Re: [AFMUG] UBNT CPE being used for Abusive actions?

2016-05-06 Thread Joshaven Mailing Lists
Sorry, here is the URL:  
http://www.securityweek.com/flaw-allows-hackers-find-ubiquiti-devices-exposed-web
 


Sincerely,
Joshaven Potter
Google Hangouts: j...@g2wireless.co
Cell & SMS: 1-517-607-9370
supp...@joshaven.com



> On May 6, 2016, at 11:46 AM, That One Guy /sarcasm wrote:
> 
> what's the remote management that's enabled by default? or just the web 
> management?
> 
> On Fri, May 6, 2016 at 10:41 AM, Joshaven Mailing Lists wrote:
> FYI… This is why you keep your firmware updated... :)
> 
> 
> 
> Sincerely,
> Joshaven Potter
> Google Hangouts: j...@g2wireless.co 
> Cell & SMS: 1-517-607-9370 
> supp...@joshaven.com 
> 
> 
>> On May 4, 2016, at 6:33 PM, Tushar Patel wrote:
>> 
>> Radios could be put on private ip so nobody from outside world can access 
>> it. That is what we do.
>> 
>> Tushar
>> 
>> 
>> On May 4, 2016, at 5:22 PM, SmarterBroadband wrote:
>> 
>>> I have received a number of emails for ab...@light-gap.net saying certain of our IP addresses are being 
>>> used for attacks (see email text below).
>>>  
>>> All IP addresses are in UBNT radios.  We are unable to remote access any of 
>>> these radios now.  We see that the radio we are unable to access 
>>> rebooted a couple of days ago.  A number of other radios show they rebooted 
>>> around the same time (in sequence) on the AP.  We are unable to remote 
>>> access any of those either. Other radios with longer uptime on the APs are 
>>> fine.
>>>  
>>> We have a tech en route to one of the customer sites.
>>>  
>>> We think the radios are being made into bots.  Anyone seen this or anything 
>>> like this?  Do the hackers need a username and password to hack a radio?  
>>> i.e., would a change of the password stop the changes being made to the 
>>> radios?  Any other thoughts, suggestions or ideas?
>>>  
>>> Thanks
>>>  
>>> Adam  
>>>  
>>> Email Text below:
>>>  
>>> “This is a semi-automated e-mail from the LG-Mailproxy authentication 
>>> system, all requests have been approved manually by the 
>>> system-administrators or are obviously unwanted (eg. requests to our 
>>> spamtraps).
>>> For further questions or if additional information is needed please reply 
>>> to this email.
>>>  
>>> The IP xxx.xxx.xxx.xxx has been banned for 48 hours due to suspicious 
>>> behaviour on our system.
>>> This happened already 1 times.
>>> It might be part of a botnet, infected by a trojan/virus or running 
>>> brute-force attacks.
>>>  
>>> Our affected destination servers: smtp.light-gap.net, imap.light-gap.net
>>>  
>>> Currently 7 failed/unauthorized login attempts via SMTP/IMAP with 6 
>>> different usernames and wrong password:
>>> 2016-05-04T23:48:40+02:00 with username "downloads.openscience.or.at" (spamtrap account)
>>> 2016-05-04T22:47:19+02:00 with username "sp_woq" (spamtrap account)
>>> 2016-05-04T14:55:11+02:00 with username "info" (spamtrap account)
>>> 2016-05-03T21:24:22+02:00 with username "fips" (spamtrap account)
>>> 2016-05-03T20:57:19+02:00 with username "downloads.openscience.or.at" (spamtrap account)
>>> 2016-05-03T10:13:59+02:00 with username "d10hw49WpH" (spamtrap account)
>>> 2016-05-03T05:34:43+02:00 with username "12345678" (spamtrap account) 
>>> Ongoing failed/unauthorized login attempts will be logged and sent to you 
>>> every 24h until the IP is permanently banned from our systems after 72 
>>> hours.
>>>  
>>> The Light-Gap.net Abuse Team.”
> 
> 
> 
> 
> -- 
> If you only see yourself as part of the team but you don't see your team as 
> part of yourself you have already failed as part of the team.



Re: [AFMUG] UBNT CPE being used for Abusive actions?

2016-05-05 Thread That One Guy /sarcasm
>>>>>>>>> forums or somewhere...
>>>>>>>>>
>>>>>>>>> Josh Luthman
>>>>>>>>> Office: 937-552-2340
>>>>>>>>> Direct: 937-552-2343
>>>>>>>>> 1100 Wayne St
>>>>>>>>> Suite 1337
>>>>>>>>> Troy, OH 45373
>>>>>>>>> On May 4, 2016 9:35 PM, "Mathew Howard" <mhoward...@gmail.com>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>> I have our ePMPs set up to get their public IP via PPPoE, and the
>>>>>>>>>> radio also gets a completely separate private management IP via 
>>>>>>>>>> DHCP, which
>>>>>>>>>> is the only way you can remotely access the radio, and it doesn't 
>>>>>>>>>> even have
>>>>>>>>>> to be in a separate vlan unless you want it to be... and it's one 
>>>>>>>>>> checkbox
>>>>>>>>>> to configure it.
>>>>>>>>>>
>>>>>>>>>> I'm not sure if that can be duplicated on UBNT or not, since I
>>>>>>>>>> haven't really tried yet, but at the very least it's a lot more 
>>>>>>>>>> complicated
>>>>>>>>>> to configure.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Wed, May 4, 2016 at 7:04 PM, Josh Luthman <
>>>>>>>>>> j...@imaginenetworksllc.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> It does...you just need to set it up that way.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Josh Luthman
>>>>>>>>>>> Office: 937-552-2340
>>>>>>>>>>> Direct: 937-552-2343
>>>>>>>>>>> 1100 Wayne St
>>>>>>>>>>> Suite 1337
>>>>>>>>>>> Troy, OH 45373
>>>>>>>>>>>
>>>>>>>>>>> On Wed, May 4, 2016 at 7:54 PM, Mathew Howard <
>>>>>>>>>>> mhoward...@gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> I really wish Ubiquiti radios had a separate management vlan
>>>>>>>>>>>> option (in router mode), like ePMP does...
>>>>>>>>>>>>
>>>>>>>>>>>> On Wed, May 4, 2016 at 6:10 PM, Josh Reynolds <
>>>>>>>>>>>> j...@kyneticwifi.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> I would encourage you to put your CPEs on a management vlan,
>>>>>>>>>>>>> in RFC1918 space.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Wed, May 4, 2016 at 6:00 PM, SmarterBroadband
>>>>>>>>>>>>> <li...@smarterbroadband.com> wrote:
>>>>>>>>>>>>> > Hi Tushar
>>>>>>>>>>>>> >
>>>>>>>>>>>>> >
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > We run all radios in NAT mode.
>>>>>>>>>>>>> >
>>>>>>>>>>>>> >
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > Adam
>>>>>>>>>>>>> >
>>>>>>>>>>>>> >
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > From: Af [mailto:af-boun...@afmug.com] On Behalf Of Tushar
>>>>>>>>>>>>> Patel
>>>>>>>>>>>>> > Sent: Wednesday, May 04, 2016 3:34 PM
>>>>>>>>>>>>> > To: af@afmug.com
>>>>>>>>>>>>> > Subject: Re: [AFMUG] UBNT CPE being used for Abusive actions?
>>>>>>>>>>>>> >
>>>>>>>>>>>>> >
>

Re: [AFMUG] UBNT CPE being used for Abusive actions?

2016-05-05 Thread Mathew Howard
>>>>>>>>> I have our ePMPs set up to get their public IP via PPPoE, and the
>>>>>>>>> radio also gets a completely separate private management IP via DHCP, 
>>>>>>>>> which
>>>>>>>>> is the only way you can remotely access the radio, and it doesn't 
>>>>>>>>> even have
>>>>>>>>> to be in a separate vlan unless you want it to be... and it's one 
>>>>>>>>> checkbox
>>>>>>>>> to configure it.
>>>>>>>>>
>>>>>>>>> I'm not sure if that can be duplicated on UBNT or not, since I
>>>>>>>>> haven't really tried yet, but at the very least it's a lot more 
>>>>>>>>> complicated
>>>>>>>>> to configure.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Wed, May 4, 2016 at 7:04 PM, Josh Luthman <
>>>>>>>>> j...@imaginenetworksllc.com> wrote:
>>>>>>>>>
>>>>>>>>>> It does...you just need to set it up that way.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Josh Luthman
>>>>>>>>>> Office: 937-552-2340
>>>>>>>>>> Direct: 937-552-2343
>>>>>>>>>> 1100 Wayne St
>>>>>>>>>> Suite 1337
>>>>>>>>>> Troy, OH 45373
>>>>>>>>>>
>>>>>>>>>> On Wed, May 4, 2016 at 7:54 PM, Mathew Howard <
>>>>>>>>>> mhoward...@gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> I really wish Ubiquiti radios had a separate management vlan
>>>>>>>>>>> option (in router mode), like ePMP does...
>>>>>>>>>>>
>>>>>>>>>>> On Wed, May 4, 2016 at 6:10 PM, Josh Reynolds <
>>>>>>>>>>> j...@kyneticwifi.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> I would encourage you to put your CPEs on a management vlan, in
>>>>>>>>>>>> RFC1918 space.
>>>>>>>>>>>>
>>>>>>>>>>>> On Wed, May 4, 2016 at 6:00 PM, SmarterBroadband
>>>>>>>>>>>> <li...@smarterbroadband.com> wrote:
>>>>>>>>>>>> > Hi Tushar
>>>>>>>>>>>> >
>>>>>>>>>>>> >
>>>>>>>>>>>> >
>>>>>>>>>>>> > We run all radios in NAT mode.
>>>>>>>>>>>> >
>>>>>>>>>>>> >
>>>>>>>>>>>> >
>>>>>>>>>>>> > Adam
>>>>>>>>>>>> >
>>>>>>>>>>>> >
>>>>>>>>>>>> >
>>>>>>>>>>>> > From: Af [mailto:af-boun...@afmug.com] On Behalf Of Tushar
>>>>>>>>>>>> Patel
>>>>>>>>>>>> > Sent: Wednesday, May 04, 2016 3:34 PM
>>>>>>>>>>>> > To: af@afmug.com
>>>>>>>>>>>> > Subject: Re: [AFMUG] UBNT CPE being used for Abusive actions?
>>>>>>>>>>>> >
>>>>>>>>>>>> >
>>>>>>>>>>>> >
>>>>>>>>>>>> > Radios could be put on private ip so nobody from outside
>>>>>>>>>>>> world can access
>>>>>>>>>>>> > it. That is what we do.
>>>>>>>>>>>> >
>>>>>>>>>>>> > Tushar
>>>>>>>>>>>> >
>>>>>>>>>>>> >
>>>>>>>>>>>> >
>>>>>>>>>>>> >
>>>>>>>>>>>> > On May 4, 2016, at 5:22 PM, SmarterBroadband <
>>>>>>>>>>>> li...@smarterbroadband.com>
>>>

Re: [AFMUG] UBNT CPE being used for Abusive actions?

2016-05-05 Thread Josh Reynolds
IMO, that customer is an idiot.

That said, he may have been an idiot but you also didn't get his monies :(

On Thu, May 5, 2016 at 2:33 PM, Ken Hohhof <af...@kwisp.com> wrote:
> I understand the issue because it was part of my learning experience when
> the company I worked for in the 80's was acquired by Rockwell International.
>
> Sales dragged me along on a sales call to try and sell some digital carrier
> product to a Bell company.  The customer said I will look at your product
> when you fix the  I bought from you.  We protested that
> was from a totally unrelated division of Rockwell, like maybe the M13 mux
> people in Texas, or the Collins Radio people in Iowa, I forget.
>
> Customer pointed to the logo on our product, the logo on the lemon he had
> bought, and the logo on our business cards.  They all said Rockwell.  He
> didn't care what division we were from.  He had a problem with our company,
> and he was holding us responsible.
>
>
>
> -Original Message- From: Josh Reynolds
> Sent: Thursday, May 05, 2016 1:37 PM
>
> To: af@afmug.com
> Subject: Re: [AFMUG] UBNT CPE being used for Abusive actions?
>
> Wow, let's not be objective or anything.
>
> Cisco makes some shit products. They make some good ones too.
> Juniper makes some shit products. They make some good ones too.
> Crayola makes some shit products. They make some good ones too.
> GE makes some shit products. They make some good ones too.
> $vendorOfChoice makes some shit products. They make some good ones too.
>
> (continue)
>
> On Thu, May 5, 2016 at 1:26 PM, Josh Baird <joshba...@gmail.com> wrote:
>>
>> Um, well, airFiber IS a Ubiquiti product, so it's not that stupid.  They
>> may
>> run different operating systems, be designed by different teams and have
>> different feature sets, but it still says Ubiquiti on it.
>>
>> On Thu, May 5, 2016 at 11:17 AM, Chuck Macenski <ch...@macenski.com>
>> wrote:
>>>
>>>
>>> I hate it when people lump airFiber into these things. I know of no
>>> security holes in airFiber that don't require you to already be logged
>>> into
>>> the unit (where you can change the configuration until your heart's
>>> content). AirFiber also supports a very simple to configure management
>>> VLAN
>>> (I don't know how it could be simpler) to keep inband management traffic
>>> away
>>> from the IP of the unit. If that isn't enough, you can simply disable
>>> inband
>>> management and use the out-of-band management port; no one can then
>>> access
>>> the management traffic from the user traffic flows.
>>>
>>> Good morning :)
>>>
>>> Chuck
>>>
>>> On Wed, May 4, 2016 at 11:39 PM, Mathew Howard <mhoward...@gmail.com>
>>> wrote:
>>>>
>>>>
>>>> 5.6.2, I think, fixed one of the more serious security flaws, and that
>>>> was released less than a year ago... and it looks like 5.6.3 and 5.6.4
>>>> (which was released very recently) also had security fixes. I believe
>>>> most
>>>> of those vulnerabilities applied to the AC and airFiber firmware as
>>>> well.
>>>>
>>>> Ubiquiti has been good about releasing fixes quickly when they find
>>>> vulnerabilities, but that doesn't help if nobody bothers to update
>>>> anything.
>>>>
>>>> On Wed, May 4, 2016 at 9:12 PM, Eric Kuhnke <eric.kuh...@gmail.com>
>>>> wrote:
>>>>>
>>>>>
>>>>> I know about the very old firmware version for M series stuff that is
>>>>> vulnerable to a known worm.
>>>>>
>>>>> But let's assume you do have ubnt devices with public IPs (which is a
>>>>> bad idea). What's the attack surface? http, https, ssh, snmp
>>>>>
>>>>> Provided you have chosen a reasonably complex admin login and password
>>>>> there are no current, known remote root exploits for current (or within
>>>>> the
>>>>> past 2 years) ubnt firmware on M or AC devices, right?
>>>>>
>>>>>
>>>>> On Wed, May 4, 2016 at 7:00 PM, Josh Luthman
>>>>> <j...@imaginenetworksllc.com> wrote:
>>>>>>
>>>>>>
>>>>>> Public IP on Ubnt.  What else do you need to know?
>>>>>>
>>>>>> Josh Luthman
>>>>>> Office: 937-552-2340
>>>>>> Direct: 937-552-2343
>>>>>> 1100 Wayne St
>>>

Re: [AFMUG] UBNT CPE being used for Abusive actions?

2016-05-05 Thread Ken Hohhof
I understand the issue because it was part of my learning experience when 
the company I worked for in the 80's was acquired by Rockwell International.


Sales dragged me along on a sales call to try and sell some digital carrier 
product to a Bell company.  The customer said I will look at your product 
when you fix the  I bought from you.  We protested that 
was from a totally unrelated division of Rockwell, like maybe the M13 mux 
people in Texas, or the Collins Radio people in Iowa, I forget.


Customer pointed to the logo on our product, the logo on the lemon he had 
bought, and the logo on our business cards.  They all said Rockwell.  He 
didn't care what division we were from.  He had a problem with our company, 
and he was holding us responsible.




-Original Message- 
From: Josh Reynolds

Sent: Thursday, May 05, 2016 1:37 PM
To: af@afmug.com
Subject: Re: [AFMUG] UBNT CPE being used for Abusive actions?

Wow, let's not be objective or anything.

Cisco makes some shit products. They make some good ones too.
Juniper makes some shit products. They make some good ones too.
Crayola makes some shit products. They make some good ones too.
GE makes some shit products. They make some good ones too.
$vendorOfChoice makes some shit products. They make some good ones too.

(continue)

On Thu, May 5, 2016 at 1:26 PM, Josh Baird <joshba...@gmail.com> wrote:
Um, well, airFiber IS a Ubiquiti product, so it's not that stupid.  They 
may

run different operating systems, be designed by different teams and have
different feature sets, but it still says Ubiquiti on it.

On Thu, May 5, 2016 at 11:17 AM, Chuck Macenski <ch...@macenski.com> 
wrote:


I hate it when people lump airFiber into these things. I know of no
security holes in airFiber that don't require you to already be logged 
into

the unit (where you can change the configuration until your heart's
content). AirFiber also supports a very simple to configure management 
VLAN
(I don't know how it could be simpler) to keep inband management traffic 
away
from the IP of the unit. If that isn't enough, you can simply disable 
inband
management and use the out-of-band management port; no one can then 
access

the management traffic from the user traffic flows.

Good morning :)

Chuck

On Wed, May 4, 2016 at 11:39 PM, Mathew Howard <mhoward...@gmail.com>
wrote:


5.6.2, I think, fixed one of the more serious security flaws, and that
was released less than a year ago... and it looks like 5.6.3 and 5.6.4
(which was released very recently) also had security fixes. I believe 
most
of those vulnerabilities applied to the AC and airFiber firmware as 
well.


Ubiquiti has been good about releasing fixes quickly when they find
vulnerabilities, but that doesn't help if nobody bothers to update 
anything.


On Wed, May 4, 2016 at 9:12 PM, Eric Kuhnke <eric.kuh...@gmail.com>
wrote:


I know about the very old firmware version for M series stuff that is
vulnerable to a known worm.

But let's assume you do have ubnt devices with public IPs (which is a
bad idea). What's the attack surface? http, https, ssh, snmp

Provided you have chosen a reasonably complex admin login and password
there are no current, known remote root exploits for current (or within 
the

past 2 years) ubnt firmware on M or AC devices, right?


On Wed, May 4, 2016 at 7:00 PM, Josh Luthman
<j...@imaginenetworksllc.com> wrote:


Public IP on Ubnt.  What else do you need to know?

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On May 4, 2016 9:59 PM, "Eric Kuhnke" <eric.kuh...@gmail.com> wrote:


The thread got this far and no one has wondered how the CPE was pwned
in the first place?

On Wed, May 4, 2016 at 6:55 PM, Mathew Howard <mhoward...@gmail.com>
wrote:


Yeah, I looked at setting it up that way at one point, but something
didn't look like it was going to work quite the way I wanted it 
to... but I
probably spent all of five minutes on it, so it may very well be 
possible.

The way ePMP does it is really nice though... and simple.

On Wed, May 4, 2016 at 8:38 PM, Josh Luthman
<j...@imaginenetworksllc.com> wrote:


People do it for sure.  I want to say there was an example on the
forums or somewhere...

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On May 4, 2016 9:35 PM, "Mathew Howard" <mhoward...@gmail.com>
wrote:


I have our ePMPs set up to get their public IP via PPPoE, and the
radio also gets a completely separate private management IP via 
DHCP, which
is the only way you can remotely access the radio, and it doesn't 
even have
to be in a separate vlan unless you want it to be... and it's one 
checkbox

to configure it.

I'm not sure if that can be duplicated on UBNT or not, since I
haven't really tried yet, but at the very least it's a lot more 
complicated

to configure.



On Wed, May 4, 2016 at 7:04 PM, Josh Lut

Re: [AFMUG] UBNT CPE being used for Abusive actions?

2016-05-05 Thread Chuck Macenski
:)


On Thu, May 5, 2016 at 1:39 PM, Josh Reynolds <j...@kyneticwifi.com> wrote:

> Why? He's busy making nice products that Mimosa won't like so much :P
>
> On Thu, May 5, 2016 at 1:38 PM, Chuck McCown <ch...@wbmfg.com> wrote:
> > I think it would be exciting if Chuck Macenski’s email address all of a
> > sudden was a Mimosa domain
> >
> > From: Chuck Macenski
> > Sent: Thursday, May 05, 2016 12:36 PM
> > To: af@afmug.com
> > Subject: Re: [AFMUG] UBNT CPE being used for Abusive actions?
> >
> > I don't mean to be touchy about it, but, if I had a quarter for every
> time
> > someone said "I had this nano-station 5 years ago that had this issue
> they
> > fixed in software so you must have that issue too", I'd have a lot of
> > quarters. Maybe not enough to buy a Tesla, but, a lot of quarters...
> >
> > On Thu, May 5, 2016 at 1:26 PM, Josh Baird <joshba...@gmail.com> wrote:
> >>
> >> Um, well, airFiber IS a Ubiquiti product, so it's not that stupid.  They
> >> may run different operating systems, be designed by different teams and
> have
> >> different feature sets, but it still says Ubiquiti on it.
> >>
> >> On Thu, May 5, 2016 at 11:17 AM, Chuck Macenski <ch...@macenski.com>
> >> wrote:
> >>>
> >>> I hate it when people lump airFiber into these things. I know of no
> >>> security holes in airFiber that don't require you to already be logged
> into
> >>> the unit (where you can change the configuration until your heart's
> >>> content). AirFiber also supports a very simple to configure management
> VLAN
> >>> (I don't know how it could be simpler) to keep inband management
> traffic away
> >>> from the IP of the unit. If that isn't enough, you can simply disable
> inband
> >>> management and use the out-of-band management port; no one can then
> access
> >>> the management traffic from the user traffic flows.
> >>>
> >>> Good morning :)
> >>>
> >>> Chuck
> >>>
> >>> On Wed, May 4, 2016 at 11:39 PM, Mathew Howard <mhoward...@gmail.com>
> >>> wrote:
> >>>>
> >>>> 5.6.2, I think, fixed one of the more serious security flaws, and
> that
> >>>> was released less than a year ago... and it looks like 5.6.3 and 5.6.4
> >>>> (which was released very recently) also had security fixes. I believe
> most
> >>>> of those vulnerabilities applied to the AC and airFiber firmware as
> well.
> >>>>
> >>>> Ubiquiti has been good about releasing fixes quickly when they find
> >>>> vulnerabilities, but that doesn't help if nobody bothers to update
> anything.
> >>>>
> >>>> On Wed, May 4, 2016 at 9:12 PM, Eric Kuhnke <eric.kuh...@gmail.com>
> >>>> wrote:
> >>>>>
> >>>>> I know about the very old firmware version for M series stuff that is
> >>>>> vulnerable to a known worm.
> >>>>>
> >>>>> But let's assume you do have ubnt devices with public IPs (which is a
> >>>>> bad idea). What's the attack surface? http, https, ssh, snmp
> >>>>>
> >>>>> Provided you have chosen a reasonably complex admin login and
> password
> >>>>> there are no current, known remote root exploits for current (or
> within the
> >>>>> past 2 years) ubnt firmware on M or AC devices, right?
> >>>>>
> >>>>>
> >>>>> On Wed, May 4, 2016 at 7:00 PM, Josh Luthman
> >>>>> <j...@imaginenetworksllc.com> wrote:
> >>>>>>
> >>>>>> Public IP on Ubnt.  What else do you need to know?
> >>>>>>
> >>>>>> Josh Luthman
> >>>>>> Office: 937-552-2340
> >>>>>> Direct: 937-552-2343
> >>>>>> 1100 Wayne St
> >>>>>> Suite 1337
> >>>>>> Troy, OH 45373
> >>>>>>
> >>>>>> On May 4, 2016 9:59 PM, "Eric Kuhnke" <eric.kuh...@gmail.com>
> wrote:
> >>>>>>>
> >>>>>>> The thread got this far and no one has wondered how the CPE was
> pwned
> >>>>>>> in the first place?
> >>>>>>>
> >>>>>>> On Wed, May 4, 2016 at 6:55 PM, Mathew Howard <
> mhoward...@gmail.com>

Re: [AFMUG] UBNT CPE being used for Abusive actions?

2016-05-05 Thread Josh Reynolds
Why? He's busy making nice products that Mimosa won't like so much :P

On Thu, May 5, 2016 at 1:38 PM, Chuck McCown <ch...@wbmfg.com> wrote:
> I think it would be exciting if Chuck Macenski’s email address all of a
> sudden was a Mimosa domain
>
> From: Chuck Macenski
> Sent: Thursday, May 05, 2016 12:36 PM
> To: af@afmug.com
> Subject: Re: [AFMUG] UBNT CPE being used for Abusive actions?
>
> I don't mean to be touchy about it, but, if I had a quarter for every time
> someone said "I had this nano-station 5 years ago that had this issue they
> fixed in software so you must have that issue too", I'd have a lot of
> quarters. Maybe not enough to buy a Tesla, but, a lot of quarters...
>
> On Thu, May 5, 2016 at 1:26 PM, Josh Baird <joshba...@gmail.com> wrote:
>>
>> Um, well, airFiber IS a Ubiquiti product, so it's not that stupid.  They
>> may run different operating systems, be designed by different teams and have
>> different feature sets, but it still says Ubiquiti on it.
>>
>> On Thu, May 5, 2016 at 11:17 AM, Chuck Macenski <ch...@macenski.com>
>> wrote:
>>>
>>> I hate it when people lump airFiber into these things. I know of no
>>> security holes in airFiber that don't require you to already be logged into
>>> the unit (where you can change the configuration until your heart's
>>> content). AirFiber also supports a very simple to configure management VLAN
>>> (I don't know how it could be simpler) to keep inband management traffic away
>>> from the IP of the unit. If that isn't enough, you can simply disable inband
>>> management and use the out-of-band management port; no one can then access
>>> the management traffic from the user traffic flows.
>>>
>>> Good morning :)
>>>
>>> Chuck
>>>
>>> On Wed, May 4, 2016 at 11:39 PM, Mathew Howard <mhoward...@gmail.com>
>>> wrote:
>>>>
>>>> 5.6.2, I think, fixed one of the more serious security flaws, and that
>>>> was released less than a year ago... and it looks like 5.6.3 and 5.6.4
>>>> (which was released very recently) also had security fixes. I believe most
>>>> of those vulnerabilities applied to the AC and airFiber firmware as well.
>>>>
>>>> Ubiquiti has been good about releasing fixes quickly when they find
>>>> vulnerabilities, but that doesn't help if nobody bothers to update 
>>>> anything.
>>>>
>>>> On Wed, May 4, 2016 at 9:12 PM, Eric Kuhnke <eric.kuh...@gmail.com>
>>>> wrote:
>>>>>
>>>>> I know about the very old firmware version for M series stuff that is
>>>>> vulnerable to a known worm.
>>>>>
>>>>> But let's assume you do have ubnt devices with public IPs (which is a
>>>>> bad idea). What's the attack surface? http, https, ssh, snmp
>>>>>
>>>>> Provided you have chosen a reasonably complex admin login and password
>>>>> there are no current, known remote root exploits for current (or within 
>>>>> the
>>>>> past 2 years) ubnt firmware on M or AC devices, right?
>>>>>
>>>>>
>>>>> On Wed, May 4, 2016 at 7:00 PM, Josh Luthman
>>>>> <j...@imaginenetworksllc.com> wrote:
>>>>>>
>>>>>> Public IP on Ubnt.  What else do you need to know?
>>>>>>
>>>>>> Josh Luthman
>>>>>> Office: 937-552-2340
>>>>>> Direct: 937-552-2343
>>>>>> 1100 Wayne St
>>>>>> Suite 1337
>>>>>> Troy, OH 45373
>>>>>>
>>>>>> On May 4, 2016 9:59 PM, "Eric Kuhnke" <eric.kuh...@gmail.com> wrote:
>>>>>>>
>>>>>>> The thread got this far and no one has wondered how the CPE was pwned
>>>>>>> in the first place?
>>>>>>>
>>>>>>> On Wed, May 4, 2016 at 6:55 PM, Mathew Howard <mhoward...@gmail.com>
>>>>>>> wrote:
>>>>>>>>
>>>>>>>> Yeah, I looked at setting it up that way at one point, but something
>>>>>>>> didn't look like it was going to work quite the way I wanted it to... 
>>>>>>>> but I
>>>>>>>> probably spent all of five minutes on it, so it may very well be 
>>>>>>>> possible.
>>>>>>>> The way ePMP does it is really nice though... and simple.
>>

Re: [AFMUG] UBNT CPE being used for Abusive actions?

2016-05-05 Thread Chuck McCown
I think it would be exciting if Chuck Macenski’s email address all of a sudden 
was a Mimosa domain

From: Chuck Macenski 
Sent: Thursday, May 05, 2016 12:36 PM
To: af@afmug.com 
Subject: Re: [AFMUG] UBNT CPE being used for Abusive actions?

I don't mean to be touchy about it, but, if I had a quarter for every time 
someone said "I had this nano-station 5 years ago that had this issue they 
fixed in software so you must have that issue too", I'd have a lot of quarters. 
Maybe not enough to buy a Tesla, but, a lot of quarters...

On Thu, May 5, 2016 at 1:26 PM, Josh Baird <joshba...@gmail.com> wrote:

  Um, well, airFiber IS a Ubiquiti product, so it's not that stupid.  They may 
run different operating systems, be designed by different teams and have 
different feature sets, but it still says Ubiquiti on it.

  On Thu, May 5, 2016 at 11:17 AM, Chuck Macenski <ch...@macenski.com> wrote:

I hate it when people lump airFiber into these things. I know of no 
security holes in airFiber that don't require you to already be logged into the 
unit (where you can change the configuration until your heart's content). 
AirFiber also supports a very simple to configure management VLAN (I don't know 
how it could be simpler) to keep inband management traffic away from the IP of 
the unit. If that isn't enough, you can simply disable inband management and 
use the out-of-band management port; no one can then access the management 
traffic from the user traffic flows. 

Good morning :)

Chuck

On Wed, May 4, 2016 at 11:39 PM, Mathew Howard <mhoward...@gmail.com> wrote:

  5.6.2, I think, fixed one of the more serious security flaws, and that 
was released less than a year ago... and it looks like 5.6.3 and 5.6.4 (which 
was released very recently) also had security fixes. I believe most of those 
vulnerabilities applied to the AC and airFiber firmware as well. 


  Ubiquiti has been good about releasing fixes quickly when they find 
vulnerabilities, but that doesn't help if nobody bothers to update anything.


  On Wed, May 4, 2016 at 9:12 PM, Eric Kuhnke <eric.kuh...@gmail.com> wrote:

I know about the very old firmware version for M series stuff that is 
vulnerable to a known worm.


But let's assume you do have ubnt devices with public IPs (which is a 
bad idea). What's the attack surface? http, https, ssh, snmp


Provided you have chosen a reasonably complex admin login and password 
there are no current, known remote root exploits for current (or within the 
past 2 years) ubnt firmware on M or AC devices, right?



On Wed, May 4, 2016 at 7:00 PM, Josh Luthman 
<j...@imaginenetworksllc.com> wrote:

  Public IP on Ubnt.  What else do you need to know?

  Josh Luthman
  Office: 937-552-2340
  Direct: 937-552-2343
  1100 Wayne St
  Suite 1337
  Troy, OH 45373

  On May 4, 2016 9:59 PM, "Eric Kuhnke" <eric.kuh...@gmail.com> wrote:

The thread got this far and no one has wondered how the CPE was 
pwned in the first place?  


On Wed, May 4, 2016 at 6:55 PM, Mathew Howard 
<mhoward...@gmail.com> wrote:

  Yeah, I looked at setting it up that way at one point, but 
something didn't look like it was going to work quite the way I wanted it to... 
but I probably spent all of five minutes on it, so it may very well be 
possible. The way ePMP does it is really nice though... and simple.


  On Wed, May 4, 2016 at 8:38 PM, Josh Luthman 
<j...@imaginenetworksllc.com> wrote:

People do it for sure.  I want to say there was an example on 
the forums or somewhere...

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On May 4, 2016 9:35 PM, "Mathew Howard" <mhoward...@gmail.com> 
wrote:

  I have our ePMPs set up to get their public IP via PPPoE, and 
the radio also gets a completely separate private management IP via DHCP, which 
is the only way you can remotely access the radio, and it doesn't even have to 
be in a separate vlan unless you want it to be... and it's one checkbox to 
configure it.


  I'm not sure if that can be duplicated on UBNT or not, since 
I haven't really tried yet, but at the very least it's a lot more complicated 
to configure.




  On Wed, May 4, 2016 at 7:04 PM, Josh Luthman 
<j...@imaginenetworksllc.com> wrote:

It does...you just need to set it up that way.



Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373


On Wed, May
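An added example, not from the thread or any of its participants, that turns the advice above into a fleet audit: it flags radios whose management address is outside RFC1918 space together with the exposed services the thread lists (http/https/ssh/snmp), firmware older than 5.6.2 (the release named here as carrying a serious fix), radios that no longer answer remote management, reboots clustered in time the way Adam describes, and abuse-notice attempts that postdate such a reboot. The Radio fields, the version threshold and all sample data are assumptions constructed for the example.

```python
"""Fleet audit for the pattern in this thread: CPE radios whose management is
reachable from the public Internet, stale firmware, a burst of near-simultaneous
reboots, and an abuse notice reporting SMTP/IMAP brute-force from their IPs.
The inventory and the abuse lines below are constructed sample data."""
import ipaddress
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# RFC1918 space: the thread's advice is to keep CPE management addresses here.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# The thread names 5.6.2 as fixing a serious flaw, with more fixes in 5.6.3
# and 5.6.4; treating anything older as stale is this example's assumption.
MIN_FIRMWARE = (5, 6, 2)
# The remote attack surface the thread lists for a radio with a public IP.
MGMT_SERVICES = {"http", "https", "ssh", "snmp"}
# Per-attempt line format of the abuse notice quoted in the thread.
ABUSE_LINE = re.compile(r'^(\S+) with username "([^"]*)"')


@dataclass
class Radio:
    name: str
    mgmt_ip: str          # address the management interface answers on
    firmware: str         # airOS-style dotted version, e.g. "5.6.4"
    last_boot: datetime   # tz-aware
    reachable: bool       # did our own remote management login succeed?
    services: set = field(default_factory=lambda: {"http", "ssh"})


def in_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def version_tuple(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def parse_abuse_report(text: str) -> list:
    """Return (timestamp, username) for each attempt line in the notice."""
    events = []
    for line in text.splitlines():
        m = ABUSE_LINE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2)))
    return events


def audit(radios, abuse_events=(), window=timedelta(hours=2), min_cluster=3):
    """Map each radio name to the list of findings raised against it."""
    findings = {r.name: [] for r in radios}
    for r in radios:
        if not in_rfc1918(r.mgmt_ip):
            exposed = ",".join(sorted(r.services & MGMT_SERVICES))
            findings[r.name].append("public-mgmt:" + exposed)
        if version_tuple(r.firmware) < MIN_FIRMWARE:
            findings[r.name].append("stale-firmware")
        if not r.reachable:
            findings[r.name].append("unreachable")
    # Adam's signal: several radios rebooted in sequence around the same time.
    for r in radios:
        peers = [o for o in radios if abs(o.last_boot - r.last_boot) <= window]
        if len(peers) >= min_cluster:
            findings[r.name].append("reboot-cluster")
    # For radios in a reboot cluster, count abuse attempts logged after the
    # reboot: attempts that postdate it fit the "radio turned into a bot" story.
    for r in radios:
        if "reboot-cluster" in findings[r.name]:
            after = sum(1 for t, _ in abuse_events if t > r.last_boot)
            if after:
                findings[r.name].append(f"abuse-after-reboot:{after}")
    return findings


UTC = timezone.utc
SAMPLE_RADIOS = [  # constructed inventory; 203.0.113.0/24 is documentation space
    Radio("cpe-01", "203.0.113.10", "5.5.10", datetime(2016, 5, 2, 21, 0, tzinfo=UTC), False),
    Radio("cpe-02", "203.0.113.11", "5.5.10", datetime(2016, 5, 2, 21, 12, tzinfo=UTC), False),
    Radio("cpe-03", "203.0.113.12", "5.6.2", datetime(2016, 5, 2, 21, 25, tzinfo=UTC), False),
    Radio("cpe-04", "10.20.0.40", "5.6.4", datetime(2016, 3, 1, 9, 0, tzinfo=UTC), True),
    Radio("cpe-05", "172.20.5.5", "5.6.4", datetime(2016, 4, 10, 9, 0, tzinfo=UTC), True),
]
SAMPLE_ABUSE = """\
2016-05-04T23:48:40+02:00 with username "info" (spamtrap account)
2016-05-04T22:47:19+02:00 with username "sp_woq" (spamtrap account)
2016-05-03T21:24:22+02:00 with username "fips" (spamtrap account)
2016-05-03T05:34:43+02:00 with username "12345678" (spamtrap account)
"""

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_RADIOS, parse_abuse_report(SAMPLE_ABUSE)).items():
        print(f"{name}: {', '.join(issues) or 'ok'}")
```

A radio that shows up with a public management address, a clustered reboot and abuse attempts after it is the one to pull from the tower first; the private-address radios with current firmware come back clean.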

Re: [AFMUG] UBNT CPE being used for Abusive actions?

2016-05-05 Thread Josh Reynolds
>>>>>>>> On May 4, 2016 9:35 PM, "Mathew Howard" <mhoward...@gmail.com>
>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>> I have our ePMPs set up to get their public IP via PPPoE, and the
>>>>>>>>> radio also gets a completely separate private management IP via DHCP, 
>>>>>>>>> which
>>>>>>>>> is the only way you can remotely access the radio, and it doesn't 
>>>>>>>>> even have
>>>>>>>>> to be in a separate vlan unless you want it to be... and it's one 
>>>>>>>>> checkbox
>>>>>>>>> to configure it.
>>>>>>>>>
>>>>>>>>> I'm not sure if that can be duplicated on UBNT or not, since I
>>>>>>>>> haven't really tried yet, but at the very least it's a lot more 
>>>>>>>>> complicated
>>>>>>>>> to configure.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Wed, May 4, 2016 at 7:04 PM, Josh Luthman
>>>>>>>>> <j...@imaginenetworksllc.com> wrote:
>>>>>>>>>>
>>>>>>>>>> It does...you just need to set it up that way.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Josh Luthman
>>>>>>>>>> Office: 937-552-2340
>>>>>>>>>> Direct: 937-552-2343
>>>>>>>>>> 1100 Wayne St
>>>>>>>>>> Suite 1337
>>>>>>>>>> Troy, OH 45373
>>>>>>>>>>
>>>>>>>>>> On Wed, May 4, 2016 at 7:54 PM, Mathew Howard
>>>>>>>>>> <mhoward...@gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>> I really wish Ubiquiti radios had a separate management vlan
>>>>>>>>>>> option (in router mode), like ePMP does...
>>>>>>>>>>>
>>>>>>>>>>> On Wed, May 4, 2016 at 6:10 PM, Josh Reynolds
>>>>>>>>>>> <j...@kyneticwifi.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> I would encourage you to put your CPEs on a management vlan, in
>>>>>>>>>>>> RFC1918 space.
>>>>>>>>>>>>
>>>>>>>>>>>> On Wed, May 4, 2016 at 6:00 PM, SmarterBroadband
>>>>>>>>>>>> <li...@smarterbroadband.com> wrote:
>>>>>>>>>>>> > Hi Tushar
>>>>>>>>>>>> >
>>>>>>>>>>>> >
>>>>>>>>>>>> >
>>>>>>>>>>>> > We run all radios in NAT mode.
>>>>>>>>>>>> >
>>>>>>>>>>>> >
>>>>>>>>>>>> >
>>>>>>>>>>>> > Adam
>>>>>>>>>>>> >
>>>>>>>>>>>> >
>>>>>>>>>>>> >
>>>>>>>>>>>> > From: Af [mailto:af-boun...@afmug.com] On Behalf Of Tushar
>>>>>>>>>>>> > Patel
>>>>>>>>>>>> > Sent: Wednesday, May 04, 2016 3:34 PM
>>>>>>>>>>>> > To: af@afmug.com
>>>>>>>>>>>> > Subject: Re: [AFMUG] UBNT CPE being used for Abusive actions?
>>>>>>>>>>>> >
>>>>>>>>>>>> >
>>>>>>>>>>>> >
>>>>>>>>>>>> > Radios could be put on private ip so nobody from outside world
>>>>>>>>>>>> > can access
>>>>>>>>>>>> > it. That is what we do.
>>>>>>>>>>>> >
>>>>>>>>>>>> > Tushar
>>>>>>>>>>>> >
>>>>>>>>>>>> >
>>>>>>>>>>>> >
>>>>>>>>>>>> >
>>

Re: [AFMUG] UBNT CPE being used for Abusive actions?

2016-05-05 Thread Chuck Macenski

Re: [AFMUG] UBNT CPE being used for Abusive actions?

2016-05-05 Thread Josh Baird
t, since I
>>>>>>>> haven't really tried yet, but at the very least it's a lot more 
>>>>>>>> complicated
>>>>>>>> to configure.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Wed, May 4, 2016 at 7:04 PM, Josh Luthman <
>>>>>>>> j...@imaginenetworksllc.com> wrote:
>>>>>>>>
>>>>>>>>> It does...you just need to set it up that way.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Josh Luthman
>>>>>>>>> Office: 937-552-2340
>>>>>>>>> Direct: 937-552-2343
>>>>>>>>> 1100 Wayne St
>>>>>>>>> Suite 1337
>>>>>>>>> Troy, OH 45373
>>>>>>>>>
>>>>>>>>> On Wed, May 4, 2016 at 7:54 PM, Mathew Howard <
>>>>>>>>> mhoward...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> I really wish Ubiquiti radios had a separate management vlan
>>>>>>>>>> option (in router mode), like ePMP does...
>>>>>>>>>>
>>>>>>>>>> On Wed, May 4, 2016 at 6:10 PM, Josh Reynolds <
>>>>>>>>>> j...@kyneticwifi.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> I would encourage you to put your CPEs on a management vlan, in
>>>>>>>>>>> RFC1918 space.
>>>>>>>>>>>
>>>>>>>>>>> On Wed, May 4, 2016 at 6:00 PM, SmarterBroadband
>>>>>>>>>>> <li...@smarterbroadband.com> wrote:
>>>>>>>>>>> > Hi Tushar
>>>>>>>>>>> >
>>>>>>>>>>> >
>>>>>>>>>>> >
>>>>>>>>>>> > We run all radios in NAT mode.
>>>>>>>>>>> >
>>>>>>>>>>> >
>>>>>>>>>>> >
>>>>>>>>>>> > Adam
>>>>>>>>>>> >
>>>>>>>>>>> >
>>>>>>>>>>> >
>>>>>>>>>>> > From: Af [mailto:af-boun...@afmug.com] On Behalf Of Tushar
>>>>>>>>>>> Patel
>>>>>>>>>>> > Sent: Wednesday, May 04, 2016 3:34 PM
>>>>>>>>>>> > To: af@afmug.com
>>>>>>>>>>> > Subject: Re: [AFMUG] UBNT CPE being used for Abusive actions?
>>>>>>>>>>> >
>>>>>>>>>>> >
>>>>>>>>>>> >
>>>>>>>>>>> > Radios could be put on private ip so nobody from outside world
>>>>>>>>>>> can access
>>>>>>>>>>> > it. That is what we do.
>>>>>>>>>>> >
>>>>>>>>>>> > Tushar
>>>>>>>>>>> >
>>>>>>>>>>> >
>>>>>>>>>>> >
>>>>>>>>>>> >
>>>>>>>>>>> > On May 4, 2016, at 5:22 PM, SmarterBroadband <
>>>>>>>>>>> li...@smarterbroadband.com>
>>>>>>>>>>> > wrote:
>>>>>>>>>>> >
>>>>>>>>>>> > I have received a number of emails for ab...@light-gap.net
>>>>>>>>>>> saying certain of
>>>>>>>>>>> > our IP address are being used for attacks (see email text
>>>>>>>>>>> below).
>>>>>>>>>>> >
>>>>>>>>>>> >
>>>>>>>>>>> >
>>>>>>>>>>> > All IP addresses are in UBNT radios.  We are unable to remote
>>>>>>>>>>> access any of
>>>>>>>>>>> > these radios now.  We see that the radio we are unable to
>>>>>>>>>>> access
>>>>>>>>>>> > rebooted a couple of days ago.  A number of other radios show
>>>>>>>>>>> they rebooted
>>>>>>>>>>> > around the same time (in sequence) on the AP.  We are unable
>>>>>>>>>>> to remote
>>>>>>>>>>> > access any of those either. Other radios with longer uptime on
>>>>>>>>>>> the AP’s are
>>>>>>>>>>> > fine.
>>>>>>>>>>> >
>>>>>>>>>>> >
>>>>>>>>>>> >
>>>>>>>>>>> > We have a tech en route to one of the customer sites.
>>>>>>>>>>> >
>>>>>>>>>>> >
>>>>>>>>>>> >
>>>>>>>>>>> > We think the radios are being made into bots.  Anyone seen
>>>>>>>>>>> this or anything
>>>>>>>>>>> > like this?  Do the hackers need a username and password to
>>>>>>>>>>> hack a radio?
>>>>>>>>>>> > I.E.  Would a change of the password stop the changes being
>>>>>>>>>>> made to the
>>>>>>>>>>> > radios?  Any other thoughts, suggestions or ideas?
>>>>>>>>>>> >
>>>>>>>>>>> >
>>>>>>>>>>> >
>>>>>>>>>>> > Thanks
>>>>>>>>>>> >
>>>>>>>>>>> >
>>>>>>>>>>> >
>>>>>>>>>>> > Adam
>>>>>>>>>>> >
>>>>>>>>>>> >
>>>>>>>>>>> >
>>>>>>>>>>> > Email Text below:
>>>>>>>>>>> >
>>>>>>>>>>> >
>>>>>>>>>>> >
>>>>>>>>>>> > “This is a semi-automated e-mail from the LG-Mailproxy
>>>>>>>>>>> authentication
>>>>>>>>>>> > system, all requests have been approved manually by the
>>>>>>>>>>> > system-administrators or are obviously unwanted (eg. requests
>>>>>>>>>>> to our
>>>>>>>>>>> > spamtraps).
>>>>>>>>>>> >
>>>>>>>>>>> > For further questions or if additional information is needed
>>>>>>>>>>> please reply to
>>>>>>>>>>> > this email.
>>>>>>>>>>> >
>>>>>>>>>>> >
>>>>>>>>>>> >
>>>>>>>>>>> > The IP xxx.xxx.xxx.xxx has been banned for 48 hours due to
>>>>>>>>>>> suspicious
>>>>>>>>>>> > behaviour on our system.
>>>>>>>>>>> >
>>>>>>>>>>> > This happened already 1 times.
>>>>>>>>>>> >
>>>>>>>>>>> > It might be be part of a botnet, infected by a trojan/virus or
>>>>>>>>>>> running
>>>>>>>>>>> > brute-force attacks.
>>>>>>>>>>> >
>>>>>>>>>>> >
>>>>>>>>>>> >
>>>>>>>>>>> > Our affected destination servers: smtp.light-gap.net,
>>>>>>>>>>> imap.light-gap.net
>>>>>>>>>>> >
>>>>>>>>>>> >
>>>>>>>>>>> >
>>>>>>>>>>> > Currently 7 failed/unauthorized logins attempts via SMTP/IMAP
>>>>>>>>>>> with 6
>>>>>>>>>>> > different usernames and wrong password:
>>>>>>>>>>> >
>>>>>>>>>>> > 2016-05-04T23:48:40+02:00 with username "
>>>>>>>>>>> downloads.openscience.or.at"
>>>>>>>>>>> > (spamtrap account)
>>>>>>>>>>> >
>>>>>>>>>>> > 2016-05-04T22:47:19+02:00 with username "sp_woq" (spamtrap
>>>>>>>>>>> account)
>>>>>>>>>>> >
>>>>>>>>>>> > 2016-05-04T14:55:11+02:00 with username "info" (spamtrap
>>>>>>>>>>> account)
>>>>>>>>>>> >
>>>>>>>>>>> > 2016-05-03T21:24:22+02:00 with username "fips" (spamtrap
>>>>>>>>>>> account)
>>>>>>>>>>> >
>>>>>>>>>>> > 2016-05-03T20:57:19+02:00 with username "
>>>>>>>>>>> downloads.openscience.or.at"
>>>>>>>>>>> > (spamtrap account)
>>>>>>>>>>> >
>>>>>>>>>>> > 2016-05-03T10:13:59+02:00 with username "d10hw49WpH" (spamtrap
>>>>>>>>>>> account)
>>>>>>>>>>> >
>>>>>>>>>>> > 2016-05-03T05:34:43+02:00 with username "12345678" (spamtrap
>>>>>>>>>>> account)
>>>>>>>>>>> > Ongoing failed/unauthorized logins attempts will be logged and
>>>>>>>>>>> sent to you
>>>>>>>>>>> > every 24h until the IP will be permanently banned from our
>>>>>>>>>>> systems after 72
>>>>>>>>>>> > hours.
>>>>>>>>>>> >
>>>>>>>>>>> >
>>>>>>>>>>> >
>>>>>>>>>>> > The Light-Gap.net Abuse Team.”
>>>>>>>>>>> >
>>>>>>>>>>> >
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>
>>>>>
>>>
>>
>
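
A small parser for the LG-Mailproxy abuse-report format quoted above, added here as an example and not part of the thread: it pulls out the banned IP, the reporter's claimed counts and the individual attempts, then cross-checks the counts and computes the time window an operator would match against the CPE reboot times seen on the AP. The report text is a constructed sample in the same shape as the Light-Gap e-mail (unwrapped, with a documentation-range placeholder in place of xxx.xxx.xxx.xxx).

```python
"""Triage helper for Light-Gap / LG-Mailproxy style abuse reports.

Added example, not code from the thread. Python 3.7+ (datetime.fromisoformat).
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the format of the quoted abuse e-mail. The IP is a
# documentation-range placeholder; the usernames/timestamps are the ones the
# thread quotes.
SAMPLE_REPORT = """\
The IP 192.0.2.45 has been banned for 48 hours due to suspicious
behaviour on our system.

This happened already 1 times.

Our affected destination servers: smtp.light-gap.net, imap.light-gap.net

Currently 7 failed/unauthorized logins attempts via SMTP/IMAP with 6
different usernames and wrong password:

2016-05-04T23:48:40+02:00 with username "downloads.openscience.or.at" (spamtrap account)
2016-05-04T22:47:19+02:00 with username "sp_woq" (spamtrap account)
2016-05-04T14:55:11+02:00 with username "info" (spamtrap account)
2016-05-03T21:24:22+02:00 with username "fips" (spamtrap account)
2016-05-03T20:57:19+02:00 with username "downloads.openscience.or.at" (spamtrap account)
2016-05-03T10:13:59+02:00 with username "d10hw49WpH" (spamtrap account)
2016-05-03T05:34:43+02:00 with username "12345678" (spamtrap account)
"""

BANNED_RE = re.compile(r"The IP (\S+) has been banned for (\d+) hours")
# The claimed totals may be wrapped across lines, hence re.S and \s+.
CLAIM_RE = re.compile(
    r"Currently (\d+) failed/unauthorized logins? attempts.*?with (\d+)\s+different usernames",
    re.S,
)
# One attempt per line: ISO-8601 timestamp with offset, then the username.
ATTEMPT_RE = re.compile(
    r'^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2}) with username "([^"]*)"',
    re.M,
)


def parse_report(text):
    """Return the banned IP, ban length, claimed counts and the attempts
    (as (aware datetime, username) tuples, oldest first)."""
    ban = BANNED_RE.search(text)
    if not ban:
        raise ValueError("no ban line found; not an LG-Mailproxy report?")
    claim = CLAIM_RE.search(text)
    attempts = [(datetime.fromisoformat(ts), user) for ts, user in ATTEMPT_RE.findall(text)]
    attempts.sort()
    return {
        "ip": ban.group(1),
        "ban_hours": int(ban.group(2)),
        "claimed_attempts": int(claim.group(1)) if claim else None,
        "claimed_usernames": int(claim.group(2)) if claim else None,
        "attempts": attempts,
    }


def summarise(report):
    """Cross-check the reporter's totals against the listed attempts and give
    the window the activity spans, for matching against radio reboot times."""
    attempts = report["attempts"]
    if not attempts:
        raise ValueError("report lists no attempts")
    users = Counter(user for _, user in attempts)
    first, last = attempts[0][0], attempts[-1][0]
    return {
        "attempts_listed": len(attempts),
        "distinct_usernames": len(users),
        "counts_match": (len(attempts) == report["claimed_attempts"]
                         and len(users) == report["claimed_usernames"]),
        "first_seen": first,
        "last_seen": last,
        "span_hours": (last - first).total_seconds() / 3600,
        "most_common": users.most_common(1)[0],
    }


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print("reported IP:", rep["ip"], "banned for", rep["ban_hours"], "h")
    for key, value in summarise(rep).items():
        print(f"{key}: {value}")
```

The timestamps carry the reporter's +02:00 offset, so convert to local time before comparing with the AP's uptime counters.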


Re: [AFMUG] UBNT CPE being used for Abusive actions?

2016-05-05 Thread Ken Hohhof
I’m on the list now for Professor Proton to visit, I’ll contact you after that.

From: Chuck Macenski 
Sent: Thursday, May 05, 2016 12:07 PM
To: af@afmug.com 
Subject: Re: [AFMUG] UBNT CPE being used for Abusive actions?

I can add you to the list. There is a fee for this service, however :)

On Thu, May 5, 2016 at 11:28 AM, Ken Hohhof <af...@kwisp.com> wrote:

  Chuck M will come to my house?  And bring Legos?  Where do I sign up?


  From: That One Guy /sarcasm 
  Sent: Thursday, May 05, 2016 10:53 AM
  To: af@afmug.com 
  Subject: Re: [AFMUG] UBNT CPE being used for Abusive actions?

  Chuck M will come to your house and put legos in all your shoes if you 
badmouth the airfiber :-)

  On Thu, May 5, 2016 at 10:17 AM, Chuck Macenski <ch...@macenski.com> wrote:

I hate it when people lump airFiber into these things. I know of no 
security holes in airFiber that don't require you to already be logged into the 
unit (where you can change the configuration until your heart's content). 
AirFiber also supports a very simple to configure management VLAN (I don't know 
how it could be simpler) to keep inband management traffic away from the IP of 
the unit. If that isn't enough, you can simply disable inband management and 
use the out-of-band management port; no one can then access the management 
traffic from the user traffic flows. 

Good morning :)

Chuck

On Wed, May 4, 2016 at 11:39 PM, Mathew Howard <mhoward...@gmail.com> wrote:

  5.6.2, I think, fixed one of the more serious security flaws, and that 
was released less than a year ago... and it looks like 5.6.3 and 5.6.4 (which 
was released very recently) also had security fixes. I believe most of those 
vulnerabilities applied to the AC and airFiber firmware as well. 


  Ubiquiti has been good about releasing fixes quickly when they find 
vulnerabilities, but that doesn't help if nobody bothers to update anything.


  On Wed, May 4, 2016 at 9:12 PM, Eric Kuhnke <eric.kuh...@gmail.com> wrote:

I know about the very old firmware version for M series stuff that is 
vulnerable to a known worm.


But let's assume you do have ubnt devices with public IPs (which is a 
bad idea). What's the attack surface? http, https, ssh, snmp


Provided you have chosen a reasonably complex admin login and password 
there are no current, known remote root exploits for current (or within the 
past 2 years) ubnt firmware on M or AC devices, right?



On Wed, May 4, 2016 at 7:00 PM, Josh Luthman 
<j...@imaginenetworksllc.com> wrote:

  Public IP on Ubnt.  What else do you need to know?

  Josh Luthman
  Office: 937-552-2340
  Direct: 937-552-2343
  1100 Wayne St
  Suite 1337
  Troy, OH 45373

  On May 4, 2016 9:59 PM, "Eric Kuhnke" <eric.kuh...@gmail.com> wrote:

The thread got this far and no one has wondered how the CPE was 
pwned in the first place?  


On Wed, May 4, 2016 at 6:55 PM, Mathew Howard 
<mhoward...@gmail.com> wrote:

  Yeah, I looked at setting it up that way at one point, but 
something didn't look like it was going to work quite the way I wanted it to... 
but I probably spent all of five minutes on it, so it may very well be 
possible. The way ePMP does it is really nice though... and simple.


  On Wed, May 4, 2016 at 8:38 PM, Josh Luthman 
<j...@imaginenetworksllc.com> wrote:

People do it for sure.  I want to say there was an example on 
the forums or somewhere...

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On May 4, 2016 9:35 PM, "Mathew Howard" <mhoward...@gmail.com> 
wrote:

  I have our ePMP's setup to get their public IP via PPPoE, and 
the radio also gets a completely separate private management IP via DHCP, which 
is the only way you can remotely access the radio, and it doesn't even have to 
be in a separate vlan unless you want it to be... and it's one checkbox to 
configure it.


  I'm not sure if that can be duplicated on UBNT or not, since 
I haven't really tried yet, but at the very least it's a lot more complicated 
to configure.




  On Wed, May 4, 2016 at 7:04 PM, Josh Luthman 
<j...@imaginenetworksllc.com> wrote:

It does...you just need to set it up that way.



Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373


On Wed, May 4, 2016 at 7:54 PM, Mathew Howard 
<mhoward...@gmail.com> wrote:

  I really wish U

Re: [AFMUG] UBNT CPE being used for Abusive actions?

2016-05-05 Thread Josh Reynolds
Ahhh.. the moto influence is strong in this one...


;)

On Thu, May 5, 2016 at 12:07 PM, Chuck Macenski <ch...@macenski.com> wrote:
> I can add you to the list. There is a fee for this service, however :)

Re: [AFMUG] UBNT CPE being used for Abusive actions?

2016-05-05 Thread Chuck Macenski
I can add you to the list. There is a fee for this service, however :)

On Thu, May 5, 2016 at 11:28 AM, Ken Hohhof <af...@kwisp.com> wrote:

> Chuck M will come to my house?  And bring Legos?  Where do I sign up?

Re: [AFMUG] UBNT CPE being used for Abusive actions?

2016-05-05 Thread Ken Hohhof
Chuck M will come to my house?  And bring Legos?  Where do I sign up?


From: That One Guy /sarcasm 
Sent: Thursday, May 05, 2016 10:53 AM
To: af@afmug.com 
Subject: Re: [AFMUG] UBNT CPE being used for Abusive actions?

Chuck M will come to your house and put legos in all your shoes if you badmouth 
the airfiber :-)


Re: [AFMUG] UBNT CPE being used for Abusive actions?

2016-05-05 Thread Josh Luthman


Re: [AFMUG] UBNT CPE being used for Abusive actions?

2016-05-05 Thread That One Guy /sarcasm
t, but at the very least it's a lot more 
>>>>>>>> complicated
>>>>>>>> to configure.
>>>>>>>>
>>>>>>>> On Wed, May 4, 2016 at 7:04 PM, Josh Luthman <j...@imaginenetworksllc.com> wrote:
>>>>>>>>
>>>>>>>>> It does...you just need to set it up that way.
>>>>>>>>>
>>>>>>>>> Josh Luthman
>>>>>>>>> Office: 937-552-2340
>>>>>>>>> Direct: 937-552-2343
>>>>>>>>> 1100 Wayne St
>>>>>>>>> Suite 1337
>>>>>>>>> Troy, OH 45373
>>>>>>>>>
>>>>>>>>> On Wed, May 4, 2016 at 7:54 PM, Mathew Howard <mhoward...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> I really wish Ubiquiti radios had a separate management vlan
>>>>>>>>>> option (in router mode), like ePMP does...
>>>>>>>>>>
>>>>>>>>>> On Wed, May 4, 2016 at 6:10 PM, Josh Reynolds <j...@kyneticwifi.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> I would encourage you to put your CPEs on a management vlan, in
>>>>>>>>>>> RFC1918 space.
>>>>>>>>>>>
>>>>>>>>>>> On Wed, May 4, 2016 at 6:00 PM, SmarterBroadband <li...@smarterbroadband.com> wrote:
>>>>>>>>>>> > Hi Tushar
>>>>>>>>>>> >
>>>>>>>>>>> > We run all radios in NAT mode.
>>>>>>>>>>> >
>>>>>>>>>>> > Adam
>>>>>>>>>>> >
>>>>>>>>>>> > From: Af [mailto:af-boun...@afmug.com] On Behalf Of Tushar Patel
>>>>>>>>>>> > Sent: Wednesday, May 04, 2016 3:34 PM
>>>>>>>>>>> > To: af@afmug.com
>>>>>>>>>>> > Subject: Re: [AFMUG] UBNT CPE being used for Abusive actions?
>>>>>>>>>>> >
>>>>>>>>>>> > Radios could be put on private IP so nobody from the outside world
>>>>>>>>>>> > can access it. That is what we do.
>>>>>>>>>>> >
>>>>>>>>>>> > Tushar
>>>>>>>>>>> >
>>>>>>>>>>> > On May 4, 2016, at 5:22 PM, SmarterBroadband <li...@smarterbroadband.com> wrote:
>>>>>>>>>>> >
>>>>>>>>>>> > I have received a number of emails for ab...@light-gap.net
>>>>>>>>>>> > saying certain of our IP addresses are being used for attacks
>>>>>>>>>>> > (see email text below).
>>>>>>>>>>> >
>>>>>>>>>>> > All IP addresses are in UBNT radios. We are unable to remote
>>>>>>>>>>> > access any of these radios now. We see that the radio we are
>>>>>>>>>>> > unable to access rebooted a couple of days ago. A number of
>>>>>>>>>>> > other radios show they rebooted around the same time (in
>>>>>>>>>>> > sequence) on the AP. We are unable to remote access any of
>>>>>>>>>>> > those either. Other radios with longer uptime on the APs are
>>>>>>>>>>> > fine.
>>>>>>>>>>> >
>>>>>>>>>>> > We have a tech en route to one of the customer sites.
>>>>>>>>>>> >
>>>>>>>>>>> > We think the radios are being made into bots. Anyone seen this
>>>>>>>>>>> > or anything like this? Do the hackers need a username and
>>>>>>>>>>> > password to hack a radio? I.e., would a change of the password
>>>>>>>>>>> > stop the changes being made to the radios? Any other thoughts,
>>>>>>>>>>> > suggestions or ideas?
>>>>>>>>>>> >
>>>>>>>>>>> > Thanks
>>>>>>>>>>> >
>>>>>>>>>>> > Adam
>>>>>>>>>>> >
>>>>>>>>>>> > Email text below:
>>>>>>>>>>> >
>>>>>>>>>>> > “This is a semi-automated e-mail from the LG-Mailproxy
>>>>>>>>>>> > authentication system, all requests have been approved manually
>>>>>>>>>>> > by the system-administrators or are obviously unwanted (eg.
>>>>>>>>>>> > requests to our spamtraps).
>>>>>>>>>>> >
>>>>>>>>>>> > For further questions or if additional information is needed
>>>>>>>>>>> > please reply to this email.
>>>>>>>>>>> >
>>>>>>>>>>> > The IP xxx.xxx.xxx.xxx has been banned for 48 hours due to
>>>>>>>>>>> > suspicious behaviour on our system.
>>>>>>>>>>> >
>>>>>>>>>>> > This happened already 1 times.
>>>>>>>>>>> >
>>>>>>>>>>> > It might be part of a botnet, infected by a trojan/virus or
>>>>>>>>>>> > running brute-force attacks.
>>>>>>>>>>> >
>>>>>>>>>>> > Our affected destination servers: smtp.light-gap.net,
>>>>>>>>>>> > imap.light-gap.net
>>>>>>>>>>> >
>>>>>>>>>>> > Currently 7 failed/unauthorized logins attempts via SMTP/IMAP
>>>>>>>>>>> > with 6 different usernames and wrong password:
>>>>>>>>>>> >
>>>>>>>>>>> > 2016-05-04T23:48:40+02:00 with username "downloads.openscience.or.at"
>>>>>>>>>>> > (spamtrap account)
>>>>>>>>>>> >
>>>>>>>>>>> > 2016-05-04T22:47:19+02:00 with username "sp_woq" (spamtrap account)
>>>>>>>>>>> >
>>>>>>>>>>> > 2016-05-04T14:55:11+02:00 with username "info" (spamtrap account)
>>>>>>>>>>> >
>>>>>>>>>>> > 2016-05-03T21:24:22+02:00 with username "fips" (spamtrap account)
>>>>>>>>>>> >
>>>>>>>>>>> > 2016-05-03T20:57:19+02:00 with username "downloads.openscience.or.at"
>>>>>>>>>>> > (spamtrap account)
>>>>>>>>>>> >
>>>>>>>>>>> > 2016-05-03T10:13:59+02:00 with username "d10hw49WpH" (spamtrap account)
>>>>>>>>>>> >
>>>>>>>>>>> > 2016-05-03T05:34:43+02:00 with username "12345678" (spamtrap account)
>>>>>>>>>>> >
>>>>>>>>>>> > Ongoing failed/unauthorized logins attempts will be logged and
>>>>>>>>>>> > sent to you every 24h until the IP will be permanently banned
>>>>>>>>>>> > from our systems after 72 hours.
>>>>>>>>>>> >
>>>>>>>>>>> > The Light-Gap.net Abuse Team.”
>>>>>>>>>>> >
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>
>>>>>
>>>
>>
>


-- 
If you only see yourself as part of the team but you don't see your team as
part of yourself you have already failed as part of the team.

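The abuse notice quoted above has a regular shape: a banned IP, a declared attempt count, and one timestamped line per failed login. The parser below is an added example, not code from the thread or from Light-Gap.net; it reads the notice as it is pasted in the archive (quote markers and mail wrapping included), normalises the timestamps to UTC, checks that the declared counts match the entries listed, and can answer which attempts post-date a device event such as the CPE reboots Adam describes. The SAMPLE_NOTICE text is constructed from the lines quoted above.

```python
"""Parse an LG-Mailproxy style abuse notice like the one quoted in this thread.
Added example, not code from the thread or from Light-Gap.net: it reads the notice
as pasted from the archive (quote markers and mail wrapping included), normalises
the attempt timestamps to UTC and cross-checks the counts the notice claims."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Set

# Constructed sample: the notice as it appears, quoted and wrapped, in the thread.
SAMPLE_NOTICE = """\
> The IP xxx.xxx.xxx.xxx has been banned for 48 hours due to suspicious
> behaviour on our system.
>
> Currently 7 failed/unauthorized logins attempts via SMTP/IMAP
with 6
> different usernames and wrong password:
>
> 2016-05-04T23:48:40+02:00 with username "
downloads.openscience.or.at"
> (spamtrap account)
>
> 2016-05-04T22:47:19+02:00 with username "sp_woq" (spamtrap
account)
>
> 2016-05-04T14:55:11+02:00 with username "info" (spamtrap
account)
>
> 2016-05-03T21:24:22+02:00 with username "fips" (spamtrap
account)
>
> 2016-05-03T20:57:19+02:00 with username "
downloads.openscience.or.at"
> (spamtrap account)
>
> 2016-05-03T10:13:59+02:00 with username "d10hw49WpH" (spamtrap
account)
>
> 2016-05-03T05:34:43+02:00 with username "12345678" (spamtrap
account)
"""

QUOTE_PREFIX = re.compile(r"(?m)^[> ]+")  # leading mail quote markers
BAN_RE = re.compile(r"The IP\s+(?P<ip>\S+)\s+has been banned for\s+(?P<hours>\d+)\s+hours")
SUMMARY_RE = re.compile(
    r"Currently\s+(?P<attempts>\d+)\s+failed/unauthorized\s+logins?\s+attempts\s+via\s+"
    r"(?P<protocols>\S+)\s+with\s+(?P<users>\d+)\s+different\s+usernames")
# One attempt entry; the \s* inside the quotes absorbs the mail wrapping.
ATTEMPT_RE = re.compile(
    r'(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2})'
    r'\s+with username\s+"\s*(?P<user>[^"]*?)\s*"(?:\s*\((?P<note>[^)]*)\))?')

@dataclass
class Attempt:
    when_utc: datetime
    username: str
    note: str

@dataclass
class AbuseNotice:
    banned_ip: Optional[str]
    ban_hours: Optional[int]
    declared_attempts: Optional[int]
    declared_users: Optional[int]
    protocols: List[str]
    attempts: List[Attempt] = field(default_factory=list)

    def distinct_users(self) -> Set[str]:
        return {a.username for a in self.attempts}

    def consistent(self) -> bool:
        """True when the counts the notice claims match the entries it lists."""
        return (self.declared_attempts == len(self.attempts)
                and self.declared_users == len(self.distinct_users()))

def parse_notice(text: str) -> AbuseNotice:
    clean = QUOTE_PREFIX.sub("", text)
    ban, summary = BAN_RE.search(clean), SUMMARY_RE.search(clean)
    notice = AbuseNotice(
        banned_ip=ban.group("ip") if ban else None,
        ban_hours=int(ban.group("hours")) if ban else None,
        declared_attempts=int(summary.group("attempts")) if summary else None,
        declared_users=int(summary.group("users")) if summary else None,
        protocols=summary.group("protocols").split("/") if summary else [])
    for m in ATTEMPT_RE.finditer(clean):
        when = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S%z")  # 3.7+ for "+02:00"
        note = " ".join((m.group("note") or "").split())
        notice.attempts.append(Attempt(when.astimezone(timezone.utc), m.group("user"), note))
    notice.attempts.sort(key=lambda a: a.when_utc)  # oldest first
    return notice

def attempts_since(notice: AbuseNotice, since_iso: str) -> List[Attempt]:
    """Attempts at or after a device event (e.g. the CPE reboot seen on the AP),
    to check whether the abuse only started once the radio came back up."""
    since = datetime.fromisoformat(since_iso)
    if since.tzinfo is None:
        since = since.replace(tzinfo=timezone.utc)
    return [a for a in notice.attempts if a.when_utc >= since]
```
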

Re: [AFMUG] UBNT CPE being used for Abusive actions?

2016-05-05 Thread Chuck Macenski
I hate it when people lump airFiber into these things. I know of no
security holes in airFiber that don't require you to already be logged into
the unit (where you can change the configuration to your heart's
content). AirFiber also supports a very simple-to-configure management VLAN
(I don't know how it could be simpler) to keep in-band management traffic
away from the IP of the unit. If that isn't enough, you can simply disable
in-band management and use the out-of-band management port; no one can then
access the management traffic from the user traffic flows.

Good morning :)

Chuck

On Wed, May 4, 2016 at 11:39 PM, Mathew Howard <mhoward...@gmail.com> wrote:

> 5.6.2, I think, fixed one of the more serious security flaws, and that
> was released less than a year ago... and it looks like 5.6.3 and 5.6.4
> (which was released very recently) also had security fixes. I believe most
> of those vulnerabilities applied to the AC and airFiber firmware as well.
>
> Ubiquiti has been good about releasing fixes quickly when they find
> vulnerabilities, but that doesn't help if nobody bothers to update anything.
>
> On Wed, May 4, 2016 at 9:12 PM, Eric Kuhnke <eric.kuh...@gmail.com> wrote:
>
>> I know about the very old firmware version for M series stuff that is
>> vulnerable to a known worm.
>>
>> But let's assume you do have ubnt devices with public IPs (which is a bad
>> idea). What's the attack surface? http, https, ssh, snmp
>>
>> Provided you have chosen a reasonably complex admin login and password
>> there are no *current, known* remote root exploits for current (or
>> within the past 2 years) ubnt firmware on M or AC devices, right?
>>
>>
>> On Wed, May 4, 2016 at 7:00 PM, Josh Luthman <j...@imaginenetworksllc.com> wrote:
>>
>>> Public IP on Ubnt.  What else do you need to know?
>>>
>>> Josh Luthman
>>> Office: 937-552-2340
>>> Direct: 937-552-2343
>>> 1100 Wayne St
>>> Suite 1337
>>> Troy, OH 45373
>>> On May 4, 2016 9:59 PM, "Eric Kuhnke" <eric.kuh...@gmail.com> wrote:
>>>
>>>> The thread got this far and no one has wondered how the CPE was pwned in
>>>> the first place?
>>>>
>>>> On Wed, May 4, 2016 at 6:55 PM, Mathew Howard <mhoward...@gmail.com>
>>>> wrote:
>>>>
>>>>> Yeah, I looked at setting it up that way at one point, but something
>>>>> didn't look like it was going to work quite the way I wanted it to... but
>>>>> I probably spent all of five minutes on it, so it may very well be possible.
>>>>> The way ePMP does it is really nice though... and simple.
>>>>>
>>>>> On Wed, May 4, 2016 at 8:38 PM, Josh Luthman <j...@imaginenetworksllc.com> wrote:
>>>>>
>>>>>> People do it for sure.  I want to say there was an example on the
>>>>>> forums or some where...
>>>>>>
>>>>>> Josh Luthman
>>>>>> Office: 937-552-2340
>>>>>> Direct: 937-552-2343
>>>>>> 1100 Wayne St
>>>>>> Suite 1337
>>>>>> Troy, OH 45373
>>>>>> On May 4, 2016 9:35 PM, "Mathew Howard" <mhoward...@gmail.com> wrote:
>>>>>>
>>>>>>> I have our ePMPs set up to get their public IP via PPPoE, and the
>>>>>>> radio also gets a completely separate private management IP via DHCP,
>>>>>>> which is the only way you can remotely access the radio, and it doesn't
>>>>>>> even have to be in a separate vlan unless you want it to be... and it's
>>>>>>> one checkbox to configure it.
>>>>>>>
>>>>>>> I'm not sure if that can be duplicated on UBNT or not, since I haven't
>>>>>>> really tried yet, but at the very least it's a lot more complicated to
>>>>>>> configure.

Re: [AFMUG] UBNT CPE being used for Abusive actions?

2016-05-05 Thread That One Guy /sarcasm
Maybe you got the same bug my guy says he got from the other ISP in the
area's open access point that cross platformed lolz. I lolz right now, but
there is always the slim possibility some advanced malware has gotten into
the wild by mistake from the creators and is being exploited by script
kiddies who think the payout on some spambots is lucrative.


Re: [AFMUG] UBNT CPE being used for Abusive actions?

2016-05-04 Thread Mathew Howard
5.6.2, I think, fixed one of the more serious security flaws, and that was
released less than a year ago... and it looks like 5.6.3 and 5.6.4 (which
was released very recently) also had security fixes. I believe most of
those vulnerabilities applied to the AC and airFiber firmware as well.

Ubiquiti has been good about releasing fixes quickly when they find
vulnerabilities, but that doesn't help if nobody bothers to update anything.


Re: [AFMUG] UBNT CPE being used for Abusive actions?

2016-05-04 Thread Brian Meredith
We've gotten a couple of the same notices in the past few days; our CPE is
on RFC 1918 IP addresses with no gateway to the outside world, so I'm going
to assume it's something behind the CPE (either a router or customer
device).

We've had a couple of cases where routers had an exploitable  and rooted
remotely and loaded with software to do stuff like this.

http://routersecurity.org/bugs.php



On Wed, May 4, 2016 at 8:13 PM, Eric Kuhnke <eric.kuh...@gmail.com> wrote:

> If people are sitting on a remote root SSL exploit that's not public, I
> think it'll be used for something far more lucrative than turning ubnt CPEs
> into relays for smtp spam.
>
> But unrelated to ubnt, there *are* some recent openssl security issues
> that have been addressed in the latest updates for centos, debian, ubuntu,
> etc. Time to update.
>
> https://www.openssl.org/news/secadv/20160503.txt
>
> On Wed, May 4, 2016 at 7:53 PM, Josh Reynolds <j...@kyneticwifi.com>
> wrote:
>
>> Could be a yet as unidentified SSL exploit...

Re: [AFMUG] UBNT CPE being used for Abusive actions?

2016-05-04 Thread Eric Kuhnke
If people are sitting on a remote root SSL exploit that's not public, I
think it'll be used for something far more lucrative than turning ubnt CPEs
into relays for smtp spam.

But unrelated to ubnt, there *are* some recent openssl security issues that
have been addressed in the latest updates for centos, debian, ubuntu, etc.
Time to update.

https://www.openssl.org/news/secadv/20160503.txt


Re: [AFMUG] UBNT CPE being used for Abusive actions?

2016-05-04 Thread timothy steele
There is also a Linux worm going around that exploits devices with default
usernames and passwords. The latest firmware for UBNT will force you to
change the password.


Re: [AFMUG] UBNT CPE being used for Abusive actions?

2016-05-04 Thread Eric Kuhnke
I know about the very old firmware version for M series stuff that is
vulnerable to a known worm.

But let's assume you do have ubnt devices with public IPs (which is a bad
idea). What's the attack surface? http, https, ssh, snmp

Provided you have chosen a reasonably complex admin login and password
there are no *current, known* remote root exploits for current (or within
the past 2 years) ubnt firmware on M or AC devices, right?



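The hardening points raised across this thread (Josh Reynolds's management VLAN in RFC1918 space, Eric's http/https/ssh/snmp surface of a radio on a public IP, Mathew's 5.6.x security releases, and the default-credential worm timothy mentions) are straightforward to check against a CPE inventory. The audit below is an added example, not code from the thread or from Ubiquiti; the inventory record format, the names and addresses in SAMPLE_INVENTORY, and the MIN_FIRMWARE baseline are assumptions (the baseline is simply the newest release the thread names as carrying security fixes, not a statement that it is free of flaws).

```python
"""Audit a CPE inventory against the hardening points raised in this thread:
management addresses in RFC1918 space, no management services reachable on a
public address, firmware at or above a chosen baseline, and no default
credentials. Added example, not code from the thread or from Ubiquiti; the
inventory format and the SAMPLE_INVENTORY records are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Management services the thread names as the attack surface of a public-facing radio.
MGMT_SERVICES = {"http": 80, "https": 443, "ssh": 22, "snmp": 161}
# Baseline (assumption): the newest airOS release the thread mentions as carrying security fixes.
MIN_FIRMWARE = (5, 6, 4)

# Constructed sample inventory: names, addresses and versions are made up, and the
# public addresses use documentation ranges.
SAMPLE_INVENTORY = [
    {"name": "cpe-001", "mgmt_ip": "10.20.0.15", "firmware": "XW.v5.6.4",
     "services": ["https", "ssh"], "default_password": False},
    {"name": "cpe-002", "mgmt_ip": "203.0.113.40", "firmware": "XM.v5.5.10",
     "services": ["http", "ssh", "snmp"], "default_password": False},
    {"name": "cpe-003", "mgmt_ip": "192.168.50.7", "firmware": "XW.v5.6.2",
     "services": ["http"], "default_password": True},
    {"name": "cpe-004", "mgmt_ip": "172.31.4.9", "firmware": "v5.6.4",
     "services": ["http", "https"], "default_password": False},
]

@dataclass(frozen=True)
class Finding:
    device: str
    code: str
    detail: str

def parse_version(firmware: Optional[str]) -> Optional[Tuple[int, ...]]:
    """Pull the numeric release out of an airOS-style string such as 'XW.v5.6.4'.
    Returns a tuple so that 5.6.10 compares greater than 5.6.4 (a string compare would not)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", firmware or "")
    return tuple(int(x) for x in m.groups()) if m else None

def is_rfc1918(ip: str) -> bool:
    """True only for 10/8, 172.16/12 and 192.168/16; unparseable input is treated as not private."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)

def audit_device(rec: dict) -> List[Finding]:
    name, ip = rec["name"], rec.get("mgmt_ip", "")
    findings: List[Finding] = []
    if not is_rfc1918(ip):
        findings.append(Finding(name, "MGMT_NOT_RFC1918", f"management address {ip!r} is routable"))
        # Only a routable management address turns these services into internet-facing surface.
        exposed = sorted(set(rec.get("services", [])) & set(MGMT_SERVICES))
        if exposed:
            ports = ", ".join(f"{s}/{MGMT_SERVICES[s]}" for s in exposed)
            findings.append(Finding(name, "MGMT_SERVICES_PUBLIC", f"reachable from the internet: {ports}"))
    ver = parse_version(rec.get("firmware"))
    if ver is None:
        findings.append(Finding(name, "FIRMWARE_UNKNOWN", f"cannot parse {rec.get('firmware')!r}"))
    elif ver < MIN_FIRMWARE:
        have, want = ".".join(map(str, ver)), ".".join(map(str, MIN_FIRMWARE))
        findings.append(Finding(name, "FIRMWARE_OLD", f"{have} is below baseline {want}"))
    if rec.get("default_password"):
        findings.append(Finding(name, "DEFAULT_CREDENTIALS", "factory password still set"))
    return findings

def audit(inventory: List[dict]) -> Dict[str, List[str]]:
    """Map each device name to the list of finding codes raised against it."""
    return {rec["name"]: [f.code for f in audit_device(rec)] for rec in inventory}

if __name__ == "__main__":
    for rec in SAMPLE_INVENTORY:
        for f in audit_device(rec):
            print(f"{f.device}: {f.code}: {f.detail}")
```
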
Re: [AFMUG] UBNT CPE being used for Abusive actions?

2016-05-04 Thread Mathew Howard
The odd thing is, he says port 80 and 22 are blocked at his routers. The
only time I've seen UBNT radios get infected was when I accidentally left
port 80 open on an IP block.

On Wed, May 4, 2016 at 9:00 PM, Josh Luthman <j...@imaginenetworksllc.com>
wrote:

> Public IP on Ubnt.  What else do you need to know?
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373

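Mathew's point (and Josh Reynolds' advice elsewhere in the thread to keep CPE management in RFC1918 space) reduces to one check that can be automated: from a host outside your own network, confirm that nothing in your public CPE blocks answers on the airOS management ports. The script below is an added example, not code from the thread or from Ubiquiti. The port list (22, 80, 443), the sample blocks (203.0.113.0/29 and 10.20.0.0/24) and the `fake_probe` stand-in are constructed for illustration; the scan skips RFC1918 blocks on purpose, because a private management address is not reachable from outside in the first place, which is the whole point of the management-VLAN advice.

```python
"""Check, from the public side, whether any CPE in a block still answers on
its management ports. Added example, not from the thread. The probe is a
plain TCP connect, so run this from a host outside your network; run from
the management VLAN it only proves what you already know."""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, Iterable, List, Tuple

# airOS radios serve the web UI on 80/443 and SSH on 22 by default (assumed).
MGMT_PORTS: Tuple[int, ...] = (22, 80, 443)

# The three RFC1918 blocks. Management addresses inside them are not
# reachable from the Internet, so there is nothing to probe there.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(block: str) -> bool:
    """True if the whole block sits inside one of the RFC1918 ranges."""
    net = ipaddress.ip_network(block, strict=False)
    return net.version == 4 and any(net.subnet_of(r) for r in RFC1918)


def tcp_open(ip: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP handshake completes; the connection is closed at once."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def expand_targets(blocks: Iterable[str]) -> List[str]:
    """Expand CIDR blocks into host addresses, dropping RFC1918 blocks."""
    targets: List[str] = []
    for block in blocks:
        if is_rfc1918(block):
            continue
        net = ipaddress.ip_network(block, strict=False)
        hosts = list(net.hosts()) or list(net)  # /32 and /31 have no host range
        targets.extend(str(h) for h in hosts)
    return targets


def scan(blocks: Iterable[str], ports: Tuple[int, ...] = MGMT_PORTS,
         probe: Callable[[str, int], bool] = tcp_open,
         workers: int = 32) -> Dict[str, List[int]]:
    """Return {ip: [reachable management ports]} for every address that
    answered. `probe` is injectable so the logic runs without a network."""
    pairs = [(ip, port) for ip in expand_targets(blocks) for port in ports]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        verdicts = list(pool.map(lambda ip_port: probe(*ip_port), pairs))
    exposed: Dict[str, List[int]] = {}
    for (ip, port), is_open in zip(pairs, verdicts):
        if is_open:
            exposed.setdefault(ip, []).append(port)
    return exposed


def fake_probe(ip: str, port: int) -> bool:
    """Constructed stand-in for tcp_open: pretends one radio in the block
    still answers on 22 and 80, as a block with a missing filter rule would."""
    return ip == "203.0.113.5" and port in (22, 80)


if __name__ == "__main__":
    # Constructed sample: one public /29 of CPE addresses plus a private
    # management block that gets skipped. Use your real blocks and drop
    # probe=fake_probe to run it live.
    found = scan(["203.0.113.0/29", "10.20.0.0/24"], probe=fake_probe)
    if not found:
        print("no management ports reachable from outside")
    for ip, ports in sorted(found.items()):
        print(f"{ip}: management ports reachable from outside: {ports}")
```

Run it from outside (a VPS, a phone tether), not from the management VLAN; a radio that answers on 80 from inside is expected. Anything it reports is the kind of gap Mathew describes, a public block where the router filter for 80/22 is missing, and that is the radio to look at first.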
Re: [AFMUG] UBNT CPE being used for Abusive actions?

2016-05-04 Thread Josh Luthman
Public IP on Ubnt.  What else do you need to know?

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373
On May 4, 2016 9:59 PM, "Eric Kuhnke" <eric.kuh...@gmail.com> wrote:

> The thread got this far and no one has wondered how the CPE was pwned in
> the first place?
>

Re: [AFMUG] UBNT CPE being used for Abusive actions?

2016-05-04 Thread Josh Luthman
That is true.  They just added some fields for it.

I feel like Ubnt would add a dual WAN in the GUI if demand was there.

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373
On May 4, 2016 9:55 PM, "Mathew Howard" <mhoward...@gmail.com> wrote:

> Yeah, I looked at setting it up that way at one point, but something
> didn't look like it was going to work quite the way I wanted it to... but I
> probably spent all of five minutes on it, so it may very well be possible.
> The way ePMP does it is really nice though... and simple.
>

Re: [AFMUG] UBNT CPE being used for Abusive actions?

2016-05-04 Thread Eric Kuhnke
The thread got this far and no one has wondered how the CPE was pwned in the
first place?

On Wed, May 4, 2016 at 6:55 PM, Mathew Howard <mhoward...@gmail.com> wrote:

> Yeah, I looked at setting it up that way at one point, but something
> didn't look like it was going to work quite the way I wanted it to... but I
> probably spent all of five minutes on it, so it may very well be possible.
> The way ePMP does it is really nice though... and simple.
>

Re: [AFMUG] UBNT CPE being used for Abusive actions?

2016-05-04 Thread Mathew Howard
Yeah, I looked at setting it up that way at one point, but something didn't
look like it was going to work quite the way I wanted it to... but I
probably spent all of five minutes on it, so it may very well be possible.
The way ePMP does it is really nice though... and simple.

On Wed, May 4, 2016 at 8:38 PM, Josh Luthman <j...@imaginenetworksllc.com>
wrote:

> People do it for sure.  I want to say there was an example on the forums
> or somewhere...
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373

Re: [AFMUG] UBNT CPE being used for Abusive actions?

2016-05-04 Thread Josh Luthman
People do it for sure.  I want to say there was an example on the forums or
somewhere...

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373
On May 4, 2016 9:35 PM, "Mathew Howard" <mhoward...@gmail.com> wrote:

> I have our ePMPs set up to get their public IP via PPPoE, and the radio
> also gets a completely separate private management IP via DHCP, which is
> the only way you can remotely access the radio, and it doesn't even have to
> be in a separate vlan unless you want it to be... and it's one checkbox to
> configure it.
>
> I'm not sure if that can be duplicated on UBNT or not, since I haven't
> really tried yet, but at the very least it's a lot more complicated to
> configure.
>

Re: [AFMUG] UBNT CPE being used for Abusive actions?

2016-05-04 Thread Mathew Howard
I have our ePMPs set up to get their public IP via PPPoE, and the radio
also gets a completely separate private management IP via DHCP, which is
the only way you can remotely access the radio, and it doesn't even have to
be in a separate vlan unless you want it to be... and it's one checkbox to
configure it.

I'm not sure if that can be duplicated on UBNT or not, since I haven't
really tried yet, but at the very least it's a lot more complicated to
configure.



On Wed, May 4, 2016 at 7:04 PM, Josh Luthman <j...@imaginenetworksllc.com>
wrote:

> It does...you just need to set it up that way.
>
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
>
> On Wed, May 4, 2016 at 7:54 PM, Mathew Howard <mhoward...@gmail.com>
> wrote:
>
>> I really wish Ubiquiti radios had a separate management vlan option (in
>> router mode), like ePMP does...
>>
>> On Wed, May 4, 2016 at 6:10 PM, Josh Reynolds <j...@kyneticwifi.com>
>> wrote:
>>
>>> I would encourage you to put your CPEs on a management vlan, in RFC1918
>>> space.
>>>
>>> On Wed, May 4, 2016 at 6:00 PM, SmarterBroadband
>>> <li...@smarterbroadband.com> wrote:
>>> > Hi Tushar
>>> >
>>> >
>>> >
>>> > We run all radios in NAT mode.
>>> >
>>> >
>>> >
>>> > Adam
>>> >
>>> >
>>> >
>>> > From: Af [mailto:af-boun...@afmug.com] On Behalf Of Tushar Patel
>>> > Sent: Wednesday, May 04, 2016 3:34 PM
>>> > To: af@afmug.com
>>> > Subject: Re: [AFMUG] UBNT CPE being used for Abusive actions?
>>> >
>>> >
>>> >
>>> > Radios could be put on private ip so nobody from outside world can
>>> access
>>> > it. That is what we do.
>>> >
>>> > Tushar
>>> >
>>> >
>>> >
>>> >
>>> > On May 4, 2016, at 5:22 PM, SmarterBroadband <
>>> li...@smarterbroadband.com>
>>> > wrote:
>>> >
>>> > I have received a number of emails for ab...@light-gap.net saying
>>> certain of
>>> > our IP address are being used for attacks (see email text below).
>>> >
>>> >
>>> >
>>> > All IP addresses are in UBNT radios.  We are unable to remote access
>>> any of
>>> > these radios now.  We see that the radio we are unable to access
>>> > rebooted a couple of days ago.  A number of other radios show they
>>> rebooted
>>> > around the same time (in sequence) on the AP.  We are unable to remote
>>> > access any of those either. Other radios with longer uptime on the
>>> APs are
>>> > fine.
>>> >
>>> >
>>> >
>>> > We have a tech en route to one of the customer sites.
>>> >
>>> >
>>> >
>>> > We think the radios are being made into bots.  Anyone seen this or
>>> anything
>>> > like this?  Do the hackers need a username and password to hack a
>>> radio?
>>> > I.E.  Would a change of the password stop the changes being made to the
>>> > radios?  Any other thoughts, suggestions or ideas?
>>> >
>>> >
>>> >
>>> > Thanks
>>> >
>>> >
>>> >
>>> > Adam
>>> >
>>> >
>>> >
>>> > Email Text below:
>>> >
>>> >
>>> >
>>> > “This is a semi-automated e-mail from the LG-Mailproxy authentication
>>> > system, all requests have been approved manually by the
>>> > system-administrators or are obviously unwanted (eg. requests to our
>>> > spamtraps).
>>> >
>>> > For further questions or if additional information is needed please
>>> reply to
>>> > this email.
>>> >
>>> >
>>> >
>>> > The IP xxx.xxx.xxx.xxx has been banned for 48 hours due to suspicious
>>> > behaviour on our system.
>>> >
>>> > This happened already 1 times.
>>> >
>>> > It might be part of a botnet, infected by a trojan/virus or running
>>> > brute-force attacks.
>>> >
>>> >
>>> >
>>> > Our affected destination servers: smtp.light-gap.net,
>>> imap.light-gap.net
>>> >
>>> >
>>> >
>>> > Currently 7 failed/unauthorized login attempts via SMTP/IMAP with 6
>>> > different usernames and wrong password:
>>> >
>>> > 2016-05-04T23:48:40+02:00 with username "downloads.openscience.or.at"
>>> > (spamtrap account)
>>> >
>>> > 2016-05-04T22:47:19+02:00 with username "sp_woq" (spamtrap account)
>>> >
>>> > 2016-05-04T14:55:11+02:00 with username "info" (spamtrap account)
>>> >
>>> > 2016-05-03T21:24:22+02:00 with username "fips" (spamtrap account)
>>> >
>>> > 2016-05-03T20:57:19+02:00 with username "downloads.openscience.or.at"
>>> > (spamtrap account)
>>> >
>>> > 2016-05-03T10:13:59+02:00 with username "d10hw49WpH" (spamtrap account)
>>> >
>>> > 2016-05-03T05:34:43+02:00 with username "12345678" (spamtrap account)
>>> > Ongoing failed/unauthorized login attempts will be logged and sent to
>>> you
>>> > every 24h until the IP will be permanently banned from our systems
>>> after 72
>>> > hours.
>>> >
>>> >
>>> >
>>> > The Light-Gap.net Abuse Team.”
>>> >
>>> >
>>>
>>
>>
>

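The abuse report quoted above (the LG-Mailproxy text) is machine-generated, so it can be parsed rather than read by eye: when the attempts happened in UTC, how many distinct usernames were tried, whether every one of them hit a spamtrap, and how many of the attempts fall after the reboot Adam saw on the AP. The following is an added example, not part of the thread; the report text is copied from the quoted message with the e-mail line wrapping normalised, the regexes are written against that text only, and the reboot time passed in at the end is a constructed stand-in for the value you would read off the AP's station list.

```python
"""Parse the LG-Mailproxy abuse report quoted in the thread and pull out what
a WISP needs for triage. Added example, not from the thread. Timestamps are
normalised to UTC so they line up with device logs and AP uptimes."""
import re
from datetime import datetime, timezone
from typing import List, NamedTuple, Optional, Tuple, Union

# Copied from the abuse report quoted in the thread (IP masked there already),
# with the e-mail's line wrapping kept so the parser has to cope with it.
SAMPLE_REPORT = """\
Our affected destination servers: smtp.light-gap.net, imap.light-gap.net
Currently 7 failed/unauthorized logins attempts via SMTP/IMAP with 6
different usernames and wrong password:
2016-05-04T23:48:40+02:00 with username "downloads.openscience.or.at"
(spamtrap account)
2016-05-04T22:47:19+02:00 with username "sp_woq" (spamtrap account)
2016-05-04T14:55:11+02:00 with username "info" (spamtrap account)
2016-05-03T21:24:22+02:00 with username "fips" (spamtrap account)
2016-05-03T20:57:19+02:00 with username "downloads.openscience.or.at"
(spamtrap account)
2016-05-03T10:13:59+02:00 with username "d10hw49WpH" (spamtrap account)
2016-05-03T05:34:43+02:00 with username "12345678" (spamtrap account)
"""

ATTEMPT_RE = re.compile(
    r'(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2})'  # ISO-8601 + offset
    r'\s+with username "([^"]*)"'                            # quoted username
    r'(\s*\(spamtrap account\))?'                            # may wrap to next line
)
HEADER_RE = re.compile(
    r'Currently (\d+) failed/unauthorized logins? attempts .*? with (\d+)'
    r'\s+different usernames',
    re.DOTALL,
)


class Attempt(NamedTuple):
    ts_utc: datetime
    username: str
    spamtrap: bool


def parse_report(text: str) -> List[Attempt]:
    """Extract every logged attempt, converted from the reporter's +02:00
    local time to UTC."""
    attempts = []
    for ts, user, trap in ATTEMPT_RE.findall(text):
        when = datetime.fromisoformat(ts).astimezone(timezone.utc)
        attempts.append(Attempt(when, user, bool(trap)))
    return attempts


def header_counts(text: str) -> Optional[Tuple[int, int]]:
    """Counts the reporter claims (attempts, distinct usernames); comparing
    them with the parsed list catches a parse that missed wrapped lines."""
    m = HEADER_RE.search(text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def summarize(attempts: List[Attempt]) -> dict:
    """Counts and the UTC window the attempts span."""
    return {
        "attempts": len(attempts),
        "distinct_usernames": len({a.username for a in attempts}),
        "spamtrap_hits": sum(a.spamtrap for a in attempts),
        "first_utc": min(a.ts_utc for a in attempts).isoformat(),
        "last_utc": max(a.ts_utc for a in attempts).isoformat(),
    }


def attempts_since(attempts: List[Attempt],
                   since: Union[datetime, str]) -> List[Attempt]:
    """Attempts at or after a reference time (datetime or ISO-8601 string),
    e.g. the radio's last reboot as read off the AP's station list."""
    if isinstance(since, str):
        since = datetime.fromisoformat(since)
    since = since.astimezone(timezone.utc)
    return [a for a in attempts if a.ts_utc >= since]


if __name__ == "__main__":
    attempts = parse_report(SAMPLE_REPORT)
    summary = summarize(attempts)
    claimed = header_counts(SAMPLE_REPORT)
    if claimed and claimed != (summary["attempts"], summary["distinct_usernames"]):
        print(f"WARNING: parsed {summary} but the report claims {claimed}")
    print(summary)
    # Constructed reboot time; take the real one from the AP's station list.
    reboot = "2016-05-03T02:00:00+00:00"
    print(f"{len(attempts_since(attempts, reboot))} attempts after reboot at {reboot}")
```

Two things the summary makes visible that the raw e-mail does not: every username tried was a spamtrap account, so the radio is being driven as a generic credential-guessing node rather than targeting anyone in particular, and the UTC window tells you whether the attempts started after the unexplained reboot Adam describes, which is the correlation to establish before deciding which radios to pull.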

Re: [AFMUG] UBNT CPE being used for Abusive actions?

2016-05-04 Thread Josh Luthman
It does...you just need to set it up that way.


Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Wed, May 4, 2016 at 7:54 PM, Mathew Howard <mhoward...@gmail.com> wrote:

> I really wish Ubiquiti radios had a separate management vlan option (in
> router mode), like ePMP does...
>


Re: [AFMUG] UBNT CPE being used for Abusive actions?

2016-05-04 Thread Mathew Howard
I really wish Ubiquiti radios had a separate management vlan option (in
router mode), like ePMP does...

On Wed, May 4, 2016 at 6:10 PM, Josh Reynolds <j...@kyneticwifi.com> wrote:

> I would encourage you to put your CPEs on a management vlan, in RFC1918
> space.
>


Re: [AFMUG] UBNT CPE being used for Abusive actions?

2016-05-04 Thread Josh Reynolds
I would encourage you to put your CPEs on a management vlan, in RFC1918 space.

On Wed, May 4, 2016 at 6:00 PM, SmarterBroadband
<li...@smarterbroadband.com> wrote:
> Hi Tushar
>
> We run all radios in NAT mode.
>
> Adam
>
> From: Af [mailto:af-boun...@afmug.com] On Behalf Of Tushar Patel
> Sent: Wednesday, May 04, 2016 3:34 PM
> To: af@afmug.com
> Subject: Re: [AFMUG] UBNT CPE being used for Abusive actions?
>
> Radios could be put on private ip so nobody from outside world can access
> it. That is what we do.
>
> Tushar
>
> On May 4, 2016, at 5:22 PM, SmarterBroadband <li...@smarterbroadband.com>
> wrote:
>
> I have received a number of emails for ab...@light-gap.net saying certain of
> our IP addresses are being used for attacks (see email text below).
>
> All IP addresses are in UBNT radios.  We are unable to remote access any of
> these radios now.  We see that the radio we are unable to access
> rebooted a couple of days ago.  A number of other radios show they rebooted
> around the same time (in sequence) on the AP.  We are unable to remote
> access any of those either. Other radios with longer uptime on the APs are
> fine.
>
> We have a tech en route to one of the customer sites.
>
> We think the radios are being made into bots.  Anyone seen this or anything
> like this?  Do the hackers need a username and password to hack a radio?
> I.E.  Would a change of the password stop the changes being made to the
> radios?  Any other thoughts, suggestions or ideas?
>
> Thanks
>
> Adam
>
> Email Text below:
>
> “This is a semi-automated e-mail from the LG-Mailproxy authentication
> system, all requests have been approved manually by the
> system-administrators or are obviously unwanted (eg. requests to our
> spamtraps).
>
> For further questions or if additional information is needed please reply to
> this email.
>
> The IP xxx.xxx.xxx.xxx has been banned for 48 hours due to suspicious
> behaviour on our system.
>
> This happened already 1 times.
>
> It might be part of a botnet, infected by a trojan/virus or running
> brute-force attacks.
>
> Our affected destination servers: smtp.light-gap.net, imap.light-gap.net
>
> Currently 7 failed/unauthorized login attempts via SMTP/IMAP with 6
> different usernames and wrong password:
>
> 2016-05-04T23:48:40+02:00 with username "downloads.openscience.or.at"
> (spamtrap account)
> 2016-05-04T22:47:19+02:00 with username "sp_woq" (spamtrap account)
> 2016-05-04T14:55:11+02:00 with username "info" (spamtrap account)
> 2016-05-03T21:24:22+02:00 with username "fips" (spamtrap account)
> 2016-05-03T20:57:19+02:00 with username "downloads.openscience.or.at"
> (spamtrap account)
> 2016-05-03T10:13:59+02:00 with username "d10hw49WpH" (spamtrap account)
> 2016-05-03T05:34:43+02:00 with username "12345678" (spamtrap account)
>
> Ongoing failed/unauthorized login attempts will be logged and sent to you
> every 24h until the IP will be permanently banned from our systems after 72
> hours.
>
> The Light-Gap.net Abuse Team.”
>


Re: [AFMUG] UBNT CPE being used for Abusive actions?

2016-05-04 Thread SmarterBroadband
Hi Tushar

We run all radios in NAT mode.

Adam

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Tushar Patel
Sent: Wednesday, May 04, 2016 3:34 PM
To: af@afmug.com
Subject: Re: [AFMUG] UBNT CPE being used for Abusive actions?

Radios could be put on private ip so nobody from outside world can access it.
That is what we do.

Tushar

On May 4, 2016, at 5:22 PM, SmarterBroadband <li...@smarterbroadband.com> wrote:

I have received a number of emails for ab...@light-gap.net saying certain of
our IP addresses are being used for attacks (see email text below).

All IP addresses are in UBNT radios.  We are unable to remote access any of
these radios now.  We see that the radio we are unable to access rebooted a
couple of days ago.  A number of other radios show they rebooted around the
same time (in sequence) on the AP.  We are unable to remote access any of those
either. Other radios with longer uptime on the APs are fine.

We have a tech en route to one of the customer sites.

We think the radios are being made into bots.  Anyone seen this or anything
like this?  Do the hackers need a username and password to hack a radio?  I.E.
Would a change of the password stop the changes being made to the radios?  Any
other thoughts, suggestions or ideas?

Thanks

Adam

Email Text below:

“This is a semi-automated e-mail from the LG-Mailproxy authentication system,
all requests have been approved manually by the system-administrators or are
obviously unwanted (eg. requests to our spamtraps).

For further questions or if additional information is needed please reply to
this email.

The IP xxx.xxx.xxx.xxx has been banned for 48 hours due to suspicious behaviour
on our system.

This happened already 1 times.

It might be part of a botnet, infected by a trojan/virus or running
brute-force attacks.

Our affected destination servers: smtp.light-gap.net, imap.light-gap.net

Currently 7 failed/unauthorized login attempts via SMTP/IMAP with 6 different
usernames and wrong password:

2016-05-04T23:48:40+02:00 with username "downloads.openscience.or.at" (spamtrap
account)
2016-05-04T22:47:19+02:00 with username "sp_woq" (spamtrap account)
2016-05-04T14:55:11+02:00 with username "info" (spamtrap account)
2016-05-03T21:24:22+02:00 with username "fips" (spamtrap account)
2016-05-03T20:57:19+02:00 with username "downloads.openscience.or.at" (spamtrap
account)
2016-05-03T10:13:59+02:00 with username "d10hw49WpH" (spamtrap account)
2016-05-03T05:34:43+02:00 with username "12345678" (spamtrap account)

Ongoing failed/unauthorized login attempts will be logged and sent to you every
24h until the IP will be permanently banned from our systems after 72 hours.

The Light-Gap.net Abuse Team.”




Re: [AFMUG] UBNT CPE being used for Abusive actions?

2016-05-04 Thread Tushar Patel
Radios could be put on private ip so nobody from outside world can access it. 
That is what we do.

Tushar


> On May 4, 2016, at 5:22 PM, SmarterBroadband
> wrote:
>
> I have received a number of emails for ab...@light-gap.net saying certain of
> our IP addresses are being used for attacks (see email text below).
>
> All IP addresses are in UBNT radios.  We are unable to remote access any of
> these radios now.  We see that the radio we are unable to access rebooted
> a couple of days ago.  A number of other radios show they rebooted around the
> same time (in sequence) on the AP.  We are unable to remote access any of
> those either. Other radios with longer uptime on the APs are fine.
>
> We have a tech en route to one of the customer sites.
>
> We think the radios are being made into bots.  Anyone seen this or anything
> like this?  Do the hackers need a username and password to hack a radio?
> I.E.  Would a change of the password stop the changes being made to the
> radios?  Any other thoughts, suggestions or ideas?
>
> Thanks
>
> Adam
>
> Email Text below:
>
> “This is a semi-automated e-mail from the LG-Mailproxy authentication system,
> all requests have been approved manually by the system-administrators or are
> obviously unwanted (eg. requests to our spamtraps).
>
> For further questions or if additional information is needed please reply to
> this email.
>
> The IP xxx.xxx.xxx.xxx has been banned for 48 hours due to suspicious
> behaviour on our system.
>
> This happened already 1 times.
>
> It might be part of a botnet, infected by a trojan/virus or running
> brute-force attacks.
>
> Our affected destination servers: smtp.light-gap.net, imap.light-gap.net
>
> Currently 7 failed/unauthorized login attempts via SMTP/IMAP with 6
> different usernames and wrong password:
>
> 2016-05-04T23:48:40+02:00 with username "downloads.openscience.or.at"
> (spamtrap account)
> 2016-05-04T22:47:19+02:00 with username "sp_woq" (spamtrap account)
> 2016-05-04T14:55:11+02:00 with username "info" (spamtrap account)
> 2016-05-03T21:24:22+02:00 with username "fips" (spamtrap account)
> 2016-05-03T20:57:19+02:00 with username "downloads.openscience.or.at"
> (spamtrap account)
> 2016-05-03T10:13:59+02:00 with username "d10hw49WpH" (spamtrap account)
> 2016-05-03T05:34:43+02:00 with username "12345678" (spamtrap account)
>
> Ongoing failed/unauthorized login attempts will be logged and sent to you
> every 24h until the IP will be permanently banned from our systems after 72
> hours.
>
> The Light-Gap.net Abuse Team.”
>
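Josh's suggestion (CPEs on a management VLAN in RFC1918 space) and Tushar's (radios on private IP) reduce to one policy check that can be automated against a device inventory. The following Python audit is an added example, not code from this thread, from Ubiquiti, or from any of the posters: it flags every CPE whose management address is publicly routable, or private but outside the designated management subnet, and it reports unparseable addresses instead of silently skipping them. The inventory, device names, addresses and the `10.20.0.0/16` management subnet are constructed for the example; `203.0.113.0/24` documentation space stands in for a public address.

```python
import ipaddress

# RFC 1918 ranges spelled out explicitly. ipaddress's is_private() also
# matches loopback, link-local and benchmarking space, which is not what
# "put the radio on a private IP" means in this thread.
RFC1918_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed inventory for the example; names and addresses are hypothetical.
# 203.0.113.44 is documentation space standing in for a publicly routable
# management address.
SAMPLE_INVENTORY = [
    {"name": "cpe-alpha", "mgmt_ip": "10.20.5.17"},
    {"name": "cpe-bravo", "mgmt_ip": "203.0.113.44"},
    {"name": "cpe-charlie", "mgmt_ip": "192.168.50.3"},
    {"name": "cpe-delta", "mgmt_ip": "not-an-ip"},
]


def is_rfc1918(addr: str) -> bool:
    """True if addr parses as an IP address inside one of the RFC 1918 ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    # An IPv6 address is never "in" an IPv4 network, so this is False for v6.
    return any(ip in net for net in RFC1918_NETWORKS)


def audit_management_addresses(inventory, mgmt_vlan_subnet=None):
    """Return a list of (name, address, reason) for every device that breaks
    the policy: the management address must be RFC 1918 and, when a
    management VLAN subnet is given (as a string or ip_network), must sit
    inside that subnet. Devices that pass produce no entry."""
    if isinstance(mgmt_vlan_subnet, str):
        mgmt_vlan_subnet = ipaddress.ip_network(mgmt_vlan_subnet)
    findings = []
    for dev in inventory:
        raw = dev["mgmt_ip"]
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            # Report bad inventory data rather than skipping the device.
            findings.append((dev["name"], raw, "unparseable management address"))
            continue
        if not any(ip in net for net in RFC1918_NETWORKS):
            findings.append((dev["name"], str(ip), "publicly routable management address"))
        elif mgmt_vlan_subnet is not None and ip not in mgmt_vlan_subnet:
            findings.append((dev["name"], str(ip),
                             "private address outside the management VLAN subnet"))
    return findings


if __name__ == "__main__":
    # Hypothetical management VLAN subnet for the example.
    for name, addr, reason in audit_management_addresses(SAMPLE_INVENTORY, "10.20.0.0/16"):
        print(f"{name:12} {addr:16} {reason}")
```

Run against a real inventory export, the findings list is the set of radios that are still reachable from the outside world and should be moved before the next abuse report arrives; an empty list is the state the two posters describe.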


[AFMUG] UBNT CPE being used for Abusive actions?

2016-05-04 Thread SmarterBroadband
I have received a number of emails for ab...@light-gap.net saying certain of
our IP addresses are being used for attacks (see email text below).

All IP addresses are in UBNT radios.  We are unable to remote access any of
these radios now.  We see that the radio we are unable to access rebooted a
couple of days ago.  A number of other radios show they rebooted around the
same time (in sequence) on the AP.  We are unable to remote access any of those
either. Other radios with longer uptime on the APs are fine.

We have a tech en route to one of the customer sites.

We think the radios are being made into bots.  Anyone seen this or anything
like this?  Do the hackers need a username and password to hack a radio?  I.E.
Would a change of the password stop the changes being made to the radios?  Any
other thoughts, suggestions or ideas?

Thanks

Adam

Email Text below:

“This is a semi-automated e-mail from the LG-Mailproxy authentication system,
all requests have been approved manually by the system-administrators or are
obviously unwanted (eg. requests to our spamtraps).

For further questions or if additional information is needed please reply to
this email.

The IP xxx.xxx.xxx.xxx has been banned for 48 hours due to suspicious behaviour
on our system.

This happened already 1 times.

It might be part of a botnet, infected by a trojan/virus or running
brute-force attacks.

Our affected destination servers: smtp.light-gap.net, imap.light-gap.net

Currently 7 failed/unauthorized login attempts via SMTP/IMAP with 6 different
usernames and wrong password:

2016-05-04T23:48:40+02:00 with username "downloads.openscience.or.at" (spamtrap
account)
2016-05-04T22:47:19+02:00 with username "sp_woq" (spamtrap account)
2016-05-04T14:55:11+02:00 with username "info" (spamtrap account)
2016-05-03T21:24:22+02:00 with username "fips" (spamtrap account)
2016-05-03T20:57:19+02:00 with username "downloads.openscience.or.at" (spamtrap
account)
2016-05-03T10:13:59+02:00 with username "d10hw49WpH" (spamtrap account)
2016-05-03T05:34:43+02:00 with username "12345678" (spamtrap account)

Ongoing failed/unauthorized login attempts will be logged and sent to you every
24h until the IP will be permanently banned from our systems after 72 hours.

The Light-Gap.net Abuse Team.”