cancel
Showing results for 
Search instead for 
Did you mean: 

Inbound IP Filtering on CODA-4582U

hectop
I plan to stick around

I have a CODA-4582U modem running in Gateway mode with Firmware 2.0.10.36T6

Gateway Function settings show:

Residential Gateway Function:  Enabled

Router Mode:                                IPv4

USB                                                 Enabled

UPNP                                              Enabled

SIP ALG                                          Enabled

 

My ZoneAlarm firewall is showing blocked incoming traffic from a number of IPs

Windows 10 Security Event Logs show some Audit Failures with EventID 4625 which shows an attempted login from a workstation with an external IP address (from a high risk country)

 

So sometimes an IP is getting past the software firewall.

 

Can the CODA-4582U be configured to block incoming IP addresses.  Rogers Tech Support said this was outside their scope.  The documentation doesn't seem to indicate this is possible, but have I missed anything?

 

TIA

 

*Added Labels*

4 REPLIES 4

Re: Inbound IP Filtering on CODA-4582U

Datalink
Resident Expert
Resident Expert

@hectop I don't think you've missed anything.  There isn't any capability to block external probing beyond the firewall setting.  

 

Fwiw, use this address and change the IP address to the address that you've seen in the external probes:

 

https://otx.alienvault.com/indicator/ip/5.42.160.0

 

That address is for one of the Blizzard servers.  If you change the IP Address to what you're seeing, check it to see if its been noted as an address that is seen to conduct that type of attack.  

 

Fwiw, for your settings that you posted, I would disable the USB, UPNP, and SIP ALG, settings.  That is, unless you're a gamer and want to use UPNP instead of setting port forwarding rules manually, or if you happen to have a VOIP phone and need the SIP ALG setting enabled.  If neither one is true, I'd disable both.

 

In the SECURITY .... FIREWALL tab, consider changing the Firewall Level to Typical or Maximum to see what effect that has on your internet access.  Each level higher, has a greater effect on what is blocked.  The question is, does those settings impede your access to the internet to the point where it becomes a pain?  

 

On that tab, the Ping from WAN setting should be set to Deny.

 

On the VPN Pass-through tab, unless you're running a VPN of some type, all of the pass-through settings should be set to Disabled.

 

The Windows Remote Access setting should also be set to disabled. 

 

What you can do, which would have some minimal effect is to swap the modem at the nearest Rogers store.  That will result in a different MAC address for the newly obtained modem, which results in a different WAN IP address.  The problem here is that external hackers will probably sweep through a range of addresses and ports, probing for any port that can be used for items such as logging into modems, routers and anything connected to the internet.  So, for example here is Hurricane Electric's search page for Rogers Communications:

 

https://bgp.he.net/search?search%5Bsearch%5D=rogers+communications&commit=Search

 

A hacker would simply take those ASN ranges and sweep through those, looking for any unprotected ports.  So, despite swapping the modem, you might only see temporary relief assuming that the hacker is sweeping through the ASN ranges on a regular basis.  And, you can multiply that by a multitude of hackers around the world.  

 

Its a little perplexing that a hacker is able to reach the pc thru the firewall.  If and when you have time, run a port scan using GRC's ShieldsUp scanner, located here:  https://www.grc.com/intro.htm

 

The scan is located under Services ..... ShieldsUP.  Run a scan for all service ports to see what turns up as been unprotected.

 

In terms of protecting yourself from external hackers, you would need to use a router that provides the ability to block external IP addresses, either by country or by blacklist, and there are several blacklists around that can be used for Firewall purposes.  That's a discussion in itself.  

Re: Inbound IP Filtering on CODA-4582U

hectop
I plan to stick around

Looks like my reply got lost

Thanks for your response Datalink.

I've disabled the USB, UPNP, and SIP ALG, settings.

When I found the Audit Errors and Blocked IPs I turned Firewall Level to maximum which seems to have blocked the Audit Errors.  I still have Blocked IPs but they don't seem to be from the sources that I thought were higher risk.  I'll monitor those and compare with Alien Vault.

