Have my GS1900 switches been hacked?


Some strange things are going on with my Zyxel Switches.

A few months back I discovered I could no longer log in on my GS1900-8HP. It refused my login/password.

I did a factory reset to solve it (and of course put again a custom login/password).

Now a few months later its static IP has been changed into a dynamic one and I could no longer log in, but I could log in with the default admin / 1234 combination.

And now my GS1900-24E is also behaving strangely. It is still on its static IP but I can't login anymore using my login/password. So I'll probably have to factory reset that one.

This all makes me wonder whether someone has hacked my switches somehow?

All Replies

  • Zyxel_Melen (Zyxel Employee)
    Answer ✓

    Hi @PersonX,

    It might be because someone in your network tried to access your switches and he guessed your password correctly.

    It is recommended to use "Remote Access Control" to allow a specific IP range to access your switch. It can prevent unauthorized clients in other IP subnets from accessing. Please navigate to Menu > Configuration > Management > Remote Access Control > Global to set up and monitor if this problem occurs again.

    Zyxel Melen

  • PersonX
    edited November 2023

    Thanks Melen,

    My password looks like this "zpgNPQtz5fOzld4" so it would be amazing if someone was able to guess it.

    Also I'm in a residential set-up with 2 small kids who don't know how to work with a computer and my wife who is IT-agnostic.

    I had a look at your suggestion, but I must admit it looks quite daunting to set up this remote access control correctly.

  • westcoast

    Hi @personX,

    According to your reply to Melen, as far as you know there are only you and two kids who have access to your environment. In this case I believe it means that if your switches have been hacked, your entire network has been hacked. So there is another player fooling around... he can only access your environment from the outside, I presume.

    Perhaps you should review your security on a larger scale.

  • PersonX

    Hi @westcoast,

    Problem is that I'm not really sure how to review my security :-/

    Also I find it very strange that:

    • someone is able to guess my complex password
    • That someone is noticeably messing with my Zyxel switches but nothing else
    • That person is doing so in a strange way (e.g. I see now one of my switches again changed its IP address from static to dynamic and put the login and password back to the default 'admin' and '1234').

    I would see no logic to this behaviour

  • Zyxel_Melen (Zyxel Employee)

    Hi @PersonX,

    Since it is not possible to track who hacked your switch currently, I recommend setting up a syslog server so you track who (IP address) logged in to your switch.

    By the way, did this problem occur again after you set remote management?

    Zyxel Melen

  • PersonX

    Thank you @Zyxel_Melen ,

    I have been looking at the syslog option on one of my GS1900 switches.

    My finding is that even if I set it to record the most detailed information, it does not capture information about when someone logged in and with which IP address:

    On your question on remote access control: I would like to set it up, but as mentioned the setup looks a bit daunting and I'm afraid I will lock myself out by doing it wrong. How can I set it up so that only internal IP addresses can access it?

    Many thanks!

  • Zyxel_Melen (Zyxel Employee)
    Answer ✓

    Hi @PersonX,

    It seems like you are using firmware that won't record the login IP address. Please upgrade to the latest firmware version. You may find the download link in this post. It will record the login IP address in the syslog. Please reference the screenshot below:

    For the remote access control, I recommend setting a permit rule for internal access. Below is an example:

    In addition, you need to make sure the PC will not change its IP address if you want your PC to become the only device to access the switch. You can set a static IP for it. Or set a static DHCP binding. By the way, you can back up the configuration before setting the remote access control in case of the wrong configuration.

    Zyxel Melen

  • PersonX
    edited January 6

    Thank you @Zyxel_Melen,

    I have upgraded my firmware and now indeed the IP address that logs in appears in the logs. I have also set up a remote syslog server so that I can see what happened even when I can't log in to my switch anymore or it has been reset.

    I don't know what the "facility" setting does, but on one of my switches I chose Facility0 and on the other Facility1. This way I can distinguish the events that are coming in on my remote syslog server, as both are called "GS1900".

    On the remote access control: I guess it would make most sense that I allow access to the devices on my local network, so those are the devices with an IP ranging from 192.168.0.100 to 192.168.0.254. In your picture you show how to add a specific IP (192.168.1.100); how can I define a range?

    thanks again!
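Added example (not from the thread, and not Zyxel's code): Melen's advice above to run a syslog server so the login IP is recorded, and the Facility0/Facility1 trick to tell two switches that both call themselves "GS1900" apart, can be checked offline with a small parser. The sample log lines below are constructed for this example and assume RFC 3164-style framing ("<PRI>timestamp host message"), that the "Facility" chosen in the switch's syslog settings is carried in PRI (facility = PRI // 8, severity = PRI % 8), and a hypothetical "login from <ip>" message text; the real GS1900 message wording may differ and the regex would need adjusting.

```python
from __future__ import annotations

import ipaddress
import re
import socket
from collections import defaultdict

# Constructed sample lines for this example, not real GS1900 output. Both
# switches report the same hostname "GS1900"; only the PRI field (and hence the
# facility number) tells them apart. Assumed: <6> = facility0/info,
# <14> = facility1/info, <13> = facility1/notice.
SAMPLE_LINES = [
    "<6>Jan  6 21:14:02 GS1900 User admin login from 192.168.0.101 via WEB",
    "<14>Jan  6 21:20:45 GS1900 User admin login from 192.168.0.23 via WEB",
    "<6>Jan  6 21:21:10 GS1900 User admin login from 10.0.0.9 via WEB",
    "<13>Jan  6 21:22:00 GS1900 System restored to factory default",
]

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)
# Hypothetical login message format; adjust to what your firmware actually logs.
LOGIN_RE = re.compile(r"\blogin from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_syslog(line: str) -> dict | None:
    """Split one syslog line into facility, severity, timestamp, host, message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pri = int(m["pri"])
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "ts": m["ts"],
        "host": m["host"],
        "msg": m["msg"],
    }


def events_by_switch(lines: list[str]) -> dict[int, list[str]]:
    """Group messages by facility number so two 'GS1900' hosts stay apart."""
    grouped: dict[int, list[str]] = defaultdict(list)
    for line in lines:
        ev = parse_syslog(line)
        if ev:
            grouped[ev["facility"]].append(ev["msg"])
    return dict(grouped)


def audit_logins(lines: list[str], permitted: list[str]) -> list[dict]:
    """Flag every login whose source address is outside the permitted networks."""
    nets = [ipaddress.IPv4Network(p) for p in permitted]
    alerts = []
    for line in lines:
        ev = parse_syslog(line)
        if ev is None:
            continue
        hit = LOGIN_RE.search(ev["msg"])
        if hit is None:
            continue
        src = ipaddress.IPv4Address(hit["ip"])
        if not any(src in net for net in nets):
            alerts.append({"switch": f"facility{ev['facility']}", "ip": str(src), "ts": ev["ts"]})
    return alerts


def receive_forever(permitted: list[str], port: int = 514) -> None:
    """Minimal UDP syslog receiver that prints an alert per unexpected login.

    Binding port 514 needs root; pick a high port and point the switch at it
    if you would rather not run this as root.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        while True:
            data, (peer, _) = sock.recvfrom(4096)
            for alert in audit_logins([data.decode("utf-8", "replace")], permitted):
                print(f"ALERT from {peer}: {alert}")


if __name__ == "__main__":
    # Only the (hypothetical) admin PC 192.168.0.101 is expected to log in.
    print(events_by_switch(SAMPLE_LINES))
    print(audit_logins(SAMPLE_LINES, ["192.168.0.101/32"]))
```

Two of the four constructed lines trip the audit: a login from 192.168.0.23 on the facility1 switch and one from 10.0.0.9 on the facility0 switch. Whether an alert is worth worrying about depends on the permitted list, so keep it to the hosts that should be managing the switches (the same hosts you later put into Remote Access Control).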

  • Zyxel_Melen (Zyxel Employee)
    edited January 11

    Hi @PersonX,

    Since GS1900 uses IP/subnet mask format to set remote access control, please reference the settings below to configure.

    Zyxel Melen
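Added example (not from the thread, and not Zyxel's code): because the GS1900 takes each Remote Access Control entry as an IP address plus a subnet mask, the range 192.168.0.100 to 192.168.0.254 asked about above cannot be typed in as one rule. The script below, written for this page, uses the Python standard library to split an inclusive range into the fewest address/mask entries, checks which client addresses a rule set permits, and does the lock-out check that the earlier advice about backing up the configuration and pinning the admin PC's address is there to guard against. Assumptions: one permit rule per address/mask pair, and 192.168.0.101 as a hypothetical admin PC address.

```python
import ipaddress


def range_to_rules(first: str, last: str) -> list[str]:
    """Express an inclusive IPv4 range as the fewest "address/mask" entries.

    Assumption: each GS1900 permit rule is one network address plus a dotted
    subnet mask, so a range that is not aligned on a power-of-two boundary
    has to be split into several rules.
    """
    start = ipaddress.IPv4Address(first)
    end = ipaddress.IPv4Address(last)
    return [
        f"{net.network_address}/{net.netmask}"
        for net in ipaddress.summarize_address_range(start, end)
    ]


def is_permitted(client: str, rules: list[str]) -> bool:
    """True if the client address falls inside any address/mask rule."""
    addr = ipaddress.IPv4Address(client)
    return any(addr in ipaddress.IPv4Network(rule, strict=False) for rule in rules)


def lockout_risk(management_hosts: list[str], rules: list[str]) -> list[str]:
    """Return the management hosts that the rule set would shut out.

    Run this before applying the rules: if your own PC (or any address the
    DHCP pool might hand it) is in the returned list, you are about to lock
    yourself out and will need a factory reset to get back in.
    """
    return [host for host in management_hosts if not is_permitted(host, rules)]


if __name__ == "__main__":
    # Range from the thread: 192.168.0.100 to 192.168.0.254 (inclusive).
    rules = range_to_rules("192.168.0.100", "192.168.0.254")
    for rule in rules:
        print(rule)
    print(f"{len(rules)} rules needed for the exact range")
    # Permitting the whole /24 instead is a single rule and is usually what a
    # home network wants: one LAN, every internal host may reach the switch.
    print(range_to_rules("192.168.0.0", "192.168.0.255"))
    # Sanity check before clicking Apply (hypothetical admin PC address).
    print(lockout_risk(["192.168.0.101"], rules))
```

The exact 100 to 254 range needs ten entries (192.168.0.100/255.255.255.252 up to 192.168.0.254/255.255.255.255), whereas 192.168.0.0/255.255.255.0 covers the whole LAN in one. The rule set also only helps while the admin PC keeps an address inside it, which is why the advice above about a static IP or a static DHCP binding matters.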