The dangers of leaving your modem firewall with default password anduser id


R

RayLopez99

admin, password. Good, bad or indifferent? Assume some software AV suite exists in place.

RL
 
Ad

Advertisements

D

Dustin

admin, password. Good, bad or indifferent? Assume some software AV
suite exists in place.
Bad idea. Malware can login to your router and make changes to it's
settings. This is one way in which DNSChanger ensured it had control.

Change the default admin password.
 
F

FromTheRafters

RayLopez99 said:
admin, password. Good, bad or indifferent? Assume some software AV suite exists in place.
Always change it from the defaults. AV is irrelevant to this issue.
 
R

RayLopez99

Always change it from the defaults. AV is irrelevant to this issue.
Well I'm hardly the expert you are or claim to be, but since a software AV is essentially a software firewall (or at least we can agree it's often found in the same suite) I don't see why it's irrelevant, unless you are making a Dave Lipmann type of grammatical distinction between software firewall and AV. So I would conclude from your statement that it's best to have 'belts and suspenders' by having a hardware firewall in place, rather than rely on a s/w firewall only, so I'll take the final answer as "bad". Thanks for your input.

RL
 
R

RayLopez99

Bad idea. Malware can login to your router and make changes to it's
settings. This is one way in which DNSChanger ensured it had control.

Change the default admin password.
OK then, thanks. The next question Mr. Dustin is what the password length should be? I figure 8 lowercase letters (including 1 number at least) is 'good enough', since somewhere I read it takes several hours to crack such apasscode. By that time the bad guys will have moved on to lower lying fruit to pick somewhere else on the ether, correct?

I know in theory I should be using 15 hexdecimal units or whatever but I like to use easy to remember phrases.

RL
 
F

FromTheRafters

Well I'm hardly the expert you are or claim to be, but since a
software AV is essentially a software firewall (or at least we can
agree it's often found in the same suite) I don't see why it's
irrelevant,
It doesn't protect the modem/firewall/router - it's a separate device.
unless you are making a Dave Lipmann type of grammatical distinction
between software firewall and AV.
Well ... they *are* entirely different things.
So I would conclude from your statement that it's best to have 'belts
and suspenders' by having a hardware firewall in place, rather than
rely on a s/w firewall only, so I'll take the final answer as "bad".
The hardware firewall aspect of the router/modem isn't the only thing
exposed by leaving the defaults in place.
Thanks for your input.
You're welcome.

Incidentally, my cable company didn't mention *any* of the proper
security measures for setting up their equipment in their little
do-it-yourself booklet.
 
Ad

Advertisements

D

David H. Lipman

From: "RayLopez99 said:
Well I'm hardly the expert you are or claim to be, but since a software AV is
essentially
a software firewall (or at least we can agree it's often found in the same suite) I
don't
see why it's irrelevant, unless you are making a Dave Lipmann type of grammatical
distinction between software firewall and AV. So I would conclude from your statement
that it's best to have 'belts and suspenders' by having a hardware firewall in place,
rather than rely on a s/w firewall only, so I'll take the final answer as "bad". Thanks
for your input.

RL
The AV software resides on a computer and is mutually exclusive to the Router (not modem
unless it is a modem that has a Router addded to it). The router sits on both the WAN and
LAN and thus the attack can come from either interrnal or external forces.

Thus to harden a Router a Strong Password should be used on the Router to replace the
default.
http://en.wikipedia.org/wiki/Password_strength

The Router can be further hardended by disabling replies to ICMP packets as well as
disabling adminstration from the WAN POV.
 
P

(PeteCresswell)

Per RayLopez99:
The next question Mr. Dustin is what the password length should be? I figure 8 lowercase letters (includi
I'm not Mr Dustin... But I use the dead pet system of password
generation.

The name(s) of one or more dead pets in propercase plus three
digits.

Easy to recall, and I haven't been burned yet (to my knowledge,
at least).

Maybe somebody who knows can comment on the relative security of
PWs concocted thusly...
 
F

FromTheRafters

(PeteCresswell) said:
Per RayLopez99:

I'm not Mr Dustin... But I use the dead pet system of password
generation.

The name(s) of one or more dead pets in propercase plus three
digits.

Easy to recall, and I haven't been burned yet (to my knowledge,
at least).

Maybe somebody who knows can comment on the relative security of
PWs concocted thusly...
Mediocre. Most strong algorithms for password creation require $p3c14l
characters also be used.

I do something very similar to what you do, but include some special
characters in a way that I can remember.
 
R

RayLopez99

Incidentally, my cable company didn't mention *any* of the proper
security measures for setting up their equipment in their little
do-it-yourself booklet.
Yes, and in fact my installer in fact specifically told me to 'keep the defaults since it's easier for us to service the modem if you have a problem' (which got me suspicious as to whether he was going to somehow break in, since he had the default password for the wireless portion of the modem, and I know that resetting the password on the hardware is easy using a needle and the reset hole). So I changed the defaults.

