[HN Gopher] Please Log in with Router's Password
___________________________________________________________________
Please Log in with Router's Password
Author : fny
Score : 183 points
Date : 2021-08-10 20:41 UTC (2 hours ago)
(HTM) web link (www.google.com)
(TXT) w3m dump (www.google.com)
| jonplackett wrote:
| This has gone meta now and the search link just links back to
| this HN article.
| coldacid wrote:
| Funny enough, this very page was the top result for me on Google.
| soheil wrote:
| I suggest anyone wanting to see the pages in the search result to
| click on the google cache version instead of clicking on the link
| itself exposing your IP address.
| AshamedCaptain wrote:
| I am quite sure there are enough preload/prefetch links in the
| Google results pages to make this irrelevant (and crash the
| poor routers' owners' downstream links).
| prasanthabr wrote:
| Woah! Never thought this would be crawled by the google bot.
| Thanks for sharing
| Johnny555 wrote:
| I think this is more the fault of manufacturers than end users.
|
| Routers should be secure by default, and it should be hard to do
| something that will make it insecure. The router manufacturers
| are the supposed experts when it comes to networking, expecting
| every consumer to even know the risks of exposing their router
| admin interface to the world is not a reasonable assumption.
| Pxtl wrote:
| These routers are secure by default. This is only visible
| because users have chosen to have their routers expose their
| admin pages to the public internet.
|
| I have never seen a router that had its admin page visible to
| the WAN by default.
| sathackr wrote:
| So it's the car companies fault if I crash my car?
|
| They should limit vehicle speed to 5mph so I don't hurt myself
| or others.
|
| I have used many of these routers. Admin access on the wan port
| is blocked by default and must be enabled by the user.
| solarkraft wrote:
| Lackluster comparison (a modern consumer router should be
| more like a self steering car), but modern cars indeed have
| safety features to prevent you from crashing.
|
| Of course, both with the car and the router there are good
| arguments that you should be able to do the dumb thing if you
| know you need it. If it has to be explicitly enabled after
| intense warnings, the protective duty (as someone knowing
| better) can possibly be considered fulfilled - or you can
| still argue that it should be especially hard to do to block
| out people who don't listen to warnings.
| Johnny555 wrote:
| Do you want to require that router users pass a government
| proficiency test _and_ carry insurance to cover their
| liability for unsafe network use? Otherwise the analogy with
| driving a car is not quite complete.
| kube-system wrote:
| My car will literally hit the brakes for me if I am about to
| crash into something. A router marketed to a non-professional
| should do the same.
| sophacles wrote:
| You are making a very good point: the order of gear shifting
| was tightly regulated after a lot of accidents caused by NDLR
| order (instead of the now-standard PRNDL). In fact most
| automotive interfaces have regulations to standardize them
| after enough accidents were caused by people getting new cars
| that had different interfaces.
| Alupis wrote:
| I haven't bought a consumer router in well over a decade that
| isn't secure by default. Universally they all prohibit
| accessing the router via the WAN interface, and have reasonable
| firewall defaults. Many these days even include a randomized
| unique password for every router, stuck to the side of the
| device with a sticker.
|
| These routers were put on the internet on purpose, by people
| that seem to know what they are doing (universities and
| businesses), and none seem to have default credentials. Seems
| reasonable to me.
| paxys wrote:
| Is there any mainstream router brand that exposes admin pages
| to the internet by default?
| [deleted]
| z80x86 wrote:
| When you include omitted results, you'll get the entire set of
| ~7000. Each result is nearly identical, so Google will
| initially filter them out.
| [deleted]
| soheil wrote:
| Here is another example of what Google wasn't designed to do:
| https://www.google.com/search?q=intitle%3A%22index+of%22+mp3
| gennarro wrote:
| This is a list of the routers with the best SEO
| mrkramer wrote:
| Google dorking at its finest.
| FridayoLeary wrote:
| It's a slightly recursive submission.
| yakubin wrote:
| https://www.google.com/search?hl=en&q=recursion
| beezischillin wrote:
| Some of these routers can be crazy insecure. Just some fun from
| my own experience: before I got mine switched into bridge mode by
| my ISP I managed to disable the wifi on it despite the ISP
| blocking that functionality. How? By removing the disabled
| attribute from the select element via the devtools. I also know a
| friend who found his password in plaintext in a script tag in his
| router's login page. I understand that nothing is absolutely
| secure but this is just tempting fate.
| aetherspawn wrote:
| Hi folks, not much to see here.
|
| These routers are very well designed, receive regular firmware
| updates and are overall very solid. The only router that I
| haven't had to reboot since I've owned it (for nearly 18 months
| now).
|
| As others have said, this is not the default setting, and you're
| actually warned when you try and enable external access. But for
| some, this is useful. Since this router supports a VPN server,
| external access could be the only way to troubleshoot it if
| you're not on-site.
| paxys wrote:
| Funny enough just 45 minutes later this very HN thread is the top
| result on Google.
| nicce wrote:
| We live in the endless loop folks! It took me a while to
| realize if it was actually the purpose of this post.
|
| Edit: Yes, it was not.
| slim wrote:
| It is not. The purpose is to show misconfigured access points
| accessible through the internet
| soheil wrote:
| I don't think that was the purpose of this post.
| cduzz wrote:
| This reminds me of when Sergey Brin explained recursion to
| Terry Gross in this interview (14:45 seconds into the
| interview)
|
| https://freshairarchive.org/segments/google-founders-larry-p...
| JasonFruit wrote:
| Terry Gross is one of the very best interviewers I have
| ever heard. Her interviews and classical music alone make
| public radio worthwhile.
| Alupis wrote:
| Folks - these routers are secure. There is nothing to see here,
| move along.
|
| Here's the user manual for the TP-Link AC2300 "Archer C7", as
| found in the google results:
|
| https://static.tp-link.com/2019/201912/20191231/7106508598_A...
|
| Step 2 of first time setup forces a default password change.
| There is no way around this step.
|
| The defaults for the router also do not allow router access from
| the WAN port.
|
| This means:
|
| 1) These routers all have secured passwords that are non-default.
|
| 2) These routers were deliberately placed on the internet by
| people that knew enough about them to do so.
|
| Just because it's not how _you_ would configure your router doesn't
| make it wrong. There are legit reasons to place a router on
| the internet, so long as it's secured properly... how else would
| you remotely manage a router at a different physical location,
| for instance.
|
| __Lastly__ click "Next Page" on the OP search results. The
| estimated 7,000+ results becomes 21. Many of which are HN
| aggregators reporting on this thread here.
|
| So... out of the possible millions of routers TP-Link has sold in
| this model line, less than 21 are on the public internet - many
| of which no longer load via IP address (indicating they are no
| longer publicly accessible), and the rest have professional
| CNAME's attached, indicating professional management.
|
| Nothing here...
| jfrunyon wrote:
| > So... out of the possible millions of routers TP-Link has
| sold in this model line, less than 21 are on the public
| internet
|
| Make that 47,000 of them on Shodan:
| https://www.shodan.io/search?query=hash%3A-904286784
|
| > 1) These routers all have secured passwords that are non-
| default.
|
| You have a very interesting definition of "secured" if you
| think they are all actually secured.
|
| > 2) These routers were deliberately placed on the internet by
| people that knew enough about them to do so.
|
| Just because they knew enough to click a checkbox doesn't mean
| they knew enough to do so. If they knew enough, they wouldn't
| have done so.
|
| You seem to be under the mistaken impression that embedded
| devices (like consumer routers) don't usually have glaring
| security holes. But they do.
| szidev wrote:
| not every tp-link model (or revision, or locale, or firmware
| version) that shares a web interface with the c7 requires you
| to manually set a password. even if that were the case, there
| are bound to be users who aren't security savvy and chose a
| very weak password (e.g. "password", "admin").
|
| many tp-link routers also have configurable vpn servers built
| in, which can open up the whole network to malicious actors.
| mullingitover wrote:
| I would love to know how these are secured. I doubt there's MFA
| or even rate limiting.
|
| > 2) These routers were deliberately placed on the internet by
| people that knew enough about them to do so.
|
| That's making some very generous assumptions.
| csydas wrote:
| >That's making some very generous assumptions.
|
| Disagree. In my current country of living, I'm not even sure
| how I'd properly expose the router I use to the public
| internet since I sit behind the ISP's NAT-ing, and even when
| I lived in the US, I am not confident I could tell you how to
| publicly expose the modem provided by Comcast for non-local
| access, much less how someone without any tech experience
| might do this.
|
| If this was a prevalent problem because of default settings,
| I'd expect far more than 7800 results; I am not willing to
| concede every instance is intentional, but 7800 out of the
| billions of routing devices in the world showing up on this
| search enforces my understanding that these 7800 entries are
| special in some way.
|
| >I doubt there's MFA or even rate limiting.
|
| MFA is not common at all on consumer routers, which at least
| quite a few on the first page result are, same with rate
| limiting.
|
| Even for Enterprise grade gear, the threat isn't the user-
| defined password, it's the manufacturer backdoors, which
| we've seen many of in the last few years. Rate limiting
| doesn't do much if you have a fair chance that you've got a
| back door.
|
| What likely __does__ help is that as far as I know, "Enable
| Web Access from WAN" is by default *disabled* on most
| consumer routers (and enterprise? that I'm not sure of), so I
| think that this lends credence to the devices on the Google
| results being exposed intentionally to some degree. (The
| owners' knowledge level notwithstanding, this is a fairly
| out of the way setting, at least on my Asus router)
| Alupis wrote:
| > but 7800 out of the billions of routing devices in the
| world showing
|
| Click "Next Page" - estimated results turns into 21 results
| in total... of which a bunch are dead links, a bunch are HN
| aggregators... leaving just a small handful of actual
| devices on the internet.
| jfrunyon wrote:
| > I am not confident I could tell you how to publicly
| expose the modem provided by Comcast for non-local access
|
| You likely couldn't. That setting is usually gated behind
| some sort of "technician" or "mso" account (or not present,
| or only accessible from the device's telnet/ssh interface).
| Of course, it's probably not difficult to guess Comcast's
| password; past experience with other companies suggests you
| try things like "comcast" or "C0mc4s7". (Not even joking,
| Suddenlink and Spectrum/TWC.)
|
| > much less how someone without any tech experience might
| do this.
|
| Easy. It's a button that their kid clicked while playing
| around.
|
| > MFA is not common at all on consumer routers, which at
| least quite a few on the first page result are, same with
| rate limiting.
|
| Are you trying to say that's a positive for exposing it on
| the internet...?
| Alupis wrote:
| These are not high end enterprise grade kit, folks. Expecting
| things like MFA, secondary VPN endpoints, etc is just absurd
| for the target audience of this device.
|
| Again, just because you wouldn't configure it this way
| doesn't make it wrong. It's as secure as it can be, short of
| throwing a bunch of other kit in front of it, and then why
| would you be using a $100 consumer router anyway?
|
| The only vulnerability here is the possibility of a 0-Day.
| Everything else is either misguided or screaming for the sake
| of it.
| SheinhardtWigCo wrote:
| > The only vulnerability here is the possibility of a
| 0-Day.
|
| That's not exactly uncommon in cheap consumer routers.
|
| No rate limiting is as good as no authentication.
| jrockway wrote:
| I'm a big fan of rate limiting (and even rate limit my
| static pages) but if your password is secure enough, the
| lack of a rate limit isn't going to help attackers.
|
| I kind of agree with the comment that started this thread
| -- people that have explicitly decided to expose their
| consumer-grade routers directly to the Internet probably
| know about password managers. Even if you do guess the
| password and compromise the router, all you'll have is
| some remote office that is getting TLS errors because of
| your MITM, and best case control of some unpatched
| Windows 3.1 machine and maybe some developer's local
| MySQL install happily listening on port 3306 somewhere.
| That's not great, but it's a risk that some people are
| willing to take.
| Alupis wrote:
| > That's not exactly uncommon in cheap consumer routers.
|
| That's, in my opinion, the only fair criticism available
| here.
|
| > No rate limiting is as good as no authentication.
|
| Trying to even load some of the links found in Google
| takes 10's of seconds. That's effectively a rate limit,
| even if it doesn't temp-ban per IP address.
|
| Someone would have to dump the firmware to find out, but
| it would be trivial for each device to generate their own
| salt - making a potential lack of rate limit a non-issue.
| jfrunyon wrote:
| The load times are most likely primarily caused either by
| slow JS or high RTT/multiple requests, either of which
| could be trivially bypassed by an attacker. Or an
| attacker could just fire off 100 requests at the same
| time and saturate the bandwidth anyway, despite a high
| latency. And any high latency would likely be
| significantly lower if you happen to be in the same
| geographic area.
|
| Latency is not rate-limiting.
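
Added example, not part of the thread: a deterministic simulation of the point argued above, comparing a slow login form with no throttle against the same form behind a throttle. `LoginThrottle`, `password_checks`, `hours_to_exhaust` and every number used (10 s responses, 100 parallel clients, the lockout schedule) are assumptions made up for illustration, not TP-Link behaviour.

```python
"""Latency versus rate limiting on a login form (constructed simulation)."""
from collections import defaultdict, deque


class LoginThrottle:
    """Per-source sliding window plus per-account exponential lockout."""

    def __init__(self, max_per_window=5, window=60.0,
                 free_failures=2, base_lock=30.0, max_lock=3600.0):
        self.max_per_window = max_per_window
        self.window = window
        self.free_failures = free_failures
        self.base_lock = base_lock
        self.max_lock = max_lock
        self._recent = defaultdict(deque)   # source -> times of allowed attempts
        self._failures = defaultdict(int)   # account -> consecutive failures
        self._locked_until = {}             # account -> time the lock expires

    def allow(self, source, account, now):
        """Return True if a password check may run at time `now`."""
        if now < self._locked_until.get(account, 0.0):
            return False
        recent = self._recent[source]
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.max_per_window:
            return False
        recent.append(now)
        return True

    def record(self, account, success, now):
        """Update lockout state after a password check."""
        if success:
            self._failures[account] = 0
            self._locked_until.pop(account, None)
            return
        self._failures[account] += 1
        over = self._failures[account] - self.free_failures
        if over > 0:
            # The lock doubles with each further failure, up to max_lock.
            # Trade-off: while it is active the real owner is locked out too.
            lock = min(self.base_lock * 2 ** (over - 1), self.max_lock)
            self._locked_until[account] = now + lock


def password_checks(concurrency, latency, duration, throttle=None, sources=1):
    """Count wrong-password checks the server performs in `duration` seconds.

    Each of `concurrency` clients sends one request every `latency` seconds,
    all against the account "admin", spread over `sources` addresses.
    """
    checks = 0
    t = 0.0
    while t < duration:
        for worker in range(concurrency):
            source = "src-%d" % (worker % sources)
            if throttle is None or throttle.allow(source, "admin", t):
                checks += 1
                if throttle is not None:
                    throttle.record("admin", False, t)
        t += latency
    return checks


def hours_to_exhaust(candidates, checks_per_hour):
    """Hours needed to try every entry of a candidate list at a given rate."""
    return candidates / checks_per_hour


if __name__ == "__main__":
    hour = 3600.0
    slow_serial = password_checks(1, 10.0, hour)
    slow_parallel = password_checks(100, 10.0, hour)
    throttled = password_checks(100, 10.0, hour, LoginThrottle(), sources=100)
    print("1 client, 10 s latency, no throttle:   ", slow_serial)
    print("100 clients, 10 s latency, no throttle:", slow_parallel)
    print("100 clients, 100 sources, throttled:   ", throttled)
    for label, size in (("10,000-entry wordlist", 10_000), ("40-bit space", 2 ** 40)):
        print(label, "unthrottled: %.1f h" % hours_to_exhaust(size, slow_parallel),
              "throttled: %.1f h" % hours_to_exhaust(size, throttled))
```
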
| gsich wrote:
| That would also be an assumption.
| [deleted]
| nickstinemates wrote:
| SD-WAN / VPN / Many many many other solutions.
| jrochkind1 wrote:
| What you say is sensible, except for:
|
| > The estimated 7,000+ results becomes 21. Many of which are HN
| aggregators reporting on this thread here.
|
| Nope, Google is just collapsing them because they are all
| identical copies of the same "page", being the same login
| screen. Most of them look like routers, you can ask Google to
| "include" them all and see for yourself.
| https://www.google.com/search?q=%22Please+log+in+with+router...
| fny wrote:
| OP. I'm posting this because I discovered a box at the hostel
| I'm at on Google after fat fingering the IP by mistake. (It's
| disconnected already.) The password was easily guessable.
|
| Aside from the anecdata, a counter argument is that the router
| manufacturer has taken no steps to obscure the routers from
| search engines. Sure someone could simply IP scan, but you have
| to admit this is a little absurd.
| amanzi wrote:
| You're making some massive assumptions here.
|
| Exposing your router's admin page to the internet is not good
| security practice. These routers are protected by nothing but a
| password, and I couldn't see anything in the manual that
| enforces password length/complexity. So while the password
| might be non-default, it could still be incredibly insecure.
|
| Also, to expose these routers to the internet, all it takes is
| a single checkbox to enable "Remote management". So your
| assumption that these have all been deliberately placed on the
| internet also doesn't hold up because I can definitely see a
| curious home user playing with these settings without realising
| the impact of this. There have been tons of similar reports in
| the past where home users have exposed things to the internet
| without realising the impact.
| system2 wrote:
| Why would the search engines index these though? That's the
| question, not their default security.
| lmilcin wrote:
| > Folks - these routers are secure. There is nothing to see
| here, move along.
|
| If experience is any guide, they are not.
|
| Consumer routers have a horrible track record of embarrassing, easily
| exploitable vulnerabilities. That are not patched for a long
| time or ever.
|
| And exposing your router to public like that suggests the owner
| knows very little about security. This typically goes in hand
| with other neglect. Tell me, how many home users that are not
| security conscious keep their routers regularly patched and
| will replace the router when the manufacturer stops supporting
| them?
| ericyan wrote:
| > These routers all have secured passwords that are non-
| default.
|
| Secure passwords is just a tiny subset of non-default
| passwords. Chances of an average human being being able to come
| up with a password with enough entropy to be called as secure
| is pretty low.
|
| > These routers were deliberately placed on the internet by
| people that knew enough about them to do so.
|
| This means these people know how to expose the management
| interface to the internet. It does not mean these people have
| enough knowledge on securing their devices -- based on their
| actions, it is more likely that the opposite is true.
| ascar wrote:
| > Chances of an average human being being able to come up
| with a password with enough entropy to be called as secure is
| pretty low.
|
| https://xkcd.com/936/
|
| So you think the chance of human beings to come up with 4
| random words is pretty low?
|
| You can't brute force millions of guesses per second through
| a web interface. 40 bits of entropy is already plenty for
| internet usage especially when the password is properly
| hashed with something like bcrypt.
| eganist wrote:
| To the reader: if this is your first exposure to finding things
| that aren't supposed to be exposed to the internet and you're
| finding it interesting enough to want to learn more, there's a
| tool commonly used among security practitioners called Shodan
| that enables a much more tunable search for exposed assets.
|
| https://en.wikipedia.org/wiki/Shodan_(website) - deeper reading.
| I'm not affiliated.
|
| ---
|
| It's also a super basic intro to proper google-fu (which you can
| google to find others' takes on how to become somewhat effective
| at, erm, googling). Back when I used to blog on Microsoft-related
| topics, it was common to construct extremely narrow queries to
| find exposed confidential documents in Skydrive accounts which we
| could then sift through to find bloggable material.
|
| e.g site:[skydrive domain] filetype:.pptx "Microsoft
| Confidential" etc.
|
| Or one which still works:
|
| https://www.google.com/search?q="Microsoft+Confidential"+sit...
|
| lmao I'm going to have some fun tonight.
| kryogen1c wrote:
| i think my first exposure to shodan was from viss
|
| https://youtu.be/-T-3buBwMEQ
|
| this video is 9 years old now, but I'd wager the prevalence of
| public scada and webcams et al is still pretty high.
| atum47 wrote:
| Shodan, great tool. I remember spending time looking at some
| misconfigured IP cams
| jfrunyon wrote:
| Sadly, Shodan does not appear to index these, seemingly because
| it attempts an HTTP connection, while the router expects an
| HTTPS connection.
|
| Edit: I take it back. Looks like the hash is good enough.
| 47,000 results; the first three that responded are the same
| kind of routers.
| https://www.shodan.io/search?query=hash%3A-904286784
| tg180 wrote:
| Lately, Shodan's results are not as good as in the past. I
| think they are scanning less aggressively.
|
| I always recommend to watch at least both Censys and Shodan.
|
| https://censys.io/
| walrus01 wrote:
| Some fun things here, as a google search:
|
| site:.gov "for official use only" filetype:pptx
|
| site:.gov "for official use only" filetype:pdf
| br2 wrote:
| Are Skydrive documents somewhat public or are people just
| sharing them by mistake? I don't use it nor am I that familiar
| with it.
| bellyfullofbac wrote:
| You can create a long complicated link to share with other
| people, even people without Skydrive/OneDrive/Dropbox/Google
| Drive accounts. But sometimes people publish these links
| somewhere where a search engine's crawler sees it and follows
| it.
|
| I remember spotting someone's URL to a Google Doc on their
| screen which their camera caught in their YouTube video. I
| manually typed it into my browser's URL bar and voila, I
| could read that document. Nothing juicy though.
| eganist wrote:
| > Are Skydrive documents somewhat public or are people just
| sharing them by mistake? I don't use it nor am I that
| familiar with it.
|
| Almost all of this would be by mistake, no different than
| misconfiguring an S3 bucket.
| core-e wrote:
| I don't understand. What point is being made here?
| syncsynchalt wrote:
| It's a demonstration of google dorking. Construct a google
| search term that returns attackable hosts.
|
| Skip past the first few results, then you'll see a list of
| likely easily-hackable home routers. If you were to try
| user/pass combos like "admin"/"admin" on these results I bet
| you'd have successful logins on several of them.
|
| Don't actually do this (seriously, the penalties aren't light),
| the demonstration of the search results is enough to make the
| point.
| [deleted]
| fungiblecog wrote:
| People are exposing their routers to the internet. This is not
| a good idea.
| core-e wrote:
| Thanks. How do I make sure I'm not on this list?
| mixedCase wrote:
| Easiest, most practical, 90% good enough: Get your IP
| address, grab your phone on mobile network and go to
| http://your.ip.address
| iamcreasy wrote:
| So, if I was exposed I will see the router's login page?
| Arrath wrote:
| If you're running their equipment, you may see your ISP
| provided modem's login page, which ideally should have
| whatever randomly generated password was on the sticker
| on the bottom of the modem when you got your service. A
| shade more secure than a router with default credentials.
| kelnos wrote:
| I'd hope you don't even see that. Your ISP shouldn't be
| exposing that to the internet by default, either. Ideally
| you get connection refused or an eventual timeout.
| Alupis wrote:
| There are legit reasons to have a router be publicly
| accessible. How else would one remotely manage a router (top
| results in Google are businesses and universities, for
| example).
|
| Since the default configuration of these routers is _not_ to
| expose the router on the WAN interface, manually overriding
| this configuration usually demonstrates a sufficient enough
| understanding that the default credentials have likely also
| been changed.
|
| The only real issue would be using a default password, which
| none of the top results shown on Google seem to have
| (thankfully). So, little-to-no issue here.
| kube-system wrote:
| Best practice for remote management of network devices is
| over a VPN or a remote access application designed for
| remote management, and it has been that way for decades.
| Web UIs on routers are designed for use on trusted
| networks, are notoriously full of vulnerabilities, and
| aren't typically hardened for exposure to the open
| internet. They often do not support _any_ security features
| beyond a password. No fail2ban, no 2FA, no SSO, etc. Most
| router manufacturers will warn you against doing this for
| these exact reasons, even if they don't elaborate on why,
| and let you do otherwise.
|
| The businesses and universities you see in the list are
| likely:
|
| * a result of people hooking up rogue devices
|
| * organizations operating without competent IT management
|
| * honeypots
| Alupis wrote:
| Are VPN's, secondary networks, etc reasonable to expect
| for a $100 MSRP device targeted at consumers? I think
| not...
|
| Given what it is... it's as secure as it can be. Short of
| a 0-Day lurking somewhere, or an active CVE, the
| configuration is fine. Not to mention all the top results
| appear to be operated by organizations that certainly
| know what they are doing.
| kelnos wrote:
| > _Are VPN's, secondary networks, etc reasonable to
| expect for a $100 MSRP device targeted at consumers?_
|
| If they are, great. If not, then consumer-grade router
| admin interfaces should not be exposed to the public
| internet, ever.
| kube-system wrote:
| Yes, there are many consumer routers that support VPNs,
| including the ones we're talking about here.
|
| https://www.tp-link.com/us/user-guides/Archer-C7/chapter-12-...
|
| Although, remote management isn't much of a consumer
| feature to begin with.
| darkwater wrote:
| If you as a consumer and
|
| - spend 100 bucks on a specific router
|
| - have a static IP
|
| - put your router web ui on the Internet
|
| then yeah, you are definitely the type who should be also
| able to put a VPN to properly manage it. I don't really
| get your defense of this practice. It is bad and risky,
| and there are no good reasons to expect it to be a sane
| config for a router.
| Johnny555 wrote:
| _manually overriding this configuration usually
| demonstrates a sufficient enough understanding that the
| default credentials have likely also been changed_
|
| I don't think that's a reasonable assumption at all -- the
| router should _ensure_ that the admin cred has been set to
| a (reasonably secure) password. Just because someone read
| on a web page that they should enable remote admin doesn't
| mean that they understand the risk.
|
| And it should warn that exposing the admin interface to the
| internet may make the router more vulnerable to remote
| exploits - basically the same type warning that browsers
| show for a bad SSL cert should be shown for insecure router
| configs - tell the user that it's insecure and is a really
| bad idea before they do it.
| Alupis wrote:
| How do you know this router doesn't already do that?
|
| You're making some wild assumptions here.
|
| Even your basic free Comcast router comes with sane
| defaults, and tons of warnings for every configuration
| change.
|
| Here's the user manual for the TP-Link AC2300 - The
| Archer C7 found in the google results this post links to:
|
| https://static.tp-link.com/2019/201912/20191231/7106508598_A...
|
| Step 2 forces the default password to be changed. There
| is no way around that step.
|
| None of your assumptions are true here.
| kelnos wrote:
| > _Step 2 forces the default password to be changed.
| There is no way around that step._
|
| Sure, and you can change that password to "foobar" or
| whatever bad password you want. And I bet that login page
| doesn't have any rate limiting or a lockout after too
| many failed logins.
|
| Fortunately, though, I don't think there are any of these
| that enable remote admin by default, so the owner would
| need to do that explicitly. Hopefully they've paired that
| with a strong password. Even then, I still wouldn't
| advise anyone actually doing this...
|
| (Your manual link is broken; it takes me to a page that
| just links to TP-Links main marketing website.)
| Johnny555 wrote:
| Here's another TP-link manual:
|
| https://www.tp-link.com/us/support/faq/66/
|
| 1. Open the web browser and in the address bar type in:
| http://192.168.1.1
|
| 2. Type the username and password in the login page. They
| are both admin by default.
|
| 3. Click Security->Remote Management on the left side
|
| 4. To enable this function, please change the Remote
| Management IP address from 0.0.0.0 to a specific
| authorized remote IP address.
|
| Here's the warning they give at the bottom of the manual:
|
| Few people read the entire manual, if they read it at
| all, they read enough to do what they want, and fewer
| still know what "Use this with caution" means. I don't
| even know what it means. I typed 255.255.255.255
| carefully, is that sufficient caution?
|
| Type 255.255.255.255 Remote Management IP Address means
| that you can connect to the router remotely from anywhere
| via Internet, this is not recommended and please use it
| with caution
|
| We suggest changing the default log in Username and
| Password if the Remote Management feature is enabled,
| especially if you typed 255.255.255.255 as the Remote
| Management IP address.
| Alupis wrote:
| That link isn't from the routers this post links to
| (specifically Archer C7 and C9 routers).
|
| And, your link is old, to say the least. That screenshot
| is from the Windows XP era.
|
| You're trying to lampoon TP-Link for things that simply
| are not true anymore, nor have been for a long while.
|
| I'll repeat again - the defaults on these routers is to
| prohibit WAN access and they force a password change at
| setup. What more are you complaining about?
| Johnny555 wrote:
| Also from the page I linked to:
|
| _Updated 04-18-2019 07:10:55 AM_
|
| _This Article Applies to: TL-WR841N (and a couple dozen
| others)._
|
| You can buy a TL-WR841N today for $20. It was released in
| 2015, so it may be an "old" router, but old routers never
| die, they just get cheaper.
| Alupis wrote:
| OK so what? Nothing you've stated here applies to the
| original post. You're fabricating some outrage about
| nothing relevant. The original post shows Archer C7 and
| C9 routers...
| Johnny555 wrote:
| What original post? It was a google search that reveals
| some router's remote admin page, that search doesn't
| mention any specific router brand or model.
|
| But regardless, I was responding specifically to your
| comment:
|
| _manually overriding this configuration usually
| demonstrates a sufficient enough understanding that the
| default credentials have likely also been changed_
|
| (That's why I quoted it in my reply)
|
| And the point I was trying to make is that merely being
| able to override the default remote admin setting does
| not ensure that the user has any idea what the
| ramifications are. I'm surprised you're even arguing
| against that.
| Alupis wrote:
| > What original post? It was a google search that reveals
| some router's remote admin page, that search doesn't
| mention any specific router brand or model.
|
| It does, click any of the links. The specific search
| string OP used returns only C6, C7 and C9 routers (I
| clicked through 2 pages of results).
|
| You saw TP-Link and went off about things that were valid
| to complain about in the past... but are not specifically
| with these routers, and probably no new model TP-Link or
| any sane manufacturer is turning out today.
|
| > And the point I was trying to make is that merely being
| able to override the default remote admin setting does
| not ensure that the user has any idea what the
| ramifications are
|
| Again, if you actually clicked through the OP, you'd
| notice most of the bare IP address results are dead
| (meaning they are no longer on the internet), and the
| ones with CNAME's attached appear to be professionally
| managed. The assumption is sound.
| larvaetron wrote:
| > There are legit reasons to have a router be publicly
| accessible.
|
| No, there are not.
|
| > How else would one remotely manage a router
|
| Over a WireGuard connection to a secure management network.
|
| > The only real issue would be using a default password
|
| Uh, no. Try any number of CVEs or 0-days or unknown-until-
| it's too-late vulnerabilities, depending on what web
| daemon/frameworks are used by the router's management
| software.
| ohyeshedid wrote:
| Even if all of that is updated and secure; with the
| services exposed, it's less than trivial to make that
| service eat the small amount of memory it has to work
| with, and take down the network it manages.
| csomar wrote:
| Probably people not aware of exposing their routers to the
| Internet.
| angott wrote:
| There are thousands of TP-LINK routers whose WAN port 80/443 is
| exposed to the Internet, allowing access to their
| administration interface if you know the password (or a
| vulnerability is present).
| toxicFork wrote:
| And I'd bet a nice amount that most of them have the default
| passwords.
|
| Some years ago I wrote a little tool to iterate all of an
| ISP's IP addresses and around 90% were using default
| passwords. Mostly homes, but some businesses.
| iamcreasy wrote:
| I was planning to host a simple website on my Raspberry Pi
| using Dynamic DNS - which I think requires me to expose port
| 80 to the internet. Is that safe?
| blacksmith_tb wrote:
| If it's a static site? Probably safe-ish, I suppose bots
| and bored teens could DDOS it. You could also choose a non-
| standard port, that might cut down on the noise.
| iamcreasy wrote:
| Thanks! I want to learn what could go wrong. Can you
| point me to any resource/book to study this particular
| matter?
| kube-system wrote:
| It depends entirely on what technologies you are
| specifically exposing. If you are serving a page with a
| web server application like Nginx or Apache, you should
| read about securing those applications. If you are
| writing a NodeJS application, you should read something
| specific to that.
|
| If you want something very general and comprehensive, you
| can read this, although it is probably too involved for a
| basic "website": https://owasp.org/www-project-web-
| security-testing-guide/sta...
| willhinsa wrote:
| If you disable the router's remote administration feature
| and/or change the router's default administration password,
| it should be safe.
| kelnos wrote:
| It's as safe as whatever software stack you'd be using on
| the Raspberry Pi to serve the site, same as if you'd be
| hosting it on a VPS in someone's cloud (though in your case
| if there's a vulnerability of a particular kind, someone
| could gain access to your local network).
|
| Since you're not hosting the site on the router itself,
| presumably you're forwarding port 80 from the router to the
| Raspberry Pi, so unless the security of the Pi ends up
| being broken, the router should be safe.
|
| (Also I'd recommend using Let's Encrypt to get an
| automatically-renewing TLS cert so you can serve https on
| port 443 as well, and even redirect port 80 to it. It's not
| that difficult to set up, and you'll be improving the
| privacy and security of those who visit your site.)
| [deleted]
| tester756 wrote:
| https://en.wikipedia.org/wiki/Google_hacking
| Alupis wrote:
| Click "Next Page" folks - estimated 7,000+ results turns into 21
| results - many of which are dead, many others are HN aggregators,
| leaving the total amount of these model routers on the public
| internet to be a small handful - all of which appear to be
| professionally managed with CNAMEs, etc.
|
| All the outrage in this thread over nothing...
| mr_sturd wrote:
| > many of which are dead
|
| They could all be receiving hugs of death from the HN traffic.
| ElijahLynn wrote:
| True claim: When I click on "next page" I get "Page 2 of about
| 7,520 results" BUT when I click on "next page" again I do get
| "Page 3 of about 21 results".
| nicce wrote:
| Does this mean that our beloved search engine is a narcissist?
| Overqualifying its capabilities. Or thinks that it found
| everything useful already.
___________________________________________________________________
(page generated 2021-08-10 23:00 UTC)