DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Cannot prevent WAN side web admin

22 Jul 2015 10:42 #1 by warmsummer
Cannot prevent WAN side web admin was created by warmsummer
Hi, I have two routers (a Vigor2850Vn and a Vigor 2925n). Both are at the latest firmware levels, and both are showing the admin interface WAN side. The option is switched off in the web admin (settings/management), and has never been switched on. The setting has survived through multiple router factory resets, installations of the .rst firmware and the HTTPS port number change. Nothing appears to make any difference; the web admin login screen is shown WAN side (tested from other locations on the internet). This behaviour is new - neither device has ever had WAN admin open. It could be related to a recent firmware upgrade.

Has anybody seen this before?

22 Jul 2015 11:58 #2 by voodle
Replied by voodle on topic Re: Cannot prevent WAN side web admin
That should be the SSL VPN. You can turn that off from VPN and Remote Access - Remote Access Control, and once the router has restarted it won't load that any more :)

22 Jul 2015 14:18 #3 by warmsummer
Replied by warmsummer on topic Re: Cannot prevent WAN side web admin
Thank you for the reply. I found the option under 'VPN and Remote access'/'Remote Access control'.

Disabling the SSL fixed it! Thank you!

Surely this is a security flaw, as SSL VPN is enabled by default on these two routers at least, so WAN direct access to the web admin is also generally available... all of this despite the remote admin setting being off in the management interface!

22 Jul 2015 14:29 #4 by voodle
Replied by voodle on topic Re: Cannot prevent WAN side web admin
I think the SSL port only allows SSL VPN accounts to log in, not the router's admin account.

22 Jul 2015 15:03 #5 by warmsummer
Replied by warmsummer on topic Re: Cannot prevent WAN side web admin
Thanks, that makes sense, but it's still opening up an attack surface. By default I would have thought that the router should not respond to any requests on 443. Running GRC Shields Up shows that the router is still responding on 443 (and for that matter 445 (MS directory service)), neither of which it should respond to.

02 Sep 2015 17:29 #6 by darrent123
Replied by darrent123 on topic Re: Cannot prevent WAN side web admin
Updated the firmware to 3.7.8.3; now I have the same issue.
I have 'enable SSL VPN Service' unticked from 'VPN and Remote Access >> Remote Access Control Setup' but Shields-Up still sees the port as open.

I changed the SSL VPN port number to 444 which is what Shields-Up detects, so I know it is this, but I have the option unticked, which implies the service is disabled, so why is the port still open? Is there somewhere else for me to disable it?

Thanks
