BSNL FTTH Connection ONT vulnerabilities - Increase security

[eriek_halenx]

Sharing some vulnerabilities. BSNL FTTH has public ip address, so the ONT is accessible from the internet. Its annoying that LCO did not do these simple changes. Most likely for their ease of use - any problems can be fixed by LCO by remotely accessing users, using the exact same default credentials .

1. Change default admin password - For my Netlink V2801SG ONT, it was admin / admin.

2. Change / Remove 'user' account - There is an additional account with default credentials user / user as shown below.

3. Turn on firewall, which was turned off my default. I'm not exactly sure what it does, but everything like torrenting etc seem to work at this firewall level.

4. Remove the default worldwide http and telent access. Restrict it to your LAN / as required.

A. Use a decent router in between your devices and the ONT. Secure router - disable WPS. Use WPA3 or WPA2-PSK with AES (Dont use 'auto' which enables WPA also.) Members here also suggest putting ONT in bridge mode. There are threads in the forum for both.

B. Use something to check for open ports eg

shields up

C. Regular updates, Linux, antivirus, windows defender, pihole etc etc...

 

[Dark_Nate]

It's not a problem on its own per se. Remote management is enabled by default on some crap ONTs/Routers in India for some reason.

Some of us, intentionally enable remote management. You'll generally be fine if you use a randomly generated 20+ character passwords. The Router will block any brute force attack. Assuming your router is decent enough.

I'm using TP-Link XN020-G3v ONT, by default remote management is disabled.

 

[eriek_halenx]

1. Change the default pwd for [email protected] pppoe from 'password'. Can be done in the fuptopup website.
Earlier, i assumed bsnl was doing mac whitelisting. But as of now, for me, this doesnt seem to be the case. pppoe is working from my router itself without cloning the ONT mac.

2. Disable 'CWMP'. (tplink archer c6 new firmware issues | Routers Modems Dongles)

 

[ginzon]

How did you manage to change your password.? It always gives me an error that I'm not logged in from some IP

 

[eriek_halenx]

@ginzon , sorry I just saw this post. Is the issue resolved now?

Just a guess... In img 4 in the first post above, there's an option to specify which IP's you can login from. Maybe someone has set so in service control? If that's the case, a reset and reconfiguration should fix it.

 

[deltaechov]

Anyone who is using Netlink/optlink or related ONT should check the following once.

1. Download the current config file of the ONT.
2. Open the downloaded file in notepad++ or any editor you prefer.
3. Look for a string containing FTP...PASSWD or FTP...USERNAME (... is any character)

If you find something like this, try to connect to FTP using that username password.

PS. I have done this to get root access to a Netlink ONT, thus know how vulnerable these ONTs are. (you can check for yourself). Once I am free I'll make a detailed guide about the same (but no guarantees)

 

---

[Realme]

@deltacho: gimme the guide to root

 

[ginzon]

@ginzon , sorry I just saw this post. Is the issue resolved now?

Just a guess... In img 4 in the first post above, there's an option to specify which IP's you can login from. Maybe someone has set so in service control? If that's the case, a reset and reconfiguration should fix it.

Thanks.. Not fixed yet, however I've let it be so.. Don't think will continue BSNL longer.. Every other day there's speed issue and disconnections, the BSNL guys are least bothered as they have their salary cmg in anyways..

 

[eriek_halenx]

@ginzon I empathize. I had faced intermittent ping spikes and bad routing for almost 3 - 6 months.

And you are right. This PSU culture of lazyness is eventually costing us our own money! Thankfully, the majority of people are recognising that reality nowerdays.