DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

HTTPS to 2830 from trusted external IP

31 May 2015 20:05 #7 by draytekuser007
Replied by draytekuser007 on topic Re: HTTPS to 2830 from trusted external IP
OK thanks. I will log a support ticket and see how it goes...
If I get something positive back I will share it with you.
Regards,

04 Jun 2015 11:00 #8 by draytekuser007
Replied by draytekuser007 on topic Re: HTTPS to 2830 from trusted external IP
Hi,
I did log a ticket and NOTHING positive came back.
Draytek UK support are saying that is how it is meant to work! Much to my frustration, this wasn't going anywhere with them. A big part of me thinks they did not understand the problem, or indeed are keen to just brush it away....

Here is what they had to say......
On a 2830n running the latest code 3.6.8.2, if there is NO ACL DEFINED, ***ANYONE*** can connect to my Draytek router and be presented with the login page! Granted, they will never be able to access my router because their source IP is not defined in my ACL. From my perspective any keen hacker can now see what equipment is attached to my line!!!

This is something Draytek UK just failed to comprehend. They still stated this is not a flaw and is how it is meant to work. Really? Their other feeble suggestion was I can change the port number from 443 to something else, making it difficult for someone to connect, but there are many port-scanners out there which will ultimately connect. That is no solution! They also suggested I can VPN into the router and then connect. Again, this still does not prohibit anyone from being able to connect and be presented the login page (with a VPN).

I then gave an example to them of connecting to any other vendor's devices (in my case Cisco), for which there is no ACL, and upon connecting you just get a blank window. Again, I don't think they understood because they went on to say "it's because there is no ACL you don't get a login window". Urgh!!!!

I then demonstrated to them that if I DOWNGRADE to V3.6.7.2 I ****DO NOT***** get the login banner displayed but instead an "ERR_SSL_VERSION_OR_CIPHER_MISMATCH" message. I can kind of live with that (no one knows the router) but that exposes me to the POODLE vulnerability.

So this is where I am at! Clearly not impressed. Take any other vendor's kit (e.g. Zyxel, Cisco, Fortinet etc...), put in a trusted source, and management is only allowed FROM THAT TRUSTED SOURCE. If you come from outside of the trusted source, YOU DO **NOT** GET A LOGIN WINDOW.

I think it's time to call "over & out".
Thanks,

12 Aug 2015 11:05 #9 by wabsys
Replied by wabsys on topic Re: HTTPS to 2830 from trusted external IP
I have just discovered the same issue and have over 30 routers out there in the wild, which is extremely worrying. I expect that when I untick the remote management box there will be no remote management - this needs to be sorted but I don't give much hope. So until this is fixed I will start a rolling replacement of these routers with another brand who do not make stupid security decisions. Another way that this is shafting me is that a lot of our customers take card payments and the open port screws up the compliance scan from the bank (no, changing the SSL port and the SSL VPN port does not work, and neither does blocking it in the firewall), so I now need to buy an SSL cert for some crap I don't need and cannot turn off due to screwed firmware.

Dress it up as you like but this is farcical in this day and age - get it fixed!!!

14 Aug 2015 08:32 #10 by iwrconsultancy
Replied by iwrconsultancy on topic Re: HTTPS to 2830 from trusted external IP
wabsys wrote: Dress it up as you like but this is farcical in this day and age - get it fixed!!!

Have worked with many routers and I have to agree that this is highly unusual. When access is restricted to a given IP range, that normally means the port should appear closed to other IPs.

14 Aug 2015 10:13 #11 by voodle
Replied by voodle on topic Re: HTTPS to 2830 from trusted external IP
Has anyone tried turning off the SSL VPN feature? That's under vpn and remote access > remote access control.

The thing is, the SSL VPN server part wouldn't be subject to the access list that the management interface is limited to, hence why you'd get the login page on everything, but that would only allow logging in to an SSL VPN user account.

18 Aug 2015 15:24 #12 by wabsys
Replied by wabsys on topic Re: HTTPS to 2830 from trusted external IP
Yep, just tried that and guess what, no change, it's still exposed - aaarrrggghhh, how stupid can Draytek be to allow and ignore this issue? Also, just to reiterate, you cannot disable remote login AT ALL :oops: .