[SGVLUG] ATT's 2wire products are braindead

Thu Aug 1 19:53:52 PDT 2013

Thanks all for the numerous thoughtful replies, both on and off list.

> the URL to use to get to the management and diagnostic console on my
2wire box
Per my earlier post with all the details (which I now see never made it
through to the list) I am running the new uVerse 3801HGV router.  This
router does not have the /mdc menu.  AT&T third level tech support and the
manufacturer both confirmed that they no longer support extended features
in AT&T specific routers.

> Any chance AT&T blocks incoming port 22
Scott, good ideas there.  I can confirm that AT&T is not blocking the SSH
port as my router's firewall log is showing the incoming packets and
admitting to dropping them.  See the log excerpt at the bottom of the
initial email in this chain:
INF 2013-07-26T20:15:42-07:00 fw src=162.200.153.165 dst=172.28.1.2
ipprot=6 sport=40058 dport=22 Session Matches User Pinhole, Packet Passed
INF 2013-07-26T20:15:42-07:00 fw src=162.200.153.165 dst=172.28.1.2
ipprot=6 sport=40058 dport=22 Drop traffic to 172.16.0.0/12
This shows that the packets are getting through to the 3801, that it is
recognizing that I have defined a pinhole rule to pass port 22 traffic on
to 172.28.1.2 and that it is dropping all traffic to the entire 172.16/12
subnet from the second packet on.

> it's not clear from your original email if you trying to ssh inbound to
your house or outbound
Claude, yes I am trying to get inbound SSH traffic to pass through the
router to my SSH host.

>What has changed since you were last able to use ssh?
My current DSL modem (a 2wire 2701HG) died.  AT&T would not support fixing
it, my only options were to purchase a new DSL router from a third party or
take advantage of a fabulous and unique opportunity to switch over to
uVerse for a $26/month discount.  It turned out that tripling my bandwidth
reduced my Internet monthly bill by $5/mo the second year and $30/mo the
first so I decided (against all previous experience) to give it another go.

> Setting up OpenWRT or DD-WRT or some such and bridging it to the 2Wire
will give you MUCH nicer firewalling options.
Yeah, I am running a large Cisco router behind the AT&T DSL.  It fronts 52
ports of gigE, 8 ports of VOIP and lots of other features.  Unfortunately I
don't have a Cisco account for $n,000 per year so I can't download the
firmware that includes firewall functionality.  I am stuck using the 2wire
for my firewall, not at all the best solution.  I also have 2 great FireBox
firewalls, but they again require a $n00/mo firewall update service to make
functional...
http://www.watchguard.com/products/?gclid=CPmQzMba3bgCFWXZQgod-XIAjQ

If anyone has experience with the fireboxes and wants to help me get one
working in trade for the second one please feel free to drop me a line.

> Also, ssh -vv is often helpful.
Thanks Rae.  Unfortunately I am using ConnectBot from my tablet to test the
connection, I don't know how to offer it flags.  I don't see anything in
connection or application settings here.  I tried to use my (again
braindead) ISP to bounce SSH but they don't support outgoing SSH
connections. (Doh!)

I set up my laptop to VPN from my home network into work, then transferred
to another server up in the bay area, bounced through an east coast data
center then back to my home using the -v flag in SSH.  It just confirmed
that ddns is working and that nothing is getting past the firewall.

So no luck so far...  :(

Matt

On Thu, Aug 1, 2013 at 10:30 AM, Christopher Smith <cbsmith at gmail.com>wrote:

