How active the remote web admin ?

All about firmwares for routers. Support for RouterTech firmwares is here too.
cybor
Novice
Novice
Posts: 29
Joined: Fri Oct 06, 2006 10:49 pm
Location: Parma (Italy)

How active the remote web admin ?

Post by cybor » Thu May 10, 2007 2:18 pm

Hi to all,

first of all, thanks the RouterTech staff for this good work.

Excuse me if I'm asking for a before descussed subject, but I tried with the search form and I red tens of messagges without find what I needed.

My configuration:

Hardware: Roper Flynet Adsl/Adsl2+
Firmware: routertech-ar7wrd-pspboot-firmware-20070227
LAN IP : 192.168.1.254
WAN IP : (Alice - Telecom Italia) Dynamic Ip - NAT and Firewall active
DDNS : No-Ip.info
DHCP : Server and Relay Off


The firmware is really better than the original (This was easy, original is really bad :-) with several nice things I like alot (DDNS no-ip.info the first) a real uptime connections also after a ntp sync plus some others things I need to discover, I flashed my router only few days ago.

My problem, that I had also with the original firmware is that I'm unable to set up a remote web admin feature, I tried in this way:

PortForward : No rule for port 80, 8080 or 23 (I'll glad to remote telnet too :-)
IP fileters : Block All Traffic=Disable Block Outgoing Pig=Disable
LAN IP:Any = No Rule
Custom IP Filters: WebAdmin Source IP 0.0.0.0 / Netmask 255.255.255.255
Dest. IP 192.168.1.254 / Netmask 255.255.255.255
PortStart 80 / portEnd 80

Access Control : Enable - WAN = Web / Telnet LAN = Web / Telnet
IP Access List = Nothings

Remote Web Access : Enable or Disbable (At the moment disable I don't understand the meaning of this)

That's all :-) does someone understand where am I wrong ?

Thanks in advance,

Carlo.

P.S.: What is "IP Connect" ? and there some document/posts that explain it ?
P.P.S.: Sorry for my english, I hope to be comprensible.
User avatar
SyBorg
Ex RouterTech Team
Ex RouterTech Team
Posts: 1621
Joined: Mon Apr 17, 2006 4:09 pm
Location: Berkshire
Contact:

Post by SyBorg » Thu May 10, 2007 8:16 pm

Hi cybor, welcome to RouterTech.

The simple thing to enable access to the web admin remotely is to go to 'Remote Web Access' and change the 'Remote netmask' to 0.0.0.0
You might want to forward port 80 to an invalid address as well.

(I nod at biro here as I think this is the third time I've repeated this wisdom and yet this still remains a pain to find info on - I spot a very-mini-faq coming on).
We learn something every day, and lots of times it’s that what we learned the day before was wrong.
—Bill Vaughan
cybor
Novice
Novice
Posts: 29
Joined: Fri Oct 06, 2006 10:49 pm
Location: Parma (Italy)

Post by cybor » Fri May 11, 2007 11:07 am

SyBorg wrote:Hi cybor, welcome to RouterTech.

The simple thing to enable access to the web admin remotely is to go to 'Remote Web Access' and change the 'Remote netmask' to 0.0.0.0
Thanks it works fine now.
SyBorg wrote:You might want to forward port 80 to an invalid address as well.
I didn't understand this, but it works without it :-)
SyBorg wrote:(I nod at biro here as I think this is the third time I've repeated this wisdom and yet this still remains a pain to find info on - I spot a very-mini-faq coming on).
I hope it too, there're few new things in this firmware that really I would understand and maybe use, like IPconnect and telnet remote admin.

