
Superhub Telnet


ccarmock
29-12-2011, 21:20
Just spotted an interesting entry in the event log on my Superhub:-

Thu Dec 29 11:43:00 2011 Critical (3) Telnet login failed from 210.61.240.52.


I find that indeed the superhub is running a telnet server, which appears to be accessible via the WAN IP address. The normal admin login doesn't work though. Hopefully there isn't a standard login as this would seem to be a security risk.

Peter_
29-12-2011, 21:54
The IP resolves to

CHUNGHWA-TELECOM-TP-TW

ccarmock
30-12-2011, 00:30
Yup I suspect a portscan found it. Is there a way to disable telnet from the WAN port?

Chrysalis
30-12-2011, 03:36
It should already be off so looks like a bug, VM went to great effort to lock out ssh/telnet access.

kwikbreaks
30-12-2011, 09:17
From what I remember of it you could access it from the standard port 23 on the LAN side - I don't recall ever trying or seeing it mentioned that WAN access was possible at all. IMO any WAN access using any protocol is a potential security breach - didn't O2 suffer some stick for an open port on their Thomson router?

ccarmock
30-12-2011, 09:29
It is definitely accessible from both the LAN and WAN side of the Superhub. This is running the business service firmware though. Version 5.5.2R04-BU

I am not sure if this is based on the R04 build of the residential firmware or is a totally new build stream. It does not have modem mode, but does have other features like L2TP tunnel config options under Basic Settings. SSH is disabled which implies it is more aligned to a later version, however does respond to a port 23 connection with:-

Netgear Embedded Telnet Server (c) 2000-2007

WARNING: Access allowed by authorized users only.

Login:

kwikbreaks
30-12-2011, 09:37
If it uses the standard port then simply running Gibson's "Shields up" will expose it. I've even got a smartphone app that scans ports on the LAN but don't have a Superhub to check what the current firmware does.

ccarmock
30-12-2011, 09:42
Well it exposes itself with that login banner....

Kymmy
30-12-2011, 09:55
If you wish to PM the IP address of the hub I'll check to see if the port is open

Milambar
30-12-2011, 10:28
Technically, I've broken VM's ToS with this, which specifically prohibits portscanning, but..


username@fileserver:~$ sudo nmap -sS -P0 -p -1024 <myownip>

Starting Nmap 5.00 ( http://nmap.org ) at 2011-12-30 10:26 GMT
Interesting ports on <myhost> (<myip>):
Not shown: 1023 filtered ports
PORT STATE SERVICE
22/tcp open ssh

Nmap done: 1 IP address (1 host up) scanned in 6.71 seconds


No telnet port open here, and I'm on a superhub, firmware V5.5.2R30.

Yes, I know port 22 is open, I specifically opened it.

Kymmy
30-12-2011, 10:29
No telnet port open here, and I'm on a superhub, firmware V5.5.2R30.

Yes, I know port 22 is open, I specifically opened it.

He's on a business hub not a residential hub so different firmware

Milambar
30-12-2011, 10:30
Ah, okay, I missed that bit.

Kymmy
30-12-2011, 11:59
On the two IPs sent to me I get no response on SSH or Telnet

kwikbreaks
30-12-2011, 12:43
Well it exposes itself with that login banner....
That was the business hub - I was interested to know if they'd made yet another error with the standard hub which is in half a million homes...

ccarmock
30-12-2011, 13:39
Thanks for testing Kymmy. I do get a login from the first of the two IP addresses I sent out and also the internal one.

I wonder if some filtering is going on somewhere as the event log has now two rejected Telnet logins from different external IP addresses.
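
The event-log check discussed above, as an added example that is not part of any post in this thread: it pulls "Telnet login failed" entries out of a log dump and separates sources outside the private ranges, which indicate the telnet service is answering on the WAN side. It assumes every entry follows the format of the single line quoted in the first post and treats only RFC 1918 addresses as LAN; apart from that quoted line, the sample entries are constructed.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample: the first line is the entry quoted in the thread; the
# rest are made up in the same format (documentation and private addresses).
SAMPLE_LOG = """\
Thu Dec 29 11:43:00 2011 Critical (3) Telnet login failed from 210.61.240.52.
Fri Dec 30 12:58:14 2011 Critical (3) Telnet login failed from 203.0.113.77.
Fri Dec 30 13:02:41 2011 Critical (3) Telnet login failed from 192.168.0.10.
Fri Dec 30 13:04:02 2011 Critical (3) Telnet login failed from 203.0.113.77.
Fri Dec 30 13:05:09 2011 Notice (6) Some unrelated event
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"\w+ \(\d+\) Telnet login failed from (?P<ip>[0-9a-fA-F.:]+?)\.?$"
)
# Assumption: the LAN uses RFC 1918 space; anything else counts as WAN-side.
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def failed_telnet_logins(log_text):
    """Return {source_ip: {"origin": "LAN"|"WAN", "count": n, "last": datetime}}."""
    summary = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a failed-Telnet entry
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # malformed address field, skip rather than guess
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        origin = "LAN" if any(ip in net for net in LAN_NETS) else "WAN"
        entry = summary.setdefault(str(ip), {"origin": origin, "count": 0, "last": ts})
        entry["count"] += 1
        entry["last"] = max(entry["last"], ts)
    return summary


def wan_sources(summary):
    """Source addresses whose failed logins reached the telnet service from outside."""
    return sorted(ip for ip, e in summary.items() if e["origin"] == "WAN")


if __name__ == "__main__":
    for ip, e in failed_telnet_logins(SAMPLE_LOG).items():
        print(f'{ip:15} {e["origin"]} failures={e["count"]} last={e["last"]}')
```

Any WAN entry at all means the login prompt was reachable from outside, whatever the outcome of the login attempt.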

Kymmy
30-12-2011, 14:31
My IP ends x.x.x.39, did you get a failure with that one? If so then it's a firewall/blocking error that's showing up and not a login error as I got no response.

Chrysalis
30-12-2011, 16:20
It is definitely accessible from both the LAN and WAN side of the Superhub. This is running the business service firmware though. Version 5.5.2R04-BU

I am not sure if this is based on the R04 build of the residential firmware or is a totally new build stream. It does not have modem mode, but does have other features like L2TP tunnel config options under Basic Settings. SSH is disabled which implies it is more aligned to a later version, however does respond to a port 23 connection with:-

Netgear Embedded Telnet Server (c) 2000-2007

WARNING: Access allowed by authorized users only.

Login:

can you list what other extra features it has?

ccarmock
30-12-2011, 21:28
Hi Kymmy - No that wasn't one of the IP addresses

Chrysalis - as far as I am aware the only extra option the business version of the firmware has is - under basic settings there are some extra options in connection with the L2TP tunnel that is used to provide the static IP addresses:-

Cable Network Settings
Domain Name
Device Name
WAN Connection Type L2TP(DHCP)
PPP User Name *********
PPP Password *********
L2TP Server xx.xx.xx.xx (Host name or IP)


There are also entries under Static IP Subnet setup but I think I've seen that same set of options on the residential firmware.

As mentioned before modem mode is not provided in this firmware. SSH is disabled, but telnet is enabled, though the GUI login ID & Password do not grant access to the telnet interface.

Since the device is in no NAT mode as I have 5 routable IP addresses the port forwarding options are not present.

In no NAT mode the Firewall Features checkbox in Services is greyed out and unticked.

The base code version is the same - 5.5.2, but I am unsure if R04-BU is a derivative of the R04 build for the residential Superhub (very old!) or whether the -BU stream is a totally separate stream.


I am on the 50 Mb/s business service and in an area that has not yet received the upstream bandwidth increases, however it seems the business service in a non upgraded area is not set the same as the residential one:-

Primary Downstream Service Flow
Downstream(0)
SFID 21328
Max Traffic Rate 54600000 bps
Max Traffic Burst 10000 bytes
Mix Traffic Rate 0 bps

Primary Upstream Service Flow
Upstream(0)
SFID 21327
Max Traffic Rate 3490000 bps
Max Traffic Burst 8160 bytes
Mix Traffic Rate 0 bps
Max Concatenated Burst 8160 bytes
Scheduling Type Best Effort

After chatting to someone in an area that has had the upstream increase, that is set to 5700000 bps.

Even though I have upstream set to 3.49 Mb/s I rarely achieve over 2.2 - 2.5 Mb/s upstream. Downstream seems a solid 47 Mb/s

Chrysalis
30-12-2011, 23:21
ok thanks for the info.

Ignitionnet
31-12-2011, 09:11
Even though I have upstream set to 3.49 Mb/s I rarely achieve over 2.2 - 2.5 Mb/s upstream. Downstream seems a solid 47 Mb/s

Not entirely unsurprising, the entire channel can only shift 9Mb/s or so and it's probably the only one feeding the DOCSIS 3 network in your area.

May be worth reconnecting to see if you can find another channel, I suspect you're currently on 25.8MHz?

Might be another one at 29.2MHz.

ccarmock
31-12-2011, 13:31
Spot on - my upstream is channel 2 at 25.8 MHz, TDMA

I'll see if I can find the 29.2MHz one. Hopefully they will move to ATDMA and 18 Mb/s before too long, since the upgrade work seems to be in progress given I noticed the move from QPSK to 16QAM on DOCSIS 1. The DOCSIS 1 network here seemed to have three upstreams. Do you know if the upstream upgrade work provides more upstream channels as well as increasing the capacity of those already available? Where more than one is available what determines which one the modem will lock onto?

Also in a given area on DOCSIS 3 are the same 4 downstreams used by all or are there a pool of channels available and the modem will select 4 of them?

Ignitionnet
31-12-2011, 13:48
Spot on - my upstream is channel 2 at 25.8 MHz, TDMA

I'll see if I can find the 29.2MHz one. Hopefully they will move to ATDMA and 18 Mb/s before too long, since the upgrade work seems to be in progress given I noticed the move from QPSK to 16QAM on DOCSIS 1. The DOCSIS 1 network here seemed to have three upstreams. Do you know if the upstream upgrade work provides more upstream channels as well as increasing the capacity of those already available? Where more than one is available what determines which one the modem will lock onto?

Also in a given area on DOCSIS 3 are the same 4 downstreams used by all or are there a pool of channels available and the modem will select 4 of them?

There may or may not be a 29.2MHz channel available.

There will indeed be additional upstreams ready to go with the upgrade work. At the moment the network is restricted to a shade over 30MHz as end point for upstreams, the upgrade work increases this to 85MHz.

In a given area the same downstreams on DOCSIS 3 are used by all devices - if there were two pools of channels it would make far more sense to put them all together as one single 8 channel bonded group than to split them into 2 x 4.

Chrysalis
31-12-2011, 14:40
Ignition do you know why VM share the downstream channels but split the upstreams into separate groups? I don't mean bonding but rather allowing devices to use the upstream channels.