ASUS router Disabling Router Configuration by http and telnet
This document describes how to disable the router configuration
by http and telnet on an ASUS router.
This is based on my experiences with an ASUS
AAM6000EV router, firmware revision 71146a1, connecting to
Eclipse Internet.
Why disable the router configuration by http and telnet?
- The IP Filter function is typically used to protect the router
configuration when running the router in bridged mode.
- However, enabling IP Filter prevents the router from passing packets
which are not of type TCP, UDP or ICMP.
- Unfortunately these are precisely the types of packets that must be
passed when running VPNs like
IPsec.
Up till now, the usual answer to this dilemma was not to enable IP
Filter, set the router configuration username and password to "secure" values,
and hope that no-one cracked them, hacked into your router, and switched off
your Internet connectivity.
However, there is another, more secure way - to disable the router
configuration by http and telnet, so there is no router configuration to access
- hence there is no need to use IP Filter to protect it.
How to disable the router configuration by http and telnet?
*** PLEASE READ BEFORE ATTEMPTING THIS PROCEDURE ***
- You MUST, I repeat MUST, have a
working serial cable attached to your router, and be comfortable using the
router's command line interface through the serial cable.
- If you attempt to perform this procedure without the above - e.g.
you attempt to do it via telnet, without using the serial cable - then
YOU ARE DOOMED! Remember that this procedure
DISABLES http and telnet on the router, so if you don't have a
serial cable then you will NOT be able to configure your router any
more.
- This is a hazardous procedure!
- Your router might stop working! Mine crashed twice while I
was configuring it this way.
- The settings that you modify when configuring the router in this
way are NOT, I repeat NOT, restored if you do a
"Reset to Factory Configuration" - you have to restore the settings
manually!
- You might not get a sympathetic reception if you have to phone up
anyone for support if your router breaks when attempting this
procedure!
- Don't ask me how to fix your router if it breaks - I disclaim all
responsibility! N.B. The very nice guy who told me about this didn't want
anyone knowing his email address!
- If you don't understand this procedure then I doubt you should
even THINK about performing it!
If you're still with me after reading through that lot, and you are
either brave or foolish enough to want to go ahead, then here's how to do
it:-
- Connect to the router using the serial cable and sign in.
- Press 9 to get the router's command line.
- Enter the command ip portname list, and you should see the
standard list of ports:-
l2tp 1701/UDP
router 520/UDP
snmp 161/UDP
tftp 69/UDP
http 80/TCP
telnet 23/TCP
- The essence of this procedure is to remove http and telnet from the
list of known port names on the router - this prevents the router from
starting the http and telnet services (i.e. the router configuration
interfaces). Unfortunately you can only clear all the services, then re-add
the ones that you want to keep. So start by entering the command ip
portname flush to clear the list.
- Then enter the command ip portname list again, to check the
list is empty.
- Now re-add all the services that are not http and
telnet by entering the commands:-
ip portname add l2tp 1701/UDP
ip portname add router 520/UDP
ip portname add snmp 161/UDP
ip portname add tftp 69/UDP
- Re-enter the command ip portname list and check that the port
name list now shows:-
l2tp 1701/UDP
router 520/UDP
snmp 161/UDP
tftp 69/UDP
- Enter the command config save to save this as the default
configuration for the router when it next restarts.
- Enter the command flashfs cat services to list the default
configuration for port names when the router restarts - it should show:-
tftp 69/UDP
snmp 161/UDP
router 520/UDP
l2tp 1701/UDP
N.B. These settings are NOT restored by a "Reset to
Factory Configuration".
- Now enter the command restart to restart the router.
- If the router stops working after doing this, then you may have to
restart the router - by switching it off, and then on again - once or twice in
order to get it working. I certainly did.
- If you want to re-enable http and telnet access to the router
configuration then repeat the above procedure, adding the http and telnet
services back into the port name list.
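As an added helper (not part of the original write-up, and not ASUS software), the Python below parses the "name port/PROTO" listing format used by ip portname list and flashfs cat services, generates the ip portname add commands needed to rebuild the list without http and telnet after a flush, and checks a saved listing order-insensitively, since flashfs cat services prints the entries in reverse order. The sample listings are constructed from the output quoted above.

```python
import re

# One entry per line as printed by "ip portname list" and
# "flashfs cat services": "<name> <port>/<PROTO>".
_ENTRY = re.compile(r"^\s*(\S+)\s+(\d+)/(TCP|UDP)\s*$", re.I)

# Removing these names from the port-name list is what stops the router
# from starting its configuration interfaces.
MANAGEMENT = {"http", "telnet"}


def parse_portnames(listing):
    """Return {name: (port, proto)}; non-matching (prompt/blank) lines are skipped."""
    entries = {}
    for line in listing.splitlines():
        m = _ENTRY.match(line)
        if m:
            entries[m.group(1).lower()] = (int(m.group(2)), m.group(3).upper())
    return entries


def readd_commands(listing, drop=MANAGEMENT):
    """Commands that rebuild the list after "ip portname flush", minus `drop`."""
    return [f"ip portname add {n} {p}/{pr}"
            for n, (p, pr) in parse_portnames(listing).items() if n not in drop]


def management_disabled(listing):
    """True when neither http nor telnet is present in the listing."""
    return not (MANAGEMENT & set(parse_portnames(listing)))


def same_services(listing_a, listing_b):
    """Order-insensitive comparison: "flashfs cat services" prints the
    saved entries in reverse order, so only the set of entries matters."""
    return parse_portnames(listing_a) == parse_portnames(listing_b)


# Constructed sample: the stock "ip portname list" output quoted above.
STOCK = "l2tp 1701/UDP\nrouter 520/UDP\nsnmp 161/UDP\ntftp 69/UDP\nhttp 80/TCP\ntelnet 23/TCP\n"
# Constructed sample: the "flashfs cat services" output after "config save".
SAVED = "tftp 69/UDP\nsnmp 161/UDP\nrouter 520/UDP\nl2tp 1701/UDP\n"

if __name__ == "__main__":
    print("\n".join(readd_commands(STOCK)))
    print("management disabled:", management_disabled(SAVED))
```

Paste your own serial capture in place of STOCK to get the exact re-add sequence for your router's list.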
*** Good luck! (you might need it!) ***
Last modified 22/03/2002.