
Re: Unwanted Remote Login To My LAN

Sealine
Tutor

Unwanted Remote Login To My LAN

I keep getting LAN Access from remote entries in the log on my Orbi RBR20.
UPnP is disabled. I have added some of the IP addresses to the blocked list on my NAS.

What can I do/check please?
Message 1 of 13

Accepted Solutions
CrimpOn
Guru

Re: Unwanted Remote Login To My LAN

You are, of course, correct.  The NAS can be programmed to be sophisticated about who to admit (and who to reject).  The Orbi is a more simpleminded gatekeeper.  It is either "let people knock on this door" or "turn everybody away." Who gets admitted is up to whoever is running the door.

 

If you tell Orbi to allow connection to the NAS (or any other local resource), it is up to the resource to determine who should (and who should not) be granted access.


Message 12 of 13

All Replies
CrimpOn
Guru

Re: Unwanted Remote Login To My LAN

Can you take a screen shot of some of these entries?  I'd like to see the exact wording of the message.

Message 2 of 13
Sealine
Tutor

Re: Unwanted Remote Login To My LAN

Yep, here you go.  This is only 1 day's worth:

 

[LAN access from remote] from 83.143.86.62:43352 to 192.168.0.4:80, Thursday, May 28, 2020 23:57:42
[LAN access from remote] from 83.143.86.62:43276 to 192.168.0.4:80, Thursday, May 28, 2020 23:57:41
[LAN access from remote] from 185.101.33.146:50412 to 192.168.0.4:80, Thursday, May 28, 2020 23:57:40
[LAN access from remote] from 196.52.43.84:34247 to 192.168.0.4:554, Thursday, May 28, 2020 23:47:02
[LAN access from remote] from 193.42.99.162:57408 to 192.168.0.4:80, Thursday, May 28, 2020 23:37:44
[LAN access from remote] from 193.42.99.162:56173 to 192.168.0.4:80, Thursday, May 28, 2020 23:37:43
[LAN access from remote] from 164.52.24.162:47400 to 192.168.0.4:443, Thursday, May 28, 2020 23:31:21
[LAN access from remote] from 164.52.24.162:50391 to 192.168.0.4:443, Thursday, May 28, 2020 23:31:17
[LAN access from remote] from 164.52.24.162:42945 to 192.168.0.4:443, Thursday, May 28, 2020 23:30:58
[LAN access from remote] from 156.231.45.78:42659 to 192.168.0.4:80, Thursday, May 28, 2020 23:26:29
[LAN access from remote] from 134.19.215.196:54912 to 192.168.0.4:80, Thursday, May 28, 2020 23:23:24
[LAN access from remote] from 134.19.215.196:54895 to 192.168.0.4:80, Thursday, May 28, 2020 23:23:23
[LAN access from remote] from 134.19.215.196:42270 to 192.168.0.4:80, Thursday, May 28, 2020 23:23:22
[LAN access from remote] from 193.42.99.162:52223 to 192.168.0.4:80, Thursday, May 28, 2020 23:13:48
[LAN access from remote] from 193.42.99.162:51073 to 192.168.0.4:80, Thursday, May 28, 2020 23:13:47
[LAN access from remote] from 185.200.118.89:54597 to 192.168.0.4:1194, Thursday, May 28, 2020 23:05:29
[LAN access from remote] from 194.26.29.21:55544 to 192.168.0.4:5000, Thursday, May 28, 2020 22:50:08
[LAN access from remote] from 81.42.250.190:8425 to 192.168.0.4:80, Thursday, May 28, 2020 22:36:40
[LAN access from remote] from 185.202.2.149:62795 to 192.168.0.4:5000, Thursday, May 28, 2020 22:12:07
[LAN access from remote] from 193.42.99.162:58099 to 192.168.0.4:80, Thursday, May 28, 2020 22:03:51
[LAN access from remote] from 195.54.161.51:56188 to 192.168.0.4:5000, Thursday, May 28, 2020 21:16:10
[LAN access from remote] from 193.42.99.162:54892 to 192.168.0.4:80, Thursday, May 28, 2020 21:08:45
[LAN access from remote] from 39.134.26.20:46460 to 192.168.0.4:80, Thursday, May 28, 2020 20:34:11
[LAN access from remote] from 203.128.5.74:53031 to 192.168.0.4:80, Thursday, May 28, 2020 20:21:36
[LAN access from remote] from 203.128.5.74:53032 to 192.168.0.4:80, Thursday, May 28, 2020 20:21:35
[LAN access from remote] from 203.128.5.74:48938 to 192.168.0.4:80, Thursday, May 28, 2020 20:21:34
[LAN access from remote] from 80.82.64.46:64656 to 192.168.0.4:5001, Thursday, May 28, 2020 20:16:06
[LAN access from remote] from 93.174.95.73:45907 to 192.168.0.4:5000, Thursday, May 28, 2020 20:14:08
[LAN access from remote] from 168.0.130.132:10876 to 192.168.0.16:88, Thursday, May 28, 2020 20:13:17
[LAN access from remote] from 170.106.37.189:42055 to 192.168.0.4:443, Thursday, May 28, 2020 19:47:49
[LAN access from remote] from 61.147.103.136:37752 to 192.168.0.4:80, Thursday, May 28, 2020 19:30:54
[LAN access from remote] from 61.147.103.136:54301 to 192.168.0.16:88, Thursday, May 28, 2020 19:30:53
[LAN access from remote] from 195.54.160.130:46397 to 192.168.0.4:80, Thursday, May 28, 2020 19:27:25
[LAN access from remote] from 185.94.88.158:39878 to 192.168.0.4:80, Thursday, May 28, 2020 19:19:45
[LAN access from remote] from 198.108.67.80:16648 to 192.168.0.4:80, Thursday, May 28, 2020 19:19:43
[LAN access from remote] from 61.219.11.153:65223 to 192.168.0.4:443, Thursday, May 28, 2020 19:01:01
[LAN access from remote] from 208.91.109.50:49465 to 192.168.0.4:80, Thursday, May 28, 2020 18:39:39
[LAN access from remote] from 208.91.109.50:65029 to 192.168.0.4:80, Thursday, May 28, 2020 18:39:38
[LAN access from remote] from 208.91.109.50:64309 to 192.168.0.4:80, Thursday, May 28, 2020 18:39:37
[LAN access from remote] from 89.248.168.217:59151 to 192.168.0.4:5000, Thursday, May 28, 2020 18:18:27
[LAN access from remote] from 216.243.31.2:41979 to 192.168.0.4:443, Thursday, May 28, 2020 18:16:14
[LAN access from remote] from 195.142.115.111:49139 to 192.168.0.4:443, Thursday, May 28, 2020 18:15:15
[LAN access from remote] from 172.104.161.130:49532 to 192.168.0.4:443, Thursday, May 28, 2020 18:07:51
[LAN access from remote] from 107.6.183.226:59272 to 192.168.0.16:88, Thursday, May 28, 2020 18:04:22
[LAN access from remote] from 107.6.183.228:41322 to 192.168.0.16:88, Thursday, May 28, 2020 18:03:59
[LAN access from remote] from 198.108.67.80:60341 to 192.168.0.4:80, Thursday, May 28, 2020 18:01:12
[LAN access from remote] from 185.10.68.149:41986 to 192.168.0.4:80, Thursday, May 28, 2020 17:59:09
[LAN access from remote] from 192.168.0.9:58120 to 192.168.0.4:5001, Thursday, May 28, 2020 17:53:18
[LAN access from remote] from 192.168.0.9:58119 to 192.168.0.4:5001, Thursday, May 28, 2020 17:53:17
[LAN access from remote] from 192.168.0.9:58118 to 192.168.0.4:5001, Thursday, May 28, 2020 17:53:16
[LAN access from remote] from 192.168.0.9:58117 to 192.168.0.4:5001, Thursday, May 28, 2020 17:53:15
[LAN access from remote] from 192.168.0.9:58116 to 192.168.0.4:5001, Thursday, May 28, 2020 17:53:14
[LAN access from remote] from 192.168.0.9:58115 to 192.168.0.4:5001, Thursday, May 28, 2020 17:53:13
[LAN access from remote] from 192.168.0.9:58114 to 192.168.0.4:5001, Thursday, May 28, 2020 17:53:12
[LAN access from remote] from 192.168.0.9:58111 to 192.168.0.4:5001, Thursday, May 28, 2020 17:53:11
[LAN access from remote] from 192.168.0.9:58109 to 192.168.0.4:5001, Thursday, May 28, 2020 17:53:10
[LAN access from remote] from 192.168.0.9:58108 to 192.168.0.4:5001, Thursday, May 28, 2020 17:53:09
[LAN access from remote] from 192.168.0.9:58106 to 192.168.0.4:5000, Thursday, May 28, 2020 17:53:08
[LAN access from remote] from 198.108.67.80:5386 to 192.168.0.4:80, Thursday, May 28, 2020 17:45:07
[LAN access from remote] from 185.172.1.25:37689 to 192.168.0.4:80, Thursday, May 28, 2020 17:10:44
[LAN access from remote] from 185.172.1.25:20191 to 192.168.0.4:80, Thursday, May 28, 2020 17:10:43
[LAN access from remote] from 162.243.142.154:59806 to 192.168.0.4:80, Thursday, May 28, 2020 16:56:32
[LAN access from remote] from 194.26.29.52:55005 to 192.168.0.16:88, Thursday, May 28, 2020 16:48:46
[LAN access from remote] from 77.247.108.77:61001 to 192.168.0.16:88, Thursday, May 28, 2020 16:39:02
[LAN access from remote] from 189.68.46.2:39693 to 192.168.0.4:80, Thursday, May 28, 2020 16:21:02
[LAN access from remote] from 185.176.27.94:53305 to 192.168.0.4:5000, Thursday, May 28, 2020 16:06:39
[LAN access from remote] from 141.98.10.142:50718 to 192.168.0.4:80, Thursday, May 28, 2020 16:06:21
[LAN access from remote] from 176.113.115.33:57973 to 192.168.0.4:5000, Thursday, May 28, 2020 16:05:11
[LAN access from remote] from 198.199.94.181:44832 to 192.168.0.16:88, Thursday, May 28, 2020 15:56:16
[LAN access from remote] from 198.199.94.181:53026 to 192.168.0.16:88, Thursday, May 28, 2020 15:52:20
[LAN access from remote] from 198.23.217.98:53307 to 192.168.0.4:443, Thursday, May 28, 2020 15:52:01
[LAN access from remote] from 45.141.87.4:1253 to 192.168.0.16:88, Thursday, May 28, 2020 15:33:42
[LAN access from remote] from 128.1.91.205:23771 to 192.168.0.4:443, Thursday, May 28, 2020 15:23:04
[LAN access from remote] from 193.118.53.210:56770 to 192.168.0.4:5001, Thursday, May 28, 2020 15:15:56
[LAN access from remote] from 193.118.53.210:46326 to 192.168.0.4:5000, Thursday, May 28, 2020 15:15:55
[LAN access from remote] from 193.118.53.210:53714 to 192.168.0.4:80, Thursday, May 28, 2020 15:15:54
[LAN access from remote] from 193.118.53.214:25775 to 192.168.0.4:80, Thursday, May 28, 2020 15:15:53
[LAN access from remote] from 37.233.77.228:39274 to 192.168.0.4:443, Thursday, May 28, 2020 15:08:15
[LAN access from remote] from 110.46.13.130:22352 to 192.168.0.4:80, Thursday, May 28, 2020 15:05:25
[LAN access from remote] from 193.42.99.162:62325 to 192.168.0.4:80, Thursday, May 28, 2020 14:50:16
[LAN access from remote] from 193.42.99.162:61624 to 192.168.0.4:80, Thursday, May 28, 2020 14:50:15
[LAN access from remote] from 185.46.218.168:34848 to 192.168.0.4:80, Thursday, May 28, 2020 14:49:20
[LAN access from remote] from 185.46.218.168:38895 to 192.168.0.4:80, Thursday, May 28, 2020 14:49:13
[LAN access from remote] from 208.91.109.50:53325 to 192.168.0.4:80, Thursday, May 28, 2020 14:48:10
[LAN access from remote] from 162.243.135.174:50715 to 192.168.0.4:80, Thursday, May 28, 2020 14:39:07
[LAN access from remote] from 141.212.125.76:46058 to 192.168.0.4:80, Thursday, May 28, 2020 14:10:44
[LAN access from remote] from 141.212.124.76:44657 to 192.168.0.4:80, Thursday, May 28, 2020 14:08:56
[LAN access from remote] from 189.50.86.73:11477 to 192.168.0.4:80, Thursday, May 28, 2020 13:41:09
[LAN access from remote] from 18.184.185.245:46815 to 192.168.0.4:5001, Thursday, May 28, 2020 13:28:08
[LAN access from remote] from 18.184.185.245:25407 to 192.168.0.4:5001, Thursday, May 28, 2020 13:28:07
[LAN access from remote] from 18.184.185.245:10217 to 192.168.0.4:80, Thursday, May 28, 2020 13:28:06
[LAN access from remote] from 18.184.185.245:64530 to 192.168.0.4:80, Thursday, May 28, 2020 13:28:05
[LAN access from remote] from 18.184.185.245:38352 to 192.168.0.4:443, Thursday, May 28, 2020 13:27:50
[LAN access from remote] from 18.184.185.245:9525 to 192.168.0.4:443, Thursday, May 28, 2020 13:27:49
[LAN access from remote] from 195.54.160.130:43750 to 192.168.0.4:443, Thursday, May 28, 2020 13:15:07

 

Message 3 of 13
CrimpOn
Guru

Re: Unwanted Remote Login To My LAN

This is great, thanks.  So 192.168.0.4 and 192.168.0.16 are devices connected to the Orbi LAN?

Message 4 of 13
Mikey94025
Hero

Re: Unwanted Remote Login To My LAN

What is the device at 192.168.0.4? It looks like it is a website serving both HTTP (port 80) and HTTPS (port 443), as well as port 5000 and 5001.

 

If you don't have UPnP then did you explicitly set up port forwarding rules for these ports to this device so that it can be accessed by the outside internet?  Any open port to the internet will be accessed/attacked and logged like this.  It's usually safe as long as your device and the web software it's running keep up with proper security patches and you're only serving web traffic.

Message 5 of 13
CrimpOn
Guru

Re: Unwanted Remote Login To My LAN

I neglected to ask, what device is at 192.168.0.9:58120?

 

It would be helpful to know the IP subnet of the Orbi LAN and how it relates to 192.168.0.x.

Ordinarily, I would not expect 192.168.0.9 to be "Remote" to 192.168.0.x if the Orbi LAN is 192.168.0.x with subnet mask 255.255.255.0

 

Probably a good time to ask

  • What (exactly) the Orbi is connected to (make, model)?
  • Does the public IP address of the Orbi begin with 192.168.0 ?
Message 6 of 13
Sealine
Tutor

Re: Unwanted Remote Login To My LAN

Thanks for all the replies.

 

192.168.0.4 is my Synology NAS

192.168.0.16 is a security camera


@CrimpOn wrote:

This is great, thanks.  So 192.168.0.4 and 192.168.0.16 are devices connected to the Orbi LAN?


 

Message 7 of 13
Sealine
Tutor

Re: Unwanted Remote Login To My LAN


@Mikey94025 wrote:

What is the device at 192.168.0.4? It looks like it is a website serving both HTTP (port 80) and HTTPS (port 443), as well as port 5000 and 5001.

 

If you don't have UPnP then did you explicitly set up port forwarding rules for these ports to this device so that it can be accessed by the outside internet?  Any open port to the internet will be accessed/attacked and logged like this.  It's usually safe as long as your device and the web software it's running keep up with proper security patches and you're only serving web traffic.


Thanks for the reply.

 

192.168.0.4 is my Synology NAS. I had set up port forwarding for Ports 80 and 443, I have temporarily disabled them along with 5000 and 5001.

The Synology NAS is up to date so should be secure. The fright was the message that there was a remote login to my LAN.

Message 8 of 13
Sealine
Tutor

Re: Unwanted Remote Login To My LAN


@CrimpOn wrote:

I neglected to ask, what device is at 192.168.0.9:58120?

 

It would be helpful to know the IP subnet of the Orbi LAN and how it relates to 192.168.0.x.

Ordinarily, I would not expect 192.168.0.9 to be "Remote" to 192.168.0.x if the Orbi LAN is 192.168.0.x with subnet mask 255.255.255.0

 

Probably a good time to ask

  • What (exactly) the Orbi is connected to (make, model)?
  • Does the public IP address of the Orbi begin with 192.168.0 ?

192.168.0.9 is listed as an iPhone......

 

The Orbi is 192.168.0.1

 

Not exactly sure what this means (What (exactly) the Orbi is connected to (make, model)?). Did you want a list of devices on the LAN or the Orbi make and model?

 

No, the public address does not begin with 192.169.0

 

Thank you.

 

Message 9 of 13
CrimpOn
Guru

Re: Unwanted Remote Login To My LAN


@Sealine wrote:

192.168.0.4 is my Synology NAS. I had set up port forwarding for Ports 80 and 443, I have temporarily disabled them along with 5000 and 5001.

The Synology NAS is up to date so should be secure. The fright was the message that there was a remote login to my LAN.


Makes sense now.  Once ports are "open", anyone (anywhere - are you Russians listening?) will discover them as they scan the entire IP address space looking for some computer to respond.  So, they hit your public IP address and probe the "common" ports (21,22,25,80,443, etc.) and the NAS responds with a login page.  Now all they have to do is try user names and passwords until either (a) they get in, or (b) they decide to move on.  Once you close the ports, then the intrusions cease.

 

Sort of cool that the Orbi logs when a connection comes through to the NAS.

 

p.s. sorry about the sick humor.  It's not Russians, it's the NSA.

Message 10 of 13
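
An added example, not part of any post in this thread: one way to triage "[LAN access from remote]" entries by grouping them per forwarded service and separating out sources that are themselves on the LAN. The function names are hypothetical, the 192.168.0.0/24 LAN subnet is an assumption taken from the discussion, and the sample lines are constructed (the outside sources use documentation address ranges).

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: the Orbi LAN is 192.168.0.0/24 (router at 192.168.0.1).
LAN = ipaddress.ip_network("192.168.0.0/24")
ENTRY = re.compile(
    r"^\[LAN access from remote\] from ([\d.]+):(\d+) to ([\d.]+):(\d+),")

# Constructed sample in the log format quoted in the thread.
SAMPLE_LOG = """\
[LAN access from remote] from 203.0.113.7:43352 to 192.168.0.4:80, Thursday, May 28, 2020 23:57:42
[LAN access from remote] from 203.0.113.7:43276 to 192.168.0.4:80, Thursday, May 28, 2020 23:57:41
[LAN access from remote] from 198.51.100.20:47400 to 192.168.0.4:443, Thursday, May 28, 2020 23:31:21
[LAN access from remote] from 198.51.100.99:55544 to 192.168.0.4:5000, Thursday, May 28, 2020 22:50:08
[LAN access from remote] from 203.0.113.50:10876 to 192.168.0.16:88, Thursday, May 28, 2020 20:13:17
[LAN access from remote] from 192.168.0.9:58120 to 192.168.0.4:5001, Thursday, May 28, 2020 17:53:18
[other event] constructed line that must be ignored
"""

def parse(log_text):
    """Yield (source_ip, dest_ip, dest_port) for each matching log line."""
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        try:
            yield (ipaddress.ip_address(m.group(1)),
                   ipaddress.ip_address(m.group(3)), int(m.group(4)))
        except ValueError:
            continue  # malformed address: skip rather than abort the run

def summarize(log_text):
    """Return (exposed, internal).

    exposed:  {(lan_host, port): set of outside source addresses}, i.e. the
              forwarded services that hosts on the internet are reaching.
    internal: LAN addresses that were nevertheless logged as "remote".
    """
    exposed, internal = defaultdict(set), set()
    for src, dst, port in parse(log_text):
        if src in LAN:
            internal.add(str(src))
        else:
            exposed[(str(dst), port)].add(str(src))
    return dict(exposed), sorted(internal)

if __name__ == "__main__":
    exposed, internal = summarize(SAMPLE_LOG)
    for (host, port), sources in sorted(exposed.items()):
        print(f"{host}:{port} reached by {len(sources)} outside address(es)")
    print("LAN clients logged as remote:", internal)
```

Each key in `exposed` is a host and port that the router is passing outside traffic to, so it is the list of forwards to review; `internal` keeps entries such as the 192.168.0.9 ones out of that count.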
Sealine
Tutor

Re: Unwanted Remote Login To My LAN

Thank you for your reply. Ah, right. That is probably what is happening then.

However, the NAS can block IP addresses and can also do it by country. The Russians and Asia are already blocked so I would have thought that they would not get a login response?

Why Orbi doesn’t have this feature is beyond me. It would stop these scans dead.
Message 11 of 13
CrimpOn
Guru

Re: Unwanted Remote Login To My LAN

You are, of course, correct.  The NAS can be programmed to be sophisticated about who to admit (and who to reject).  The Orbi is a more simpleminded gatekeeper.  It is either "let people knock on this door" or "turn everybody away." Who gets admitted is up to whoever is running the door.

 

If you tell Orbi to allow connection to the NAS (or any other local resource), it is up to the resource to determine who should (and who should not) be granted access.

Message 12 of 13
Sealine
Tutor

Re: Unwanted Remote Login To My LAN

OK thanks - love your analogous prose - brilliant.
Message 13 of 13