I really wish Ubiquiti radios had a separate management vlan option (in router mode), like ePMP does...
On Wed, May 4, 2016 at 6:10 PM, Josh Reynolds <j...@kyneticwifi.com> wrote:
> I would encourage you to put your CPEs on a management vlan, in RFC1918
> space.
>
> On Wed, May 4, 2016 at 6:00 PM, SmarterBroadband
> <li...@smarterbroadband.com> wrote:
> > Hi Tushar
> >
> > We run all radios in NAT mode.
> >
> > Adam
> >
> > From: Af [mailto:af-boun...@afmug.com] On Behalf Of Tushar Patel
> > Sent: Wednesday, May 04, 2016 3:34 PM
> > To: af@afmug.com
> > Subject: Re: [AFMUG] UBNT CPE being used for Abusive actions?
> >
> > Radios could be put on private ip so nobody from outside world can access
> > it. That is what we do.
> >
> > Tushar
> >
> > On May 4, 2016, at 5:22 PM, SmarterBroadband <li...@smarterbroadband.com>
> > wrote:
> >
> > I have received a number of emails for ab...@light-gap.net saying certain of
> > our IP addresses are being used for attacks (see email text below).
> >
> > All IP addresses are in UBNT radios. We are unable to remote access any of
> > these radios now. We see that the radio we are unable to access
> > rebooted a couple of days ago. A number of other radios show they rebooted
> > around the same time (in sequence) on the AP. We are unable to remote
> > access any of those either. Other radios with longer uptime on the AP’s are
> > fine.
> >
> > We have a tech en route to one of the customer sites.
> >
> > We think the radios are being made into bots. Anyone seen this or anything
> > like this? Do the hackers need a username and password to hack a radio?
> > I.E. Would a change of the password stop the changes being made to the
> > radios? Any other thoughts, suggestions or ideas?
> >
> > Thanks
> >
> > Adam
> >
> > Email Text below:
> >
> > “This is a semi-automated e-mail from the LG-Mailproxy authentication
> > system, all requests have been approved manually by the
> > system-administrators or are obviously unwanted (eg. requests to our
> > spamtraps).
> >
> > For further questions or if additional information is needed please reply to
> > this email.
> >
> > The IP xxx.xxx.xxx.xxx has been banned for 48 hours due to suspicious
> > behaviour on our system.
> >
> > This happened already 1 times.
> >
> > It might be be part of a botnet, infected by a trojan/virus or running
> > brute-force attacks.
> >
> > Our affected destination servers: smtp.light-gap.net, imap.light-gap.net
> >
> > Currently 7 failed/unauthorized logins attempts via SMTP/IMAP with 6
> > different usernames and wrong password:
> >
> > 2016-05-04T23:48:40+02:00 with username "downloads.openscience.or.at" (spamtrap account)
> > 2016-05-04T22:47:19+02:00 with username "sp_woq" (spamtrap account)
> > 2016-05-04T14:55:11+02:00 with username "info" (spamtrap account)
> > 2016-05-03T21:24:22+02:00 with username "fips" (spamtrap account)
> > 2016-05-03T20:57:19+02:00 with username "downloads.openscience.or.at" (spamtrap account)
> > 2016-05-03T10:13:59+02:00 with username "d10hw49WpH" (spamtrap account)
> > 2016-05-03T05:34:43+02:00 with username "12345678" (spamtrap account)
> >
> > Ongoing failed/unauthorized logins attempts will be logged and sent to you
> > every 24h until the IP will be permanently banned from our systems after 72
> > hours.
> >
> > The Light-Gap.net Abuse Team.”