I have an internet hardware question, but I'm not using a Linux machine at the moment, so I'm asking it in this forum.

Hello everyone, I have an internet hardware question, but I'm not using a Linux machine at the moment, so I'm asking it in this forum.

I finally got fibre internet set up in my apartment, but at the moment I'm using only a Windows 10 laptop until I get everything straightened out. Then, I can put together a new Linux machine and delve back in.

My question is: Is it necessary to change the username and password on the ONT for security?

I've had a terrible time trying to do it. I'm trying to use the browser (Microshaft Edge) to access the webUI, but I can't get anywhere. Every IP address I've tried, in every doc I've found, has said "took too long to respond" or "refused to connect".

The ONT is a Nokia model XS-010X-Q. According to this webpage:
https://hack-gpon.org/xgs/ont-nokia-xs-010x-q/

it says:

IP address 192.168.100.1
Web Gui ✅ Port 80 user: admin, password: 1234
Telnet ✅ Port 23 user: admin, password: 1234 (see Telnet Full Shell)

With a default username "admin", and password "1234", this looks to me like it needs to be changed.

Am I barking up the wrong tree? Is it possible that changing the default username and password on the ONT is unnecessary?

When they installed it what did you do to allow the Windows to connect?

In my opinion, for what its worth, the password should definitely be changed, if for no other reason that default passwords are, for all practical purposes, public.

Unfortunately, I can't speak to the difficulties you are having accessing it, other than suggest maybe trying a different browser and seeing what happens.

What does https://learn.microsoft.com/en-us/wi...mands/ipconfig say?

I can explain better. My laptop is connected by wired ethernet to a switch/router/wifi unit:
TP-Link Deco X50

I was able to change the username and password for the Deco (I had to go through a lot of crapola to do it, but that's the short version).

The Deco is connected by wired ethernet to the ONT. The ONT is:
Nokia XS-010X-Q

The installation technician (my ISP is Distributel) said it is a dedicated ONT, having no other function. I don't know much about this, so I'm not exactly sure what that means/doesn't mean. It came with no documentation at all, so I hunted around the web for info.

I found somewhere that this model ONT has a default username and password that looked very insecure to me, so I decided to change them. After trying unsuccessfully to access some sort of configuration dialogue, I ended up calling Distributel. First, they said there was no way to change the username or password. Then, they said only Bell (who owns Distributel) could change them, and then they said it didn't matter because the ONT's function could not be altered in the first place.

At that point, I really didn't know what to believe. I went through Nokia's website looking for a customer/tech support phone number or email address, to no avail.

I wish I knew more about this. It could be that I'm tearing my hair out over nothing. On the other hand, I could be taking a serious risk every second the ONT is powered-up and connected to the fibre.

It would be an enormous relief to find that the ONT is a dumb box that can't be f*cked with. It could be true that having the username and password might only yield read-only info that poses no risk. At this point I just have no idea.

Is there a way and a need to secure this thing?

Did you read my post in your other thread?

There is no need to change the username or password. The ont is just a converter box from fiber to copper.

I am guessing you might be able to access the device by unplugging the fiber and router, reboot the box, plug the desktop directly into the ont and try via the web browser with the posted address. I would be surprised if you could login. Be careful not to damage the fiber...

IIRC Win 10 has "ping" and "traceroute" (they spell it differently but it does the same job) and I seem to recall some version of "nmap" is available too (might need to download it) and those 3 tools in a command terminal should help you find out where the bottleneck is. MS also names what in Linux is "ifconfig" differently (ipconfig?) but iirc "route" works as expected.

Thank you all for your responses, including those in the other thread. I'm not worried about the ONT anymore.

My post in the other thread was for a different consideration. For reference, it was:
"If I connect a computer directly to the ethernet port on an ONT, what will happen?"

What I had in mind was removing the Deco switch/router/wifi unit entirely. I don't use wifi in my apartment at all, and at the moment I have only one computer (and no other internet devices, eg. streaming, etc.). However, when I asked the installation technician about connecting my computer directly to the ONT, he said that having a router between them was mandatory. With all due respect to the technician, I'm not convinced yet.

My thought is to eliminate the router by setting up the computer to do the routing itself. Can this be done? Or, is it a bad idea from the start?

I strongly recommend having a separate firewall device of some kind. I have a mini PC running PFsense but there is other firewall software available. While you can do it with just linux and it's built-in filtering as a beginner I would suggest using a firewall distribution.

Keep the router. Change its administrative password. Enable all available firewall options. And, automatic router-software updates.

Then, also use software routers on all connected machines. This will vary by operating system.

I just looked up the Deco X50 and it is a top of the line router so I am not sure why you would want to use something else. You should be able to turn off wifi if not needed.

Greetings everyone, first I wanted to thank everyone for their help so far!

I've made some discoveries, so I'm back with more questions.

I am now able to access the webUI version of the configuration dialogue for the Deco router (I had to use an app on my phone via wifi at first). This dialogue has a page that shows "CWMP" settings, including:
ACS username and password
Connection Request Authentication username and password
STUN username and password

All of these usernames and passwords are defaults of the extremely unsecure sort.

I've started reading about CWMP, ACS, and STUN, but it looks involved enough that it will take a long time before I understand them well enough to know what I'm doing. I feel a certain sense of urgency about changing these usernames and passwords, but I thought I'd better ask you folks first because I don't want to break anything I can't unbreak (eg. I lock myself out somehow).

Any comments?

As long as you make an accurate log of some kind of the User and Password changes, you won't break anything. As a backup, many routers have a Factory Defaults reset button and some have guided and even forced factory firmware updates. A few have replaceable BIOS/Firmware chips. I know firmware seems scary to many but it's just software. Just keep notebook or even photo records and you'll be fine.

STUN is a protocol for real-time voice, video and messaging. You should be able to turn off STUN, CWMP as well as ACS. I would not expect them to be enabled by default but whatever. If they are disabled then no need to worry about username or password settings.