NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
/dbbroker exploit
3 weeks ago I purchased a Netgear ReadyNAS and moved all my files onto it. This week I tried to turn on "ReadyNAS Replicate" under the Cloud tab in the LAN http interface. There were some user cred...
The problem with disabling HTTP admin by default is the panic created by the browser WARNING THIS IS UNSECURE CONNECTION, BEWARE, YOU MAY BE GOING TO GET DESTROYED overdone messages warning that the HTTPS certificate isn't signed properly (doesn't match fqdn, etc.).
jak0lantash wrote:
The problem with disabling HTTP admin by default is the panic created by the browser WARNING THIS IS UNSECURE CONNECTION, BEWARE, YOU MAY BE GOING TO GET DESTROYED overdone messages warning that the HTTPS certificate isn't signed properly (doesn't match fqdn, etc.).
I understand the user heart attack resulting from the panic, and that is likely why Netgear leaves it enabled.
But the truth is https (with the warning) is more secure than http (without the warning). So if you forward http through your router then you should certainly disable http admin. Businesses probably should disable it too.
It doesn't matter very much if you are a home user who doesn't enable remote web access to the NAS.
StephenB wrote:
But the truth is https (with the warning) is more secure than http (without the warning)That's for sure! ^^
StephenB wrote:
But the truth is https (with the warning) is more secure than http (without the warning). So if you forward http through your router then you should certainly disable http admin. Businesses probably should disable it too.It doesn't matter very much if you are a home user who doesn't enable remote web access to the NAS.
I actually think the default setting is different on desktop units (HTTP) and on rackmount units (HTTPS) - OS6 of course.
Thanks guys - done all that and accepted warning etc and now there is an unlocked padlock permanently in the address bar when accessing administration pages - just wanted to check I'm doing it right and this is more secure / encrypted and I haven't missed an important step to get the data encrypted, like installing a certificate or such like.
FYI - I have a feeling the entire incident was caused by my 'NAT mapping' my router from Port 666 to my NAS port 21, in a vague attempt to mask my external FTP access - but perhaps someone hacked it during the week and when I returned they were sat on the link or in the middle watching for my login details...
Anyway - thanks for all the advice.
Jon
redstamp wrote:
Thanks guys - done all that and accepted warning etc and now there is an unlocked padlock permanently in the address bar when accessing administration pages - just wanted to check I'm doing it right and this is more secure / encrypted and I haven't missed an important step to get the data encrypted, like installing a certificate or such like.
If you've disabled http admin access, and are using https, then the link is encrypted. The padlock (and warning) are because the NAS is using a self-signed certificate. By definition, that can't be verified with a certificate authority.
There is a new tool called letsencrypt that automates installation of a free cert from a CA, it would be great if the NAS had an option to use it. Note that the cert from letsencrypt is for a URL (a ddns name for example, not an IP address).
NETGEAR Academy
Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology!
Join Us!
