
Re: RAX120 login exposed?

Straitpipe
Tutor

RAX120 login exposed?

I have checked the router settings for port forwarding / triggering, disabled remote management, etc. However, the router's login prompt is accessible externally using HTTP (not HTTPS, though) via http://xxx.xxx.xxx.xx/m/. Any ideas? Critical defect? Thanks
Model: RAX120|Nighthawk AX12 12-Stream WiFi Router
Message 1 of 23
Killhippie
Prodigy

Re: RAX120 login exposed?

You are logging into the router, not an internet site; it's not such a concern, it's been like this for years. If it was a banking site it would be different, but this is directly into the machine, and with a strong password it is secure. HTTPS would be an improvement nevertheless.

Model: RAX120|Nighthawk AX12 12-Stream WiFi Router
Message 2 of 23
Straitpipe
Tutor

Re: RAX120 login exposed?

What? That doesn't make any sense.... Having the login prompt for the router exposed to the internet is a serious and significant concern when remote management is off. Not only is it HTTP (which is insecure and easily sniffed), it allows anyone the ability to brute force the router and gain access over time. That URL should not be accessible from any device anywhere on the internet. It should be blocked by default. I was also able to verify this on a RAX80 router as well.
Message 3 of 23

Re: RAX120 login exposed?


@Straitpipe wrote:
Having the login prompt for the router exposed to the internet ....

It isn't. See above.

"You are logging into the router not an internet site...."
Message 4 of 23
Straitpipe
Tutor

Re: RAX120 login exposed?

I know where the login is going. Remote management is disabled, so access to that URL shouldn't be available remotely.... Even if it was, it should be on SSL... no router makes access to its admin interface available externally by default (Cisco, D-Link, etc.). That is a very bad practice. That being said, and ignoring our differences on secure administration, how do I disable it?
Message 5 of 23
Killhippie
Prodigy

Re: RAX120 login exposed?

Believe me, I am with you on HTTPS, but as far as I know you can't; HTTPS works with some models but mostly messes up. I would do what many of us have been doing for years and mention this to Netgear and wait for nothing to happen. At the end you can use .com or 198.162.1.* whatever * is, either default or what you have changed it to. For now it's the best you will get, and it's not considered by Netgear to be a problem... it's been the same for years, sadly, as you can see here.

https://community.netgear.com/t5/Nighthawk-WiFi-Routers/Unencrypted-dashboard-Login-No-https/td-p/13...

Model: RAX120|Nighthawk AX12 12-Stream WiFi Router
Message 6 of 23
Killhippie
Prodigy

Re: RAX120 login exposed?

Asus has HTTPS, but you are still logging into your router like logging into a printer, not an internet site, and with a strong password you should be fine. You are using a browser to log into a router's GUI, not Amazon. Even though I would still prefer HTTPS.

Model: RAX120|Nighthawk AX12 12-Stream WiFi Router
Message 7 of 23
Straitpipe
Tutor

Re: RAX120 login exposed?

So there is NO way to disable the router's login from an IP address that is outside of your local network (any IP address on the global) and only allow local administration of the device?

Message 8 of 23

Re: RAX120 login exposed?


@Straitpipe wrote:
login from an IP address that is outside of your local network (any IP address on the global)

Have you tried doing that?

Something tells me that you haven't understood all of the messages posted so far.

You need to enable remote access to use an IP address on the WAN that is outside your local network. That does use HTTPS as well as a different username and password.
Message 9 of 23
Straitpipe
Tutor

Re: RAX120 login exposed?

Perhaps this group hasn't understood my post.

In very clear terms:

- Remote management is DISABLED in the router's web GUI.

- From an external IP address, in a browser, a user can go to the HTTP external IP address (WAN IP) of the router.

- It exposes the login prompt for the router, which enables remote management, which should be disabled as per the first bullet.

Message 10 of 23
Killhippie
Prodigy

Re: RAX120 login exposed?

If you look in remote management after logging in, it's not on, because remote management is only used by the Nighthawk app, amongst other things. The link the router provides is a way to log into its interface directly; it's not facing the internet and it's not remote management in the way you are thinking. Netgear has always offered a link to the GUI interface via a browser straight into the router; it's not going via the internet and remote management is not in use. How else would you log in?

Message 11 of 23
Straitpipe
Tutor

Re: RAX120 login exposed?

When you log in locally you use the internal LAN IP address, something like http://192.168.0.1. I am talking about when I am NOT ON the local LAN and I use http://WANIP/m/

This URL allows remote access to the router using the WAN IP from a location like my local coffee shop.

I am asking how to disable remote access from an external IP address to my router. I would only like to admin my router from within my own network.

Message 12 of 23

Re: RAX120 login exposed?

As no one seems to understand the issue, perhaps you can convince people by describing the steps they need to take to reproduce this behaviour.

There are some seriously informed people here. (Count me out there.) That no one gets the point, despite the number of times you have put it forward, is puzzling.

Message 13 of 23
Straitpipe
Tutor

Re: RAX120 login exposed?

Let's start over. I will oversimplify this. The network would look like this (using incorrect IPs, so don't try and access them).

RAX120 router with internal network IP of 192.168.0.1. This is the IP used for accessing the router's web GUI.

The external WAN IP of the router is 71.71.40.5, which is connected to an internet provider like Spectrum, Xfinity (it doesn't matter which one).

I go to my local Starbucks and buy an $8 coffee. I boot up my laptop and connect to the Starbucks network. I go into Chrome and type in:

http://71.71.40.5/m/

This brings up a login prompt for my router. How do I disable the ability to remotely access the login of my router using the above URL?

It can't be any simpler than that.

(latest firmware, no port forwarding, no port trigger, remote management disabled, using a very strong password, etc.)

Message 14 of 23
xjn
Apprentice

Re: RAX120 login exposed?


Try going to the web UI and enabling remote management, then disabling it again. It sounds similar to the QoS issue where QoS is enabled even though it shows as disabled in the UI. The only way to truly disable it is to enable it, wait 30 seconds, then disable it; after that it may be truly disabled instead of just showing as disabled in the UI.
Message 15 of 23
Killhippie
Prodigy

Re: RAX120 login exposed?

You can't, and with a strong password it should not matter. It's like saying I only want to log into Amazon via my own network, not the coffee shop. The answer is no, but that's down to you; Amazon wants people to log in from anywhere, and Netgear wants people to have access to their routers from anywhere too (it should have HTTPS), although even that's not as secure as you think, just have a google. The URL is there so you can log in and check your router or update settings (never leave it to auto update, that can be a nightmare) from any source, although if you have set up email notifications that should save you having to do that.

The case here is: don't log in from untrusted networks, don't store the password in your browser and only log in from your home network; now that's not difficult. It's like logging into a banking site from a wifi point in any shop, you just don't do it. You could log in using a VPN, possibly that would be better, but if you are not logging in nobody else can log in either; there are millions of Netgear routers and people tend to access them from their own home networks, or the app, which I avoid. Yes, HTTPS should be used, but using common sense about where you log in from also goes a long way. People are not trying to log into every Netgear router all the time; they look for backdoors that show in logs, hence keep your security up to date. Netgear routers also now force you to use a more complex password during setup. Basically I understand what you're asking for, but that isn't available, and won't be. Netgear are lagging with an SSL login, but you can't turn that feature off, just as you can't turn off the ability to log into Amazon from anywhere in the world, or stop someone trying to use a brute force attack to get your Amazon password. Maybe suggest Netgear use 2FA and HTTPS. Until then use a complex password and log in from public wifi access points, only login from your home. Also make sure your firmware is always up to date to make sure bad actors can't break in easily anyway in ways that are much more than a device's primary login.

Model: RAX120|Nighthawk AX12 12-Stream WiFi Router
Message 16 of 23
Killhippie
Prodigy

Re: RAX120 login exposed?

* and don't log in from public wifi access points

Model: RAX120|Nighthawk AX12 12-Stream WiFi Router
Message 17 of 23
Killhippie
Prodigy

Re: RAX120 login exposed?

Just a thought: what firmware are you using? With remote management turned off you should not be able to log in unless you enable remote management. Have you updated to the latest hotfix and done a factory reset? With remote management turned on you can define what device/devices can access your router; maybe that would be preferable as a workaround. Also, as mentioned everywhere online, have a complicated password; they really do help.

 

https://kb.netgear.com/976/Enabling-your-router-s-remote-management

Model: RAX120|Nighthawk AX12 12-Stream WiFi Router
Message 18 of 23
Straitpipe
Tutor

Re: RAX120 login exposed?

I have done a factory reset. I did try enabling remote management, then waiting and disabling, similar to a previous defect.

I am using firmware V1.0.1.90.

The default remote management URL for Netgear is https://ipaddress:8443. The URL I am referring to which is exposed is different, hence the original request.

If people are responding with responses like "it's ok to have it exposed, it's like using Amazon", thank you, but please refrain from responding, as exposing administrative interfaces to routers from external network locations is not even close to the same thing as a publicly facing site.

Message 19 of 23
ArunGupta
Apprentice

Re: RAX120 login exposed?

I totally understand what you are saying. Just to clarify, are you actually able to log in, or is the router just displaying the username/password screen and would actually reject login attempts? If you are actually able to log in to the router from an external network with remote management turned off, it should be marked as a security bug in firmware.

I cannot test this because I run the router in AP mode, which greys out remote management.

 

Message 20 of 23
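One way to turn the reproduction steps in Message 14 and ArunGupta's question in Message 20 ("does the router merely show a prompt, or does a login actually succeed?") into a repeatable check. This is an added example, not code from the thread or from NETGEAR. It assumes, as many embedded web UIs do, that the admin path answers an unauthenticated GET with HTTP 401 plus a WWW-Authenticate header (or a form containing a password field) and returns 200 once valid HTTP Basic credentials are sent; the WAN_IP and ADMIN_PATH values are the thread's deliberately fake 71.71.40.5 and /m/, and the probe has to be run from a host outside your own LAN (phone tethering, a VPS) against a router you own.

```python
"""Triage whether a router's admin login is reachable on its WAN address.

Added example for this thread; not NETGEAR code and not the poster's.
Assumed, not taken from the page: the admin path answers an anonymous
GET with 401 + WWW-Authenticate (or a login form) and 200 with valid
HTTP Basic credentials. Adjust looks_like_login_prompt() if your model
differs. WAN_IP / ADMIN_PATH are the thread's made-up values.
"""
import base64
import http.client
from dataclasses import dataclass, field
from typing import Optional, Tuple

WAN_IP = "71.71.40.5"   # fake address from the thread, replace with yours
ADMIN_PATH = "/m/"      # the path the original poster saw exposed


@dataclass
class ProbeResult:
    reachable: bool
    status: Optional[int] = None
    headers: dict = field(default_factory=dict)   # lower-cased names
    body: str = ""


def fetch(host, path, port=80, timeout=5.0, credentials=None):
    """One plain-HTTP GET. Refused/timeout becomes reachable=False instead
    of an exception, because 'nothing answers' is itself the good result."""
    headers = {"Host": host, "User-Agent": "admin-exposure-check/1.0"}
    if credentials is not None:
        user, password = credentials
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        headers["Authorization"] = f"Basic {token}"
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        body = resp.read(4096).decode("utf-8", errors="replace")
        return ProbeResult(True, resp.status,
                           {k.lower(): v for k, v in resp.getheaders()}, body)
    except (OSError, http.client.HTTPException):
        return ProbeResult(False)
    finally:
        conn.close()


# Verdicts, roughly in increasing order of severity.
NOT_REACHABLE = "NOT_REACHABLE"    # what "remote management off" should look like
OTHER = "OTHER"                    # answers, but not with anything admin-like
PROMPT_EXPOSED = "PROMPT_EXPOSED"  # the OP's observation: login prompt on the WAN
OPEN_NO_AUTH = "OPEN_NO_AUTH"      # admin page served with no login at all
AUTH_ACCEPTED = "AUTH_ACCEPTED"    # valid creds work from the WAN: report it


def looks_like_login_prompt(r: ProbeResult) -> bool:
    """401 / WWW-Authenticate is HTTP Basic; the body check catches form logins."""
    if r.status == 401 or "www-authenticate" in r.headers:
        return True
    lower = r.body.lower()
    return 'type="password"' in lower or "type='password'" in lower


def classify(unauth: ProbeResult, auth: Optional[ProbeResult] = None) -> str:
    """Combine an anonymous probe with (optionally) one carrying real creds."""
    if not unauth.reachable:
        return NOT_REACHABLE
    if (auth is not None and auth.reachable and auth.status == 200
            and not looks_like_login_prompt(auth)):
        return AUTH_ACCEPTED
    if looks_like_login_prompt(unauth):
        return PROMPT_EXPOSED
    if unauth.status == 200:
        return OPEN_NO_AUTH
    return OTHER


def decode_basic_authorization(header_value: str) -> Tuple[str, str]:
    """What a sniffer on the coffee-shop WiFi recovers from one plain-HTTP
    login: Basic auth is base64 encoding, not encryption."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not HTTP Basic")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


if __name__ == "__main__":
    anon = fetch(WAN_IP, ADMIN_PATH)
    verdict = classify(anon)
    if verdict == PROMPT_EXPOSED:
        # Second step only against your own router, with your own password.
        with_creds = fetch(WAN_IP, ADMIN_PATH, credentials=("admin", "your-password"))
        verdict = classify(anon, with_creds)
    print(verdict, anon.status, anon.headers.get("www-authenticate"))
```

NOT_REACHABLE is the only verdict consistent with "remote management disabled". PROMPT_EXPOSED is what the original poster describes: even if the password holds, the admin surface is reachable for guessing and any successful login crosses the network in the clear. AUTH_ACCEPTED is the case ArunGupta says should be reported as a firmware security bug.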

Re: RAX120 login exposed?


@Straitpipe wrote:
The default remote management url for Netgear is https://ipaddress:8443.

This is, of course, also the entry point through Remote Management itself, but with the address

https://[username].mynetgear.com:8443

How would someone else find your WAN address from a coffee shop?

Or is it just a random attack thing?

Message 21 of 23
GabboCH
Apprentice

Re: RAX120 login exposed?

If you have a fixed WAN address from your ISP it probably isn't difficult for someone to find out your specific IP address.

However, I'd imagine there are lots of tools out there that would just cycle through random IP addresses and look for an active response.

If the router responds to a request for the WAN IP and opens a login page then you are wide open to a brute force attack.

Accepted, someone could only modify your router settings and mess up your network, but I guess they can also see connected devices, change your password, open ports, enable port forwarding etc.

If the router is set to "Remote Management Disabled" then I, like the OP, would not expect the router to respond at all from outside the local network....

Message 22 of 23
Killhippie
Prodigy

Re: RAX120 login exposed?

Have things changed with the new firmware update, 1.0.1.108? As said, if you can actually log in then report this as a security bug ASAP; if you can just see an HTTP login but can't actually log into the router itself then, as much of a pain as it is, you are going to have to wait until Netgear decides to use HTTPS. Contact them, as many of us have, and complain.

Model: RAX120|Nighthawk AX12 12-Stream WiFi Router
Message 23 of 23
Discussion stats
  • 22 replies
  • 4108 views
  • 1 kudo
  • 6 in conversation