What the bug?

Post new topic   Reply to topic    DD-WRT Forum Index -> Broadcom SoC based Hardware
Author Message
iamgroot
DD-WRT Novice


Joined: 07 Jul 2021
Posts: 4

Posted: Wed Jul 07, 2021 10:06    Post subject: What the bug?
First off, thank you admin folks & developers for creating the dd-wrt project. I've been using dd-wrt since the early builds in the mid to late 2000s, but never actually posted, nor needed to, as the wiki & other documentation is quite fabulous and most builds have been generally quite stable in my experience, at least when paired with the right router hardware and configured correctly. I generally know my way around network hardware and a Linux terminal, etc. But this particular issue is making me feel like a blockhead.

And now here - I have collected a rather tall stack of routers that do not work, and have tried all of them running various versions of the latest dd-wrt builds, even some older builds, and all of them are behaving similarly with the same types of issues. I will get more specific as we go along, and can certainly post logs. I will attempt to not bore you with a novel, but unfortunately, to get a clear picture of what I'm dealing with, this post may get lengthy.

So the devil's in the details; in front of me I have a quick trick brick stack of...

Netgear R7000's (multiples)
Netgear R6700 V3
Netgear R7000p
Netgear R7800
TP-Link Archer C7 v5 (Three of them)

Symptoms: All of them act very much in the same organized chaotic fashion. The LEDs begin to behave very strangely on boot up compared to what I've known in the past. Wireless lights flicker on/off randomly, the LAN port lights that are not plugged in turn on/off at times, and it seems to go through a re-boot sequence of sorts, then the wireless lights come BACK on & stay on, even frequently after being disabled in the web GUI, with 20+ character passwords, even when I lock down all the security settings and disable remote access, restrict IP addresses, change to alternate subnets, disable SSH and telnet services, restrict access IP addresses. At best the router simply won't work and locks me out of the interface, and the wireless lights flicker and some of the LAN port lights come on (even when disabled & ethernet unplugged). That's mostly what happens now; God forbid I plug one into the WAN, that was resulting in DNS hijacks/redirects, in spite of VPN and local machine firewalls.

I've tried just about everything I can possibly rack my brain over.

I can fire them up after a good hard reset & get into the web GUI interface, clear factory reset, firmware upgrade goes fine and dandy. I can set strong admin passwords, configure the settings as I want, and I've tried many variations... as soon as I log out and reboot the router, kaboom.

That being said, I'm stumped over here, getting tired of banging my head against a wall, and figured it can't hurt to ask for a little help, and maybe, if what's happening is indeed, as I suspect, some kind of vulnerability in the wireless being exploited, that may need patching, as I've seen tell of on various channels recently. To be clear, as part of my job in IT I am on the front lines mitigating a lot of active threats, and having recently helped some small business clients clean up their networks, infected by some nasty successful phishing attempts that landed them with rootkits combined with other malware delivery methods, their unfortunate subsequent payload deliveries made their way up into one of my personal LANs unnoticed. Guessing through some vulnerability in one of my many devices.

I've subsequently sterilized and squashed the bugs in my LAN: disabled all wireless functions, quarantined all hard drives, potentially infected devices, and flash media, nuked and paved all the local machines, replaced any old motherboards if the firmware wasn't able to update. Most of the test rigs I'm running for the moment, while I'm trying to configure the routers, are simply Linux live boots, mostly Debian-based distros from DVDs (verified PGP keys), with no persistence and no hard drives installed. Therefore I know this isn't coming from the local machines, or at least not anymore... I hope.

The only two routers I have been able to get working & fully secured so far are one of the TP-Link Archer C7's running the latest stock firmware, and a brand new TP-Link Archer C4000, also completely stock firmware, configured with maximum security and disabled wireless (I don't think dd-wrt supports it yet). I was able to get these working by using the physical disable-wireless button, configuring it from a completely sandboxed laptop running BlackArch or Puppy Linux, and binding the sandboxed computer as the only MAC address allowed to access the admin panel interface.

I know I promised you some logs, but that's been a bit of a hassle to reliably collect, as the only time I can get reliable access to the backend functionality is when the quick trick brick in question is plugged into a sandboxed machine, and therefore my copy and paste function consists of encrypted sneakernet thumb drives or DVDs, just to be safe. I also just realized it's almost 3 am now, so that might have to wait for a post tomorrow. Let me know what logs/routers/builds you want first? lol. Any recommended builds to try or settings my tired brain overlooked would be appreciated.

Thank you for your time.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14217
Location: Texas, USA

Posted: Wed Jul 07, 2021 13:53    Post subject:
And we have no idea what DD-WRT build version you are experiencing these issues on. When you come back to this thread, please provide all applicable information. Thanks.
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
iamgroot
DD-WRT Novice


Joined: 07 Jul 2021
Posts: 4

Posted: Wed Jul 07, 2021 19:23    Post subject:
kernel-panic69 wrote:
And we have no idea what DD-WRT build version you are experiencing these issues on. When you come back to this thread, please provide all applicable information. Thanks.


Yes yes, apologies. I had full intention of posting more details of all the build versions and some logs last night, if I could even access them (most of the time I get locked out of the web GUI interface before I even have a chance to look at the logs); however my eyes were getting bleary and I felt the need to get some sleep before I started posting the wrong information off the top of my head or making dumb config mistakes myself and confusing you guys further.

As stated, I have tried various different DD-WRT builds/router hardware with somewhat similar behaviors and apparent results.
Let's simplify this a tad; I'll work with one router at a time here, starting with the:


Netgear R6700v3, looks like it is currently running build r46885 (6/5/21)

Looks like I forgot to download the latest build for this router, so we'll just leave it there for now.

Starting config from scratch. Simplifying my config settings a bit this time; I will leave more on defaults. Hopefully I'm just making a dumb configuration mistake?

Strong admin password & alt username set, changed subnet & router IP to 192.168.22.2/24, turned logging to high, enabled syslogd, disabled SSHd/Telnet access, enabled impede DDoS/bruteforce, etc. etc., disabled wireless in the wireless tab. Enabled turning off wireless radio && radio off at boot. Set web access to HTTPS; Rebooting router...

Updated static IP/gateway to reflect the new subnet on the sandboxed test rig: (Core i3 9th gen, ASUS B360M-C, running fossapupx64 Puppy Linux live CD)

Hmmmm, lights look a bit more tame this time: we have power LED, Ethernet port 1 lit, & the last two wireless lights are on, but the 2 & 5 GHz band LEDs are off. Maybe we're making progress? Still cannot access the web GUI, browser cannot establish a connection to the server. Checking static IP route:

#ip route show
default via 192.168.22.2 dev eth0
192.168.22.0/24 dev eth0 scope link src 192.168.22.101

Checking ping to router: 192.168.22.2 pings successfully, no packet loss... Still no access to the web GUI. Rebooting both test rig and router.

Trying DHCP this time. Still no access to the web GUI. Looks like my box grabbed the client IP 192.168.22.135. Router pings OK.

#ip route show
default via 192.168.22.2 dev eth0 metric 202
127.0.0.0/8 dev lo scope link
192.168.22.0/24 dev eth0 scope link src 192.168.22.135 metric 202

Attempting to access the web GUI at https://192.168.22.2/: Can't establish a connection to the server. Trying static IP config. Same result.

This has been consistent across the board. Once I set the initial settings after a standard hard reset, I get locked out of the interface most of the time.

I will try one of the TP-Link Archer C7 v5's again next time and report in the next post. I can tell you I just tried re-flashing the latest build on one of them last night, though, 06-28-2021-r47000, with similar results as above. I can try rolling back to the recommended build in the router database perhaps (R44715??). I don't know, I've never had these kinds of issues, and this is not exactly my first rodeo.


Last edited by iamgroot on Wed Jul 07, 2021 19:30; edited 1 time in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12882
Location: Netherlands

Posted: Wed Jul 07, 2021 19:33    Post subject:
Do not use Chrome or Chromium-based browsers.
Use Waterfox Classic; FF without any extensions often also works.

Probably do not disable HTTP access.

Edit: if you are the only one connected by wire you can safely use HTTP.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14217
Location: Texas, USA

Posted: Wed Jul 07, 2021 19:43    Post subject:
iamgroot wrote:
Set web access to HTTPS; Rebooting Router...
egc wrote:
Probably do not disable http access.

I see where you broke it. To use https access, you have to have something in your startup script to restart httpd with the proper command line switches.

I generally use ebtables to restrict access to webUI from wireless and all wired clients except for a specific IP/MAC address. HTTPS is unnecessary and you cannot flash firmware upgrades from HTTPS.

iamgroot
DD-WRT Novice


Joined: 07 Jul 2021
Posts: 4

Posted: Wed Jul 07, 2021 19:51    Post subject:
Thank you for the reminder on being patient. I realize I sometimes do work too fast for the router to process the settings. I will ensure a more patient awareness of the basic save/apply/reboot process for my next attempt and report back.

Quote:

I see where you broke it. To use https access, you have to have something in your startup script to restart httpd with the proper command line switches.

I generally use ebtables to restrict access to webUI from wireless and all wired clients except for a specific IP/MAC address. HTTPS is unnecessary and you cannot flash firmware upgrades from HTTPS.


Ahhhh, Bingo! My thinking was not set straight on needing HTTPS access then. Thank you. That hopefully will solve my issues. I was figuring (hoping) it is probably something stupid simple like that. I'll let you know a status update. Thanks!
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6436
Location: UK, London, just across the river..

Posted: Wed Jul 07, 2021 20:05    Post subject:
On R7000 and R7800 only HTTPS works fine...
Just don't use Chrome-based browsers... I use Pale Moon only for router stuff...

I clearly didn't get your full issue: are the LEDs funny, or do you suspect having been wifi hacked?

Collect logs, firewall and syslog logs, do a Wireshark on a TAP... What type is your WAN connection...?

Of course WPA2 can be bruteforced, but it takes time if you use a crafty WiFi password... apart from that, there are a few other methods of overtaking WPA2 AES, some of them very easy, and you cannot do anything against it.. sadly... But you can create a honeypot and get some details about the perpetrator.. if he is that stupid... unless he is not; your final chance is a honeypot with a bomb, and he will get some fun too... but those cases require strategy, patience and planning... as well as some skills.

Other things that you can do: put some restrictions via DNSmasq/iptables and harden your router with static addresses and not free DHCP, but this is smoke and mirrors.

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
iamgroot
DD-WRT Novice


Joined: 07 Jul 2021
Posts: 4

Posted: Thu Jul 08, 2021 23:31    Post subject:
So it does appear that changing it to HTTPS-only mode was my primary culprit that I kept stumbling on. Boy, do I feel silly. And thank you Alozaros for pointing out that it does/can actually work on R7000/R7800s, so now I don't feel completely crazy, because I was pretty sure I had that feature working at one point or another? lol

I now have just HTTP mode, restricted IP address access, etc. etc. At least I was able to get the R6700 working OK; I still have the rest of the quick trick brick stack to flash through, but I don't anticipate that will be an issue now that I have the network cleaned up.

Alozaros wrote:
on R7000 and r7800 only https works fine...
just don't use chrome based browsers...i use pale-moon only for router stuff...


Yes, I've been using pale moon mostly or sometimes the latest Firefox or Firefox ESR kept up to date.

Quote:

I clearly didn't get your full issue, LEDs are funny or you suspect of been wifi hacked?

Collect logs, firewall and syslogs logs, do a Wireshark on TAP... What type is your WAN connection...?

Of course WPA2 can be bruteforced, but takes time, if you use a crafty WiFi password...apart of that, there are few other methods of overtaking WPA2 AES some of them very easy and you cannot do anything against it..sadly...But you can create a honeypot and get some details about the perpetrator..if he is that stupid...unless he is not, your final chance is honeypot with bomb Wink and he will get some fun too...but those cases require strategy, patience and planning...as well some skills Laughing

Other things that you can do it to put some restrictions via DNSmasq/iptables and harden you router with static addresses and not free DHCP, but this is smoken mirror


Yeah, I'm not 100% exactly sure how or where the initial vulnerability was that let "them" in, but it was a fairly sophisticated attack that started at the office. I've been trying to collect logs and data wherever possible to investigate more. We still have a stack of quarantined hard drives that we have not had time to do any forensics on, but unfortunately they compromised some key hardware and had root access to some systems, to the point where it was faster to just rip out all drives and replace motherboards & rebuild machines to get back online again.


It appeared, through a process of deduction, that my initial problem(s) with configuring the routers were actually because the initial live boot Linux USB keys (which I thought were trusted clean copies) were actually compromised through some sort of supply chain attack, ultimately resulting in my downloading what appeared to be legitimate copies of Linux (notably Mint/Ubuntu & a slightly older version of Fedora). Infected USB devices were mounting hidden filesystems and invisible keyboards etc.

With root access, the attacker would browser-hijack the settings when I would go to update admin panel stuff in DD-WRT, or any other cloud account from a compromised machine, for that matter, and automated bots would seem to re-write them as I was trying to secure them and attempt to erase their tracks, making me feel a little bit crazy as stuff would keep breaking as I fixed it and logs in the cloud were getting erased like they were never there.

Once I realized that even new copies of Linux I was downloading were getting corrupted with malicious code from strange servers, I switched to DVDs and was vigilant on verifying PGP keys and checking MD5/SHA sums etc. etc., updated multi-factor keys on cloud systems, and pretty much all of my issues have dissipated by now.

In any case, it's a good lesson for me to always verify that my PGP keys are correct and that I'm downloading software updates from trusted sources. Whew!
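The verification routine described in the post above (check the signature on the published checksum list first, then check the image against that list, and refuse to boot anything that fails either step), written out in POSIX sh as an added example that is not part of the original post. The file names SHA256SUMS and SHA256SUMS.gpg are assumed, as is a signing key already imported into the local keyring from a trusted source rather than from the mirror that served the image; the image path is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: verify a downloaded image against a
# GPG-signed checksum list before booting from it.
# Assumed layout (names are placeholders, typical for Linux distributions):
#   SHA256SUMS       checksum list published by the distribution
#   SHA256SUMS.gpg   detached signature over SHA256SUMS
#   <image>.iso      the file to verify
# The signing key must already be in the local keyring, obtained from a
# trusted source, not from the same mirror that served the image.

# Pick a SHA-256 tool: coreutils sha256sum, or shasum on systems without it.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Step 1: signature over the checksum list. Exits 0 only if gpg verifies it
# with a key already present in the keyring.
verify_sums_signature() {
    sums="$1"; sig="$2"
    gpg --verify "$sig" "$sums" >/dev/null 2>&1
}

# Step 2: the image's hash must appear in the list next to its file name.
# Returns 0 on match, 1 if the name is missing from the list, 2 on mismatch.
# Checksum lines look like "<hex>  name.iso" or "<hex> *name.iso".
verify_image_hash() {
    sums="$1"; image="$2"
    name=$(basename "$image")
    expected=$(awk -v n="$name" '{ f=$2; sub(/^\*/, "", f); if (f == n) print $1 }' "$sums")
    [ -n "$expected" ] || return 1
    actual=$(sha256_of "$image")
    [ "$actual" = "$expected" ] || return 2
}

# Full check: signature first, then hash. Anything other than 0 means do not
# boot from the image.
verify_download() {
    sums="$1"; sig="$2"; image="$3"
    if ! verify_sums_signature "$sums" "$sig"; then
        echo "FAILED: signature check on $sums" >&2
        return 1
    fi
    verify_image_hash "$sums" "$image" && rc=0 || rc=$?
    case $rc in
        0) echo "OK: $image matches the signed checksum list" ;;
        1) echo "FAILED: $image is not listed in $sums" >&2 ;;
        2) echo "FAILED: checksum mismatch for $image" >&2 ;;
    esac
    return $rc
}

# Usage: sh verify-iso.sh SHA256SUMS SHA256SUMS.gpg linux-image.iso
if [ $# -eq 3 ]; then
    verify_download "$1" "$2" "$3"
fi
```

The two steps are deliberately separate: a checksum list fetched from the same mirror as the image only proves the download was not corrupted in transit, and it is the signature check that ties the list to the distribution's key. The hash step exits differently for "not listed" and "mismatch" so a script driving it can tell a wrong file name from a tampered image.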
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14217
Location: Texas, USA

Posted: Thu Jul 08, 2021 23:51    Post subject:
It may only be enabled and usable on certain devices:

https://svn.dd-wrt.com/ticket/3589

But, I am sure if I scoured this forum for posts over the past few years, I will find a recent enough post that says a startup script is required for it to work properly. I still don't waste the time specifically because upgrading firmware over https is not enabled.

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6436
Location: UK, London, just across the river..

Posted: Fri Jul 09, 2021 6:40    Post subject:
HTTPS is working OK on R7800 and R700; I have been using those always.. do bear in mind it uses a self-signed certificate that you'd need to accept in your browser... but all is working as it should...

HTTPS has never worked on my TP-Link 4MB flash size routers... as it doesn't have enough space, as BS stated in the past... if I can recall correctly there was an attempt that was not OK, and since then HTTPS works only on 8MB+ flash size routers... (1043v2 is OK with HTTPS)...
Do not confuse with HTTPS over the WAN port...

You can harden GUI and SSH access with some iptables rules that limit/restrict GUI access, bound to a MAC address only.

iptables -I INPUT -p tcp --dport 443 -j REJECT
iptables -I INPUT -p tcp --dport 443 -s 192.168.1.101 -j ACCEPT

This will limit the HTTPS GUI to a specific IP given by the router DHCP, so you need to add a static IP bound to the MAC address.

Or this is to allow the GUI to a specific MAC only:

iptables -I INPUT -i br0 -p tcp --dport 443 -j REJECT
iptables -I INPUT -i br0 -p tcp --dport 443 -m mac --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT

A good idea is to change the SSH port to anything else and harden it with the same rules, for example...

*You can remove this bit to make the rule more general: (-i br0)

Do bear in mind nothing will help if your system is compromised from inside... but those above are good to have..

You can also limit DHCP-given addresses via DNSmasq with some other rules, so even if the attacker knows your wifi password they will not get an IP, but this is not a general solution...

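Putting together the two suggestions made in this thread, kernel-panic69's restriction of the webUI to a specific IP/MAC and Alozaros's REJECT/ACCEPT iptables pairs above, here is an added example of a DD-WRT firewall script; it is not from the thread or from the DD-WRT project. It assumes the LAN bridge is br0, that the admin host has a static DHCP lease so its address is stable, and that SSH is on port 22; the IP and MAC are constructed placeholders. It goes a little beyond the thread's rules: it covers SSH, HTTP and HTTPS in one pass, matches the admin host on both IP and MAC rather than one or the other, and only inserts a rule that is not already present, so re-running the script (DD-WRT re-runs the firewall script on WAN events) does not stack duplicates.

```shell
#!/bin/sh
# Added example (not from the thread or DD-WRT): restrict the router's admin
# services on the LAN bridge to one trusted host, matched by IP and MAC.
# Assumptions: LAN bridge is br0, the admin host has a static DHCP lease so
# its address is stable, SSH is on port 22. IP and MAC below are constructed
# placeholders; written for BusyBox sh as a DD-WRT firewall script.

LAN_IF="${LAN_IF:-br0}"
ADMIN_IP="${ADMIN_IP:-192.168.22.101}"        # placeholder
ADMIN_MAC="${ADMIN_MAC:-00:11:22:33:44:55}"   # placeholder
ADMIN_PORTS="${ADMIN_PORTS:-22 80 443}"       # SSH, HTTP, HTTPS
IPT="${IPT:-iptables}"   # overridable so the logic can be exercised without root

# Insert a rule only if an identical one is not already in the chain
# (iptables -C exits 0 when it finds a match). DD-WRT re-runs the firewall
# script on WAN events, so without this check the rules would pile up.
ipt_insert_once() {
    if "$IPT" -C "$@" 2>/dev/null; then
        return 0
    fi
    "$IPT" -I "$@"
}

# Ordering matters: -I places each new rule at the top of the chain. The
# REJECT goes in first, then the ACCEPT for the admin host, which therefore
# ends up above the REJECT when the chain is evaluated top-down.
apply_admin_rules() {
    for port in $ADMIN_PORTS; do
        ipt_insert_once INPUT -i "$LAN_IF" -p tcp --dport "$port" -j REJECT
        ipt_insert_once INPUT -i "$LAN_IF" -p tcp --dport "$port" \
            -s "$ADMIN_IP" -m mac --mac-source "$ADMIN_MAC" -j ACCEPT
    done
}

# Print the INPUT rules that touch the admin ports so the ACCEPT/REJECT
# order can be confirmed after applying.
show_admin_rules() {
    pat=$(printf '%s' "$ADMIN_PORTS" | tr ' ' '|')
    "$IPT" -S INPUT | grep -E -- "--dport ($pat) "
}

# Usage: sh admin-lockdown.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_admin_rules && show_admin_rules
fi
```

After `apply`, the printed rules should show each ACCEPT line above its REJECT; if the ACCEPT is missing, the only host left with admin access is the one physically on the serial console, which is the same lock-out the thread opener hit with HTTPS. Matching on `-s` and `--mac-source` together is stricter than either of the thread's single rules, since a client that spoofs one of the two still does not match. The `-i br0` restriction means the rules say nothing about the WAN side, which DD-WRT's default firewall already closes.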
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14217
Location: Texas, USA

Posted: Fri Jul 09, 2021 11:27    Post subject:
Alozaros wrote:
https has never worked on my TPlink 4MB flash size routers...as it doesn't have enough space, as BS stated in the past...if i can recall correctly there was an attempt that was not ok and since than https works only on 8MB+ flash size routers...(1043v2 is ok with https)...
Do not confuse https over WAN port...

Enabling HTTPS access on 8MB flash devices does not work, unless using a startup script makes it work. See the linked tickets below; there are 8MB devices that were reported as it not working. It has never worked on my E4200, and I have never bothered with the startup script because I locked down access another way.

https://svn.dd-wrt.com/ticket/5200 https://wikidevi.wi-cat.ru/TP-LINK_TL-WDR4300

https://svn.dd-wrt.com/ticket/5252 https://wikidevi.wi-cat.ru/Netgear_WNDR3700v1

I can test it and add amplifying information to the one ticket I re-opened, but the fact remains that upgrading the firmware via the HTTPS webUI is disabled, so what's the point, other than forcing a user to flash via CLI. It's a moot feature, to be quite honest.