Thanks again,

Ciao.
User avatar
biro
RouterTech Team
RouterTech Team
Posts: 1274
Joined: Wed Jan 25, 2006 10:03 pm
Location: Letchworth Garden City, ENGLAND
Contact:

Post by biro » Fri May 11, 2007 12:08 pm

cybor wrote:
SyBorg wrote:You might want to forward port 80 to an invalid address as well.
I didn't understand this, but it works without it :-)
Not required but recommended as when 'remote web access' is enabled it opens up connections on the port specified AND on port 80 the reason for forwarding port 80 is to add a bit more security as anyone accessing your WAN IP will get the router login screen and will tempt them to try and login !!!!

cybor wrote:I hope it too, there're few new things in this firmware that really I would understand and maybe use, like IPconnect and telnet remote admin.

Thanks again,

Ciao.
Firmware doesn't allow remote telnet login except from IP's specified in the 'access control' screen.
It can be enabled 'manually' by using iptables commands if really require it from any WAN IP.
ImageImageImage
All my posts on RouterTech.org are Copyright RouterTech.org
G'Day Laura
cybor
Novice
Novice
Posts: 29
Joined: Fri Oct 06, 2006 10:49 pm
Location: Parma (Italy)

Post by cybor » Mon May 14, 2007 8:06 am

biro wrote:
cybor wrote:
SyBorg wrote:You might want to forward port 80 to an invalid address as well.
I didn't understand this, but it works without it :-)
Not required but recommended as when 'remote web access' is enabled it opens up connections on the port specified AND on port 80 the reason for forwarding port 80 is to add a bit more security as anyone accessing your WAN IP will get the router login screen and will tempt them to try and login !!!!

Ok, good.

cybor wrote:I hope it too, there're few new things in this firmware that really I would understand and maybe use, like IPconnect and telnet remote admin.

Thanks again,

Ciao.
Firmware doesn't allow remote telnet login except from IP's specified in the 'access control' screen.
It can be enabled 'manually' by using iptables commands if really require it from any WAN IP.
It's clear this too.
On remote admin doesn't work the "SYSTEM" / "RUN COMMAND" , IE report me and error in the page and Opera too don't show the internal area with the space to write the command. Is it due to the telnet permission or is an anormal situation maybe due to my hardware ?

Thanks anyway.
User avatar
SyBorg
Ex RouterTech Team
Ex RouterTech Team
Posts: 1621
Joined: Mon Apr 17, 2006 4:09 pm
Location: Berkshire
Contact:

Post by SyBorg » Mon May 14, 2007 9:46 am

cybor wrote: It's clear this too.
On remote admin doesn't work the "SYSTEM" / "RUN COMMAND" , IE report me and error in the page and Opera too don't show the internal area with the space to write the command. Is it due to the telnet permission or is an anormal situation maybe due to my hardware ?

Thanks anyway.
This is normal and is a deliberate way to help secure the router. This will not change.
We learn something every day, and lots of times it’s that what we learned the day before was wrong.
—Bill Vaughan
cybor
Novice
Novice
Posts: 29
Joined: Fri Oct 06, 2006 10:49 pm
Location: Parma (Italy)

Post by cybor » Mon May 14, 2007 2:07 pm

SyBorg wrote:
cybor wrote: It's clear this too.
On remote admin doesn't work the "SYSTEM" / "RUN COMMAND" .
This is normal and is a deliberate way to help secure the router. This will not change.
Ok, fine, thanks.

Can you suggest me a way to wake up a computer on the lan from a remote dynamic address ?
User avatar
Shotokan101
RouterTech Team
RouterTech Team
Posts: 4775
Joined: Thu Jan 26, 2006 3:17 pm
Location: Glasgow, Scotland

Post by Shotokan101 » Mon May 14, 2007 2:16 pm

cybor wrote:
SyBorg wrote:
cybor wrote: It's clear this too.
On remote admin doesn't work the "SYSTEM" / "RUN COMMAND" .
This is normal and is a deliberate way to help secure the router. This will not change.
Ok, fine, thanks.