> FYI, most 2Wire products have a feature of bridging to another router.
> Setting up OpenWRT or DD-WRT or some such and bridging it to the 2Wire will
> give you MUCH nicer firewalling options.
>
> I didn't see mention of which model of 2Wire router you have. That would
> make it much easier to help you out.
>
>
> On Wed, Jul 31, 2013 at 3:53 PM, Claude Felizardo <cafelizardo at gmail.com>wrote:
>
>> Okay, it took me a while to figure out how to access my DSL modem at home
>> remotely - I have an entry in my .ssh/config to forward port 9001 to the
>> router, but I couldn't remembered the URL to use to get to the management
>> and diagnostic console on my 2wire box  (It was localhost:9001/mdc which
>> was in my bookmarks of course!)
>>
>> Anyway, I'm not seeing my port 22 attempts to log in so it's still
>> blocked presumably by the modem.  With my old netgear RT311 router I used
>> to log everything but lost that ability when I "upgraded" to a 2wire DSL
>> modem/router from my original Alcatel modem.
>>
>> Hmm, looks like I'm seeing some syn/fin ddos attacks I'll have to
>> investigate.  But I see the ipprot=6 that was mentioned in the original
>> post but I believe that means IP protocol 6 which is TCP, not to be
>> confused with IPv6.  ipprot=1 is used by ping and traceroute, ipprot=17 is
>> UDP.
>>
>> I was going to try and add port 22 for a short test but I don't remember
>> how to edit the "applications"?  I can see that I have defined custom
>> services for my port knocking ports, weather station and others, how to
>> create new ones but dont see an option to edit.
>>
>> Claude
>>
>>
>>
>> On Wed, Jul 31, 2013 at 12:59 PM, Claude Felizardo <cafelizardo at gmail.com
>> > wrote:
>>
>>> Matt, it's not clear from your original email if you trying to ssh
>>> inbound to your house or outbound.
>>> What has changed since you were last able to use ssh?  Server at home?
>>>  Different ISP or switched to Uverse from something else like DSL or cable?
>>>
>>> I long ago decided to block port 22 and use a non standard port that
>>> will only work from specific hosts/domains using a combination of shorewall
>>> and /etc/hosts.allow.  I also use port knocking if I want to connect from
>>> unexpected sites.  Never got around to setting up automatic blacklists for
>>> DDoS attacks as I haven't had any problems (knock on wood).
>>>
>>> Claude
>>>
>>>
>>> On Wed, Jul 31, 2013 at 12:40 PM, Scott Packard <spackard at gmail.com>wrote:
>>>
>>>> Any chance AT&T blocks incoming port 22, but would allow it if you
>>>> phoned and asked for it to be enabled?
>>>>
>>>> Back when I used their DSL, they allowed, then without notice blocked,
>>>> inbound port 25.  Later, they said I could have phoned them and asked for
>>>> it to be unblocked, but by then I'd had enough.
>>>>
>>>> Regards, Scott
>>>>
>>>>
>>>> On Wed, Jul 31, 2013 at 12:09 PM, Matthew Campbell <dvdmatt at gmail.com>wrote:
>>>>
>>>>> Thanks Dan.  Unfortunately AT&Ts new modems have had all useful
>>>>> features castrated.  I spent hours looking, talking to techs and eventually
>>>>> to the manufacturer to verify that menu no longer exists.
>>>>>
>>>>> Rae, thank you for the ideas, I'll give it a shot tonight.  I am using
>>>>> SSH from an IPv4 only platform, but with current security paranoia I don't
>>>>> think I can verify that AT&T is not routing me over IPv6 on the way.  I
>>>>> don't know of a way to hook up a laptop outside the firewall to test.
>>>>>
>>>>> Does anyone know if uVerse is IPv6 only?
>>>>>
>>>>> Matt
>>>>>  On Jul 29, 2013 7:10 PM, "Dan Buthusiem" <dan.buthusiem at gmail.com>
>>>>> wrote:
>>>>>
>>>>>> What are the model and firmware for your router? There used to be a
>>>>>> hidden menu in the 2701 HG-B, but the firmware still ignored those
>>>>>> settings, anyway. My experience with 2Wire is that they make their products
>>>>>> with AT&T's desires in mind, which comes at the expense of anyone with any
>>>>>> amount of technical know-how who may be stuck using their products. YMMV.
>>>>>> That being said, I'll take a stab anyway. :)
>>>>>>
>>>>>>
>>>>>> On Mon, Jul 29, 2013 at 5:36 PM, Rae Yip <rae.yip at gmail.com> wrote:
>>>>>>
>>>>>>> Double-check that your ssh client isn't attempting to use IPv6 or
>>>>>>> something. (Note the ipprot=6 in your logs)
>>>>>>>
>>>>>>> Also, ssh -vv is often helpful.
>>>>>>>
>>>>>>> -Rae.
>>>>>>> On Jul 29, 2013 4:48 PM, "Lakestake Rocketry" <lakestake at gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Good afternoon,
>>>>>>>>
>>>>>>>> I am trying to get SSH through my firewall at home.  I have set up
>>>>>>>> a port redirect to senge, but I get a timeout when I connect to the port
>>>>>>>> with ssh.  The following messages appear in the firewall log.  It looks
>>>>>>>> like the first packet is being passed through, then following packets are
>>>>>>>> being blocked...  Any ideas?  All Google gives me is a long list of people
>>>>>>>> with similar problems.
>>>>>>>>
>>>>>>>> Matthew Campbell
>>>>>>>>
>>>>>>>>
>>>>>>>> ---------- Forwarded message ----------
>>>>>>>> INF 2013-07-26T20:15:42-07:00 fw src=162.200.153.165
>>>>>>>> dst=172.28.1.2 ipprot=6 sport=40058 dport=22 Session Matches User Pinhole,
>>>>>>>> Packet Passed  INF 2013-07-26T20:15:42-07:00 fw src=162.200.153.165
>>>>>>>> dst=172.28.1.2 ipprot=6 sport=40058 dport=22 Drop traffic to
>>>>>>>> 172.16.0.0/12
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>
>>>>
>>>
>>
>
>
> --
> Chris
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://sgvlug.net/pipermail/sgvlug/attachments/20130801/0f989754/attachment.html>