Amtec (ElsagDatamag) Argo 55/95 – Take 4: Hardening —
Since we now have access to the router again, it seems like a good idea to do our best to lock out the provider and avoid further remote configurations and upgrades.
This is what I did, feel free to find other methods and add a comment to this post :)
– Activate the firewall, and block – with a specific rule – port 4567 (it is used for remote control)
– Edit the firewall rule that allows access – via telnet – from a specific list of networks, changing the operation to “Drop”, and write down those networks (these are the networks from which the provider connects to do remote maintenance)
– Create a static route for every network noted in the previous step, redirecting to a non-existent gateway (i.e. 0.0.0.0)
A note on the last point: when you restart the router, it will fail to connect to the ACS (remote configuration) server. This is a good thing, but because of it the ‘Fastweb’ led will remain red, and the ‘Ethernet’ and ‘WiFi’ leds will remain off. This is purely aesthetic: wireless and wired networking work perfectly.
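To see why the three steps above lock the provider out, here is an added example (not the router’s own configuration and not from the original post) that models them on a small scale: a routing table with longest-prefix match, so a blackhole route to 0.0.0.0 for a management network wins over the default route while the LAN is untouched, and an ordered firewall that drops port 4567 from anywhere and telnet from the management networks. The management prefixes, the LAN prefix and the sample addresses are constructed placeholders; the real Fastweb networks are the ones you write down from the router’s telnet rule. The code also checks the one mistake that would lock you out of your own LAN: a noted network that overlaps the LAN prefix.

```python
import ipaddress

# Constructed sample values: the page does not give the provider's
# management networks, so these prefixes are placeholders.
MGMT_NETWORKS = ["198.51.100.0/24", "203.0.113.0/25"]
LAN = "192.168.1.0/24"          # assumed LAN prefix (router at 192.168.1.254)
REMOTE_CONTROL_PORT = 4567      # port the post says is used for remote control
TELNET_PORT = 23
BLACKHOLE_GW = "0.0.0.0"        # the non-existent gateway from the post


def build_routes(mgmt_networks, lan):
    """Routing table as (prefix, gateway): default route out of the WAN,
    the LAN as directly connected, and one blackhole route per management
    network. Refuses a management prefix that overlaps the LAN, because that
    route would blackhole your own clients."""
    lan_net = ipaddress.ip_network(lan)
    routes = [(ipaddress.ip_network("0.0.0.0/0"), "wan"), (lan_net, "direct")]
    for net in mgmt_networks:
        n = ipaddress.ip_network(net)
        if n.overlaps(lan_net):
            raise ValueError(f"{net} overlaps the LAN {lan}; refusing to blackhole it")
        routes.append((n, BLACKHOLE_GW))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, as the router does: the most specific matching
    prefix decides the gateway, which is why a /24 to 0.0.0.0 beats the /0."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1]


def build_firewall(mgmt_networks):
    """Ordered rules (source prefix, destination port or None, action);
    first match wins. Mirrors the two firewall steps of the post."""
    rules = [("0.0.0.0/0", REMOTE_CONTROL_PORT, "drop")]
    for net in mgmt_networks:
        rules.append((net, TELNET_PORT, "drop"))      # former 'allow' rule, now 'drop'
    rules.append(("0.0.0.0/0", None, "accept"))
    return rules


def filter_packet(rules, src, dst_port):
    """Return the action for a packet from src to dst_port."""
    s = ipaddress.ip_address(src)
    for net, port, action in rules:
        if s in ipaddress.ip_network(net) and (port is None or port == dst_port):
            return action
    return "drop"


def audit(mgmt_networks, lan, acs_ip):
    """Checks a practitioner wants after applying the steps; all must be True."""
    routes = build_routes(mgmt_networks, lan)
    fw = build_firewall(mgmt_networks)
    lan_client = str(ipaddress.ip_network(lan)[10])
    return {
        "acs_blackholed": lookup(routes, acs_ip) == BLACKHOLE_GW,
        "lan_untouched": lookup(routes, lan_client) == "direct",
        "internet_untouched": lookup(routes, "1.1.1.1") == "wan",
        "remote_control_blocked": filter_packet(fw, "8.8.8.8", REMOTE_CONTROL_PORT) == "drop",
        "mgmt_telnet_dropped": all(
            filter_packet(fw, str(ipaddress.ip_network(n)[1]), TELNET_PORT) == "drop"
            for n in mgmt_networks),
        "lan_web_ok": filter_packet(fw, lan_client, 80) == "accept",
    }


if __name__ == "__main__":
    # 198.51.100.7 stands in for the ACS address (constructed).
    for check, ok in audit(MGMT_NETWORKS, LAN, "198.51.100.7").items():
        print(f"{check:24s} {'OK' if ok else 'FAIL'}")
```

The blackhole routes only work because they are more specific than the default route; if the ACS lives in a network you did not note down, `lookup` still returns the WAN gateway and the router will provision again, which is the symptom a green ‘Fastweb’ led reports.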
Here are a couple of screenshots that show what you should obtain afterwards:
Usual disclaimer: these are not general purpose instructions – I cannot guarantee it will work for you. Use them at your own risk.
Categorised as: Hacking
Is this the reason because your router is still accessible? Is it maybe because they were unable to access your router configuration due to the software modification you did to it to prevent any remote maintenance?
Yes – or, at least, that is what I hope :) The router cannot reach the TR-069 server, so no new configuration file can be provisioned.
Well, and what if they need to improve your service or change something vital to your connection?
Honestly I can’t imagine anything vital to the connection, on FTTH networks at least, that they could send via TR-069.
Nevertheless, if I’ll ever need to do a factory reset, or to upgrade the router, I’ll sniff the communication again, so I’ll have a chance to keep the access to the router.
[…] Then reconnect the fiber cable, access to the Argo web interface, and follow the steps in the hardening post, before it’s too late […]
I’ve followed this guide, but… every time it auto-updates itself! How can I stop it?!?!
Hi Paolone, are you sure you created the dummy routes for the Fastweb management network? It shouldn’t be able to log in to the ACS.
When you start the router, the ‘Fastweb’ led becomes green, or it remains red?
Hi, I’ll reply in Italian :) Yes, so the problem was indeed the routes, but let’s continue in the other “chapter” to avoid making a mess :)
Thanks for the support!
Firmware downgraded, but I can’t access the web interface.
I tried accessing http://192.168.1.254 but with no luck. I know this project is old but I wanted to use it. Is the web interface stored on the web or inside the router? It seems like the spider interface is not in this firmware:
Main Software: EDA_1.3.20
WLAN firmware: 9.2.0
AP firmware: 5.8.0-james_04May10
DSL firmware: 5.5.1
DSP firmware: 5.8.0
UPNP firmware: 1.5.0
DLNA firmware: 1.5.0
Platform: ElsagDatamat ARGO 55+
from your local network (by default remote administration is NOT enabled).
unfortunately the webserver is bound to port 80 of the external IP address: thus, to access the interface, you should go to http://