mobiusnz
just joined
Topic Author
Posts: 2
Joined: Mon Feb 27, 2012 6:45 am

Compromised Routerboard

Mon Feb 27, 2012 7:10 am

I'm a new RouterBoard user. I've configured uncountable standard web-interface NAT routers, Tomato-based routers etc. over the years as an IT contractor, and a few Ciscos (just some basic NAT port-forwarding stuff).

I recently installed for myself a RouterBoard RB750GL, configured it behind a Draytek ADSL router that supports PPPoE/PPPoA passthrough, and configured a PPPoE connection and basic NAT etc. I had a bit of fun getting the PPPoE connection to work initially and then set up the various NAT forwarding rules I needed (we run an MS SBS 2003 server so needed 80, 443, 25, 1723 etc.). It's been running OK now for a few weeks until I was notified by my ISP that they had blocked my IP from connecting to their smart host due to spam relaying. I checked all the normal things re viruses, relay security on the server etc. and found nothing. I logged into my RouterBoard and viewed the log and discovered someone had been logging in via SSH. Stupid me left the password blank as I wasn't aware remote access would be available "out of the box". I've since changed the password and added some firewall filter rules to drop 22, 23 and 8291 on the PPPoE interface (80 and 21 are NAT forwarded so they are already dealt with).

My concern is I have no idea what the user was doing while they were in. I expected to see some sort of port forwarding allowing them to relay spam via my ISP's SMTP smart host, but the only rules there were mine. So my questions are:

If RouterOS is Linux-based, does that mean someone could install additional services on the device to relay spam? At a glance it looks like a closed system with no command-line access to the underlying OS (if there is one??), but I want to check if there could be additional processes running on the device.

Will any rules added to the Firewall show in the Winbox interface or should I be checking things out in the SSH interface?

What else should I be looking for that they may have compromised?

Any help here greatly appreciated.
 
smytht
Trainer
Posts: 87
Joined: Wed Jun 06, 2007 6:35 pm
Location: Tipperary / Dublin & Ireland

Re: Compromised Routerboard

Mon Feb 27, 2012 12:47 pm

Hi mobiusnz,
It depends on the sensitive nature of the site.

Ideally:
1) Isolate the compromised router.
2) Try to check logs and configuration for clues to the perpetrator.
3) If the router is running > 5.12 then try export compact to see exactly what happened.
4) Audit all systems behind the router... (any more blank passwords?) This is most important, I'm afraid... and most time-consuming.
5) If you find anything suspicious you may have to call in the big guns... a security consulting firm such as http://ritsgroup.com/
Being strictly security conscious, you should reset the configuration of the compromised board and remove any files on the file storage.
 
smytht
Trainer
Posts: 87
Joined: Wed Jun 06, 2007 6:35 pm
Location: Tipperary / Dublin & Ireland

Re: Compromised Routerboard

Mon Feb 27, 2012 12:50 pm

Oh yeah,

going forward you should filter all admin services entering a router, or disable them.

Disable telnet, http, api and ftp (unencrypted services)...

Avoid UPnP like the plague; it is inherently insecure.

Thanks,
 
smytht
Trainer
Posts: 87
Joined: Wed Jun 06, 2007 6:35 pm
Location: Tipperary / Dublin & Ireland

Re: Compromised Routerboard

Mon Feb 27, 2012 12:52 pm

Export compact will reveal any configs they may have added. Being honest, the one they probably added was web proxy... that would allow for relaying spam/attacks etc. (TCP-based services).
 
mobiusnz
just joined
Topic Author
Posts: 2
Joined: Mon Feb 27, 2012 6:45 am

Re: Compromised Routerboard

Mon Feb 27, 2012 9:31 pm

Thanks for the help. I've had a look at the files and there's nothing there except:

autosupout.rif
suport.fif


I can't do an export compact even though I'm running 5.2?? I get an "expected end of command" after the export command.

I've dumped the config with the export command and studied through it, and SOCKS proxy is disabled:

/ip socks
set connection-idle-timeout=2m enabled=no max-connections=200 port=1080

As is the web proxy:

/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 \
cache-on-disk=no enabled=no max-cache-size=none max-client-connections=\
600 max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0 \
parent-proxy-port=0 port=8080 serialize-connections=no src-address=\
0.0.0.0


Everything else looks pretty vanilla! I'm already pretty strict with passwords on my LAN. The server is secure and has account lockout enabled for brute force due to RDP brute-force attacks. I'm usually more careful, but I put this device into action making assumptions without checking first! My ISP told me they will continue to monitor my connection looking for the activity they had been seeing and they'd blacklist me again. They were seeing spam emails leaving my IP but not high volumes, just trickling out, so it's a little odd. My PPPoE password would have been displayed in plain text if they dumped the config, so I've changed that at my ISP, and it's not one I use anywhere else, so I think I'll carry on as is unless anyone has a good reason not to.
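Following on from the "export compact" advice and the config dump above, here is an added Python example (not MikroTik code and not written by anyone in this thread) that audits the plain-text output of a RouterOS /export for exactly the items raised here: SOCKS or web proxy enabled, UPnP enabled, unencrypted admin services (telnet, ftp, www, api) left on, and dst-nat port forwards that are not on the owner's expected list. The embedded export text, the pppoe-out1 interface name and the 192.168.1.5 server address are constructed sample data; the expected forwards are the ports listed in the first post. It handles the backslash line continuation that the export uses (visible in the /ip proxy dump above), so a real export file can be fed in unchanged.

```python
"""Audit a RouterOS `/export` dump for the settings discussed in this thread.

Added example, not MikroTik code. Parses the export format (sections start
with '/', entries are 'set'/'add' lines, long lines continue with a trailing
backslash) and reports proxy/UPnP/unencrypted-service settings plus
unexpected dst-nat forwards.
"""
import shlex

# Admin services that carry credentials in the clear (as named in the thread).
UNENCRYPTED_SERVICES = {"telnet", "ftp", "www", "api"}

# (protocol, dst-port) forwards the owner set up, per the first post: constructed set.
EXPECTED_FORWARDS = {("tcp", "80"), ("tcp", "443"), ("tcp", "25"), ("tcp", "1723"), ("tcp", "21")}

# Constructed sample export, deliberately containing things to flag.
SAMPLE_EXPORT = """\
# feb/27/2012 21:30:00 by RouterOS 5.2
# software id = XXXX-XXXX
#
/ip socks
set connection-idle-timeout=2m enabled=no max-connections=200 port=1080
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 \\
    cache-on-disk=no enabled=yes max-cache-size=none max-client-connections=\\
    600 max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0 \\
    parent-proxy-port=0 port=8080 serialize-connections=no src-address=\\
    0.0.0.0
/ip service
set telnet address="" disabled=no port=23
set ftp address="" disabled=no port=21
set www address="" disabled=yes port=80
set ssh address="" disabled=no port=22
set api address="" disabled=yes port=8728
/ip upnp
set allow-disable-external-interface=yes enabled=yes show-dummy-rule=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=dst-nat chain=dstnat dst-port=25 in-interface=pppoe-out1 protocol=tcp \\
    to-addresses=192.168.1.5 to-ports=25
add action=dst-nat chain=dstnat dst-port=3128 in-interface=pppoe-out1 \\
    protocol=tcp to-addresses=192.168.1.5 to-ports=8080
"""


def _logical_lines(text):
    """Yield non-comment lines with backslash continuations joined."""
    pending = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if pending:
            # Continuation lines are indented; join directly so 'key=\' + 'value' works.
            line = pending + line.lstrip()
            pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if line and not line.startswith("#"):
            yield line


def parse_export(text):
    """Return a list of (section, verb, item_name, {key: value}) entries."""
    entries, section = [], ""
    for line in _logical_lines(text):
        if line.startswith("/"):
            section = line.strip()
            continue
        tokens = shlex.split(line)  # handles quoted values such as comment="x y"
        if not tokens or tokens[0] not in ("set", "add"):
            continue
        verb, name, params = tokens[0], None, {}
        for tok in tokens[1:]:
            if "=" in tok:
                key, _, value = tok.partition("=")
                params[key] = value
            elif name is None:
                name = tok  # bare item name, e.g. 'telnet' in '/ip service set telnet ...'
        entries.append((section, verb, name, params))
    return entries


def audit_export(text, expected_forwards):
    """Return a list of human-readable findings for the export text."""
    findings = []
    for section, verb, name, p in parse_export(text):
        if section == "/ip socks" and p.get("enabled") == "yes":
            findings.append("SOCKS proxy enabled on port %s" % p.get("port", "?"))
        elif section == "/ip proxy" and p.get("enabled") == "yes":
            findings.append("web proxy enabled on port %s" % p.get("port", "?"))
        elif section == "/ip upnp" and p.get("enabled") == "yes":
            findings.append("UPnP enabled")
        elif section == "/ip service" and name in UNENCRYPTED_SERVICES and p.get("disabled") == "no":
            findings.append("unencrypted admin service enabled: %s" % name)
        elif section == "/ip firewall nat" and verb == "add" and p.get("action") == "dst-nat":
            fwd = (p.get("protocol", "?"), p.get("dst-port", "?"))
            if fwd not in expected_forwards:
                findings.append("unexpected port forward %s/%s -> %s:%s" % (
                    fwd[0], fwd[1], p.get("to-addresses", "?"), p.get("to-ports", fwd[1])))
    return findings


if __name__ == "__main__":
    for finding in audit_export(SAMPLE_EXPORT, EXPECTED_FORWARDS):
        print("FINDING:", finding)
```

Run it against a saved export (`/export file=backup` on the router, then copy backup.rsc off) by passing the file contents to audit_export together with the forwards you know you created; anything it prints that you did not configure yourself is worth the Netinstall that Tom recommends.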
 
smytht
Trainer
Posts: 87
Joined: Wed Jun 06, 2007 6:35 pm
Location: Tipperary / Dublin & Ireland

Re: Compromised Routerboard

Mon Feb 27, 2012 9:55 pm

Hi mobiusnz...

Looks like you probably dodged the bullet... and got hit with an automated worm rather than a determined attacker.

Simply Netinstall the router to be absolutely certain, and you should be fine...

SOCKS / web proxy would be an ideal starting point for an attacker; if they didn't use it, happy days...

Check IP Firewall NAT for any spurious configuration...

I hope this helps,

Tom Smyth