Security advice direct from Draytek:
Every time we hear news about network intrusions or security vulnerabilities, such as the recent major news about the SolarWinds Orion hack, we always hope that these events will never happen in Vigor routers. In fact, cyber attacks have been going on all the time. We also often see many failed attempts to log in or connect to the router during our company's daily network check, as shown in the syslog below. Most of them are Web login and VPN dial-in. Therefore, it is strongly recommended that you follow the list below to check the security settings in your Vigor router and make sure that all settings are configured properly to avoid disaster.
The following are the security settings we usually recommend. Please also provide this information to all your customers to avoid a disaster.
- Use the latest firmware we have released, because those firmware versions include security patches.
- Use a strong password for admin login and all VPN profiles. Change the password often.
- Disable any services and VPN profiles not needed, e.g. OpenVPN, PPTP VPN, or remote management (Web, SNMP, Telnet, SSH, FTP) from WAN. If the service is turned on, please enable the access list or specify the VPN peer IP to restrict access.
- Enable Brute Force Protection in the Management setup page.
- Record Syslog and turn on Mail Alerts, and review the logs periodically. When seeing abnormal attack events, we can enable DoS Defense and block those IPs by using the Blacklist.
- Re-sign and change the default security certificates for SSL or HTTPS access.
- Consider using 2-FA for web and VPN login.
Here are the login-failure logs often received on our test routers:
Dec 14 16:05:50 192.168.177.1 HQ: is_user_in_sslgroup, _SSL_GROUP
Dec 14 16:05:50 192.168.177.1 HQ: [SSL]Portal login fail from IP 218.255.242.246!
Dec 14 16:06:08 192.168.177.1 HQ: PPTP accept client from 218.255.242.246:50212 ...
Dec 14 16:06:08 192.168.177.1 HQ: [PPTP][Radius/LDAP][0:vivian][@218.255.242.246] I/O read error, fast close
Dec 14 16:06:08 192.168.177.1 HQ: [PPTP][@218.255.242.246] pppShutdown
Dec 14 16:06:08 192.168.177.1 HQ: Destroy pptp connection ifno: 69, socket: -1
Dec 14 16:10:03 192.168.177.1 HQ: error : next payload type of ISAKMP Identification Payload has an unknown value: 244
Dec 14 16:10:03 192.168.177.1 HQ: [IPSEC/IKE][Local][502:-][@218.255.242.246] smalformed payload: probable authentication (preshared secret) failure
Dec 14 23:48:16 192.168.177.1 HQ: [Unknown][DOWN][OpenVPN]
Dec 14 23:48:16 192.168.177.1 HQ: OpenVPN (VPN-11, 51.81.142.36) HARD RESET V2, start negotiation
176482:Dec 10 09:56:19 V3910_394RC3: Get_GRE_Index_from_Callid failed? gre_idx=0x????27AB/MAX_PORT=150000
176504:Dec 10 09:56:19 V3910_394RC3: Incoming Call Failed : No Such Entry for admin
176505:Dec 10 09:56:19 V3910_394RC3: Incoming Call Failed : No Such Entry for admin
176570:Dec 10 09:56:20 V3910_394RC3: [PPTP][Radius/LDAP][0:admin][@213.108.134.182] Radius authentication fail
176571:Dec 10 09:56:20 V3910_394RC3: PPTP (VPN-100, admin) ==> Protocol:CHAP(c223) Failure Identifier:0x01 E=691 R=1 C=40424445C607A87962D7123040484D50 V=0 M=Good luck! ##
176737:Dec 10 09:56:23 V3910_394RC3: Get_GRE_Index_from_Callid failed? gre_idx=0x????27C2/MAX_PORT=150000
176950:Dec 10 09:56:26 V3910_394RC3: Incoming Call Failed : No Such Entry for vpn
176951:Dec 10 09:56:26 V3910_394RC3: Incoming Call Failed : No Such Entry for vpn
177010:Dec 10 09:56:27 V3910_394RC3: [PPTP][Radius/LDAP][0:vpn][@213.108.134.183] Radius authentication fail
177011:Dec 10 09:56:27 V3910_394RC3: PPTP (VPN-123, vpn) ==> Protocol:CHAP(c223) Failure Identifier:0x01 E=691 R=1 C=1945DCA80E42DCAA9105405E6D75FA3D V=0 M=Good luck! ##
177156:Dec 10 09:56:29 V3910_394RC3: Get_GRE_Index_from_Callid failed? gre_idx=0x????27A0/MAX_PORT=150000
177170:Dec 10 09:56:29 V3910_394RC3: Incoming Call Failed : No Such Entry for test
177171:Dec 10 09:56:29 V3910_394RC3: Incoming Call Failed : No Such Entry for test
177231:Dec 10 09:56:30 V3910_394RC3: [PPTP][Radius/LDAP][0:test][@213.108.134.181] Radius authentication fail
177232:Dec 10 09:56:30 V3910_394RC3: PPTP (VPN-89, test) ==> Protocol:CHAP(c223) Failure Identifier:0x01 E=691 R=1 C=999717D7386902CFB62A64821159FED1 V=0 M=Good luck! ##
177331:Dec 10 09:56:31 V3910_394RC3: Get_GRE_Index_from_Callid failed? gre_idx=0x????2757/MAX_PORT=150000
177347:Dec 10 09:56:31 V3910_394RC3: Incoming Call Failed : No Such Entry for user
177348:Dec 10 09:56:31 V3910_394RC3: Incoming Call Failed : No Such Entry for user
177409:Dec 10 09:56:32 V3910_394RC3: [PPTP][Radius/LDAP][0:user][@217.108.135.182] Radius authentication fail
177410:Dec 10 09:56:32 V3910_394RC3: PPTP (VPN-16, user) ==> Protocol:CHAP(c223) Failure Identifier:0x01 E=691 R=1 C=E2CC41FCDACA427F1E6E96ABB63CFFE1 V=0 M=Good luck! ##
177527:Dec 10 09:56:34 V3910_394RC3: Get_GRE_Index_from_Callid failed? gre_idx=0x????277E/MAX_PORT=150000
177538:Dec 10 09:56:34 V3910_394RC3: Incoming Call Failed : No Such Entry for 1
177539:Dec 10 09:56:34 V3910_394RC3: Incoming Call Failed : No Such Entry for 1
177627:Dec 10 09:56:35 V3910_394RC3: [PPTP][Radius/LDAP][0:1][@213.108.134.183] Radius authentication fail
177628:Dec 10 09:56:35 V3910_394RC3: PPTP (VPN-55, 1) ==> Protocol:CHAP(c223) Failure Identifier:0x01 E=691 R=1 C=470EF2E55F9CBBCB54197C2E07F4EBE7 V=0 M=Good luck! ##
177803:Dec 10 09:56:37 V3910_394RC3: [PPTP][Radius/LDAP][0:test][@213.108.134.181] Radius authentication fail
177804:Dec 10 09:56:37 V3910_394RC3: PPTP (VPN-51, test) ==> Protocol:CHAP(c223) Failure Identifier:0x01 E=691 R=1 C=BE5A281004FF7D3C9C4D26934A26148C V=0 M=Good luck! ##
177927:Dec 10 09:56:39 V3910_394RC3: Get_GRE_Index_from_Callid failed? gre_idx=0x????2792/MAX_PORT=150000
177946:Dec 10 09:56:39 V3910_394RC3: Incoming Call Failed : No Such Entry for 123
177947:Dec 10 09:56:39 V3910_394RC3: Incoming Call Failed : No Such Entry for 123
178075:Dec 10 09:56:41 V3910_394RC3: [APM] [VigorAP920R_632C00] GET temper/traffic data failed
178108:Dec 10 09:56:41 V3910_394RC3: Get_GRE_Index_from_Callid failed? gre_idx=0x????27AD/MAX_PORT=150000
178124:Dec 10 09:56:41 V3910_394RC3: Incoming Call Failed : No Such Entry for vpn
178125:Dec 10 09:56:41 V3910_394RC3: Incoming Call Failed : No Such Entry for vpn
To stop these unknown login attempts, we can enable Brute Force Protection in the Management setup page.
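The "review the logs periodically" and "block those IPs by using the Blacklist" steps above can be partly automated. The following is an added example (not DrayTek's code) that groups the authentication-failure events seen in the syslog format above by source IP and reports the addresses that cross a threshold; the regexes and the sample lines (RFC 5737 documentation addresses) are constructed for this example.

```python
import re
from collections import Counter, defaultdict

IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"

# Failure signatures for the event types shown in the syslog above.
# The regexes are assumptions written for this example; "Incoming Call
# Failed : No Such Entry" lines carry no source IP and are not counted.
FAIL_SIGNATURES = [
    ("ssl-portal", re.compile(r"\[SSL\]Portal login fail from IP " + IPV4)),
    ("pptp", re.compile(r"\[PPTP\]\[Radius/LDAP\]\[\d+:(?P<user>[^\]]*)\]\[@"
                        + IPV4 + r"\] Radius authentication fail")),
    ("ipsec-psk", re.compile(r"\[IPSEC/IKE\].*?\[@" + IPV4 + r"\].*preshared secret")),
]

# Constructed sample lines in the router's syslog format (documentation IPs).
SAMPLE_SYSLOG = """\
Dec 14 16:05:50 192.168.177.1 HQ: [SSL]Portal login fail from IP 203.0.113.7!
Dec 14 16:05:52 192.168.177.1 HQ: [SSL]Portal login fail from IP 203.0.113.7!
Dec 14 16:06:08 192.168.177.1 HQ: PPTP accept client from 203.0.113.7:50212 ...
Dec 14 16:06:09 192.168.177.1 HQ: [PPTP][Radius/LDAP][0:admin][@203.0.113.7] Radius authentication fail
Dec 14 16:06:11 192.168.177.1 HQ: [PPTP][Radius/LDAP][0:vpn][@203.0.113.7] Radius authentication fail
Dec 14 16:10:03 192.168.177.1 HQ: [IPSEC/IKE][Local][502:-][@198.51.100.9] smalformed payload: probable authentication (preshared secret) failure
Dec 14 16:12:00 192.168.177.1 HQ: [PPTP][Radius/LDAP][0:alice][@192.0.2.44] Radius authentication fail
""".splitlines()

def parse_failures(lines):
    """Yield (event, source_ip, username_or_None) for each auth-failure line."""
    for line in lines:
        for event, pat in FAIL_SIGNATURES:
            m = pat.search(line)
            if m:
                yield event, m.group("ip"), m.groupdict().get("user")
                break

def candidates_for_blacklist(lines, threshold=3):
    """Group failures by source IP and return those at or above the threshold,
    with per-event counts and the usernames tried, for Blacklist review."""
    per_ip = defaultdict(lambda: {"count": 0, "events": Counter(), "users": set()})
    for event, ip, user in parse_failures(lines):
        rec = per_ip[ip]
        rec["count"] += 1
        rec["events"][event] += 1
        if user is not None:
            rec["users"].add(user)
    return {ip: rec for ip, rec in per_ip.items() if rec["count"] >= threshold}

if __name__ == "__main__":
    for ip, rec in candidates_for_blacklist(SAMPLE_SYSLOG).items():
        print(f"{ip}: {rec['count']} failures {dict(rec['events'])} users={sorted(rec['users'])}")
```

Feed it the router's exported syslog (one line per entry) and tune the threshold to the site's normal failure rate before acting on the output.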