Router question

Discussion in 'Computer Security' started by Toja, Jun 23, 2005.

  1. Toja

    Toja Guest

    Is it possible for an outside computer to try to log into my router that is
    behind a DSL modem? Thanks
    Toja, Jun 23, 2005
    #1

  2. Toja

    Vanguard Guest

    "Toja" <> wrote in message
    news:%bque.1663$...
    > Is it possible for an outside computer to try to log into my router
    > that is
    > behind a DSL modem? Thanks
    >
    >



    Yep. Depends on your router which you never specified. Some routers
    have remote logon. After all, they are simply running a web server for
    you to get at its admin pages. You will need to see if your router
    supports remote logon, enable it, and be damn sure to use a strong
    username and a strong password to prevent cracking.
    Vanguard, Jun 23, 2005
    #2

  3. Toja

    Leythos Guest

    In article <%bque.1663$>,
    says...
    > Is it possible for an outside computer to try to log into my router that is
    > behind a DSL modem? Thanks


    If the DSL modem provides a public IP or if the DSL modem passes all
    through, then your computer is completely exposed. If you have DSL, get
    a DSL Router from Linksys, D-Link or Netgear to block unsolicited
    inbound connections.

    --
    --

    (Remove 999 to reply to me)
    Leythos, Jun 23, 2005
    #3
  4. Toja

    Ned Guest

    To: Toja
    Re: Router question
    By: Toja to alt.computer.security on Thu Jun 23 2005 04:41 am

    > From Newsgroup: alt.computer.security
    >
    > Is it possible for an outside computer to try to log into my router that is
    > behind a DSL modem? Thanks


    The short answer is yes. Without knowing the specifications of your router,
    (Make, Model), I can't say how you should lock it down. Most routers offer
    the option of accessing it via the internet.

    I would read the documentation that came with the router to learn how best to
    lock it down. Also make sure you have the most recent firmware updates. I
    hope this helps you out.


    --
    Ned Brickley
    Sysop/Webmaster
    Anger Central
    http://www.angry.net
    telnet://evilned.dynalias.com


    --- Synchronet 3.12a-Win32 NewsLink 1.76
    * The Anger Central BBS - Nashua, NH - telnet://evilned.dynalias.com
    Ned, Jun 23, 2005
    #4
  5. "Vanguard" <> wrote:

    > Yep. Depends on your router which you never specified. Some routers
    > have remote logon. After all, they are simply running a web server for
    > you to get at its admin pages. You will need to see if your router
    > supports remote logon, enable it, and be damn sure to use a strong
    > username and a strong password to prevent cracking.


    Most routers only offer that kind of access on the LAN interface.
    However, if you're running a proxy server on your machine and make that
    accessible from the Internet, somebody could access the router through
    the proxy...

    Juergen Nieveler
    --
    No matter how minor the ailment, a visit to the medics will result in an
    I.V.
    Arguing with the medics about this will result in your being evacuated in
    a neck brace and back board (in addition to the I.V.).
    Juergen Nieveler, Jun 23, 2005
    #5
  6. Toja

    nemo_outis Guest

    Juergen Nieveler <> wrote in
    news::

    > "Vanguard" <> wrote:
    >
    >> Yep. Depends on your router which you never specified. Some routers
    >> have remote logon. After all, they are simply running a web server for
    >> you to get at its admin pages. You will need to see if your router
    >> supports remote logon, enable it, and be damn sure to use a strong
    >> username and a strong password to prevent cracking.

    >
    > Most routers only offer that kind of access on the LAN interface.
    > However, if you're running a proxy server on your machine and make that
    > accessible from the Internet, somebody could access the router through
    > the proxy...
    >
    > Juergen Nieveler



    My cheap little d-link 604 has remote admin from the WAN side.

    Regards,
    nemo_outis, Jun 23, 2005
    #6
  7. Toja

    Jim Watt Guest

    On 23 Jun 2005 19:14:35 GMT, Juergen Nieveler
    <> wrote:

    >Most routers only offer that kind of access on the LAN interface.


    Generally it's an option that can be turned on or off. It can be
    very useful.
    --
    Jim Watt
    http://www.gibnet.com
    Jim Watt, Jun 23, 2005
    #7
  8. Toja

    Toja Guest

    Thanks for the replies. This particular router is Siemens Speedstream 2614.
    I don't see an option for remote management, so I guess it is ok?

    Also, would anyone know why I can't access my router's Web config while I
    have my software firewall running (Sygate Personal firewall)? For some reason
    I have to close my firewall to get to it, although I used to be able to.

    "Ned" <-11rl-this> wrote in message
    news:1119531602.5d7b4684905fc292752e2f08d8df8b95@meganetnews2...
    > To: Toja
    > Re: Router question
    > By: Toja to alt.computer.security on Thu Jun 23 2005 04:41 am
    >
    > > From Newsgroup: alt.computer.security
    > >
    > > Is it possible for an outside computer to try to log into my router
    > > that is behind a DSL modem? Thanks
    >
    > The short answer is yes. Without knowing the specifications of your
    > router, (Make, Model), I can't say how you should lock it down. Most
    > routers offer the option of accessing it via the internet.
    >
    > I would read the documentation that came with the router to learn how best
    > to lock it down. Also make sure you have the most recent firmware updates. I
    > hope this helps you out.
    >
    >
    > --
    > Ned Brickley
    > Sysop/Webmaster
    > Anger Central
    > http://www.angry.net
    > telnet://evilned.dynalias.com
    >
    >
    > --- Synchronet 3.12a-Win32 NewsLink 1.76
    > * The Anger Central BBS - Nashua, NH - telnet://evilned.dynalias.com
    Toja, Jun 23, 2005
    #8
  9. Toja

    Toja Guest

    Hey can I ask you does traffic that is received by a computer or router that
    gets blocked have an effect on bandwidth?


    "Leythos" <> wrote in message
    news:...
    > In article <%bque.1663$>,
    > says...
    > > Is it possible for an outside computer to try to log into my router that
    > > is behind a DSL modem? Thanks

    >
    > If the DSL modem provides a public IP or if the DSL modem passes all
    > through, then your computer is completely exposed. If you have DSL, get
    > a DSL Router from Linksys, D-Link or Netgear to block unsolicited
    > inbound connections.
    >
    > --
    > --
    >
    > (Remove 999 to reply to me)
    Toja, Jun 23, 2005
    #9
  10. Toja

    Leythos Guest

    In article <IcFue.1248$>,
    says...
    > Hey can I ask you does traffic that is received by a computer or router that
    > gets blocked have an effect on bandwidth?


    Sort of - during the sending phase, where it tries to make a connection,
    it consumes your capacity. In many cases, if the remote device can't get
    past the negotiation phase it doesn't transmit any more, so it lessens
    the impact.

    So, all traffic reaching your IP (internal or external) does impact your
    performance, but it's only a momentary thing unless it's sustained.

    --
    --

    (Remove 999 to reply to me)
    Leythos, Jun 24, 2005
    #10
  11. Toja

    Vanguard Guest

    "Juergen Nieveler" <> wrote in message
    news:...
    > "Vanguard" <> wrote:
    >
    >> Yep. Depends on your router which you never specified. Some routers
    >> have remote logon. After all, they are simply running a web server
    >> for
    >> you to get at its admin pages. You will need to see if your router
    >> supports remote logon, enable it, and be damn sure to use a strong
    >> username and a strong password to prevent cracking.

    >
    > Most routers only offer that kind of access on the LAN interface.
    > However, if you're running a proxy server on your machine and make
    > that
    > accessible from the Internet, somebody could access the router through
    > the proxy...



    ALL access to routers through their web server is "remote access". That
    is, you are not actually logging onto the router's own host (i.e., the
    router device) because it doesn't provide an operating system (some
    router appliances do but not the NAT routers assumed here). Instead you
    are using some other host in your intranetwork to manage that router's
    setup so all access to the router is remote. All you need for remote
    access by any intranetwork (LAN-side) host are the login credentials.
    The Remote Administration in the router is to provide WAN-side access
    so, for example, you could manage your home router from work. My D-Link
    DI-604 and Linksys BEFSR41 have that and they're considered low-end
    entry model NAT routers.
    Vanguard, Jun 24, 2005
    #11
  12. "Vanguard" <> wrote:

    > ALL access to routers through their web server is "remote access".
    > That is, you are not actually logging onto the router's own host
    > (i.e., the router device) because it doesn't provide an operating
    > system (some router appliances do but not the NAT routers assumed
    > here).


    Huh? Of course the router runs an operating system, how else could it
    be possible to operate? ;-)

    > Instead you are using some other host in your intranetwork to manage
    > that router's setup so all access to the router is remote.


    Of course you connect from a separate machine - but most decent
    routers offer you a management interface only on the interface marked
    "LAN".

    The better ones additionally offer you to switch this functionality on
    on the WAN interface, but I wouldn't really recommend doing that...

    Juergen Nieveler
    --
    How often should we practice sex before it is safe?
    Juergen Nieveler, Jun 24, 2005
    #12
  13. Toja

    Vanguard Guest

    "Juergen Nieveler" <> wrote in message
    news:...
    > "Vanguard" <> wrote:
    >
    >> ALL access to routers through their web server is "remote access".
    >> That is, you are not actually logging onto the router's own host
    >> (i.e., the router device) because it doesn't provide an operating
    >> system (some router appliances do but not the NAT routers assumed
    >> here).

    >
    > Huh? Of course the router runs an operating system, how else could it
    > be possible to operate? ;-)


    I meant that YOU cannot log onto the "host" which was the router device
    as you would with, say, a workstation running a "user" operating system.
    For the routers discussed here, the OS in the router is embedded and
    changeable only with firmware updates. You aren't logging into that
    system through a login screen under that OS (i.e., you are not ON that
    host to login). You are logging in through a web server run by that
    embedded OS, so your login is always remote from some other host on the
    network.

    >> Instead you are using some other host in your intranetwork to manage
    >> that router's setup so all access to the router is remote.

    >
    > Of course you connect from a separate machine - but most decent
    > routers offer you a management interface only on the interface marked
    > "LAN".


    Actually I would think ALL routers would have to provide a management
    interface on the LAN side; otherwise, you would get a fixed device that
    was never configurable. Or maybe you meant "decent" to mean that *only*
    a LAN-side management interface was available and that a WAN-side
    management interface was NOT offered (i.e., decent = LAN-side only), yet
    your next statement makes "better" sound like something higher than
    "decent".

    > The better ones additionally offer you to switch this functionality on
    > on the WAN interface, but I wouldn't really recommend doing that...


    Same advice here regarding most users. However, it does save time and
    miles from having to drive over to Dad's to reconfigure his router for
    his SOHO setup, and without the nuisance of setting up VNC (or a
    derivative of it) or using a RAT in his OS, providing I can get through
    his router to use them, to remotely manage his router from its LAN-side
    management access. Typically I can tell Dad over the telephone how to
    use the LAN-side access to temporarily enable the WAN-side management
    function, do my stuff, and then have him disable it afterward. I don't
    want him to leave it enabled.
    Vanguard, Jun 24, 2005
    #13
  14. "Vanguard" <> wrote:

    > Actually I would think ALL routers would have to provide a management
    > interface on the LAN side; otherwise, you would get a fixed device that
    > was never configurable.


    Not necessarily. For example the Biodata Bigfire packet filters (which
    basically were routers with filtering added) could not be configured
    over the network when freshly unpacked - you had to connect via a
    serial interface and configure one of the network interfaces first so
    that it actually had an IP. The same is still true for all Cisco
    routers I've come across.

    > Or maybe you meant "decent" to mean that *only*
    > a LAN-side management interface was available and that a WAN-side
    > management interface was NOT offered (i.e., decent = LAN-side only), yet
    > your next statement makes "better" sound like something higher than
    > "decent".


    Good = Only LAN-side management
    Better = WAN-side management available, but OFF by default
    Total and utter crap = WAN-side management with no password on by
    default :)


    Juergen Nieveler
    --
    Microsoft manager to programmer: You start coding. I'll go find out what
    they want.
    Juergen Nieveler, Jun 24, 2005
    #14
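
Added example (not part of the thread): a self-audit for the WAN-side management exposure discussed in posts #11 to #14, meant to be run from a host outside your LAN against your own router's public address. The port list, function names and verdict strings are assumptions made for this example, and only plain HTTP and telnet ports are checked.

```python
import http.client
import socket
import sys

# Assumed list of ports consumer routers commonly use for management.
MGMT_PORTS = (80, 8080, 23)

def probe_port(host, port, timeout=3.0):
    """Return 'open', 'closed' (refused) or 'filtered' (no answer)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # timeout, unreachable, etc.
        return "filtered"

def http_auth_state(host, port, timeout=3.0):
    """GET / over plain HTTP and report whether credentials are demanded."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        status = conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return "open-not-http"
    finally:
        conn.close()
    if status == 401:
        return "auth-required"
    # A 200 may still be a form-based login page; review it by hand.
    return "no-http-auth" if status == 200 else f"http-{status}"

def classify(host, ports=MGMT_PORTS, timeout=3.0):
    """Return (per-port findings, verdict) for WAN-side management exposure."""
    findings = {}
    for port in ports:
        state = probe_port(host, port, timeout)
        if state == "open" and port != 23:  # 23 is telnet, not HTTP
            state = http_auth_state(host, port, timeout)
        findings[port] = state
    exposed = [s for s in findings.values() if s not in ("closed", "filtered")]
    if not exposed:
        verdict = "no WAN-side management reachable"
    elif "no-http-auth" in exposed:
        verdict = "WAN-side management answers without a password challenge"
    else:
        verdict = "WAN-side management enabled"
    return findings, verdict

if __name__ == "__main__":
    # Pass your own router's public address; run from outside your LAN.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(classify(target))
```

A "filtered" result means the connection attempt got no answer, which is what a router dropping unsolicited inbound traffic looks like from outside.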
  15. Toja

    Vanguard Guest

    "Juergen Nieveler" <> wrote in message
    news:...
    > Good = Only LAN-side management
    > Better = WAN-side management available, but OFF by default
    > Total and utter crap = WAN-side management with no password on by
    > default :)


    Whoa, geez, there are routers that don't require a non-blank password
    for the WAN-side management access? That's stupid even for the LAN-side
    access (although many do offer that ability).
    Vanguard, Jun 24, 2005
    #15
  16. Toja

    Leythos Guest

    In article <>, lid
    says...
    > Actually I would think ALL routers would have to provide a management
    > interface on the LAN side; otherwise, you would get a fixed device that
    > was never configurable. Or maybe you meant "decent" to mean that *only*
    > a LAN-side management interface was available and that a WAN-side
    > management interface was NOT offered (i.e., decent = LAN-side only), yet
    > your next statement makes "better" sound like something higher than
    > "decent".


    Many routers, in the older days, only had a serial port or a telnet port
    to configure them with their initial IP, after that you could browse to
    them, but I'm remembering days before Microsoft learned about the
    Internet.

    --
    --

    (Remove 999 to reply to me)
    Leythos, Jun 25, 2005
    #16
  17. Leythos <> wrote:

    > Many routers, in the older days, only had a serial port or a telnet
    > port to configure them with their initial IP, after that you could
    > browse to them, but I'm remembering days before Microsoft learned
    > about the Internet.


    Still true of all non-home-user routers. After all, how should the
    router know which IP to use? :)


    Juergen Nieveler
    --
    Confucius say - 'He who stands on toilet is high on pot'
    Juergen Nieveler, Jun 25, 2005
    #17
  18. Toja

    Jim Watt Guest

    On 25 Jun 2005 15:37:50 GMT, Juergen Nieveler
    <> wrote:

    >how should the router know which IP to use? :)


    Most devices come with a predefined address so you
    can access them to set the wanted one, otherwise they
    have a serial port. Some even look for a DHCP server
    by default.

    --
    Jim Watt
    http://www.gibnet.com
    Jim Watt, Jun 25, 2005
    #18
  19. Jim Watt <_way> wrote:

    > Most devices come with a predefined address so you
    > can access them to set the wanted one, otherwise they
    > have a serial port. Some even look for a DHCP server
    > by default.


    Both DHCP and predefined address would be rather impractical for
    professional routers, though, as both would mean that the router would
    start off with a wrong address. Of course Cisco et al. can assume that
    anybody who buys THEIR products is smart enough to do the basic
    configuration via serial console, anyway.

    I wonder why Cisco includes the question-answer-style interface used at
    first startup, though - I've never seen anybody actually using it,
    activating a new Cisco device (router, switch, PIX) usually consists
    of logging in via serial with the default password, ena, conf t, and
    sending a text file with the pre-made configuration.

    Juergen Nieveler
    --
    Microsoft is not the answer. Microsoft is the question. 'No' is the
    answer!
    Juergen Nieveler, Jun 25, 2005
    #19
