Orbi WiFi 7 RBE973

Any need to beef up my security for this?

donawalt
Prodigy

Any need to beef up my security for this?

Hi all, I noticed in my router log this week for the first time, "Remote login failure". I only had about 5 of them for the week. Here is a sample, the IP addresses are all different countries - Macedonia, Netherlands, Russia....maybe the IP addresses are spoofed too? I don't know. Example:

 

[Remote login failure] from source 185.83.254.56, Wednesday, Jul 05,2023 18:04:58

 

So my question is this - what are the best practices to ensure I am protected from these? I have a very secure long obscure password for admin access to the router and separately for the WiFi password (which I don't think this is). Guest network is not enabled.  I have no port forwarding or triggering, no DDNS, VPN, static routes, or VLAN/Bridge. 

 

Anything else I should check or set up? Thanks! 

Message 1 of 31

Accepted Solutions
FURRYe38
Guru

Re: Any need to beef up my security for this?

Message 30 of 31

All Replies
F_V
Luminary
Luminary

Re: Any need to beef up my security for this?

I have one piece of security advice.  DO NOT allow router admin page access from the WAN side.  In other words, only allow logins from a device that is already associated with your LAN.  If you allow outside access, the router is going to get hammered 24/7/365.  If you are seeing login failures that you can't explain from within your network, it's already too late 🙂

 

That example IP you pasted has been very very busy, port scans, all sorts of random connection attempts going back months.

Message 2 of 31
donawalt
Prodigy

Re: Any need to beef up my security for this?

Thanks @F_V for the tip. Question for you though, how do I prevent router admin page access from the WAN side? Since the router admin page has an internal IP address, don't I have to explicitly map that thorough? Or does this mean turn off Anywhere Access in the Orbi app?

 

Thanks!

Message 3 of 31
FURRYe38
Guru

Re: Any need to beef up my security for this?

FYI, NG removed WAN side support for access to the RBRs web page about two years ago. 

Message 4 of 31
F_V
Luminary
Luminary

Re: Any need to beef up my security for this?

Eep!  So maybe you're running VERY old firmware that still allows WAN side access?  What Orbi Model and firmware version are you running?  If Netgear disabled WAN side access, not sure how would someone get a "remote" login failure to the Orbi admin pages from a public IP.

Message 5 of 31
FURRYe38
Guru

Re: Any need to beef up my security for this?

He's not.

 

Probably just an attempt on his WAN side that someones maybe try to gain access and can't and the system is just reporting it. Seen lots of these over the years. Not much we can do about them. Just the system reporting what it see's and is blocking is all.

Message 6 of 31
donawalt
Prodigy

Re: Any need to beef up my security for this?

Yeah so I wonder what remote login failure means?

Message 7 of 31
FURRYe38
Guru

Re: Any need to beef up my security for this?

Just means the system saw what was happening, blocked it and reported it. 

Message 8 of 31
F_V
Luminary
Luminary

Re: Any need to beef up my security for this?

I'm all for logging and reporting failed login attempts, but how in the world would there be an attempt at all?  You should not be seeing public IPs knocking on the router's door since it's only accessible from the LAN side of the network, or through Anywhere Access, which is only on the router owners preauthenticated devices.

 

I'd say if you are running up to date firmware, and you don't even see the option for remote management anymore under Advanced/Advanced Setup/Remote Management, and you aren't doing some funky port forwarding, I'd reset the device and reflash the latest firmware.  I'd also turn off Anywhere Access, but that's just me, perhaps you have a need to manage the Orbi when you are away from your home.  If you don't have that need, I'd certainly turn that off as well.

Message 9 of 31
donawalt
Prodigy

Re: Any need to beef up my security for this?

I did have Anywhere Access running on two mobile devices, and I did just disable it as I don't use it. I suspect what this may be from what I have read, is software-generated port scanning. These bad actors in the world run software that just pings IP addresses and ports on those IPs looking for holes. Only when the software discovers some weakness then an operator amy get involved to exploit. While I haven't seen these messages for a long time if ever, I am on the beta publicly announced (which is running great!), maybe they are watching for probes now more carefully or something - yet don't have the perfect message that would not be confusing. I do know in years past with different routers than the Orbi 850, I would see tons of port scans from all over the world, so I bet they are still out there of course!

 

The remote management page doesn't exist any more and I am current on everything, plus I don't have anything special set up - no Guest network, port forwarding, triggering, DDNS, VPN, static routes, or VLAN/Bridge. 

Message 10 of 31
FURRYe38
Guru

Re: Any need to beef up my security for this?

Possible someone or something is trying the WAN IP address and port number of historical configurations that worked when NG supported WAN side remote access to the routers web page. Since NG removed that, I presume some are still trying to attempt that config but failing due to it not being there and the system is just seeing this and reporting it. There are port scanners out there. Again, just the system reporting it and should be mostly innocuous. 

Message 11 of 31
F_V
Luminary
Luminary

Re: Any need to beef up my security for this?

We are in total agreement about good and bad actors constantly scanning all IPs of the world looking for vulnerabilities.  It's been happening for decades and is only getting worse.  This still wouldn't explain why you'd get a login failure from Macedonia or wherever since you should not have an externally facing admin interface for them to attempt to log in on...  If there is no port open and no admin interface to log in to, how are they failing to log in...  Would be silly to log login attempts to a webserver that doesn't exist on a port that's closed.

 

I'm just curious, have you tried going to your WAN IP from a device that's not on your LAN?  Get your public IP and type it in to a browser on your phone when you have phone wifi turned off...

Message 12 of 31
donawalt
Prodigy

Re: Any need to beef up my security for this?

