Showing posts with label routers. Show all posts

Thursday, January 23, 2014

Friends don't let friends use stock firmware in their routers

Over the years, the number of security flaws that come as standard with £50 plastic-box routers has been considerable. That 'free' router that came from your ISP probably suffers from at least one of these:
  1. UPnP enabled by default (so any program on the LAN can open inbound ports on the router without asking you)
  2. PING (ICMP echo) answered on the WAN side, which tells scanners there is a live box worth probing
  3. TCP port 32764 left open
That last one is very serious: it allows a remote attacker to query the router and dump out a lot of diagnostic and configuration information. That may be of no consequence in itself, but it gives an attacker knowledge of your network on which to build other attacks. The problem affects Linksys and Cisco models, and Slashdot has a good write-up.
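As an added example (not from the original post), here is a small Python check for items 1 and 3. Run on the LAN, it multicasts a standard SSDP M-SEARCH for an InternetGatewayDevice, which only a router with UPnP switched on will answer; given an address, it also does a plain TCP connect to port 32764 (to be meaningful, run that part from outside against your WAN address). It sends nothing to that port, so it is a presence check, not the information-dumping query the write-up describes. The `connect` parameter and the sample reply in the usage note are there only so the logic can be exercised offline. Item 2 is simply `ping <wan-ip>` from outside.

```python
import socket

SSDP_GROUP = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
BACKDOOR_PORT = 32764   # TCP port found listening on the affected Linksys/Cisco units


def build_msearch(st: str = IGD_ST, mx: int = 2) -> bytes:
    """SSDP M-SEARCH asking any Internet Gateway Device on the LAN to announce itself."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_GROUP[0]}:{SSDP_GROUP[1]}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {st}",
        "", "",
    ]
    return "\r\n".join(lines).encode()


def parse_ssdp_response(data: bytes) -> dict:
    """Turn an SSDP (HTTP-style) reply into a dict of lower-cased header names."""
    text = data.decode(errors="replace")
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {"status": lines[0].strip()}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def advertises_igd(data: bytes) -> bool:
    """True when the reply is a 200 whose ST/NT names an InternetGatewayDevice, i.e. UPnP is on."""
    h = parse_ssdp_response(data)
    st = h.get("st", h.get("nt", ""))
    return h["status"].startswith("HTTP/1.1 200") and "InternetGatewayDevice" in st


def discover_igd(timeout: float = 2.0) -> list:
    """Multicast one M-SEARCH and collect (address, LOCATION) of routers answering as IGDs."""
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP) as s:
        s.settimeout(timeout)
        s.sendto(build_msearch(), SSDP_GROUP)
        try:
            while True:
                data, (addr, _) = s.recvfrom(4096)
                if advertises_igd(data):
                    found.append((addr, parse_ssdp_response(data).get("location", "")))
        except socket.timeout:
            pass
    return found


def tcp_port_open(host: str, port: int, timeout: float = 2.0,
                  connect=socket.create_connection) -> bool:
    """Plain TCP connect, no data sent. `connect` is injectable so the logic can be tested offline."""
    try:
        with connect((host, port), timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    import sys
    wan = sys.argv[1] if len(sys.argv) > 1 else None   # e.g. python routercheck.py 203.0.113.9
    for addr, loc in discover_igd():
        print(f"UPnP IGD answering on LAN: {addr} {loc}")
    if wan:
        state = "OPEN" if tcp_port_open(wan, BACKDOOR_PORT) else "closed/filtered"
        print(f"TCP/{BACKDOOR_PORT} on {wan}: {state}")
```

A router that answers the M-SEARCH with a `200 OK` carrying `ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1` and a `LOCATION:` URL has UPnP on; turn it off in the router's admin pages. If you would rather not script it, `nmap -p 32764 <wan-ip>` from outside gives the same answer for item 3.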

In a very real sense your router is the gateway between your network and the wild west that is the public internet. If you can't even trust the little box that sits in the cupboard under the stairs, what can you do? Use an open-source firmware in your router: Tomato is very user friendly and DD-WRT is very powerful. There are numerous others, and because the source code is open it is regularly examined by the community that develops it, so many eyes get a chance to spot any nasties (malicious or just bad programming) in the code. That is not a guarantee, of course; an open firmware still needs updating like any other.

I grabbed a couple of Buffalo models from eBay for when my eldest two went away to university, and I wouldn't dream of letting my home network be based around a closed-source router.

Saturday, December 28, 2013

DD-WRT and open source router firmware - New Engineer's Bench podcast

Phil & Tim Taylor go over some of the features of the DD-WRT router firmware and how they can be used to secure a home network.


Find it on iTunes, vanilla RSS, YouTube or the show notes website.

Thursday, December 26, 2013

Remote access; what's the IP address?!

If, like me, you're tech support for family and friends, you often have a need to take remote control of a relative's machine over the internet. There are lots of ways; the easiest being the paid-for services like GoToMyPC, TeamViewer etc., which all offer NAT traversal with very little effort required at each end to make them work. You just give the person you're helping a ticket number and a URL and before you know it (normally via Java or some other active web content) you're controlling their screen. They have VoIP as well and it's very slick. However, I don't do enough remote support to justify keeping an account going at ten dollars a month, and I quite like VNC/RDP etc.
The problem with those protocols is that you need to know the public IP address of the recipient's router, and this changes at the whim of their ISP's DHCP.
So, here's my method for always knowing the public-facing IP address of your Mum's computer without having to run anything clever at her end or anything as elaborate as a VPN.
  1. Make sure you've made a port-forwarding rule on their router so that when you hit it on port 5900 (VNC) or port 3389 (Windows Remote Desktop) the connection is forwarded through to the target machine; you'll need to have given that computer a fixed IP address or set the router to always hand it the same DHCP lease.
  2. Have that machine generate a file at boot time that contains the current external IP address along with any other salient data that you might find useful.

The first part requires you to know their router; it's not hard, you'll just need to look around in its web interface. Here's how I do the second part.

I stick these four files in a convenient directory, typically c:\tools\, but anywhere will do.
wget.exe is an open-source Windows build of the common Linux/OS X command-line tool that fetches files over HTTP; here it fetches a one-line page that shows the public IP address the request came from.
GetIP.bat is a Windows batch file that writes the output of wget into a text file, appends some extra information (ipconfig, date and time) and then runs a scripted FTP session against any web space you have under your control, taking the login and commands from ftp.txt. Finally, index.html is the generated status page (the name makes the final URL easy to remember).

GetIP.bat

    @echo off
    REM Run from the folder this script lives in, not from the Startup folder.
    cd /d "%~dp0"

    REM Public address as seen from the internet; ipecho.net returns it with no newline.
    wget http://ipecho.net/plain -O - -q > index.html
    echo. >> index.html

    REM Local interface details and a timestamp, so you can tell how stale the page is.
    ipconfig >> index.html
    time /t >> index.html
    date /t >> index.html

    REM Scripted FTP upload; the login and commands come from ftp.txt.
    ftp -s:ftp.txt ftp.plus.net

    exit

ftp.txt (the FTP username and password sit here in plain text, and plain FTP sends them unencrypted; make sure only the account that runs the script can read this file)

    ftp-username
    ftp-password

    cd htdocs
    cd bob

    send index.html

    bye
Stick a shortcut to GetIP.bat in the Startup folder (and for extra finesse set the shortcut to run minimised so nobody sees it), and every time the machine boots a very useful status page is uploaded to the web server:

So long as you have a VNC or RDP server running at the remote end, you're now only a moment away from being a tech support super-hero! Two things to bear in mind: the port-forward in step 1 exposes that VNC or RDP service to the whole internet, not just to you, so a strong password on it is essential and forwarding an obscure external port to 5900 or 3389 cuts down the casual scanner traffic; and the status page publishes the machine's internal addressing to anyone who finds the URL, while plain FTP sends your hosting password in the clear, so use an unguessable path and FTPS or SFTP if your host offers it.

Saturday, December 14, 2013

A week is a long time in Blackmagic firmware!

I recently installed a 288x288 Universal VideoHub from Blackmagic; bear in mind this thing has 576 coaxial video connections and 288 RS422 ports, so it takes more than a day for a wireman to do a nice job of plugging it up.

here's one we did earlier!

Also bear in mind this is a modular system with space for 72 interface cards; each one has four HD-SDI ins and outs (up to 3G 1080 50/60p, fact fans!) as well as a proprietary connector carrying four RS422 machine-control ports.

So, once unboxed, I filled up the chassis with cards, control modules and power supply cards and bolted it into the cabinet. However, the power supply units were delayed, so I got Tony the wireman to finish dressing it in before I powered it up; what a mistake!

I eventually got around to firing it up, expecting to start programming it the same day, but imagine my horror when I discovered 20 of the 72 modules were not showing up in the GUI. Swapping cards around showed that I did indeed seem to have twenty duff interface cards; pretty poor quality control, I thought. BM UK's tech support department gave me the impression they didn't believe me, and after lots more swapping of cards they agreed to take them back.
I called them the following day only for them to tell me they couldn't find any faults with the cards we'd returned! I asked them to go over their testing methodology and the engineer started with "...I upgraded the firmware on the cards and inserted them into our test chassis"; exactly how I'd started. Well, long story short, in the three days between me starting and them getting the cards to test, BM had issued a new version of firmware. They'd gone from 5.0.4 to 5.0.5 without giving any indication to UK support as to what the changes were. It turns out that 5.0.4 disables some revisions of the card! How many of that revision of the cards did I have? Twenty.

It seems like 5.0.4 was only out for less than two weeks...?!

Sunday, September 1, 2013

Using a DD-WRT router to NAT between two wireless segments

I've mentioned DD-WRT firmware in the past: it's an open-source replacement firmware for lots of cheap domestic internet routers. If the stock firmware on your router isn't doing it for you, or you just want to see what all the fuss is about, it is a superb way to make your £50 beige plastic router really sing; enterprise-level network control for not much effort. It can terminate VPNs, do QoS and lots of the other things you'd normally expect from a Cisco business-class device.
Not all routers can take a different firmware image, but if yours is based on the Broadcom chipset of the Linksys WRT54G family (an awful lot are) then you're away to the races; otherwise it's £15 on eBay! Do check the DD-WRT supported-device list for your exact model and hardware revision before flashing, because the same model name can hide quite different hardware.

Now then, my two eldest boys are off to university this month and it turns out that one of them is going to live in a student house that only has WiFi. I intended that they would both take DD-WRT routers with them to isolate their little dorm-room networks from IT ne'er-do-wells: NAT (Network Address Translation, the kind you get with a domestic router) is an excellent defence against port-scanners, though strictly it is the stateful firewall behind it that does the work, only letting in packets that belong to a connection a host on the inside started, and a port-forwarding rule (as used for remote access) punches exactly that hole. BUT, without a wired connection to put on the WAN side of the router, how do you isolate and provide both wired and wireless connections behind the router's firewall? My first thought was to buy one of those "connect your Sky+ box Ethernet to your WiFi" adapters. It would turn the insecure WiFi into a wired connection that would sit on the WAN side of the router.
BUT, it's one more thing to go wrong, and I was sure that DD-WRT could do it with a bit of tinkering. I looked at a few of the guides online and they were very convoluted, with warnings about obscure settings causing trouble, so I decided to figure it out from scratch. It went surprisingly well and now I have a Linksys router that can attach to an existing WiFi access point and then NAT that connection through to another WiFi segment as well as the wired RJ45 links.
So, couple of things to point out.
  • My home WiFi's SSID is thorpedale4 and the IP range is 10.100.100.x (.8 is the router)
  • I wanted all the hosts on the other side of the Linksys to be on a 192.168.1.x network
First up - I set the Linksys to not be an Access Point but to be a client wireless device (taking baby steps; I just wanted to make sure I could attach it to the house WiFi)


This is done under wireless > basic settings > wireless mode, which is set to client; then go to wireless security and make sure you've entered the settings for the house network (WPA key etc.).
Reboot the router and check that it is connecting to the external WiFi (see above). After this, make sure you can get out to the internet from a wired connection on the Linksys. At this point the Linksys is passing everything straight through to the main router, so you'll find the laptop is on the same IP range as the main network and there is no link isolation (no firewall between the two networks); we're not there yet!

Next, set the wireless>basic settings>wireless mode to repeater and add in a second virtual wireless interface (this will be your new wireless segment);


Then set up the security - again, the first is for the wireless you're attaching to;


BUT the second is for the new network you're creating. As the router is now in repeater mode, the new wireless segment is on a separate IP subnet (found in the setup > basic settings tab), by default 192.168.1.x. The same applies to the wired ports on the Linksys: job done!

Attaching to the new network is as you'd expect;


and looking at the network details shows we're not on the house's 10.100.100.x network;

In fact, trying to reach the new network from the "outer" network;


As far as I can tell there is only one downside to this method: speed. The 54G wireless now runs at around 22 Mbit/s on both segments, and that's no surprise, because the Linksys has a single radio, so the link to the house WiFi and the new segment share one channel and every frame has to be received and re-transmitted by the same radio, which roughly halves the throughput.
BUT, I have a router that can happily attach to a potentially insecure wireless network and produce a new wireless segment as well as wired Ethernet with the SPI (stateful packet inspection) firewall in the way. I paid around a tenner for the router!
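To make concrete why the new network cannot be reached from the house WiFi, here is an added example (not part of the original post, and not DD-WRT's code) that simulates what the Linksys does with each packet: outbound connections from 192.168.1.x get a fresh source port on the WAN-side address and an entry in the connection table, replies that match an entry are translated back, and anything else arriving from outside is dropped unless a port-forwarding rule explicitly claims it. The WAN address 10.100.100.42, the outside hosts and the port numbers are made-up values for the demonstration.

```python
import itertools
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False     # True for the first packet of a TCP connection


class NatRouter:
    """Minimal model of a NAT router with connection tracking and static port-forwards.

    Inside hosts live on `inside_prefix`; the router's own upstream address is `wan_ip`
    (in the post it would be a 10.100.100.x address handed out by the house router).
    """

    def __init__(self, inside_prefix="192.168.1.", wan_ip="10.100.100.42", first_port=40000):
        self.inside_prefix = inside_prefix
        self.wan_ip = wan_ip
        self._ports = itertools.count(first_port)
        self._out = {}       # (proto, src, sport, dst, dport) -> translated source port
        self._in = {}        # (proto, remote ip, remote port, wan port) -> (inside ip, inside port)
        self._forwards = {}  # (proto, wan port) -> (inside ip, inside port)
        self.dropped = []    # unsolicited inbound packets, i.e. what a port-scanner sends

    def add_forward(self, proto, wan_port, inside_ip, inside_port):
        """Equivalent of a port-forwarding rule in the router's web interface."""
        self._forwards[(proto, wan_port)] = (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: rewrite the source to the WAN address and remember the mapping."""
        if not pkt.src.startswith(self.inside_prefix):
            raise ValueError(f"{pkt.src} is not on the inside network")
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self._out:
            wan_port = next(self._ports)
            self._out[key] = wan_port
            self._in[(pkt.proto, pkt.dst, pkt.dport, wan_port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.wan_ip, sport=self._out[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: deliver only replies to tracked connections or explicitly forwarded ports."""
        if pkt.dst != self.wan_ip:
            return None                      # not addressed to this router at all
        tracked = self._in.get((pkt.proto, pkt.src, pkt.sport, pkt.dport))
        if tracked is not None:
            inside_ip, inside_port = tracked
            return replace(pkt, dst=inside_ip, dport=inside_port)
        forwarded = self._forwards.get((pkt.proto, pkt.dport))
        if forwarded is not None:
            inside_ip, inside_port = forwarded
            return replace(pkt, dst=inside_ip, dport=inside_port)
        self.dropped.append(pkt)             # no state and no rule: silently discarded
        return None


def demo():
    """Walk one web connection and one port scan through the router; return what got through."""
    r = NatRouter()
    laptop = "192.168.1.10"
    # 1. A laptop behind the Linksys opens a TCP connection to a web server.
    out = r.outbound(Packet("tcp", laptop, 51000, "198.51.100.7", 443, syn=True))
    # 2. The server's reply comes back to the WAN address and the translated port.
    reply = r.inbound(Packet("tcp", "198.51.100.7", 443, r.wan_ip, out.sport))
    # 3. A host on the house WiFi probes the Linksys for VNC: no state, so it is dropped.
    scan = r.inbound(Packet("tcp", "10.100.100.99", 44444, r.wan_ip, 5900, syn=True))
    # 4. Add a port-forward for VNC and the same probe now reaches the laptop.
    r.add_forward("tcp", 5900, laptop, 5900)
    scan_after = r.inbound(Packet("tcp", "10.100.100.99", 44444, r.wan_ip, 5900, syn=True))
    return out, reply, scan, scan_after, len(r.dropped)


if __name__ == "__main__":
    out, reply, scan, scan_after, dropped = demo()
    print("outbound became :", out)
    print("reply delivered :", reply)
    print("scan before rule:", scan, "| dropped so far:", dropped)
    print("scan after rule :", scan_after)
```

Step 3 is what the "trying to reach the new network from the outer network" test above is showing: the probe arrives with no matching connection-table entry and no rule, so the router drops it and the scanner sees nothing. Step 4 shows that each port-forwarding rule deliberately reopens one such port, which is why the remote-access setup earlier on this page needs a strong password behind it.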