Firewalla is guessing SSH passwords on my router

Comments

11 comments

  • Firewalla

    Tap into the alarm and see if the direction of the message is reversed. (it should say which device is doing what ...) Do you have the blue+ or the blue unit?

  • Robert Squires

    That was the exact message in quotes above of the Firewalla alarm, implying it was from Firewalla to the router. I have the Blue+ unit.

  • Firewalla

    Can you tap on the alarms? There will be more details, such as the source and destination. We used to have a bug where the "alarm wording" was the opposite of the direction.

    Also, are you running in DHCP or simple mode? 

  • Robert Squires

    It definitely states Firewalla is doing the scan to my Orbi router. I used the default installation mode which was Simple. I have the WiFi 6 mesh router and three satellites. It has worked fine to this point in discovering and monitoring devices across the mesh net.

     

  • Robert Squires

    Today the message was reversed, so I assume the bug was fixed? Still, not sure why my Orbi router would be trying to guess the Firewalla SSH password. Has this been reported before?

     

     

  • Firewalla

    Are you running any security software on the Orbi? We have seen that some antivirus software will try to 'test' network security by using SSH/telnet to connect to devices and trying a bunch of default passwords.

  • Robert Squires

    Yes, Orbi uses Bitdefender from Netgear Armor. Your comment is the most likely cause. Thank you! I also noticed pings to the PC from the router that coincided with a periodic scan of devices from the router App.

     

  • beachdog

    My Orbi 763 has been installed for a little over a week. By default the router pulled Netgear Armor (Bitdefender) because I had a prior subscription attached to my Netgear account from an older Netgear Orbi. Last night was the first time I received the Orbi guessing SSH passwords on Firewalla Blue+ even though it isn't the first time Armor has run. Using DHCP mode.

    Is there a risk to Armor ssh guessing? Other than using a complex Firewalla password (I do), is there a way to harden the Firewalla from these probes?

  • Firewalla

    Firewalla is already using a pretty complex password that changes itself once in a while, so you shouldn't worry. If you are sure that the Orbi is doing the SSH ... then it should be fine. Just make sure it is not a bad actor trying to do things, then it is a different problem.

  • beachdog

    "Just make sure it is not a bad actor trying to do things, then it is a different problem"

    How do I figure that out? I bought the Firewalla to be in charge of keeping unwanted activities off of my network. The IP and MAC above for the router are correct. There's no other info provided for this alarm.

  • Firewalla

    Well, in this case, Firewalla detected the problem, and is telling you about it. Since your Orbi runs before Firewalla (you have a Blue+ in DHCP mode), Firewalla can only detect, and is not able to block, any router packets.

    If you do worry about an external attack, you should get FWG or FWP and run them as the primary router.
