cancel
Showing results for 
Search instead for 
Did you mean: 

Hub One router and services that it is not capable of

UK_TK
Hooked
Posts: 5
Thanks: 1
Registered: ‎25-08-2019

Hub One router and services that it is not capable of

Having just accepted a latest offer for FTTC to upgrade my old plusnet ADSL2+ unlimited that last month dropped out of contract  I have received a Hub One modem/router and experimentally connected it to the existing ADSL2+ enabled line and it eventually synced and configured itself for my old service which is good... but annoyingly it is so locked down by PlusNet/BT that it cannot perform several of the operations I got used to being able to enjoy on the older Technicolor TG582n ADSL2+ modem/router. e,g it has Telnet shell access that let me configure many features for example setting the routers primary and secondary default DNS server IP address to those of MY choice and that allowed the plusnet ones to be added automatically as tertiary and lower priority servers that only get called into service if primary and secondary servers cannot find a domain name... but this HubOne has been neutered so much that we cannot login via telnet or ssh. I have noted that under nmap from a LAN based IP address that port 22 for SSH returns as filtered rather than stealth or open implying there is a SSH service running but it has been filtered by some policy but SSH under windows 10 does act like it is trying to connect on port 22 but eventually times out and fails. trying to SSH to any other port like telnet or ftp ports that do not appear in the nmap scan results in an immediate connection refused response so there very probably is an SSH server running if only someone with access to the firmware source can let us know if there are any unlinked to URLs in the admin server we can use to unfilter the SSH server on the HubOne then maybe we could reconfigure it properly like we could with the older Technicolor router. In the mean time there is a possible workaround for some HubOne inadequacies, reconfigure the old Technicolor router so it lives on a different IP number than the HubOne (by default the both reside on 192.168.1.254 but it is possible to reconfigure the Technicolor to reside on say 192.168.1.252 and leaving the aux UPNP aux devices server on 192.168.1.253, disable the DHCP server on the Technicolor and place the Technicolour on the HubOnes LAN and use that to serve USB printers and let the crippled HubOne USB port to use for dumb file server if necessary... or use it as a phone charger... I would like to know if there is any hidden URL to enable the Syslog client on the device to send out the logs to a syslog server on the LAN... It is so disappointing how these more modern devices are so severely crippled especially when this HubOne is also the product sent out to business FTTC customers too yet it lacks any necessary enterprise functions like proper syslog and SNMP support and SSH access. Cannot use he USB port for anything either! Also cannot host my own web server on my static ip as I am not allowed to forward the standard http or https ports to an internal machines private IP number... do I have to enable DMZ on the server IP number and hope for the best Microsoft don't have any big zero day vulnerability lurking for the NSA to gain illegal access and criminals to find?

10 REPLIES 10
UK_TK
Hooked
Posts: 5
Thanks: 1
Registered: ‎25-08-2019

how do I stealth Hub One router?

I have found that due to some really silly configuration the TR-069 remote login for pushing remote firmware updates and other unsolicited remote admin we are not told about the non-standard http protocol login is accessible to the entire internet and not just some limited plusnet owned IP range. Means the hub one routers are vulnerable to detection by malicious 3rd parties as well as unlimited brute force attempts to gain remote admin via the TR-069 interface as well as likely susceptibility to Denial of Service due to resource depletion if multiple instances of login attempts are forced from a single or from multiple malicious IP numbers. It is currently impossible for the local admin to add any restriction on what network can connect to this public port and we cannot close the public port by any means open to us e.g. forwarding the port to a non-existent server. I would much prefer manual firmware updating or in admin settings than this unwanted public exposure to the rest of the internet! An attacker can find all plusnet hub one users in one fell swoop scanning the plusnet owned ip ranges for tcpip port 4567 and fuzz that server until it either crashes the router or gains admin access to it and potentially takes ownership of the high speed broad band connection for criminal purposes. There is a potential to be able to mitigate this vulnerability by adding the ability to choose custom inbound ports to block using the plusnets extra software firewall which could allow us to run our own secure servers we administer and block the unprotected tcp port 4567 server from any malicious or inquisitive hacker out there!

dvorak
Moderator
Moderator
Posts: 29,473
Thanks: 6,623
Fixes: 1,482
Registered: ‎11-01-2008

Re: Hub One router and services that it is not capable of

Why not just replace it with another router of your choosing? The Hub one is a mass market plug and play suitable for most users, treat it as such Smiley

I don't think there is an ssh server running as I've successfully forward both port 22 and 80 to machines on the LAN with a Hub One.
Customer / Moderator
If it helped click the thumb
If it fixed it click 'This fixed my problem'
dvorak
Moderator
Moderator
Posts: 29,473
Thanks: 6,623
Fixes: 1,482
Registered: ‎11-01-2008

Re: how do I stealth Hub One router?


Moderators Note


This topic has been moved from Fibre to My Router

Customer / Moderator
If it helped click the thumb
If it fixed it click 'This fixed my problem'
Anonymous
Not applicable

Re: how do I stealth Hub One router?

As said by @dvorak in reply to your other post @UK_TK just replace the router, it's by far the best option.

dvorak
Moderator
Moderator
Posts: 29,473
Thanks: 6,623
Fixes: 1,482
Registered: ‎11-01-2008

Re: how do I stealth Hub One router?


Moderators Note


Topics from OP merged as they are related to the same subject.

