Demon broadband fixed, security fix for Thomson TG585 v7

A while ago I had big problems with Demon broadband because they "upgraded" the service and made it incompatible with my router. After a bit of back-and-forth Demon kindly replaced the router with a newer one, a "Thomson TG585 v7". It works fine.

While trying to get our radio station back online and streaming, I discovered something dodgy about the router setup. If you happen to have one of these routers, run the check described below to make sure your router's admin page isn't exposed to the world. I have to thank the very helpful people on the portforward.com forums who spotted the issue (thread here, with more details).

(1) Connect to the router's admin interface using telnet. On my Mac I do this by launching Terminal and typing telnet 192.168.254.254 (then giving the username and password when prompted).

(2) Type config dump (and press return) and a massive massive screed of text will appear, listing all the config settings for the device.

(3) In that text, look for a subsection labelled [ servmgr.ini ] (for me it was near the bottom). Check to see if these lines are in that bit:

    ifadd name=HTTP group=wan
    ifadd name=TELNET group=wan

The important thing here is "wan". "lan" is OK: it means you can have local access to the admin. But "wan" is dodgy, because it means you're providing an opportunity for the world to access your router.

(4) If you do have those lines then you can fix the situation by running the following commands (the final one will reboot your router):

    service system ifdelete name HTTP group wan
    service system ifdelete name TELNET group wan
    saveall
    system reboot

Voila. After rebooting you may wish to go through the steps again to check that the config settings have been changed.
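The check in steps (2) to (4) can be scripted against a saved copy of the config dump output. The following is an added example, not part of the original post: it goes slightly beyond the two lines above by reporting every service in [ servmgr.ini ] that has a group=wan entry, and it builds the removal commands in the form given in step (4). The sample dump is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample: only the "[ servmgr.ini ]" header and the "ifadd" line
# form come from the post; the other section and its contents are made up.
SAMPLE_DUMP = """\
[ example.ini ]
ifadd name=HTTP group=wan
[ servmgr.ini ]
ifadd name=HTTP group=lan
ifadd name=HTTP group=wan
ifadd name=TELNET group=wan
ifadd name=FTP group=wan
"""

SECTION_RE = re.compile(r"^\[\s*(\S+)\s*\]$")


def wan_exposed_services(dump, section="servmgr.ini"):
    """Return service names with an 'ifadd ... group=wan' line inside `section`."""
    current, exposed = None, []
    for raw in dump.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)  # entering a new [ xxx.ini ] subsection
            continue
        if current != section or not line.startswith("ifadd "):
            continue
        params = dict(p.split("=", 1) for p in line.split()[1:] if "=" in p)
        name = params.get("name")
        if params.get("group", "").lower() == "wan" and name and name not in exposed:
            exposed.append(name)
    return exposed


def fix_commands(services):
    """Build the step (4) commands, in the form the post gives, per service."""
    cmds = [f"service system ifdelete name {s} group wan" for s in services]
    return cmds + ["saveall", "system reboot"] if cmds else []


if __name__ == "__main__":
    found = wan_exposed_services(SAMPLE_DUMP)
    print("WAN-exposed services:", ", ".join(found) or "none")
    print("\n".join(fix_commands(found)))
```

Running the same function on a dump taken after the reboot should return an empty list, which is the re-check suggested above.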

Sunday 30th August 2009 | IT | Permalink
Comments:
Name: Antony Roberts
Email: anotony art tone141 dort demon dort co dort uk
Date: Thursday 10th September 2009 20:52
I am having a similar problem with Demon Internet. After years of reliable service I was getting similar problems to the person above. I had to pay them £15 for a Thomson ADSL 2+ compatible router (similar to the one above but a v6) and now the broadband is slower! Also takes about 30 minutes for the internet to start up when I switch the router on.
Name: Giselle Berger
Email: gberger art shorthand dort co dort uk
Date: Sunday 13th September 2009 01:11
Help! I'm with Demon. Had problems with older router. Bought new Thomson but cannot access net either wirelessly or not - only on daughter's computer with LAN cable. Keep getting message when trying to install router HTTP/1 401 - any ideas?? Probably won't get your reply as I am without internet connection and it's 1 in the morning. I'm not happy!
Name: Mister B
Email: a25231xiha [at] yahoo [dot] co [dot] uk
Date: Tuesday 22nd September 2009 21:39
Been having nothing but problems with Demon (line drops) since this upgrade of theirs. One new (and pretty much useless) router from them and three months plus of phonecalls has now resulted in them being dumped (after 11 years with them) along with BT and the installation of cable instead.
Name: Lars Jonsson
Email: larsonina art swipnet dort se
Date: Friday 9th October 2009 23:53
I agree that the TG585 gateway works great during normal use but it seems impossible to enable WAN access to an FTP server on the LAN. I can access the FTP server fine from inside the LAN but port 21 is stealth from the WAN. I tried to open up for FTP by running the following Telnet commands:

    service system ifadd name=FTP group=wan
    saveall
    system reboot

Now I can 'see' port 21 from the WAN, meaning I get a prompt for user name and pwd when trying to access the FTP server. However, the user name asked for is the user name of the Thomson Gateway !?!?

I've searched for days on the Internet to find a solution or at least a tip without success. I hate the box :-)
Name: Dan
Website: http://www.mcld.co.uk/
Date: Saturday 10th October 2009 10:12
Lars, sounds like you've done the opposite of what you want. In my blog article I deliberately *delete* a line like that, in order to prevent outside access to my router's config. I recommend you undo what you did, then go into the router's web interface and in the "Game sharing" section (or something like that) you can assign the FTP role to one of your local machines. That should allow you to get FTP from outside to that machine.
Name: Lars Jonsson
Email: laronina art swipnet dort se
Date: Saturday 10th October 2009 20:15
Thanks for your quick reply!

I tried to assign the preconfigured FTP Server role to the device having the FTP server (a WD MyBook NAS). Just to be sure I also restarted both the device and the gateway but it did not help. Port 21 is still stealth and I get a time out when trying to access it from WAN (the role specified port 21 translating to port 21). I also tried with a custom role specifying another port translating to port 21 but no change.

Sorry for not writing this in the first comment.
Name: MrGv
Email: mrgv255 art yahoo dort com
Date: Sunday 3rd October 2010 16:34
Thanks, good catch! What a security hole.
Just wondering though... My router also has this in the config:
    ifadd name=FTP group=wan
Should probably remove that as well right? Could we just recommend that everything under [ servmgr.ini ] be removed if it says "group=wan"?
Thanks again.

Dan's blog articles may be re-used under the Creative Commons Attribution-Noncommercial-Share Alike 2.5 License. Click the link to see what that means...