MHS Posted December 2, 2013 #1

Hello,

I am running Trantor's XPEnology DS3612xs DSM 4.3 build 3810++ (repack v1.0) on the stock HP N54L (Gen7) ProLiant MicroServer. I have been experiencing some strange behavior on my home network with DS Finder and wondered if one of you might be able to tell me what's going on.

A short while ago Synology's DS Finder on my phone notified me in French:

L'adresse IP [201.238.###.##] de XPEnology a ete bloquee par SSH

Shortly after this I blocked the above IP and then received this message:

NAS_Maxime experienced an improper shutdown

Then another message in French:

Batteries faibles de l'onduleur connecte a SynoStation

I don't speak French but can make out just fine what's being said. My box is also not called NAS_Maxime, and the IP range is very different from my home network's. I don't have any 3rd party packages installed either.

My box also shows two recent logs after the IP was blocked:

External disk [USB Disk 2 Partition 1] is ejected.
External disk [USB Disk 2] is mounted and shared folder [usbshare2] is exported

There is no second USB disk attached to the NAS.

I did some cursory Google searches but found no information to help me understand what's going on. I'm a bit baffled as to why this cross-talk is happening.

Edited December 5, 2013 by Guest

neonflx Posted December 2, 2013 #2

I have seen the same behavior on mine from the same/similar address and others, something about an SSH login attempt failed. I checked the logs and did not find anything; that doesn't mean something is not going on. It could be because of identical serial numbers or MAC addresses. I will change my MACs to match my system, as well as the serial number, and see what happens.

MHS Posted December 2, 2013 #3

I glanced over a thread on changing the MACs and serials and had no idea it could cause this. I think I will do the same as you and report back if the MAC and serial changes make the issue go away.

neonflx Posted December 3, 2013 #4

I was looking around, and people trying to hack into Synology SSH is a common thing, based on what I read at the Synology forums. Personally, I'm going to change the default SSH port to something else. Here is how:

    > /usr/syno/etc.defaults/rc.d/S95sshd.sh stop
    > vi /etc/ssh/sshd_config
    > /usr/syno/etc.defaults/rc.d/S95sshd.sh start

When editing the sshd_config, change the line #Port 22 to Port 10022 or some other port number.

sporti Posted December 3, 2013 #5

Do you have the XPEnology N54L connected directly to the internet with no router or firewall? Or do you have port forwarding activated on your firewall/router? Normally SSH is blocked by the internet router, so you cannot connect to your server?

I am very interested in your case because I am not sure how secure XPEnology is... I hope there are no backdoors in the system?

neonflx Posted December 3, 2013 #6

I use pfSense as my firewall and have noticed that "activity" increases with the box turned on. I will run Wireshark and see. Also, Snort seems to be blocking more than usual. Maybe I'm being paranoid, haha.

sporti Posted December 3, 2013 #7

For me it is interesting to know: is it a security problem specific to XPEnology (like a built-in backdoor or so), or is it a "normal" Synology DSM SSH attack attempt over the internet?

DHD Posted December 4, 2013 #8

Trust me, change the serial and the problems are gone. No back door, and no one is trying to "hack" your XPEnology. It is because your XPEnology uses a 'universal' serial. Therefore, when DS Finder connects to Synology's server, it will receive alerts from another XPEnology that uses the same serial as yours.

Guide to change the serial is here: viewtopic.php?f=2&t=1353

MHS Posted December 5, 2013 #9

Changing the serial/MAC and the SSH config does the trick. Thank you for your help neonflx and DHD!

Xpeno_usr Posted December 10, 2013 #10

> Changing the serial/MAC and the SSH config does the trick.
> Thank you for your help neonflx and DHD!

Hey, thanks for this thread... I was also trying to find a solution for this... I changed the serial # and MAC address; however, I am still getting SSH logs like this:

Warning Connection 2013/12/10 04:54:11 SYSTEM User [root] from [198.13.110.108] failed to log in via [SSH] due to authorization failure.
Warning Connection 2013/12/10 04:54:09 SYSTEM User [root] from [198.13.110.108] failed to log in via [SSH] due to authorization failure.
Warning Connection 2013/12/10 04:54:07 SYSTEM User [root] from [198.13.110.108] failed to log in via [SSH] due to authorization failure.
Warning Connection 2013/12/10 04:54:04 SYSTEM User [root] from [198.13.110.108] failed to log in via [SSH] due to authorization failure.
Warning Connection 2013/12/10 04:54:01 SYSTEM User [root] from [198.13.110.108] failed to log in via [SSH] due to authorization failure.
Warning Connection 2013/12/10 04:53:59 SYSTEM User [root] from [198.13.110.108] failed to log in via [SSH] due to authorization failure.
Warning Connection 2013/12/10 04:53:55 SYSTEM User [root] from [198.13.110.108] failed to log in via [SSH] due to authorization failure.
Warning Connection 2013/12/10 04:53:53 SYSTEM User [root] from [198.13.110.108] failed to log in via [SSH] due to authorization failure.
Warning Connection 2013/12/10 04:53:51 SYSTEM User [root] from [198.13.110.108] failed to log in via [SSH] due to authorization failure.

Now I suspect it is coming because of my dyndns... I am using dyndns and NO-IP... Any thoughts? Is your problem completely solved? I still have to see if I get any msgs on my DS Finder...

Update: Take my words back for now... as I haven't seen any such activity since yesterday... I'll keep an eye and will report further... Tx

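Added example, not part of the original thread and not Synology or XPEnology code: a Python triage script for Connection-log entries in the layout Xpeno_usr pasted above. It groups failed SSH logins by source address and reports sources that produce a burst of attempts; the function name, threshold, window and sample lines are assumptions made for this example, and the sample uses constructed documentation-range addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Layout taken from the log excerpt pasted in the thread; matched
# case-insensitively because the forum shows the service name as "[sSH]".
FAILED = re.compile(
    r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+\S+\s+"
    r"User \[(?P<user>[^\]]*)\] from \[(?P<ip>[^\]]+)\] "
    r"failed to log in via \[SSH\]",
    re.IGNORECASE,
)

def find_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: {"failures", "peak", "users"}} for every source with at
    least `threshold` failed SSH logins inside any `window`-long span."""
    events = defaultdict(list)
    for line in lines:
        m = FAILED.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
            events[m["ip"]].append((ts, m["user"]))
    report = {}
    for ip, hits in events.items():
        hits.sort()  # the pasted log is newest first; scan oldest first
        peak, start = 0, 0
        for end, (ts, _) in enumerate(hits):
            while ts - hits[start][0] > window:
                start += 1  # drop events that fell out of the window
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            report[ip] = {"failures": len(hits), "peak": peak,
                          "users": sorted({u for _, u in hits})}
    return report

def _line(ts, user, ip):
    return (f"Warning Connection {ts} SYSTEM User [{user}] from [{ip}] "
            "failed to log in via [SSH] due to authorization failure.")

# Constructed sample input (hypothetical sources), not taken from the thread.
SAMPLE = [_line(f"2013/12/10 04:5{t}", u, "203.0.113.7") for t, u in [
    ("4:11", "root"), ("4:09", "root"), ("4:07", "admin"),
    ("4:04", "root"), ("4:01", "root"), ("3:59", "admin")]] + [
    _line("2013/12/10 03:10:00", "root", "198.51.100.20"),
    _line("2013/12/10 03:40:00", "root", "198.51.100.20"),
]

if __name__ == "__main__":
    for ip, info in find_bursts(SAMPLE).items():
        print(ip, info)
```

Entries like these are written by the NAS's own SSH service, so they indicate port 22 is reachable from the listed address; that is a separate matter from the shared-serial DS Finder alerts DHD describes.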