DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Telnet "admin connecting from ... rejected"

07 Nov 2016 18:55 #7 by pol098

jedi98 wrote: Suggestions for securing access from the WAN:

  • Use VPN where possible; then you don't need WAN access at all

  • Make sure the password is adequate

  • Use the HTTPS web interface where possible

  • Use SSH instead of telnet, because telnet passes passwords unencrypted and so they can be intercepted

  • Change the default ports for SSH and telnet; the bots mainly target the defaults

  • Turn off FTP

What can they do if they get in? How about redirecting your DNS through a proxy so that they can redirect all your traffic to who knows where! Yes, I've seen it (on an Asus router, which is less secure) and it really caught me by surprise.

But mainly it's just a real pain, e.g. a brute force attack slowing up your connection.


Thanks again. The problem with access is that I sometimes need unattended access, and normally have the computer I need switched off; I can switch it on using Wake on LAN as supported by the Vigor. I could leave it on permanently, but there is the risk of a crash and inability to connect (on one occasion I rang somebody in the middle of the UK night from Australia to go and fix a problem that prevented connection). Of course I need to rethink this now, after realising I've been under sustained attack (successfully protected by an adequate password, everything looks OK - DNS servers particularly, I'm aware of the DNS redirection threat, and I probably wouldn't have all these attempts if they had got in).

Very useful checklist. In the first instance I'm thinking of disabling telnet, using HTTPS to access the router if necessary to switch computers on, and VPN to connect. But the main part of solving a problem is often knowing that there is a real problem! I have noticed some speed problems of late; maybe the continuous attacks were indeed acting as a DoS? I also think my throughput is a bit higher than I remember, though I attributed that to having several machines all downloading massive Windows 10 patches. Restricting access to the local network has stopped the intermittent inability to make a telnet connection; early days to see if throughput drops and Internet access speeds up.

By the way, is there anything in the syslog that would indicate these attacks? I'm logging everything to a USB stick, but didn't see anything obvious in a quick look with a text editor.

For anybody who chances upon this thread, a quick summary: if you sometimes get "system administrator is connecting from ... reject the connection request !!!" on trying to make a telnet connection, if telnet from any WAN address is supported, this may indicate an attack - read the thread.


07 Nov 2016 19:37 #8 by jedi98

By the way, is there anything in the syslog that would indicate these attacks?


I don't think there's anything useful in there for that. I use syslog but, to be honest, I find it less than useful for most things except maybe debugging (some) vpn problems. When we had sustained VOIP attacks I could not track it down on the router at all, I had to trace it on the target server.


07 Nov 2016 20:46 #9 by pol098

jedi98 wrote: I don't think there's anything useful in [syslog] for that. I use syslog but, to be honest, I find it less than useful for most things except maybe debugging (some) vpn problems.


Thanks again. That's basically what I've always found. It is possible to log all traffic, but on the 2820 (unlike later models) this requires an additional network card in the monitoring computer, and would probably generate colossal files which would fill space and be difficult to analyse.

By the way, a precaution against having the router's DNS redirected to somewhere nasty is for all devices on the network to use their own DNS server addresses, rather than using the router as gateway; criminals could change the router's DNS to their hearts' content, to no avail. 8.8.8.8 and OpenDNS would probably be good, and not likely to change. Of course they could always set up their own VPN to a DrayTek router if they got in ...


08 Nov 2016 19:51 #10 by pol098
I've had a response from Draytek support. I'll post my answer, which quotes that response and updates my situation. To summarise: I disabled access from anywhere but my LAN; the issue I reported is completely resolved and Internet throughput (MB/day) seems to have dropped enormously in the 24 hours since then. I get the impression that Internet access is a bit less sluggish. Early days.

My message to Draytek support:

Thanks for your response:

> The router only supports one connection session via telnet. You have
> not closed the session correctly either through the script running or
> by entering the command in the CLI window to exit the session.

> You may have closed the CLI window and the time-out session is
> activated by the router. It has timed out when you go to make another
> Telnet connection to the router it's still timing out. So since the
> first connection you made it was never closed. The time out is still
> rejecting your connection.

> You simply need to issue the command to exit and close the session.

That's absolutely not so. I connect manually only occasionally; when I do I always type "quit" to the router, and get a command prompt in the command-line window, then close the window. The script, which I use several times a day, is:

/* ZOC REXX script: log in, send a Wake-on-LAN command, then quit cleanly */
CALL ZocTimeout 30                        /* give up if the router does not answer within 30 s */
[connect and login to router via telnet]
CALL ZocSend "wol up 123456ABCDEF^M^J"    /* ask the router to wake the target MAC */
CALL ZocWait ">"                          /* wait for the CLI prompt before continuing */
CALL ZocSend "quit^M^J"                   /* close the router session explicitly */
CALL ZocTerminate                         /* then end the terminal connection */

The critical point is that both manually and by script there is a "quit" command, which always works. I can always repeat the script immediately with no trouble now that I've restricted access to my LAN only.

> It is not china or anyone else trying to hack you.

I am virtually certain that it is. Whenever I've checked the IP address the router says the "system administrator is connecting from", it's mostly been in China. (I've had the telnet port open for access from anywhere for years, which I now see is a very bad idea. Fortunately I have a good password.) When I went into router configuration and told it only to allow management from my LAN, the problem IMMEDIATELY stopped; it never happens. My throughput shown under Diagnostics/Traffic Graph, which was an unusual 1GB/day approximately over a period (I thought it was Windows 10 updates and the like; I don't often stream or download video), has dropped to less than 100MB in the 23 hours since I last rebooted.

> Hope this helps. Let me know how you get on.

Forum users were very helpful; I will post this new information there (I hadn't reported that restricting management access to LAN addresses only completely eliminated the problem, and seems to have reduced Internet throughput and possibly got rid of slow Internet response; I'm not sure of that yet).

My issue is resolved, but if you want I can open the port to the Internet again and provide diagnostic details.


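The script in the post above ends every session with an explicit "quit", which is the point DrayTek support disputed. As an added example (not the poster's ZOC script and not DrayTek code), here is the same session discipline in Python, run against a constructed stand-in for the router CLI so that it works offline: the client sends "quit" whatever happens earlier in the session, and then checks that the far end really closed the connection. The "Password: " banner, the "> " prompt, the hostname/port and the stand-in's behaviour are all assumptions; a real Vigor CLI handles login and prompts differently, so only the always-quit-then-verify pattern carries over.

```python
"""Scripted telnet-style WoL session that always quits and confirms the far end closed.

The 'router' is a constructed stand-in running in a thread, not a Vigor: it accepts one
session, asks for a password, shows a '> ' prompt and drops the connection on 'quit'.
"""
import re
import socket
import threading

PROMPT = b"> "   # assumption: the CLI prompt the script waits for


def fake_router(listener, transcript):
    """Minimal one-session CLI used only so the example runs offline."""
    conn, _ = listener.accept()
    reader = conn.makefile("rb")
    try:
        conn.sendall(b"Password: ")
        reader.readline()                      # password line consumed, not recorded
        conn.sendall(b"\r\n" + PROMPT)
        for raw in reader:
            cmd = raw.rstrip(b"\r\n")
            transcript.append(cmd)
            if cmd == b"quit":
                break                          # the session ends by closing the socket
            conn.sendall(b"OK\r\n" + PROMPT)
    finally:
        reader.close()
        conn.close()


def recv_until(sock, marker, timeout=5.0):
    """Read until `marker` appears; a premature EOF means the router dropped us."""
    sock.settimeout(timeout)
    buf = b""
    while marker not in buf:
        chunk = sock.recv(1024)
        if not chunk:
            raise ConnectionError("router closed the session before %r" % marker)
        buf += chunk
    return buf


def wol_session(host, port, password, mac, timeout=5.0):
    """Log in, send 'wol up <MAC>', quit, and return True only if the router then closed."""
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", mac):
        raise ValueError("MAC must be 12 hex digits, e.g. 123456ABCDEF")
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            recv_until(s, b"Password: ")
            s.sendall(password.encode() + b"\r\n")
            recv_until(s, PROMPT)
            s.sendall(b"wol up " + mac.encode() + b"\r\n")
            recv_until(s, PROMPT)
        finally:
            # Whatever happened above, release the single session the router allows.
            try:
                s.sendall(b"quit\r\n")
            except OSError:
                pass
        s.settimeout(timeout)
        return s.recv(1024) == b""             # b"" means the router closed cleanly


def run_demo(password="secret", mac="123456ABCDEF"):
    """Run the client against the stand-in; returns (closed_cleanly, commands_seen)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))            # assumption: loopback, ephemeral port
    listener.listen(1)
    transcript = []
    t = threading.Thread(target=fake_router, args=(listener, transcript), daemon=True)
    t.start()
    try:
        closed = wol_session("127.0.0.1", listener.getsockname()[1], password, mac)
    finally:
        t.join(5)
        listener.close()
    return closed, transcript


if __name__ == "__main__":
    print(run_demo())
```

If `wol_session` ever returns False, the far end is still holding the session open after "quit"; that is the condition support described, and the check makes it visible instead of leaving it to the next connection attempt to report.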

08 Nov 2016 21:16 #11 by sjltech.uk
Thanks for posting the response from Draytek here - very useful.
I would have to agree with your comment about "quit" and scripting, I run a couple of telnet scripts under cron to routinely check some things on the router(s) and have a "quit" command at the end of the telnet "script" (embedded in a bash script) and never had a problem with the connection closing.
I don't have any of the "Management from the Internet" options enabled, having seen some suspicious behaviour a couple of years ago now.
One rather strange thing I've noticed since following this thread is that despite having LAN Access Control >> Telnet Server UNCHECKED, I can still telnet through to the router(s)
EDIT: Ooops - I really should learn to scroll ALL the way down the page in the GUI and READ the messages :oops:
Note:
Subnet LAN1 is always allowed to access all the router services regardless of "LAN Access Control" settings.
Cheers
Simon


11 Nov 2016 13:00 #12 by pol098
Followup on telnet problem (resolved - almost certainly Internet attack).

This message describes the whole problem and solution, summarising the discussion.


Problem
As I said, I was running scripted telnet sessions, always ending with a proper quit, several times a day, and was increasingly frequently getting error messages on trying to connect, saying that admin was already connected from a stated IP address, which might remain the same for a while but otherwise changed often, and was traceable to China on the few occasions I checked.

I definitely didn't have another telnet session open, but telnet access from any IP address (WAN) was enabled (to let me connect when travelling, which I haven't been lately).

Action
Following suggestions here that this was a systematic brute force attempt to break into the router (which has a good password), I restricted access to the local (192.168...) IP address of my LAN. The rogue admin was connected in the sense of continually trying, and failing, to start a telnet session; presumably a bot that never was able actually to start a passworded session.

Results and conclusion
The very frequent error messages totally stopped immediately. In the four days since then my Internet throughput has dropped from around 1GB/day to about 350MB/day, in both cases mostly inbound; I don't think my legitimate activity has dropped by this amount. I had also noticed a sluggishness in Internet response, which seems to have disappeared. I don't rule out subjective errors or an unnoticed decrease in my activity, but everything is consistent with there having been a huge amount of traffic which was a sustained and massive brute force attempt to gain administrative access to the router.

Draytek
I raised the issue with DrayTek, who were dismissive of the idea of the problem being due to intrusion from China, suggesting instead that I had left telnet sessions open (I'm sure I hadn't). I have sent them a message (with a link to this discussion) accepting that the support ticket be closed, recommending that DrayTek be aware of this issue, and suggesting that all unsuccessful attempts to access password-protected router functions be logged in permanent, unclearable non-volatile memory in the same way as printer page counts are (possibly all password-protected access should be logged).

I hope this information is of use. Best wishes to all, and thanks for very useful advice.

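The summary above comes down to two controls: management access only from the LAN, and (the suggestion made to DrayTek) a record of every failed login. As an added example, not from the thread and not DrayTek's, here is Python that applies both checks to a login log. The log line format is constructed for this example; the posters found nothing useful in the Vigor 2820 syslog and this is not its format. The allowed management subnet (192.168.1.0/24), the five-minute window, the threshold of five failures and the TEST-NET source addresses are assumptions. It flags every attempt from outside the LAN, reports any successful login from outside it (the case that needs an immediate config review, DNS settings first), and counts failures per source in a sliding window to spot a brute-force burst.

```python
"""Flag management logins from outside the LAN and brute-force bursts in a login log."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: management is only legitimate from this LAN subnet (the thread's "192.168...").
ALLOWED_MGMT_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed line format for this example; it is NOT the Vigor's real syslog format.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"(?P<svc>telnet|ssh|https) login (?P<result>ok|failed) from (?P<ip>\S+)$"
)


def parse_line(line):
    """Return a dict for a recognised line, or None so unrelated lines are skipped."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "svc": m["svc"],
        "ok": m["result"] == "ok",
        "ip": ipaddress.ip_address(m["ip"]),
    }


def from_lan(ip):
    return any(ip in net for net in ALLOWED_MGMT_NETS)


def max_in_window(times, window):
    """Largest number of events from one source inside any interval of length `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyse(lines, window=timedelta(minutes=5), threshold=5):
    """Report sources outside the LAN, successful WAN logins, and brute-force bursts."""
    failures = defaultdict(list)
    report = {"outside_lan": set(), "wan_login_ok": set(), "brute_force": {}}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if not from_lan(ev["ip"]):
            report["outside_lan"].add(str(ev["ip"]))
            if ev["ok"]:
                report["wan_login_ok"].add(str(ev["ip"]))   # worst case: review config now
        if not ev["ok"]:
            failures[ev["ip"]].append(ev["ts"])
    for ip, times in failures.items():
        n = max_in_window(times, window)
        if n >= threshold:
            report["brute_force"][str(ip)] = n
    return report


# Constructed sample log (documentation-range addresses), not a real capture.
SAMPLE_LOG = """\
2016-11-07T18:00:01 telnet login failed from 203.0.113.45
2016-11-07T18:00:09 telnet login failed from 203.0.113.45
2016-11-07T18:00:17 telnet login failed from 203.0.113.45
2016-11-07T18:00:26 telnet login failed from 203.0.113.45
2016-11-07T18:00:34 telnet login failed from 203.0.113.45
2016-11-07T18:00:42 telnet login failed from 203.0.113.45
2016-11-07T18:03:10 telnet login failed from 198.51.100.7
2016-11-07T18:05:00 telnet login ok from 192.168.1.20
2016-11-07T18:05:30 telnet login failed from 192.168.1.20
2016-11-07T18:07:12 https login ok from 203.0.113.9
""".splitlines()


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(key, value)
```

A single failure from the LAN (a mistyped password) stays below the threshold, while the burst from one WAN address is reported with its peak count; the `wan_login_ok` set is the one that should never be non-empty once management is restricted to the LAN.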