I have just received a SpeedTouch 780 WL Residential ADSL Router with VOIP from Be* Un Limited.
The router comes preconfigured with a username of Administrator and a blank password. In addition, there are also a number of other users preconfigured for use by Be* Technical support.
There are two ways to access the router; you may either use the graphical interface or the command line interface. The graphical interface is simpler to use, but is limited in its functionality.
Connect the router to your computer
You will need to use a cable for this first stage of the configuration.This is for your own security. Also, we are going to be changing some wireless parameters and we don’t want you to be locked out.
Backup your current setup
- Open your browser and navigate to http://192.168.1.254/. This is the default address for your router’s configuration interface. You can also access the router over a secure link by accessing https://192.168.1.254/, https://bebox/, https://speedtouch/ and https://dsldevice/. Note that the SpeedTouch uses a self signed certificate, which your browser will not recognise by default and may issue some security alerts if using HTTPS; you can proceed safely. You should always use HTTPS when accessing your router’s interface wirelessly.
- If necessary, login using the username Administrator and a blank password.
- You should be presented with your router’s home page. Your current username is shown in square brackets thus [Administrator] between the two horizontal lines at the top of the page. This region is known as the “Notification Area”
- Click on the the Speedtouch button in the left hand column and then click on the Configuration hyperlink. At the bottom of the page you will see Save or Restore Configuration. Click it.
- Click on the Backup Configuration Now button and save user.ini to your hard drive
Change the default user and password
- Click on the Toolbox in the lefthand menu bar
- Click on User Management. You will be presented with a list of current users.
- Click on Change My Password and enter a new password for the Administrator account. We will disable this account later, but let’s make life difficult for any hacker. When you click on the Change Password button, you will be presented with a login screen. Login as Administrator with the password you have just created.
- Now create a new user by clicking on Add a new user. Create a new user with Administration Privileges set to Administrator. Click the Apply button to create the new user. The default password will be the same as their name.
- Click on Switch to another user. If you are not presented with a login prompt, then click the link again. This time, login as the new user you created. Notice that the username has changed in the Notification Area.
- Click on Change My Password again, but this time enter a new password for the new user’s account. Click on the Change Password button, and login as the new user, with the password you have just created.
- Click on Administrator in the list of usernames and change their Administration Privileges to User (the most restricted) and click on Apply. There are eight predefined privilege levels.
Role Access Rights root Any service and any access from LAN/WAN/LOCAL SuperUser Any service and any access from LAN/WAN/LOCAL TechnicalSupport Any service and any access from WAN Administrator Any service and any access from LAN/Local. No access from WAN PowerUser GUI (Service/overview page) via http/https from LAN origin WAN_Admin Only WAN related configurations from any Channel/Origin LAN_Admin Only LAN related configurations from any Channel/Origin User GUI (Overview page/Remote Assistance) via http/https from LAN origin
- That is as much as you can do from the GUI interface. You can delete the Be* backdoors and the Administrator account if use the CLI
Configuring Wireless Access
IF YOU ARE NOT USING WIRELESS, THEN MAKE SURE YOU DISABLE IT!
- Click on Home Network in the lefthand menu.
- Click on WLAN:BeBox under Wireless in the list of interfaces
- Click on Configure in the Notification Area
- If you are not using Wireless access, then clear the check mark against Interface Enabled and click the Apply button.
- If you are using Wireless access, then
- Change the Network Name (SSID) from BeBox
- Clear the check mark against Broadcast Network Name
- Set Allow New Devices to New stations are allowed (via registration)
- Set Encryption to Use WPA-PSK Encryption
- The default WPA-PSK Encryption Key is a ten digit Hexadeciaml number (64 bit encryption). It should be be set to a random, 26 digit, Hexadecimal number for maximum security (128 bit encryption) (Example:FADDC2077AF10406E866984C9E). A Hexadecimal character is any of the numbers 0-9 and the letters A-F. Download this Excel spreadsheet to generate a key for you if you want to. Make a note of this number as you will need it later.
- Set the WPA-PSK version to WPA2.
- Click the Apply button to save your changes.
- Now you need to configure your PC.
- Click on the Start button
- Click on Control Panel
- If you are using Category View, then click on Network and Internet Connections
- Click on Network Connections
- Right Click on your Wireless Network Card and select Properties
- If you are not going to use your Wireless link to connect to another computer on your home network, then deselect Client for Microsoft Windows and File and Printer Sharing for Microsoft Networks on the General Tab.
- Select the Wireless Networks tab
- Click on the Add button in the Preferred Networks pane
- Enter the Network Name (SSID) of your Wireless router
- Select WPA2-PSK from the drop down list for Network Authentication. If WPA2-PSK is not an option, then either your Wireless card does not support WPA2-PSK and you will need to use WPA-PSK instead OR you need to download the WPA2 update from Microsoft. Try the download first.
- Set Data Encryption to TKIP
- Enter the same 26 digit Hexadecimal number as you generated earlier in the Network Key and Confirm Network Key fields.
- Click on OK to confirm your changes.
- Even if you have done everything properly, you will still not be able to connect Wirelessly to your router until you have registered your Wireless card with it. The simplest way to do this is to press the button on the front of your router when trying to connect to it. You will then have one minute to connect. Once your card has been registered, you will not need to repeat this.
The alternative way to register your card is via the GUI interface. Just click on Home Network, WLAN:YourSSID and then click Search for Wireless Devices when you try to connect to the router.
Checking your security
- Go to Gibson Research and run a ShieldsUP! test. The link is near the bottom of the page in the “Hot Spots” section.
- Follow the instructions and run the Common Ports or All Service Ports ShieldsUP! service
- If everything is OK, then you will get a TruStealth PASSED stamp. I had to close port 0 in order not to reply to pings. Replying to a ping (or ICMP request) is not a problem in itself, however it lets a hacker doing a port scan know that there is a potential target there.
- In order to close a port, you will have to use the CLI to configure your router.
- Connect to your router by typing telnet 192.168.1.254 from the command prompt of your computer
- Login using your router’s username and password
- Enter the command service system ifdelete name=PING_RESPONDER group=wan
- Save the changes by entering the command saveall
- End your session by typing exit
- Other ports you should close (unless you NEED to access your router remotely)
Port Command to delete 21 service system ifdelete name=TELNET group=wan 23 service system ifdelete name=FTP group=wan 443 service system ifdelete name=HTTPs group=wan
You can get a full list of services by issuing the command service system list