News articles often report network intrusions or security vulnerabilities that result in cyber-attacks against a company network. By examining the router's syslog, you may see many failed attempts to log in or connect to the router from the Internet. Most of them are Web login and VPN dial-in attempts. Therefore, it is strongly recommended that you check the security settings in your Vigor router to ensure all settings are optimised to reduce the chances of your network being compromised.

The tips below list some settings to check in your Vigor router:

  1. Use the latest firmware. This usually includes the latest security patches.
  2. Use a secure password for admin login and all VPN profiles. Change the password often.
  3. Disable any services and VPN profiles not needed, e.g., OpenVPN, PPTP VPN, or remote management (Web, SNMP, telnet, SSH, FTP) from WAN.
  4. If the VPN service is enabled, use the access list feature or specify the VPN peer IP to restrict VPN access.
  5. Enable Brute Force Protection in the Management setup page. (Brute Force Protection for VPN will be introduced in upcoming firmware versions.)
  6. Record Syslog and turn on Mail Alerts, and review the logs periodically.
  7. When an abnormal attack event occurs, enable DoS Defense and block the offending IPs by using the Blacklist.
  8. Re-sign and change the default security certificates for SSL or HTTPS access.
  9. Consider using two-factor authentication for web and VPN login.
  10. Disable remote access or add an access list. See: https://faq.draytek.com.au/2022/05/11/how-do-i-allow-remote-access-to-the-router/

Examples of attempted logins from the Internet are:
Dec 14 16:05:50 HQ: is_user_in_sslgroup, _SSL_GROUP
Dec 14 16:05:50 HQ: [SSL]Portal login fail from IP!
Dec 14 16:06:08 HQ: PPTP accept client from …
Dec 14 16:06:08 HQ: [PPTP][@] pppShutdown
Dec 14 16:06:08 HQ: Destroy pptp connection ifno: 69, socket: -1
Dec 14 16:10:03 HQ: error : next payload type of ISAKMP Identification Payload has an unknown value: 244
Dec 14 16:10:03 HQ: [IPSEC/IKE][Local][502:-][@] smalformed payload: probable authentication (preshared secret) failure
Dec 14 23:48:16 HQ: [Unknown][DOWN][OpenVPN]
Dec 14 23:48:16 HQ: OpenVPN (VPN-11, HARD RESET V2, start negotiation
176950:Dec 10 09:56:26 V3910_394RC3: Incoming Call Failed : No Such Entry for vpn
176951:Dec 10 09:56:26 V3910_394RC3: Incoming Call Failed : No Such Entry for vpn
177010:Dec 10 09:56:27 V3910_394RC3: [PPTP][Radius/LDAP][0:vpn][@] Radius authentication fail
177011:Dec 10 09:56:27 V3910_394RC3: PPTP (VPN-123, vpn) ==> Protocol:CHAP(c223) Failure Identifier:0x01 E=691 R=1 C=1945DCA80E42DCAA9105405E6D75FA3D V=0 M=Good luck! ##
177156:Dec 10 09:56:29 V3910_394RC3: Get_GRE_Index_from_Callid failed? gre_idx=0x????27A0/MAX_PORT=150000
177170:Dec 10 09:56:29 V3910_394RC3: Incoming Call Failed : No Such Entry for test
177171:Dec 10 09:56:29 V3910_394RC3: Incoming Call Failed : No Such Entry for test
177231:Dec 10 09:56:30 V3910_394RC3: [PPTP][Radius/LDAP][0:test][@] Radius authentication fail
177232:Dec 10 09:56:30 V3910_394RC3: PPTP (VPN-89, test) ==> Protocol:CHAP(c223) Failure Identifier:0x01 E=691 R=1 C=999717D7386902CFB62A64821159FED1 V=0 M=Good luck! ##
177331:Dec 10 09:56:31 V3910_394RC3: Get_GRE_Index_from_Callid failed? gre_idx=0x????2757/MAX_PORT=150000

To stop these unknown login attempts, you can enable the Brute Force Protection feature on the “System Maintenance >> Management” menu page in DrayOS routers.
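For the periodic log review recommended in tip 6, the following added example (not DrayTek code) summarises failed login lines from a saved syslog file by service, by attempted username, and by router per minute. The signatures are derived only from the excerpts above and are an assumption about message wording; other firmware versions may log different text.

```python
import re
from collections import Counter

# Optional grep-style line number, syslog timestamp, router name, message.
LINE = re.compile(r"^(?:\d+:)?(\w{3} +\d+ [\d:]{8}) ([^:]+): (.*)$")

# Failure signatures derived from the log excerpts on this page.
SIGNATURES = [
    ("ssl_portal", re.compile(r"\[SSL\]Portal login fail")),
    ("ipsec_psk", re.compile(r"preshared secret\) failure")),
    ("pptp_radius", re.compile(
        r"\[PPTP\]\[Radius/LDAP\]\[\d+:(?P<user>[^\]]*)\].*authentication fail")),
    ("pptp_chap", re.compile(
        r"PPTP \(VPN-\d+, (?P<user>[^)]*)\).*CHAP\(c223\) Failure")),
    ("no_profile", re.compile(
        r"Incoming Call Failed : No Such Entry for (?P<user>\S+)")),
]

def classify(line):
    """Return (timestamp, router, kind, user) for a failure line, else None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, router, msg = m.groups()
    for kind, pattern in SIGNATURES:
        hit = pattern.search(msg)
        if hit:
            return ts, router, kind, hit.groupdict().get("user")
    return None

def summarize(lines, burst_threshold=3):
    """Count failure lines by kind, by username tried, and by router-minute."""
    kinds, users, minutes = Counter(), Counter(), Counter()
    for ts, router, kind, user in filter(None, map(classify, lines)):
        kinds[kind] += 1
        if user:
            users[user] += 1
        minutes[(router, ts[:-3])] += 1  # drop ":SS" to bucket per minute
    bursts = {k: n for k, n in minutes.items() if n >= burst_threshold}
    return kinds, users, bursts

# Lines copied from the excerpt above; one attempt can log several lines.
SAMPLE = """
Dec 14 16:05:50 HQ: [SSL]Portal login fail from IP!
Dec 14 16:06:08 HQ: [PPTP][@] pppShutdown
Dec 14 16:10:03 HQ: [IPSEC/IKE][Local][502:-][@] smalformed payload: probable authentication (preshared secret) failure
176950:Dec 10 09:56:26 V3910_394RC3: Incoming Call Failed : No Such Entry for vpn
177010:Dec 10 09:56:27 V3910_394RC3: [PPTP][Radius/LDAP][0:vpn][@] Radius authentication fail
177011:Dec 10 09:56:27 V3910_394RC3: PPTP (VPN-123, vpn) ==> Protocol:CHAP(c223) Failure Identifier:0x01 E=691 R=1 C=1945DCA80E42DCAA9105405E6D75FA3D V=0 M=Good luck! ##
177170:Dec 10 09:56:29 V3910_394RC3: Incoming Call Failed : No Such Entry for test
""".strip().splitlines()
```

Calling `summarize()` on the lines of a saved syslog file returns the three summaries; a username that appears under `no_profile` but matches no configured VPN profile, or a router-minute bucket above the threshold, is a cue to apply tips 4, 5 and 7.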


Updated March 2024 – HL