What can we do to protect people from access via WAN?

[Yota]

Just Google it and you will see a lot of people turn on access from the WAN. we can't teach everyone to use the VPN, but we can do something in the firmware, to protect them.

For example, two years ago, I gave my country friend an asus rt-ac68u router and flashed the latest Merlin firmware for him. Since then, every time I go to his house I will help him upgrade the firmware because he is old and doesn't want to learn these things. One day he called me and he said that his router might have been broken by his kid. then I went there and his kid just accidentally turned off the wifi, not a big deal.
However, I never enabled WAN access for him because I don't think he needs it, and this is more secure for him. When I checked the settings, I found that WAN access was enabled and it turned out that his kid enabled it using the asus router app.

What frightens me is that this is Merlin firmware, which means that anyone can easily run scripts. think about it, if someone accessed via WAN, hacked into the Merlin firmware router, and then implanted a malicious script. I think if wifi works, no one will find it. because most people who turn on WAN access don't care about security. they don't check for suspicious scripts in the JFFS directory and don't even know how to disable SSH.

So what can we do to protect these people.

Can we design an obvious reminder sign to remind people that you have enabled WAN access, SSH and the custom scripts? and if the router has scripts installed, can we remind people that you have custom scripts in your router? and if SSH is not disabled because of the installation script, can we remind people don't forget to disable the SSH? I think even a small and kind reminder will protect many people.

A concept picture:

I fully support the flexibility and openness of Merlin firmware, but don’t let it be a stumbling block for our security, thank you.

 

[Frankflash]

easy fix dont install scripts full stop

 

[Yota]

Perhaps it's another good idea to only allow scripts from trusted sources to run silently, unreliable sources will be warned and even run in development mode only. I know this idea maybe too radical, so I still want a kindly reminder in GUI.

 

[Yota]

easy fix dont install scripts full stop

You just turn on WAN access then set a password that is easy to guess. and the bad guys will help you install scripts.

 

[Frankflash]

then keep ssh turn off them simple as that

 

[Yota]

then keep ssh turn off them simple as that

Suppose a hacker has added a malicious script to your router JFFS, and you just now turn off SSH, but no avail. guess why? because you didn't disable custom scripts and configuration, more important is that you did not delete the malicious script.

 

[Frankflash]

well if you were silly enough to let a hacker added a Malicious script in the first place who fault that

 

[thelonelycoder]

Just Google it and you will see a lot of people turn on access from the WAN. we can't teach everyone to use the VPN, but we can do something in the firmware, to protect them.

For example, two years ago, I gave my country friend an asus rt-ac68u router and flashed the latest Merlin firmware for him. Since then, every time I go to his house I will help him upgrade the firmware because he is old and doesn't want to learn these things. One day he called me and he said that his router might have been broken by his kid. then I went there and his kid just accidentally turned off the wifi, not a big deal.
However, I never enabled WAN access for him because I don't think he needs it, and this is more secure for him. When I checked the settings, I found that WAN access was enabled and it turned out that his kid enabled it using the asus router app.

What frightens me is that this is Merlin firmware, which means that anyone can easily run scripts. think about it, if someone accessed via WAN, hacked into the Merlin firmware router, and then implanted a malicious script. I think if wifi works, no one will find it. because most people who turn on WAN access don't care about security. they don't check for suspicious scripts in the JFFS directory and don't even know how to disable SSH.

When I checked my friend's router, I saw that SSH only LAN was enabled, which shocked me a bit. but I don't see any malicious scripts. In fact, SSH may be enabled by me before because I installed some great scripts, like Skynet and Diversion for my friend.

So what can we do to protect these people.

Can we design an obvious reminder sign to remind people that you have enabled WAN access, SSH and the custom scripts, and if the router has scripts installed? can we remind people that you have custom scripts in your router, and if SSH is not disabled because of the installation script? can we remind people don't forget to disable the SSH? I think even a small and kind reminder will protect many people.

A concept picture:
View attachment 21971

I fully support the flexibility and openness of Merlin firmware, but don’t let it be a stumbling block for our security, thank you.

That kid had the routers password, which IS the root of the problem. This password allows any changes on the router to be made from within the LAN as it has admin rights. Change the password and maybe also the default username 'admin' to something more complicated and keep that info to yourself.

 

[Yota]

That kid had the routers password, which IS the root of the problem. This password allows any changes on the router to be made from within the LAN as it has admin rights. Change the password and maybe also the default username 'admin' to something more complicated and keep that info to yourself.

That's not my router, so I don't own the password, in fact the username and the password are on the sticker on the back of the router. I recommend this idea to my friend because it is easy for me to help him upgrade the firmware every time.