RL
 
D

Dustin

OK then, thanks. The next question Mr. Dustin is what the password
length should be? I figure 8 lowercase letters (including 1 number
at least) is 'good enough', since somewhere I read it takes several
hours to crack such a passcode. By that time the bad guys will have
moved on to lower lying fruit to pick somewhere else on the ether,
correct?
I don't know why it would take several hours to run lower case
alphanumeric' in a set of 8 digits. Your router is pretty fast and
doesn't know when to stop letting me try... :) I really don't think a
couple of hours is accurate anymore on that one Ray. Even if it is, do
you really want to chance a malware sample being able to brute force
it's way in within a couple hours of you not noticing it's around?

Atleast use 10-12 characters, upper/lowercase mix with some numbers
and/or other characters in between.

If you forget the damn thing, you can always hit the reset button on the
back of the router. :)
I know in theory I should be using 15 hexdecimal units or whatever
but I like to use easy to remember phrases.
Are you confusing the wifi security passphrase with the admin login for
router configuration?
 
Ad

Advertisements

D

Dustin

Yes, and in fact my installer in fact specifically told me to 'keep
the defaults since it's easier for us to service the modem if you
have a problem' (which got me suspicious as to whether he was going
to somehow break in, since he had the default password for the
wireless portion of the modem, and I know that resetting the password
on the hardware is easy using a needle and the reset hole). So I
changed the defaults.

RL
Easier for them to service... Heh, Yea.. I'll bet it is. :)
It's not really breaking in if he has a copy of the keys...
 
P

(PeteCresswell)

Per Dustin:
Your router is pretty fast and
doesn't know when to stop letting me try... :)
Might there be a logical switch on some routers that, when set,
does not allow access over the WAN? Seems logical...
 
D

Dustin

Per Dustin:

Might there be a logical switch on some routers that, when set,
does not allow access over the WAN? Seems logical...
I'm sure there is. Mine is configured to let a local box hardlined to it
only configure it.

However, When I mentioned the brute force attack I was considering it from
inside the network. There is no switch AFAIK, that would prevent that. One
way you could put an end to it tho is to make the router ask 3 times for
the correct login and when it fails, keep asking, but even if I get it
right, dont let me in. Say, having to wait 20 minutes before you can try
again with the right password. This would make things very hard on the
brute forcing.

Even if it did score the right password, it probably wouldn't get it in
the 3 valid tries.
 
R

RayLopez99

I don't know why it would take several hours to run lower case
alphanumeric' in a set of 8 digits. Your router is pretty fast and
doesn't know when to stop letting me try... :) I really don't think a
couple of hours is accurate anymore on that one Ray. Even if it is, do
you really want to chance a malware sample being able to brute force
it's way in within a couple hours of you not noticing it's around?
You may be right--the Wikipedia site David Lippman linked to suggests that a graphics card, modified, can crack a 10 digit password in one day. Which raises the question: if a hacker can get past your physical firewall on your modem/router, and assuming he CANNOT get past your PC software firewall,what damage can he do? Not much? Unless you assume he can fiddle with your hardware firewall settings to annoying things like set up 'parental filters' so you cannot surf porn? But other than that, he can't redirect you to malware sites from legitimate sites like bankofamerica.com, correct?
Atleast use 10-12 characters, upper/lowercase mix with some numbers
and/or other characters in between.
Apparently 10 digit characters plus numbers can be cracked in a day by a dedicated (graphics card) controller, see the Wikipedia link to passwords by Lippman in this thread.
Are you confusing the wifi security passphrase with the admin login for
router configuration?
Yes, probably, though it raises the issue of whether a wired connection is more secure than a wireless connection, which I will raise in another thread.

RL
 
D

Dustin

You may be right--the Wikipedia site David Lippman linked to suggests
that a graphics card, modified, can crack a 10 digit password in one
day. Which raises the question: if a hacker can get past your
physical firewall on your modem/router, and assuming he CANNOT get
past your PC software firewall, what damage can he do? Not much?
Unless you assume he can fiddle with your hardware firewall settings
to annoying things like set up 'parental filters' so you cannot surf
porn? But other than that, he can't redirect you to malware sites
from legitimate sites like bankofamerica.com, correct?
If he can reconfigure the hardware router, he can redirect you to any
page he wants by adding dns servers that your network will follow if it
relies on the router to do all the networking.

The software firewall isn't going to have any control over the dns
servers your systems are tricked into using.
Apparently 10 digit characters plus numbers can be cracked in a day
by a dedicated (graphics card) controller, see the Wikipedia link to
passwords by Lippman in this thread.
Like I said... strong, long passwords are a wise wise idea these days.
Yes, probably, though it raises the issue of whether a wired
connection is more secure than a wireless connection, which I will
raise in another thread.
It's not an issue for me. I know that hardline is more secure. I have my
router forced to only allow login from a hardline. It doesn't matter
what they try over wifi, they cannot reconfigure the router from there.
They must be linked via a physical cable.

