*Fixing* a Virgin Media Super Hub...

So, After struggling with getting SSH to work reliably on my Virgin Media Super Hub I finally decided to give them a call and face the inevitable "ss what" questions from tech support. They didn't dissapoint but did however tell me (after suggesting I restart my router) that there is a firmware update available and that I should reset my router to get the update.

My super hub (which I will refer to a router from here on as it's neither super nor a hub) is a Netgear VMDG480, I have no idea what the firmware was before the update but it is now on boot code 2.3.0beta7 software version R36. This info can be found by connecting to your router in a browser and going to router status in the top right of the page (before you log on).

I was worried that this would mean re-configuring my wireless and port forwards etc but thought it was worth it for the potential fix to ssh.

The first step was to press and hold the reset button on the router for 20 seconds. I counted this out much to the amusement of the tech support operative however it looks like 20 seconds is when the virgin logo on the front of the router (normally Blue) turns red. I released the reset button and waited for the lights to calm down.

After renewing the dhcp lease on my PC ( start, run, cmd, ipconfig /renew) I logged onto the router which was now on 192.168.0.1, my first task was to change the ip address back to 192.168.1.1 as that's what the rest of my network would be expecting. Turns out this is not as simple as it ought to be.

So, after going to the router in your browser and loggin in with the default username and password (admin, changeme) you have to go to advanced settings (button in the lower right of the window). Once there you need to go to the DHCP section and select DHCP settings. Once there you will find the IP settings. I found that trying to change to 192.168.1.x caused an error relating to the"guest lan" which is interesting as I can't find any reference to the "guest LAN" anywhere else. Changing to 192.168.30.1, restarting, renewing ip, then changing back to 192.168.1.1 did seem to fix this issue however.



The DHCP setup is a little different to "normal". You enter the starting IP address for the DHCP range and then specify how many users you want. This then sets the end IP address. A little backward if you ask me but then since when has the router IP address been a DHCP option?

Please note that you need to click the Apply button from the bottom right of the window, wait for the router to restart, renew your IP and log back on to the router each time you change the IP address. Failure to do so will cause problems.

At this point I decided it would be a good idea to change the admin password, no option to change the username unfortunately but I wasn't expecting miracles. From the advanced menu you will find the password option in the "user interface management" part of the "device management" section. Turns out they are doing something wrong with the passwords as there is a limit of 15 characters and can only be letters and numbers. No salted hashing going on there then.....Still, that's not a bad length and alphabet size.


Last but not least there are two very insecure, flawed systems turned on by default that need turning off.

The first is WPS which allows you to connect wireless devices using a pin number rather than a proper passphrase. WPS can be trivially cracked using free software in 4-10 hours this then gives the attacker the ability to get your WPA passphrase (this is a bad thing!) Turn it off by going to Wireless, WPS Settings and unticking the Enable WPS box followed by apply.

The Second is UPnP. This is almost universally considered to be a bad thing from a security stand point. It introduces all sorts of security loopholes most of which are used by Virus to give them access to parts of your network they would not normally have. Take my word for it and turn it off. Right down the bottom of the advanced menu, under UPnP, uncheck the box and click apply.

That's about it for now. You could go and change the ssid and wpa key too as I always think having those on the back of the router is a bad plan (especially if someone can look through the window and see it) but I'm not going into that.