batemanr
Aspirant
Sep 18, 2025

Failed logins to my QNAP NAS from my Netgear BE9200

With Armour enabled I am seeing numerous failed login attempts reported by all of my QNAP NAS devices

 

The problem is bad enough that my QNAPs are blocking the source IP of my router, which is their default gateway!

 

Has anyone else had this issue?

 

18 Replies

  • FURRYe38
    Guru - Experienced User

    Would be something to post about in QNAP forums or make contact with their support group regarding help and information for their product.

     

    Which RS series router is this? 

    What Firmware version is currently loaded?
    What is the Mfr and model# of the Internet Service Provider's modem/ONT the NG router is connected to?

     

    Try disabling the following and see:
    Armor, Smart Parental Controls or Circle, IPv6, Protection Engine, Traffic Meter.

  • The QNAPs are reporting failed SSH login attempts with several user names like oracle, root, admin, operator, and the source IP of the router.

     

    The issues stop when I disable Netgear Armor

     

    I opened a ticket with Netgear and they would not confirm or deny that Armor intentionally, by design, exhibits this behavior.

     

    I am running the latest firmware for the BE9200 device.

    It seems clear to me that either the Armor software itself is attempting these logins or there is a backdoor that 'bad actors' are using.

     

    I find it very odd that the vendor cannot answer the question "Does Armor do this by design?"

    • FURRYe38
      Guru - Experienced User

       

      Which RS### series router is this? 

      What actual Firmware version is currently loaded?

    • StephenB
      Guru - Experienced User
      batemanr wrote:

      The QNAPs are reporting failed SSH login attempts with several user names like oracle, root, admin, operator, and the source IP of the router.

      Just guessing, but I am thinking the vulnerability scan built into Armor is attempting those logins.  Then the QNAP protection methods kick in.

       

      I think you can remove the QNAPs from the device scan list.  Then try a test by enabling ssh again.

      Though I don't use Armor myself, so I might be wrong on that.

       

      FYI, you can also report this to BitDefender (who provide the technology to Netgear).  Go to https://www.bitdefender.com/consumer/support/help/ and select "How To..." and then "Troubleshooting".  You'll be able to select "NETGEAR Armor powered by BitDefender" and then enter a support request.

    • FURRYe38
      Guru - Experienced User

      Is Protection Engine enabled on the RS router? If so, try disabling it and reboot the router and then check your NAS device...

  • Been there, done that.
    The issues are:

    1. Why can't Netgear answer definitively?
    2. Since the issue goes away with Armor disabled, why isn't there an option for me to configure "hands off"?

    It is very scary to me that Netgear apparently does not know what the firmware they release for our devices actually does...

    • FURRYe38
      Guru - Experienced User

      You may need to disable Armor while NG takes a close look into this. Something to keep in contact with NG support about. 

      Do you already have a case #? 

  • I had one open for months with Armor disabled, waited for a new firmware, and re-enabled Armor

    Unfortunately, my email settings on QNAP 'expired' so I got no alerts and believed it was resolved and NetGear closed the case

     

    I discovered the "expiration", fixed it, and was immediately flooded again the next morning (It appears Armor runs the 'scans' just after midnight)

     

    I just wanted to share with the community to both make folks aware and to see if anyone had ideas

     

    I have not opened a new ticket yet, as I am not convinced it will make any difference

  • I have disabled SSH on all of my NAS, hoping my router default gateway will no longer get blocked!

    -I will enable SSH if I want to use it, then disable again..

    • FURRYe38
      Guru - Experienced User

      So you think that the SSH feature on the NAS is causing this interaction with Armor if enabled on the RS router? 

  • The NAS just starts a listener because I enabled SSH access. I was going to change the port and decided to simply disable it until I need it.

     

    I think Armor tries to login as part of the vulnerability scanning, QNAP decides it is being hacked and blocks the source IP

    But Netgear should document that the scan will attempt SSH as user1, user2, and user3, or whatever

    and if it is not doing that, they should admit that there must be a back door and I am being hacked!

     

    The logging logic is horrific! It doesn't log the actual traffic it sees.

    It logs port forwarding like it is direct. No public IP is going to connect to my internal private IPs

    It should log the incoming traffic and the fact that it performed port forwarding

    • StephenB
      Guru - Experienced User
      batemanr wrote:

      I think Armor tries to login as part of the vulnerability scanning, QNAP decides it is being hacked and blocks the source IP

      Agreed.

       

      Were you able to follow the instructions to remove the QNAP from the scan?  It's clear it's already well protected.

       

      batemanr wrote:

      But Netgear should document that the scan will attempt SSH as user1, user2, and user3, or whatever

      FWIW I don't agree here.  If they publish too many details then malware could pass the scan.

       

       

       

      batemanr wrote:

      The logging logic is horrific!

      I've been running Orbi for quite a while (been some years since I used Nighthawk).

       

      Orbi logging could be better too.  Better filtering would be nice, since mine have a lot of routine clutter.  But I have no problem with the contents port forwarding info.   

       

  • OK, there is no longer any doubt

     

    I re-enabled SSH on one QNAP

    I went to the armor.netgear.com site and told it to scan that QNAP

    I just received the failed login emails for:

    user dummy

    user root

    user operator

    user oracle

    user 1111

    user library

    and my router IP is blocked

     

    So, it seems Bitdefender is trying each of these user names, (and I am guessing here),  presumably with common default passwords

     

    WRT the advice to "remove" my QNAPs on the site:

     

    It clearly states that "it may be rediscovered and added back to the list if it reconnects to the network"

    And I have no intention of removing them from the network

    And I have scheduled reboots on each, as a precaution against possible memory leaks or other issues.

     

    (I am still, and have been, an IT professional for 50 years and have my own 'best practices' that I have adopted, based upon my work experiences.)

     

    I also still firmly believe Netgear should respond honestly when asked if their software/firmware is doing specific things.

    And if they do not know, they should not be shipping said software into the homes of their consumers.

     

    I have left SSH enabled on the device, but moved it to a new, non-standard (not TCP 22)  port to see just how thorough the security scan actually is...

     

    • StephenB
      Guru - Experienced User
      batemanr wrote:

      WRT the advice to "remove" my QNAPs on the site:

      It clearly states that "it may be rediscovered and added back to the list if it reconnects to the network"

      The KB article didn't say that (and it should).

       

      IMO there should be a way to disable the scan for specific devices.

       

      Maybe leave that feedback with BitDefender.

       

      batemanr wrote:

      I have left SSH enabled on the device, but moved it to a new, non-standard (not TCP 22)  port to see just how thorough the security scan actually is

      Please report back either way.

       

      batemanr wrote:

      I also still firmly believe Netgear should respond honestly when asked if their software/firmware is doing specific things.

      And if they do not know, they should not be shipping said software into the homes of their consumers

      I agree here, I just don't think they should publicly document all the details of the scan.

       

      Did you try to escalate?  It's possible L3 does know.  QNAP is a mainstream brand, so you'd think this would have come up before.

  • It's possible your device's IP address was unintentionally added to a deny rule within either firewall, blocking its access to the NAS.

    • StephenB
      Guru - Experienced User
      Peris1966 wrote:

      It's possible your device's IP address was unintentionally added to a deny rule within either firewall, blocking its access to the NAS.

      I don't think so.  It sounds like the QNAP's intrusion protection was triggered by the Armor scan, so it started to block access.  batemanr​ - do you agree? 

  • Wow! A lot of interest here now!

     

    answering in order:

     

    StephenB - My original ticket was open for months... No knowledge of L3 involvement

     

    Peris1966 I have explicit port forwarding for my NAS for what I want in and no blocking for SSH. I have started adding some blocks for the IPs reported blocked for attacks

     

    StephenB - You are correct that the block was the NAS self-protect

     

    ALL- The scan ran and reported no vulnerabilities and the NAS did not complain, meaning Bitdefender did not find the non-standard port, or at least did not attempt to authenticate to it.
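
Added example, not part of the original thread: a small log triage script that groups failed SSH logins coming from the router's address into bursts, so the burst times can be compared with when an Armor scan ran (the thread reports just after midnight, or on a manual scan). It assumes OpenSSH-style syslog lines and a gateway at 192.168.1.1; the sample lines are constructed, and QNAP's own event log uses a different layout.

```python
import re
from datetime import datetime, timedelta

# Assumption: OpenSSH-style syslog lines. QNAP's own event log is formatted
# differently, so adapt the pattern to whatever the NAS exports.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample input; 192.168.1.1 stands in for the router (default gateway).
SAMPLE = """\
Sep 18 00:04:11 nas sshd[4101]: Failed password for invalid user dummy from 192.168.1.1 port 40112 ssh2
Sep 18 00:04:13 nas sshd[4103]: Failed password for root from 192.168.1.1 port 40114 ssh2
Sep 18 00:04:15 nas sshd[4105]: Failed password for invalid user operator from 192.168.1.1 port 40116 ssh2
Sep 18 00:04:17 nas sshd[4107]: Failed password for invalid user oracle from 192.168.1.1 port 40118 ssh2
Sep 18 09:30:02 nas sshd[5200]: Failed password for admin from 192.168.1.50 port 51000 ssh2
Sep 18 14:12:40 nas sshd[6001]: Failed password for root from 192.168.1.1 port 42000 ssh2
""".splitlines()

def scan_bursts(lines, gateway_ip, year=2025, gap=timedelta(minutes=5), min_users=3):
    """Return bursts of failed logins from gateway_ip that try >= min_users names."""
    events = []
    for line in lines:
        m = FAILED.match(line)
        if m and m["ip"] == gateway_ip:
            # Syslog timestamps carry no year, so the caller supplies one.
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"]))
    events.sort()
    bursts, current = [], []
    for ts, user in events:
        # A pause longer than `gap` closes the current burst.
        if current and ts - current[-1][0] > gap:
            bursts.append(current)
            current = []
        current.append((ts, user))
    if current:
        bursts.append(current)
    return [
        {"start": b[0][0], "end": b[-1][0], "users": sorted({u for _, u in b})}
        for b in bursts
        if len({u for _, u in b}) >= min_users
    ]

if __name__ == "__main__":
    for b in scan_bursts(SAMPLE, "192.168.1.1"):
        print(b["start"], "->", b["end"], "usernames tried:", ", ".join(b["users"]))
```

A burst that lines up with a scheduled or manually triggered scan points at the scanner; a burst from the gateway address at any other time is the one worth investigating further.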