Administrative interface + ssh open to the internet? [solved, caused by wrong config of PPTP VPN]

I’ve just noticed the webserver and ssh server on my omnia are open to the world.

First I thought it’s because of the honeypot, but they seem to be fully working, I can log in etc.

Is it a misconfiguration from my side, or is it desired?

I didn’t add manually any rule opening these ports to the world (AFAIK).

Thanks for help.

cat /etc/firewall.user (edited to allow PPTP VPN):
iptables -A input_wan -p tcp --dport 1723 -j ACCEPT
iptables -A input_wan -p gre -j ACCEPT

iptables -A input_rule -i ppp+ -j ACCEPT
iptables -A forwarding_rule -i ppp+ -j ACCEPT
iptables -A forwarding_rule -o ppp+ -j ACCEPT
iptables -A output_rule -o ppp+ -j ACCEPT

And here comes cat /etc/config/firewall:
config rule
    option target 'ACCEPT'
    option proto 'tcp'
    option dest_port '22'
    option name 'ssh'
    option src 'lan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fe80::/10'
    option src_port '547'
    option dest_ip 'fe80::/10'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config defaults
    option syn_flood '1'
    option output 'ACCEPT'
    option forward 'REJECT'
    option input 'REJECT'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'lan'

config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option network 'wan wan6 wan_to_modem'

config forwarding
    option src 'lan'
    option dest 'wan'

config include
    option path '/etc/firewall.user'

config include
    option path '/usr/share/firewall/turris'
    option reload '1'

config include
    option path '/etc/firewall.d/with_reload/firewall.include.sh'
    option reload '1'

config include
    option path '/etc/firewall.d/without_reload/firewall.include.sh'
    option reload '0'

config include 'miniupnpd'
    option type 'script'
    option path '/usr/share/miniupnpd/firewall.include'
    option family 'any'
    option reload '1'

config zone
    option output 'ACCEPT'
    option name 'guest_lan'
    option masq '1'
    option network 'guest_lan'
    option forward 'REJECT'
    option input 'REJECT'

config forwarding
    option dest 'wan'
    option src 'guest_lan'

config rule
    option target 'ACCEPT'
    option proto 'tcp udp'
    option dest_port '53'
    option name 'Guest DNS'
    option src 'guest_lan'

config rule
    option target 'ACCEPT'
    option proto 'udp'
    option dest_port '67-68'
    option name 'Guest DHCP'
    option src 'guest_lan'

config rule
    option enabled '1'
    option target 'ACCEPT'
    option proto 'tcp udp'
    option dest_port '1723'
    option name 'Allow VPN'
    option src '*'

Sounds scary, any response from anyone already having the router (I cannot check, as I am still only expecting it)?

You could try to run “iptables -v -L” and “ip6tables -v -L” to see what kind of actual firewall configuration the system has built for kernel and network stack.

You are allowing everything incoming on the dial-up interface in firewall.user:

iptables -A input_rule -i ppp+ -j ACCEPT
iptables -A forwarding_rule -i ppp+ -j ACCEPT

Not what anyone wants.

Thanks! Now I read again the note from OpenWRT wiki: “Be aware, that if you are using ppp (PPPoE or similar) in wan following configuration is insecure and shall be modified.”

Yes, I do connect my Omnia to the world over VDSL, so it is the case that my WAN is PPP with name pppoe-wan, which matches the wildcard expression.

The wiki, however, doesn’t give any advice about how to change the rules. I tried to find the PPTP interface name, but ifconfig doesn’t list it (and I still have some problems connecting to the VPN, so I’ve never seen the interface up and running).

Can I expect the interface name to be always ppp0 when I’m only connecting a single VPN client?
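As an added example (not code from the thread or from Turris), a small POSIX shell audit that emulates the iptables `+` interface wildcard (a prefix match) and flags every ACCEPT rule in `input_rule` whose `-i` pattern would also match the PPPoE WAN interface; the rule listing is a constructed sample of `iptables -S input_rule` output, and `pppoe-wan` is the WAN name given above.

```shell
#!/bin/sh
# Constructed sample of "iptables -S input_rule" output on a router whose
# firewall.user contains the "ppp+" rules quoted in the thread.
SAMPLE_RULES='-N input_rule
-A input_rule -i ppp+ -j ACCEPT
-A input_rule -i ppp0 -j ACCEPT
-A input_rule -i br-lan -p tcp --dport 22 -j ACCEPT'

# iface_matches PATTERN IFACE
# Emulates how iptables matches "-i": a trailing "+" makes the pattern a
# prefix match, anything else must be an exact interface name.
iface_matches() {
    _pat=$1
    _iface=$2
    case "$_pat" in
        *+)
            _prefix=${_pat%+}
            case "$_iface" in
                "$_prefix"*) return 0 ;;
            esac
            return 1
            ;;
        *)
            [ "$_pat" = "$_iface" ]
            ;;
    esac
}

# flag_wan_accepts RULES WAN_IFACE
# Prints each "-A ... -j ACCEPT" rule whose "-i" pattern also matches the
# WAN interface, i.e. rules that silently open the router to the internet.
flag_wan_accepts() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            -A*-j\ ACCEPT*) ;;
            *) continue ;;
        esac
        pat=$(printf '%s\n' "$line" | sed -n 's/.*-i \([^ ]*\).*/\1/p')
        [ -n "$pat" ] || continue
        if iface_matches "$pat" "$2"; then
            printf '%s\n' "$line"
        fi
    done
}

# On a live router replace SAMPLE_RULES with: "$(iptables -S input_rule)"
flag_wan_accepts "$SAMPLE_RULES" pppoe-wan
```

Only the `ppp+` rule is reported: `ppp0` is an exact name and does not match `pppoe-wan`, which is exactly why a rule restricted to the real VPN interface name, rather than the wildcard, would no longer expose the WAN side.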

If you don’t misunderstand or ignore warning notices on the OpenWRT wiki, you’re okay :wink:

Ah! Thanks for updating on this, appreciated!!