IanWilson
Jan 10, 2015, Aspirant
Can a 314 ReadyNAS get hacked?
I am really worried: A few days ago I had to have tech support to my brand new 314 ReadyNAS. I was asked for my password by the online tech and left it in tech support mode for 12 hours until the ...
rn104
Mar 11, 2015, Star
Danthem wrote: Hi IanWilson,
It's bad luck what happened but at least now you know for next time. There's no need to be paranoid if you have a strong password; the problem with tech support mode + port forwarding is that it uses a password that people know about.
I don't understand this. I've not had to use tech support, yet, but my understanding is that tech support mode opens the standard SSH port to a login from a Netgear-controlled server with, if I'm reading the above correctly, a bog-standard password for all logins. If the machine is inadvertently placed in a DMZ or port 22 is forwarded then it's open to hacking from any random drive-by who knows the password?
I'm no *nix guru but I have managed to set up public/private key SSH access to my router on a non-standard port with restricted IP address access as well, and disabled password login to dump fairly constant password login attempts on port 22.
I'm sure the systems programmers at Netgear are capable of setting up something along the same lines to close what I see as a potentially serious hole?
A script to generate a public/private key, IP address restrictions and a non-standard SSH port shouldn't be too hard to do (using PuTTY and copy/paste I think it took me about 10 minutes in total, including reading the PuTTY and router firmware documentation). Send the relevant key and port number to Netgear in the same way the current tech support mode notification is done and then I'd feel a lot more comfortable that only a Netgear tech could access my NAS if I opened up tech support mode.
Am I missing something or is this not a doable, much more secure access mode? I don't know that much about the Netgear remote access/admin modes because I will admit that I feel nervous about enabling them as I haven't found much documentation on access security, such as key only access, port reassignment and address limitations backed up by brute force/anti-hammer options. For now I'm happy just to use it for local file backup/serving but I'd be interested in reading whatever documentation is available on remote access security.
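The three controls listed in the post above (key-only login, a non-standard port, source-address restriction) can be checked against an OpenSSH `sshd_config`. This is an added example, not part of the thread and not Netgear's code; the sample configs are constructed, and the port `2222`, the user `support` and the address `203.0.113.10` are placeholders.

```python
# Added example: audit the global section of an sshd_config for the three
# controls described in the post. Sample configs below are constructed.
MULTI = {"port", "allowusers"}  # keywords whose values accumulate across lines

def parse_sshd_config(text):
    """Return {keyword: [values]} for the global section (before any Match)."""
    conf = {}
    for raw in text.splitlines():
        # drop comments, accept "Key=value" as well as "Key value"
        parts = raw.split("#", 1)[0].replace("=", " ", 1).split()
        if not parts:
            continue
        key, values = parts[0].lower(), parts[1:]
        if key == "match":        # simplification: ignore conditional blocks
            break
        if key in MULTI:
            conf.setdefault(key, []).extend(values)
        elif key not in conf:     # for other keywords sshd uses the first value
            conf[key] = values
    return conf

def audit(text):
    """Return a list of findings; an empty list means all three controls are set."""
    conf = parse_sshd_config(text)
    findings = []
    # sshd allows password logins unless told otherwise
    if conf.get("passwordauthentication", ["yes"])[0].lower() != "no":
        findings.append("password login enabled")
    if "22" in conf.get("port", ["22"]):
        findings.append("listening on default port 22")
    # AllowUsers entries of the form USER@HOST tie a login to a source address
    allow = conf.get("allowusers", [])
    if not allow or any("@" not in entry for entry in allow):
        findings.append("no source-address restriction on logins")
    return findings

WEAK = """
# constructed sample: defaults left in place
Port 22
PermitRootLogin yes
"""

HARDENED = """
# constructed sample: 2222 and 203.0.113.10 are placeholders
Port 2222
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers support@203.0.113.10
"""
```

`audit(WEAK)` reports all three findings and `audit(HARDENED)` reports none; a source restriction can also be set per key with a `from="..."` option in `authorized_keys`, which this check does not inspect.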