Pretty bad default router settings


CredulousDane

Sep 26, 2020
Hi, I recently found out that some of the default settings in the router my mom got from the internet provider when getting fiber were pretty bad. Should've checked it long ago. Last month Malwarebytes caught ransomware on her PC and I couldn't understand how it got there, since I manage all installations, backups etc. on her PC, as well as only installing software I'm using on my own and have scanned thoroughly with several scanners. So I checked the router and found this:

1) UPnP was enabled
2) Firewall was set to:
LAN to WAN: Allow All
WAN to LAN: Allow All 😥

The setup is: Windows 10 with Malwarebytes Premium and Mullvad VPN launch at start-up, auto-connect ON, local network sharing ON and ads, trackers and malware content blockers ON as well as Simple Windows Hardening ON.

My question is then: What should I do - if the PC has been 'available' to the internet, that's pretty bad and I guess any rootkit could've been installed or how DOES a rootkit get installed? (I know I'll google this, I'm just writing my thoughts)

I'm installing Malwarebytes Firewall Control so any outbound connection shows a notification, but of course I'm worried that neither the firewall nor SWH nor Malwarebytes nor an Emsisoft scan will find out if someone's been on the PC.

Hope you'll share your thoughts without bashing me too hard :oops:
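A defender-side check for the UPnP finding above, added here and not code from the thread: it builds the standard IGD GetGenericPortMappingEntry request and parses the router's responses to list which port mappings are enabled, i.e. what UPnP has opened through NAT. The sample responses are constructed, and the control URL (taken from the router's UPnP device description) is left to the caller.

```python
import re
import xml.etree.ElementTree as ET

# Standard UPnP IGD identifiers (protocol constants, not values from the thread)
WANIP_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
FIELDS = ("NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewEnabled", "NewPortMappingDescription")
_ENV = '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'

def soap_request(index: int) -> bytes:
    """GetGenericPortMappingEntry body; POST it to the WANIPConnection control
    URL for index 0, 1, 2, ... until the router answers with a fault."""
    return (_ENV + '<u:GetGenericPortMappingEntry xmlns:u="%s">'
            '<NewPortMappingIndex>%d</NewPortMappingIndex>'
            '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>'
            % (WANIP_SERVICE, index)).encode()

def parse_mapping(xml_text: str):
    """One response -> dict of FIELDS; None on a SOAP fault (error 713 = end of table)."""
    if "<s:Fault>" in xml_text:
        return None
    # Drop XML namespaces from tag names so the plain field names can be looked up.
    tags = {re.sub(r"^\{.*?\}", "", el.tag): (el.text or "").strip()
            for el in ET.fromstring(xml_text).iter()}
    return {f: tags.get(f, "") for f in FIELDS}

def audit(responses):
    """One line per enabled mapping, i.e. each inbound hole UPnP opened through NAT."""
    exposed = []
    for resp in responses:
        m = parse_mapping(resp)
        if m is None:
            break                          # walked past the last entry
        if m["NewEnabled"] == "1":
            exposed.append("%s/%s -> %s:%s (%s)" % (
                m["NewExternalPort"], m["NewProtocol"], m["NewInternalClient"],
                m["NewInternalPort"], m["NewPortMappingDescription"] or "no description"))
    return exposed

# Constructed sample responses (not captured from a real router).
_RESP = (_ENV + '<u:GetGenericPortMappingEntryResponse xmlns:u="%s"><NewRemoteHost/>'
         '<NewExternalPort>%s</NewExternalPort><NewProtocol>%s</NewProtocol>'
         '<NewInternalPort>%s</NewInternalPort><NewInternalClient>%s</NewInternalClient>'
         '<NewEnabled>%s</NewEnabled><NewPortMappingDescription>%s</NewPortMappingDescription>'
         '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')
_FAULT = (_ENV + '<s:Fault><detail><UPnPError><errorCode>713</errorCode></UPnPError>'
          '</detail></s:Fault></s:Body></s:Envelope>')
SAMPLE = [_RESP % (WANIP_SERVICE, 3389, "TCP", 3389, "192.168.1.20", 1, "RDP"),
          _RESP % (WANIP_SERVICE, 6881, "UDP", 6881, "192.168.1.31", 0, "torrent"),
          _FAULT]
```

Walk the index until parse_mapping returns None; every line audit() returns is a mapping to question, and if none of them are intended the fix is to disable UPnP on the router.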
 
Unless the router supports exactly one connected device, it still has to have a NAT. This should mean that any device inside the network is not discoverable directly from the outside. An unsolicited packet coming in from the outside has no target beyond the router unless there is a NAT entry to direct it onward into your network. You could experiment with GRC's ShieldsUp to see what it reports. It appears to be using a generated URL; I hope this link works: https://www.grc.com/x/ne.dll?bh0bkyd2 . Additionally, Windows itself has some level of firewall, depending on how you configured it, so it shouldn't be that easy to exploit just because it exists.

It seems likely that some issue in the web browser might be responsible for any problem found... If an unpatched vulnerability was available, it could have led to an elevation of privilege and the install of anything dangerous. Also, are you sure whether the malware was installed for all users, or was just installed running inside the user's account?
 
Okay, thanks *sigh* - it's a router for several devices as well as a TV box and IP telephone. Also, I've noticed that the provider does not allow changes to the DNS; I don't know if that's for the TV box or some security measure. I will definitely try ShieldsUp to see what it reports.

The thing with the ransomware was actually somewhat weird, because it said ransomware in a notification and also says it in notifications when opening the software, but right after, I checked the quarantine section and there was none. So I couldn't learn more about what it was exactly, but maybe they just remove it completely without using quarantine, as no one should allow ransomware back onto the system.

I'm not sure where it was running or even if it was. Malwarebytes just showed a notification, on boot, saying ransomware has been detected/removed (something like that). And as said before, couldn't find information on it afterwards and therefore, now, I can't see where it was.

Besides using VPN I'm thinking of also adding an extra layer with e.g. NextDNS - not with a lot of filters, more for the malware detection.
 
A VPN (as advertised) will not improve security over https, ssh or any other encrypted protocol. The only advantage of commodity VPNs is the ability to choose the tunnel endpoint.

A VPN in an enterprise environment is a different beast. I #WFH (since the start of the pandemic). We use a VPN that puts my work provided laptop into my employer's network. It in fact is a virtual network into their network and it is private. I do the same and have done the same for 20-25 years when I'm away from home using IPSec or a simple SSH VPN, that puts my FreeBSD laptop on a separate VPN virtual LAN on my network (actually a virtual LAN in my firewall/gateway).

The commodity VPN will only serve to hide your IP address. You can just as easily do that with HTTPS plus route through the TOR network.

If you're using a commodity router the network-based exploit vectors can be:

  • Clicking on a link and downloading some malware,
  • Some javascript or java running in the browser
  • An email
  • A compromise of your router. Once it's pwned your network and all the devices attached to it are vulnerable.
Personally, I layer my network. That does mitigate, somewhat, the last concern. My wife's side of the network consists of daisy chained commodity routers. Only because if I screw up my FreeBSD firewall (I'm a developer), I'm in the doghouse and that's no fun.

From personal experience, my wife did manage to get some ransomware on her laptop (3 laptops ago). She clicked on a link. It took me three days to remove it but Windows was never the same since then. As it was old (XP) we replaced the computer with a 64-bit Windows 8 machine and copied her files over. (I don't use Windows at home so it's not something I worry about myself, personally.)

My FreeBSD ipfilter firewall has served me well for decades. Most people are better off layering their network or maybe getting pfsense or something similar.
 
Keep the ISP router there, but disable wireless (or use it for guest devices that you do not care about, changing the wifi name to "insecure link"), and buy another router, and connect all devices to it instead. Then you can do all the things you want on the inner router, have it do the wireless, and get some better protection. All the ISP router then sees is encrypted connections; also use secure DNS on the inner router for divulging less info.
 
Alright, thanks both for your info - taking it into consideration moving forward :)

About VPN, I actually thought that a device being connected to a VPN server would have a 'shield' in case anyone unwanted got into the network as if the encrypted tunnel would make Windows' ports 'shielded' :unsure:.
 
About VPN, I actually thought that a device being connected to a VPN server would have a 'shield' in case anyone unwanted got into the network as if the encrypted tunnel would make Windows' ports 'shielded' :unsure:.
Regarding the VPN, having the device connected to a VPN will "shield" any ports in use by the VPN, but your router is still vulnerable to direct connections targeting ports not used by the VPN.
 
Bad security on ISP routers is the rule, not the exception

The malware may have been a bad browser extension that the victim was tricked into installing. The security around browser extensions is miserable.

My suggestion is to use NextDNS with an account (not a generic user). The big upside is the optional logging feature. You can see what DNS calls the computer is making and block any you don't like that NextDNS is allowing. The service has both allow and block lists.

But, Mullvad is not great at sharing responsibility for DNS (aka Custom DNS) and they are especially poor at sharing with NextDNS. Last time I checked, they only let you provide an IPv4 address for your custom DNS servers. No server name, so no NextDNS account and no NextDNS device name in the (optional) log. IVPN has a miserable UI for custom DNS, but at least it works and offers full co-operation with NextDNS.

FYI: A better router will support secure DNS, so that NextDNS can be used for all devices.

FYI: detailed VPN info: https://defensivecomputingchecklist.com/vpn.php
 
Did a ShieldsUP checkup with the WAN to LAN set to allowed, just to see how things were before and only 'failure' was an ICMP response.

With the router firewall set to medium, blocking WAN to LAN, all tests passed in ShieldsUP.

A little while ago I requested info about what is blocked by Mullvad, but it's not something they are working on, or at least it has a very low priority, so having a log at NextDNS is nice to follow up on what's going on. From what you're writing @MichaelRSorg - if I understand correctly - with Mullvad it's not possible to see (at NextDNS) which device's connection was blocked, right?

And thanks for the links :)