Whoa you nailed it! I am on 5G/AT&T with all WiFi turned off. I typed in my public IP address and got this screen (below). I typed a bogus password, and I got the Remote login failure! I typed my real password and got in! Anywhere access is disabled on my phone too. @Furry what do you think? @F_V can you try this with your FW?

 

IMG_6934.jpeg

Message 13 of 31
F_V
Luminary
Luminary

Re: Any need to beef up my security for this?

Well it's unfortunate to hear that the beta firmware has once again opened the WAN side admin access.  My guess is this is on purpose to make it easier for them test stuff and track down issues.  You may have even agreed to this in some beta firmware EULA, but who knows.  They won't offer it to me so I couldn't say either way.

 

On the bright side they are showing failed/successful login attempts on the WAN, so there is some transparency there.

Message 14 of 31
FURRYe38
Guru

Re: Any need to beef up my security for this?

What do you see under Advanced Tab/Admin/Web Services or Router Management? Should be something about enable HTTPS? 

I'll see if I can get some info from NG on this. 

Should not be seeing this I believe. 

@KevinLiT @Straq 


@donawalt wrote:

Whoa you nailed it! I am on 5G/AT&T with all WiFi turned off. I typed in my public IP address and got this screen (below). I typed a bogus password, and I got the Remote login failure! I typed my real password and got in! Anywhere access is disabled on my phone too. @Furry what do you think? @F_V can you try this with your FW?

 

IMG_6934.jpeg


 

Message 15 of 31
donawalt
Prodigy

Re: Any need to beef up my security for this?

Thanks @FURRYe38 should I turn on Enable HTTPS? Any other impacts for doing that?

Message 16 of 31
donawalt
Prodigy

Re: Any need to beef up my security for this?

@FURRYe38 I just tried turning on "Enable HTTPS", and (1) I still get to the router login screen via the public ip address and cellular, and (2) I got these errors when I connected to the router web page from a device on the network (which did connect successfully, but complaining about this):

Screenshot 2023-07-09 at 2.58.34 PM.png

Message 17 of 31
FURRYe38
Guru

Re: Any need to beef up my security for this?

OK. Thank you Don. 

I've sent this on to NG. Wont see anything probably until tomorrow.

I've asked some others to confirm this as well on there systems. 

 

 

 

Message 18 of 31
donawalt
Prodigy

Re: Any need to beef up my security for this?

Thanks @FURRYe38 . I'll stay tuned, if there's anything you want me to try/change/test etc let me know!

Message 19 of 31
F_V
Luminary
Luminary

Re: Any need to beef up my security for this?

Enabling HTTPS just encrypts the connection between your device and the webserver on your router.  IF you have to have remote management of your Orbi, HTTPS is the only way to go, however I'd strongly reccomend you disable remote management of the Orbi alltogether if you are able.  Leaving that door open on the internet facing side of your Orbi is an absolutely terrible idea, and there are many instances of vendor devices being owned by bad actors over the years.  I was happy to see that Orbi removed the option a few years ago, however it seems to be back now.  Perhaps this is just for the beta, but only Netgear can answer that question.

Message 20 of 31
donawalt
Prodigy

Re: Any need to beef up my security for this?

Yeah, I have to assume it's a mistake/bug. I have been reading about this, if I understand it properly; when they killed the Remote Management, they closed a port used for remote management permanently. In my own words, Anywhere Access goes through their cloud and accesses something inside the router/firmware, so they believe it's more secure - there is no port open anymore. I did find the port number formerly used and fiddled with it/tested it, and I am confident that port is closed. So that's one consolation for the short term. As you can see @FURRYe38 has notified NG and agrees this should not be, so I suspect it will get cleared up! Thanks @F_V for the reply.

Message 21 of 31
F_V
Luminary
Luminary

Re: Any need to beef up my security for this?

Either a mistake or an on purpose for testing or tracking things down with the beta you are running.  The remote management port is 80 (unencrypted web traffic), and you selecting HTTPS just redirect this to port 443 (encrypted web traffic presumably).  Not sure what you mean by you fiddled with the port and it's closed.  If you can get to your router from the internet in a browser port 80 and/or port 443 are certainly open for business.  Glad @FURRYe38 is tracking it down, he's an invaluable resource on this forum!  

Message 22 of 31
FURRYe38
Guru

Re: Any need to beef up my security for this?

I checked my MK system and it's not reproducing. However my 960 is. Oy vay. 🙄

 

Message 23 of 31
FURRYe38
Guru

Re: Any need to beef up my security for this?

@F_V Can you confirm this with your system as well or is it in AP mode? 


@F_V wrote:

Enabling HTTPS just encrypts the connection between your device and the webserver on your router.  IF you have to have remote management of your Orbi, HTTPS is the only way to go, however I'd strongly reccomend you disable remote management of the Orbi alltogether if you are able.  Leaving that door open on the internet facing side of your Orbi is an absolutely terrible idea, and there are many instances of vendor devices being owned by bad actors over the years.  I was happy to see that Orbi removed the option a few years ago, however it seems to be back now.  Perhaps this is just for the beta, but only Netgear can answer that question.


 

Message 24 of 31
FarmerBob1
Luminary

Re: Any need to beef up my security for this?

I tend to get a lot of DDoS Inquiries and other nefarious listings in the logs. AND since my Hopper3s are contacting Russia, Belarus and other Soviet Block countries. So extraneous access for me is not a priority.

Message 25 of 31
Top Contributors
Discussion stats
  • 30 replies
  • 13722 views
  • 3 kudos
  • 4 in conversation
Announcements

Orbi 770 Series