D-link DIR-635 intrusion


  1. Posts : 14
    Windows 10 Home
       #1



    I have a D-link in my summer house and connect to a micro Arduino just to control the heat.
    So I set a port forward to the local IP of my micro in D-link.
    I have blocked in D-link config all subnets but the one I connect from at my flat in my city living.
    Seems ok that a lot of connections from various IPs to port 80 are blocked when I check the D-link log.
    It's like 5-10 blocked connections per minute. Guess that's what's to be expected .....

    Still I find when managing the D-link from WAN and checking current Internet sessions that most of the time I see one EST (established) connection from stochastic IPs not within my subnet from home. With TCP timeout 1 sec - 2 hours.
    My problem with this is that my VERY crude webserver on the Arduino "webserver" gets confused when there are multiple active connections to its port 80. I can connect like for a starter from city home. But after like from 2 hours - 1-2 days I can not connect anymore. So I'm thinking maybe these intruder connections are the problem.

    I don't understand how these connections get through my blocking.
    I can only guess .... Security problem with the D-link ???
    Any idea on this?

    D-link version (pretty old I think) :
    Firmware Version: 2.20EU
    Hardware Version: B1


  2. Posts : 8,057
    windows 10
       #2

    What have you actually blocked, as a webserver may accept connections on 8080?


  3. Posts : 14
    Windows 10 Home
    Thread Starter
       #3

    Samuria said:
    What have you actually blocked, as a webserver may accept connections on 8080?

    I have blocked on IP. So I assume that will block on all ports. I can see in the log that there is an established connection to port 80 on my micro ....
    The block reports I have in the log are to all kinds of random ports for my WAN IP. Seems like a bot trying any port.


  4. Posts : 8,057
    windows 10
       #4

    All search engines do crawl any open ip with a webserver


  5. Posts : 809
    Win10
       #5

    Can you post screenshots of your D-link port forwarding, inbound filters, and firewall settings? You can mask out your IP address.

    That said, the DIR-635 is an ancient device and you are not even using the latest firmware so it's not inconceivable that there's some security bug.


  6. Posts : 14
    Windows 10 Home
    Thread Starter
       #6

    Samuria said:
    All search engines do crawl any open ip with a webserver

    Yes sure. But the annoying thing here is I see an established connection for an IP that should have been blocked. In the log this offending IP is not present. Although a lot of other IPs can be seen blocked in the log.


  7. Posts : 14
    Windows 10 Home
    Thread Starter
       #7

    PolarNettles said:
    Can you post screenshots of your D-link port forwarding, inbound filters, and firewall settings? You can mask out your IP address.

    That said, the DIR-635 is an ancient device and you are not even using the latest firmware so it's not inconceivable that there's some security bug.

    I'm using Virtual server instead of Port forward. I can try Port forward instead and see if it makes any difference.
    Also the firewall setting I haven't considered. Guess I could restrict some more there.

    See config in attach.
    Attached Thumbnails: D-link DIR-635 intrusion-t3.png, D-link DIR-635 intrusion-t4.png, D-link DIR-635 intrusion-t2.png, D-link DIR-635 intrusion-t1.png


  8. xTL
    Posts : 396
    Windows 10 Pro 64-Bit
       #8

    Hello @bosse

    I too have an old D-link router, mine is a DIR-655 (not used anymore though).
    I suggest you use the following options in the router's web UI.

    @ Tools > admin >
    enable graphical authentication
    enable https server
    disable remote admin port
    disable remote admin inbound filter > set to deny all.

    If you want to administer the router, remote in from your PC to the web server and access the web UI that way.
    Also change your primary DNS server to either 8.8.8.8 or 1.1.1.1


    Your router is very old, and you should probably invest in a newer router, with better security.

    Getting attacks on port 80 is connected to your webserver, is SSL enabled?
    Is the webserver's OS based on Windows or Linux?
    What webserver are you running? nginx, IIS, Apache, others?
    To get SSL enabled you need a domain, there are a few ways and I'm working on a guide on how to enable SSL in detail.
    But for now go to cloudflare.com, all you need is to change nameservers and Cloudflare will do the rest :)
    (though this requires you to have a domain name)


  9. Posts : 14
    Windows 10 Home
    Thread Starter
       #9

    @xTL Thanks for input. I'll try out some of it. Just that my "webserver" is extremely stupid Arduino micro comp sketch. Not sure it will handle SSL or any other normal web service. What I can do is change default port to something else. Maybe help some. Also I have changed remote admin port.
    I'm a bit unsure about the inbound filter. If I just have one single Allow filter, will that Deny any other IP? Is the Deny entry I have obsolete?


  10. xTL
    Posts : 396
    Windows 10 Pro 64-Bit
       #10

    @bosse You're welcome :)
    If you have a public IP to the webserver you can make use of Cloudflare's secure DNS & other security features.

    First go to dot.tk and create a free domain.
    Then log in at dot.tk and peek the server's IP to your new domain (use CNAME when peeking IP to Domain).
    Then change the nameservers from the default that dot.tk uses to Cloudflare's. Here is a YouTube video on how to do this.
    The vid is from 2016, but the interface should still be the same in dot.tk

    Now go to cloudflare.com & register and log in.
    Then change NS, here is a guide from Cloudflare (NS = Name Servers).
    When all this is done go to Cloudflare's control panel / Overview > press DNS & make sure you have this active on your www status.

    D-link DIR-635 intrusion-413245uhe.png



    Now, I have not tried this myself with dot.tk because I have a domain from one.com
    But as long as you're able to change the NS from what dot.tk uses to Cloudflare's you should be good :)

    And if it's 100% impossible to do with dot.tk
    You can go here and check what domains are fully supported by cloudflare.com :)
    (just scroll down until you see this)
    " Below is a list of links to popular registrar knowledge base articles to help you change your nameservers accordingly, contact your registrar if you have any questions: "

    So why cloudflare.com?
    Because you don't have to think about anything when it comes to security and SSL etc., cloudflare.com takes care of all of that for you :) They've made it really simple

    Both Cloudflare & dot.tk are 100% free so you don't have to spend any money when trying this,
    you just spend some time, that's it :)

    Let me know how it went.



    bosse said:
    I'm a bit unsure about the inbound filter. If I just have one single Allow filter. Will that Deny any other IP ? Is the Deny entry I have obsolete ?

    Yes, if you only allow one single IP in the filter that will deny any and all other IPs that try to log in.

    D-link DIR-635 intrusion-1rqte2.png

    But keep in mind that the router is fairly old.
    I don't know for sure but the router probably has a few security holes,
    with the firmware not having been updated for a few years.
    Last edited by xTL; 12 Nov 2018 at 16:08.
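
The cross-check bosse describes in posts #1 and #6, as an added example that is not part of the thread: list established sessions to the forwarded port that come from outside the allowed subnet, and note whether each source ever showed up in the block log. The line formats, addresses and names below are constructed placeholders, not the DIR-635's own output.

```python
import ipaddress
import re

# Constructed sample data: the formats are assumptions, not the DIR-635's own output.
ALLOWED_NET = ipaddress.ip_network("198.51.100.0/24")  # placeholder for the home subnet
FORWARDED = ("192.168.0.50", 80)                       # placeholder LAN address of the Arduino

SESSIONS = """\
TCP 192.168.0.50:80 198.51.100.23:51512 EST 7200
TCP 192.168.0.50:80 203.0.113.77:40211 EST 1
TCP 192.168.0.50:80 203.0.113.9:33870 EST 5400
UDP 192.168.0.10:5353 192.0.2.53:53 - 30
TCP 192.168.0.50:80 192.0.2.14:60001 SYN 20
"""

BLOCK_LOG = """\
Blocked incoming TCP connection request from 203.0.113.9:33870 to 192.0.2.1:80
Blocked incoming TCP connection request from 192.0.2.200:4431 to 192.0.2.1:23
"""

def endpoint(text):
    """Split 'a.b.c.d:port' into (ip_address, port)."""
    host, _, port = text.rpartition(":")
    return ipaddress.ip_address(host), int(port)

def blocked_sources(log_text):
    """Source addresses that appear in a 'Blocked ...' log line."""
    return {endpoint(m)[0] for m in re.findall(r"from (\S+) to", log_text)}

def audit(sessions_text, log_text, allowed=ALLOWED_NET, forwarded=FORWARDED):
    """Return (remote_ip, note) for established sessions the allow-list should have stopped."""
    blocked = blocked_sources(log_text)
    findings = []
    for line in sessions_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip headers or malformed rows
        proto, local, remote, state, _timeout = fields
        lip, lport = endpoint(local)
        rip, _rport = endpoint(remote)
        if proto != "TCP" or state != "EST" or (str(lip), lport) != forwarded:
            continue  # only established TCP sessions to the forwarded service
        if rip in allowed:
            continue  # expected traffic from the allowed subnet
        findings.append((str(rip), "also in block log" if rip in blocked else "never logged"))
    return findings
```

A "never logged" result matches what post #6 reports: an established session from outside the allowed subnet whose source never appears among the blocked entries.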


 
