Security Basics mailing list archives
Re: Possible weird/insecure configuration of an ISP router exposed unfiltered to public internet?
From: John Doe <security.department () tele2 ch>
Date: Fri, 28 Jan 2005 13:00:19 +0100
Hi David Thanks a lot for your answer!
4. (my main question!): The reason given by the ISP to expose the router is totaly weird, because the IP range for _outgoing_ ADSL-connections is irrelevant for router remote administration, which is performed in the opposite direction and need's only one IP, p.ex. the one of the target router.Uh, no. Any TCP connection needs both source and target addresses.
Oh yes, I know this - but maybe my question was not clear, or I have another basic misunderstanding? I used severel IPs (as target, not as source) to telnet the router, all of them where, _at_the_time_ I used them, in use by a ISP customer which is located in the same building and visiting my website. All these IPs I tried are within the ISPs IP pool used for their customers (most of them ADSL and non in the same building I think). So, I thought: - the IP (the router was reachable at) belonged to a PC somehow _within_ their network - there is no need for the ISP to use their _own_ IPs (as source IP) when remote administering (but maybe this provides a basic restriction of source IPs?) - why must the router be reachable _at_ (not from) some hundreds IP adresses (of their IP pool)?
What the ISP said is: We've considered only allowing telnet connections to this box from specific source addresses (assigned to those who should be able to administer the router).
yes, I understand this; but the customer the IPs where assigned to is neither allowed nor capable to administer the router. I suppose none of their customers should aminister it
We haven't restricted access to only those sources yet;
they even don't plan to do so.
it's entirely possible that the administrators need the option to access it from wherever they are on the Internet *today*, and that changes, either because they travel and/or they get an address via DHCP or other dynamic mechanism.
ok, clear. So, independent from within what range those IPs at the moment of remote administration are: Is it common practice to admin a router by telnet from outside, exposing plain text password? Why not use ssh somehow? Is there no danger that anybody brute forces the router password and can disable internet access for all the ISPs customers?
[...]
You are an expert, and I really hope not annoying you with bullshit... and if so, I really apologize, and I won't do more postings to this subject. thanks again J. P.S. Shouldn't I have post this answer to the list?
Current thread:
- Possible weird/insecure configuration of an ISP router exposed unfiltered to public internet? John Doe (Jan 27)
- RE: Possible weird/insecure configuration of an ISP router exposed unfiltered to public internet? David Gillett (Jan 27)
- Re: Possible weird/insecure configuration of an ISP router exposed unfiltered to public internet? John Doe (Jan 28)
- Re: Possible weird/insecure configuration of an ISP router exposed unfiltered to public internet? david kuhlman (Jan 28)
- RE: Possible weird/insecure configuration of an ISP router exposed unfiltered to public internet? David Gillett (Jan 27)