I mean, if someone has a Merlin firmware router and WAN access is enabled, this will cause a lot of problems, and this is the point of this thread. because there was no obvious reminder that no one knew that the WAN access was turned on and even don't remember it's enabled, because there were hundreds of settings there, and no one would check them every day.

And thanks for your reply.

 

[Jack Yaz]

That's not my router, so I don't own the password, in fact the username and the password are on the sticker on the back of the router. I recommend this idea to my friend because it is easy for me to help him upgrade the firmware every time.

Use a password manager like Keepass. Sticking admin info to the router is hilariously bad security practise.

 

[Jack Yaz]

I mean, if someone has a Merlin firmware router and WAN access is enabled, this will cause a lot of problems, and this is the point of this thread. because there was no obvious reminder that no one knew that the WAN access was turned on and even don't remember it's enabled, because there were hundreds of settings there, and no one would check them every day.

Using the Skynet script https://www.snbforums.com/threads/release-skynet-router-firewall-security-enhancements.16798 ,by default, shuts WAN access to prevent the user from causing themselves trouble.

 

[Yota]

Use a password manager like Keepass. Sticking admin info to the router is hilariously bad security practise.

Trust me, Non-electronic storage is a safer way. and another reason is I don't want to own the password, and he didn't want me to ask him for the password every time.

Using the Skynet script https://www.snbforums.com/threads/release-skynet-router-firewall-security-enhancements.16798 ,by default, shuts WAN access to prevent the user from causing themselves trouble.

I know, but this example means hoping to be alerted in the gui.

 

[Jack Yaz]

Trust me, Non-electronic storage is a safer way.

One day he called me and he said that his router might have been broken by his kid. then I went there and his kid just accidentally turned off the wifi, not a big deal.

That's not my router, so I don't own the password, in fact the username and the password are on the sticker on the back of the router. I recommend this idea to my friend because it is easy for me to help him upgrade the firmware every time.

I'm not convinced

 

[Yota]

I'm not convinced

You are right, I may need to solve this problem, but I know how to solve it, and I am more concerned about the people who enable WAN access without this problem. :thinkingface: <-- and one more question, please can you tell me how do I enter emoticons? EDIT: Found the way, thanks guys.:ROFL: EDIT: <-- not work? EDIT:

Thanks for your reply.

 

[OzarkEdge]

I setup routers for friends and family. I use stock firmware that doesn't run scripts. I secure the router. I give them a printed copy of all of the router details including non-default settings and admin credentials. I tell them not to use any admin apps. And I don't leave admin credentials posted in the clear.

I never hear back from them. If I visit, I'll check and upgrade the router firmware, if it's time.

If the owner permits their kids to login to their router, that's their problem.

OE

 

[Ronald Schwerer]

I am more concerned about the people who enable WAN access without this problem

I think of them as "low hanging fruit". The more of them there are, the less chance a determined hacker will spend time trying to get into my "protected" router using some new vulnerability.

 

[dev_null]

Another contributing factor is the Asus Router app. I don't expect that many on this forum use it, but out of curiosity I loaded it just to see what it did.

Under the "Insights" tab, the app "encourages" the user to "Enable Remote Connection when you are away from home" without providing details on the risks.

The app also notes that the admin password is strong/not strong, but doesn't do an adequate job of explaining either.

But this is not strictly a user-space issue (well it is, but it is caused in part by non-user misinformation).

 

[Yota]

I use stock firmware that doesn't run scripts.

Even with the stock firmware, it still has a persistent JFFS partition, and you can run anyscripts using nvram variables. Don't ask me how to know that, I'm not a hacker. The stock firmware even once had a webui terminal page, and bad guys could even run any command using a browser cross-site script. Merlin was the first to remove the page. so many security fixes and updates, It's more secure than stock, which is why I use Merlin firmware.

I give them a printed copy of all of the router details including non-default settings and admin credentials. I tell them not to use any admin apps. And I don't leave admin credentials posted in the clear.

Another contributing factor is the Asus Router app. I don't expect that many on this forum use it, but out of curiosity I loaded it just to see what it did...

I done the same thing. but, I will not stop them from using the asus router app because it is not my business and I think I paid for the development of this app, so why should I reject it? even it is really bad.

If the owner permits their kids to login to their router, that's their problem.

Absolutely agree, so my question is not about that kid, but protecting countless people who have unwittingly turned on WAN and SSH.

Thanks for your reply.

 

[Yota]

I think of them as "low hanging fruit". The more of them there are, the less chance a determined hacker will spent time trying to get into my "protected" router using some new vulnerability.

Hello 911, we have a bad guy here. lol

 

[RMerlin]

Enabling WAN access will show an alert, warning you of the risks.