
> manually overriding this configuration usually demonstrates a sufficient enough understanding that the default credentials have likely also been changed

I don't think that's a reasonable assumption at all -- the router should ensure that the admin cred has been set to a (reasonably secure) password. Just because someone read on a web page that they should enable remote admin doesn't mean that they understand the risk.

And it should warn that exposing the admin interface to the internet may make the router more vulnerable to remote exploits - basically the same type of warning that browsers show for a bad SSL cert should be shown for insecure router configs - tell the user that it's insecure and is a really bad idea before they do it.




How do you know this router doesn't already do that?

You're making some wild assumptions here.

Even your basic free Comcast router comes with sane defaults, and tons of warnings for every configuration change.

Here's the user manual for the TP-Link AC2300 - The Archer C7 found in the google results this post links to:

https://static.tp-link.com/2019/201912/20191231/7106508598_A...

Step 2 forces the default password to be changed. There is no way around that step.

None of your assumptions are true here.


Here's another TP-link manual:

https://www.tp-link.com/us/support/faq/66/

1. Open the web browser and in the address bar type in: http://192.168.1.1

2. Type the username and password in the login page. They are both admin by default.

3. Click Security->Remote Management on the left side

4. To enable this function, please change the Remote Management IP address from 0.0.0.0 to a specific authorized remote IP address.

Here's the warning they give at the bottom of the manual:

Few people read the entire manual, if they read it at all, they read enough to do what they want, and fewer still know what "Use this with caution" means. I don't even know what it means. I typed 255.255.255.255 carefully, is that sufficient caution?

> Type 255.255.255.255 Remote Management IP Address means that you can connect to the router remotely from anywhere via Internet, this is not recommended and please use it with caution

> We suggest changing the default log in Username and Password if the Remote Management feature is enabled, especially if you typed 255.255.255.255 as the Remote Management IP address.


That link isn't from the routers this post links to (specifically Archer C7 and C9 routers).

And, your link is old, to say the least. That screenshot is from the Windows XP era.

You're trying to lampoon TP-Link for things that simply are not true anymore, nor have been for a long while.

I'll repeat again - the default on these routers is to prohibit WAN access and they force a password change at setup. What more are you complaining about?


Also from the page I linked to:

Updated 04-18-2019 07:10:55 AM

This Article Applies to: TL-WR841N (and a couple dozen others).

You can buy a TL-WR841N today for $20. It was released in 2015, so it may be an "old" router, but old routers never die, they just get cheaper.


OK so what? Nothing you've stated here applies to the original post. You're fabricating some outrage about nothing relevant. The original post shows Archer C7 and C9 routers...


What original post? It was a google search that reveals some router's remote admin page, that search doesn't mention any specific router brand or model.

But regardless, I was responding specifically to your comment:

> manually overriding this configuration usually demonstrates a sufficient enough understanding that the default credentials have likely also been changed

(That's why I quoted it in my reply)

And the point I was trying to make is that merely being able to override the default remote admin setting does not ensure that the user has any idea what the ramifications are. I'm surprised you're even arguing against that.


> What original post? It was a google search that reveals some router's remote admin page, that search doesn't mention any specific router brand or model.

It does, click any of the links. The specific search string OP used returns only C6, C7 and C9 routers (I clicked through 2 pages of results).

You saw TP-Link and went off about things that were valid to complain about in the past... but are not specifically with these routers, and probably no new model TP-Link or any sane manufacturer is turning out today.

> And the point I was trying to make is that merely being able to override the default remote admin setting does not ensure that the user has any idea what the ramifications are

Again, if you actually clicked through the OP, you'd notice most of the bare IP address results are dead (meaning they are no longer on the internet), and the ones with CNAMEs attached appear to be professionally managed. The assumption is sound.


You can exclude strings to dig up more models. I got this far, but I think google is ignoring the last exclusion.

"Please log in with router's password" -"hacker news" -C6 -C7 -C9 -C90 -C60 -A9 -A7 -A6 -AX3000 -MR100 -MR150 -MR200 -MR600 -MR6400 -AC2300 -AC2600 -AX50 -C6U -VR300 -VR600 -VR2100 -TD-W9970 -TD-W9960


> Step 2 forces the default password to be changed. There is no way around that step.

Sure, and you can change that password to "foobar" or whatever bad password you want. And I bet that login page doesn't have any rate limiting or a lockout after too many failed logins.

Fortunately, though, I don't think there are any of these that enable remote admin by default, so the owner would need to do that explicitly. Hopefully they've paired that with a strong password. Even then, I still wouldn't advise anyone actually doing this...

(Your manual link is broken; it takes me to a page that just links to TP-Link's main marketing website.)
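As an added example (not written by any commenter and not TP-Link firmware code), here is a sketch of the pre-flight check the thread argues a router should run before it accepts a remote-management change. It uses the manual's quoted semantics (0.0.0.0 disables the feature, 255.255.255.255 allows any address, default login admin/admin). The `cfg` fields, the 12-character minimum and the weak-password list are assumptions made for illustration.

```python
import ipaddress

# Values taken from the manual text quoted in the thread.
DISABLED = ipaddress.ip_address("0.0.0.0")          # remote management off
ANYWHERE = ipaddress.ip_address("255.255.255.255")  # reachable from any address
DEFAULT_CREDS = ("admin", "admin")

# Constructed sample list; a real check would use a much larger one.
WEAK_PASSWORDS = {"foobar", "password", "12345678", "admin"}
MIN_LENGTH = 12  # assumed policy, not from the page


def review_remote_admin(cfg):
    """Return (allowed, messages) for a proposed remote-management change.

    cfg is a hypothetical dict with keys: remote_ip, username, password,
    lockout_after (failed logins before lockout; 0 means no lockout).
    """
    ip = ipaddress.ip_address(cfg["remote_ip"])  # raises ValueError if malformed
    if ip == DISABLED:
        return True, []  # nothing is exposed on the WAN side

    blocks, warns = [], []
    password = cfg["password"]
    if (cfg["username"], password) == DEFAULT_CREDS:
        blocks.append("BLOCK: default admin/admin credentials are still set")
    elif password.lower() in WEAK_PASSWORDS or len(password) < MIN_LENGTH:
        blocks.append("BLOCK: password is too weak for an internet-facing login")

    if cfg.get("lockout_after", 0) <= 0:
        warns.append("WARN: no lockout after repeated failed logins")
    if ip == ANYWHERE:
        warns.append("WARN: admin page will be reachable from any internet address")

    # The change is refused while any BLOCK finding remains; warnings are shown
    # to the user before they confirm.
    return not blocks, blocks + warns
```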



