Comments on: Routers owned by Botnet

By: Chris

Chris — Mon, 13 Apr 2009 20:10:47 +0000

Don’t mean to be argumentative, but in all fairness it doesn’t seem to have much to do with Linux, per se, but rather with poor security practices in general. For instance, there’s nothing keeping brain-dead users from leaving pfSense vulnerable to the same kind of issues if they were sufficiently ignorant and/or apathetic towards security. It’s not as if OpenSSH or lighttpd are Linux-specific services, after all. If these devices were running FreeBSD or even OpenBSD, I’d imagine the outcome would be pretty similar.

Of course, take this in the proper context, since I am running the wonderful pfSense in several production environments myself!

Regards,
-C

By: Dwayne

Dwayne — Wed, 01 Apr 2009 11:28:17 +0000

Most linux routers do allow you to limit their remote login to a specific remote static IP or subnet. If remote access is open to the world then its just encouraging trouble, although there will be ways to break the security.

By: James Carter

James Carter — Wed, 25 Mar 2009 05:08:26 +0000

“Your device has telnet, SSH or web-based interfaces available to the WAN”

FAIL!

By: Scott Ullrich

Scott Ullrich — Tue, 24 Mar 2009 21:31:34 +0000

Always change your username and password to something secure.

By: Mike

Mike — Tue, 24 Mar 2009 06:10:47 +0000

The problem here is that many of us use such an embedded device between a PC or other device running pfSense or m0n0wall and the rest of the net, such as an ADSL modem. In such a case, as the article pointed out, you won’t even know you got pwned unless you or your provider try to log into the device. The problem also, at this point, is easily solved by power-cycling, meaning 1. it’s not advanced (perhaps deliberately from what I read) enough to write its config to flash; and 2. this is a bigger problem for those that leave their computer stuff up all the time, so if you turn off everything when you’re not using it, you’re ok. OTOH, if you’re running a business, like our motel here, where the internet has to be available 24/7, this is a serious issue.

One of my connections going into pfSense is through a device that may meet these requirements (I have to use it because, except maybe in 2.0, pfSense doesn’t support USB modems); however, the config interface isn’t available to the outside world anymore that pfSense’s is, so it’s ok. But I feel sorry for those who need the ability to control one of these things from home (on-call support anyone?).

Mike

By: Chris Buechler

Chris Buechler — Tue, 24 Mar 2009 01:18:04 +0000

Though with poor administration practices, there isn’t anything stopping people from adding pfSense “support” to these exploits. If you have an easy to guess password, this is always a possibility with any device, especially if you open your web interface to the Internet. Any firewall is only as good as it’s configured to be.

By: Curtis LaMasters

Curtis LaMasters — Mon, 23 Mar 2009 20:21:01 +0000

Very thankful. This is quite scary, hope the dev’s come up with something to fix the issue and I’m glad I don’t have any deployed.