I have recently discovered that a large number of IP addresses are trying to access Rogers IP addresses.
If a Rogers cable modem is your first line of defense and it has the default username and password, then there is a high possibility that your network is breached. There are a lot of forums where Rogers cable modem admin account credentials are listed. My advice is to call your friends and family who are using a Rogers cable modem and ask them to call tech support and get that password changed ASAP. I tried calling tech support myself to have these subnets blocked, but the lady said she can't and they don't do that.
I am posting this here after seeing firewall logs (Juniper) from 5 different clients that I know, and all have continuous login attempts from a few IPs and also a few replay attack sessions on SSH connections. Find below a list of attacks on 1 client over a few days (I am limited to 10k characters so I can't post the whole log; in 3 days there are more than 2000 attempts!):
2014-01-08 15:52:15 alert Login attempt by admin root from 220.127.116.11 is refused as this account is locked
2014-01-08 15:51:42 alert Login attempt by admin root from 18.104.22.168 is refused as this account is locked
2014-01-08 15:50:06 alert Login attempt by admin bin from 22.214.171.124 is refused as this account is locked
2014-01-08 15:46:15 alert Login attempt by admin root from 126.96.36.199 is refused as this account is locked
2014-01-08 15:39:43 alert Login attempt by admin root from 188.8.131.52 is refused as this account is locked
2014-01-08 15:39:40 alert Potential replay attack detected on SSH connection initiated from 184.108.40.206:43983
2014-01-08 15:35:55 alert Potential replay attack detected on SSH connection initiated from 220.127.116.11:42395
2014-01-08 15:33:22 alert Login attempt by admin root from 18.104.22.168 is refused as this account is locked
2014-01-08 15:33:21 alert Login attempt by admin root from 22.214.171.124 is refused as this account is locked
2014-01-08 08:20:03 alert Login attempt by admin root from 126.96.36.199 is refused as this account is locked
2014-01-08 03:00:50 alert Login attempt by admin root from 188.8.131.52 is refused as this account is locked
2014-01-08 01:34:37 alert Login attempt by admin root from 184.108.40.206 is refused as this account is locked
2014-01-08 01:23:55 alert Potential replay attack detected on SSH connection initiated from 220.127.116.11:41592
2014-01-07 19:54:39 alert Login attempt by admin root from 18.104.22.168 is refused as this account is locked
2014-01-07 19:26:35 alert Potential replay attack detected on SSH connection initiated from 22.214.171.124:49391
2014-01-07 18:11:57 alert Login attempt by admin root from 126.96.36.199 is refused as this account is locked
2014-01-07 15:03:10 alert Login attempt by admin root from 188.8.131.52 is refused as this account is locked
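Added example (not part of the post above): a small Python script that parses Juniper alert lines of the two kinds shown in the log, tallies refused logins and SSH replay alerts per source address, and lists the sources that exceed a threshold, which is the list you would feed into a deny rule. The sample lines are copied from the excerpt above; the threshold and function names are my own choices.

```python
import re
from collections import defaultdict

# Juniper ScreenOS-style alert lines, taken from the log excerpt posted above
SAMPLE_LOG = """\
2014-01-08 15:52:15 alert Login attempt by admin root from 220.127.116.11 is refused as this account is locked
2014-01-08 15:50:06 alert Login attempt by admin bin from 22.214.171.124 is refused as this account is locked
2014-01-08 15:39:40 alert Potential replay attack detected on SSH connection initiated from 184.108.40.206:43983
2014-01-08 15:35:55 alert Potential replay attack detected on SSH connection initiated from 220.127.116.11:42395
2014-01-08 15:33:22 alert Login attempt by admin root from 18.104.22.168 is refused as this account is locked
2014-01-08 01:23:55 alert Potential replay attack detected on SSH connection initiated from 220.127.116.11:41592
2014-01-07 19:54:39 alert Login attempt by admin root from 18.104.22.168 is refused as this account is locked
"""

LOGIN_RE = re.compile(
    r"^(\S+ \S+) alert Login attempt by admin (\S+) from (\d+\.\d+\.\d+\.\d+) is refused")
REPLAY_RE = re.compile(
    r"^(\S+ \S+) alert Potential replay attack detected on SSH connection initiated "
    r"from (\d+\.\d+\.\d+\.\d+):(\d+)")

def parse_alerts(text):
    """Return (timestamp, kind, source_ip, detail) for each recognised alert line."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:  # detail = account name that was tried
            events.append((m.group(1), "login_refused", m.group(3), m.group(2)))
            continue
        m = REPLAY_RE.match(line)
        if m:  # detail = client source port
            events.append((m.group(1), "ssh_replay", m.group(2), m.group(3)))
    return events

def summarize(events):
    """Per-source counts plus the set of admin accounts each source tried."""
    summary = defaultdict(lambda: {"login_refused": 0, "ssh_replay": 0, "accounts": set()})
    for _ts, kind, ip, detail in events:
        summary[ip][kind] += 1
        if kind == "login_refused":
            summary[ip]["accounts"].add(detail)
    return dict(summary)

def sources_to_block(summary, min_events=2):
    """Sources with at least min_events alerts, busiest first: candidates for a deny rule."""
    total = lambda s: s["login_refused"] + s["ssh_replay"]
    ranked = sorted(summary.items(), key=lambda kv: -total(kv[1]))
    return [ip for ip, s in ranked if total(s) >= min_events]

if __name__ == "__main__":
    for ip, s in summarize(parse_alerts(SAMPLE_LOG)).items():
        print(ip, s["login_refused"], "refused logins,", s["ssh_replay"], "replay alerts", sorted(s["accounts"]))
```

Run it against the full export rather than the excerpt and the per-source totals show whether the 2000+ attempts come from a handful of addresses (block them) or from many (tighten the permitted management subnets instead).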
Thanks for starting this thread. Very good advice. Maybe it depends on the modem/router, but I have an SMCD3GN and change my password often. I don't need Rogers to do anything. Just checked my logs and don't see anything unusual.
The DEFAULT one is fairly well known. But you are correct.. it should be changed VERY often.
I know on the SMC, Cisco and the older Hitron it's fairly easy to do, not sure on the new one.
Usually all it requires is logging into the gateway itself.
If you don't know the gateway address.. you can open a command prompt (Start, Run, cmd.exe on a Windows computer) and type ipconfig and it will list a GATEWAY address.
Usually this is 192.168.0.1 or 192.168.1.1.
Log in there with the default Rogers username/password.
Now, the username I don't believe can be changed, but the password can.
One thing, in the case of the OP's client above.. that person SHOULD be able to make the request to Rogers to rotate their IP at least.. they should be able to accommodate something like that. Since it's a directed attack at her IP, with it changed, the attack should stop.
(barring there being something like malware or similar on the PC, reporting the new IP to the malicious parties involved)
Keep in mind, for them to be able to log in to your gateway you would need to allow remote administration or set up firewall rules to allow access to the admin page from the outside world. As far as I know all of the Rogers gateways have remote admin disabled from the WAN/internet port. The LAN ports have access, and of course Rogers has their access through the management network.
OP - Juniper firewalls (the ScreenOS variety at least) do not have remote admin enabled by default, but in your case, since it sounds like you may manage their devices remotely, you have it enabled. You should limit access by IP so only you can access remotely. That way the firewall will block the attempts so no brute force password guessing attempts can take place.
sbenninger, I agree.
Remote admin and SSH are enabled and limited to certain subnets only. But a few days ago, I made some policy changes and removed the managed IP list while making the policy changes. And all this happened within that period of time the list was offline (3 days). Good news is that after 2 attempts, the account is disabled for 24 hrs. But as you can see, they were trying very hard.
"seeing firewall logs (Juniper)" This is obviously a business - the fact you have not changed the Rogers device into a modem only and disabled all features and changed the login USER NAME and PASSWORD shows you need professional IT help.
Contract a reliable IT management company or start reading the network device manuals and take a Cisco networking course.
I don't know what your set-up or equipment is, but usually there is a way to block the IPs the attacks are coming from, and you can do other things like time out connections on failed attempts.
User name and password changes are simple level one; if I was trying to hack you and saw no response on the brute force I would start probing for open ports to find a back door.
But with all attacks, and why calling your friends to get them to change passwords is not necessary, is you have to have something of value - most home users have nothing of interest for hackers that are attacking you on this level.
Here are a few tips:
1. Seeing a firewall log does not mean that it's a business. FYI: It is at my home and it's not a home business.
2. The information was given to the public to help them better understand what is happening on the WAN side of the internet, and for those who actually use a Rogers modem as their primary router.
3. Are you saying that home users have no value behind their network and have nothing worth protecting?
4. For you to say that I have not changed the Rogers device into a modem shows your limited knowledge in networking. FYI: It IS in bridge mode; that is why the Juniper was logging the failed login attempts on the untrust zone (public IP side).
As for my log, if you look you will see the account is locked when the bots/humans are trying to access the firewall. FYI: it's locked for 1440 mins after 1 failed attempt. All these attacks occurred during the deployment stage while there was nothing connected to this firewall, while it was being configured. It has been fully configured now for WAN management access on only certain subnets among other firewall features.
You made some rather daring assumptions based on a firewall log file that was meant to be just information to forum members. However Mike, thanks for your advice and good luck with that IT management company that you work for.