
Securing A Router From Attacks Over The Internet


bobbyb1980


Hey guys, I saw a strange IP port scanning me last night, and this new office has a new router fresh from the ISP. It was unsecured during the scanning, and now I want to secure it against attacks from the internet. Here's what I've done; please let me know what more I can do.

Disable Telnet.

Disable http remote admin

Disable ftp remote admin

Change default password

Verify DNS integrity

Disable SNMP

Change SNMP community string

And what else?


Use a remote port scanning tool to tell if there are any listening services you don't know about.

Hope its firmware doesn't have any remotely exploitable vulnerabilities that can be deployed over the internet and cannot practically be blocked.

You have done everything one can practically do, now just hope :D


Disable SSDP, UPnP, SNMP, and remote administration; disable HTTP and only use HTTPS if it has the option; disable telnet and ftp; port forward tftp to a null port (for those that try to overwrite your firmware on older router devices dumb enough to listen for new firmware. tftp uses NO authentication - be warned!). And like Sparda said, scan it from the internet for open ports. You never know what a device could have open without even knowing it. Especially on things provided by an ISP that have backdoors for them to get in.

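The outside-in check suggested in the replies above, as an added example that is not part of the original thread: it probes your own router's WAN address for the TCP management services named here and flags any that answer when you did not expect them to. The script name `wan_audit.py`, the port table and the function names are assumptions made for this illustration.

```python
import socket
import sys

# TCP management services named in the thread. SNMP (161), TFTP (69) and
# SSDP (1900) are UDP and need a different kind of probe; not covered here.
ADMIN_TCP_PORTS = {21: "ftp", 23: "telnet", 80: "http", 443: "https"}


def check_tcp(host, port, timeout=2.0):
    """Return 'open', 'closed' or 'filtered' for one TCP port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # full handshake: something is listening
    except ConnectionRefusedError:
        return "closed"            # RST came back: reachable, no listener
    except OSError:
        return "filtered"          # timeout or unreachable: likely dropped


def audit(host, expected_open=(), ports=None, timeout=2.0):
    """Probe each port; flag any that is open but not in expected_open."""
    ports = ADMIN_TCP_PORTS if ports is None else ports
    findings = []
    for port in sorted(ports):
        state = check_tcp(host, port, timeout)
        findings.append({
            "port": port,
            "service": ports[port],
            "state": state,
            "unexpected": state == "open" and port not in expected_open,
        })
    return findings


if __name__ == "__main__":
    # Usage: python wan_audit.py <your-router-public-ip> [allowed-port ...]
    # Run it from a host OUTSIDE the office network, against your own router.
    if len(sys.argv) < 2:
        sys.exit("usage: wan_audit.py <router-wan-ip> [allowed-port ...]")
    allowed = {int(p) for p in sys.argv[2:]}
    results = audit(sys.argv[1], expected_open=allowed)
    for f in results:
        flag = "  <-- UNEXPECTED" if f["unexpected"] else ""
        print(f'{f["port"]:>5}/tcp {f["service"]:<7} {f["state"]}{flag}')
    sys.exit(1 if any(f["unexpected"] for f in results) else 0)
```

The non-zero exit status on an unexpected open port lets the check run from a scheduled job, so a firmware update or ISP reconfiguration that re-enables a service gets noticed.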

The router that was being used actually had the telnet, snmp, and ftp ports open w/a default password and logging was disabled but I checked my DNS servers and they seem to be legit and luckily no real damage seemed to be done.

This machine/person was scanning ports in the 20000 range, maybe 100 or so, and all I could get from the firewall was that they were ICMP.

To my understanding ICMP can be used to reroute traffic, so someone could sniff from over the internet? Anyone with any theories as to what was going on?

Ironic part is, I scanned the ip that was scanning me and it has no admin pw w/telnet and remote http enabled...


I would also turn off the ICMP protocol on the router; that will prevent someone from flooding your router with ping requests.

http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
