[AusNOG] Vyatta PortScanning

Joseph Goldman joe at apcs.com.au
Fri Jul 25 07:15:30 EST 2014


I have to agree with James.

These days any semi-popular device that's on the internet for more than 
half a day has likely been compromised. I can provision a new 
server/router and have 1000 SSH attempts by the end of the day caught in 
the firewall.

Just tried myself and you've at least blocked vyatta/vyatta, but HTTPS 
is still open to the world.

It might be worth paying someone to consult on an initial set-up to get 
you a strong base config, that at the very least, you can revert back to 
in future should something go wrong.

On 24/07/14 22:12, James Braunegg wrote:
> Dear Daniel
>
> I’m going to suggest formatting and starting again… To be honest I was
> very surprised……
>
> One.. The router was open to HTTPS remote management without any ACLs
>
> Two.. The default password vyatta/vyatta was enabled and provided full
> access to the GUI
>
> Three.. Anyone who would have gained access saw your configuration
> including your (encrypted-password) hashed passwords. I would suggest
> changing all passwords you use immediately
>
> Four.. At this point call it quits and do as Roland suggested start
> again it’s more than likely been compromised, it’s just not worth risking
>
> Five.. Happy to provide advice on securing your setup, we all need to
> learn however rule 101 always change the default password!
>
> Kindest Regards
>
> *James Braunegg
> **P:*  1300 769 972  | *M:*  0488 997 207 | *D:*  (03) 9751 7616
>
> *E:*james.braunegg at micron21.com <mailto:james.braunegg at micron21.com>  |
> *ABN:*  12 109 977 666
> *W:* www.micron21.com/ddos-protection
> <http://www.micron21.com/ddos-protection> *T:* @micron21
>
>
> *From:*AusNOG [mailto:ausnog-bounces at lists.ausnog.net] *On Behalf Of
> *Daniel Watson
> *Sent:* Thursday, July 24, 2014 8:35 PM
> *To:* ausnog at lists.ausnog.net
> *Subject:* [AusNOG] Vyatta PortScanning
>
> Hi Guys
>
> I have a router, which might be causing us a bit of grief at present,
>
> We were alerted to the fact that our router might be port scanning of
> some sorts
>
> Source(s): 1.0.4.76
>
> Type of Attack/Scan: Generic
>
> Hosts: 10.10.10.11
>
> Log:
>
> 1.0.4.76:58639 > 10.10.10.11:443
>
> I was wondering how I can stop this within Vyatta as I cannot see
> anything in our configuration that would be causing this
>
> Regards,
>
> Daniel Watson
>
> Network Administrator / Network Operations Manager
>
> E Daniel at GloVine.com.au <mailto:Daniel at GloVine.com.au>
>
> W www.GloVine.com.au <http://www.GloVine.com.au>
>
>
>