That requires them inside my house and still breathing. :)
 
Ad

Advertisements

R

RayLopez99

It's not an issue for me. I know that hardline is more secure. I have my
router forced to only allow login from a hardline. It doesn't matter
what they try over wifi, they cannot reconfigure the router from there.
They must be linked via a physical cable.
But you suppose that only you can only access the firewall from your PC when you type http://127.0.0.1:10000 ? That you cannot access it from the ISP server on the outside? That is your assumption, and perhaps your Achilles Heal my friend.

RL
 
D

Dustin

But you suppose that only you can only access the firewall from your
PC when you type http://127.0.0.1:10000 ? That you cannot access it
from the ISP server on the outside? That is your assumption, and
perhaps your Achilles Heal my friend.
The router is configured not to allow access via the WAN or wireless
side. There is no assumption on my part. Unlike yourself, I've been
doing this a long time and understand what's going on. You tend to make
bad assumptions.

You must be logged in via the LAN side, connected to a physical port on
the back of my router in order to see the login screen. I have no such
port 10000 for remote configuration, as I've told you previously. Either
hardwired in, on the LAN side, or no ****ing access. Period.

I don't suppose anything. I know. I configured it myself, I've verified
it. It will absolutely not allow you login to it and configure ANYTHING
unless you are plugged into a local port.

My ISP is on the WAN side. they have NO access.

I don't mind answering your newbie questions, but don't take a high
class tone with me. I'm not a ****ing newb.
 
R

RayLopez99

The router is configured not to allow access via the WAN or wireless
side. There is no assumption on my part. Unlike yourself, I've been
doing this a long time and understand what's going on. You tend to make
bad assumptions.
Nope. Wrong *again* Dustbin. When will you *ever* get it right, my reformed hacker but still a turd friend?
You must be logged in via the LAN side, connected to a physical port on
the back of my router in order to see the login screen. I have no such
port 10000 for remote configuration, as I've told you previously. Either
hardwired in, on the LAN side, or no ****ing access. Period.
Nope. Simple logic tells you if that was true, then no hardware firewall would ever be breached. In fact, you can easily remotely access the hardware firewall page (and in fact I have), if you know the password. And you can reset the password remotely too, using techniques such as a remote reset which many modems support.
I don't suppose anything. I know. I configured it myself, I've verified
it. It will absolutely not allow you login to it and configure ANYTHING
unless you are plugged into a local port.

My ISP is on the WAN side. they have NO access.

I don't mind answering your newbie questions, but don't take a high
class tone with me. I'm not a ****ing newb.
Oh yes you are my fiend, you are ****ing newb. You sure are. You would not recognize something if it hit you across your thick head.

You're dismissed little man. Vamos.

RL
 
Ad

Advertisements

D

Dustin

Nope. Wrong *again* Dustbin. When will you *ever* get it right, my
reformed hacker but still a turd friend?
You made the assumption that my router is accessable via the WAN side
(IE: my isp could access it). That's a bad assumption on your part. My
router isn't configured to allow remote access via wireless or WAN side.
It's completely disabled. You must be hard wired into a physical port on
the back of the router itself, or it will not respond to your browser
requests.
Nope. Simple logic tells you if that was true, then no hardware
firewall would ever be breached. In fact, you can easily remotely
access the hardware firewall page (and in fact I have), if you know
the password. And you can reset the password remotely too, using
techniques such as a remote reset which many modems support.
Ray...

You seem to be confusing modem/router combination units that some ISPs
are providing. I don't have that configuration. I have a cable modem,
which feeds a linksys router. Linksys model WRT54G to be exact with
newest linksys firmware. The linksys router which feeds my network and
provides the computers with an internet connection will NOT allow access
to it's configuration from the WAN port (in this case, a cable modem)
Nor will it grant you configuration access if you are linked via wifi.
You must be hard lined in.

You can enter the routers IP address all day long and it will not
respond unless and ONLY unless you're hard line connected via a LAN
port.

Many routers are default not in this configuration, using default
password. IE: they're open and overly friendly to hostile activities.

Competent users (not you, obviously) know to turn off some settings in
order to prevent these issues from happening.

Remote management is disabled. Period. Wifi management is disabled. You
cannot access this router directly from the WAN side. It has to be done
from inside the LAN itself.

I see no reason why you couldn't configure the modem/router combo units
to do essentially the same tasks. In the event for some oddball reason
you couldn't, You could always seperate them into two devices which
would allow you the security control you should have.


Oh yes you are my fiend, you are ****ing newb. You sure are. You
would not recognize something if it hit you across your thick head.

You think so do you? :)

http://www.ehow.com/how_5808519_remote-access-linksys-router.html

Enjoy the read.

Especially this part, you stupid ****.

"A Linksys router is located between your DSL or cable modem and your
internal network. You can access the router's configuration console
anywhere from the internal network. However, to access the console from
a remote location, you need to change the settings in the administration
section. By default, the Linksys router blocks all attempts at remotely
accessing the console for security reasons. However, for administrators
who manage networks remotely, you can enable this option. "

You're dismissed little man. Vamos.
I didn't have newbie questions. You did. Hope the education was fun.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top