Shortly before Christmas 2017 the hacker group Lizard Squad with a DDoS attack lamented the networks of Sony’s Playstation and Microsoft’s Xbox. At the beginning of January, security researcher Brien Krebs found out that the enormous bandwidth was made possible by the fact that the hackers dodged DSL routers with outdated firmware or standard passwords directly. Apparently the attack should only serve to advertise the “Lizard Stresser” christened hacker tool.
Check your router yourself
In fact, DSL routers should enjoy the full attention of users and manufacturers, this device separates the clear home network from the great evil world of the Internet. The quick response to security gaps and automatic updating of the firmware should be self-evident. However, with most manufacturers, the opposite is the case: to push prices, the life cycle of a DSL router is not thought out over the sales period. As a result, the DSL router is a security risk, especially when it comes to cheap restposten offers. Also the DSL providers provided by many providers free of charge are not a positive example for security because of the strong price pressure and the opened remote configuration portals.
Best way: Free firmware
To make things worse, routers provide printer servers and share USB drives as Windows Share or UPnP streaming. Often, manipulated web pages that use iFrame try to use standard passwords to access standard IPs of popular routers.
Secondary emergency service
No way back?
WRT on the router
The first obvious scenario is to check whether your router has already been hacked. This is not easy, because only the analysis is useful with a network vulnerability scanner such as OpenVAS. This is part of the free and free security and rescue Linux LessLinux Search and Rescue. In addition, the Google search for "
But: Any device with outdated firmware should be considered as hacked. Many attacks affect the configuration, so they are persistently persistent across a firmware update. Reset the router to factory defaults and create new WAP keys.
Now you have a DSL router, which was unfortunately terminated and therefore a security risk - for you, your home network, the entire Internet and me, whose router or server may be the target of attacks that are routed over your router or its mailserver Spam that is sent through your router. The logical consequence is to take the old router off the net, turn it off, get replacement. The replacement may be free from the provider, but occasionally only against a contract extension of 12 or 24 months.
Lesetipp: The best AC WLAN router
It is possible that the path to the local electronics market is more successful - whoever opens their eyes and makes himself aware of a usable and sufficiently long-lasting substitute already from 20 euros.
OpenWRT and DD-WRT are two related and highly interactive Linux projects for creating free firmware for DSL routers. The initial idea for the development of both was Linksys' router WRT54G, which came on the market in 2003 and used a Linux-based firmware, but without satisfying the conditions of the Open Source license GPL. On some public pressure, Linksys released the sources, and some intrepid programmers started to develop a first free firmware.
Today, in 99 percent of the cases, a free firmware of the two large OpenWRT and DD-WRT projects can be installed on explicitly supported devices, but a residual risk remains. Also, stable operation of the WLAN interface can not always be guaranteed. It is not the respective programmers of the firmware that are responsible for this, but rather the hardware manufacturers, who do not provide their own free drivers and who keep the documentation of the chipsets. However, with the increased volume of commercial firmware using free projects as a basis, hardware manufacturers are increasingly willing to ship their chips with free and well-documented drivers.
Before starting experiments with free firmware, you should provide a second router for the emergency. In order to minimize the risk of disconnecting the entire wireless network from the Internet, the author has just bought a TP-Link TL-WR841N (D) for around € 20. In principle, you should make your decision as to whether the old router becomes a primary or secondary device dependent on the hardware properties and, of course, your own deployment scenarios: devices with 5 GHz radio, two USB ports, Gigabit LAN like the TP link TL-WDR3600 is already available for under 50 euros. Even more important than the sometimes fantastic WLAN transmission rates is the memory expansion: 4 MByte Flash and 32 MByte RAM (as with the TL-WR841N (D)) are currently considered the minimum for the sensible operation with DD-WRT and OpenWRT: With this expansion A web front end can be held, and it is possible to use a guest WLAN or VPN.
Devices with 8 MB of RAM and 128 MB of RAM (eg TP-Link TL-WDR3600) have enough resources to support games such as home automation as well as VPN and guest networks, printer spoolers, Windows releases or media streaming (UPnP or Chromecast). USB ports allow the connection of additional hardware such as DVB-T sticks for use as a video recorder and allow the expansion of the memory via USB stick or disk. If you want, you can output up to 250 euros for a DD-WRT or OpenWRT-compatible router and receive up to 128 MB of RAM and 512 MB of RAM, several USB ports and often GPO (General Purpose Input Output) ports The connection of hardware to the measurement data acquisition or of the radio modules for the home automation - there is a long guarantee of a long service.