Can you suggest me a way to wake up a computer on the lan from a remote dynamic address ?
You could start by checking this thread :-

viewtopic.php?t=332&highlight=wake+lan
Jim

.....I'm Sorry But I Can't Do That Dave.....
User avatar
thechief
RouterTech Team
RouterTech Team
Posts: 12066
Joined: Wed Feb 01, 2006 10:22 pm
Location: England, the Centre of Africa
Contact:

Post by thechief » Mon May 14, 2007 9:47 pm

cybor wrote:Can you suggest me a way to wake up a computer on the lan from a remote dynamic address ?
Connect via ssh, and use the "wakelan" command.
The Chief: :afro: Be sure to read the Firmware FAQ and do a Forum Search before posting!
No support via PM. Ask all questions on the open forum.
cybor
Novice
Novice
Posts: 29
Joined: Fri Oct 06, 2006 10:49 pm
Location: Parma (Italy)

Post by cybor » Tue May 15, 2007 8:38 am

Shotokan101 wrote:
Can you suggest me a way to wake up a computer on the lan from a remote dynamic address ?
You could start by checking this thread :-

viewtopic.php?t=332&highlight=wake+lan
I did, thanks, but my problem is the access from the internet to that fuction not the wlan fuction itself.
cybor
Novice
Novice
Posts: 29
Joined: Fri Oct 06, 2006 10:49 pm
Location: Parma (Italy)

Post by cybor » Tue May 15, 2007 8:41 am

thechief wrote:
cybor wrote:Can you suggest me a way to wake up a computer on the lan from a remote dynamic address ?
Connect via ssh, and use the "wakelan" command.
This is my main problem, I'm unable to setup a remote access to the ssh/telnet from a dynamic internet adresses.

I configure a rule for the port 22 and 23 too in the IP Table page but still I don't have no access.

Thanks for the interesting in my problem :-)
User avatar
biro
RouterTech Team
RouterTech Team
Posts: 1274
Joined: Wed Jan 25, 2006 10:03 pm
Location: Letchworth Garden City, ENGLAND
Contact:

Post by biro » Tue May 15, 2007 11:06 am

If you really want telnet / SSH from any WAN IP then can use iptables to enable it.
From local telnet / SSH session.

to enable remote telnet (on default port)

Code: Select all

iptables -I FORWARD -i ppp0 -p tcp --dport 23 -j ACCEPT
iptables -I INPUT -i ppp0 -p tcp --dport 23 -j ACCEPT 
to enable remote SSH (on default port)

Code: Select all

iptables -I FORWARD -i ppp0 -p tcp --dport 22 -j ACCEPT
iptables -I INPUT -i ppp0 -p tcp --dport 22 -j ACCEPT 
to enable non standard ports ( standard ports should then be forwarded to an invalid ip)

for telnet where **** is required port

Code: Select all

iptables -t nat -I PREROUTING -p tcp -i ppp0 --dport **** -j REDIRECT --to-ports 23
for SSH where **** is required port

Code: Select all

iptables -t nat -I PREROUTING -p tcp -i ppp0 --dport **** -j REDIRECT --to-ports 22
Note will need to be re-entered when router is rebooted.
Can use the RT 'autoexec' feature to enable on reboot.

telnet

Code: Select all

setenv ip1.sh ";/sbin/iptables -I FORWARD -i ppp0 -p tcp --dport 23 -j ACCEPT"
setenv ip2.sh ";/sbin/iptables -I INPUT -i ppp0 -p tcp --dport 23 -j ACCEPT" 
SSH

Code: Select all

setenv ip3.sh ";/sbin/iptables -I FORWARD -i ppp0 -p tcp --dport 22 -j ACCEPT" 
setenv ip4.sh ";/sbin/iptables -I INPUT -i ppp0 -p tcp --dport 22 -j ACCEPT" 
non standard ports
telnet

Code: Select all

 setenv ip5.sh ";/sbin/iptables -t nat -I PREROUTING -p tcp -i ppp0 --dport **** -j REDIRECT --to-ports 23"  
SSH

Code: Select all

 setenv ip6.sh ";/sbin/iptables -t nat -I PREROUTING -p tcp -i ppp0 --dport **** -j REDIRECT --to-ports 22"  
ImageImageImage
All my posts on RouterTech.org are Copyright RouterTech.org
G'Day Laura
cybor
Novice
Novice
Posts: 29
Joined: Fri Oct 06, 2006 10:49 pm
Location: Parma (Italy)

Post by cybor » Tue May 22, 2007 8:43 am

biro wrote:If you really want telnet / SSH from any WAN IP then can use iptables to enable it.
From local telnet / SSH session.

