0 votes
1,232 views 4 comments
by

Hi,  I believe I've identified a security problem with the current firmware on the RUT950.  I have noticed that SSH is accessible before the firewall rules are applied, immediately after a reboot.  My access logs show unsuccessful Remote Access attempts to SSH on my router, despite having remote SSH access to the router disabled, and having SSH port forwarded to a single host in the LAN.  The logs show 3 connection attempts from a single external IP Address within a minute after the scheduled reboot.  This leads me to believe that the firewall rules are not applied immediately on system startup, or at least that they are applied after the ssh daemon begins listening on all adapters.  Once the firewall rules are applied, then SSH traffic from the WAN is dropped and I see no further connection attempts.

Please can you advise how to either delay the SSH daemon starting, or prioritize the iptables daemon to start and load its rules before the SSH daemon loads.

Thanks

1 Answer

0 votes
by
Hi,

I've looked into this and it doesn't seem right. When using mobile WAN the interface receives an IP address about 15-20 seconds after the firewall rules are added, so it wouldn't even be possible to connect even if the SSH daemon started earlier.

I then tested with a static wired WAN configuration, where the IP address is set in the config files, but I still couldn't recreate the issue a single time, so I can't see how it could have happened three times within a minute.

Can you share more details about your configuration and test method? What changes have you made to the Firewall configuration? Which firmware version are you using?  What is the main WAN type? Can you share your Firewall config?
by

My router is :

My configuration is as follows:

I no longer need Cellular internet at this location, as there is a Fiber to the Premise service available.  The RUT950 is therefore set up as the primary router after the Fiber Media Converter.  I use the WAN Port on the RUT950 to connect to the Media Converter.  It's operating as a straightforward DSL Router, obtaining its WAN IP Address by DHCP from the service provider network.

The firewall rules are simplistic:  I port forward SSH to a server at a specific IP Address on the LAN.  I have remote HTTP/HTTPS/SSH all turned off, so if I want to remote admin the router I first have to SSH into the server and then open VNC and then open a browser window to manage the router.  SSH is the only open port to the internet, but with port forwarding I would expect it only ever to forward the traffic to the server.  However, the router reboots every morning at 5am, and recently I spotted the following in the Access Logs:

by
Thank you for sharing the details. I'll try your method and share my results.
by

Here's how I configured it:

  • Configured two routers:
    • RUT9a (LAN IP: 192.168.1.1; WAN IP: 192.168.10.100);
    • RUT9b (LAN IP: 192.168.2.1; WAN IP: 192.168.1.200);
  • Connected RUT9b's WAN port to RUT9a's LAN port;
  • On RUT9a I configured a Port Forwarding rule that redirects SSH login attempts coming from WAN to RUT9b at IP address 192.168.1.200 (WAN);
  • Enabled remote SSH access on RUT9b.

Here's how I tested it:

  • Connected a PC to the 192.168.10.0/24 network (RUT9a WAN);
  • SSH to 192.168.10.100 (RUT9a WAN IP) to see if the redirect works;
  • When I confirmed that it works, I opened 32 Terminal windows on my PC; each ready to SSH to 192.168.10.100 (RUT9a WAN IP);
  • Rebooted RUT9a;
  • Waited 30 seconds and started launching SSH attempts from each Terminal window every 1 sec.;
  • Tried this 5 times; each time I added 2 seconds to the original start time, i.e., the first time I started at 30 sec., second time at 32 sec., third time at 34 sec., etc.

The results:

I wasn't able to recreate the issue that you have described. I even repeated the experiment again by using a different Port Forward method (first time I configured it via the Port Forwarding page; the second time I used Custom Rules; both worked as expected.)

I recommend reviewing your rules to you see if everything is in order. Then maybe conduct some tests yourself and, if you can recreate the issue, download the Troubleshoot file and send it to me for analysis.

You can download the Troubleshoot file from the System → Administration → Troubleshoot page. However, take note that the Troubleshoot file should be downloaded after the issue occurs. Don't reboot the router before downloading the file! Otherwise the error will not show up in the Troubleshoot logs.

Also, the Troubleshoot file contains a lot of information about your router. So you may want to consider removing information that you don't want to share (phone numbers, public IPs, etc.) before you send the file anywhere.
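The test procedure above, and the race the original question describes (sshd listening before the firewall's DROP rules are loaded), as an added example that is not code from this thread or from Teltonika: instead of 32 terminal windows it probes the WAN-side SSH port once a second across the reboot, classifies every answer, and keeps the SSH identification line, so a run shows whether a banner ever came back before the firewall took effect and whose banner it was (the router's own dropbear, or the LAN server the port is forwarded to). 192.168.10.100 is the RUT9a WAN address from the setup above; the loopback listener and its dropbear-style banner string are constructed fixtures for offline runs, not a real target.

```python
"""Probe a router's SSH port around a reboot and record when, and who, answers."""
import socket
import threading
import time


def probe_ssh(host, port=22, timeout=2.0):
    """One TCP probe. Returns (outcome, banner).

    outcome is one of:
      'banner'  - connection accepted and an SSH identification line came back
      'open'    - connection accepted but no SSH banner within the timeout
      'refused' - TCP RST: host is up but nothing listens (or a REJECT rule)
      'dropped' - connect timed out: what a DROP rule looks like from outside
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(255)
            except socket.timeout:
                return "open", ""
            line = data.split(b"\n", 1)[0].rstrip(b"\r").decode("ascii", "replace")
            if line.startswith("SSH-"):
                return "banner", line
            return "open", line
    except ConnectionRefusedError:
        return "refused", ""
    except (socket.timeout, OSError):
        return "dropped", ""


def sweep(host, port=22, duration=120.0, interval=1.0, timeout=2.0):
    """Probe every `interval` seconds for `duration` seconds (start it just
    before triggering the reboot). Returns [(seconds_since_start, outcome, banner), ...]."""
    start = time.monotonic()
    samples = []
    while (elapsed := time.monotonic() - start) < duration:
        outcome, banner = probe_ssh(host, port, timeout)
        samples.append((round(elapsed, 2), outcome, banner))
        time.sleep(interval)
    return samples


def exposure_window(samples):
    """(first, last) offset at which an SSH banner was obtained, or None."""
    hits = [t for t, outcome, _ in samples if outcome == "banner"]
    return (hits[0], hits[-1]) if hits else None


def banners_seen(samples):
    """Distinct identification lines: tells the router's dropbear apart from
    the LAN server that the port-forward rule points at."""
    return sorted({b for _, outcome, b in samples if outcome == "banner"})


def start_fake_sshd(banner=b"SSH-2.0-dropbear_2019.78\r\n"):
    """Constructed offline fixture, not a real device: a loopback listener that
    answers with an SSH-style banner. Returns (port, stop_function)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    def stop():
        try:
            srv.shutdown(socket.SHUT_RDWR)  # wakes the blocked accept() on Linux
        except OSError:
            pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop


if __name__ == "__main__":
    import sys
    # 192.168.10.100 is the RUT9a WAN address used in the thread's test setup.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.10.100"
    result = sweep(target, duration=120.0, interval=1.0)
    for t, outcome, banner in result:
        print(f"{t:7.2f}s  {outcome:8s} {banner}")
    print("exposure window:", exposure_window(result))
    print("banners seen:", banners_seen(result))
```

Reading the timeline: a run of `refused` (kernel up, sshd not yet listening) followed by a few `banner` samples and then `dropped` once the firewall loads would confirm the ordering problem the question describes; `dropped` or `refused` throughout, with the first `banner` only after the forward rule is in place, reproduces the support engineer's result. Because the asker forwards port 22 to a LAN host, a banner is expected once the rules are loaded, so the identification string is what matters: a dropbear banner means the router itself answered, an OpenSSH banner means the forward worked. Note also that a REJECT rule produces `refused` just like an absent daemon, so use DROP on the WAN zone if you want the two states to be distinguishable from outside. On OpenWrt-based firmware (an assumption about RutOS, to be checked on the unit) the boot order can be compared with `grep '^START=' /etc/init.d/dropbear /etc/init.d/firewall`: the lower number starts first, and equal numbers start in alphabetical order; binding dropbear to the LAN interface (`option Interface 'lan'` in `/etc/config/dropbear` on stock OpenWrt) removes the dependence on firewall ordering altogether.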

by

OK, Thank you very much for taking the time to do a very thorough investigation of the issue.  I will set aside some time to investigate further and will report back here if I find anything.

Best Regards

Greg.