cancel
Showing results for 
Search instead for 
Did you mean: 

Securing HG612 modems in Bridge Mode

Yorkshirekev99
Dabbler
Posts: 19
Registered: 31-07-2015

Securing HG612 modems in Bridge Mode

I thought I'd feed back some thoughts on securing Huawei HG612 routers in bridge mode. Due to the fact it's in bridge mode, security isn't as big a concern as if it's in routing mode, due to the fact there is no IP address in the data path; the only IP address will be on LAN2, which can be seen as a dedicated Out Of Band management interface, and that will be a private address which - providing you don't carelessly NAT it through your firewall / gateway / routing point - should never be able to access the Internet. This post assumes the router has been unlocked and you have full access to the GUI and command line. 

One seemingly problematic sticking point is that changing the admin password within the GUI doesn't change the admin password for telnet access. I searched the web and they said you couldn't do it; here's how Smiley

First of all, ensure you're running in bridge mode; I'm not going to cover securing routed mode because that's a whole different kettle of fish. It will need strong firewall rules to protect it, and you have the challenge of BTAgent and potential other unknown back doors. It's such an old product that I wouldn't trust the code to be at all secure, even with good firewall rules. Far better to use it purely as a modem and buy a new, up to date router / firewall to place behind it. Also, this post isn't intended to be a "click this" Janet & John instruction book - it's more what to do, rather than how to do it.

Next, change the admin password to something secure, and optionally set a user password. This is actually key to locking down the telnet password; if you create a new account of "Bob" and give it your password of choice, you'll find the next bit easier.

As I said, changing the admin password doesn't change the telnet password. What you'll need to do is download the modified config to your PC, change the extension to .txt and then edit it. Now if you created a user account, just search for Bob - and after that, you'll see a string of garbage in double quotes - that's your hashed password. Copy the whole of that string to clipboard. Now go back to the top of the text file and search for admin - there are a couple of entries, but the one you want is followed by something like "telnet password" and again, there will be a string of garbage - this is the hash of "admin". paste your hash in place of the admin hash and you're sorted Smiley Now save the file and remove the .txt extension, go back to your router and upload it.

One word of caution; it seems when you upload a config file, it screws up your bespoke DHCP and routing setup - the DHCP scope will revert to the full subnet (if you had previously set something smaller) and static routes just don't seem to work, though they look ok. You might be thinking "why would you have static routes on a bridged modem?" Well, I've connected my LAN2 interface to a DMZ on my firewall, so I can manage it from my LAN but without bypassing my firewall (I have rules that allow me to http & telnet to the modem, but doesn't allow the modem to initiate connections anywhere), so I have a route pointing to my LAN via the DMZ interface. If you also do this, my suggestion would be to now disable the DHCP server and delete all routes; then reenable and set up DHCP server as you want it and re-add the static routes. (Note, without deleting the routes, it was odd - I could connect when plugged straight into LAN2, but although the static route looked fine, it just didn't work; rebooting made no difference, I had to delete the route and start again).

Now, you should be able to telnet in using your chosen password, and not the default Cheesy

 

Next, go to advanced / CWMP and disable TR069 - this is the remote config protocol. As there is no IP address in the data path, it shouldn't matter, but you never know... I don't like the idea of TR069 / ACS.

 

If anyone has any specific questions, I'll try to flesh it out, and if anyone has other ideas for securing it (in bridge mode), please feel free to add.

3 REPLIES
danielmorris
Newbie
Posts: 1
Registered: 16-02-2018

Re: Securing HG612 modems in Bridge Mode

hi kev  are you about i have unlocked HG612  and cannot get it to talk to my router i have interface access doing my head in 

but running in lan 1 to router  wan  ,accessing interface lant 2 pc    help 

Yorkshirekev99
Dabbler
Posts: 19
Registered: 31-07-2015

Re: Securing HG612 modems in Bridge Mode

Hi Daniel

 

What exactly are you trying to do? Can you actually log into LAN2 using a direct cable? Just checking, have you set it in Bridge mode? If it's in Routed mode then only 1 interface will be enabled and I can't remember which. On the Basic / WAN page, make sure Connection Mode = Bridged and Bridge Type = IP_Bridged.

 

On that page you should also have set up a WAN profile called ptm1.101 or something - I have mine set as follows:

Layer2 interface = ptm1/(ptm1_0_1)

WAN connection = enable

Service List = Internet 

Port Binding = LAN1

Connection Mode = Bridge

Bridge Type = IP_bridged

DHCP Transparent Transmission = disable

WAN 802.1q = enable

VLAN ID = 101

WAN 802.1p = enable

Value = 1

LAN 802.1q = disable

LAN 802.1p = disable

 

When you say it won't talk to your router, do you mean the data path LAN1 isn't working or are you trying to get the LAN2 admin interface working on a DMZ like I wrote about? Note that's an advanced setup, so I'd suggest getting it working "basic" first - connect a laptop directly to LAN2 using a straight through ethernet cable and you should get an IP address - then just browse to your PC's gateway, which will be the modem LAN2.

 

Once you're logged in, go to Status / LAN / Ethernet - you should see both interface are connected and packets for "receive" and "send" next to LAN1 with 0 errors or discards.

 

If you get Send but not Receive (or maybe nothing at all), check your cable - maybe you need to have a crossover cable between your router WAN and LAN1 - not all devices will automatically cross over transmit to receive, and that's needed when you connect 2 routers / modems together.

 

Theres a few ideas Smiley Let me know how you get on.

Yorkshirekev99
Dabbler
Posts: 19
Registered: 31-07-2015

Re: Securing HG612 modems in Bridge Mode

Hi Daniel

 

Did you get anywhere with this?

 

Kev