Often, we read in news articles about network intrusions or security vulnerabilities resulting in cyber-attacks against a company network. By examining the router's syslog, you may see many failed attempts to log in or connect to the router from the Internet. Most of them are Web login and VPN dial-in attempts. Therefore, it is strongly recommended that you check the security settings in your Vigor router to ensure all settings are optimised to reduce the chances of your network being compromised.

The tips below list some settings to check in your Vigor router:

  1. Use the latest firmware. This usually includes the latest security patches.
  2. Use a secure password for admin login and all VPN profiles. Change the password often.
  3. Disable any services and VPN profiles not needed, e.g., OpenVPN, PPTP VPN, or remote management (Web, SNMP, telnet, SSH, FTP) from WAN.
  4. If the VPN service is enabled, use the access list feature or specify the VPN peer IP to restrict VPN access.
  5. Enable Brute Force Protection on the Management setup page. (Brute Force Protection for VPN will be introduced in upcoming firmware versions.)
  6. Record Syslog and turn on Mail Alerts, and review the logs periodically.
  7. When an abnormal attack event occurs, enable DoS Defense and block the offending IPs by using the Blacklist.
  8. Re-sign and change the default security certificates for SSL or HTTPS access.
  9. Consider using 2-Factor Authentication for web and VPN login.

Examples of attempted logins from the Internet are:

Dec 14 16:05:50 HQ: is_user_in_sslgroup, _SSL_GROUP

Dec 14 16:05:50 HQ: [SSL]Portal login fail from IP!

Dec 14 16:06:08 HQ: PPTP accept client from …

Dec 14 16:06:08 HQ: [PPTP][@] pppShutdown

Dec 14 16:06:08 HQ: Destroy pptp connection ifno: 69, socket: -1

Dec 14 16:10:03 HQ: error : next payload type of ISAKMP Identification Payload has an unknown value: 244

Dec 14 16:10:03 HQ: [IPSEC/IKE][Local][502:-][@] smalformed payload: probable authentication (preshared secret) failure

Dec 14 23:48:16 HQ: [Unknown][DOWN][OpenVPN]

Dec 14 23:48:16 HQ: OpenVPN (VPN-11, HARD RESET V2, start negotiation

176950:Dec 10 09:56:26 V3910_394RC3: Incoming Call Failed : No Such Entry for vpn

176951:Dec 10 09:56:26 V3910_394RC3: Incoming Call Failed : No Such Entry for vpn

177010:Dec 10 09:56:27 V3910_394RC3: [PPTP][Radius/LDAP][0:vpn][@] Radius authentication fail

177011:Dec 10 09:56:27 V3910_394RC3: PPTP (VPN-123, vpn) ==> Protocol:CHAP(c223) Failure Identifier:0x01 E=691 R=1 C=1945DCA80E42DCAA9105405E6D75FA3D V=0 M=Good luck! ##

177156:Dec 10 09:56:29 V3910_394RC3: Get_GRE_Index_from_Callid failed? gre_idx=0x????27A0/MAX_PORT=150000

177170:Dec 10 09:56:29 V3910_394RC3: Incoming Call Failed : No Such Entry for test

177171:Dec 10 09:56:29 V3910_394RC3: Incoming Call Failed : No Such Entry for test

177231:Dec 10 09:56:30 V3910_394RC3: [PPTP][Radius/LDAP][0:test][@] Radius authentication fail

177232:Dec 10 09:56:30 V3910_394RC3: PPTP (VPN-89, test) ==> Protocol:CHAP(c223) Failure Identifier:0x01 E=691 R=1 C=999717D7386902CFB62A64821159FED1 V=0 M=Good luck! ##

177331:Dec 10 09:56:31 V3910_394RC3: Get_GRE_Index_from_Callid failed? gre_idx=0x????2757/MAX_PORT=150000

To stop these unknown login attempts, you can enable the Brute Force Protection feature on the “System Maintenance >> Management” menu page of DrayOS routers.
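For the periodic log review in tip 6, the following is an added example (not DrayTek code) that tallies the failure messages shown in the excerpts above by service and by attempted user name. The category labels and function name are hypothetical, and the signatures cover only the message formats that appear on this page.

```python
import re
from collections import Counter

# Failure signatures copied from the log excerpts above; the category names are
# hypothetical labels. A "user" group captures the account name that was tried.
SIGNATURES = [
    ("ssl_portal_login_fail", re.compile(r"\[SSL\]Portal login fail")),
    ("vpn_unknown_profile", re.compile(r"Incoming Call Failed : No Such Entry for (?P<user>\S+)")),
    ("pptp_radius_fail", re.compile(r"\[PPTP\]\[Radius/LDAP\]\[\d+:(?P<user>[^\]]*)\].*Radius authentication fail")),
    ("pptp_chap_fail", re.compile(r"PPTP \(VPN-\d+, (?P<user>[^)]*)\) ==> Protocol:CHAP\(c223\) Failure")),
    ("ipsec_psk_fail", re.compile(r"probable authentication \(preshared secret\) failure")),
]
# Optional "NNNN:" prefix (as in the second excerpt), then "Mon DD HH:MM:SS host: message".
LINE = re.compile(r"^(?:\d+:)?[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d (?P<host>[^:\s]+): (?P<msg>.*)$")

def summarize(lines):
    """Count failure log lines per category and per attempted user name.
    One dial-in attempt emits several lines, so these are line counts, not attempts."""
    by_category, by_user = Counter(), Counter()
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a syslog line in the expected layout
        for category, sig in SIGNATURES:
            hit = sig.search(m["msg"])
            if hit:
                by_category[category] += 1
                user = hit.groupdict().get("user")
                if user:
                    by_user[user] += 1
                break
    return by_category, by_user

# Sample input: lines taken verbatim from the excerpts on this page.
SAMPLE = """\
Dec 14 16:05:50 HQ: [SSL]Portal login fail from IP!
Dec 14 16:06:08 HQ: [PPTP][@] pppShutdown
Dec 14 16:10:03 HQ: [IPSEC/IKE][Local][502:-][@] smalformed payload: probable authentication (preshared secret) failure
176950:Dec 10 09:56:26 V3910_394RC3: Incoming Call Failed : No Such Entry for vpn
177010:Dec 10 09:56:27 V3910_394RC3: [PPTP][Radius/LDAP][0:vpn][@] Radius authentication fail
177011:Dec 10 09:56:27 V3910_394RC3: PPTP (VPN-123, vpn) ==> Protocol:CHAP(c223) Failure Identifier:0x01 E=691 R=1 C=1945DCA80E42DCAA9105405E6D75FA3D V=0 M=Good luck! ##
177170:Dec 10 09:56:29 V3910_394RC3: Incoming Call Failed : No Such Entry for test
177231:Dec 10 09:56:30 V3910_394RC3: [PPTP][Radius/LDAP][0:test][@] Radius authentication fail
"""

if __name__ == "__main__":
    categories, users = summarize(SAMPLE.splitlines())
    print(dict(categories))
    print(users.most_common())
```

Generic account names such as `vpn` and `test` appearing against profiles that do not exist on the router are typical of automated guessing, which is the traffic the access list and Brute Force Protection settings above are meant to cut off.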