0 votes
193 views 2 comments
by anonymous

Hi all,

We have several RUT240 routers in the field. For the past few weeks we have been getting huge traffic and many connections on 15 routers. We use a public IP with a dyndns service. Strange destinations and unknown addresses are seen. One destination address is named:

all-systems.mcast.net

Can anyone help us out please? FW ver.: RUT2XX_R_00.01.13

1 Answer

+2 votes
by anonymous
Hello,

all-systems.mcast.net is a local subnetwork multicast address (224.0.0.1) and is not routable; it can't be the cause of your issue - at least not directly. There must be something else.

Regards,
by anonymous
Hi, we had multiple remote and unknown SSH connections on our routers when we discovered this issue. The firmware we had on our RUT240 routers was Version 13.1 and 13.2.

I see in the changelog that they fixed the issue "SSH reachable over sim in early boot" in Version 13.3... can this be the issue?

We still have unknown connections after a firmware update to Version 14. It's like the routers are hacked.

We tried different SIM cards, and a reset to factory settings doesn't help.

Thanks for your replies and help.
by anonymous

There is little evidence that the "SSH reachable over sim in early boot" issue could be the cause if you see multiple ssh sessions.

You can use the firewall to enable remote ssh/http/https access from a limited list of IP source addresses only, the ones you use to administer the router. For example:

# allow known sources
iptables -A INPUT -s good_ip_addr -p tcp --dport 22 -j ACCEPT
# allow access from local lan
iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
# drop everything else
iptables -A INPUT -p tcp --dport 22 -j DROP

Idem for ports 80 and 443.

You can also disable password authentication in ssh, but be sure to add your trusted keys beforehand.

A better solution would be to set up a VPN between the router and a system you have full control of and only allow remote access from this source.

Regards,
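
The allowlist from the answer above, extended to ports 80 and 443, as an added example that is not part of the original thread. The chain name MGMT_ALLOW and the admin addresses are assumptions (constructed placeholders); the script only prints the commands so they can be reviewed before being run on the router.

```sh
#!/bin/sh
# Added example, not from the thread. Prints iptables commands; it changes nothing itself.
# Assumed names: chain MGMT_ALLOW; the admin addresses are constructed placeholders.

MGMT_PORTS="22 80 443"                        # ssh, http, https as in the answer
LAN_NET="192.168.1.0/24"                      # LAN subnet used in the answer
ADMIN_SOURCES="198.51.100.10 203.0.113.0/28"  # constructed (documentation ranges)

# Shape check only (IPv4, optional /prefix). It also keeps shell
# metacharacters out of the generated commands.
is_valid_source() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# gen_mgmt_rules "SRC1 SRC2 ...": print the rule set, or fail before printing anything.
gen_mgmt_rules() {
    for src in $LAN_NET $1; do
        is_valid_source "$src" || { echo "invalid source: $src" >&2; return 1; }
    done
    # Fill the chain completely before INPUT starts jumping to it.
    echo "iptables -N MGMT_ALLOW"
    for src in $LAN_NET $1; do
        echo "iptables -A MGMT_ALLOW -s $src -j ACCEPT"
    done
    echo "iptables -A MGMT_ALLOW -j DROP"
    # -I INPUT 1 puts the jump ahead of any existing ACCEPT for the port;
    # a rule appended with -A after such an ACCEPT would never be reached.
    for port in $MGMT_PORTS; do
        echo "iptables -I INPUT 1 -p tcp --dport $port -j MGMT_ALLOW"
    done
}

# Run as a script: print the rules for review.
gen_mgmt_rules "$ADMIN_SOURCES"
```

Rules entered with iptables at the command line live only in the running kernel, so they have to be re-applied by the firewall configuration after a reboot.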