IanWilson
Jan 10, 2015, Aspirant
Can a 314 ReadyNAS get hacked?
I am really worried:
A few days ago I had to have tech support to my brand new 314 ReadyNAS. I was asked for my password by the online tech and left it in tech support mode for 12 hours until the problem (an uninstalled app which broke the OS 6.2.2 web admin dash due to the current firmware bug) was fixed. Afterwards I noticed that several services I had running before had been left on, including the SSH service.
For the last two days my DSL router keeps getting maxed out and falls over, especially in the mornings. Its logging is poor and I can't identify the exact culprit, but I do know that unplugging the ReadyNAS from the network fixes the problem. Also, if I firewall the ReadyNAS so it can't communicate outbound, that helps as well.
Is it possible my NAS is being attacked or hacked? I am on a static WAN IP and have to use that DSL router - I have no choice due to provider.
Any ideas?
I notice that since plugging it in, the performance screen shows some disk operations and network activity present, yet when it is disconnected but left turned on, the activity falls to nothing. Is it normal for a ReadyNAS to have activity when you think nothing on the LAN is using it?
I turned ReadyCloud, Remote, Replicate and SSH off for now.
33 Replies
- StephenB (Guru - Experienced User)
alexofindy wrote: I don't have port forwarding enabled
Which of course means a boatload of ports were forwarded.
mdgm wrote: ...You had it on DMZ.
- Danthem (NETGEAR Employee Retired)
StephenB wrote: alexofindy wrote: I don't have port forwarding enabled
Which of course means a boatload of ports were forwarded. mdgm wrote: ...You had it on DMZ.
Pretty sure it was IanWilson who had the device in DMZ.
@Alexofindy, if you don't have any port forwarding towards your NAS, nobody can access the NAS from outside your network, and if they're inside your network I'd say that's quite a security hole you need to fix. If you're very worried about it, disable SSH on the device; then the only way someone can gain access to the OS of the NAS would be to have inside access to your network, figure out your web GUI admin password (which should be strong) and enable SSH.
I'd say this is very unlikely to happen.
- mdgm-ntgr (NETGEAR Employee Retired)
Ah, oops. It can get confusing sometimes when multiple users post. Thanks for picking that up.
- StephenB (Guru - Experienced User)
I don't disagree with Danthem's comments, but want to add a couple of points.
Danthem wrote: @Alexofindy, if you don't have any port forwarding towards your NAS - nobody can access the NAS from outside your network, and if they're inside your network I'd say that's quite a security hole you need to fix. If you're very worried about it, disable SSH on the device and then the only way someone can gain access to the OS of the NAS would be to have inside access to your network, figure out your web GUI admin password (which should be strong) and enable SSH.
Most networks (including your home network) use a "soft center with hard edges" model for security. If someone can penetrate your home network, then they likely can get access to everything. So the first line of defense for the network is to maintain that edge security.
There are two basic ways an outsider can penetrate your edge w/o physical access to your home. One is WiFi, the second is through your internet connection / router. So you want to enable WiFi security (WPA) and use a good passphrase. 5 GHz doesn't carry as far as 2.4 GHz, so if your devices all support 5 GHz, then you might turn your 2.4 GHz WiFi off.
And you want to have a strong password on the router, especially if you enable remote administration (if you don't actually need remote administration for the router, then don't enable it). Keeping router firmware up to date is also a good idea, since there are possibly security fixes being made there also.
Powerline networking is a bit like WiFi, in that the powerline network can carry beyond your home. There is encryption on the powerline link, and if you use that technology you should make sure you've set that up properly as well (since the powerline also is part of your "edge").
If you use ReadyCloud (really any cloud package or VPN) on the NAS, then that creates another path to get into the home network. So if you enable that service, then you also need strong passwords there, and keep in mind that you are essentially trusting Netgear's ReadyCloud security, since it is part of your "edge".
So start with that stuff. Enabling SSH on the NAS within the home network doesn't really add much vulnerability to data loss: if a hacker penetrates your edge, they can also reach your data through your PCs. Personally I think the benefits of keeping SSH enabled outweigh the risks - when the GUI fails, you have more options available to fix the problem. But of course it does add some risk.
- IanWilson (Aspirant)
I set my NAS IP to DMZ and it was left for around 12 hours or so like that, believing it would "help" technical support get into my NAS to fix a problem. During that time it appears the hack occurred, one of the cardinal symptoms being massively reduced LAN performance and unexplained ReadyNAS network activity viewable on the Performance page in the web GUI.
Yes, yes, I know it was a really dumb thing to do, but I am rather green when it comes to networking and thought I'd better do it to prevent any barriers to Netgear's techs. I've learned my lesson and understand it was totally unnecessary.
As for SSH - mine remains disabled. I may enable it on a temporary basis if I have to install / maintain apps in the future, but it will only be enabled while the DSL modem is disconnected from the LAN due to total paranoia now!!
My DSL modem, wireless, NAS and readycloud have strong passwords as well.
Can anyone recommend a good site that is accurate for double-checking that my port forwarding settings are as they are reported by the router? (I'm so paranoid now I thought it might be a good idea to "attack" my own LAN ports and check they are closed off properly!) :?
- Danthem (NETGEAR Employee Retired)
Hi IanWilson,
http://www.ipfingerprints.com/portscan.php is pretty good. You can set a range of ports to try.
It's bad luck what happened, but at least now you know for next time. There's no need to be paranoid if you have a strong password; the problem with tech support mode + port forwarding is that it uses a password that people know about.
- IanWilson (Aspirant)
Danthem, thanks for the link, that looks just the ticket!
Live and learn as they say - my paranoia is improving thanks to your "counselling"!
- latitudehopper (Aspirant)
I wonder if I have also been hacked. I thought I had the IPv6 packet flooding issue, but I have 6.2.2 and still have issues with LAN flooding coming from the NAS. Did the OS reinstall work? I am loath to do it, but it might be the only way.
Danthem wrote: Hi IanWilson,
It's bad luck what happened but at least now you know for next time. There's no need to be paranoid if you have a strong password, the problem with tech support mode + port forwarding is that it uses a password that people know about.
I don't understand this. I've not had to use tech support yet, but my understanding is that tech support mode opens the standard SSH port to a login from a Netgear-controlled server with, if I'm reading the above correctly, a bog-standard password for all logins. If the machine is inadvertently placed in a DMZ or port 22 is forwarded, then it's open to hacking from any random drive-by who knows the password?
I'm no *nix guru but I have managed to set up public/private key SSH access to my router on a non-standard port with restricted ip address access as well, and disabled password login to dump fairly constant password login attempts on port 22.
I'm sure the systems programmers at Netgear are capable of setting up something along the same lines to close what I see as a potentially serious hole?
A script to generate a public/private key, IP address restrictions and a non-standard SSH port shouldn't be too hard to do (using Putty and copy/paste I think it took me about 10 minutes in total, including reading the Putty and router firmware documentation). Send the relevant key and port number to Netgear in the same way the current tech support mode notification is done and then I'd feel a lot more comfortable that only a Netgear tech could access my NAS if I opened up tech support mode.
Am I missing something, or is this not a doable, much more secure access mode? I don't know that much about the Netgear remote access/admin modes because I will admit that I feel nervous about enabling them, as I haven't found much documentation on access security, such as key-only access, port reassignment and address limitations backed up by brute force/anti-hammer options. For now I'm happy just to use it for local file backup/serving, but I'd be interested in reading whatever documentation is available on remote access security.
- mdgm-ntgr (NETGEAR Employee Retired)
With tech support mode and also secure diagnostic mode we don't need any ports to be forwarded to access the system. We just need the 5-digit number and the agreement to the Remote Access Policy.
Tech support mode is a low-level diagnostic mode that needs to work in as close to 100% of situations as possible.
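The SSH hardening latitudehopper proposes above (key-only logins, a non-standard port, address restrictions) as an added audit example that is not code from the thread or from NETGEAR: a POSIX shell function that checks an OpenSSH sshd_config for those settings, run over two constructed sample files. It assumes OpenSSH 7.0+ directive defaults (PasswordAuthentication yes, PermitRootLogin prohibit-password) and ignores Match blocks; the user name, port and subnet in the hardened sample are hypothetical.

```shell
# Added example (not from the thread or NETGEAR): audit an sshd_config for
# key-only logins, a non-default port and a source-address restriction.
# Assumes OpenSSH 7.0+ defaults and ignores Match blocks.

# OpenSSH uses the first uncommented occurrence of a directive, so take the first.
sshd_value() {   # $1 = config file, $2 = directive name (case-insensitive)
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Prints one line per finding and returns the number of findings (0 = clean).
audit_sshd_config() {   # $1 = path to sshd_config
    f="$1"; n=0
    pw=$(sshd_value "$f" PasswordAuthentication); [ -n "$pw" ] || pw=yes   # default yes
    pk=$(sshd_value "$f" PubkeyAuthentication);   [ -n "$pk" ] || pk=yes   # default yes
    port=$(sshd_value "$f" Port);                 [ -n "$port" ] || port=22
    root=$(sshd_value "$f" PermitRootLogin);      [ -n "$root" ] || root=prohibit-password
    allow=$(sshd_value "$f" AllowUsers)
    [ "$pw" = no ]     || { echo "WEAK: password logins allowed (brute-forceable)"; n=$((n+1)); }
    [ "$pk" = yes ]    || { echo "WEAK: public-key authentication disabled"; n=$((n+1)); }
    [ "$port" != 22 ]  || { echo "NOTE: default port 22 attracts constant login attempts"; n=$((n+1)); }
    [ "$root" != yes ] || { echo "WEAK: root may log in with a password"; n=$((n+1)); }
    [ -n "$allow" ]    || { echo "WEAK: no AllowUsers user@host restriction"; n=$((n+1)); }
    return "$n"
}

# Wrapper that prints the finding count instead of returning it (safe under set -e).
weak_count() {   # $1 = path to sshd_config
    n=0; audit_sshd_config "$1" >/dev/null || n=$?
    echo "$n"
}
TMP=$(mktemp -d)
# Constructed sample: out-of-the-box style config, password logins on port 22.
cat > "$TMP/weak.conf" <<'EOF'
Port 22
PasswordAuthentication yes
PermitRootLogin yes
EOF
# Constructed sample: the layout latitudehopper describes (hypothetical values).
cat > "$TMP/hardened.conf" <<'EOF'
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
AllowUsers nasadmin@192.168.1.*
EOF
audit_sshd_config "$TMP/weak.conf" || true
echo "weak.conf: $(weak_count "$TMP/weak.conf") finding(s)"           # 4
echo "hardened.conf: $(weak_count "$TMP/hardened.conf") finding(s)"   # 0
```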