Code: Select all

 setenv ip6.sh ";/sbin/iptables -t nat -I PREROUTING -p tcp -i ppp0 --dport **** -j REDIRECT --to-ports 22"  
Thanks alot, I'll try it soon.
User avatar
biro
RouterTech Team
RouterTech Team
Posts: 1274
Joined: Wed Jan 25, 2006 10:03 pm
Location: Letchworth Garden City, ENGLAND
Contact:

Post by biro » Tue May 22, 2007 10:41 am

cybor wrote:
biro wrote:If you really want telnet / SSH from any WAN IP then can use iptables to enable it.
From local telnet / SSH session.

Code: Select all

 setenv ip6.sh ";/sbin/iptables -t nat -I PREROUTING -p tcp -i ppp0 --dport **** -j REDIRECT --to-ports 22"  
Thanks alot, I'll try it soon.
Above code only sets up the redirection from a non standard port
Also require

Code: Select all

setenv ip3.sh ";/sbin/iptables -I FORWARD -i ppp0 -p tcp --dport 22 -j ACCEPT" 
setenv ip4.sh ";/sbin/iptables -I INPUT -i ppp0 -p tcp --dport 22 -j ACCEPT" 
to enable SSH

and use webadmin fortforwards to forward port 22 to nonexistant LAN IP to 'disable' connections on port 22
or could use

Code: Select all

setenv ip7.sh ";/sbin/iptables -t nat -A PREROUTING -p TCP -i ppp0 --dport 22 -j DNAT --to 192.168.1.x"
instead of via webadmin portforwards 192.168.1.x can be any non used IP.

Note re "ip*.sh" can be anything I only used ip as is for iptables entries followed by a number as is more than one entry.
ImageImageImage
All my posts on RouterTech.org are Copyright RouterTech.org
G'Day Laura
pierissimo
Novice
Novice
Posts: 15
Joined: Thu Jul 10, 2008 6:47 pm
Contact:

Post by pierissimo » Thu Jul 10, 2008 6:54 pm

Hi! I post on a old thread. However I opened the 22 port on router to get ssh remote login, and I made a nessus scan test... It found a vulnerability hole! How about that?

Code: Select all

Vulnerability  	ssh (22/tcp)  	
You are running a version of OpenSSH which is older than 3.7.1

Versions older than 3.7.1 are vulnerable to a flaw in the buffer management
functions which might allow an attacker to execute arbitrary commands on this
host.

An exploit for this issue is rumored to exist.


Note that several distribution patched this hole without changing
the version number of OpenSSH. Since Nessus solely relied on the
banner of the remote SSH server to perform this check, this might
be a false positive.

If you are running a RedHat host, make sure that the command :
rpm -q openssh-server

Returns :
openssh-server-3.1p1-13 (RedHat 7.x)
openssh-server-3.4p1-7 (RedHat 8.0)
openssh-server-3.5p1-11 (RedHat 9)

Solution : Upgrade to OpenSSH 3.7.1
See also : http://marc.info/?l=openbsd-misc&m=106375452423794&w=2
http://marc.info/?l=openbsd-misc&m=106375456923804&w=2
Risk factor : High
CVE : CVE-2003-0682, CVE-2003-0693, CVE-2003-0695
BID : 8628
Other references : IAVA:2003-t-0020, OSVDB:2557, OSVDB:3456, RHSA:RHSA-2003:279, SuSE:SUSE-SA:2003:039
Nessus ID : 11837
thanx
Post Reply