Router security questions

I've beefed up the security on my Actiontec router after someone got into it a few days ago and tried to access LastPass. I found a few changes made and undid them, changed the account name/password, etc. I plan to reset to factory soon, but for various reasons I can't do that immediately.

I'm wondering if there is utility in blocking *outgoing* connections from the *router* itself to the WAN? Conversely, is there harm? I'm guessing I'd want to open that if I have issues that require remote troubleshooting by my ISP, but are there any routine maintenance actions by the ISP that I'd need to take?

It's someone running silly scripts, not a dedicated hacker, because I found plenty of logs that had been left untouched to tell me what was going on. So I'm going to see what effect making these changes has before I decide to nuke everything. I also know that an old password of mine that I reused for low-security things (bad practice which I've fixed) was compromised in the last few months, so the scenario that comes to mind is that that was sold to someone who is scanning for vulns. It happened to be on the router through an oversight on my part.

So I'm wondering what will break if I block outgoing connections from the router?

Doesn't all outgoing traffic come from the router regardless?

Assuming all non-NAT outbound from the router itself is blocked and it's somehow able to differentiate NAT traffic to allow only it to originate from the router, then I would imagine the router would need to be configured with a static WAN address (so it doesn't try to use DHCP) and internal systems would need to be configured with external DNS sources (so the router isn't used for DNS).

EDIT: I'm also pondering the logic of distrusting connections from my router while entrusting it with all of my internet traffic. Haven't quite reached a conclusion there.

What I mean is traffic *originating* at the router ip. Doing this has not cut me off from the Internet.

Ah. So what will happen is when the DHCP lease for the router is up, it will be cut off. Got it.

Robear wrote:

What I mean is traffic *originating* at the router ip. Doing this has not cut me off from the Internet.

Ah. So what will happen is when the DHCP lease for the router is up, it will be cut off. Got it.

From the internet side of things all traffic does originate from your router's IP. Well... unless you own a section of public IP space.

To state it plainly: "Block all outgoing traffic from the router's IP." does mean, "Block all outgoing traffic." unless you have something in the ruleset which detects NAT and allows it through. I'm not certain that's much more secure though.

Well, all I can say is that with that turned on, I did not lose connectivity. I assume the firewall distinguishes between traffic originating from the router's ip, and traffic initiated from interior ips. Otherwise, the router itself would never be able to filter its own traffic, which seems... odd.

Gotcha. That's interesting. There must be a more complex ruleset allowing a subset of traffic out then. I haven't heard of that setting on a router before, as security is usually focused on not allowing an attacker in.

So the built-in ruleset handles NAT. It probably also allows DHCP and DNS then, as well as any port forwarding rules you may put in place. Those would be the main concerns. I'd go ahead and use it in that case.

Aside from all of that, I would assume UPnP is turned off as that's a more common vector.

You should be able to disable remote management on any router, which is, I assume, how they managed to get access to your router's management console. If they were sitting on your physical network they were either inside your location or on your wifi network.

No, they got in with a compromised password and the default username. I turned off remote admin when the router was installed.

Pretty sure UPnP is off too. I did find that they had enabled a vpn protocol to the router, and also tftp, which made the hair go up on the back of my neck. Killed those fast.

But like I said, the fact that they didn't wipe any logs and used a straight brute-force attack on Lastpass (presumably with variants of that compromised password) tells me they are just running through lists they bought somewhere with basic tools and some manual login attempts.

Assholes. They didn't even know to change my router password to lock me out.

How did they access it if not remotely? Did you have an open SSID? Or did they literally sneak onto your network with a 50 foot Ethernet cable?

I'm missing something obvious apparently.

Yeah, the question of just how they got access to the router strikes me as critical. It should not normally be reachable from the outside, so if it's been compromised, chances are pretty good that a machine inside your network has been hacked, and used as a launch point for further exploitation.

As far as your firewall questions go.... it really depends on what the router is running. Do you know the OS installed on it? Linux is quite likely, but there are other possibilities.

Robear wrote:

I've beefed up the security on my Actiontec router after someone got into it a few days ago and tried to access LastPass. I found a few changes made and undid them, changed the account name/password, etc. I plan to reset to factory soon, but for various reasons I can't do that immediately.

I'm wondering if there is utility in blocking *outgoing* connections from the *router* itself to the WAN? Conversely, is there harm? I'm guessing I'd want to open that if I have issues that require remote troubleshooting by my ISP, but are there any routine maintenance actions by the ISP that I'd need to take?

It's someone running silly scripts, not a dedicated hacker, because I found plenty of logs that had been left untouched to tell me what was going on. So I'm going to see what effect making these changes has before I decide to nuke everything. I also know that an old password of mine that I reused for low-security things (bad practice which I've fixed) was compromised in the last few months, so the scenario that comes to mind is that that was sold to someone who is scanning for vulns. It happened to be on the router through an oversight on my part.

So I'm wondering what will break if I block outgoing connections from the router?

Are you saying they were logging into your router, and then connecting to LastPass from it? What's the router running, does it have a login shell?

Depending on what it's running, short answer is yes, you can block outgoing connections sourced from the router itself while still allowing NAT. This can help limit the sort of damage you ran into. But depending on the sort of exploit used, it can still be used to DoS you, exploit something else on your internal network, etc.

Edit: Just for reference, I'm running fail2ban on my router, and have 299 hosts blocked in the last 10 minutes alone.
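What that separation looks like on a Linux-based router using nftables, as an added example that is not from this thread or from the Actiontec firmware: forwarded (NAT'd) LAN traffic traverses the forward chain, so the output chain can be locked down to only what the router itself needs (DHCP client, its DNS forwarder, NTP). The interface names wan0/lan0 and the resolver addresses are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example, not the Actiontec's own configuration.
# Assumed interfaces: "wan0" faces the ISP, "lan0" faces the home network.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        # The LAN may reach the router (DHCP, DNS, admin UI).
        iifname "lan0" accept
        # DHCP offers/acks from the ISP arrive as new flows; allow them explicitly.
        iifname "wan0" udp sport 67 udp dport 68 accept
        # No rule for WAN-side management or ping: the drop policy covers it.
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # LAN clients -> Internet. NAT'd traffic passes here, not in output,
        # which is why restricting output does not cut the LAN off.
        iifname "lan0" oifname "wan0" accept
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        ct state established,related accept
        oifname "lan0" accept
        # Traffic the router itself originates toward the WAN: allow only what it needs.
        oifname "wan0" udp sport 68 udp dport 67 accept comment "DHCP client"
        # Constructed resolver addresses; drop this rule if clients use external DNS directly.
        oifname "wan0" ip daddr { 192.0.2.53, 198.51.100.53 } udp dport 53 accept comment "DNS forwarder"
        oifname "wan0" udp dport 123 accept comment "NTP"
        # Anything else the router tries to open toward the WAN is logged, then dropped.
        oifname "wan0" log prefix "router-egress-drop " drop
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "wan0" masquerade
    }
}
```

The "router-egress-drop" log prefix is what makes the setting useful for detection as well: any hit on that rule is a connection the router itself tried to open, which is exactly the behaviour described earlier in the thread.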

Again, in case this wasn't clear:

No, they got in with a compromised password and the default username. I turned off remote admin when the router was installed.

That should not have been possible. That means they had an attack launch point from *inside* your network. This means the compromise may go deeper than you believe. It might be something simple, like a browser hijack that didn't compromise the host directly, but rather attacked the router. But it could be a symptom of something much worse.

Malor wrote:

Again, in case this wasn't clear:

No, they got in with a compromised password and the default username. I turned off remote admin when the router was installed.

That should not have been possible. That means they had an attack launch point from *inside* your network. This means the compromise may go deeper than you believe. It might be something simple, like a browser hijack that didn't compromise the host directly, but rather attacked the router. But it could be a symptom of something much worse.

Yuuuuup. Thems bad tidings.

As far as I can tell, the router was scanned from another host in Verizon’s network. I was not black-holing it, because Verizon likes to be able to ping things if something is wrong. (It’s now black-holed.)

From there, the attacker would have tried the default admin user/password, which failed. However, I didn’t realize that the old password I had on it was the compromised one. I believe they used that and got into the management shell. From there, they enabled tftp and vpn connections to the router itself, as well as Remote Management for good measure. Then, they scanned for password management software and found LastPass. (Or they had info from a LastPass breach, I dunno.)

They attempted up to 15 guesses on my LastPass password, which locked LastPass 3 times and left me several email messages that I found a few days later. They failed to get in.

Again, from the indicators, the attack came through Verizon’s network, with the router as the outer layer, and then proceeded into my network. I found no evidence that the attacks on my system came from anywhere but the router. I *did* find several logs that showed that traffic, so to me, it’s very unlikely that if they were good enough to completely cover up *internal* connections, that they’d be stupid enough not to wipe a security log on the router. (And indeed, the changes were designed to allow outside access through the router.)

If they had been inside already, they would not have needed to use the router to get to my system.

I should add that before I black-holed it, the router showed constant, 15-30 times a second port scanning, so clearly that’s a possible vector. The browser hijack would be plausible *except* that it was used in concert with a cracked password, which would imply I was targeted in a much more specific way.

I didn’t see evidence of that kind of sophistication (and I expect I would not until they dropped the boom and crippled everything, or emptied my bank account or whatever). I *did* see evidence of script-kiddy activity.

Deftly, I’m running the Verizon FIOS issue software for their latest Actiontec router. I want to say... 40.21.24 or something like that? But in the Verizon flavor.

Okay, that sounds like a very reasonable diagnosis for where the attack came from. Had you used your firewall password on another site somewhere? With 30 tries a second, they could have just gotten lucky, but if you know you've had that password compromised elsewhere, that would be an excellent explanation, where your old password just went into the general attack library, and they eventually scored with it. It could still be a generalized attack, rather than a targeted one, and the fact that they failed to get into LastPass is reassuring. Plus, like you say, they sound pretty ignorant.

I don't know anything about how the Actiontec routers work, unfortunately. I've gotten the impression that the FIOS routers are not popular with customers. You may want to replace it if you can, but others have said that their TV service was all bound up in using that specific one, and that replacing it would cause havoc. I think the only way a replacement is at all likely is if the service shows up as an Ethernet drop, and if you're only buying Internet from them.

Is replacement possible, or are you stuck with what you have? edit: and would expensive solutions be acceptable, and would you prefer technoid or user-friendly options?

Robear wrote:

They attempted up to 15 guesses on my LastPass password, which locked LastPass 3 times and left me several email messages that I found a few days later. They failed to get in.

Is that a default feature of LastPass? I just looked through the settings and I don't see that anywhere.

Malor wrote:

Had you used your firewall password on another site somewhere?

Yes. I had transitioned it over the years into a password for accounts I didn't care about, but forgot to remove it from my router shell.

I'm stuck with the Actiontec, but in fairness, it's fast and reliable. I live in a small house so the wifi range is not important. It does everything I need it to, and Verizon does not give a damn what I do to it. If I disable one of their features, not their problem.

PaladinTom, I think that's a built-in feature of LastPass, but I didn't know about it before this. I'm grateful for it. I know I didn't turn it on, anyway, but it was there.

Thanks for all the help and advice, folks.

Can you disable NAT on the Actiontec, and put it in 'stupid' mode? That is, where it passes through its one IP address directly without doing anything else with the traffic?

I'm not sure, but then, it's easy to just turn it back on when needed.

Well, if you can put it in stupid mode, then you could get a good router, and use that as your 'real' external device.

You could also go to a layered, dual-NAT approach, where you put your main network behind another firewall that you control. This will typically work fine, but it's awkward for port forwarding, and of course you're exposed to any NAT bugs in either router; some lousy routers may have fairly low limits on the number of connections they can support.

As a secondary option, you could do a VPN tunnel with the good router out to some provider, which would almost entirely bypass your Actiontec; it would just see the one connection, no matter what you were doing. But then your bandwidth will be limited by your VPN provider, and that's likely to be a substantial bottleneck, coming from FIOS, unless you're willing to do something quite expensive. (e.g., run your own OpenVPN endpoint in the Amazon EC2 cloud: this would give you awesome throughput, but it would be pricey as heck.)

A dedicated server with a big bandwidth allotment might also work, but you're not likely to find anything decent for less than $50/mo, and $100/mo is more likely. That's getting into the 'way stupidly expensive' level. But almost any VPN provider that's more reasonably priced is, by necessity, going to be a lot slower than FIOS.

Thanks Malor, I need to think about this for a bit.