C4 Forums | Control4

Recommended Posts

Posted

Hello, I have an EA5 controller as director on version 2.10.6. A couple of weeks ago it began to constantly consume all the network bandwidth; it always keeps sending data outwards, consuming 300 to 700 mb constantly. I have already tried disconnecting third-party services such as cameras, alarms, etc., but the constant sending of data continues. The packets it sends have been tracked, and they are almost always to addresses in China, and the IP address to which it sends the data changes constantly. It has been analyzed with network engineers and they tell me that the equipment has likely been hacked and that I need to factory reset it.

I would like to know if something similar has happened to any of you and how you solved it.
Do you know if there is any security patch for this equipment in this version of software?

NOTE: This project has not been updated to OS3 because there are many devices that are not compatible and there is not currently the money to replace them all.

I appreciate your help.
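Before resetting anything it helps to confirm, from the router rather than from the controller, which host is generating the outbound traffic and where it is going. The RouterOS commands below are an added example for that triage step and are not from any post in this thread; they assume the EA5 director has the constructed address 192.168.88.50 and that ether1 is the MikroTik's WAN uplink.

```routeros
# Triage on the MikroTik: log and record every new outbound connection the
# controller opens, so the destination churn the OP describes can be measured.
# Assumed values: controller = 192.168.88.50 (constructed), WAN uplink = ether1.

/ip firewall address-list
add list=c4-controller address=192.168.88.50 comment="EA5 director (assumed IP)"

/ip firewall filter
# Log every new outbound flow from the controller (placed at the top of the
# forward chain so it is seen before the accept/drop rules).
add chain=forward action=log log-prefix="c4-out" \
    src-address-list=c4-controller out-interface=ether1 \
    connection-state=new place-before=0
# Collect the destinations into an address list with a 1-day timeout; a list
# that keeps growing with fresh, unrelated addresses matches the reported symptom.
add chain=forward action=add-dst-to-address-list address-list=c4-out-dst \
    address-list-timeout=1d src-address-list=c4-controller \
    out-interface=ether1 connection-state=new place-before=0

# Review what was captured.
/log print where message~"c4-out"
/ip firewall address-list print where list=c4-out-dst
# Live view of the controller's current connections and their byte counts.
/ip firewall connection print where src-address~"^192.168.88.50:"
# Interactive per-flow throughput on the uplink, filtered to the controller.
/tool torch interface=ether1 src-address=192.168.88.50/32
```

The two rules are purely observational (log and address-list actions do not stop traffic), so nothing the controller legitimately does, such as its 4Sight connection, is affected while evidence is gathered. Once the controller has been reset or re-imaged, the same `c4-out-dst` list answers the question the thread leaves open: if the churn of new destinations stops, the reset worked; if it resumes, something in the project is recreating the behaviour.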
Posted

Do you have your controller or anything port fwd’ed to the internet?  Is your controller not behind a router/firewall?  Is your router FW updated?
Share more of your network topology

Posted
3 hours ago, msgreenf said:

Do you have your controller or anything port fwd’ed to the internet?  Is your controller not behind a router/firewall?  Is your router FW updated?
Share more of your network topology

No, the only internet service that the controller uses is the connection with 4sight to use the application from outside, all other connections are local.

The project has a main MikroTik router that is responsible for managing the entire network; after the router there are 3 HP brand switches that distribute the network, and the end devices are connected there, including this main controller. The router is updated.

Posted

Good choice in your router, I’m a MikroTik fan as well.  Have you changed the username and password and also disabled the stock admin account?

Make sure it’s fully updated.  Next, check for open ports on your router.  If it’s close to a stock install, there should be a good half dozen ways someone can get in from outside.

Next, I’d check your firewall rules.  You should have a “drop all from WAN not DST NAT’d” rule, if not, create one and that should be your last rule.

Mikrotik is extremely popular and is used worldwide by many, which also has its cons.  There are bots that will brute force attack your router until they get in.  It happens and it sucks, but use it as a learning lesson.

Posted
22 minutes ago, JoseLuis1225 said:

No, the only internet service that the controller uses is the connection with 4sight to use the application from outside, all other connections are local.

The project has a main MikroTik router that is responsible for managing the entire network; after the router there are 3 HP brand switches that distribute the network, and the end devices are connected there, including this main controller. The router is updated.

Here is a decent set of default firewall rules to use on Mikrotik:

/ip firewall filter
add action=accept chain=input comment="DEF: accept established, related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="DEF: drop invalid" connection-state=invalid
add action=accept chain=input comment="DEF: accept icmp" protocol=icmp
add action=accept chain=input comment="DEF: accept trusted ssh" port=22 protocol=tcp src-address-list=\
    trusted
add action=accept chain=input comment="DEF: accept trusted api" port=8728-8729 protocol=tcp \
    src-address-list=trusted
add action=accept chain=input comment="DEF: accept trusted winbox" port=8291 protocol=tcp \
    src-address-list=trusted
add chain=forward comment="DEF: accept established, related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="Block WLAN-Guests from General" connection-state=established,new \
    dst-address-list=vl10 src-address-list=vl31
add action=drop chain=forward comment="Block Security from General" connection-state=established,new \
    dst-address-list=vl10 src-address-list=vl50
add action=drop chain=forward comment="Block WLAN-Public from Security" connection-state=\
    established,new dst-address-list=vl50 src-address-list=vl31
add action=drop chain=forward comment="DEF: drop invalid" connection-state=invalid
add action=drop chain=input comment="DEF: drop everything else not from LAN" connection-nat-state=\
    !dstnat connection-state=new in-interface-list=!LAN

There are some specific VLAN rules in there to give you an example of how to block traffic between VLANs if you need.  These rules also require you have two interface lists -- "LAN" and "WAN" which you can create.

As @lippavisual said -- make sure you are running the latest STABLE firmware and have changed default passwords, etc.  Check to make sure your router isn't acting as an open DNS resolver and that it doesn't have a proxy enabled.
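The rule set above references a "LAN" and "WAN" interface list and a "trusted" address list that it does not create, and the two posts together list several router-side checks (replace the stock admin account, close unneeded services, no open DNS resolver, no proxy). The following RouterOS commands are an added example that fills in those prerequisites and checks; they are not from LollerAgent's or lippavisual's posts, and they assume a bridge named `bridge` carries the LAN, `ether1` is the WAN uplink, and 192.168.88.0/24 is the management subnet.

```routeros
# Prerequisites and hardening to pair with the filter rules above.
# Assumptions (not from the thread): LAN = bridge, WAN = ether1,
# management subnet = 192.168.88.0/24. Adjust before pasting.

# 1. Interface lists the filter rules reference.
/interface list add name=LAN
/interface list add name=WAN
/interface list member add list=LAN interface=bridge
/interface list member add list=WAN interface=ether1

# 2. "trusted" address list used by the ssh/api/winbox accept rules.
/ip firewall address-list add list=trusted address=192.168.88.0/24 \
    comment="management LAN"

# 3. Replace the stock admin account: add a new full-rights user, then disable admin.
/user add name=netadmin group=full password="CHANGE-ME-to-a-long-random-passphrase"
/user set admin disabled=yes

# 4. Close services that are not needed and bind the rest to the management subnet.
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set ssh address=192.168.88.0/24
/ip service set winbox address=192.168.88.0/24

# 5. Nothing on the router should be usable as a relay from the internet.
#    allow-remote-requests=no only if LAN clients do NOT use the router as
#    their DNS server; if they do, leave it on and rely on the input-chain
#    "drop everything else not from LAN" rule to stop DNS queries from the WAN.
/ip dns set allow-remote-requests=no
/ip proxy set enabled=no
/ip socks set enabled=no
/ip upnp set enabled=no
/tool bandwidth-server set enabled=no
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/ip neighbor discovery-settings set discover-interface-list=LAN

# 6. Verify: which services still listen, what is port-forwarded, and whether
#    a newer stable release is available.
/ip service print
/ip firewall nat print where chain=dstnat
/system package update check-for-updates
```

Apply step 3 from a session opened with the new account, not the one being disabled, and review the `dstnat` output from step 6 against what the project actually needs: a forward rule nobody remembers creating is the first place to look when a LAN device starts talking to the internet on its own.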

Posted
44 minutes ago, LollerAgent said:

Here is a decent set of default firewall rules to use on Mikrotik:

/ip firewall filter
add action=accept chain=input comment="DEF: accept established, related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="DEF: drop invalid" connection-state=invalid
add action=accept chain=input comment="DEF: accept icmp" protocol=icmp
add action=accept chain=input comment="DEF: accept trusted ssh" port=22 protocol=tcp src-address-list=\
    trusted
add action=accept chain=input comment="DEF: accept trusted api" port=8728-8729 protocol=tcp \
    src-address-list=trusted
add action=accept chain=input comment="DEF: accept trusted winbox" port=8291 protocol=tcp \
    src-address-list=trusted
add chain=forward comment="DEF: accept established, related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="Block WLAN-Guests from General" connection-state=established,new \
    dst-address-list=vl10 src-address-list=vl31
add action=drop chain=forward comment="Block Security from General" connection-state=established,new \
    dst-address-list=vl10 src-address-list=vl50
add action=drop chain=forward comment="Block WLAN-Public from Security" connection-state=\
    established,new dst-address-list=vl50 src-address-list=vl31
add action=drop chain=forward comment="DEF: drop invalid" connection-state=invalid
add action=drop chain=input comment="DEF: drop everything else not from LAN" connection-nat-state=\
    !dstnat connection-state=new in-interface-list=!LAN

There are some specific VLAN rules in there to give you an example of how to block traffic between VLANs if you need.  These rules also require you have two interface lists -- "LAN" and "WAN" which you can create.

As @lippavisual said -- make sure you are running the latest STABLE firmware and have changed default passwords, etc.  Check to make sure your router isn't acting as an open DNS resolver and that it doesn't have a proxy enabled.

Thank you very much for your recommendations. In addition to this, do you recommend factory resetting the main controller or do you consider that it is not necessary?

Posted

All of these are already applied and the main controller continues to consume all the bandwidth by sending recommendations information; it is the only device on the network that does this. If I remove this device from the network, everything returns to normal. Any other recommendations you can give me? Thank you.

Posted
5 minutes ago, JoseLuis1225 said:

ok thanks

Actually... I would suggest doing a full image restore as it can overwrite the restore file as well. Dealer will have access to the needed software.

I would first try making a back-up and clearing the project though: just to see if the issue goes away, as it's not inconceivable that a system driver is doing this.
