The dangers of leaving your modem firewall with default password and user id


RayLopez99

admin, password. Good, bad or indifferent? Assume some software AV suite exists in place.

RL
 
admin, password. Good, bad or indifferent? Assume some software AV
suite exists in place.

Bad idea. Malware can log in to your router and make changes to its
settings. This is one way in which DNSChanger ensured it had control.

Change the default admin password.
 
RayLopez99 said:
admin, password. Good, bad or indifferent? Assume some software AV suite exists in place.
Always change it from the defaults. AV is irrelevant to this issue.
 
Always change it from the defaults. AV is irrelevant to this issue.

Well I'm hardly the expert you are or claim to be, but since a software AV is essentially a software firewall (or at least we can agree it's often found in the same suite) I don't see why it's irrelevant, unless you are making a Dave Lipmann type of grammatical distinction between software firewall and AV. So I would conclude from your statement that it's best to have 'belts and suspenders' by having a hardware firewall in place, rather than rely on a s/w firewall only, so I'll take the final answer as "bad". Thanks for your input.

RL
 
Bad idea. Malware can log in to your router and make changes to its
settings. This is one way in which DNSChanger ensured it had control.

Change the default admin password.

OK then, thanks. The next question Mr. Dustin is what the password length should be? I figure 8 lowercase letters (including 1 number at least) is 'good enough', since somewhere I read it takes several hours to crack such a passcode. By that time the bad guys will have moved on to lower lying fruit to pick somewhere else on the ether, correct?

I know in theory I should be using 15 hexadecimal units or whatever but I like to use easy to remember phrases.

RL
 
Well I'm hardly the expert you are or claim to be, but since a
software AV is essentially a software firewall (or at least we can
agree it's often found in the same suite) I don't see why it's
irrelevant,

It doesn't protect the modem/firewall/router - it's a separate device.

unless you are making a Dave Lipmann type of grammatical distinction
between software firewall and AV.

Well ... they *are* entirely different things.

So I would conclude from your statement that it's best to have 'belts
and suspenders' by having a hardware firewall in place, rather than
rely on a s/w firewall only, so I'll take the final answer as "bad".

The hardware firewall aspect of the router/modem isn't the only thing
exposed by leaving the defaults in place.

Thanks for your input.

You're welcome.

Incidentally, my cable company didn't mention *any* of the proper
security measures for setting up their equipment in their little
do-it-yourself booklet.
 
From: "RayLopez99 said:
Well I'm hardly the expert you are or claim to be, but since a software AV is
essentially a software firewall (or at least we can agree it's often found in the
same suite) I don't see why it's irrelevant, unless you are making a Dave Lipmann
type of grammatical distinction between software firewall and AV. So I would
conclude from your statement that it's best to have 'belts and suspenders' by
having a hardware firewall in place, rather than rely on a s/w firewall only, so
I'll take the final answer as "bad". Thanks for your input.

RL

The AV software resides on a computer and is mutually exclusive to the Router (not modem
unless it is a modem that has a Router added to it). The router sits on both the WAN and
LAN and thus the attack can come from either internal or external forces.

Thus to harden a Router a Strong Password should be used on the Router to replace the
default.
http://en.wikipedia.org/wiki/Password_strength

The Router can be further hardened by disabling replies to ICMP packets as well as
disabling administration from the WAN POV.
 
Per RayLopez99:
The next question Mr. Dustin is what the password length should be? I figure 8 lowercase letters (includi

I'm not Mr Dustin... But I use the dead pet system of password
generation.

The name(s) of one or more dead pets in propercase plus three
digits.

Easy to recall, and I haven't been burned yet (to my knowledge,
at least).

Maybe somebody who knows can comment on the relative security of
PWs concocted thusly...
 
(PeteCresswell) said:
Per RayLopez99:

I'm not Mr Dustin... But I use the dead pet system of password
generation.

The name(s) of one or more dead pets in propercase plus three
digits.

Easy to recall, and I haven't been burned yet (to my knowledge,
at least).

Maybe somebody who knows can comment on the relative security of
PWs concocted thusly...

Mediocre. Most strong algorithms for password creation require $p3c14l
characters also be used.

I do something very similar to what you do, but include some special
characters in a way that I can remember.
 
Incidentally, my cable company didn't mention *any* of the proper
security measures for setting up their equipment in their little
do-it-yourself booklet.

Yes, and in fact my installer in fact specifically told me to 'keep the defaults since it's easier for us to service the modem if you have a problem' (which got me suspicious as to whether he was going to somehow break in, since he had the default password for the wireless portion of the modem, and I know that resetting the password on the hardware is easy using a needle and the reset hole). So I changed the defaults.

RL
 
OK then, thanks. The next question Mr. Dustin is what the password
length should be? I figure 8 lowercase letters (including 1 number
at least) is 'good enough', since somewhere I read it takes several
hours to crack such a passcode. By that time the bad guys will have
moved on to lower lying fruit to pick somewhere else on the ether,
correct?

I don't know why it would take several hours to run lower case
alphanumeric in a set of 8 digits. Your router is pretty fast and
doesn't know when to stop letting me try... :) I really don't think a
couple of hours is accurate anymore on that one Ray. Even if it is, do
you really want to chance a malware sample being able to brute force
its way in within a couple hours of you not noticing it's around?

At least use 10-12 characters, upper/lowercase mix with some numbers
and/or other characters in between.

If you forget the damn thing, you can always hit the reset button on the
back of the router. :)

I know in theory I should be using 15 hexadecimal units or whatever
but I like to use easy to remember phrases.

Are you confusing the wifi security passphrase with the admin login for
router configuration?
 
Yes, and in fact my installer in fact specifically told me to 'keep
the defaults since it's easier for us to service the modem if you
have a problem' (which got me suspicious as to whether he was going
to somehow break in, since he had the default password for the
wireless portion of the modem, and I know that resetting the password
on the hardware is easy using a needle and the reset hole). So I
changed the defaults.

RL

Easier for them to service... Heh, Yea.. I'll bet it is. :)
It's not really breaking in if he has a copy of the keys...
 
Per Dustin:
Your router is pretty fast and
doesn't know when to stop letting me try... :)

Might there be a logical switch on some routers that, when set,
does not allow access over the WAN? Seems logical...
 
Per Dustin:

Might there be a logical switch on some routers that, when set,
does not allow access over the WAN? Seems logical...

I'm sure there is. Mine is configured to let a local box hardlined to it
only configure it.

However, when I mentioned the brute force attack I was considering it from
inside the network. There is no switch AFAIK, that would prevent that. One
way you could put an end to it tho is to make the router ask 3 times for
the correct login and when it fails, keep asking, but even if I get it
right, don't let me in. Say, having to wait 20 minutes before you can try
again with the right password. This would make things very hard on the
brute forcing.

Even if it did score the right password, it probably wouldn't get it in
the 3 valid tries.
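
The lockout idea described in the post above (three tries, then a 20-minute wait during which even the right password is refused), sketched as an added example that is not part of the original thread or any router's firmware. The class and function names and the sample password are assumptions made for illustration.

```python
import hmac


class LoginThrottle:
    """Hypothetical admin-login gate: N failures trigger a timed lockout."""

    def __init__(self, password, max_failures=3, lockout_seconds=20 * 60):
        self._password = password.encode()
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = 0
        self.locked_until = 0.0

    def attempt(self, guess, now):
        """Return True only for the right password outside a lockout window.

        `now` is a timestamp in seconds, passed in so the policy can be
        exercised without waiting on a real clock.
        """
        if now < self.locked_until:
            # Locked: refuse without comparing, so a correct guess made
            # during the window looks exactly like a wrong one.
            return False
        if hmac.compare_digest(guess.encode(), self._password):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked_until = now + self.lockout_seconds
            self.failures = 0
        return False


def years_to_exhaust(alphabet_size, length, max_failures=3, lockout_seconds=20 * 60):
    """Worst-case years to try every password when each batch of
    `max_failures` guesses costs one full lockout window."""
    keyspace = alphabet_size ** length
    windows = keyspace / max_failures
    return windows * lockout_seconds / (365 * 24 * 3600)


def demo():
    gate = LoginThrottle("Rex&Fido-417")  # constructed sample password
    results = [gate.attempt(g, now=t) for t, g in enumerate(["admin", "password", "1234"])]
    during = gate.attempt("Rex&Fido-417", now=60)          # right, but locked out
    after = gate.attempt("Rex&Fido-417", now=2 + 20 * 60)  # window has expired
    return results, during, after


if __name__ == "__main__":
    print(demo())
    # 8 characters drawn from lowercase letters and digits (36 symbols)
    print(f"{years_to_exhaust(36, 8):.3g} years")
```

A lockout keyed to the account rather than to the source also lets anything on the LAN keep the owner locked out, which is the trade-off to weigh against the slower guessing.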
 
I don't know why it would take several hours to run lower case
alphanumeric in a set of 8 digits. Your router is pretty fast and
doesn't know when to stop letting me try... :) I really don't think a
couple of hours is accurate anymore on that one Ray. Even if it is, do
you really want to chance a malware sample being able to brute force
its way in within a couple hours of you not noticing it's around?

You may be right--the Wikipedia site David Lippman linked to suggests that a graphics card, modified, can crack a 10 digit password in one day. Which raises the question: if a hacker can get past your physical firewall on your modem/router, and assuming he CANNOT get past your PC software firewall, what damage can he do? Not much? Unless you assume he can fiddle with your hardware firewall settings to do annoying things like set up 'parental filters' so you cannot surf porn? But other than that, he can't redirect you to malware sites from legitimate sites like bankofamerica.com, correct?

At least use 10-12 characters, upper/lowercase mix with some numbers
and/or other characters in between.

Apparently 10 digit characters plus numbers can be cracked in a day by a dedicated (graphics card) controller, see the Wikipedia link to passwords by Lippman in this thread.

Are you confusing the wifi security passphrase with the admin login for
router configuration?

Yes, probably, though it raises the issue of whether a wired connection is more secure than a wireless connection, which I will raise in another thread.

RL
 
You may be right--the Wikipedia site David Lippman linked to suggests
that a graphics card, modified, can crack a 10 digit password in one
day. Which raises the question: if a hacker can get past your
physical firewall on your modem/router, and assuming he CANNOT get
past your PC software firewall, what damage can he do? Not much?
Unless you assume he can fiddle with your hardware firewall settings
to do annoying things like set up 'parental filters' so you cannot surf
porn? But other than that, he can't redirect you to malware sites
from legitimate sites like bankofamerica.com, correct?

If he can reconfigure the hardware router, he can redirect you to any
page he wants by adding dns servers that your network will follow if it
relies on the router to do all the networking.

The software firewall isn't going to have any control over the dns
servers your systems are tricked into using.

Apparently 10 digit characters plus numbers can be cracked in a day
by a dedicated (graphics card) controller, see the Wikipedia link to
passwords by Lippman in this thread.

Like I said... strong, long passwords are a wise wise idea these days.

Yes, probably, though it raises the issue of whether a wired
connection is more secure than a wireless connection, which I will
raise in another thread.

It's not an issue for me. I know that hardline is more secure. I have my
router forced to only allow login from a hardline. It doesn't matter
what they try over wifi, they cannot reconfigure the router from there.
They must be linked via a physical cable.

That requires them inside my house and still breathing. :)
 
It's not an issue for me. I know that hardline is more secure. I have my
router forced to only allow login from a hardline. It doesn't matter
what they try over wifi, they cannot reconfigure the router from there.
They must be linked via a physical cable.

But you suppose that only you can only access the firewall from your PC when you type http://127.0.0.1:10000 ? That you cannot access it from the ISP server on the outside? That is your assumption, and perhaps your Achilles heel my friend.

RL
 
But you suppose that only you can only access the firewall from your
PC when you type http://127.0.0.1:10000 ? That you cannot access it
from the ISP server on the outside? That is your assumption, and
perhaps your Achilles heel my friend.

The router is configured not to allow access via the WAN or wireless
side. There is no assumption on my part. Unlike yourself, I've been
doing this a long time and understand what's going on. You tend to make
bad assumptions.

You must be logged in via the LAN side, connected to a physical port on
the back of my router in order to see the login screen. I have no such
port 10000 for remote configuration, as I've told you previously. Either
hardwired in, on the LAN side, or no ****ing access. Period.

I don't suppose anything. I know. I configured it myself, I've verified
it. It will absolutely not allow you login to it and configure ANYTHING
unless you are plugged into a local port.

My ISP is on the WAN side. they have NO access.

I don't mind answering your newbie questions, but don't take a high
class tone with me. I'm not a ****ing newb.
 
The router is configured not to allow access via the WAN or wireless
side. There is no assumption on my part. Unlike yourself, I've been
doing this a long time and understand what's going on. You tend to make
bad assumptions.

Nope. Wrong *again* Dustbin. When will you *ever* get it right, my reformed hacker but still a turd friend?

You must be logged in via the LAN side, connected to a physical port on
the back of my router in order to see the login screen. I have no such
port 10000 for remote configuration, as I've told you previously. Either
hardwired in, on the LAN side, or no ****ing access. Period.

Nope. Simple logic tells you if that was true, then no hardware firewall would ever be breached. In fact, you can easily remotely access the hardware firewall page (and in fact I have), if you know the password. And you can reset the password remotely too, using techniques such as a remote reset which many modems support.

I don't suppose anything. I know. I configured it myself, I've verified
it. It will absolutely not allow you login to it and configure ANYTHING
unless you are plugged into a local port.

My ISP is on the WAN side. they have NO access.

I don't mind answering your newbie questions, but don't take a high
class tone with me. I'm not a ****ing newb.

Oh yes you are my fiend, you are ****ing newb. You sure are. You would not recognize something if it hit you across your thick head.

You're dismissed little man. Vamos.

RL
 
Nope. Wrong *again* Dustbin. When will you *ever* get it right, my
reformed hacker but still a turd friend?

You made the assumption that my router is accessible via the WAN side
(IE: my isp could access it). That's a bad assumption on your part. My
router isn't configured to allow remote access via wireless or WAN side.
It's completely disabled. You must be hard wired into a physical port on
the back of the router itself, or it will not respond to your browser
requests.

Nope. Simple logic tells you if that was true, then no hardware
firewall would ever be breached. In fact, you can easily remotely
access the hardware firewall page (and in fact I have), if you know
the password. And you can reset the password remotely too, using
techniques such as a remote reset which many modems support.

Ray...

You seem to be confusing modem/router combination units that some ISPs
are providing. I don't have that configuration. I have a cable modem,
which feeds a linksys router. Linksys model WRT54G to be exact with
newest linksys firmware. The linksys router which feeds my network and
provides the computers with an internet connection will NOT allow access
to its configuration from the WAN port (in this case, a cable modem)
Nor will it grant you configuration access if you are linked via wifi.
You must be hard lined in.

You can enter the router's IP address all day long and it will not
respond unless and ONLY unless you're hard line connected via a LAN
port.

Many routers are default not in this configuration, using default
password. IE: they're open and overly friendly to hostile activities.

Competent users (not you, obviously) know to turn off some settings in
order to prevent these issues from happening.

Remote management is disabled. Period. Wifi management is disabled. You
cannot access this router directly from the WAN side. It has to be done
from inside the LAN itself.

I see no reason why you couldn't configure the modem/router combo units
to do essentially the same tasks. In the event for some oddball reason
you couldn't, you could always separate them into two devices which
would allow you the security control you should have.


Oh yes you are my fiend, you are ****ing newb. You sure are. You
would not recognize something if it hit you across your thick head.


You think so do you? :)

http://www.ehow.com/how_5808519_remote-access-linksys-router.html

Enjoy the read.

Especially this part, you stupid ****.

"A Linksys router is located between your DSL or cable modem and your
internal network. You can access the router's configuration console
anywhere from the internal network. However, to access the console from
a remote location, you need to change the settings in the administration
section. By default, the Linksys router blocks all attempts at remotely
accessing the console for security reasons. However, for administrators
who manage networks remotely, you can enable this option. "

You're dismissed little man. Vamos.

I didn't have newbie questions. You did. Hope the education was fun.
 