Security advice direct from DrayTek:


Every time we hear news about network intrusions or security vulnerabilities, such as the recent major news about the SolarWinds Orion hack, we hope that such events will never happen on Vigor routers. In fact, cyber attacks are going on all the time. In our company's daily network checks we also often see many failed attempts to log in or connect to the router, as the syslog excerpts below show. Most of them are Web login and VPN dial-in attempts. Therefore, it is strongly recommended that you follow the list below to check the security settings on your Vigor router and make sure that all settings are configured properly to avoid a disaster.

The following are the security settings we usually recommend. Please also provide this information to all your customers to avoid a disaster.

  1. Use the latest firmware we have released, because those releases contain security patches.
  2. Use a strong password for admin login and all VPN profiles. Change the password often.
  3. Disable any services and VPN profiles that are not needed, e.g. OpenVPN, PPTP VPN, or remote management (Web, SNMP, Telnet, SSH, FTP) from WAN.
    If a service is turned on, please enable the access list or specify the VPN peer IP to restrict access.
  4. Enable Brute Force Protection on the Management setup page.
  5. Record Syslog and turn on Mail Alerts, and review the logs periodically.
    When abnormal attack events appear, we can enable DoS Defense and block those IPs by using the Blacklist.
  6. Re-sign and change the default security certificates for SSL or HTTPS access.
  7. Consider using 2FA for web and VPN login.

Here are the login-failure logs we often receive on our test routers:


Dec 14 16:05:50 192.168.177.1 HQ: is_user_in_sslgroup, _SSL_GROUP

Dec 14 16:05:50 192.168.177.1 HQ: [SSL]Portal login fail from IP 218.255.242.246!
Dec 14 16:06:08 192.168.177.1 HQ: PPTP accept client from 218.255.242.246:50212 ...
Dec 14 16:06:08 192.168.177.1 HQ: [PPTP][Radius/LDAP][0:vivian][@218.255.242.246] I/O read error, fast close
Dec 14 16:06:08 192.168.177.1 HQ: [PPTP][@218.255.242.246] pppShutdown
Dec 14 16:06:08 192.168.177.1 HQ: Destroy pptp connection ifno: 69, socket: -1
Dec 14 16:10:03 192.168.177.1 HQ: error : next payload type of ISAKMP Identification Payload has an unknown value: 244
Dec 14 16:10:03 192.168.177.1 HQ: [IPSEC/IKE][Local][502:-][@218.255.242.246] smalformed payload: probable authentication (preshared secret) failure


Dec 14 23:48:16 192.168.177.1 HQ: [Unknown][DOWN][OpenVPN]
Dec 14 23:48:16 192.168.177.1 HQ: OpenVPN (VPN-11, 51.81.142.36) HARD RESET V2, start negotiation


176482:Dec 10 09:56:19 V3910_394RC3: Get_GRE_Index_from_Callid failed? gre_idx=0x????27AB/MAX_PORT=150000

176504:Dec 10 09:56:19 V3910_394RC3: Incoming Call Failed : No Such Entry for admin

176505:Dec 10 09:56:19 V3910_394RC3: Incoming Call Failed : No Such Entry for admin

176570:Dec 10 09:56:20 V3910_394RC3: [PPTP][Radius/LDAP][0:admin][@213.108.134.182] Radius authentication fail

176571:Dec 10 09:56:20 V3910_394RC3: PPTP (VPN-100, admin) ==> Protocol:CHAP(c223) Failure Identifier:0x01 E=691 R=1 C=40424445C607A87962D7123040484D50 V=0 M=Good luck! ##

176737:Dec 10 09:56:23 V3910_394RC3: Get_GRE_Index_from_Callid failed? gre_idx=0x????27C2/MAX_PORT=150000

176950:Dec 10 09:56:26 V3910_394RC3: Incoming Call Failed : No Such Entry for vpn

176951:Dec 10 09:56:26 V3910_394RC3: Incoming Call Failed : No Such Entry for vpn

177010:Dec 10 09:56:27 V3910_394RC3: [PPTP][Radius/LDAP][0:vpn][@213.108.134.183] Radius authentication fail

177011:Dec 10 09:56:27 V3910_394RC3: PPTP (VPN-123, vpn) ==> Protocol:CHAP(c223) Failure Identifier:0x01 E=691 R=1 C=1945DCA80E42DCAA9105405E6D75FA3D V=0 M=Good luck! ##

177156:Dec 10 09:56:29 V3910_394RC3: Get_GRE_Index_from_Callid failed? gre_idx=0x????27A0/MAX_PORT=150000

177170:Dec 10 09:56:29 V3910_394RC3: Incoming Call Failed : No Such Entry for test

177171:Dec 10 09:56:29 V3910_394RC3: Incoming Call Failed : No Such Entry for test

177231:Dec 10 09:56:30 V3910_394RC3: [PPTP][Radius/LDAP][0:test][@213.108.134.181] Radius authentication fail

177232:Dec 10 09:56:30 V3910_394RC3: PPTP (VPN-89, test) ==> Protocol:CHAP(c223) Failure Identifier:0x01 E=691 R=1 C=999717D7386902CFB62A64821159FED1 V=0 M=Good luck! ##

177331:Dec 10 09:56:31 V3910_394RC3: Get_GRE_Index_from_Callid failed? gre_idx=0x????2757/MAX_PORT=150000

177347:Dec 10 09:56:31 V3910_394RC3: Incoming Call Failed : No Such Entry for user

177348:Dec 10 09:56:31 V3910_394RC3: Incoming Call Failed : No Such Entry for user

177409:Dec 10 09:56:32 394RC3: [PPTP][Radius/LDAP][0:user][@217.108.135.182] Radius authentication fail

177410:Dec 10 09:56:32 V3910_394RC3: PPTP (VPN-16, user) ==> Protocol:CHAP(c223) Failure Identifier:0x01 E=691 R=1 C=E2CC41FCDACA427F1E6E96ABB63CFFE1 V=0 M=Good luck! ##

177527:Dec 10 09:56:34 V3910_394RC3: Get_GRE_Index_from_Callid failed? gre_idx=0x????277E/MAX_PORT=150000

177538:Dec 10 09:56:34 V3910_394RC3: Incoming Call Failed : No Such Entry for 1

177539:Dec 10 09:56:34V3910_394RC3: Incoming Call Failed : No Such Entry for 1

177627:Dec 10 09:56:35 V3910_394RC3: [PPTP][Radius/LDAP][0:1][@213.108.134.183] Radius authentication fail

177628:Dec 10 09:56:35V3910_394RC3: PPTP (VPN-55, 1) ==> Protocol:CHAP(c223) Failure Identifier:0x01 E=691 R=1 C=470EF2E55F9CBBCB54197C2E07F4EBE7 V=0 M=Good luck! ##

177803:Dec 10 09:56:37 V3910_394RC3: [PPTP][Radius/LDAP][0:test][@213.108.134.181] Radius authentication fail

177804:Dec 10 09:56:37 V3910_394RC3: PPTP (VPN-51, test) ==> Protocol:CHAP(c223) Failure Identifier:0x01 E=691 R=1 C=BE5A281004FF7D3C9C4D26934A26148C V=0 M=Good luck! ##

177927:Dec 10 09:56:39V3910_394RC3: Get_GRE_Index_from_Callid failed? gre_idx=0x????2792/MAX_PORT=150000

177946:Dec 10 09:56:39 V3910_394RC3: Incoming Call Failed : No Such Entry for 123

177947:Dec 10 09:56:39 V3910_394RC3: Incoming Call Failed : No Such Entry for 123

178075:Dec 10 09:56:41 V3910_394RC3: [APM] [VigorAP920R_632C00] GET temper/traffic data failed

178108:Dec 10 09:56:41 V3910_394RC3: Get_GRE_Index_from_Callid failed? gre_idx=0x????27AD/MAX_PORT=150000

178124:Dec 10 09:56:41 V3910_394RC3: Incoming Call Failed : No Such Entry for vpn

 178125:Dec 10 09:56:41 V3910_394RC3: Incoming Call Failed : No Such Entry for vpn


To stop these unknown login attempts, we can enable Brute Force Protection on the Management setup page.
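An added example (not DrayTek's code) for the periodic log review in item 5: it tallies failed SSL portal, PPTP and IPsec logins per source IP from syslog lines in the formats shown above and lists candidates for the Blacklist. The sample lines are constructed, and the function names and thresholds are assumptions.

```python
import re
from collections import defaultdict

IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
# Failure messages, in the formats that appear in the log excerpts above.
PATTERNS = [
    ("ssl-portal", re.compile(r"\[SSL\]Portal login fail from IP " + IP)),
    ("pptp", re.compile(r"\[PPTP\]\[Radius/LDAP\]\[\d+:(?P<user>[^\]]*)\]\[@" + IP
                        + r"\] Radius authentication fail")),
    ("ipsec", re.compile(r"\[IPSEC/IKE\]\[[^\]]*\]\[[^\]]*\]\[@" + IP
                         + r"\].*authentication \(preshared secret\) failure")),
]

# Constructed sample lines (RFC 5737 documentation addresses, made-up host name).
SAMPLE_LOG = """\
176570:Dec 10 09:56:20 ROUTER: [PPTP][Radius/LDAP][0:admin][@203.0.113.7] Radius authentication fail
176571:Dec 10 09:56:20 ROUTER: Incoming Call Failed : No Such Entry for admin
177010:Dec 10 09:56:27 ROUTER: [PPTP][Radius/LDAP][0:vpn][@203.0.113.7] Radius authentication fail
177231:Dec 10 09:56:30 ROUTER: [PPTP][Radius/LDAP][0:test][@203.0.113.7] Radius authentication fail
Dec 14 16:05:50 ROUTER: [SSL]Portal login fail from IP 198.51.100.23!
Dec 14 16:10:03 ROUTER: [IPSEC/IKE][Local][502:-][@198.51.100.23] smalformed payload: probable authentication (preshared secret) failure
Dec 14 16:12:00 ROUTER: [PPTP][Radius/LDAP][0:vivian][@192.0.2.50] Radius authentication fail
"""

def failures_by_source(lines):
    """Return {ip: {"count", "services", "users"}} for failed login lines."""
    stats = defaultdict(lambda: {"count": 0, "services": set(), "users": set()})
    for line in lines:
        for service, pattern in PATTERNS:
            m = pattern.search(line)  # search() tolerates a leading "NNN:" prefix
            if m:
                entry = stats[m.group("ip")]
                entry["count"] += 1
                entry["services"].add(service)
                user = m.groupdict().get("user")  # only PPTP lines carry a name
                if user:
                    entry["users"].add(user)
                break
    return dict(stats)

def blacklist_candidates(stats, min_failures=3, min_users=2):
    """IPs with repeated failures or several tried usernames (assumed thresholds)."""
    return sorted(ip for ip, s in stats.items()
                  if s["count"] >= min_failures or len(s["users"]) >= min_users)

if __name__ == "__main__":
    stats = failures_by_source(SAMPLE_LOG.splitlines())
    for ip in blacklist_candidates(stats):
        print(ip, stats[ip]["count"], sorted(stats[ip]["users"]))
```
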