How to activate the remote web admin?
Hi to all,
first of all, thanks to the RouterTech staff for this good work.
Excuse me if I'm asking about a previously discussed subject, but I tried the search form and I read tens of messages without finding what I needed.
My configuration:
Hardware: Roper Flynet Adsl/Adsl2+
Firmware: routertech-ar7wrd-pspboot-firmware-20070227
LAN IP : 192.168.1.254
WAN IP : (Alice - Telecom Italia) Dynamic IP - NAT and Firewall active
DDNS : No-Ip.info
DHCP : Server and Relay Off
The firmware is really better than the original (this was easy, the original is really bad), with several nice things I like a lot (DDNS no-ip.info first of all), real connection uptime also after an ntp sync, plus some other things I still need to discover; I flashed my router only a few days ago.
My problem, which I had also with the original firmware, is that I'm unable to set up the remote web admin feature. I tried in this way:
PortForward : No rule for port 80, 8080 or 23 (I'd be glad to remote telnet too)
IP filters : Block All Traffic=Disable Block Outgoing Ping=Disable
LAN IP:Any = No Rule
Custom IP Filters: WebAdmin Source IP 0.0.0.0 / Netmask 255.255.255.255
Dest. IP 192.168.1.254 / Netmask 255.255.255.255
PortStart 80 / PortEnd 80
Access Control : Enable - WAN = Web / Telnet LAN = Web / Telnet
IP Access List = Nothing
Remote Web Access : Enable or Disable (at the moment disabled; I don't understand the meaning of this)
That's all. Does someone understand where I am wrong?
Thanks in advance,
Carlo.
P.S.: What is "IP Connect"? Are there some documents/posts that explain it?
P.P.S.: Sorry for my English, I hope to be comprehensible.
Hi cybor, welcome to RouterTech.
The simple thing to enable access to the web admin remotely is to go to 'Remote Web Access' and change the 'Remote netmask' to 0.0.0.0
You might want to forward port 80 to an invalid address as well.
(I nod at biro here as I think this is the third time I've repeated this wisdom and yet this still remains a pain to find info on - I spot a very-mini-faq coming on).
We learn something every day, and lots of times it’s that what we learned the day before was wrong.
—Bill Vaughan
SyBorg wrote:
> Hi cybor, welcome to RouterTech.
> The simple thing to enable access to the web admin remotely is to go to 'Remote Web Access' and change the 'Remote netmask' to 0.0.0.0
Thanks, it works fine now.
SyBorg wrote:
> You might want to forward port 80 to an invalid address as well.
I didn't understand this, but it works without it.
SyBorg wrote:
> (I nod at biro here as I think this is the third time I've repeated this wisdom and yet this still remains a pain to find info on - I spot a very-mini-faq coming on).
I hope so too, there are a few new things in this firmware that I really would like to understand and maybe use, like IPconnect and telnet remote admin.
Thanks again,
Ciao.
- biro
- RouterTech Team
- Posts: 1274
- Joined: Wed Jan 25, 2006 10:03 pm
- Location: Letchworth Garden City, ENGLAND
- Contact:
SyBorg wrote:
> You might want to forward port 80 to an invalid address as well.
cybor wrote:
> I didn't understand this, but it works without it.
Not required, but recommended: when 'remote web access' is enabled it opens up connections on the port specified AND on port 80. The reason for forwarding port 80 is to add a bit more security, as anyone accessing your WAN IP will get the router login screen and it will tempt them to try and login !!!!
cybor wrote:
> I hope so too, there are a few new things in this firmware that I really would like to understand and maybe use, like IPconnect and telnet remote admin.
> Thanks again,
> Ciao.
Firmware doesn't allow remote telnet login except from IPs specified in the 'access control' screen.
It can be enabled 'manually' by using iptables commands if you really require it from any WAN IP.
biro wrote:
> Not required, but recommended: when 'remote web access' is enabled it opens up connections on the port specified AND on port 80. The reason for forwarding port 80 is to add a bit more security, as anyone accessing your WAN IP will get the router login screen and it will tempt them to try and login !!!!
It's clear, this too.
biro wrote:
> Firmware doesn't allow remote telnet login except from IPs specified in the 'access control' screen.
> It can be enabled 'manually' by using iptables commands if you really require it from any WAN IP.
Ok, good.
On remote admin the "SYSTEM" / "RUN COMMAND" doesn't work: IE reports an error in the page, and Opera too doesn't show the internal area with the space to write the command. Is it due to the telnet permission, or is it an abnormal situation, maybe due to my hardware?
Thanks anyway.
cybor wrote:
> It's clear, this too.
> On remote admin the "SYSTEM" / "RUN COMMAND" doesn't work: IE reports an error in the page, and Opera too doesn't show the internal area with the space to write the command. Is it due to the telnet permission, or is it an abnormal situation, maybe due to my hardware?
> Thanks anyway.
This is normal and is a deliberate way to help secure the router. This will not change.
SyBorg wrote:
> This is normal and is a deliberate way to help secure the router. This will not change.
Ok, fine, thanks.
Can you suggest a way to wake up a computer on the LAN from a remote dynamic address?
- Shotokan101
- RouterTech Team
- Posts: 4779
- Joined: Thu Jan 26, 2006 3:17 pm
- Location: Glasgow, Scotland
cybor wrote:
> Can you suggest a way to wake up a computer on the LAN from a remote dynamic address?
You could start by checking this thread :-
viewtopic.php?t=332&highlight=wake+lan
Jim
.....I'm Sorry But I Can't Do That Dave.....
- thechief
- RouterTech Team
- Posts: 12067
- Joined: Wed Feb 01, 2006 10:22 pm
- Location: England, the Centre of Africa
- Contact:
cybor wrote:
> Can you suggest a way to wake up a computer on the LAN from a remote dynamic address?
Connect via ssh, and use the "wakelan" command.
The Chief: Be sure to read the Firmware FAQ and do a Forum Search before posting!
No support via PM. Ask all questions on the open forum.
Shotokan101 wrote:
> You could start by checking this thread :-
> viewtopic.php?t=332&highlight=wake+lan
I did, thanks, but my problem is the access from the internet to that function, not the wlan function itself.
thechief wrote:
> Connect via ssh, and use the "wakelan" command.
This is my main problem: I'm unable to set up remote access to ssh/telnet from a dynamic internet address.
I configured a rule for ports 22 and 23 too in the IP Table page, but still I don't have any access.
Thanks for the interest in my problem.
- biro
- RouterTech Team
- Posts: 1274
- Joined: Wed Jan 25, 2006 10:03 pm
- Location: Letchworth Garden City, ENGLAND
- Contact:
If you really want telnet / SSH from any WAN IP then you can use iptables to enable it.
From a local telnet / SSH session:
to enable remote telnet (on the default port)
Code:
iptables -I FORWARD -i ppp0 -p tcp --dport 23 -j ACCEPT
iptables -I INPUT -i ppp0 -p tcp --dport 23 -j ACCEPT
to enable remote SSH (on the default port)
Code:
iptables -I FORWARD -i ppp0 -p tcp --dport 22 -j ACCEPT
iptables -I INPUT -i ppp0 -p tcp --dport 22 -j ACCEPT
to enable non standard ports (the standard ports should then be forwarded to an invalid IP)
for telnet, where **** is the required port
Code:
iptables -t nat -I PREROUTING -p tcp -i ppp0 --dport **** -j REDIRECT --to-ports 23
for SSH, where **** is the required port
Code:
iptables -t nat -I PREROUTING -p tcp -i ppp0 --dport **** -j REDIRECT --to-ports 22
Note: these will need to be re-entered when the router is rebooted.
You can use the RT 'autoexec' feature to enable them on reboot.
telnet
Code:
setenv ip1.sh ";/sbin/iptables -I FORWARD -i ppp0 -p tcp --dport 23 -j ACCEPT"
setenv ip2.sh ";/sbin/iptables -I INPUT -i ppp0 -p tcp --dport 23 -j ACCEPT"
SSH
Code:
setenv ip3.sh ";/sbin/iptables -I FORWARD -i ppp0 -p tcp --dport 22 -j ACCEPT"
setenv ip4.sh ";/sbin/iptables -I INPUT -i ppp0 -p tcp --dport 22 -j ACCEPT"
non standard ports
telnet
Code:
setenv ip5.sh ";/sbin/iptables -t nat -I PREROUTING -p tcp -i ppp0 --dport **** -j REDIRECT --to-ports 23"
SSH
Code:
setenv ip6.sh ";/sbin/iptables -t nat -I PREROUTING -p tcp -i ppp0 --dport **** -j REDIRECT --to-ports 22"
biro wrote:
> If you really want telnet / SSH from any WAN IP then you can use iptables to enable it.
> From a local telnet / SSH session:
> Code:
> setenv ip6.sh ";/sbin/iptables -t nat -I PREROUTING -p tcp -i ppp0 --dport **** -j REDIRECT --to-ports 22"
Thanks a lot, I'll try it soon.
- biro
- RouterTech Team
- Posts: 1274
- Joined: Wed Jan 25, 2006 10:03 pm
- Location: Letchworth Garden City, ENGLAND
- Contact:
cybor wrote:
> biro wrote:
> > From a local telnet / SSH session:
> > Code:
> > setenv ip6.sh ";/sbin/iptables -t nat -I PREROUTING -p tcp -i ppp0 --dport **** -j REDIRECT --to-ports 22"
> Thanks a lot, I'll try it soon.
The above code only sets up the redirection from a non standard port.
Also required:
Code:
setenv ip3.sh ";/sbin/iptables -I FORWARD -i ppp0 -p tcp --dport 22 -j ACCEPT"
setenv ip4.sh ";/sbin/iptables -I INPUT -i ppp0 -p tcp --dport 22 -j ACCEPT"
and use the webadmin port forwards to forward port 22 to a nonexistent LAN IP to 'disable' connections on port 22,
or you could use
Code:
setenv ip7.sh ";/sbin/iptables -t nat -A PREROUTING -p TCP -i ppp0 --dport 22 -j DNAT --to 192.168.1.x"
Note re "ip*.sh": the name can be anything; I only used ip as it is for iptables entries, followed by a number as there is more than one entry.
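The complete rule set biro describes across his two posts above (ACCEPT on INPUT and FORWARD, a REDIRECT from a non-standard port to the daemon, and black-holing the standard port), assembled into one POSIX shell script as an added example; it is not code from the thread or from the RouterTech firmware. The script only prints the iptables commands (and their 'autoexec' setenv form) so they can be reviewed before being typed into a local telnet / SSH session. The function names, the optional `-s` source restriction (an addition beyond what the thread does, so that the admin port is reachable from one management address rather than any WAN IP) and the black-hole address 192.168.1.250 on the thread's 192.168.1.0/24 LAN are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the RouterTech firmware): assemble the
# iptables rules biro gives above for exposing the router's own telnet or SSH
# daemon on the WAN side, with an optional source restriction. The script only
# prints the commands so they can be reviewed or saved as 'autoexec' entries.

# Assumed unused address on the thread's 192.168.1.0/24 LAN; traffic DNAT'ed
# here goes nowhere, which is how the thread 'disables' the standard port.
BLACKHOLE=192.168.1.250

# remote_admin_rules WAN_IF SERVICE_PORT [EXT_PORT] [ALLOWED_SRC]
#   WAN_IF       WAN interface (ppp0 in the thread)
#   SERVICE_PORT port the daemon listens on: 22 for SSH, 23 for telnet
#   EXT_PORT     port clients connect to; defaults to SERVICE_PORT
#   ALLOWED_SRC  optional source IP or CIDR; empty means any WAN address,
#                which is what the thread's rules allow
remote_admin_rules() {
    wan_if=$1
    svc_port=$2
    ext_port=${3:-$2}
    src_match=""
    if [ -n "$4" ]; then
        src_match=" -s $4"
    fi

    if [ "$ext_port" != "$svc_port" ]; then
        # Non-standard port: REDIRECT rewrites the destination to the router's
        # own SERVICE_PORT before filtering, so the INPUT rule below matches...
        echo "iptables -t nat -I PREROUTING -i $wan_if -p tcp${src_match} --dport $ext_port -j REDIRECT --to-ports $svc_port"
        # ...and the standard port is black-holed, biro's DNAT alternative to
        # a webadmin port forward to a nonexistent LAN IP.
        echo "iptables -t nat -A PREROUTING -i $wan_if -p tcp --dport $svc_port -j DNAT --to $BLACKHOLE"
    fi
    # INPUT admits connections to the router itself; FORWARD is kept as in the thread.
    echo "iptables -I INPUT -i $wan_if -p tcp${src_match} --dport $svc_port -j ACCEPT"
    echo "iptables -I FORWARD -i $wan_if -p tcp${src_match} --dport $svc_port -j ACCEPT"
}

# autoexec_lines START_N WAN_IF SERVICE_PORT [EXT_PORT] [ALLOWED_SRC]
# The same rules wrapped as RT 'autoexec' entries in the form the thread uses
# (setenv ipN.sh ";/sbin/iptables ..."), numbered from START_N.
autoexec_lines() {
    n=$1
    shift
    remote_admin_rules "$@" | while IFS= read -r rule; do
        echo "setenv ip${n}.sh \";/sbin/${rule}\""
        n=$((n + 1))
    done
}

# Demo with constructed values: SSH reachable on external port 2222, only from
# one management prefix, with the standard port 22 black-holed.
remote_admin_rules ppp0 22 2222 203.0.113.0/24
autoexec_lines 1 ppp0 22 2222 203.0.113.0/24
```

Leaving ALLOWED_SRC empty reproduces exactly what the thread sets up (any WAN address can reach the daemon); supplying a prefix narrows the REDIRECT and ACCEPT rules so that only that prefix gets as far as the login prompt, which is the same reasoning biro gives for hiding the router's web login from casual connections on port 80.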
- Novice
- Posts: 15
- Joined: Thu Jul 10, 2008 6:47 pm
- Contact:
Hi! I'm posting on an old thread. However, I opened port 22 on the router to get ssh remote login, and I made a nessus scan test... It found a vulnerability hole! How about that?
thanx
Code:
Vulnerability ssh (22/tcp)
You are running a version of OpenSSH which is older than 3.7.1
Versions older than 3.7.1 are vulnerable to a flaw in the buffer management
functions which might allow an attacker to execute arbitrary commands on this
host.
An exploit for this issue is rumored to exist.
Note that several distribution patched this hole without changing
the version number of OpenSSH. Since Nessus solely relied on the
banner of the remote SSH server to perform this check, this might
be a false positive.
If you are running a RedHat host, make sure that the command :
rpm -q openssh-server
Returns :
openssh-server-3.1p1-13 (RedHat 7.x)
openssh-server-3.4p1-7 (RedHat 8.0)
openssh-server-3.5p1-11 (RedHat 9)
Solution : Upgrade to OpenSSH 3.7.1
See also : http://marc.info/?l=openbsd-misc&m=106375452423794&w=2
http://marc.info/?l=openbsd-misc&m=106375456923804&w=2
Risk factor : High
CVE : CVE-2003-0682, CVE-2003-0693, CVE-2003-0695
BID : 8628
Other references : IAVA:2003-t-0020, OSVDB:2557, OSVDB:3456, RHSA:RHSA-2003:279, SuSE:SUSE-SA:2003:039
Nessus ID : 11837
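The logic behind the Nessus finding quoted above, written as a POSIX shell function so the reader can see what the check actually tests; this is an added example, not part of the thread or of Nessus. The report says it relied solely on the version string in the server's banner, so the function does the same: it extracts the OpenSSH version from an SSH identification string and reports `vulnerable-by-banner` when that version is older than 3.7.1. The banners are constructed samples, the function names are assumptions, and the verdict carries the same caveat the report gives: a build that shipped a backported fix keeps the old version string, so the result is a lead to verify against the actual firmware, not proof.

```shell
#!/bin/sh
# Added example (not from the thread or from Nessus): the banner-only version
# test behind the quoted finding, so it is clear what such a result does and
# does not prove.

# Print the numeric OpenSSH version from an SSH identification string, e.g.
# "SSH-2.0-OpenSSH_3.4p1 Debian-1" -> "3.4". Returns 1 for non-OpenSSH banners.
openssh_version() {
    case $1 in
        *OpenSSH_*) ;;
        *) return 1 ;;
    esac
    v=${1#*OpenSSH_}      # drop everything up to and including "OpenSSH_"
    v=${v%%[!0-9.]*}      # keep only the leading digits and dots
    printf '%s\n' "$v"
}

# Expand "3.4" to three numeric fields "3 4 0" so versions compare field by field.
version_fields() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    printf '%d %d %d\n' "${1:-0}" "${2:-0}" "${3:-0}"
}

# version_lt A B: exit 0 if version A is older than version B.
version_lt() {
    set -- $(version_fields "$1") $(version_fields "$2")
    if [ "$1" -ne "$4" ]; then
        [ "$1" -lt "$4" ]
    elif [ "$2" -ne "$5" ]; then
        [ "$2" -lt "$5" ]
    else
        [ "$3" -lt "$6" ]
    fi
}

# banner_check BANNER: classify a banner the way the scanner did.
#   vulnerable-by-banner  advertised OpenSSH version older than 3.7.1
#   ok                    OpenSSH 3.7.1 or newer advertised
#   not-openssh           some other server; a banner check says nothing about it
# A distribution or firmware that backported the fix keeps the old string, so
# "vulnerable-by-banner" is a lead to verify against the actual build, not proof.
banner_check() {
    v=$(openssh_version "$1") || { printf 'not-openssh\n'; return 0; }
    if version_lt "$v" 3.7.1; then
        printf 'vulnerable-by-banner\n'
    else
        printf 'ok\n'
    fi
}

# Constructed sample banners (not captured from any real host).
for banner in 'SSH-2.0-OpenSSH_3.4p1' 'SSH-2.0-OpenSSH_3.7.1p2' \
              'SSH-2.0-OpenSSH_7.9p1 Debian-10' 'SSH-2.0-dropbear_0.52'; do
    printf '%-40s %s\n' "$banner" "$(banner_check "$banner")"
done
```

The only input the check ever sees is the string the daemon announces, which is why the report itself flags the possibility of a false positive; the defensible follow-up for a router like the one in this thread is to confirm which OpenSSH build the firmware actually contains rather than to act on the banner alone.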