
Draytek 2900 router exposes its config to the outside

  #1  
Old 11-15-2004, 12:54 PM




The Draytek 2900Gi exposes its login to the outside network, via
HTTPS. Not very clever, and disabling "configuration from the
internet" which is supposed to stop this, doesn't actually stop it.
This exposes the router to dictionary attacks, or DOS attacks, the
latter being possible because the router's processor has to run some
crypto software to run HTTPS.

I got a security specialist from a big IT infrastructure company to do
a security check on our system and he found this.

We are running the latest firmware, emailed straight to us from
Draytek Taiwan.


Peter.
--
Return address is invalid to help stop junk mail.
E-mail replies to (E-Mail Removed) but remove the X and the Y.
Please do NOT copy usenet posts to email - it is NOT necessary.


Peter
  #2  
Old 11-15-2004, 02:01 PM
Peter M

On 15 Nov 2004 in uk.telecom.broadband, Peter wrote:

>The Draytek 2900Gi exposes its login to the outside network,


The cheap ones I've used allow for the port to be defined, rather than
using common ones such as 80, 81, 8080, etc. Also some allow a fixed
IP to be defined as an 'allowed' connection. OK, it might be 'spoofed'
but an attacker would presumably not get any return traffic :-) PGM


--
PlusNet <http://tinyurl.com/24ymz> - I recommend them and save some cash.
  #3  
Old 11-15-2004, 05:28 PM
James Hurrell


"Peter M" <us-(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On 15 Nov 2004 in uk.telecom.broadband, Peter wrote:
>
>>The Draytek 2900Gi exposes its login to the outside network,

>
> The cheap ones I've used allow for the port to be defined, rather than
> using common ones such as 80, 81, 8080, etc. Also some allow a fixed
> IP to be defined as an 'allowed' connection. OK, it might be 'spoofed'
> but an attacker would presumably not get any return traffic :-) PGM


Yes the 2600 lets you do both of these. Careful when specifying IP addresses
to be defined as an allowed connection (the 2600 lets you add three) - I
managed to lock myself out of the router for a day as you need to specify
local/internal IP addresses also!

Just tried my 2600 with a "https" type connection - no connection was
possible (running latest firmware).



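An added example, not part of the thread or of any DrayTek tooling: one way to check from an outside vantage point whether a router's management ports still answer after "configuration from the internet" has been disabled. It has to run from a host on a different connection, since a test from the LAN side may reach the internal interface instead. The function names and the address 192.0.2.1 are placeholders chosen for this sketch.

```python
import socket
import ssl

# Ports named in the thread: HTTPS plus the common web-admin ports.
MGMT_PORTS = (443, 80, 81, 8080)

def probe(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'closed' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"        # RST came back: nothing is listening
    except OSError:
        return "filtered"      # timeout or unreachable: dropped on the way

def speaks_tls(host, port, timeout=3.0):
    """True if a TLS handshake completes. Certificate checks are off on
    purpose: router certificates are self-signed and only reachability
    is being tested. Old firmware may offer only protocol versions a
    modern client refuses, so False here does not mean the port is safe."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw):
                return True
    except OSError:            # includes ssl.SSLError and timeouts
        return False

def audit(host, ports=MGMT_PORTS, timeout=3.0):
    """Return {port: (state, tls_ok)} for every management port."""
    report = {}
    for port in ports:
        state = probe(host, port, timeout)
        tls_ok = state == "open" and speaks_tls(host, port, timeout)
        report[port] = (state, tls_ok)
    return report

def exposed(report):
    """Ports that accepted a connection from this vantage point."""
    return sorted(p for p, (state, _) in report.items() if state == "open")

if __name__ == "__main__":
    WAN_ADDR = "192.0.2.1"     # placeholder (TEST-NET-1): your own WAN address
    result = audit(WAN_ADDR)
    for port, (state, tls_ok) in sorted(result.items()):
        print(f"{port}/tcp {state}{' (TLS)' if tls_ok else ''}")
    print("reachable management ports:", exposed(result) or "none")
```

Any port reported as "open" is reachable from outside regardless of what the configuration page says; "filtered" is the result to expect once the setting, or a firewall rule in front of it, actually takes effect.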
All times are GMT.