August 11, 2011
The latest news on the security front is the "psyb0t" worm. This is the first known case of a worm that infects routers and creates a botnet. At last count, one group of security researchers estimated that over 100,000 routers had been affected. You can get all the gory details from my Security Corner blog (http://itknowledgeexchange.techtarget.com/security-corner/worm-targets-home-networking-equipment/) and these articles:
What you should do
1. Power cycle your router.
2. Disable WAN-facing telnet, SSH or web-based configuration interfaces.
3. Change the passwords to something unguessable (see this article: http://www.davescomputertips.com/articles/security/create_and_use_an_unguessable_password_pt2.php).
4. Upgrade to the latest firmware.
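A way to verify step 2 on your own router, as an added example that is not part of the original post: it tries a TCP connection to each management service and reports whether the port is open, closed or filtered. The port numbers are the services' standard defaults, which is an assumption; a router may use others.

```python
import socket
import sys

# Management services named in step 2, on their standard ports
# (assumption: your router has not moved them to other ports).
MGMT_PORTS = {23: "telnet", 22: "ssh", 80: "http admin", 443: "https admin"}


def check_port(host, port, timeout=3.0):
    """Return 'open', 'closed' or 'filtered' for one TCP port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # something accepted the connection
    except ConnectionRefusedError:
        return "closed"          # host answered, nothing is listening
    except OSError:
        return "filtered"        # timeout or unreachable: dropped on the way


def audit(host, ports=MGMT_PORTS, timeout=3.0):
    """Map each management port to its state as seen from this machine."""
    return {port: check_port(host, port, timeout) for port in ports}


def exposed(results):
    """Ports that accepted a connection and should be disabled on the WAN side."""
    return sorted(port for port, state in results.items() if state == "open")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_router.py <your-router-public-ip>")
    results = audit(sys.argv[1])
    for port, state in sorted(results.items()):
        print(f"{port:>5}  {MGMT_PORTS[port]:<12} {state}")
    if exposed(results):
        print("Reachable management ports:", exposed(results))
        print("Disable WAN-facing access to these in the router settings.")
    else:
        print("No management port answered from this vantage point.")
```

Run it from a machine outside your own network against your router's public address; run from inside the LAN, it reports what the LAN side sees, which is normally expected to be open.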
Wow, I did some reading on this. Looks like a couple providers sent out quite a few routers with WAN side access to the web interface and SSH telnet access enabled. Of course with the default password of "admin". What were they thinking?! Who would enable SSH and telnet, knowing most users don't even know what it is? Amazing.
Hey Ken - I just changed my router's access password from 'admin' to 'Jimmysvistamachine'..........just kidding!!
I was told very early on to always change the password from default to something, anything else....and preferably very difficult to guess.
Okay Dave - I put my hand up. So what are 'WAN side access' and 'SSH telnet access'? Since I am among the 'most users who don't even know what it is'...please enlighten.
August 11, 2011
"WAN side access" means there's a way to access the configuration screens of the router from the Internet. Not a good thing if it's enabled by default. WAN stands for Wide Area Network--in this case, it's all the computers on the Internet--as opposed to LAN which stands for Local Area Network--all the computers in your home or business that are connected to the router.
SSH stands for Secure SHell. It's a way to connect to a remote device so that your login, password, and any information flowing on the connection is encrypted making it impossible to sniff out anything of value. Telnet stands for TELecommunications NETwork. It's the unsecure way to connect to a remote device, as everything is transmitted both directions in clear text. Anyone sniffing a telnet session can see everything going back and forth.
So, armed with that information and knowing what the default password is, anyone can connect to a router that has these outside connection interfaces open. And that's exactly what the writer of psyb0t did. Once connected, he was able to dump his malware into the router's operating system and make it join the botnet.
If you want to see telnet at work, open a command prompt and type "telnet smtp.fuse.net 25"; the server will connect to you. Type "HELO kennyhart.com" and watch the server open up an Internet mail session.
Hope this helps.
Only for you Jim!
LAN - Local Area Network. This is everything on your side of a router or switch. All of your connected computers reside on the same LAN (generally in home use).
WAN - Wide Area Network. Almost everything else with an internet connection is on your WAN! It's more complicated than that, but that pretty much sums it up. Businesses can be connected by a WAN with remote locations, etc.
Think of your Router as the door to your house, only in this case the door is monitored by a doorman (no tips required). The doorman monitors the doorway and controls who enters and leaves your home.
Every connected computer inside your home is your LAN. Computers on the LAN do not necessarily have to have internet access. Every internet connected computer outside of your home is the WAN, usually a connection provided by your ISP. In the case of the internet this is quite a few million computers, each of which can access your 'door' (router or single PC) if they know or guess your IP. That is one of the most important reasons to run a router, so it can control access to your LAN from the WAN.
Telnet - Telecommunication Network. Basically a command line interface to the machine you are connected to, generally using port 23, that generally does not require authentication and is not quite so secure.
SSH - Secure Shell. Originally designed to replace telnet in the mid 90's, hence the 'secure' in Secure Shell, and generally uses port 22. SSH does require authentication.
Think of these as a way to issue commands to a remote computer. Another way to look at these is - imagine a super powerful version of WinVNC/UltraVNC that uses a command line interface. If you have Telnet or SSH access to a computer, switch, or router (routers and switches are slimmed down computers - many run a version of Linux) you have access to everything beyond that device in one way or another. NOT a good thing! Don't get me wrong. SSH has many useful purposes (managing remote computers and servers), but allowing access to the wrong thing will get you in a world of hurt in a hurry.
Sorry Ken! I just hit reply after Jim's msg. I'm a goofball.
August 11, 2011
ozbloke wrote: "Wow, thanks guys.....great explanations, both. Now I fully understand Ken's advisory and the amazement you expressed in your post Dave....seems too stupid to be true!!!"
Glad to help, as always, Mate! And I agree--great job, Dave.