause a simple password is so easy to hack. Why these users thought it was a good idea to have SSH open beats me cause nothing is worth having it open on was then it might be better to set up a openvpn tunnel instead and then securing it that way.. less hackable.

as for users scanning their own net i would more recommend Nessus instead of NMAP that gives better advice on how vulnerable you are.

so here is the point of my little rant just because the option is there doesnt mean you have to have it enabled

ohh and here is a good link for nessus
http://www.tenable.com/products/nessus-home

play around and see how messed up your stuff is

 

[SoCalReviews]

Now that devices are being locked down with more security router hacking is the next major front in the war on individual privacy. Most users aren't going to have any idea or desire to fiddle with their router default settings with the exception of changing the admin logon and password.

I hope the major router manufacturers address these concerns and take security more seriously than ever before it gets completely out of control.

 

[Xentrk]

I would like to add, just use Ctrl+F and search for "Password auth succeeded" in system logs. If any line show "Password auth succeeded" with unknown IP at the back, then it is likely that the router had been hacked.

For example, this was what happened to mine:

dropbear[18810]: Password auth succeeded for 'admin' from 37.8.101.9:50693

37.8.101.9 IP is not my country's IP, so I think my router was hacked.

I never thought of doing it that way but it works! I normally open up a ssh session and issue the command "cat syslog.log | grep msg" where msg is the keyword being search for from/jffs directory. Or, just open up the log in an editor.

So this makes me ask what is the recommended settings for logging in the Administration, System tab to see the "password auth succeeded" message. I have "default message log level" and "Log only messages more urgent than" set to "warning". I don't have any outside services open so not too worried. The options available are alert, critical, error, warning, notice, info, debug and all.

 

[sfx2000]

Might also consider Entware/Optware packages as possibly being suspect - if not absolutely needed, it's not recommended to have them on board...

I need to back off on the comment about entware/optware as being suspect - they're fine as they are - but having these package managers does make it much more interesting for a hacker to grab additional tools via the package manager vs. having to be more creative - and we don't need to make things any easier for the bad guys.

If one not exposing services hosted on the router itself to the WAN, then entware/optware is fine...

Just understand the risks and potential consequences with anything done on the GW/Firewall itself.

 

[swetoast]

please do... the work that the entware managers do is vital for hobbiest again its just stupid to fear monger..

anything is exploitable, nothing is secure its all about risk and reward.. so if a user isnt that techical maybe they should ask if they really need additional packages on their router like entware.

 

[sfx2000]

the work that the entware managers do is vital for hobbiest again its just stupid to fear monger..

anything is exploitable, nothing is secure its all about risk and reward.. so if a user isnt that techical maybe they should ask if they really need additional packages on their router like entware.

One shouldn't be doing "hobby" things on the bullwark of one's own LAN security without understanding what they're doing...

In any event, there are better platforms to do those "hobby" things with more RAM and storage capabilities - and they're more modern to boot...

 

[swetoast]

well we cant all get what we want can we so in the meanwhile we settle with the things we got.

im not recommending every user to run any of my scripts here on the forum i dont claim i can stop every malware attack on their router with the blocking script i made.. its an additional layer that comes with the risk / reward of installing a package handler like entware or simply just letting the script run and configure the firewall.

the software is only as good as its last update and its a shame that we are on that old kernel on asuswrt but there isnt much to do about that cause i dont think @ASUS_ASUSWRT cares what i think.

personally my favorite firmware isnt merlin its Padavan.

my plan is to scrap my asus router in the future for something better whatever that is but i want it to be opensource so i can follow progress and not have proprietary stuff that i dont have control over inside the router.

again its all about the risk and reward and the knowledge.

 

[sfx2000]

All good - advice I provided is not "fear mongering" but intended for the better...

Anyways - RMerlin's firmware builds are pretty solid, as are the factory builds for the most part - and Asus, I've been hinted here on the forums, is going down a different path perhaps...

As for me - I'm a ex-developer/systems engineer/product dev/architect guy, and have self-funded something entirely new...

So you can do padovan or whatever... perhaps DDWRT or OpenWRT are your friends here...

But do not call me a fear monger for stating basic advice that most should consider...

 

[kvic]

personally my favorite firmware isnt merlin its Padavan.

Padavan raised my eyebrows when I heard "wireless client mode" was made possible on Asus routers. If I have to name one feature that how 3rd party developers achieves it..that'll be it.

Look..I used to hear ppl come here to ask for "wireless client mode" on asuswrt/merlin, it still isn't available.