I would encourage you to put your CPEs on a management vlan, in RFC1918 space.
On Wed, May 4, 2016 at 6:00 PM, SmarterBroadband <li...@smarterbroadband.com> wrote: > Hi Tushar > > > > We run all radios in NAT mode. > > > > Adam > > > > From: Af [mailto:af-boun...@afmug.com] On Behalf Of Tushar Patel > Sent: Wednesday, May 04, 2016 3:34 PM > To: af@afmug.com > Subject: Re: [AFMUG] UBNT CPE being used for Abusive actions? > > > > Radios could be put on private ip so nobody from outside world can access > it. That is what we do. > > Tushar > > > > > On May 4, 2016, at 5:22 PM, SmarterBroadband <li...@smarterbroadband.com> > wrote: > > I have received a number of emails for ab...@light-gap.net saying certain of > our IP address are being used for attacks (see email text below). > > > > All IP addresses are in UBNT radios. We are unable to remote access any of > the these radios now. We see that the radio we are unable to access > rebooted a couple of days ago. A number of other radios show they rebooted > around the same time (in sequence) on the AP. We are unable to remote > access any of those either. Other radios with longer uptime on the AP’s are > fine. > > > > We have a tech on route to one of the customer sites. > > > > We think the radios are being made into bots. Anyone seen this or anything > like this? Do the hackers need a username and password to hack a radio? > I.E. Would a change of the password stop the changes being made to the > radios? Any other thoughts, suggestions or ideas? > > > > Thanks > > > > Adam > > > > Email Text below: > > > > “This is a semi-automated e-mail from the LG-Mailproxy authentication > system, all requests have been approved manually by the > system-administrators or are obviously unwanted (eg. requests to our > spamtraps). > > For further questions or if additional information is needed please reply to > this email. > > > > The IP xxx.xxx.xxx.xxx has been banned for 48 hours due to suspicious > behaviour on our system. > > This happened already 1 times. > > It might be be part of a botnet, infected by a trojan/virus or running > brute-force attacks. > > > > Our affected destination servers: smtp.light-gap.net, imap.light-gap.net > > > > Currently 7 failed/unauthorized logins attempts via SMTP/IMAP with 6 > different usernames and wrong password: > > 2016-05-04T23:48:40+02:00 with username "downloads.openscience.or.at" > (spamtrap account) > > 2016-05-04T22:47:19+02:00 with username "sp_woq" (spamtrap account) > > 2016-05-04T14:55:11+02:00 with username "info" (spamtrap account) > > 2016-05-03T21:24:22+02:00 with username "fips" (spamtrap account) > > 2016-05-03T20:57:19+02:00 with username "downloads.openscience.or.at" > (spamtrap account) > > 2016-05-03T10:13:59+02:00 with username "d10hw49WpH" (spamtrap account) > > 2016-05-03T05:34:43+02:00 with username "12345678" (spamtrap account) > Ongoing failed/unauthorized logins attempts will be logged and sent to you > every 24h until the IP will be permanently banned from our systems after 72 > hours. > > > > The Light-Gap.net Abuse Team.” > >