:)
On Thu, May 5, 2016 at 1:39 PM, Josh Reynolds <j...@kyneticwifi.com> wrote:
> Why? He's busy making nice products that Mimosa won't like so much :P
>
> On Thu, May 5, 2016 at 1:38 PM, Chuck McCown <ch...@wbmfg.com> wrote:
> > I think it would be exciting if Chuck Macenski’s email address all of a
> > sudden was a Mimosa domain....
> >
> > From: Chuck Macenski
> > Sent: Thursday, May 05, 2016 12:36 PM
> > To: af@afmug.com
> > Subject: Re: [AFMUG] UBNT CPE being used for Abusive actions?
> >
> > I don't mean to be touchy about it, but, if I had a quarter for every time
> > someone said "I had this nano-station 5 years ago that had this issue they
> > fixed in software so you must have that issue too", I'd have a lot of
> > quarters. Maybe not enough to buy a Tesla, but, a lot of quarters...
> >
> > On Thu, May 5, 2016 at 1:26 PM, Josh Baird <joshba...@gmail.com> wrote:
> >> Um, well, airFiber IS a Ubiquiti product, so it's not that stupid. They
> >> may run different operating systems, be designed by different teams and
> >> have different feature sets, but it still says Ubiquiti on it.
> >>
> >> On Thu, May 5, 2016 at 11:17 AM, Chuck Macenski <ch...@macenski.com> wrote:
> >>> I hate it when people lump airFiber into these things. I know of no
> >>> security holes in airFiber that don't require you to already be logged
> >>> into the unit (where you can change the configuration until your heart's
> >>> content). AirFiber also supports a very simple to configure management
> >>> VLAN (I don't know how it could be simpler) to keep inband management
> >>> traffic away from the IP of the unit. If that isn't enough, you can simply
> >>> disable inband management and use the out-of-band management port; no one
> >>> can then access the management traffic from the user traffic flows.
> >>>
> >>> Good morning :)
> >>>
> >>> Chuck
> >>>
> >>> On Wed, May 4, 2016 at 11:39 PM, Mathew Howard <mhoward...@gmail.com> wrote:
> >>>> 5.6.2, I think, fixed one of the more serious security flaws, and that
> >>>> was released less than a year ago... and it looks like 5.6.3 and 5.6.4
> >>>> (which was released very recently) also had security fixes. I believe
> >>>> most of those vulnerabilities applied to the AC and airFiber firmware as
> >>>> well.
> >>>>
> >>>> Ubiquiti has been good about releasing fixes quickly when they find
> >>>> vulnerabilities, but that doesn't help if nobody bothers to update
> >>>> anything.
> >>>>
> >>>> On Wed, May 4, 2016 at 9:12 PM, Eric Kuhnke <eric.kuh...@gmail.com> wrote:
> >>>>> I know about the very old firmware version for M series stuff that is
> >>>>> vulnerable to a known worm.
> >>>>>
> >>>>> But let's assume you do have ubnt devices with public IPs (which is a
> >>>>> bad idea). What's the attack surface? http, https, ssh, snmp
> >>>>>
> >>>>> Provided you have chosen a reasonably complex admin login and password
> >>>>> there are no current, known remote root exploits for current (or within
> >>>>> the past 2 years) ubnt firmware on M or AC devices, right?
> >>>>>
> >>>>> On Wed, May 4, 2016 at 7:00 PM, Josh Luthman <j...@imaginenetworksllc.com> wrote:
> >>>>>> Public IP on Ubnt. What else do you need to know?
> >>>>>>
> >>>>>> Josh Luthman
> >>>>>> Office: 937-552-2340
> >>>>>> Direct: 937-552-2343
> >>>>>> 1100 Wayne St
> >>>>>> Suite 1337
> >>>>>> Troy, OH 45373
> >>>>>>
> >>>>>> On May 4, 2016 9:59 PM, "Eric Kuhnke" <eric.kuh...@gmail.com> wrote:
> >>>>>>> The thread got this far and no one has wondered how the CPE was
> >>>>>>> pwned in the first place?
> >>>>>>>
> >>>>>>> On Wed, May 4, 2016 at 6:55 PM, Mathew Howard <mhoward...@gmail.com> wrote:
> >>>>>>>> Yeah, I looked at setting it up that way at one point, but
> >>>>>>>> something didn't look like it was going to work quite the way I
> >>>>>>>> wanted it to... but I probably spent all of five minutes on it, so it
> >>>>>>>> may very well be possible. The way ePMP does it is really nice
> >>>>>>>> though... and simple.
> >>>>>>>>
> >>>>>>>> On Wed, May 4, 2016 at 8:38 PM, Josh Luthman <j...@imaginenetworksllc.com> wrote:
> >>>>>>>>> People do it for sure. I want to say there was an example on the
> >>>>>>>>> forums or somewhere...
> >>>>>>>>>
> >>>>>>>>> Josh Luthman
> >>>>>>>>> Office: 937-552-2340
> >>>>>>>>> Direct: 937-552-2343
> >>>>>>>>> 1100 Wayne St
> >>>>>>>>> Suite 1337
> >>>>>>>>> Troy, OH 45373
> >>>>>>>>>
> >>>>>>>>> On May 4, 2016 9:35 PM, "Mathew Howard" <mhoward...@gmail.com> wrote:
> >>>>>>>>>> I have our ePMPs set up to get their public IP via PPPoE, and the
> >>>>>>>>>> radio also gets a completely separate private management IP via
> >>>>>>>>>> DHCP, which is the only way you can remotely access the radio, and
> >>>>>>>>>> it doesn't even have to be in a separate vlan unless you want it to
> >>>>>>>>>> be... and it's one checkbox to configure it.
> >>>>>>>>>>
> >>>>>>>>>> I'm not sure if that can be duplicated on UBNT or not, since I
> >>>>>>>>>> haven't really tried yet, but at the very least it's a lot more
> >>>>>>>>>> complicated to configure.
> >>>>>>>>>>
> >>>>>>>>>> On Wed, May 4, 2016 at 7:04 PM, Josh Luthman <j...@imaginenetworksllc.com> wrote:
> >>>>>>>>>>> It does...you just need to set it up that way.
> >>>>>>>>>>>
> >>>>>>>>>>> Josh Luthman
> >>>>>>>>>>> Office: 937-552-2340
> >>>>>>>>>>> Direct: 937-552-2343
> >>>>>>>>>>> 1100 Wayne St
> >>>>>>>>>>> Suite 1337
> >>>>>>>>>>> Troy, OH 45373
> >>>>>>>>>>>
> >>>>>>>>>>> On Wed, May 4, 2016 at 7:54 PM, Mathew Howard <mhoward...@gmail.com> wrote:
> >>>>>>>>>>>> I really wish Ubiquiti radios had a separate management vlan
> >>>>>>>>>>>> option (in router mode), like ePMP does...
> >>>>>>>>>>>>
> >>>>>>>>>>>> On Wed, May 4, 2016 at 6:10 PM, Josh Reynolds <j...@kyneticwifi.com> wrote:
> >>>>>>>>>>>>> I would encourage you to put your CPEs on a management vlan,
> >>>>>>>>>>>>> in RFC1918 space.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> On Wed, May 4, 2016 at 6:00 PM, SmarterBroadband <li...@smarterbroadband.com> wrote:
> >>>>>>>>>>>>> > Hi Tushar
> >>>>>>>>>>>>> >
> >>>>>>>>>>>>> > We run all radios in NAT mode.
> >>>>>>>>>>>>> >
> >>>>>>>>>>>>> > Adam
> >>>>>>>>>>>>> >
> >>>>>>>>>>>>> > From: Af [mailto:af-boun...@afmug.com] On Behalf Of Tushar Patel
> >>>>>>>>>>>>> > Sent: Wednesday, May 04, 2016 3:34 PM
> >>>>>>>>>>>>> > To: af@afmug.com
> >>>>>>>>>>>>> > Subject: Re: [AFMUG] UBNT CPE being used for Abusive actions?
> >>>>>>>>>>>>> >
> >>>>>>>>>>>>> > Radios could be put on private ip so nobody from outside
> >>>>>>>>>>>>> > world can access it. That is what we do.
> >>>>>>>>>>>>> >
> >>>>>>>>>>>>> > Tushar
> >>>>>>>>>>>>> >
> >>>>>>>>>>>>> > On May 4, 2016, at 5:22 PM, SmarterBroadband <li...@smarterbroadband.com> wrote:
> >>>>>>>>>>>>> >
> >>>>>>>>>>>>> > I have received a number of emails from ab...@light-gap.net
> >>>>>>>>>>>>> > saying certain of our IP addresses are being used for attacks
> >>>>>>>>>>>>> > (see email text below).
> >>>>>>>>>>>>> >
> >>>>>>>>>>>>> > All IP addresses are in UBNT radios. We are unable to remote
> >>>>>>>>>>>>> > access any of these radios now. We see that the radio we are
> >>>>>>>>>>>>> > unable to access rebooted a couple of days ago. A number of
> >>>>>>>>>>>>> > other radios show they rebooted around the same time (in
> >>>>>>>>>>>>> > sequence) on the AP. We are unable to remote access any of
> >>>>>>>>>>>>> > those either. Other radios with longer uptime on the APs are
> >>>>>>>>>>>>> > fine.
> >>>>>>>>>>>>> >
> >>>>>>>>>>>>> > We have a tech en route to one of the customer sites.
> >>>>>>>>>>>>> >
> >>>>>>>>>>>>> > We think the radios are being made into bots. Anyone seen
> >>>>>>>>>>>>> > this or anything like this? Do the hackers need a username and
> >>>>>>>>>>>>> > password to hack a radio? I.E. Would a change of the password
> >>>>>>>>>>>>> > stop the changes being made to the radios? Any other thoughts,
> >>>>>>>>>>>>> > suggestions or ideas?
> >>>>>>>>>>>>> >
> >>>>>>>>>>>>> > Thanks
> >>>>>>>>>>>>> >
> >>>>>>>>>>>>> > Adam
> >>>>>>>>>>>>> >
> >>>>>>>>>>>>> > Email Text below:
> >>>>>>>>>>>>> >
> >>>>>>>>>>>>> > “This is a semi-automated e-mail from the LG-Mailproxy
> >>>>>>>>>>>>> > authentication system, all requests have been approved manually
> >>>>>>>>>>>>> > by the system-administrators or are obviously unwanted (eg.
> >>>>>>>>>>>>> > requests to our spamtraps).
> >>>>>>>>>>>>> >
> >>>>>>>>>>>>> > For further questions or if additional information is needed
> >>>>>>>>>>>>> > please reply to this email.
> >>>>>>>>>>>>> >
> >>>>>>>>>>>>> > The IP xxx.xxx.xxx.xxx has been banned for 48 hours due to
> >>>>>>>>>>>>> > suspicious behaviour on our system.
> >>>>>>>>>>>>> >
> >>>>>>>>>>>>> > This happened already 1 times.
> >>>>>>>>>>>>> >
> >>>>>>>>>>>>> > It might be part of a botnet, infected by a trojan/virus or
> >>>>>>>>>>>>> > running brute-force attacks.
> >>>>>>>>>>>>> >
> >>>>>>>>>>>>> > Our affected destination servers: smtp.light-gap.net,
> >>>>>>>>>>>>> > imap.light-gap.net
> >>>>>>>>>>>>> >
> >>>>>>>>>>>>> > Currently 7 failed/unauthorized login attempts via SMTP/IMAP
> >>>>>>>>>>>>> > with 6 different usernames and wrong password:
> >>>>>>>>>>>>> >
> >>>>>>>>>>>>> > 2016-05-04T23:48:40+02:00 with username "downloads.openscience.or.at" (spamtrap account)
> >>>>>>>>>>>>> > 2016-05-04T22:47:19+02:00 with username "sp_woq" (spamtrap account)
> >>>>>>>>>>>>> > 2016-05-04T14:55:11+02:00 with username "info" (spamtrap account)
> >>>>>>>>>>>>> > 2016-05-03T21:24:22+02:00 with username "fips" (spamtrap account)
> >>>>>>>>>>>>> > 2016-05-03T20:57:19+02:00 with username "downloads.openscience.or.at" (spamtrap account)
> >>>>>>>>>>>>> > 2016-05-03T10:13:59+02:00 with username "d10hw49WpH" (spamtrap account)
> >>>>>>>>>>>>> > 2016-05-03T05:34:43+02:00 with username "12345678" (spamtrap account)
> >>>>>>>>>>>>> >
> >>>>>>>>>>>>> > Ongoing failed/unauthorized login attempts will be logged and
> >>>>>>>>>>>>> > sent to you every 24h until the IP will be permanently banned
> >>>>>>>>>>>>> > from our systems after 72 hours.
> >>>>>>>>>>>>> >
> >>>>>>>>>>>>> > The Light-Gap.net Abuse Team.”
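An added example, not part of the thread or of Light-Gap's system: this Python parses the entry lines of an abuse report in the format quoted above, recomputes the counts the report states, and converts the +02:00 timestamps to UTC so an operator can line them up against their own CPE reboot times. The sample text is constructed from the quoted report; the regexes assume its exact line layout.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample: the summary line and entry lines of the abuse report quoted in the thread.
ABUSE_REPORT = """\
Currently 7 failed/unauthorized login attempts via SMTP/IMAP with 6
different usernames and wrong password:
2016-05-04T23:48:40+02:00 with username "downloads.openscience.or.at" (spamtrap account)
2016-05-04T22:47:19+02:00 with username "sp_woq" (spamtrap account)
2016-05-04T14:55:11+02:00 with username "info" (spamtrap account)
2016-05-03T21:24:22+02:00 with username "fips" (spamtrap account)
2016-05-03T20:57:19+02:00 with username "downloads.openscience.or.at" (spamtrap account)
2016-05-03T10:13:59+02:00 with username "d10hw49WpH" (spamtrap account)
2016-05-03T05:34:43+02:00 with username "12345678" (spamtrap account)
"""

ENTRY_RE = re.compile(r'^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2})'
                      r'\s+with username "(?P<user>[^"]*)"(?:\s+\((?P<tag>[^)]*)\))?')
STATED_RE = re.compile(r'Currently (\d+) failed/unauthorized logins? attempts')

def parse_entries(text):
    """Return one dict per attempt line, oldest first; prose lines in the report are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"ts": datetime.fromisoformat(m.group("ts")),
                            "user": m.group("user"),
                            "spamtrap": m.group("tag") == "spamtrap account"})
    return sorted(entries, key=lambda e: e["ts"])

def summarize(text):
    """Recompute what the abuse mail states and add what an operator needs to correlate it with CPE logs."""
    entries = parse_entries(text)
    users = Counter(e["user"] for e in entries)
    stated = STATED_RE.search(text)
    span_h = (entries[-1]["ts"] - entries[0]["ts"]).total_seconds() / 3600 if entries else 0.0
    return {
        "attempts": len(entries),
        "count_matches_stated": bool(stated) and int(stated.group(1)) == len(entries),
        "distinct_users": len(users),
        "repeated_users": [u for u, n in users.items() if n > 1],
        "all_spamtrap": all(e["spamtrap"] for e in entries),
        "first_seen_utc": entries[0]["ts"].astimezone(timezone.utc).isoformat() if entries else None,
        "span_hours": round(span_h, 1),
        # well under one attempt per hour: too slow to trip most per-source lockout thresholds
        "attempts_per_hour": round(len(entries) / span_h, 2) if span_h else None,
    }
```

The first_seen_utc value is the earliest point to look for in the CPE's own uptime and reboot records; the low rate is why such a device can brute-force for days before the target notices.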