Re: RAX120 login exposed?
RAX120 login exposed?
Re: RAX120 login exposed?
You are logging into the router, not an internet site; it's not such a concern, it's been like this for years. If it was a banking site it would be different, but it's directly into the machine and with a strong password it is secure. HTTPS would be an improvement nevertheless.
Re: RAX120 login exposed?
@Straitpipe wrote:
Having the login prompt for the router exposed to the internet ....
It isn't. See above.
"You are logging into the router not an internet site...."
Re: RAX120 login exposed?
Believe me, I am with you on HTTPS, but as far as I know you can't; HTTPS works with some models but mostly messes up. I would do what many of us have been doing for years and mention this to Netgear and wait for nothing to happen. At the end you can use .com or 198.162.1.* whatever * is, either default or what you have changed it to. For now it's the best you will get, and it's not considered by Netgear to be a problem... it's been the same for years, sadly, as you can see here.
https://community.netgear.com/t5/Nighthawk-WiFi-Routers/Unencrypted-dashboard-Login-No-https/td-p/13...
Re: RAX120 login exposed?
Asus have HTTPS but you are still logging into your router like logging into a printer, not an internet site, and with a strong password you should be fine. You are using a browser to log into a router's GUI, not Amazon. Even though I would still prefer HTTPS.
Re: RAX120 login exposed?
So there is NO way to disable the router's login from an IP address that is outside of your local network (any IP address on the global) and only allow local administration of the device?
Re: RAX120 login exposed?
@Straitpipe wrote:
login from an IP address that is outside of your local network (any IP address on the global)
Have you tried doing that?
Something tells me that you haven't understood all of the messages posted so far.
You need to enable remote access to use an IP address on the WAN that is outside your local network. That does use https as well as a different username and password.
Re: RAX120 login exposed?
Perhaps this group hasn't understood my post.
In very clear terms:
- Remote management is DISABLED in the router's web GUI.
- From an external IP address, in a browser a user can go to the HTTP external IP address (WAN IP) of the router.
- It exposes the login prompt for the router which enables remote management which should be disabled as per the first bullet.
Re: RAX120 login exposed?
If you look in remote management after logging in, it's not on, because remote management is only used by the Nighthawk app amongst other things. The link the router provides is a way to log into its interface directly; it's not facing the internet and it's not remote management in the way you are thinking. Netgear has always offered a link to the GUI interface via a browser straight into the router; it's not going via the internet and remote management is not in use. How else would you log in?
Re: RAX120 login exposed?
When you log in locally you use the internal LAN IP address, something like http://192.168.0.1. I am talking about when I am NOT ON the local LAN and I use http://WANIP/m/
This URL allows remote access to the router using the WAN IP from a location like my local coffee shop.
I am asking how to disable remote access from an external IP address to my router. I would only like to admin my router from within my own network.
Re: RAX120 login exposed?
As no one seems to understand the issue, perhaps you can convince people by describing the steps they need to take to reproduce this behaviour.
There are some serious informed people here. (Count me out there.) That no one gets the point, despite the number of times you have put it forward, is puzzling.
Re: RAX120 login exposed?
Let's start over. I will oversimplify this. The network would look like this (using incorrect IPs so don't try and access them).
RAX120 router with Internal network IP of router is 192.168.0.1. This is the IP used for accessing the router's web GUI.
The External WAN IP of router is 71.71.40.5 which is connected to an internet provider like Spectrum, Xfinity (it doesn't matter which one).
I go to my local Starbucks and buy an $8 coffee. I boot up my laptop and connect to the Starbucks network. I go into Chrome and type in.
This brings up a login prompt for my router. How do I disable the ability to remotely access the login of my router using the above URL?
It can't be any simpler than that.
(latest firmware, no port forwarding, no port trigger, remote management disabled, using a very strong password, etc.)
Re: RAX120 login exposed?
Try going to the web UI and Enable remote management and then disable remote management. It sounds similar to the QoS issue where QoS is enabled even though it shows as disabled in the UI. The only way to truly disable it is to enable it.... wait 30 seconds... then disable it... after that it may be truly disabled instead of just showing as disabled in UI.
@Straitpipe wrote:
Let's start over. I will oversimplify this. The network would look like this (using incorrect IPs so don't try and access them).
RAX120 router with Internal network IP of router is 192.168.0.1. This is the IP used for accessing the router's web GUI.
The External WAN IP of router is 71.71.40.5 which is connected to an internet provider like Spectrum, Xfinity (it doesn't matter which one).
I go to my local Starbucks and buy an $8 coffee. I boot up my laptop and connect to the Starbucks network. I go into Chrome and type in.
This brings up a login prompt for my router. How do I disable the ability to remotely access the login of my router using the above URL?
It can't be any simpler than that.
(latest firmware, no port forwarding, no port trigger, remote management disabled, using a very strong password, etc.)
Re: RAX120 login exposed?
You can't, and with a strong password it should not matter. It's like saying can I only want to log into Amazon via my own network, not the coffee shop. The answer is no but that's down to you; Amazon want people to log in from anywhere, and Netgear want people to have access to their routers from anywhere too (should have HTTPS), although even that's not as secure as you think, just have a google. The URL is there so you can log in and check your router or update settings (never leave it to auto update, that can be a nightmare) from any source, although if you have set up email notifications that should save you having to do that.
The case here is don't log in from untrusted networks, don't store the password in your browser and only log in from your home network, now that's not difficult. It's like logging into a banking site from a wifi point in any shop, you just don't do it. You could log in using a VPN possibly, that would be better, but if you are not logging in nobody else can log in either; there are millions of Netgear routers and people tend to access them from own home networks, or the app, which I avoid. Yes, HTTPS should be used, but also using common sense from where you log in goes a long way. People are not trying to log into every Netgear router all the time; they look for backdoors in that show in logs, hence keep your security up to date. Netgear routers also now force you to use a more complex password during set up. Basically I understand what you're asking for but that isn't available, and won't be. Netgear are lagging with an SSL login but you can't turn that feature off, just as you can't turn off the ability to log in to Amazon from anywhere in the world, or stop someone trying to use a brute force attack to get your Amazon password. Maybe suggest Netgear use 2FA, and HTTPS. Until then use a complex password and log in from public wifi access points, only log in from your home. Also make sure your firmware is always up to date to make sure bad actors can't break in easily anyway in ways that are much more than a device's primary login.
Re: RAX120 login exposed?
* and don't log in from public wifi access points
Re: RAX120 login exposed?
Just a thought, what firmware are you using? With remote management turned off you should not be able to log in unless you enable remote management. Have you updated to the latest Hotfix and done a factory reset? With remote management turned on you can define what device/devices can access your router, maybe that would be preferable as a workaround. Also, as mentioned everywhere online, have a complicated password, they really do help.
https://kb.netgear.com/976/Enabling-your-router-s-remote-management
Re: RAX120 login exposed?
I have done a factory reset. I did try enabling remote management. Then waiting and disabling similar to a previous defect.
I am using firmware V1.0.1.90.
The default remote management URL for Netgear is https://ipaddress:8443. The URL I am referring to which is exposed is different, hence the original request.
If people are responding with responses like "it's ok to have it exposed", "it's like using Amazon"... thank you, but please refrain from responding, as exposing administrative interfaces to routers from external network locations is not even close to the same thing as a publicly facing site.
Re: RAX120 login exposed?
I totally understand what you are saying. Just to clarify, are you actually able to login or is the router just displaying the username/password screen and would actually reject login attempts? If you are actually able to login to the router from an external network with remote management turned off, it should be marked as a security bug in firmware.
I cannot test this because I run the router in AP mode which greys out remote management.
Re: RAX120 login exposed?
@Straitpipe wrote:
The default remote management url for Netgear is https://ipaddress:8443.
This is, of course, also the entry point through Remote Management itself, but with the address
https://[username].mynetgear.com:8443
How would someone else find your WAN address from a coffee shop?
Or is it just a random attack thing?
Re: RAX120 login exposed?
If you have a fixed WAN address from your ISP it probably isn't difficult for someone to find out your specific IP address.
However, I'd imagine there are lots of tools out there that would just cycle through random IP address & look for an active response.
If the router responds to a request for WAN IP & opens a login page then you are wide open to a brute force attack.
Accepted, someone could only modify your router settings & mess up your network but I guess they can also see connected devices, change your password, open ports, enable port forwarding etc.
If the router is set to "Remote Management Disabled" then I, like the OP, would not expect the router to respond at all from outside the local network....
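
Added example (not written by any poster in this thread and not NETGEAR code): a check of the expectation stated above, meant to be run from a network outside your LAN against your own router's WAN address. It requests the two entry points named in the thread (`http://WANIP/m/` and `https://WANIP:8443`) and reports whether anything answers and whether the answer looks like a login prompt; the function names and the login-page heuristics are assumptions of this example.

```python
import http.client
import ssl

def classify(status, headers, body):
    """Classify one HTTP response from a management endpoint (heuristic)."""
    names = {k.lower() for k, _ in headers}
    text = body.lower()
    if status == 401 and "www-authenticate" in names:
        return "login-prompt"              # HTTP auth challenge
    if 'type="password"' in text or "type='password'" in text:
        return "login-prompt"              # HTML login form
    if status in (301, 302, 303, 307, 308):
        return "redirect"
    return "other-response"

def probe(host, port, path="/", tls=False, timeout=5.0):
    """Return (result, status); result is 'closed' when nothing usable answers."""
    try:
        if tls:
            # Router admin certificates are normally self-signed. Verification is
            # switched off because only reachability is tested; nothing secret is sent.
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
        else:
            conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read(65536).decode("latin-1")
        result = classify(resp.status, resp.getheaders(), body)
        conn.close()
        return result, resp.status
    except (OSError, http.client.HTTPException):
        return "closed", None              # refused, filtered, timed out, or not HTTP

def audit(wan_ip):
    """Probe the plain-HTTP /m/ page and the 8443 remote-management port."""
    endpoints = [("http", 80, "/m/", False), ("https", 8443, "/", True)]
    return {f"{scheme}://{wan_ip}:{port}{path}": probe(wan_ip, port, path, tls)
            for scheme, port, path, tls in endpoints}

if __name__ == "__main__":
    import sys
    # Usage: python3 wan_admin_check.py <your-own-WAN-IP>
    for url, (result, status) in audit(sys.argv[1]).items():
        print(f"{url}: {result} (HTTP {status})")
```

The expectation in the post above corresponds to both entries reporting `closed`; a `login-prompt` result on either URL means the admin interface is answering from the WAN side.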
Re: RAX120 login exposed?
Have things changed with the new firmware update? 1.0.1.108? As said, if you can actually log in then report this as a security bug ASAP; if you can just see an HTTP login but can't actually log into the router itself then, as much of a pain as it is, you are going to have to wait till Netgear decides to use HTTPS. Contact them as many of us have and complain.