Conclusion
But even weaker devices do not always have to be disposed of: With 4 MB Flash and 16 MB RAM is usually stable operation with OpenWRT without Webinterface possible. If you already have some Linux experience, you will be able to quickly access SSH-Login in OpenWRT. Thus, a router with original firmware unsafe router with quite fast 802.11ng WLAN can still be used as an access point. In the new purchase, the price alone is not a guarantee of sufficient memory: Linksys still sells the WRT54GL with penguin on the cardboard box and the promise to use a free firmware. But this is only half the truth: A look at the OpenWRT Wiki shows that this router with 4 MB of RAM and 16 MB of RAM falls into the category, where stable operation is not possible with the web front end enabled.
Some manufacturers, such as Asus and Buffalo, rely on explicit collaboration with the developers of OpenWRT and DD-WRT on some product lines, and provide router-based DD-WRT-based firmware. With such devices the switch to a completely free firmware is usually easier. In general, no recommendation can be made for or against a specific manufacturer - in doubt, the wikis and forums of DD-WRT and OpenWRT provide hints for suitability and possible problems.
Before you flashed OpenWRT or DD-WRT on your own router, you should set up the second router and ensure that, in addition to the DSL access data, DHCP and WLAN settings are set so that all clients on the network can access the Internet with little effort , Problems with flashing should occur. The decision, whether OpenWRT or DD-WRT, is largely up to you. For OpenWRT the fast development temperature and the high modularity of the software, as well as the very clear web interface LuCI speaks. Against OpenWRT, the device requires quite detailed network knowledge - even an experienced user may spend half an hour until Ethernet, WLAN are configured as a bridge to the Ethernet and the DHCP server.
For DD-WRT, the standard settings, which are set for many cases, speak for the simplest operation and the more comfortable access to USB devices. For flashing, we recommend a minimal system configuration consisting of a notebook and a router connected via an Ethernet cable. You should assign an IP address to the PC from the address range of the router, for example 192.168.2.5 if the router has 192.168.2.1. If you do not know the IP address of the router, open a command shell cmd in Windows and type the command
Ipconfig / all
on. Under standard gateway stands the IP of the router. Important is the same netmask, usually this is 255.255.255.0. The router's IP address must also be entered as the gateway and first nameserver.
Now you can start the download of the image: With OpenWRT you will find the links to the current Barrier Breaker images on the respective device pages of the hardware wiki. If there is no link, please note the architecture of your router, eg ar71xx-generic in HardwareWiki, and then search for the exact matching firmware in the download folder. Look for the right hardware vision! A firmware for hardware v3 installed on v2 leads almost certainly to network problems. Please note that when you first flash, you must choose an image with factory in the name, but upgrade from one OpenWRT release to the next one is to use sysupgrade.
It looks similar to DD-WRT, look for your model, at editorial office were offered as stable version versions of March or April 2013 on most devices. Note the model name at the beginning of the firmware name, for example, tl-wdr3600, and click Other downloads. Here you can click through the year and the day of the last build - with editorial deadline this was the 22nd of December 2017.
In the directory of your router, you will usually find two images factory-to-ddwrt.bin for the first flashing from the original web interface and a file
If the interface has an option to reset all settings after the upgrade, activate this option; otherwise, variables of the same name in the NVRAM (a non-volatile memory) can prevent trouble-free operation. After upgrade and restart the DSL router is in most cases not reachable. This is because both OpenWRT and DD-WRT as the default network settings of the router use the IP address 192.168.1.1 with mask 255.255.255.0 - the static IP settings of the PC used for configuration must therefore be adapted again. Only if the final IP address of the DSL router is set and the DHCP server is activated, the Windows PC can be switched back to automatic addressing.
It sounds a little like a dream to tickle the features three times as expensive devices out of 50-euro router hardware - only by installing free software. In reality, the typical router functions, fast WLAN, VPN and use as a NAS, are fast and stable - thanks to the latest firmware, very secure.
However, if you are leaving abandoned paths and, for example, installing the DVB-T video recorder TVheadend on USB, you should be able to embark on one or the other night of the evening. There is nothing to lose: A failed installation is quickly deleted from the stick.
No comments:
Post a Comment