Ahhh.. the moto influence is strong in this one...
;)

On Thu, May 5, 2016 at 12:07 PM, Chuck Macenski <ch...@macenski.com> wrote:
> I can add you to the list. There is a fee for this service, however :)
>
> On Thu, May 5, 2016 at 11:28 AM, Ken Hohhof <af...@kwisp.com> wrote:
>>
>> Chuck M will come to my house? And bring Legos? Where do I sign up?
>>
>> From: That One Guy /sarcasm
>> Sent: Thursday, May 05, 2016 10:53 AM
>> To: af@afmug.com
>> Subject: Re: [AFMUG] UBNT CPE being used for Abusive actions?
>>
>> Chuck M will come to your house and put legos in all your shoes if you badmouth the airfiber :-)
>>
>> On Thu, May 5, 2016 at 10:17 AM, Chuck Macenski <ch...@macenski.com> wrote:
>>>
>>> I hate it when people lump airFiber into these things. I know of no security holes in airFiber that don't require you to already be logged into the unit (where you can change the configuration until your heart's content). AirFiber also supports a very simple to configure management VLAN (I don't know how it could be simpler) to keep inband management traffic away from the IP of the unit. If that isn't enough, you can simply disable inband management and use the out-of-band management port; no one can then access the management traffic from the user traffic flows.
>>>
>>> Good morning :)
>>>
>>> Chuck
>>>
>>> On Wed, May 4, 2016 at 11:39 PM, Mathew Howard <mhoward...@gmail.com> wrote:
>>>>
>>>> 5.6.2, I think, fixed one of them more serious security flaws, and that was released less than a year ago... and it looks like 5.6.3 and 5.6.4 (which was released very recently) also had security fixes. I believe most of those vulnerabilities applied to the AC and airFiber firmware as well.
>>>>
>>>> Ubiquiti has been good about releasing fixes quickly when they find vulnerabilities, but that doesn't help if nobody bothers to update anything.
>>>>
>>>> On Wed, May 4, 2016 at 9:12 PM, Eric Kuhnke <eric.kuh...@gmail.com> wrote:
>>>>>
>>>>> I know about the very old firmware version for M series stuff that is vulnerable to a known worm.
>>>>>
>>>>> But let's assume you do have ubnt devices with public IPs (which is a bad idea). What's the attack surface? http, https, ssh, snmp
>>>>>
>>>>> Provided you have chosen a reasonably complex admin login and password there are no current, known remote root exploits for current (or within the past 2 years) ubnt firmware on M or AC devices, right?
>>>>>
>>>>> On Wed, May 4, 2016 at 7:00 PM, Josh Luthman <j...@imaginenetworksllc.com> wrote:
>>>>>>
>>>>>> Public IP on Ubnt. What else do you need to know?
>>>>>>
>>>>>> Josh Luthman
>>>>>> Office: 937-552-2340
>>>>>> Direct: 937-552-2343
>>>>>> 1100 Wayne St
>>>>>> Suite 1337
>>>>>> Troy, OH 45373
>>>>>>
>>>>>> On May 4, 2016 9:59 PM, "Eric Kuhnke" <eric.kuh...@gmail.com> wrote:
>>>>>>>
>>>>>>> The thread got this far and no one has wondered how the CPE was pwned in the first place?
>>>>>>>
>>>>>>> On Wed, May 4, 2016 at 6:55 PM, Mathew Howard <mhoward...@gmail.com> wrote:
>>>>>>>>
>>>>>>>> Yeah, I looked at setting it up that way at one point, but something didn't look like it was going to work quite the way I wanted it to... but I probably spent all of five minutes on it, so it may very well be possible. The way ePMP does it is really nice though... and simple.
>>>>>>>>
>>>>>>>> On Wed, May 4, 2016 at 8:38 PM, Josh Luthman <j...@imaginenetworksllc.com> wrote:
>>>>>>>>>
>>>>>>>>> People do it for sure. I want to say there was an example on the forums or somewhere...
>>>>>>>>>
>>>>>>>>> Josh Luthman
>>>>>>>>> Office: 937-552-2340
>>>>>>>>> Direct: 937-552-2343
>>>>>>>>> 1100 Wayne St
>>>>>>>>> Suite 1337
>>>>>>>>> Troy, OH 45373
>>>>>>>>>
>>>>>>>>> On May 4, 2016 9:35 PM, "Mathew Howard" <mhoward...@gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>> I have our ePMP's setup to get their public IP via PPPoE, and the radio also gets a completely separate private management IP via DHCP, which is the only way you can remotely access the radio, and it doesn't even have to be in a separate vlan unless you want it to be... and it's one checkbox to configure it.
>>>>>>>>>>
>>>>>>>>>> I'm not sure if that can be duplicated on UBNT or not, since I haven't really tried yet, but at the very least it's a lot more complicated to configure.
>>>>>>>>>>
>>>>>>>>>> On Wed, May 4, 2016 at 7:04 PM, Josh Luthman <j...@imaginenetworksllc.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>> It does...you just need to set it up that way.
>>>>>>>>>>>
>>>>>>>>>>> Josh Luthman
>>>>>>>>>>> Office: 937-552-2340
>>>>>>>>>>> Direct: 937-552-2343
>>>>>>>>>>> 1100 Wayne St
>>>>>>>>>>> Suite 1337
>>>>>>>>>>> Troy, OH 45373
>>>>>>>>>>>
>>>>>>>>>>> On Wed, May 4, 2016 at 7:54 PM, Mathew Howard <mhoward...@gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> I really wish Ubiquiti radios had a separate management vlan option (in router mode), like ePMP does...
>>>>>>>>>>>>
>>>>>>>>>>>> On Wed, May 4, 2016 at 6:10 PM, Josh Reynolds <j...@kyneticwifi.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> I would encourage you to put your CPEs on a management vlan, in RFC1918 space.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Wed, May 4, 2016 at 6:00 PM, SmarterBroadband <li...@smarterbroadband.com> wrote:
>>>>>>>>>>>>> > Hi Tushar
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > We run all radios in NAT mode.
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > Adam
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > From: Af [mailto:af-boun...@afmug.com] On Behalf Of Tushar Patel
>>>>>>>>>>>>> > Sent: Wednesday, May 04, 2016 3:34 PM
>>>>>>>>>>>>> > To: af@afmug.com
>>>>>>>>>>>>> > Subject: Re: [AFMUG] UBNT CPE being used for Abusive actions?
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > Radios could be put on private ip so nobody from outside world can access it. That is what we do.
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > Tushar
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > On May 4, 2016, at 5:22 PM, SmarterBroadband <li...@smarterbroadband.com> wrote:
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > I have received a number of emails for ab...@light-gap.net saying certain of our IP addresses are being used for attacks (see email text below).
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > All IP addresses are in UBNT radios. We are unable to remote access any of these radios now. We see that the radio we are unable to access rebooted a couple of days ago. A number of other radios show they rebooted around the same time (in sequence) on the AP. We are unable to remote access any of those either. Other radios with longer uptime on the AP’s are fine.
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > We have a tech en route to one of the customer sites.
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > We think the radios are being made into bots. Anyone seen this or anything like this? Do the hackers need a username and password to hack a radio? I.E. Would a change of the password stop the changes being made to the radios? Any other thoughts, suggestions or ideas?
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > Thanks
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > Adam
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > Email Text below:
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > “This is a semi-automated e-mail from the LG-Mailproxy authentication system, all requests have been approved manually by the system-administrators or are obviously unwanted (eg. requests to our spamtraps).
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > For further questions or if additional information is needed please reply to this email.
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > The IP xxx.xxx.xxx.xxx has been banned for 48 hours due to suspicious behaviour on our system.
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > This happened already 1 times.
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > It might be part of a botnet, infected by a trojan/virus or running brute-force attacks.
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > Our affected destination servers: smtp.light-gap.net, imap.light-gap.net
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > Currently 7 failed/unauthorized logins attempts via SMTP/IMAP with 6 different usernames and wrong password:
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > 2016-05-04T23:48:40+02:00 with username "downloads.openscience.or.at" (spamtrap account)
>>>>>>>>>>>>> > 2016-05-04T22:47:19+02:00 with username "sp_woq" (spamtrap account)
>>>>>>>>>>>>> > 2016-05-04T14:55:11+02:00 with username "info" (spamtrap account)
>>>>>>>>>>>>> > 2016-05-03T21:24:22+02:00 with username "fips" (spamtrap account)
>>>>>>>>>>>>> > 2016-05-03T20:57:19+02:00 with username "downloads.openscience.or.at" (spamtrap account)
>>>>>>>>>>>>> > 2016-05-03T10:13:59+02:00 with username "d10hw49WpH" (spamtrap account)
>>>>>>>>>>>>> > 2016-05-03T05:34:43+02:00 with username "12345678" (spamtrap account)
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > Ongoing failed/unauthorized logins attempts will be logged and sent to you every 24h until the IP will be permanently banned from our systems after 72 hours.
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > The Light-Gap.net Abuse Team.”
>>
>> --
>> If you only see yourself as part of the team but you don't see your team as part of yourself you have already failed as part of the team.
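Two things in the thread above lend themselves to a mechanical check: the recurring advice to keep CPE management on a private (RFC 1918) management VLAN rather than the customer's public IP, and the abuse notice Adam pasted, whose failed-login lines carry a timestamp and the attempted username. The script below is an added example written for this page; it is not code from the AFMUG thread, from Ubiquiti or Cambium, or from Light-Gap.net. The CPE inventory it audits is constructed (the hostnames, VLAN numbers and addresses, which use documentation ranges for the public side, are hypothetical), and the notice lines it parses reproduce the format of the notice quoted in the thread.

```python
"""Defender-side checks for a WISP CPE fleet.

1. audit_management_plane(): flag radios whose management address is
   publicly routable or not on a dedicated management VLAN.
2. parse_abuse_notice() / summarize_notice(): pull the failed-login
   events out of an LG-Mailproxy-style abuse notice so the time window
   and the tried usernames can be correlated with radio reboot times.

Added example for this page; the inventory below is constructed and the
notice text follows the format quoted in the thread.
"""
import ipaddress
import re
from datetime import datetime

# RFC 1918 space spelled out explicitly. ipaddress.is_private is wider
# (loopback, link-local, documentation ranges), which is not what the
# "put management in RFC1918 space" advice means.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


# Constructed inventory: (hostname, customer/WAN IP, management IP,
# management VLAN id or None). All values are hypothetical.
INVENTORY = [
    ("cpe-001", "203.0.113.10", "10.200.1.10", 200),
    ("cpe-002", "203.0.113.11", "203.0.113.11", None),  # managed on its public IP
    ("cpe-003", "198.51.100.7", "192.168.50.3", None),  # private, but shares the user VLAN
    ("cpe-004", "198.51.100.8", "172.16.4.20", 200),
]


def audit_management_plane(inventory):
    """Return (hostname, severity, finding) for each radio that departs
    from the private-management-VLAN pattern; radios that pass are omitted."""
    findings = []
    for host, _wan_ip, mgmt_ip, vlan in inventory:
        if not is_rfc1918(mgmt_ip):
            # http/https/ssh/snmp on the radio are reachable from the Internet.
            findings.append((host, "high", "management IP is publicly routable"))
        elif vlan is None:
            findings.append((host, "low", "private management IP but no dedicated management VLAN"))
    return findings


# One notice line: ISO-8601 timestamp with offset, then the username.
NOTICE_LINE = re.compile(
    r'(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2})'
    r'\s+with username\s+"(?P<user>[^"]+)"'
)

# Lines in the format of the notice quoted in the thread.
SAMPLE_NOTICE = """
2016-05-04T23:48:40+02:00 with username "downloads.openscience.or.at" (spamtrap account)
2016-05-04T22:47:19+02:00 with username "sp_woq" (spamtrap account)
2016-05-04T14:55:11+02:00 with username "info" (spamtrap account)
2016-05-03T21:24:22+02:00 with username "fips" (spamtrap account)
2016-05-03T20:57:19+02:00 with username "downloads.openscience.or.at" (spamtrap account)
2016-05-03T10:13:59+02:00 with username "d10hw49WpH" (spamtrap account)
2016-05-03T05:34:43+02:00 with username "12345678" (spamtrap account)
"""


def parse_abuse_notice(text):
    """Return [(datetime, username), ...] sorted oldest first. The
    regex tolerates the line wrapping mail clients add, so the text can
    be pasted straight from the notice."""
    events = [(datetime.fromisoformat(m.group("ts")), m.group("user"))
              for m in NOTICE_LINE.finditer(text)]
    return sorted(events)


def summarize_notice(text):
    """Attempt count, distinct usernames and the time window of the
    events, which is what you compare against the radios' reboot times."""
    events = parse_abuse_notice(text)
    if not events:
        return {"attempts": 0, "distinct_usernames": 0, "usernames": [],
                "first": None, "last": None, "span_hours": 0.0}
    users = sorted({u for _, u in events})
    first, last = events[0][0], events[-1][0]
    return {"attempts": len(events), "distinct_usernames": len(users),
            "usernames": users, "first": first, "last": last,
            "span_hours": (last - first).total_seconds() / 3600}


if __name__ == "__main__":
    for host, sev, msg in audit_management_plane(INVENTORY):
        print(f"{host}: [{sev}] {msg}")
    print(summarize_notice(SAMPLE_NOTICE))
```

Run as-is, the audit reports cpe-002 (management on its public address, the situation Josh Luthman's "Public IP on Ubnt" refers to) and cpe-003 (private, but no management VLAN), and the notice summary gives 7 attempts against 6 usernames over roughly 42 hours, a window that can be laid next to the reboot times Adam observed on the AP. The RFC 1918 check is deliberately explicit rather than using `is_private`, so that documentation or link-local addresses in an inventory do not pass as "private management".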