Anti-attack of ADSL Modem "cultivating secrets"

My ADSL "CAT" was under attack. For this reason, I asked the kitten to cultivate "internal strength" and "security. The following describes how to cultivate secrets ".

Recently, my ADSL Modem often experienced problems. Sometimes I can work normally when I start the system, but most of the time I cannot connect to the web page. After a while, I restarted the ADSL Modem again. At first, I thought it was a problem with the ISP. I called to ask, and was told that everything was normal on the console. Maybe my ADSL Modem was under attack from the Internet. Taking advantage of the weekend's time, I asked ADSL Modem to cultivate "internal strength" and "security strength. Next, I will introduce the "Cultivation Tips" to you ".

　　I was attacked.

　　1. No alarm is triggered by Skynet Firewall

My access method is PPPoE, And the ADSL Modem enables the routing method, and uses the built-in dialing software to automatically dial; when the DHCP service is enabled, the Intranet machine automatically obtains the IP address from the DHCP server. The IP address used by the ADSL Modem is a public IP address, and the system is installed with the personal version of the Skynet firewall.

Recently, when the ADSL Modem was just started, it was hard to get online. At first, I thought it was a problem with the domain name server, but it was still the same for another Domain Name Server. When a fault occurs, the configuration software cannot be connected to the ADSL Modem, And the Ping to the ADSL Modem does not respond. I suspect there is a problem with the ADSL Modem. I have to borrow a new one. The parameter configuration is the same as the previous one. Alas, it is still the same fault. It seems that it is not an "error. No, it's not because the ISP has a problem. I called to ask, saying that I was under attack.

It's no wonder that these days, I found that every time I open the machine, Skynet firewall began to issue an alarm, and some IP addresses were constantly scanning my port (figure 1). At first I did not pay attention to it, but then I became more and more frequent, an alert is reported every second when an IP address from the Internet tries to connect to a port on my machine. However, frequent alerts are always annoying.

500) this. width = 500; "border = 0>

Figure 1

　　2. attacks due to insufficient security measures

Later, I found that the main cause of the above fault was that the ADSL Modem obtained the legal IP address of the public network after dialing the Internet through a route, anyone on the internet can access my ADSL Modem through this IP address. In this way, some malicious attackers or viruses (such as the shock wave virus) can scan and detect them in a targeted manner, and then launch attacks to exhaust ADSL Modem resources, resulting in abnormal operations of the ADSL Modem.

To enable users to achieve optimal performance at full speed, the ADSL Modem Manufacturer uses the lowest default security level in the device, after the purchase is made, the user does not further set the security. In addition, users are not aware of network security and do not take any security measures when configuring the route sharing mode (such as changing the Root password, changing or limiting the Management port of Web/Telnet ), thus, the ADSL Modem is exposed to malicious attackers without any protection.

In this case, if an open port in the ADSL Modem has a vulnerability and is discovered by an illegal attacker, it is very likely to be used for remote attacks. If the attacker obtains the administrator password of the ADSL Modem, he can remotely log on to the ADSL Modem, learn the IP address of the Intranet machine through the NAT table, and map the Intranet machine to the Internet, I am not miserable if I use other attack tools to plant a "backdoor" for me. In addition, attackers can also write a bad firmware program to the Flash of the ADSL Modem after obtaining the Administrator's permissions, so that my ADSL Modem will not be completely decommissioned. I can't imagine it.

Note: users using PPPoE/PPPoA/1483 fixed IP address + NAT/1577 + NAT access may be attacked. Users using route sharing are more vulnerable to attacks.

Tips 1: "reinforce" ADSL Modem

1. Change the password of the Root user

The default logon username and password are set when the ADSL Modem is released. Generally, the default user name and password of a product of the same model are the same. Most of us have never modified the default username and password after installing the ADSL Modem, which leaves a great security risk. To modify the default Root user name and password, enter the address of the ADSL Modem in the browser address bar (generally 192.168.1.1), enter the correct user name and password, and go to the ADSL Modem configuration page, click the "manage" tab, click the "user settings" symbol (2) next to the Root user, type the original password and new password, and click "Submit" to change the settings. Of course, you must first change the IP address of the computer Nic used for configuration to the same network segment as the address of the ADSL Modem.

500) this. width = 500; "border = 0>

Figure 2

I found that some models of ADSL Modem have restored the user name and password to the default password after correct modification. In this case, we can use Telnet to log on to the ADSL Modem, then, run the Passwd command at the $ prompt to modify the password of the Root user, and then run the commit command to submit your changes. This method can also be used to successfully modify the user name and password.

