I’m on the list now for Professor Proton to visit, I’ll contact you after that.

From: Chuck Macenski 
Sent: Thursday, May 05, 2016 12:07 PM
To: af@afmug.com 
Subject: Re: [AFMUG] UBNT CPE being used for Abusive actions?

I can add you to the list. There is a fee for this service, however :)

On Thu, May 5, 2016 at 11:28 AM, Ken Hohhof <af...@kwisp.com> wrote:

  Chuck M will come to my house?  And bring Legos?  Where do I sign up?


  From: That One Guy /sarcasm 
  Sent: Thursday, May 05, 2016 10:53 AM
  To: af@afmug.com 
  Subject: Re: [AFMUG] UBNT CPE being used for Abusive actions?

  Chuck M will come to your house and put legos in all your shoes if you 
badmouth the airfiber :-)

  On Thu, May 5, 2016 at 10:17 AM, Chuck Macenski <ch...@macenski.com> wrote:

    I hate it when people lump airFiber into these things. I know of no 
security holes in airFiber that don't require you to already be logged into the 
unit (where you can change the configuration to your heart's content). 
AirFiber also supports a very simple to configure management VLAN (I don't know 
how it could be simpler) to keep in-band management traffic away from the IP of 
the unit. If that isn't enough, you can simply disable in-band management and 
use the out-of-band management port; no one can then access the management 
traffic from the user traffic flows.

    Good morning :)

    Chuck

    On Wed, May 4, 2016 at 11:39 PM, Mathew Howard <mhoward...@gmail.com> wrote:

      5.6.2, I think, fixed one of the more serious security flaws, and that 
was released less than a year ago... and it looks like 5.6.3 and 5.6.4 (which 
was released very recently) also had security fixes. I believe most of those 
vulnerabilities applied to the AC and airFiber firmware as well.


      Ubiquiti has been good about releasing fixes quickly when they find 
vulnerabilities, but that doesn't help if nobody bothers to update anything.


      On Wed, May 4, 2016 at 9:12 PM, Eric Kuhnke <eric.kuh...@gmail.com> wrote:

        I know about the very old firmware version for M series stuff that is 
vulnerable to a known worm.


        But let's assume you do have ubnt devices with public IPs (which is a 
bad idea). What's the attack surface? http, https, ssh, snmp


        Provided you have chosen a reasonably complex admin login and password, 
there are no current, known remote root exploits for current (or within the 
past 2 years) ubnt firmware on M or AC devices, right?



        On Wed, May 4, 2016 at 7:00 PM, Josh Luthman 
<j...@imaginenetworksllc.com> wrote:

          Public IP on Ubnt.  What else do you need to know?

          Josh Luthman
          Office: 937-552-2340
          Direct: 937-552-2343
          1100 Wayne St
          Suite 1337
          Troy, OH 45373

          On May 4, 2016 9:59 PM, "Eric Kuhnke" <eric.kuh...@gmail.com> wrote:

            The thread got this far and no one has wondered how the CPE was 
pwned in the first place?


            On Wed, May 4, 2016 at 6:55 PM, Mathew Howard 
<mhoward...@gmail.com> wrote:

              Yeah, I looked at setting it up that way at one point, but 
something didn't look like it was going to work quite the way I wanted it to... 
but I probably spent all of five minutes on it, so it may very well be 
possible. The way ePMP does it is really nice though... and simple.


              On Wed, May 4, 2016 at 8:38 PM, Josh Luthman 
<j...@imaginenetworksllc.com> wrote:

                People do it for sure.  I want to say there was an example on 
the forums or somewhere...

                Josh Luthman
                Office: 937-552-2340
                Direct: 937-552-2343
                1100 Wayne St
                Suite 1337
                Troy, OH 45373

                On May 4, 2016 9:35 PM, "Mathew Howard" <mhoward...@gmail.com> 
wrote:

                  I have our ePMPs set up to get their public IP via PPPoE, and 
the radio also gets a completely separate private management IP via DHCP, which 
is the only way you can remotely access the radio, and it doesn't even have to 
be in a separate VLAN unless you want it to be... and it's one checkbox to 
configure it.


                  I'm not sure if that can be duplicated on UBNT or not, since 
I haven't really tried yet, but at the very least it's a lot more complicated 
to configure.




                  On Wed, May 4, 2016 at 7:04 PM, Josh Luthman 
<j...@imaginenetworksllc.com> wrote:

                    It does...you just need to set it up that way.



                    Josh Luthman
                    Office: 937-552-2340
                    Direct: 937-552-2343
                    1100 Wayne St
                    Suite 1337
                    Troy, OH 45373


                    On Wed, May 4, 2016 at 7:54 PM, Mathew Howard 
<mhoward...@gmail.com> wrote:

                      I really wish Ubiquiti radios had a separate management 
vlan option (in router mode), like ePMP does...


                      On Wed, May 4, 2016 at 6:10 PM, Josh Reynolds 
<j...@kyneticwifi.com> wrote:

                        I would encourage you to put your CPEs on a management 
vlan, in RFC1918 space.


                        On Wed, May 4, 2016 at 6:00 PM, SmarterBroadband
                        <li...@smarterbroadband.com> wrote:

                        > Hi Tushar
                        >
                        > We run all radios in NAT mode.
                        >
                        > Adam
                        >
                        > From: Af [mailto:af-boun...@afmug.com] On Behalf Of Tushar Patel
                        > Sent: Wednesday, May 04, 2016 3:34 PM
                        > To: af@afmug.com
                        > Subject: Re: [AFMUG] UBNT CPE being used for Abusive actions?
                        >
                        > Radios could be put on private IPs so nobody from the outside world can
                        > access them. That is what we do.
                        >
                        > Tushar
                        >
                        > On May 4, 2016, at 5:22 PM, SmarterBroadband <li...@smarterbroadband.com> wrote:
                        >
                        > I have received a number of emails from ab...@light-gap.net saying certain of
                        > our IP addresses are being used for attacks (see email text below).
                        >
                        > All IP addresses are in UBNT radios.  We are unable to remotely access any of
                        > these radios now.  We see that the radio we are unable to access rebooted a
                        > couple of days ago.  A number of other radios show they rebooted around the
                        > same time (in sequence) on the AP.  We are unable to remotely access any of
                        > those either. Other radios with longer uptime on the APs are fine.
                        >
                        > We have a tech en route to one of the customer sites.
                        >
                        > We think the radios are being made into bots.  Anyone seen this or anything
                        > like this?  Do the hackers need a username and password to hack a radio?
                        > I.e., would a change of the password stop the changes being made to the
                        > radios?  Any other thoughts, suggestions or ideas?
                        >
                        > Thanks
                        >
                        > Adam
                        >
                        > Email text below:
                        >
                        > “This is a semi-automated e-mail from the LG-Mailproxy authentication
                        > system; all requests have been approved manually by the
                        > system administrators or are obviously unwanted (e.g. requests to our
                        > spamtraps).
                        >
                        > For further questions or if additional information is needed please reply to
                        > this email.
                        >
                        > The IP xxx.xxx.xxx.xxx has been banned for 48 hours due to suspicious
                        > behaviour on our system.
                        >
                        > This happened already 1 times.
                        >
                        > It might be part of a botnet, infected by a trojan/virus or running
                        > brute-force attacks.
                        >
                        > Our affected destination servers: smtp.light-gap.net, imap.light-gap.net
                        >
                        > Currently 7 failed/unauthorized login attempts via SMTP/IMAP with 6
                        > different usernames and wrong password:
                        >
                        > 2016-05-04T23:48:40+02:00 with username "downloads.openscience.or.at" (spamtrap account)
                        > 2016-05-04T22:47:19+02:00 with username "sp_woq" (spamtrap account)
                        > 2016-05-04T14:55:11+02:00 with username "info" (spamtrap account)
                        > 2016-05-03T21:24:22+02:00 with username "fips" (spamtrap account)
                        > 2016-05-03T20:57:19+02:00 with username "downloads.openscience.or.at" (spamtrap account)
                        > 2016-05-03T10:13:59+02:00 with username "d10hw49WpH" (spamtrap account)
                        > 2016-05-03T05:34:43+02:00 with username "12345678" (spamtrap account)
                        >
                        > Ongoing failed/unauthorized login attempts will be logged and sent to you
                        > every 24h until the IP is permanently banned from our systems after 72
                        > hours.
                        >
                        > The Light-Gap.net Abuse Team.”
                        >

  -- 

  If you only see yourself as part of the team but you don't see your team as 
part of yourself you have already failed as part of the team.
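The thread's two defensive points, keep CPE management addresses in RFC 1918 space and keep airOS firmware current, can be checked against an inventory with a small audit script. This is an added example, not code from the list or from Ubiquiti; the inventory, the `Cpe` record layout and the choice of 5.6.4 as the minimum acceptable version (the thread says 5.6.2 fixed a more serious flaw and 5.6.3/5.6.4 also carried security fixes) are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# RFC 1918 ranges: the thread's advice is to keep CPE management inside these.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: anything older than 5.6.4 is flagged, since 5.6.2 fixed a more serious
# flaw and 5.6.3 / 5.6.4 carried further security fixes per the thread.
MIN_FIRMWARE = (5, 6, 4)

@dataclass
class Cpe:  # hypothetical record shape, not a Ubiquiti data structure
    name: str
    mgmt_ip: str
    firmware: str  # version string as a device reports it, e.g. "XW.v5.6.2"

def parse_version(firmware: str) -> tuple:
    """Pull the dotted numeric part out of a firmware string and return it as an int tuple."""
    m = re.search(r"\d+(?:\.\d+)+", firmware)
    if not m:
        raise ValueError(f"no version number in {firmware!r}")
    return tuple(int(part) for part in m.group(0).split("."))

def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def audit(cpes: list) -> dict:
    """Return {cpe name: [reasons]} for every CPE that breaks either rule."""
    findings = {}
    for cpe in cpes:
        reasons = []
        if not is_rfc1918(cpe.mgmt_ip):
            reasons.append(f"management IP {cpe.mgmt_ip} is publicly routable")
        if parse_version(cpe.firmware) < MIN_FIRMWARE:
            reasons.append(f"firmware {cpe.firmware} is older than 5.6.4")
        if reasons:
            findings[cpe.name] = reasons
    return findings

# Constructed sample inventory; names, addresses and versions are made up.
SAMPLE_INVENTORY = [
    Cpe("cpe-01", "10.20.30.40", "XW.v5.6.4"),    # private management IP, current firmware
    Cpe("cpe-02", "203.0.113.17", "XW.v5.5.10"),  # public IP and old firmware
    Cpe("cpe-03", "172.31.5.9", "XW.v5.6.2"),     # private, but pre-5.6.3 firmware
    Cpe("cpe-04", "198.51.100.8", "XM.v5.6.4"),   # current firmware, but public IP
]
```

Running `audit(SAMPLE_INVENTORY)` flags cpe-02 on both rules and cpe-03 and cpe-04 on one each; cpe-01 passes.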
