Router Security Checklist (Security Series)

In previous posts we learned what a router is and how to secure or harden it. This post serves as a one-stop checklist collected from multiple sources on the internet.

The following security checklist was retrieved from routersecurity.

Level setting: While connected to a VPN, all the tests on this page test the VPN server, not your router. Likewise, with Tor you end up testing your Tor exit node rather than your router. To test your router, it needs to be connected to a dumb modem. If, however, you have connected a router to a gateway device (combination modem, router and perhaps even telephone adapter) from your ISP, you may be testing the firewall in the gateway device rather than your router. To test your router in this case, the gateway device needs to be put in Bridge mode, which should disable its firewall.

DNS Server Tests

Defensive Computing mandates that you know what your DNS servers should be. There are three reasons to be aware of your DNS servers. First, changing the DNS servers in a router is a common attack, and without the websites listed below it could be a very long time before this malicious change was detected. Second, if you have a preferred set of DNS servers (perhaps OpenDNS or Quad9), the router you are connected to may ignore this preference and force you to use its DNS servers. I blogged about this in March 2018 (Some routers can force their DNS servers onto all devices). When connected to a public Wi-Fi network, you should always check whether the router running the network has imposed its DNS servers on your computer. Finally, we come to VPNs. If working well, the VPN client software on your computer should change your DNS servers to those run by the VPN provider. But sometimes this does not happen. I would advise checking your DNS servers before and after connecting to a VPN to ensure that they have changed.
  • At browserleaks.com/ip you need to scroll down to see your DNS servers. It reports the Hostname, ISP, city and country. The page also shows lots of other useful information such as your public IP address, host name, location and ISP.
  • DNS Leak Test is sponsored by VPN provider IVPN. It offers a quick standard test and a slower extended test. Both report the Hostname, ISP and Country for each detected DNS server (no city).
  • DNS Leak Test from VPN provider ExpressVPN reports the Country and "Provider" for each detected DNS server. It does not report a hostname or city. Note that it always warns that "Your DNS is exposed!" which really means you are not connected to ExpressVPN.
  • DNS Leaktest from VPN provider Perfect Privacy reports your current DNS servers. For each server it shows the IP address, computer name, ISP and host country. There is a bug, however: the ISP name is truncated.
  • dnsleak.com is sponsored and operated by London Trust Media, the company behind VPN provider Private Internet Access. It reports the hostname, city and country for each detected DNS server, but not the ISP.
  • ipx.ac is from VPN provider VPN.ac. Click the big orange button at the bottom of the page to see the IP address, country and ISP of detected DNS servers. It does not show the names of each DNS server.
  • Am I Mullvad? is a VPN tester page for the Mullvad VPN. In addition to confirming that you are connected to their VPN, it also shows the IP address, name and country of your DNS servers. And, it tests WebRTC too.
  • The F-Secure Router Checker does not really check routers, it simply reports on a DNS server. All the other DNS server checkers report on multiple detected DNS servers; F-Secure only reports on one. The company says their goal is to ensure that your router is using an "authorized DNS server" but there is no such thing and they don't define it. The service disappeared (from roughly Feb. 2016 through Aug. 2016) but as of mid-August 2016, it's back online.
  • The Tenta VPN tester reports more details about your DNS servers than anywhere else that I know of. That said, it used to have a CPU looping issue. More recently, it takes a very long time for the tests to complete.
  • If you are using OpenDNS, you can verify this at www.opendns.com/welcome/.
  • ipleak.net is from VPN provider AirVPN. It reports lots of things, including DNS servers. It is only available via HTTP, not HTTPS. It is also available on ports 8000 and 62222. This is my least favorite option as the font used is all but unreadable.
  • Some known BAD DNS servers: 91.194.254.105 (I lost track of the source). From a 2012 attack in Brazil: 5.104.175.150 and 5.104.175.151 (source). From a December 2016 article by Proofpoint: 46.17.102.10-24, 5.39.220.117-126, 217.12.218.114-121 and 93.115.31.194-244.
In May 2017, Trend Micro made a great point, that I had not previously considered. "Unfortunately, website-based tests may not be reliable once a home router has been compromised." With that in mind, it makes sense to check with the router directly, be it with a web interface or an app, to double check the DNS servers.
Windows users have another excellent option, the DNS query sniffer program by Nir Sofer. The program is free, portable and from a trustworthy source. It simply traces DNS requests and responses. Before connecting to a VPN, tell it to examine either your Wi-Fi or Ethernet connection to confirm the program is working. Then connect to the VPN and you should see no further DNS activity. As further proof that the VPN is handling things, tell the program to examine your VPN connection (Options -> Capture Options) and you should see all your DNS requests.
On a totally different plane is Steve Gibson's Router Crash Test. While working on a DNS spoofability test, Gibson accidentally discovered that he crashed some routers just by sending them legitimate DNS requests. This is a bit dated (Gibson has no creation dates on the pages of his site) but it takes only a few seconds to verify that your router does not fall prey to this attack. At the bottom of the page look for a gray "Initiate Router Crash Test" button.
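The "know what your DNS servers should be" check above, as an added example that is not part of the original post: it reads the resolvers a machine is configured with, compares them with the set you expect, flags any that fall in the known-bad addresses listed above (expanding ranges such as 46.17.102.10-24), and reports whether the set changed after connecting to a VPN. The resolv.conf text is a constructed sample; the Quad9 addresses are the expected set assumed here.

```python
"""Added example (not from the post): compare the resolvers a machine actually
uses with the ones you expect and with the bad resolvers named on the page."""
import ipaddress

# Known-bad resolvers quoted on the page; "a.b.c.10-24" means last octet 10..24.
KNOWN_BAD_SPECS = [
    "91.194.254.105",
    "5.104.175.150", "5.104.175.151",
    "46.17.102.10-24", "5.39.220.117-126",
    "217.12.218.114-121", "93.115.31.194-244",
]


def expand_spec(spec):
    """Expand 'a.b.c.x-y' into individual addresses; a plain address passes through."""
    head, _, last = spec.rpartition(".")
    if "-" not in last:
        return {spec}
    lo, hi = (int(v) for v in last.split("-", 1))
    return {f"{head}.{n}" for n in range(lo, hi + 1)}


KNOWN_BAD = set().union(*(expand_spec(s) for s in KNOWN_BAD_SPECS))


def parse_resolv_conf(text):
    """Return the nameserver addresses from resolv.conf-style text, in order.
    Caveat: on systemd-resolved hosts this file usually names the local stub
    127.0.0.53, so the real upstream servers must be read from resolvectl."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(fields[1])))
            except ValueError:
                pass  # ignore malformed entries
    return servers


def check_resolvers(configured, expected):
    """Classify each configured resolver and list expected ones that are missing."""
    verdicts = {}
    for ip in configured:
        if ip in KNOWN_BAD:
            verdicts[ip] = "known-bad"
        elif ip in expected:
            verdicts[ip] = "expected"
        else:
            verdicts[ip] = "unexpected"
    missing = sorted(set(expected) - set(configured))
    return verdicts, missing


def resolvers_changed(before, after):
    """True if the resolver set differs, e.g. after connecting to a VPN (it should)."""
    return set(before) != set(after)


# Constructed sample: a router-imposed resolver plus one from a known-bad range.
SAMPLE_RESOLV_CONF = """\
# handed out by the router's DHCP server (constructed sample)
nameserver 9.9.9.9
nameserver 192.168.1.1
nameserver 46.17.102.20
search lan
"""
EXPECTED = {"9.9.9.9", "149.112.112.112"}  # Quad9 primary and secondary (assumed)

if __name__ == "__main__":
    found = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    verdicts, missing = check_resolvers(found, EXPECTED)
    for ip, verdict in verdicts.items():
        print(f"{ip:16} {verdict}")
    if missing:
        print("expected but not configured:", ", ".join(missing))
```

On a real machine, replace SAMPLE_RESOLV_CONF with the contents of /etc/resolv.conf (or the output of ipconfig /all on Windows) taken before and after the VPN connects.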

Firewall Testers

Port Status: An "open" port responds to unsolicited incoming requests. A "closed" port (a.k.a. "refused" in Nmap lingo) is accessible, but there is no application listening on it. A status of "stealth" (a.k.a. "filtered" to Nmap) means data sent to the port generates no response at all. This is the most secure status.
  • See what Shodan knows about your router on my Shodan page. A Not Found result is a good thing. Any open ports are bad.
  • Steve Gibson's Shields UP! is an oldie but goodie. Stealth is the best status. Closed is OK. Open is bad news. Start with the "Common Ports" test which tests ports: 0, 21, 22, 23, 25, 79, 80, 110, 113, 119, 135, 139, 143, 389, 443, 445, 1002, 1024, 1025, 1026, 1027, 1028, 1029, 1030, 1720 and 5000. Then, move on to the "All Service Ports" test which tests all the ports from zero to 1055 and takes about 70 seconds to run. If all is well, it will say "Passed" in green and the status of every port will be "stealth". The passing grade also means that the router does not reply to Ping commands on the WAN port. A perfect report looks like this. (Alternate URL)
  • The Speed Guide Security Scan tests 85 ports out of the box. If you register and create an account, then it scans 359 ports. It does not tell you which 85 ports it scans. It will report some of the ports are filtered and others are "open|filtered" without explaining the terms. Click the small blue "START" button. If all is well, it will say "Our Security Scan found NO open ports."
  • Shields UP! can also test a single port, a feature called portprobe. There is no GUI interface though, you have to make your own URL. This example, grc.com/x/portprobe=999, tests port 999 and changing it to test another port is self-explanatory. Gibson does not address TCP vs. UDP, so I have to assume the test is TCP only.
  • Network Port Checker and Scanner Tool at ipfingerprints.com lets you test an arbitrary range of ports, both for TCP and UDP. And, you can test any online device, not just the router you are connected to. It also has some advanced features. Based on nmap.
  • The Nmap Online Port Scanner is a free demo of a paid service. Give it an IP address or domain name and it scans ports: 21 (FTP), 22 (SSH), 23 (Telnet), 25 (SMTP), 80 (HTTP), 110 (POP3), 143 (IMAP), 443 (HTTPS), 445 (SMB) and 3389 (RDP). It uses nmap with version detection enabled.
  • An option on the Speed Guide Security Scan lets you scan any port for TCP, UDP or both. Or, you can make a link such as speedguide.net/portscan.php?port=999&tcp=1&udp=1 which scans port 999 for both TCP and UDP.
  • The website pentest-tools.com offers two port scanners based on nmap. One is for UDP, the other is for TCP. See their Terms of Service (PDF)
  • The Port Scanner at mxtoolbox.com scans 25 TCP (no UDP) ports: 21 (ftp), 22 (ssh), 23 (telnet), 25 (smtp), 53 (dns), 80 (http), 110 (pop3), 111 (portmapper/rpcbind), 135 (Microsoft RPC services), 139 (netbios), 143 (imap), 389 (ldap), 443 (https), 445 (SMB over IP), 587 (msa-outlook), 1025 (IIS, NFS, or the RFS remote_file_sharing listener), 1352 (Lotus Notes), 1433 (SQL Server), 1723 (PPTP), 3306 (MySQL), 3389 (Microsoft Remote Desktop, RDP), 5060 (SIP), 5900 (VNC), 6001 (X Window server) and 8080 (webcache). Port status is reported using Nmap naming conventions (refused is the same as closed and filtered is the same as stealth).
  • The Port Scanners page at WhatsMyIP.org can scan a single port or four different groups of common ports. They don't say if the scans are TCP, UDP or both. A port that does not respond is said to time out. This does not differentiate between closed and stealthed ports, making it relatively useless.
  • Security company Incapsula suggested using www.yougetsignal.com/tools/open-ports/ by Kirk Ouimet. But, it only scans one port at a time, does not say anything about TCP vs. UDP and does not differentiate between Closed and Stealthed ports.

TCP Ports to Test

Note that while connected to a VPN, these tests test the VPN server, not your router. Same for Tor. An "open" port responds to unsolicited incoming requests. A "closed" port (a.k.a. "refused" in Nmap lingo) is accessible, but there is no application listening on it. A status of "stealth" (a.k.a. "filtered" to Nmap) means data sent to the port generates no response at all. This is the most secure status. This list is extremely incomplete.

UDP Ports to Test

Note that while connected to a VPN, these tests test the VPN server, not your router. Same for Tor. This list is extremely incomplete.
  • UPnP and SSDP use port 1900 and do not belong on the Internet. They were intended for LAN use only. Test port 1900.
  • In March 2018, Cisco issued a fix for a bounds-checking error in IOS/IOS XE's quality-of-service subsystem. The flaw can be attacked on UDP port 18999. Test UDP port 18999.
  • As per Attackers are now abusing exposed LDAP servers to amplify DDoS attacks (by Lucian Constantin Oct 26, 2016) Connectionless LDAP (CLDAP), a variant of LDAP (Lightweight Directory Access Protocol) that uses UDP, is being abused in DDoS attacks. LDAP is used in corporate networks and "its use directly on the internet is considered risky and is highly discouraged." Yet, SHODAN reports over 140,000 systems using it. Test port 389 TCP and port 389 UDP.
  • NAT-PMP, like UPnP, lets a LAN-resident device poke a hole in the router firewall. It was designed by Apple who uses it for Back to My Mac. It listens on UDP port 5351. In 2014 it was discovered that over a million devices, connected to the Internet, had this port open on the WAN side. Oops. Some companies making devices with this flaw were Belkin, Netgear, Technicolor, Ubiquiti and ZyXEL. The Shadowserver Foundation scans for this daily. On Nov. 11, 2016 they found 1.2 million devices exposing NAT-PMP. More here and here. Test port 5351.
  • The Asus infosvr service listens on UDP port 9999. It has a buggy history (see here and here and here and here). It is supposed to be a LAN side only issue (see the section below on LAN side port testing); still, it can't hurt to test it on the WAN side too if you have an Asus router. Test port 9999.
  • If you are not using SNMP, and most people are not, then UDP ports 161 and 162 should be closed. A device running SNMP can be abused in SNMP amplification attacks, a type of DDoS attack. The Shadowserver Foundation scans the Internet for devices that respond to SNMP commands on UDP port 161. In mid-November 2016, they found 3,490,417 such devices. Test port 161 and Test port 162.
  • Port 1233. The Toshiba Service Station application receives commands via this port and was found to be a security issue in December 2015. More here. Test it.
  • If you are not using an L2TP VPN then port 1701 should not be open. Not sure if this uses UDP, better safe than sorry. Test port 1701.
  • A bug in Netis and Netcore routers could be exploited on port 53413. Read more here and here. From Aug. 2014. According to a mid-November 2016 scan by the Shadowserver Foundation, there are 20,320 vulnerable routers online, the vast majority of which are in China. Netis routers are sold in the US. Test port 53413.
  • In September 2016, a backdoor was found in a D-Link router. Sending "HELODBG" to UDP port 39889 would cause the router to run Telnet, letting a bad guy log in without a password. Test port 39889.
  • Port 631 is used for Internet Printing Protocol with both TCP and UDP. More about this is in the above section on TCP ports
UDP Port testers
The links above, that test individual UDP ports, look like this
  http://www.speedguide.net/portscan.php?udp=1&port=999
This example would test port 999. SpeedGuide can also test individual ports at their Security Scan page where you can enter any port number and choose to test UDP and/or TCP.
Another website offering UDP port tests is the UDP Port Scan with Nmap page at Pentest-Tools.com. It can test a range of UDP ports, a list of UDP ports or individual ports.

LAN side port testing

TELNET: Individual LAN side ports can be tested from a computer on the LAN with Telnet. Windows 7 and 8.1 users will have to first install the Telnet client using: Control Panel -> Programs and Features -> click on "Turn Windows features on or off" in the left side column -> Turn on the checkbox for Telnet Client -> Click OK. On OS X ....
To use telnet on Windows, open a Command Prompt window, type "telnet ipaddress portnumber". For example: "telnet 192.168.1.1 80". There needs to be a space on both sides of the IP address. If the port is closed, Windows will complain that it "could not open connection to the host on port 80: connect failed". If the port is open, the responses vary, you may just see a blank screen. You can also telnet to a computer by name, such as "telnet somewhere.com 8080"
ID Serve: ID Serve is a small, portable, Internet Server Identification Utility for Windows, created by Steve Gibson. It was written in 2003 and has not been updated since. The initial screen explains its purpose, the Server Query tab is where it does its work. You can query a computer by name (www.amazon.com) or by IP address. It defaults to port 80, but you can force a different port by adding a colon and the port number after the computer name or IP address (no spaces). If data comes back from the query, ID Serve displays it all. This data may identify the server software. If data does not come back, the message, in my experience, will either be "The port is closed, so our connection attempt was refused" or "No response was received from the machine and port at that IP. The machine may be offline or the connection port may be stealthed". ID Serve is limited to TCP (no UDP) and does not support HTTPS.
BROWSER: You can also test a port with a web browser. For example, http://192.168.1.1:999 would test TCP port 999 (of course, modify the IP address as necessary for your router). I don't think a browser can test a UDP port, it is limited to TCP.
NMAP: This command tests UDP ports 11 through 13 on the device at IP address 1.2.3.4
  nmap -sU -p 11-13 1.2.3.4

TCP/IP Port Information

HNAP Testing

The Home Network Administration Protocol is a network device management protocol dating back to 2007. There are four problems with HNAP. One, is that it has a long history of buggy implementations. It can also tell bad guys technical details of a router making it easier for them to find an appropriate vulnerability to attack. The fact that a router supports HNAP may not be visible in its administrative interface. Worst of all, HNAP often can not be disabled. Four strikes, you're out.
You can test if a router supports HNAP by typing http://1.2.3.4/HNAP1/ where 1.2.3.4 is the IP address of your router. Of course, every router has two IP addresses: one on the public side and one on the private side. I suggest testing for HNAP on each.
You can learn your public IP address at many websites, such as ipchicken.com and checkip.dyndns.com. For the LAN side of a router, see my Sept. 2013 blog Find the IP address of your home router.
If HNAP is enabled, this test displays basic device information about your router in an XML file. See sample output. If it fails, there will be some type of error about the web page not being able to be displayed, perhaps a 404 Not Found error.
If HNAP is enabled, try to turn it off in the router administrative interface and then test again. You may not be able to turn it off. For more, see the HNAP page.

URLs to try from your LAN

In these examples, 1.2.3.4 represents the LAN side IP address of the router.
As per Scott Helme's 2014 description of his BrightBox router, try the URL below, where 1.2.3.4 is the IP address of your router. A good result returns nothing but an error message. Here is a sample of a bad result.
   http://1.2.3.4/cgi/cgi_status.js
In December 2016, Pedro Ribeiro reported on flaws in the Netgear WNR2000 router. If you own a Netgear router, it can't hurt to check for information leakage with the URL below. It may leak the device serial number.
   http://1.2.3.4/BRS_netgear_success.html
Many Netgear routers had a security flaw in December 2016 (see here and here for more). The command below tests a Netgear router. If this results in a web page with the word "Vulnerable", then the router is vulnerable. Netgear has issued fixes for all vulnerable routers.
  http://www.routerlogin.net/cgi-bin/;echo$IFS'Vulnerable'
This issue with port 32764 is explained above in the TCP Ports to Test section.
   http://1.2.3.4:32764
In September 2017, security firm Embedi found port 19541 open on many D-Link routers. It responds to commands such as one to reboot the router. They did not find any way to close the port. The default IP address is 192.168.0.1 but the router may also respond to dlinkrouter.local.
   http://1.2.3.4:19541

UPnP Testers

UPnP is dangerous because it lets computing devices (typically IoT devices) punch a hole in the router's firewall. This exposes them to the Internet where their poor security, such as default passwords, can be abused. This danger involves UPnP being enabled on the LAN side of the router. I am still looking for a LAN side tester.
UPnP on the WAN/Internet side of a router is a totally different problem. UPnP was never meant to be exposed on the Internet. The online tester below ensures that your router does not respond to UPnP requests sent to it over the Internet. For more on why UPnP from the Internet side of a router is an issue at all, see my Jan. 2013 blog Check your router now, before Lex Luthor does.
UPnP is relatively hard to test for as there are two components to the protocol. Discovering UPnP enabled devices is done with the Simple Service Discovery Protocol (SSDP) which listens on UDP port 1900. The actual communication between devices is done via HTTP on varying ports. SSDP tells clients which port to use for HTTP communication. According to Rapid7, the TCP port number varies by vendor and is often chosen at random. Ugh. Their report notes that some Broadcom, D-Link and TP-Link routers use TCP port 5431, some devices use port 80 and still others use 2869.
  • Steve Gibson added UPnP testing to his ShieldsUP! service in January 2013. On the first page, click on the gray Proceed button. On the next page, click on the yellow/orange button for GRC's Instant UPnP Exposure Test.
  • Rapid7 used to offer an online UPnP Check but they discontinued it.
  • Rapid7 also discontinued their installable ScanNow program that scanned a LAN for UPnP enabled devices and reported if the devices were running buggy versions of UPnP software. This was useful to ensure that your router was also not responding to UPnP on the LAN side. The program only ran on Windows and required 32 bit versions of either Java 6 or Java 7. As for why they abandoned ScanNow, see ScanNow DLL Search Order Hijacking Vulnerability and Deprecation.
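The two-part SSDP/HTTP discovery described above, as an added example that is not part of the original post and not one of the testers it lists: it sends one M-SEARCH to the SSDP multicast group on your own LAN, parses any replies, and pulls the host and port out of the LOCATION header, which is how you learn the vendor-specific HTTP port (5431, 80, 2869 or something else) the router uses for UPnP. The sample reply is constructed; the discover() function is what you would run on the LAN.

```python
"""Added example (not from the post): SSDP M-SEARCH probe plus a parser for the
replies, to learn whether a router answers UPnP discovery and on which HTTP port."""
import socket
from urllib.parse import urlsplit

SSDP_GROUP = ("239.255.255.250", 1900)  # multicast group and UDP port used by SSDP


def build_msearch(search_target="upnp:rootdevice", mx=2):
    """Build the M-SEARCH datagram that asks UPnP devices to announce themselves."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_GROUP[0]}:{SSDP_GROUP[1]}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {search_target}\r\n"
        "\r\n"
    ).encode("ascii")


def parse_ssdp_reply(datagram):
    """Parse an SSDP 'HTTP/1.1 200 OK' reply into {lowercase header: value}.
    Returns None for anything else (for example an unsolicited NOTIFY)."""
    lines = datagram.decode("utf-8", errors="replace").split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def description_endpoint(headers):
    """(host, port) of the device-description URL in LOCATION, or None.
    This is the per-vendor HTTP port the page talks about (5431, 80, 2869, ...)."""
    location = headers.get("location")
    if not location:
        return None
    parts = urlsplit(location)
    if not parts.hostname:
        return None
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname, port


def discover(timeout=3.0):
    """Send one M-SEARCH on the LAN; return (sender_ip, host, port, server banner)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    found = []
    try:
        sock.sendto(build_msearch(), SSDP_GROUP)
        while True:
            data, (sender, _) = sock.recvfrom(65535)
            headers = parse_ssdp_reply(data)
            endpoint = description_endpoint(headers) if headers else None
            if endpoint:
                found.append((sender, *endpoint, headers.get("server", "")))
    except socket.timeout:
        pass  # no more replies within the MX window
    finally:
        sock.close()
    return found


# Constructed reply of the kind a router sends back (all values made up).
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"LOCATION: http://192.168.1.1:5431/dyndev/uuid:0000-example\r\n"
    b"SERVER: Linux/2.6 UPnP/1.0 ExampleRouter/1.0\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for sender, host, port, server in discover():
        print(f"{sender} answers SSDP; description served at {host}:{port} ({server})")
```

If your router's LAN address shows up in the output, it is answering UPnP discovery on the LAN side, and the printed port is the one its HTTP control interface uses.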

Modem Tests

A modem is a computer and it too can have bugs. Chances are the modem has an IP address such as 192.168.100.1. If nothing else, you should try to access the modem by its IP address so that technical information about your Internet connection is available to you. Also, you want to see what information is available without a password; some modems expose too much. If there is a password, then change it from the default.
As per ARRIS Cable Modem has a Backdoor in the Backdoor try to view the page below. An error viewing the page is the good result. See a video of this hack.
http://192.168.100.1/cgi-bin/tech_support_cgi
As per ARRIS DG860A NVRAM Backup Password Disclosure you should try to view the URL below. Again, an error is the good result.
http://192.168.0.1/router.data
For better security, a router may be able to block access to the modem by blocking its IP address. I blogged about modem access from the LAN side of a router in February 2015. While it can be helpful to directly access the modem, it can also be dangerous. See Talk to your modem and Using a router to block a modem. Some routers can do this, some can not. Dumbed down routers, such as the consumer mesh systems (eero, Google Wifi, Ubiquiti AmpliFi, etc) can not do this.
A great way to see if a modem is accessible from the LAN side is to ping it using the command below. Hopefully, the command fails.
ping 192.168.100.1
If it is pingable, then test Telnet access to the modem with the command below. Failure is the secure outcome.
telnet 192.168.100.1
Another good test is nmap. The simplest command is
nmap 192.168.100.1
For a much more comprehensive look at the LAN side of the modem use the command below:
nmap -v -A -p 1-65535 192.168.100.1
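An added example that is not part of the original post, serving both the LAN side port testing section above (telnet/browser/nmap) and the modem checks just described: it classifies TCP ports with the same open / closed / stealth vocabulary the page uses, and UDP ports with nmap's closed / open / open|filtered, without needing telnet or nmap installed. The router address 192.168.1.1 is an assumption (use 192.168.100.1 for the modem); loopback_demo() shows the three outcomes offline.

```python
"""Added example (not from the post): classify LAN-side TCP and UDP ports the way
the page and nmap describe them (open / closed / stealth, open|filtered)."""
import socket

ROUTER = "192.168.1.1"  # assumed LAN address; use 192.168.100.1 for the modem


def tcp_status(host, port, timeout=2.0):
    """open = handshake completed; closed = host refused (sent RST);
    stealth = nothing came back at all (nmap calls this 'filtered')."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "stealth"
    except OSError as exc:
        return f"error: {exc.strerror}"  # e.g. no route to host
    finally:
        sock.close()


def udp_status(host, port, timeout=2.0):
    """UDP has no handshake: an ICMP port-unreachable means closed, a datagram
    back means open, and silence is what scanners report as 'open|filtered'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))  # connect() so ICMP errors are delivered here
        sock.send(b"\x00")
        sock.recv(512)
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "open|filtered"
    except OSError as exc:
        return f"error: {exc.strerror}"
    finally:
        sock.close()


def loopback_demo():
    """Offline demonstration on 127.0.0.1: a listening TCP port, a TCP port that
    was just released (so it refuses), and a UDP listener that never answers."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    released = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    released.bind(("127.0.0.1", 0))
    free_port = released.getsockname()[1]
    released.close()
    silent = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    silent.bind(("127.0.0.1", 0))
    try:
        return {
            "tcp_listening": tcp_status("127.0.0.1", listener.getsockname()[1], 1.0),
            "tcp_released": tcp_status("127.0.0.1", free_port, 1.0),
            "udp_silent": udp_status("127.0.0.1", silent.getsockname()[1], 0.5),
        }
    finally:
        listener.close()
        silent.close()


if __name__ == "__main__":
    print(loopback_demo())
    # Ports the page singles out: TCP 23/80/32764/19541, UDP 1900/5351/161/9999.
    for port in (23, 80, 32764, 19541):
        print(f"tcp/{port}: {tcp_status(ROUTER, port)}")
    for port in (1900, 5351, 161, 9999):
        print(f"udp/{port}: {udp_status(ROUTER, port)}")
```

Ping is left out deliberately because ICMP needs raw sockets; the page's ping command covers that step.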

IP Version 6 Testers

I know of no reason for IPv6 to be enabled on a home router. If it is enabled on yours, try to disable it then verify that it's really off. All the sites below are only available via HTTP.
  • Test for the existence of IP version 6 at whatismyv6.com. Click on the "IPv6 only Test" or go directly to ipv6.whatismyv6.com. It is a good thing if ipv6.whatismyv6.com fails to load in your browser.
  • Another site, ipv6leak.com is from London Trust Media, Inc. I don't know who they are, but the site is linked to by VPN provider PrivateInternetAccess.
  • test-ipv6.com is from Jason Fesler. It offers many technical details and is open source (see Github). The point of view here is that IP v6 is good, which I don't agree with.
  • Check IP from VPN provider Perfect Privacy reports connection details (IP address, DNS server, City and Country) for both IPv4 and IPv6. If it doesn't find any IPv6, the message is: "You do not seem to have IPv6 connectivity."
  • From Wireshark.org: IPv4 and IPv6 Connectivity Test

Android Apps

  • According to the company, RouterCheck "is the first consumer tool for protecting your home router ... RouterCheck is like an anti-virus system for your router. It protects your router from hackers..." It's an Android app. I have not tried it.
  • The Avast Wi-Fi Finder can do a network scan to show all devices connected to the network. It also claims to offer a Wi-Fi Security Scan that finds potential security holes and issues on the network.

WebRTC

Technically, WebRTC is not a router thing, it is a web browser thing. This section is here just for the heck of it. Anyone using a VPN needs to run these tests. WebRTC can expose your public IP address which is normally hidden by the VPN. If you use more than one browser, you need to run these WebRTC tests on each one.

External References for router security

  • https://www.irs.gov/pub/irs-utl/switch_router.xls
  • https://www.sans.org/media/score/checklists/NISPOM-Checklist.xls
  • http://www.cuiaa.org/IT-Questionnaires.xls