2. Change the Web/Telnet Management Port

After a complex password is set, the ADSL Modem cannot be completely protected from attacks. Generally, ADSL Modem can be locally or remotely managed through Web/Telnet. Many malicious attackers specify these default ports, scan an IP address segment using a scanning tool to determine the target of the attack. The ports 80, 21, and 23 opened by our ADSL Modem are the first scanning points. By modifying the service port, you can avoid testing by most scanning tools. Go to the ADSL Modem configuration page, click the "manage" tab, and change the HTTP, Telnet, and FTP ports in "Port Settings. For example, if we change the HTTP port to 8080 and the Telnet port to 8023 (figure 3), we will use http: // 192.168.1.1: 8080 for Web access, telnet 192.168.1.1: 8023 is used for access through Telnet.

500) this. width = 500; "border = 0>

Figure 3

3. Map non-existent ports

The ADSL Modem that enables the routing function is implemented through NAT ing. NAT ing can transfer the connection to a port of the ADSL Modem from the Internet to a port specified by an IP address in the intranet. Virus or malicious attackers generally attack several typical ports (such as 135, 139, 445, and 3127) of the ADSL Modem, we can try to transfer all these port attacks to an IP address that does not actually exist in the Intranet, so as to reduce the burden on the ADSL Modem caused by handling a large number of connections. In common ADSL Modem, we can map ports to non-existent IP addresses through RDR rules and BIMAP rules.

1) Use RDR rule ing

How can I use RDR to map ports such as Web/Telnet/FTP/TFTP to a non-existent IP address? Go to the ADSL Modem configuration page, click the "service" tab, select "NAT Rule Entry" in "NAT Settings", and click "add" to add RDR rules. Taking the Web port as an example, we map it to a non-existent IP Address: 192.168.1.100 (figure 4), select Rule Flavor as RDR, and fill in the Rule ID, fill in 192.168.1.100 at the beginning and end of the local IP address, and select HTTP (80) in the Start/end values of the target port and the local port respectively. Select the default value for all other options. For Telnet/FTP/TFTP port, refer to this setting.

500) this. width = 500; "border = 0>

Figure 4

2) use BIMAP rule ing

Use the BIMAP transparent rules to map all ports to a non-existent IP address. Go to the ADSL Modem configuration page, click the "service" tab, select "NAT Rule Entry" in "NAT Settings", and click "add" to add a BIMAP Rule. For example, we map the BIAMP rule to a non-existent IP Address: 192.168.1.200. Set Rule Flavor to BIAMP, enter the Rule ID, and enter 192.168.1.200 at the beginning and end of the local IP address.

Through this setting, all attacks against the common service port (or all ports) of the ADSL Modem are transferred to a non-existent IP address 192.168.100 (or 200) in the intranet.

4. Update firmware

Because some ADSL Modem has invested a little time in the market, and the original software version is relatively low, it has certain security defects. Many manufacturers now have the latest firmware programs available for download on their respective homepages. We have made changes to these problems by upgrading the firmware of the ADSL Modem. The specific methods are described on the vendor's official website. I will not detail them here.

Tip 2: Enable the firewall Function

The above operations must change the configuration of the ADSL Modem, which may sometimes affect the current settings. For many users who are not familiar with the NAT settings, the operation may be difficult.

The following describes a method to prevent further attacks without changing the original configuration of the ADSL Modem. The current ADSL Modem has a firewall function, but the default status is usually disabled. We only need to enable the firewall function. Generally, the firewall function is implemented through IP address filtering. The specific method of setting up IP address filtering rules is not described here because of the long length. Only two simple methods are introduced. If you use the Globespan technical solution for ADSL Modem, continue with this article.

1. Use firewall Patches

On the TP-Link website there is a TD-8800 ADSL Modem firewall patch download, the author found that TD-8800 is using Globespan technology solution, this patch can be used completely on the ADSL Modem Globespan chip. I tried it on my own ADSL Modem. Everything is normal (of course, it is not a TP-Link product ). In fact, it enables several filtering rules in the IP filtering settings of the ADSL Modem, eliminating the trouble of manual addition.

Patch usage is very simple. You only need to enter the IP address of the ADSL Modem in the address bar, enter the user name and password, and then click "execute" (figure 5 ).

<