Wifibre vulnerability

Polemus

Hi wifibre guys.

I've noticed quite a few attack attempts on my wifibre dish/router, so I've spent some time investigating the issue.

Please note the following:

  1. New installations do not have a strong password. If you are a client you can easily guess other people's passwords
  2. All routers have their web interface enabled on default port 80, which makes it easy to access
  3. Brute force attacks are easy as it blocks an IP for a short period after 10 attempts, there are numerous ways to get around it
  4. SSH ports are using standard port, also making it easy to probe
  5. Your high-sites all have their web interfaces enabled, exposing the same vulnerability as end users

At a minimum please action the following:
  1. Use strong passwords for new users
  2. disable the web interface, or at least change the ports for http and https access
  3. change default ssh ports

One thing I clearly noticed was that as soon as my router is being attacked I get latency spikes and network degradation. I am sure this will alleviate some of your support calls.
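Added example (not from the thread or from WiFibre): a small Python detector run over constructed login-failure lines forwarded from several CPE routers to one collector. It contrasts what a per-IP lockout that trips after 10 attempts can see with what centralised logs reveal when attempts are spread thinly across many sources or across the whole fleet. The log format, host names and addresses are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog lines modelled on OpenSSH "Failed password" messages (RFC 5737 test addresses).
def _line(sec, host, user, src):
    return f"2024-03-01T10:{sec // 60:02d}:{sec % 60:02d} {host} sshd[311]: Failed password for {user} from {src} port 4{sec:04d} ssh2"

SAMPLE_LINES = (
    [_line(i * 10, "cpe-0042", "admin", "203.0.113.5") for i in range(12)]            # one loud source
    + [_line(300 + i * 15, "cpe-0077", "admin", f"198.51.100.{10 + i % 9}") for i in range(18)]  # 9 sources, 2 each
    + [_line(400 + i * 20, f"cpe-{i:04d}", "admin", "192.0.2.9") for i in range(5)]   # one source, 5 routers
)

FAIL_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for "
                     r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+")
def parse_failures(text):
    # (time, target_host, username, source_ip) for every failed-login line
    matches = (FAIL_RE.match(line) for line in text.splitlines())
    return [(datetime.fromisoformat(m["ts"]), m["host"], m["user"], m["src"]) for m in matches if m]

def peak_in_window(events, key, window_s=600):
    # per key, the most failures falling inside any window_s-second span (sliding window)
    times = defaultdict(list)
    for ev in events:
        times[key(ev)].append(ev[0])
    peaks = {}
    for k, ts in times.items():
        ts.sort()
        lo = best = 0
        for hi, t in enumerate(ts):
            while (t - ts[lo]).total_seconds() > window_s:
                lo += 1
            best = max(best, hi - lo + 1)
        peaks[k] = best
    return peaks

def noisy_sources(events, threshold=10):
    # what a per-IP lockout tripping after 10 attempts sees
    return {s for s, n in peak_in_window(events, lambda e: e[3]).items() if n >= threshold}
def besieged_hosts(events, threshold=10):
    # failures per target router regardless of sender: only visible once logs are centralised
    return {h for h, n in peak_in_window(events, lambda e: e[1]).items() if n >= threshold}
def fleet_wide_sources(events, min_hosts=3):
    # one source failing against several routers: the address block is being worked through
    hosts = defaultdict(set)
    for _, host, _, src in events:
        hosts[src].add(host)
    return {s for s, hs in hosts.items() if len(hs) >= min_hosts}
EVENTS = parse_failures("\n".join(SAMPLE_LINES))
```

Only the loud source trips the per-IP rule; the router receiving 18 spread-out failures and the source sweeping five routers show up only in the per-target and per-fleet views.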
 
Thanks for your concerns raised Polemus.

See below comments per point

Please note the following:

New installations do not have a strong password. If you are a client you can easily guess other people's passwords
Our public IPs are dynamic and change every week so this would be very hard to guess unless you have in-depth knowledge of our client base as well as our infrastructure. Intimate knowledge of anyone raises security concerns regardless. We do this so that we can do worthwhile remote access and not just ask the customer to reboot.


All routers have their web interface enabled on default port 80, which makes it easy to access
Again this is for maintenance, we will consider changing this


Brute force attacks are easy as it blocks an IP for a short period after 10 attempts, there are numerous ways to get around it

We are firewalled for all DNS massing attacks and most other DoS, again switching off WAN management would totally destroy remote support.

SSH ports are using standard port, also making it easy to probe
Your high-sites all have their web interfaces enabled, exposing the same vulnerability as end users

This is sort of redundant as 99% of the world uses port 22 for SSH. Our RADIUS manager uses the standard port as well as the other services for advanced client info and management. We are firewalled on these ports to a large part of the internet and have not had a single breach yet.




At a minimum please action the following:
Use strong passwords for new users - We can do this but the very very small risk here negates practicality
disable the web interface, or at least change the ports for http and https access - This is a good suggestion and we will have a look at implementing this.
change default ssh ports - We can talk to our RADIUS programmers to see if there is a possibility for this.


At the end of the day although all you have said is true, it's true for 95% of the WISP industry. Like saying driving is dangerous.

If you do not have the client lists and exact IPs of specific users you have no chance of breaching anything.

There are far scarier things like ransomware to be worried about. At the moment we are all running IPv4 with a public facing IP with devices NATed behind it, IPv6 will greatly change this with individual devices needing a public facing IP for future networks.

If you feel you are at risk please email [email protected] and we can help you set your network to requirements.

Thanks and regards

WiFibre
 
Thanks for your concerns raised Polemus.

See below comments per point

Please note the following:

New installations do not have a strong password. If you are a client you can easily guess other people's passwords
Our public IPs are dynamic and change every week so this would be very hard to guess unless you have in-depth knowledge of our client base as well as our infrastructure. Intimate knowledge of anyone raises security concerns regardless. We do this so that we can do worthwhile remote access and not just ask the customer to reboot.

Oh hey would you look at this, WiFibre's entire network sits on the IP space 154.119.144.0/20 and 154.73.224.0/21 (okay, okay, maybe not the whole network: they might have some loaner IPs from someone else).

Guess we now know where all of it is.

All routers have their web interface enabled on default port 80, which makes it easy to access
Again this is for maintenance, we will consider changing this


Brute force attacks are easy as it blocks an IP for a short period after 10 attempts, there are numerous ways to get around it

We are firewalled for all DNS massing attacks and most other DoS, again switching off WAN management would totally destroy remote support.

OP's concern is reasonable. There are ways to do this that do not leave your network looking like swiss cheese. You should do those things.

SSH ports are using standard port, also making it easy to probe
Your high-sites all have their web interfaces enabled, exposing the same vulnerability as end users

This is sort of redundant as 99% of the world uses port 22 for SSH. Our RADIUS manager uses the standard port as well as the other services for advanced client info and management. We are firewalled on these ports to a large part of the internet and have not had a single breach yet.

Bit of a missed concern (it's easy to identify SSH on another port anyway), but the response from WiFibre still leaves a lot to be desired.

<snip>

At the end of the day although all you have said is true, it's true for 95% of the WISP industry. Like saying driving is dangerous.

"Almost everyone else is this bad too!" is not a very good operating principle. I'd also say it's not really an excuse.

If you do not have the client lists and exact IPs of specific users you have no chance of breaching anything.

There are any number of ways to mass-scan some subnets. Beyond that (and because the login details are, as mentioned, bad) it gets very, very quick to start seeing which user is on which IP (and to track churn).

There are far scarier things like ransomware to be worried about. At the moment we are all running IPv4 with a public facing IP with devices NATed behind it, IPv6 will greatly change this with individual devices needing a public facing IP for future networks.

"Hey, there are big scary things out there! Like, nukes! Why are you worried about leaving the front door open and unlocked?

Don't worry, though. We'll be moving to houses with super long avenues in front of the house, soon!"

There are viable techniques for working through v6 space and finding devices even with the density as low as it is.

</comments>

WiFibre, serious suggestion: speak to a networking and operations professional to get things in better shape.
 