[nSLUG] Switched to Fibreop, telnet backdoor on Bell router

Rory rory at unixism.org
Tue Nov 18 11:06:39 AST 2014


Yeah, that ActionTec scares me.  In my case I left it in place and added 
my own router/firewall behind it.  I just assume that the Bell network 
is no safer than the open Internet and prefer to add my own layer. The 
one extra hop doesn't appreciably affect the service and I like the idea 
that nothing of the Bell world touches my desktops or servers directly.

The main advantage of replacing it is that you'll likely end up having 
to do less cabling, depending on where all your computers and TVs are 
located.

On 14-11-18 09:53 AM, D G Teed wrote:
>
> I now have Fibreop, and there are some changes, and one surprise.
>
> I could previously relay email from my own domain using
> postfix and the Eastlink SMTP.  Bell allows email only by
> authentication and the email must be from the Bell Aliant
> email address assigned.  (Can't disagree, I've done
> the same sort of restriction at my work's SMTP.)
>
> To resolve this, I used smtpcorp.com <http://smtpcorp.com> free SMTP
> service for relaying less than 20 emails a day.  Works
> for my domain's needs.
>
> The firewall on the Actiontec is OK, but not very flexible for
> dyndns users.  There doesn't seem to be a way to reproduce
> the Postrouting I had before with Linux so my dyndns domain
> works from inside the house.  I can see where replacing the
> Actiontec router can be useful.
>
> At least the thing is stable.  Half the consumer routers out there
> can't keep a ssh connection up over night.
>
> The surprise is the Actiontec router has what seems to be a backdoor
> of telnet open to the Internet.  I have set its firewall to not allow 23
> in or out, and I can still telnet to it from outside:
>
> $ telnet 47.XXX.YYY.ZZZ
> Trying 47.XXX.YYY.ZZZ...
> Connected to 47.XXX.YYY.ZZZ.
> Escape character is '^]'.
> ===Actiontec xDSL Router===
> Login:
>
> Nmap of the 2-254 range around my IP reveals hundreds of routers also open
> telnet access to the Internet.
>
> If you don't have access to nmap from outside your home, you can test
> with Gibson Research Corp's "Shields Up" website, and scan common ports.
>
> I called Bell support on this, and the guy was earnestly trying to help,
> but said they are not trained on the router's firewall and all he
> could suggest was a reset, to eliminate the possibility my port
> forwarding rules are the problem.  So its looking like I will reuse
> my Linux firewall with the vlan tweaks someone posted links to
> last year.
>
> The post #5 on this page seems to cover what I'd need to add
> on a basic (no wireless) Linux router (in my case,
> an Atom system with 2 NICs).
>
> http://digitalhome.ca/forum/showthread.php?t=134496
>
> vconfig comes with the package vlan on Debian.
>
> I remember DSL router backdoors as something from the 90's.
> Very surprised to see it still around today.
>
> Of course the speed is nice and my kids won't let me even talk
> about going back.
>
>
>
> _______________________________________________
> nSLUG mailing list
> nSLUG at nslug.ns.ca
> http://nslug.ns.ca/mailman/listinfo/nslug

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://nslug.ns.ca/pipermail/nslug/attachments/20141118/64c5aef6/attachment.html>


More information about the nSLUG mailing list