I'll look at you other suggestions.

 

Do you have any suggestion on a good, relatively inexpensive (say <$200) router that will handle the IP filtering?

 

Re: Inbound IP Filtering on CODA-4582U

@hectop short answer is some router that you can load  third party firmware which can give you IP filtering capability.  That includes Merlins-Asuswrt for Asus routers and (Openwrt & dd-wrt) for a mixture of routers. 

 

https://www.asuswrt-merlin.net/

 

Small Net Builder forum for Merlins Asuswrt:

 

https://www.snbforums.com/forums/asuswrt-merlin.42/

 

https://openwrt.org/

 

https://dd-wrt.com/

 

I'm not familiar with Openwrt so I'd have to have a look at it.  @-G- might be able to give you a quick answer on that one.  Not familiar with dd-wrt either.  Beyond those choices, you're looking at something like PfSense, OpnSense, Sophos and others which are basically a pc with one of those operating systems loaded to run firewall, router, and other capabilities.  Those systems will have blocking capability built in, its just a matter of loading the right blocking lists. 

 

I run an Asus RT-AC86U with Merlins Asuswrt loaded, which can then be used to load add-ons developed specifically for the purpose of Adblocking, IP Filtering and others.  That also requires a USB3 flash drive to hold the add-on files.  I mention this as Bestbuy has this router on sale at the moment for $199.99.  Thats the lowest price that I've seen for this router.  Don't know if it might drop for Boxing Day sales:

 

https://www.bestbuy.ca/en-ca/product/asus-wireless-ac2900-dual-band-gigabit-router-rt-ac86u/11281277

 

So, don't have time at the moment for a long answer, I'll return to this later today.  But, for now, I can say that the combination of the 86U, Merlins Asuswrt and the add-ons work very well for adblocking, IP address blocking and country blocking.  There are blocking lists that are loaded automatically for both adblocking and IP address blocking and you can blacklist or whitelist domains or IP addresses as desired.  It takes a little getting used to as you have to SSH into the router, which isn't hard to do using PuTTy.  

 

https://www.putty.org/

 

Openwrt might give you a wider choice of routers to choose, but keep in mind, if you're running the gig plan, you should be looking at a router with a minimum 1.4 Ghz processor, preferably 1.8 Ghz processor or faster.  The 86U has a dual core 1.8 Ghz processor.  If you use VPNs or plan to, you should be looking for hardware support for Intels AES-NI which is the instruction set that is used for the hardware processor for encryption / decryption.  That makes a considerable difference in VPN data rates, going from a typical 40 to 50 Mb/s without hardware support to 200 to 250 Mb/s with hardware support.  That range depends on the level of encryption selected for the VPN.  The 86U also has hardware support for AES-NI.

 

Ok. Short answer for now.  There's more to consider for this ........

Re: Inbound IP Filtering on CODA-4582U

jini3
I've been around

@hectop wrote:

I have a CODA-4582U modem running in Gateway mode with Firmware 2.0.10.36T6

Gateway Function settings show:

Residential Gateway Function:  Enabled

Router Mode:                                IPv4

USB                                                 Enabled

UPNP                                              Enabled

SIP ALG                                          Enabled

 

My ZoneAlarm firewall is showing blocked incoming traffic from a number of IPs

Windows 10 Security Event Logs show some Audit Failures with EventID 4625 which shows an attempted login from a workstation with an external IP address (from a high risk country)

 

So sometimes an IP is getting past the software firewall.

 

Can the CODA-4582U be configured to block incoming IP addresses.  face Rogers Tech Support said this was outside their scope.  The documentation doesn't seem to indicate this is possible, but have I missed anything?

 

TIA

 

*Added Labels*


getting the same thing, did you resolve this ?

Topic Stats
  • 4 replies
  • 4447 views
  • 0 Likes
  • 3 in conversation