Customer / Moderator
If it helped click the thumb
If it fixed it click 'This fixed my problem'
daveplus
Pro
Posts: 630
Thanks: 132
Fixes: 10
Registered: ‎25-08-2010

Re: how do I stealth Hub One router?

Hi @UK_TK

Although I love William Faulker, non-literary absence of paragraphs is really tedious to read.

UK_TK
Hooked
Posts: 5
Thanks: 1
Registered: ‎25-08-2019

Re: how do I stealth Hub One router?

@daveplus no one is forcing you to read any posts. If you are just looking to troll and attempt insults I'll leave you to the moderators Smiley Good manners are far more important than abiding by some arbitrary spoke counters literary standards.I am uncertain what your reference to "William Faulker" is about. I doubt it has anything to do with the thread but do not mind being corrected if I am wrong.

UK_TK
Hooked
Posts: 5
Thanks: 1
Registered: ‎25-08-2019

Re: Hub One router and services that it is not capable of

Why not just replace it with a modem/router of my choosing? Well it is difficult to CHOOSE a suitable VDSL2 modem and router and server never knowing how compatible it will be with the cabinet VDSL2 hardware and my other hardware. Plus the vulnerability PlusNet is foisting upon ALL customers offered or advised to install the hub one router is completely avoidable through either not having that interface open on the standard data channel... they could have had the entire TR-069 configured occur on a completely different data channel completely isolated from any routed internet IP number. Alternatively they could provide a custom profile where the end user can specify which open ports can be seen from the internet and which cannot be seen from the internet but can be seen from the TR-069 admin machines network fragment. Even if I managed to resolve the routers unwanted exposure to malicious inquiries for my self it would still leave many thousands operating their hub one routers in the default configurations with all of them open to speculative brute force authentication probing as well as potential denial of service resource depletion attack and potential hacking of the connections. When I try and forward 25, 80, 443 and a few others via UPNP it states the ports are already in use when they are not by any of my settings. The My Account Broadband Firewall if set to High does block the TR-069 port 4567 access from the internet but it also blocks wanted inbound port mappings too! LOW profile blocks nothing apparently. And the advanced settings that lists common ports and common ports excluding various services does not block 4567 from the internet. I'd suggest that the profile common ports should also include port 4567 in its block list if it's ok to block it in the High Profile it should be ok to block it in EVERY profile since no end user has any need to have that port accessible to the internet.

dvorak
Moderator
Moderator
Posts: 29,473
Thanks: 6,623
Fixes: 1,482
Registered: ‎11-01-2008

Re: Hub One router and services that it is not capable of

Something on your end must be opening the ports - I have succesfully opened 80 & 443 with no issues.
These aren't opened or listened by default on the hub one.
Customer / Moderator
If it helped click the thumb
If it fixed it click 'This fixed my problem'
UK_TK
Hooked
Posts: 5
Thanks: 1
Registered: ‎25-08-2019

Re: Hub One router and services that it is not capable of

Nothing on my end has the ports opened on the router it is just the hub one router does not behave politely when using UPNP to control port forwarding.

On that topic... I just "discovered" something that I have seen some locked threads on from the past where users of the hub one modem/router wanted to have the hub one DHCP server automatically assign the DNS server of THEIR choice and not be bound to PlusNet ones by default and having to assign the DNS servers on each connected device statically, requiring a level of admin access often not appropriate for visitors given access to their wifi…

I have found a way to assign a custom DNS server to the DHCP server in the hub one... via UPNP control interface using a 3rd party UPNPtest The tool is downloadable from various software repository sites like majorgeeks etc.

Using that tool to browse the PlusNet Hub One Internet Gateway Device and locate the "Internal WAN Device" folder and select the "LANHostConfigManagment" control object and right click on it and select Properties in the context menu for that object and Choose the "Action" GetDNSServers and "Invoke" it and the output result will display what the DHCP server sends as the primary DNS server.

If you then select the "Action" SetDNSServer and input the required DNS server IP number to the right of the "Arguments:" NewDNSServer e.g. put 1.1.1.1 there and "Invoke" it then the next device to request a DHCP lease or lease renewal will be sent the new Primary DNS value just set and an empty secondary DNS value. It also appears to survive reboot too. A word of caution avoid Set Actions testing unless you have your conf file safely saved away so you can restore a previous working configuration if needed. As it is possible to set values that could make IP routing fail if you try hard enough. Oh and regarding the remote admin server port 4567 while PlusNet seem to be wilfully ignorant of the bad ramifications of exposing the remote admin login server to the internet if the end user is not running their own servers inside their LAN that needs port forwarding they can use the PlusNet broadband firewall in their PlusNet account web pages set to "High" profile and it will prevent the remote admin server from being accessible by all and sundry on the internet. It is not the ideal solution but it does allow ones broadband to appear stealthier to speculative port scans and probes by bots looking for targets.

It is amazing how many FTTC PlusNet customers are out there online with the remote admin server readily scannable and their RDS on their IP being their username.plus.com and how PlusNet likes suggest we use our names in our account usernames which then get broadcast over the internet every time any website they visit or connection they make where the other end does a rDNS on the IP and is given the users name and or username. As I am sure you are aware it is possible to set ones broadband account to have the rDNS NOT use the accounts username in its rDNS but a generic subdomain derived from the IP number alone. Internet security and privacy do not seem to be a strong point of BT/PlusNet planners.