GUI is sluggish in FT when accessed from WAN

Issue #199 resolved
Sysres created an issue

I have noticed that GUI access in FT from WAN side is very sluggish. It often takes 5 - 15 sec. for some pages to fully refresh and show information. Access from LAN side is normal and quick. This is not an Internet latency issue as when I daisy chain test router to my primary LAN I get the same results. Original Shibby firmware v132 and earlier didn’t have this problem. Don’t know when this issue was introduced as I skipped many releases and recently switched to FT. Not sure if this is a bug or intentional but all my routers have slow access from WAN. Not the end of the world but it would be nice if GUI access would have the same WAN response as it is from the LAN side.

Comments (10)

  1. M_ars

    You probably experience the brute force mitigation rule on port defined for GUI remote access → added in July 2020

    see

    https://bitbucket.org/pedro311/freshtomato-arm/commits/31a8eb0b64af9a7892b72ef32759e5f3296831dd

    and

    https://bitbucket.org/pedro311/freshtomato-arm/commits/8208f872e6496092f0751e57b5e2a2d7ddb0470c

    and

    https://bitbucket.org/pedro311/freshtomato-arm/commits/1a38597bcb52ff00010a093fcc0f582e72f49caa

    I checked my notes for that change:

    Test in 2020: LTE connection to fiber home

    Test 1:
    hitcount: 4
    sec: 60
    --> no connection possible on my side (timeout)

    Test 2:
    hitcount: 4
    sec: 30
    --> no connection possible on my side (timeout)

    Test 3:
    hitcount: 11
    sec: 10
    --> connection possible but GUI feels (very) slow

    Test 4:
    hitcount: 11
    sec: 5
    --> connection possible and GUI does load/work faster

    Test 5:
    hitcount: 11
    sec: 3
    --> connection possible and GUI does load/work faster

    ==> currently we have hitcount 15 with seconds 5 and should work OK

  2. Sysres reporter

    Thanks for explanation. I figured that something like that has been implemented in recent versions of FT. I do occasionally get timeouts and have to wait and reload/refresh which is annoying when I have to do something really quick and have limited time.

    I was wondering would it be possible to add “Trusted public address/network” to Remote Access and disable brute force mitigation for these addresses? Most professional routers/firewalls have such option. It would make my life and anyone who often does remote admin much easier.

    Another possibility is to have an option in GUI to completely disable brute force mitigation and put a quick note with explanation. For remote access I personally always use HTTPS with a non-standard, high-numbered, random 5 digit port, so chances of scan bots hitting that port are very slim. Both proposed options are listed as Prevention Techniques here:

    https://phoenixnap.com/kb/prevent-brute-force-attacks

    An approach presently used in FT is somewhat intrusive and interfering. Once you successfully log in to the GUI, brute force mitigation should not interfere anymore and leave you alone and let you do your job as quickly as possible. Thanks.

  3. Sysres reporter

    @M_ars, would it be possible to simply add an option to disable your present implementation of “brute force mitigation”? Frankly it doesn’t do much to prevent spybots from scanning routers and prevent login attempts. But it greatly interferes with remote administration. As a test I set up the remote access port to 443 and within a few hours I began to see “bad password attempts” from all over the world, see log below. It was going on for over a week. Once I changed the remote port to a random 5 digit number, those attempts stopped right away. Thanks.

    Nov 29 04:06:11 RT-AC56U daemon.warn httpd[26075]: bad password attempt (GUI) from: 185.212.149.207
    Nov 29 04:06:12 RT-AC56U daemon.warn httpd[26076]: bad password attempt (GUI) from: 185.212.149.207
    Nov 29 04:06:13 RT-AC56U daemon.warn httpd[26078]: bad password attempt (GUI) from: 185.212.149.207
    Nov 29 04:06:14 RT-AC56U daemon.warn httpd[26079]: bad password attempt (GUI) from: 185.212.149.207
    Nov 29 04:06:15 RT-AC56U daemon.warn httpd[26080]: bad password attempt (GUI) from: 185.212.149.207
    Nov 29 04:06:15 RT-AC56U daemon.warn httpd[26081]: bad password attempt (GUI) from: 185.212.149.207
    Nov 29 04:06:16 RT-AC56U daemon.warn httpd[26083]: bad password attempt (GUI) from: 185.212.149.207
    Nov 29 04:06:17 RT-AC56U daemon.warn httpd[26084]: bad password attempt (GUI) from: 185.212.149.207
    Nov 29 04:06:17 RT-AC56U daemon.warn httpd[26085]: bad password attempt (GUI) from: 185.212.149.207
    Nov 29 04:06:18 RT-AC56U daemon.warn httpd[26086]: bad password attempt (GUI) from: 185.212.149.207
    Nov 29 04:06:19 RT-AC56U daemon.warn httpd[26088]: bad password attempt (GUI) from: 185.212.149.207
    Nov 29 04:06:20 RT-AC56U daemon.warn httpd[26089]: bad password attempt (GUI) from: 185.212.149.207
    Nov 29 04:06:20 RT-AC56U daemon.warn httpd[26090]: bad password attempt (GUI) from: 185.212.149.207
    Nov 29 04:06:21 RT-AC56U daemon.warn httpd[26091]: bad password attempt (GUI) from: 185.212.149.207
    Nov 29 04:15:03 RT-AC56U daemon.warn httpd[26303]: bad password attempt (GUI) from: 185.212.149.207
    Nov 29 04:15:04 RT-AC56U daemon.warn httpd[26304]: bad password attempt (GUI) from: 185.212.149.207
    Nov 29 04:15:05 RT-AC56U daemon.warn httpd[26306]: bad password attempt (GUI) from: 185.212.149.207
    Nov 29 04:15:06 RT-AC56U daemon.warn httpd[26307]: bad password attempt (GUI) from: 185.212.149.207
    Nov 29 04:15:07 RT-AC56U daemon.warn httpd[26308]: bad password attempt (GUI) from: 185.212.149.207
    Nov 29 04:15:07 RT-AC56U daemon.warn httpd[26309]: bad password attempt (GUI) from: 185.212.149.207
    Nov 29 04:15:08 RT-AC56U daemon.warn httpd[26311]: bad password attempt (GUI) from: 185.212.149.207
    Nov 29 04:15:09 RT-AC56U daemon.warn httpd[26312]: bad password attempt (GUI) from: 185.212.149.207
    Nov 29 04:15:10 RT-AC56U daemon.warn httpd[26313]: bad password attempt (GUI) from: 185.212.149.207
    Nov 29 04:15:11 RT-AC56U daemon.warn httpd[26316]: bad password attempt (GUI) from: 185.212.149.207
    Nov 29 04:15:12 RT-AC56U daemon.warn httpd[26317]: bad password attempt (GUI) from: 185.212.149.207
    Nov 29 04:15:13 RT-AC56U daemon.warn httpd[26318]: bad password attempt (GUI) from: 185.212.149.207
    Nov 29 04:15:13 RT-AC56U daemon.warn httpd[26319]: bad password attempt (GUI) from: 185.212.149.207
    Nov 29 04:15:14 RT-AC56U daemon.warn httpd[26321]: bad password attempt (GUI) from: 185.212.149.207
    Nov 29 04:43:23 RT-AC56U daemon.warn httpd[26979]: bad password attempt (GUI) from: 185.204.1.185
    Nov 29 04:43:24 RT-AC56U daemon.warn httpd[26980]: bad password attempt (GUI) from: 185.204.1.185
    Nov 29 04:43:25 RT-AC56U daemon.warn httpd[26981]: bad password attempt (GUI) from: 185.204.1.185
    Nov 29 04:43:26 RT-AC56U daemon.warn httpd[26982]: bad password attempt (GUI) from: 185.204.1.185
    Nov 29 04:43:27 RT-AC56U daemon.warn httpd[26984]: bad password attempt (GUI) from: 185.204.1.185
    Nov 29 04:43:27 RT-AC56U daemon.warn httpd[26985]: bad password attempt (GUI) from: 185.204.1.185
    Nov 29 04:43:28 RT-AC56U daemon.warn httpd[26986]: bad password attempt (GUI) from: 185.204.1.185
    Nov 29 04:43:29 RT-AC56U daemon.warn httpd[26988]: bad password attempt (GUI) from: 185.204.1.185
    Nov 29 10:19:42 RT-AC56U daemon.warn httpd[2331]: bad password attempt (GUI) from: 185.204.1.185
    Nov 29 10:19:42 RT-AC56U daemon.warn httpd[2332]: bad password attempt (GUI) from: 185.204.1.185
    Nov 29 10:19:43 RT-AC56U daemon.warn httpd[2334]: bad password attempt (GUI) from: 185.204.1.185
    Nov 29 10:19:44 RT-AC56U daemon.warn httpd[2335]: bad password attempt (GUI) from: 185.204.1.185
    Nov 29 10:19:45 RT-AC56U daemon.warn httpd[2337]: bad password attempt (GUI) from: 185.204.1.185
    Nov 29 10:19:46 RT-AC56U daemon.warn httpd[2339]: bad password attempt (GUI) from: 185.204.1.185
    Nov 29 10:19:47 RT-AC56U daemon.warn httpd[2340]: bad password attempt (GUI) from: 185.204.1.185
    Nov 29 10:19:48 RT-AC56U daemon.warn httpd[2341]: bad password attempt (GUI) from: 185.204.1.185
    Nov 29 16:10:12 RT-AC56U daemon.warn httpd[10520]: bad password attempt (GUI) from: 185.204.1.185
    Nov 29 16:10:13 RT-AC56U daemon.warn httpd[10521]: bad password attempt (GUI) from: 185.204.1.185
    Nov 29 16:10:14 RT-AC56U daemon.warn httpd[10522]: bad password attempt (GUI) from: 185.204.1.185
    Nov 29 16:10:15 RT-AC56U daemon.warn httpd[10523]: bad password attempt (GUI) from: 185.204.1.185
    Nov 29 16:10:16 RT-AC56U daemon.warn httpd[10525]: bad password attempt (GUI) from: 185.204.1.185
    Nov 29 16:10:17 RT-AC56U daemon.warn httpd[10526]: bad password attempt (GUI) from: 185.204.1.185
    Nov 29 16:10:17 RT-AC56U daemon.warn httpd[10527]: bad password attempt (GUI) from: 185.204.1.185
    Nov 29 16:10:18 RT-AC56U daemon.warn httpd[10529]: bad password attempt (GUI) from: 185.204.1.185
    
    Nov 29 02:58:34 RT-AC56U daemon.warn httpd[24441]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:58:35 RT-AC56U daemon.warn httpd[24442]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:58:36 RT-AC56U daemon.warn httpd[24444]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:58:37 RT-AC56U daemon.warn httpd[24445]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:58:38 RT-AC56U daemon.warn httpd[24447]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:58:39 RT-AC56U daemon.warn httpd[24449]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:58:43 RT-AC56U daemon.warn httpd[24450]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:58:44 RT-AC56U daemon.warn httpd[24453]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:58:46 RT-AC56U daemon.warn httpd[24454]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:58:47 RT-AC56U daemon.warn httpd[24455]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:58:48 RT-AC56U daemon.warn httpd[24457]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:58:49 RT-AC56U daemon.warn httpd[24458]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:58:50 RT-AC56U daemon.warn httpd[24459]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:58:51 RT-AC56U daemon.warn httpd[24461]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:58:52 RT-AC56U daemon.warn httpd[24462]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:58:53 RT-AC56U daemon.warn httpd[24464]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:58:55 RT-AC56U daemon.warn httpd[24465]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:58:56 RT-AC56U daemon.warn httpd[24466]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:58:57 RT-AC56U daemon.warn httpd[24468]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:58:58 RT-AC56U daemon.warn httpd[24469]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:58:59 RT-AC56U daemon.warn httpd[24471]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:59:00 RT-AC56U daemon.warn httpd[24473]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:59:01 RT-AC56U daemon.warn httpd[24474]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:59:03 RT-AC56U daemon.warn httpd[24476]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:59:04 RT-AC56U daemon.warn httpd[24477]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:59:05 RT-AC56U daemon.warn httpd[24478]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:59:06 RT-AC56U daemon.warn httpd[24480]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:59:07 RT-AC56U daemon.warn httpd[24481]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:59:08 RT-AC56U daemon.warn httpd[24482]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:59:09 RT-AC56U daemon.warn httpd[24484]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:59:11 RT-AC56U daemon.warn httpd[24485]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:59:12 RT-AC56U daemon.warn httpd[24487]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:59:13 RT-AC56U daemon.warn httpd[24488]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:59:14 RT-AC56U daemon.warn httpd[24489]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:59:15 RT-AC56U daemon.warn httpd[24491]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:59:16 RT-AC56U daemon.warn httpd[24492]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:59:17 RT-AC56U daemon.warn httpd[24493]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:59:18 RT-AC56U daemon.warn httpd[24496]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:59:20 RT-AC56U daemon.warn httpd[24497]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:59:21 RT-AC56U daemon.warn httpd[24499]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:59:22 RT-AC56U daemon.warn httpd[24500]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:59:23 RT-AC56U daemon.warn httpd[24501]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:59:27 RT-AC56U daemon.warn httpd[24503]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:59:28 RT-AC56U daemon.warn httpd[24505]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:59:29 RT-AC56U daemon.warn httpd[24506]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:59:31 RT-AC56U daemon.warn httpd[24508]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:59:32 RT-AC56U daemon.warn httpd[24509]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:59:33 RT-AC56U daemon.warn httpd[24511]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:59:34 RT-AC56U daemon.warn httpd[24512]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:59:35 RT-AC56U daemon.warn httpd[24513]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:59:36 RT-AC56U daemon.warn httpd[24515]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:59:37 RT-AC56U daemon.warn httpd[24516]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:59:38 RT-AC56U daemon.warn httpd[24519]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:59:40 RT-AC56U daemon.warn httpd[24520]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:59:41 RT-AC56U daemon.warn httpd[24521]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:59:42 RT-AC56U daemon.warn httpd[24523]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:59:43 RT-AC56U daemon.warn httpd[24524]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:59:44 RT-AC56U daemon.warn httpd[24525]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:59:45 RT-AC56U daemon.warn httpd[24527]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:59:46 RT-AC56U daemon.warn httpd[24528]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:59:48 RT-AC56U daemon.warn httpd[24530]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:59:49 RT-AC56U daemon.warn httpd[24531]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:59:50 RT-AC56U daemon.warn httpd[24532]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:59:51 RT-AC56U daemon.warn httpd[24534]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:59:52 RT-AC56U daemon.warn httpd[24535]: bad password attempt (GUI) from: 103.147.184.187
    Nov 29 02:59:53 RT-AC56U daemon.warn httpd[24536]: bad password attempt (GUI) from: 103.147.184.187
    

  4. Sysres reporter

    @M_ars, @Pedro, seriously, your existing implementation of “brute force mitigation” doesn’t do much except it greatly interferes with Remote Access. The log I posted above was collected a couple of months ago with FT 2021.7. As you can see “bad password attempts” were recorded every second and sometimes 2-3 times per sec.

    If you are really serious about having true “brute force mitigation” you should look into a different solution which actually blocks an attacker’s IP addresses for a certain period of time based on a defined threshold. Or implement 2-factor authentication, CAPTCHAs, etc. This is how professional UTM appliances do it. But it would be way too complicated and way outside of scope for FT.

    But if you really like what you presently have, that is fine, keep it, but please give us an option to disable it. I would suggest to put a quick note in GUI and instruct users to avoid using HTTP and also well known ports 80, 8080, 443, 8443 for remote access.

    In my opinion, for FT, the best options would be: 1). to use HTTPS with random 5 digit port, and 2). implement optional “Trusted Public IPs”. Thanks.

  5. Techie007

    The problem is that the brute-force mitigation is counting every access as a potential violation, thus allowing many attempts from a single IP, while throttling legitimate traffic. Why don’t we simply count bad password hits?
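
Added example (not part of the thread and not FreshTomato's code): a simplified Python model of the two approaches the comments contrast, a per-source limit on new connections using the `hitcount`/`sec` values from M_ars's notes, and a lockout that counts only the "bad password attempt" log lines, as Sysres and Techie007 propose. The sample log lines and addresses, the 20-connection page load and the 5 failures / 60 s / 1 h lockout values are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ daemon\.warn httpd\[\d+\]: "
                    r"bad password attempt \(GUI\) from: (\S+)$")

def parse_failures(lines, year=2000):
    """Return [(timestamp, ip)]; syslog lines carry no year, so `year` is arbitrary."""
    hits = (LOG_RE.match(line.strip()) for line in lines)
    return [(datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2))
            for m in hits if m]

def connection_limiter(times, hitcount, seconds):
    """Simplified model: each new connection is a hit; drop at `hitcount` hits in `seconds`."""
    window, dropped = deque(), 0
    for t in times:
        window.append(t)
        while t - window[0] > seconds:
            window.popleft()
        if len(window) >= hitcount:
            dropped += 1
    return dropped

def failure_lockout(events, max_failures, window, ban):
    """Count only bad passwords per source; return {ip: [time each ban started]}."""
    recent, banned_until, bans = defaultdict(deque), {}, defaultdict(list)
    for ts, ip in sorted(events):
        if ts < banned_until.get(ip, datetime.min):
            continue  # source is blocked, so this attempt never reaches httpd
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= max_failures:
            banned_until[ip] = ts + ban
            bans[ip].append(ts)
            q.clear()
    return dict(bans)

# Constructed sample in the thread's log format (documentation-range addresses).
SAMPLE = [f"Nov 29 04:06:{11 + i:02d} router daemon.warn httpd[{26075 + i}]: "
          f"bad password attempt (GUI) from: 203.0.113.7" for i in range(14)]
SAMPLE += [f"Nov 29 09:30:{s} router daemon.warn httpd[900]: "
           f"bad password attempt (GUI) from: 198.51.100.9" for s in ("01", "20")]

def demo():
    scanner = [float(i) for i in range(60)]      # one attempt per second for a minute
    page_load = [i * 0.05 for i in range(20)]    # constructed: 20 connections in 1 s
    bans = failure_lockout(parse_failures(SAMPLE), 5, timedelta(minutes=1), timedelta(hours=1))
    return connection_limiter(scanner, 15, 5), connection_limiter(page_load, 15, 5), bans

if __name__ == "__main__":
    print(demo())
```

In this model the one-per-second guesser never reaches 15 hits in 5 seconds, while the burst of connections from a single page load does; the failure counter bans the guessing source after its fifth bad password and leaves the source with two mistyped passwords alone.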
