Re: Unauthorized Network Access

teksmith
Aspirant

Unauthorized Network Access

I was reviewing my R7000 logs today and I noticed many (50-100) log entries where China and Ukraine have been accessing one of my network drives. Since the R7000 doesn't really provide a firewall configuration I am not sure how to stop this. Any ideas?
Message 1 of 54
fordem
Mentor

Re: Unauthorized Network Access

What protocols are you using to access the network drives?

Give a man a fish, feed him for a day
Teach a man to fish, feed him for life.
Message 2 of 54
teksmith
Aspirant

Re: Unauthorized Network Access

I am not using FTP or anything. I don't access the net drive outside my network. Internally I just use TCP/IP.
Message 3 of 54
fordem
Mentor

Re: Unauthorized Network Access

By DEFAULT, the R7000 (or any other NAT router for that matter) will DISCARD all unsolicited incoming connection requests - so unless you have taken specific steps to expose your network drive(s) there's no way for anyone outside of your network to get access.

Do you have uPnP enabled on the router?

Give a man a fish, feed him for a day
Teach a man to fish, feed him for life.
Message 4 of 54
teksmith
Aspirant

Re: Unauthorized Network Access

Yes. UPnP is enabled.
From the looks of the log I think they are port scanning.
Funny, one of the source IP addresses comes from UC-Berkeley Office of the President?
I am thinking the log is showing attempts and the firewall is actually stopping them?

Here is the log file:

[Admin login] from source 192.168.1.2, Wednesday, Nov 26,2014 18:13:10
[DHCP IP: (192.168.1.20)] to MAC address 78:31:C1:09:51:4E, Wednesday, Nov 26,2014 18:07:04
[LAN access from remote] from 129.253.8.24:58097 to 192.168.1.7:80, Wednesday, Nov 26,2014 18:01:46
[LAN access from remote] from 129.253.8.24:53057 to 192.168.1.10:80, Wednesday, Nov 26,2014 17:58:00
[DHCP IP: (192.168.1.15)] to MAC address 98:D6:BB:AC:DC:8E, Wednesday, Nov 26,2014 17:52:39
[DHCP IP: (192.168.1.23)] to MAC address 4C:B1:99:E9:C8:6F, Wednesday, Nov 26,2014 17:51:05
[LAN access from remote] from 194.150.11.201:53395 to 192.168.1.9:22, Wednesday, Nov 26,2014 17:47:33
[LAN access from remote] from 194.150.11.201:52480 to 192.168.1.9:22, Wednesday, Nov 26,2014 17:47:29
[LAN access from remote] from 194.150.11.201:52158 to 192.168.1.9:22, Wednesday, Nov 26,2014 17:47:28
[LAN access from remote] from 194.150.11.201:51240 to 192.168.1.9:22, Wednesday, Nov 26,2014 17:47:25
[LAN access from remote] from 194.150.11.201:50858 to 192.168.1.9:22, Wednesday, Nov 26,2014 17:47:23
[LAN access from remote] from 194.150.11.201:49736 to 192.168.1.9:22, Wednesday, Nov 26,2014 17:47:20
[LAN access from remote] from 194.150.11.201:49429 to 192.168.1.9:22, Wednesday, Nov 26,2014 17:47:19
[LAN access from remote] from 194.150.11.201:48521 to 192.168.1.9:22, Wednesday, Nov 26,2014 17:47:16
[LAN access from remote] from 194.150.11.201:48161 to 192.168.1.9:22, Wednesday, Nov 26,2014 17:47:14
[LAN access from remote] from 194.150.11.201:47238 to 192.168.1.9:22, Wednesday, Nov 26,2014 17:47:11
[LAN access from remote] from 194.150.11.201:46892 to 192.168.1.9:22, Wednesday, Nov 26,2014 17:47:10
[LAN access from remote] from 194.150.11.201:46522 to 192.168.1.9:22, Wednesday, Nov 26,2014 17:47:08
[LAN access from remote] from 194.150.11.201:45585 to 192.168.1.9:22, Wednesday, Nov 26,2014 17:47:06
[LAN access from remote] from 194.150.11.201:44558 to 192.168.1.9:22, Wednesday, Nov 26,2014 17:47:02
[LAN access from remote] from 194.150.11.201:44208 to 192.168.1.9:22, Wednesday, Nov 26,2014 17:47:01
[LAN access from remote] from 194.150.11.201:43860 to 192.168.1.9:22, Wednesday, Nov 26,2014 17:46:59
[LAN access from remote] from 194.150.11.201:42925 to 192.168.1.9:22, Wednesday, Nov 26,2014 17:46:57
[LAN access from remote] from 194.150.11.201:42568 to 192.168.1.9:22, Wednesday, Nov 26,2014 17:46:56
[LAN access from remote] from 194.150.11.201:41655 to 192.168.1.9:22, Wednesday, Nov 26,2014 17:46:53
Message 5 of 54
fordem
Mentor

Re: Unauthorized Network Access

No - those logs show the firewall as allowing access to a host at 192.168.1.9 on port 22 (which is used for SSH or secure shell) - I would disable uPnP and see what happens. uPnP - universal plug 'n' play - was intended to allow users to have their network devices "auto-configure" the firewall/router as a convenience, and in my opinion it has the potential to also allow a miscreant to re-configure the firewall/router to permit access.

Give a man a fish, feed him for a day
Teach a man to fish, feed him for life.
Message 6 of 54
Wolf_666
Luminary

Re: Unauthorized Network Access

They are accessing your LAN, both on port 80 and 22 (worst).
Disable upnp, disable accessing port 22 from remote IP, check with care your firewall setup.
- Modem Draytek Vigor 160
- Router Netgear RAX200 (Stock FW)
- NAS Synology DS1621+
Message 7 of 54
teksmith
Aspirant

Re: Unauthorized Network Access

The R7000 doesn't give you access to any firewall settings other than to make NAT secure or open.

I called Netgear support and they said those log messages only indicated attempts, but the attempts failed. I asked if they were certain as I also thought it looked like someone was successfully accessing my network drive. They said they were sure.

I will disable the UPnP and see what happens. The unauthorized access is still happening as I type.
Thanks.
Message 8 of 54
fordem
Mentor

Re: Unauthorized Network Access

I have yet to see a firewall that didn't "give access to the settings" (and I don't have an R7000 either) - it just may not do it the way you expect - if you can do a port forward on the R7000 (and I'm pretty sure you can), you just opened a port that was previously closed, so that was a firewall setting that was changed. It may not give you a great deal of control - what we term granularity - in that you may not be able to determine who can access once the port has been opened, but, you gets what you pays for, and that's the reason none of my Netgear equipment is from their consumer line.

Give a man a fish, feed him for a day
Teach a man to fish, feed him for life.
Message 9 of 54
teksmith
Aspirant

Re: Unauthorized Network Access

Yes, the R7000 does provide port forwarding, and a few other security related features, but none are currently in use. Netgear documentation indicates that the firewall settings are not accessible. I imagine there is some sort of craftsperson access that only their engineers can get into to modify.
Message 10 of 54
fordem
Mentor

Re: Unauthorized Network Access

What we have here is a failure to understand that every one of those "security settings" is a firewall setting - my point simply is that they are accessible.

Give a man a fish, feed him for a day
Teach a man to fish, feed him for life.
Message 11 of 54
R01k
Follower

Re: Unauthorized Network Access

I also see a few entries labeled "LAN access from remote" on my logs. In my case there are IPs from different countries (spoofed?) accessing the port 54539 in my laptop. However, my antivirus network monitor shows that port as closed. Maybe the logs actually show attempts, as Netgear says.
Message 12 of 54
fordem
Mentor

Re: Unauthorized Network Access

When you see the "LAN access from remote" log entry, the firewall/router HAS permitted access - the request was sent to the laptop - whether or not your laptop allows the access is a completely different matter. See if the laptop anti-virus network monitor allows you to log/show blocked attempts and you'll see what I'm talking about.

Give a man a fish, feed him for a day
Teach a man to fish, feed him for life.
Message 13 of 54
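
Added example, not part of the thread: a small Python parser for the log format quoted above that groups "LAN access from remote" entries by internal host and port, so each inbound mapping the router is honouring (port forward, UPnP or DMZ) can be audited. The sample lines are a subset of the log posted earlier in this thread; the function names and the burst thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Subset of the router log posted earlier in this thread.
SAMPLE = """\
[Admin login] from source 192.168.1.2, Wednesday, Nov 26,2014 18:13:10
[LAN access from remote] from 129.253.8.24:58097 to 192.168.1.7:80, Wednesday, Nov 26,2014 18:01:46
[LAN access from remote] from 129.253.8.24:53057 to 192.168.1.10:80, Wednesday, Nov 26,2014 17:58:00
[LAN access from remote] from 194.150.11.201:53395 to 192.168.1.9:22, Wednesday, Nov 26,2014 17:47:33
[LAN access from remote] from 194.150.11.201:52480 to 192.168.1.9:22, Wednesday, Nov 26,2014 17:47:29
[LAN access from remote] from 194.150.11.201:52158 to 192.168.1.9:22, Wednesday, Nov 26,2014 17:47:28
[LAN access from remote] from 194.150.11.201:51240 to 192.168.1.9:22, Wednesday, Nov 26,2014 17:47:25
[LAN access from remote] from 194.150.11.201:50858 to 192.168.1.9:22, Wednesday, Nov 26,2014 17:47:23
[LAN access from remote] from 194.150.11.201:49736 to 192.168.1.9:22, Wednesday, Nov 26,2014 17:47:20
"""

LINE_RE = re.compile(
    r"\[LAN access from remote\] from (?P<src>[\d.]+):\d+ "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+), \w+, "
    r"(?P<ts>\w{3} \d{2},\d{4} \d{2}:\d{2}:\d{2})"
)

def summarize(log_text):
    """Group forwarded inbound connections by (internal IP, port)."""
    groups = defaultdict(lambda: {"hits": 0, "sources": set(), "times": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # DHCP, admin login and other entry types are skipped
        g = groups[(m["dst"], int(m["dport"]))]
        g["hits"] += 1
        g["sources"].add(m["src"])
        g["times"].append(datetime.strptime(m["ts"], "%b %d,%Y %H:%M:%S"))
    return dict(groups)

def bursts(summary, min_hits=5, window_s=60):
    """Mappings that received min_hits connections within window_s seconds."""
    flagged = []
    for key, g in summary.items():
        t = sorted(g["times"])
        if any((t[i + min_hits - 1] - t[i]).total_seconds() <= window_s
               for i in range(len(t) - min_hits + 1)):
            flagged.append(key)
    return sorted(flagged)

if __name__ == "__main__":
    for (ip, port), g in sorted(summarize(SAMPLE).items()):
        print(f"{ip}:{port} hits={g['hits']} sources={sorted(g['sources'])}")
    print("bursts:", bursts(summarize(SAMPLE)))
```

Each key in the summary is an internal address and port that the router forwarded traffic to, which is the list to compare against the port forwarding and UPnP tables in the router's admin pages.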
R01k
Follower

Re: Unauthorized Network Access

I've got it. It's peers connecting to BitTorrent. I'm using a random port each time BitTorrent opens and UPnP.
Message 14 of 54
wiko
Novice

Re: Unauthorized Network Access

I have a slightly different problem. After updating to V1.0.3.80_1.1.38 today (not seeing the instructions) it nevertheless worked ok, but I was unable to then log in to the Router and had to reset it. I shortly thereafter set up a new password and some basic security settings. Passphrase had not changed nor any IP Addresses of my 8 allowed connected devices.

Anyway just reading the LOG I noted the following entry only 56/100 seconds after the firmware was set up and prior to eventually logging in with a new password:

[Remote login] from source fe80::9c60:fe13:cd7d:1d27, Sunday, Apr 17,2016 23:40:54

(wrong date and time - date and times then changed to correct date and time after my first log-in) There were quite a few such Remote logins from that "un-normal" unknown address even after I had made initial security changes. The last one (so far after I downloaded the log) was over 2 hours after my initial log-in.

Does that mean some stranger got into my system and is still able to do so?
Message 15 of 54
MatM
Guide

Re: Unauthorized Network Access

It's good you checked this because I have the same problem!

[LAN access from remote] from 218.77.79.43:60668 to 192.168.1.3:80, Tuesday, Dec 09,2014 21:48:49
[LAN access from remote] from 124.232.142.220:40938 to 192.168.1.3:53, Tuesday, Dec 09,2014 20:57:08
[LAN access from remote] from 98.126.135.138:7000 to 192.168.1.3:80, Tuesday, Dec 09,2014 18:58:04
[LAN access from remote] from 61.160.247.7:6000 to 192.168.1.3:80, Tuesday, Dec 09,2014 17:02:44
[LAN access from remote] from 61.160.224.128:57767 to 192.168.1.3:80, Tuesday, Dec 09,2014 16:35:43
[LAN access from remote] from 5.196.225.158:45895 to 192.168.1.3:53, Tuesday, Dec 09,2014 15:15:21
[LAN access from remote] from 46.45.178.250:35219 to 192.168.1.3:53, Tuesday, Dec 09,2014 15:15:16
[LAN access from remote] from 124.232.142.220:56763 to 192.168.1.3:53, Tuesday, Dec 09,2014 14:29:53

The internal connection is my Xbox One and I have port forwarded port 80 and 53 to it. But today my Xbox One was not online. It has no power - how can you connect to a device which is NOT online?

https://support.xbox.com/en-US/xbox-one/networking/network-ports-used-xbox-live

If you see, port 53 (DNS) and port 80 (HTTP) should be forwarded. I have now disabled both - because I think I do not have to forward these two ports.
Message 16 of 54
fordem
Mentor

Re: Unauthorized Network Access

All that entry means is that a connection request was made on port 80 (or 53) and the router passed the entry through as configured - whether or not there is a device at the address to receive the request is of little relevance. I can see no reason to forward port 53 - unless you're running a publically accessible DNS server which is something that would be very unusual on a NATted network, port 80 on the other hand is for a web server, so that one is fairly common.

Give a man a fish, feed him for a day
Teach a man to fish, feed him for life.
Message 17 of 54
MatM
Guide

Re: Unauthorized Network Access

OK, I understand - but if port 80 is needed for a web server it's not needed for an Xbox? Or does an Xbox work like a web server?
Message 18 of 54
R01k
Follower

Re: Unauthorized Network Access

wiko wrote:
I have a slightly different problem..


fe80::9c60:fe13:cd7d:1 is an IPv6 Link-Local Address, which means that the accessing device was in your local network.
Message 19 of 54
teksmith
Aspirant

Re: Unauthorized Network Access

I am still seeing these remote accesses all the time. I am not sure I believe Netgear support who indicated they are just attempts. I think they are actually getting to my device. I am not sure why the router would let them through.



[LAN access from remote] from 89.248.171.2:31895 to 192.168.1.16:80, Saturday, Dec 13,2014 12:09:32
[LAN access from remote] from 129.253.8.24:5330 to 192.168.1.16:80, Saturday, Dec 13,2014 12:01:49
Message 20 of 54
MatM
Guide

Re: Unauthorized Network Access

You should DISABLE UPnP and all the Ports you need you should port Forward. Restart your Router then ! I think you have some sort of malware which opens Port 80 via UPnP and because of this people can connect.
Message 21 of 54
R01k
Follower

Re: Unauthorized Network Access

Yes, the router is letting them through. I'd also recommend a deep scan and cleaning of your PC just in case.
Message 22 of 54
NUKLRSOLDR
Guide

Re: Unauthorized Network Access

MatM, so does that mean that when port forwarding for my Xbox One I should not forward port 80 TCP even though it is listed by Xbox as a port to forward? Right now I only have port forwarding set up; DMZ and UPnP are turned off. After playing a few games of Advanced Warfare on Xbox One this is what my logs showed:

[LAN access from remote] from 24.253.151.15:3076 to 192.168.1.8:3076, Friday, Dec 19,2014 12:43:25
[LAN access from remote] from 218.77.79.43:55085 to 192.168.1.8:80, Friday, Dec 19,2014 12:40:42
[LAN access from remote] from 98.212.247.251:3086 to 192.168.1.8:3076, Friday, Dec 19,2014 12:30:36
[LAN access from remote] from 50.138.218.165:55078 to 192.168.1.8:3076, Friday, Dec 19,2014 12:27:26
[LAN access from remote] from 124.232.142.220:39935 to 192.168.1.8:53, Friday, Dec 19,2014 12:25:24
[LAN access from remote] from 72.14.114.34:3121 to 192.168.1.8:3076, Friday, Dec 19,2014 12:18:04
[LAN access from remote] from 209.170.124.118:3075 to 192.168.1.8:3076, Friday, Dec 19,2014 12:17:26
[LAN access from remote] from 65.55.158.119:3544 to 192.168.1.8:3074,

The green line at the top I believe is normal and good for what I was doing, so I deleted all but one of them to show as an example. The rest are questionable to me and were mixed in with all the normal ones. I forward all of the standard ports and also 3075 and 3076 as these are sometimes used by Call of Duty games (and they were being opened when UPnP was enabled previously).
Message 23 of 54
MatM
Guide

Re: Unauthorized Network Access

I'm no expert. But port 80 and port 53 are ports you need outbound. So no inbound connection is needed. Port forward 3076 seems to be OK because Xbox Live uses them if 3075 is not available. I also have an Xbox One and because in another thread someone wrote that he has NO port forwarding on his R7000 I deleted all port forwarding rules. My NAT is open (checked it with my Xbox) and I can take part in parties and I have no issues playing. So I have no port forwarding and no UPnP. On all the old routers I had in the past I had to port forward because my NAT was strict or medium but not open. With the R7000 the NAT is open even with no port forwarding. All my problems with LAN access are gone :)
Message 24 of 54
teksmith
Aspirant

Re: Unauthorized Network Access

MatM wrote:
You should DISABLE UPnP and all the Ports you need you should port Forward. Restart your Router then !
I think you have some sort of malware which opens Port 80 via UPnP and because of this people can connect.


I have done all that. UPnP disabled. No port forwarding. But it looks like people are still getting through. It looks like they are going after my network drives. This seems like a flaw in the router. Otherwise, I have been pretty happy with this router.
Message 25 of 54