View Full Version : How come? - FTP brute force attack


The late XV105
7th Oct 2009, 16:38
As you may have read, yesterday I commissioned my RAID1 NAS and it's working great. Very, very slick and a number of the features have brought a smile to my face! I actually got to bed at 3:00am as I couldn't stop playing, ahem.

Browsing the log file just now however I found that for 30 minutes not long after I went to bed it was subjected every two seconds to a brute force FTP attack:

2009/10/07 04:05:32 [admin] FAIL LOGIN: Client "60.217.229.222"

Google revealed the I.P. address to likely be in China and that it has been blacklisted by some ISPs for exactly what caused me to research it.

I'm not an I.T. numpty but I certainly don't know it "all", so my question is "How was my NAS found?". I could understand my firewall repelling an intruder since it's knowingly exposed to the outside world but the fact that the NAS log shows the attack implies the firewall was breached.

I'm running a BT HomeHub with (checked and confirmed just now) default firewall and the only intentional way to reach my NAS from the outside world is via the secure MioNet web-based remote access account that I have created. If that's the weakness it gets deactivated right away; I have chosen a long and meaningless username and password but if that's breached I can't imagine it's rocket science to trawl even the "unshared" parts of my network.


TVM,
XV
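Added here as a worked example (not code from the thread or from the NAS vendor): a parser for the log line format quoted above, a sliding-window count that flags an address producing repeated failures, and the follow-up check that matters later in the thread, whether a flagged address ever logged in successfully. The "OK LOGIN" wording for a success line is an assumption, and the sample log is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Log line format quoted in the first post. The "OK LOGIN" variant for a
# successful login is an assumption; the real NAS may word it differently.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) '
    r'\[(?P<user>[^\]]*)\] (?P<result>FAIL|OK) LOGIN: Client "(?P<ip>[^"]+)"$'
)


def parse_line(line):
    """Return the fields of one log line, or None if it is not a login record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
        "user": m.group("user"),
        "ok": m.group("result") == "OK",
        "ip": m.group("ip"),
    }


def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Map each client IP that produced >= threshold failures inside `window`
    to the time of the failure that tripped the threshold."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["ok"]:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()               # drop failures older than the window
        if len(q) >= threshold and ev["ip"] not in alerts:
            alerts[ev["ip"]] = ev["ts"]
    return alerts


def logins_after_alert(lines, alerts):
    """Successful logins from an already-flagged IP: the 'did they get in?' check."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev and ev["ok"] and ev["ip"] in alerts and ev["ts"] >= alerts[ev["ip"]]:
            hits.append((ev["ts"].isoformat(), ev["ip"], ev["user"]))
    return hits


# Constructed sample log (not the real NAS log). 198.51.100.7 is a
# documentation-range address standing in for a second external client.
SAMPLE_LOG = """\
2009/10/07 04:05:32 [admin] FAIL LOGIN: Client "60.217.229.222"
2009/10/07 04:05:34 [admin] FAIL LOGIN: Client "60.217.229.222"
2009/10/07 04:05:36 [admin] FAIL LOGIN: Client "60.217.229.222"
2009/10/07 04:05:37 [xv] FAIL LOGIN: Client "192.168.1.10"
2009/10/07 04:05:38 [admin] FAIL LOGIN: Client "60.217.229.222"
2009/10/07 04:05:40 [admin] FAIL LOGIN: Client "60.217.229.222"
2009/10/07 04:05:42 [admin] FAIL LOGIN: Client "60.217.229.222"
2009/10/07 21:30:01 [admin] FAIL LOGIN: Client "198.51.100.7"
2009/10/07 21:30:03 [admin] FAIL LOGIN: Client "198.51.100.7"
2009/10/07 21:30:05 [admin] FAIL LOGIN: Client "198.51.100.7"
2009/10/07 21:30:07 [admin] FAIL LOGIN: Client "198.51.100.7"
2009/10/07 21:30:09 [admin] FAIL LOGIN: Client "198.51.100.7"
2009/10/07 21:30:11 [admin] OK LOGIN: Client "198.51.100.7"
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    found = find_bruteforce(lines)
    for ip, when in found.items():
        print("brute force from %s, threshold reached at %s" % (ip, when))
    for when, ip, user in logins_after_alert(lines, found):
        print("WARNING: %s logged in as %s at %s after being flagged" % (ip, user, when))
```

A single mistyped password from the LAN address stays below the threshold, while the two external addresses trip it and the second one's later successful login is reported.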

srobarts
7th Oct 2009, 17:40
I may be wrong but if your NAS has uPNP activated and so does the router then your NAS could be visible to the outside world.....

bnt
7th Oct 2009, 20:32
I don't know the HomeHub, but can I assume it has Network Address Translation (NAT)? Most home gateways do, and if so, then devices behind it are not actually on the Internet, they are on a private network with a different IP address range. The typical private range (http://en.wikipedia.org/wiki/Private_network) of 192.168.xxx.xxx is one of several that are not actually valid on the Internet, and routers will not forward them.

So, behind NAT, nothing gets through unless an outgoing port is opened on it, and that happens in two ways: explicitly by a Port Forwarding setting on the gateway, or by some application that has a persistent attachment to the Internet.

In your case, in my opinion, that points the finger directly at the MioNet function on the NAS box. I would disable it, and also check the HomeHub for any Port Forwarding settings. (The only ones there should be ones that you know you need - if in doubt, make a note of them, then remove them and see if anything breaks.)

A friend of mine has a WD NAS box that he uses behind his home hub. When I visited him back in August he was annoyed that MioNet was asking him to pay for an account, but when I read about it, I learned that MioNet is specifically for getting to your files from outside, from the Internet, If you don't need to do that, you don't need MioNet - full stop. We stripped it off all the PCs in my friend's house (he has a lot), and set the WD box as a plain SMB share on Windows (\\wdstorage). Sorted. :ok:

The late XV105
7th Oct 2009, 21:00
Thanks, bnt.

I'm familiar with the principles of NAT, thanks, and yes, my internal addresses are along the lines you describe (and fixed per MAC address to make network maintenance easier and short cuts more reliable to use).

Unfortunately you confirm my fear that it's MioNet that's the likely catalyst. I say unfortunately because this service (in my case free for the basic option for the life of the unit it came bundled with) is something I do actually want to use.


I have family and friends worldwide to whom I'm often posting things on DVD so to dump these things in a folder into which said family and friends can dip whenever they like is quite appealing.
I also work from home when in the UK and have been doing my work backup using Memeo Backup. I do this as near-real-time net change to a brace (one always off site and one plugged in) of USB drives. This is massively faster than VPN to the company's servers in Sweden or UK. To instead back up to the MyBook and know I can access my files wherever I am, regardless of whether I have laptop or USB backup with me, is a nice thought.


All this only applies though if security is not unduly compromised...


Cheers,
XV

Mike-Bracknell
7th Oct 2009, 21:12
I'd second that uPNP is the cause. If it wasn't negotiated between the NAS and the router then there would be no open tcp port 20/21 through which the Chinese script kiddie could attempt hacking (unless you've inadvertently manually opened those ports and forwarded them on to the NAS's LAN IP).

mixture
7th Oct 2009, 21:36
I'd second that uPNP is the cause.

I don't have a detailed understanding of UPnP, but from what I understand about the way it works, I too would think it's probably the cause.

However....

there would be no open tcp port 20/21 through which

You don't need the port under attack to be open.

If you've got any inbound services open on perimeter devices then you are at risk if vulnerabilities exist in their implementation (or your configuration thereof) and you have failed to keep your patches up to date (assuming patches exist of course).

There are some very innovative attack strategies out there that can make use of what might look to the lay-person as innocent services.... for example ICMP (a.k.a PING / TRACEROUTE etc.)..... the average Joe might not know what can be done these days with such an innocent sounding service allowed through firewalls..... :cool:

mixture
7th Oct 2009, 21:44
I also work from home

Ask your company if they will pay for a DSL service upgrade to one with a static IP.... then you can have your very own VPN and do things properly !

P.S. Just noticed it's you XV105...... so how about making a VPN your next pet project... :ok:

The late XV105
7th Oct 2009, 22:06
Well, gentlemen, I think you are collectively in with a very good chance of being correct...

I just took a look at my HomeHub settings and found "allow UPnP" enabled. I don't recall doing it, but I must have as I can't believe it'd be the default setting.

Needless to say it's now disabled but in the mean time someone (ostensibly an IT services provider in California according to whois!) has successfully connected via FTP according to the log. Damn. They were connected for about half an hour before I realised and hit the "off" switch supplying the Home Hub.

I now have a new external I.P. address (confirmed) as well as having switched off external UPnP but now need to think what to check for malicious intent.

The late XV105
7th Oct 2009, 22:13
Ask your company if they will pay for a DSL service upgrade to one with a static IP.... then you can have your very own VPN and do things properly !

P.S. Just noticed it's you XV105...... so how about making a VPN your next pet project...

:)

Don't tempt me!

Seriously, I already have a dyndns account but unfortunately company policy is (a) that they will pay for domestic ADSL and (b) mandatory use only of Cisco VPN and associated company-supplied certificates.

srobarts
7th Oct 2009, 22:20
I just took a look at my HomeHub settings and found "allow UPnP" enabled. I don't recall doing it, but I must have as I can't believe it'd be the default setting.

I googled BT Home Hub and indeed it appears that BT Home Hub has UPnP enabled as the default. It beggars belief if that is the case.

bnt
7th Oct 2009, 23:27
That's bizarre - but it still has me wondering how the FTP traffic got in, through NAT. If they weren't on the correct FTP port (21) the login attempts would not have registered at all. So I don't think uPNP is the final answer here, and would still check for any Port Forwarding settings on the HomeHub.

I'm a bit rusty on the issues, but I'm reading about some of the problems with uPNP, and they include security holes in its Internet Gateway Device spec. According to a report on Wikipedia (http://en.wikipedia.org/wiki/Universal_Plug_and_Play#Lack_of_Default_Authentication), a Flash applet on a website can get a uPNP-enabled router to set up port forwarding, exposing a computer to internet attacks.

Mike-Bracknell
7th Oct 2009, 23:54
That's bizarre - but it still has me wondering how the FTP traffic got in, through NAT. If they weren't on the correct FTP port (21) the login attempts would not have registered at all. So I don't think uPNP is the final answer here, and would still check for any Port Forwarding settings on the HomeHub.

I'm a bit rusty on the issues, but I'm reading about some of the problems with uPNP, and they include security holes in its Internet Gateway Device spec. According to a report on Wikipedia (http://en.wikipedia.org/wiki/Universal_Plug_and_Play#Lack_of_Default_Authentication), a Flash applet on a website can get a uPNP-enabled router to set up port forwarding, exposing a computer to internet attacks.

Basically, uPNP devices within a small network will negotiate (without your knowledge) with a uPNP-enabled router in order to open the relevant ports required for the services the device wants to use.

Hence, the NAS firmware's uPNP has told the HomeHub that it wants to open 20/21 and the HomeHub has duly obliged.....leaving an FTP service open on the internet, which has subsequently been found by script kiddies with probes looking at 20/21 on a range of IP addresses.
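Added as a worked example of the mechanism described in this post (not code from the thread or from BT/WD): a UPnP Internet Gateway Device exposes a GetGenericPortMappingEntry action on its WANIPConnection service, and walking the index from 0 until the router returns a fault lists every mapping a LAN device has asked it to open, which is the audit a HomeHub owner would want before trusting the "allow UPnP" setting. CONTROL_URL is a placeholder, and the router replies used for the offline run are constructed, not a HomeHub capture.

```python
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
# Placeholder (assumed): the real control URL comes from the router's device
# description XML, whose location is learned by an SSDP M-SEARCH on the LAN.
CONTROL_URL = "http://192.168.1.254:49152/upnp/control/WANIPConn1"

FIELDS = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewEnabled", "NewPortMappingDescription",
          "NewLeaseDuration")


def build_request(index):
    """SOAP body asking the IGD for the index-th port mapping."""
    return ('<?xml version="1.0"?>'
            '<s:Envelope xmlns:s="%s" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
            '<s:Body><u:GetGenericPortMappingEntry xmlns:u="%s">'
            '<NewPortMappingIndex>%d</NewPortMappingIndex>'
            '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>' % (SOAP_NS, SERVICE, index))


def parse_mapping(xml_text):
    """Dict of mapping fields, or None when the reply is a SOAP fault (the IGD
    answers error 713 SpecifiedArrayIndexInvalid once the index runs past the last entry)."""
    root = ET.fromstring(xml_text)
    if root.find(".//{%s}Fault" % SOAP_NS) is not None:
        return None
    resp = root.find(".//{%s}GetGenericPortMappingEntryResponse" % SERVICE)
    if resp is None:
        return None
    return {f: (resp.findtext(f) or "") for f in FIELDS}


def http_post(index):
    """Send one request to the router; a fault comes back as HTTP 500, so keep its body."""
    req = urllib.request.Request(CONTROL_URL, data=build_request(index).encode("utf-8"), method="POST")
    req.add_header("Content-Type", 'text/xml; charset="utf-8"')
    req.add_header("SOAPAction", '"%s#GetGenericPortMappingEntry"' % SERVICE)
    try:
        with urllib.request.urlopen(req, timeout=5) as r:
            return r.read().decode("utf-8")
    except urllib.error.HTTPError as e:
        return e.read().decode("utf-8")


def list_mappings(post=http_post, limit=256):
    """Walk index 0, 1, 2, ... until the router reports no such entry."""
    mappings = []
    for i in range(limit):
        m = parse_mapping(post(i))
        if m is None:
            break
        mappings.append(m)
    return mappings


def exposed_services(mappings, watch=(20, 21, 22, 23, 80, 139, 445)):
    """Enabled mappings on ports you would not expect a home NAS to publish."""
    return [m for m in mappings if m["NewEnabled"] == "1" and int(m["NewExternalPort"]) in watch]


# ---- constructed replies so the audit can be run offline (not a HomeHub capture) ----
def fake_response(entry):
    body = "".join("<%s>%s</%s>" % (f, v, f) for f, v in zip(FIELDS, entry))
    return ('<?xml version="1.0"?><s:Envelope xmlns:s="%s"><s:Body>'
            '<u:GetGenericPortMappingEntryResponse xmlns:u="%s">%s'
            '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>' % (SOAP_NS, SERVICE, body))


FAULT_XML = ('<?xml version="1.0"?><s:Envelope xmlns:s="%s"><s:Body><s:Fault>'
             '<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring>'
             '<detail><UPnPError xmlns="urn:schemas-upnp-org:control-1-0">'
             '<errorCode>713</errorCode><errorDescription>SpecifiedArrayIndexInvalid'
             '</errorDescription></UPnPError></detail></s:Fault></s:Body></s:Envelope>' % SOAP_NS)

FAKE_TABLE = [  # what a NAS asking the router for FTP would leave behind (constructed)
    ("", "21", "TCP", "21", "192.168.1.10", "1", "NAS FTP", "0"),
    ("", "20", "TCP", "20", "192.168.1.10", "1", "NAS FTP-data", "0"),
    ("", "3689", "TCP", "3689", "192.168.1.10", "0", "iTunes server", "0"),
]


def fake_post(index):
    return fake_response(FAKE_TABLE[index]) if index < len(FAKE_TABLE) else FAULT_XML


if __name__ == "__main__":
    for m in exposed_services(list_mappings(post=fake_post)):
        print("%s/%s -> %s:%s (%s)" % (m["NewExternalPort"], m["NewProtocol"],
              m["NewInternalClient"], m["NewInternalPort"], m["NewPortMappingDescription"]))
```

Against a real router, replace CONTROL_URL with the control URL from its device description and call list_mappings() from a host on the LAN; a mapping you did not create yourself is the thing to investigate.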

Mike-Bracknell
7th Oct 2009, 23:59
You don't need the port under attack to be open.

If you've got any inbound services open on perimeter devices then you are at risk if vulnerabilities exist in their implementation (or your configuration thereof) and you have failed to keep your patches up to date (assuming patches exist of course).

There are some very innovative attack strategies out there that can make use of what might look to the lay-person as innocent services.... for example ICMP (a.k.a PING / TRACEROUTE etc.)..... the average Joe might not know what can be done these days with such an innocent sounding service allowed through firewalls..... :cool:

In this instance, the edge device was his HomeHub, and without the HomeHub ports open his SPF and NAT in the HomeHub would have denied all access to the NAS located on his LAN, irrespective of the ports on the NAS being open.

The late XV105
8th Oct 2009, 00:44
Thanks for all that; very interesting to read.

The questions now are:


Did anything get transferred even though the FTP logs only show a connection, not any activity, and the two "public" folders were empty at the time? (The private folders were chokka with files)
Has anything been silently installed on the (Flavour of Linux) NAS and should I therefore reset it to as-delivered defaults and start again?


I guess the real answer is "who knows?", so having plugged the hole (switched off UPnP) I need to stop worrying, reconfigure the NAS from factory defaults, and for my sanity, also forget about going anywhere near MioNet or any other service that gives remote access! ;)

srobarts
8th Oct 2009, 06:50
There is a great tool ShieldsUp (http://www.grc.com) which is available free to check open ports on your network.

mixture
8th Oct 2009, 07:29
Did anything get transferred even though the FTP logs only show a connection, not any activity, and the two "public" folders were empty at the time? (The private folders were chokka with files)

Anyone with half a brain will do their utmost to cover their tracks. Trashing logs is what you learn at hacker nursery.... so you should assume your logs have been tampered with and are unreliable.

Has anything been silently installed on the (Flavour of Linux) NAS and should I therefore reset it to as-delivered defaults and start again?

Personally, I would assume yes. Much like a virus infested computer. You'll sleep much better if you do the proper thing and reset it (NOT using the reset button in the GUI, that would be a waste of time, but a proper reformat and re-install from CD).

mixture
8th Oct 2009, 07:31
In this instance, the edge device was his HomeHub, and without the HomeHub ports open his SPF and NAT in the HomeHub would have denied all access to the NAS located on his LAN, irrespective of the ports on the NAS being open.

Mike, as I said, I don't have much to do with UPnP, Homehubs or that sort of trash.

The concept of UPnP doesn't even exist on the routers and firewalls I use at home .... let alone any that I might have come across elsewhere :ok:

The late XV105
8th Oct 2009, 10:07
Thanks very much, srobarts.
No vulnerabilities were found.
I know that's not to say my setup is perfect and cannot be exploited, but at least none of the obvious things tested showed a weakness.

Thanks for your help, too, mixture. The problem I have is that the NAS doesn't ship to be "consumer rebuilt" by doing anything other than pressing the reset pip (only resets the network and admin password) or by using the option in the admin console that deletes all user data and reverts to factory defaults*. It does not reformat and reading "how to hack your NAS" and "Linux for newbies" (you get my drift) puts the fear of God in me that I will end up with a nice white brick. :)

*Added later via edit: I have now done a reset via the Admin console and as you imply, it doesn't reset to factory defaults, despite what the manual says; the firmware is still at the version I upgraded to via download from WD, not the version that came installed.

mixture
8th Oct 2009, 11:11
It does not reformat and reading "how to hack your NAS" and "Linux for newbies" (you get my drift) puts the fear of God in me that I will end up with a nice white brick

The problem with the reset button or command line reset is it probably just runs some script..... if they've installed something then the script won't trash it.

Anyhow.... I understand your point of view, so I'll leave it as "your call".

The late XV105
8th Oct 2009, 11:46
Yes, that was my point; it's obvious from what I have seen that I don't have a NAS that's truly back to "as delivered" and therefore anything installed (and I assume it was) is probably still there.

The NAS is now unplugged whilst I pause and think rationally what to do.

mixture
8th Oct 2009, 12:01
The NAS is now unplugged whilst I pause and think rationally what to do.

Difficult one.

Theoretically, if you were very careful and your router/firewall provides a way to block outbound as well as inbound traffic from its IP address you could reduce the risk of data leakage.

Maybe the manufacturer will let you send it back to them under warranty and format it... unless they'll send you some tools on a CD.

Saab Dastard
8th Oct 2009, 12:16
What I would suggest is to download ethereal or some other free network analyzer and see what, if anything, is going on on the network between your NAS and other devices / internet.

A hub comes in very handy here - especially if you can't set up a switchport as a monitoring port. Just use a x-over cable to connect the hub to the switch, then attach the NAS and the PC you are running your sniffer on to the hub. Now you will see all traffic between the NAS and everything else.

SD

bnt
8th Oct 2009, 12:19
Hence, the NAS firmware's uPNP has told the HomeHub that it wants to open 20/21 and the HomeHub has duly obliged.....leaving an FTP service open on the internet, which has subsequently been found by script kiddies with probes looking at 20/21 on a range of IP addresses.
Well, that's not good, is it?

What? :8

green granite
8th Oct 2009, 12:20
What I would suggest is to download ethereal

For info ethereal is now called "WireShark"

The late XV105
8th Oct 2009, 13:06
Thanks for that; I'll give Wireshark a go with the config suggested.

As an aside, as a way of junking all the data I thought of rebuilding the NAS from RAID1 to RAID0 using the Admin Console, and then reverting to RAID1 but I guess (a) this doesn't necessarily reformat (so data still "exists") and (b) the RAID controller / MoBo is probably flashable and therefore could have been exposed to a hack anyway?

mixture
8th Oct 2009, 13:35
Wireshark

That did come to mind.... but then I thought it might be a bit beyond the realms of available IT know-how in the XV105 household. :ok:

Wireshark easily produces a whole ton of data which can be confusing and difficult to interpret if you don't know what you're looking for or how to configure it.

mixture
8th Oct 2009, 13:38
as a way of junking all the data I thought of rebuilding the NAS from RAID1 to RAID0 using the Admin Console, and then reverting to RAID1 but I guess (a) this doesn't necessarily reformat (so data still "exists") and (b) the RAID controller / MoBo is probably flashable and therefore could have been exposed to a hack anyway?

Rebuilding the RAID as suggested is certainly an easy way to trash your data.... but it's not going to solve the problem of what might be going on at embedded OS level.

I think the chances of the Motherboard being targeted are fairly slim in this scenario .... more likely is that the OS was targeted in order to attempt to ensure a backdoor remained available.

The late XV105
8th Oct 2009, 13:48
Thanks again mixture. I take it then that if Wireshark doesn't show something dodgy (it doesn't so far*, amongst the tons and tons of data you correctly predicted!) then a RAID rebuild could be a sensible thing to do before forgetting the affair and moving on? Remember I have now verified that UPnP is "off" and that ShieldsUp found no weaknesses so it's only something already inside trying to get out that I think I need to consider.

*I let it capture for a while and then sorted the records alphabetically by source column so I could quickly scan I.P. addresses and names outside those I know. I then did likewise for destination. Nothing found. I'll let it run for a couple of hours more and then look again.

mixture
8th Oct 2009, 13:57
then a RAID rebuild could be a sensible thing to do before forgetting the affair and moving on?

In all honesty, yes that's probably the best course of action in your circumstances.

What you could do is leave the RAID as RAID1, but just reformat it (or even better do a quick one pass zero overwrite) ....you might as well keep the benefit of RAID1.

Then, you might want to consider making use of TrueCrypt (or other tool of your choice) to create encrypted disks (not "whole disk" encryption, just little disk images of manageable sizes - or larger sizes if you know you're never going to be doing remote access)..... so then at least your data is encrypted at rest and "they" can copy it as much as they want but would be able to see :mad: all. :ok:

mixture
8th Oct 2009, 14:00
By the way, I forgot to say ...

Congratulations to you for being security aware and actually keeping an eye on your logs etc.

So don't feel too bad about this whole lesson ! You did well to pick up on it so quickly.

srobarts
8th Oct 2009, 14:21
XV105 there must be a utility to securely erase the data on the drive and reset to the factory condition. They must have thought of the end of life or moving locations. Look at the manufacturer's web site and search the knowledge base. If no answer pose the question to them. They should have phone support available.

The late XV105
8th Oct 2009, 15:33
Thanks (again!), and for the comment. It still hurts though as I try to be absolutely as security aware as I am backup plan conscious, and something got past me. Grrrr!

Regarding encryption I have been using Memeo Backup for some time now but whilst I have elected to continue using it with the NAS I have likewise elected to continue using it without invoking the encryption option. My thinking here was that the benefit of being able to manually restore if the auto restore was ever needed but failed [the backup follows the same logical structure and is viewable (but must not be edited!) via Windows Explorer] outweighed the encryption benefit of a device on an internal network with strong firewall and which is unlikely to be stolen.

Perhaps time to have a rethink.

Regarding the RAID "reformat" I have successfully gone from RAID 1 to RAID 0, rebooted the NAS, and then gone back from RAID 0 to RAID 1. All is well and the free byte count is correct.

The next job?

To work out how the hell to remove (a) MioNet, (b) the Public Folder, and (c) the Download Folder without resorting to SSH and a hack. I have decided to live without MioNet and use web-hosted file sharing on demand instead and I don't need the two described folders that are a CIFS standard.

mixture
8th Oct 2009, 15:53
resorting to SSH and a hack

Don't be scared by Linux !

Post the commands they've told you to type on SSH and I'll soon tell you how likely they are to trash your box assuming they are standard Linux commands and not some proprietary NAS box commands ! :cool:

mixture
8th Oct 2009, 16:02
Perhaps time to have a rethink.

I'm not a huge supporter of encryption, it can be a hindrance rather than a help in many cases, as well as a risk of its own. Evaluate on a case-by-case basis as they say.

Mike-Bracknell
8th Oct 2009, 16:03
Can I just point out the following little-known facts:

1) the number of script kiddy attacks is inversely proportionate to their effectiveness.

i.e. - there's thousands of teenage students out there, using P2P software and have probably downloaded a generic script which wants to replicate itself and does so via scanning IPs and trying basic exploits

2) another reason there are lots of attacks are because not everyone understands the benefits of keeping systems up to date regarding security exploit fixes etc

3) the VAST majority of script kiddy attacks are automated, basic, and targeted towards the exploits not patched in #2 above.

4) the VAST majority of exploits are for Windows systems, which make up a VAST majority of internet-connected computers

5) the VAST majority of exploits are done for commercial gain in some shape or form

...

Hence, unless you are convinced that you had a manually initiated attack, onto your IP address, using exploits which were sufficient to compromise your own specific embedded Linux variant, and the operator was skilled enough to be able to install a trojan as a result, and they had something significant to gain from doing so on your NAS box (versus the time they would have had to do so, in a time and motion study sorta thing)......then I'd suggest you can sleep safe in your bed.

FWIW, I have LOTS of devices on the internet, and attempted attacks are a regular occurrence. Granted you can't be 100% sure that someone's not smarter than you are, but on the law of averages and looking at the reasons behind the exploits, you really need to chill about this IMHO.

(besides, the NAS specifically included uPNP in order to configure itself to do this very task on the internet - if you were a product designer, would you do this as standard if you weren't very confident about its security?)

mixture
8th Oct 2009, 16:23
5) the VAST majority of exploits are done for commercial gain in some shape or form

Not always ....

Zombie nets
Somewhere to host questionable content to share amongst "friends"
etc. etc.


(besides, the NAS specifically included uPNP in order to configure itself to do this very task on the internet - if you were a product designer, would you do this as standard if you weren't very confident about its security?)

If you were a product designer, product marketing probably came downstairs to see you with a list of features from competitive products and said "what other funky features can we put into our box to give us a USP". In today's IT market it's all about maximising sales ....

Let's face it .... product design for residential products is NOT security led. That includes residential firewalls embedded on cheapo routers, which don't compare in the least with their commercial variants.

mixture
8th Oct 2009, 16:26
using exploits which were sufficient to compromise your own specific embedded Linux variant,

There is plenty of software that can target specific OS and software variants and versions automatically.

But just to make my point of view clear... I think XV should take a little time to make sure his house is in order and then move on. I don't think he should spend days or weeks on it.

Mike-Bracknell
8th Oct 2009, 21:30
But just to make my point of view clear... I think XV should take a little time to make sure his house is in order and then move on. I don't think he should spend days or weeks on it.

Once again, I think Mixture and I are coming to agreement but from different start points. I agree totally with my quote from him. It's not a clear-cut thing, but I think we both agree that as long as you have a modicum of diligence then you can rest easy that it's a lot less easy to 'hack' into a 'managed' computing device than is sometimes glorified by the media.

mixture
9th Oct 2009, 08:09
Mike,

It does indeed seem we have the same end goal in mind even if certain methods of achieving it are up for debate, however now is not the time and PPRuNe is not the place.

In the end, I think it has been correctly identified that UPNP was to blame here which, like WiFi and all the other residential technologies sold as a way to make your life easier, are so easily abused and mis-configured due to the manufacturers and resellers focus on marketing and sales rather than product development and user education/support.

As for pointing fingers at BT and Homehub .... I will leave that one as an exercise for the reader..... :ok:

green granite
9th Oct 2009, 09:05
The security of the BT hub leaves a lot to be desired, I got mine because they offered me the Voip service for free. When I came to set it up I looked at the manual and could find no mention of WPA encryption at all, the only security mentioned was to enter the serial number of the router into the WEP box.
So I rang the help desk and the person I spoke to didn't even know what I was talking about. :ugh:

I found WPA eventually. But it's a bloody awful setup menu, very difficult to find your way through (or at least it was 2 years ago when I got mine).

The late XV105
9th Oct 2009, 09:41
Hi Guys,

A courtesy post to say a final thank you.


UPnP proven as the cause
UPnP disabled on both router and NAS (I don't need media streaming internally - it's a backup device)
Manually initiated Shields Up attack on my own external I.P. address revealed no weaknesses
Both disks in the NAS "reformatted" to destroy all data (albeit by switching from RAID 1 to RAID 0 and back to RAID 1)
Wire Shark installed and which confirms nothing trying to report back to base or any other kind of suspicious network activity
MioNet remote access service now disabled (Not the cause of my troubles but a potential future weak link removed)
NAS loaded with non-personal files and left running all night; this morning it was in standby mode and the logs show no activity overnight (they can be scrubbed, yes, but given the above I trust them)


So, other than a small number of files (I reacted quickly) which *may* have escaped from my network and which there is no point worrying about (all files were in a private secure area that would have needed hacking in to, it's too late now, and I don't know if the hack actually did anything anyway) I don't think any damage was done.

Time to move on.
Fresh backup to NAS running as I write this.

"Cheers Guys" :ok:

Guest 112233
9th Oct 2009, 17:41
Good to see a happy ending. I have a MK1 HH - The default security settings are atrocious - It does support AES encryption too by the way.

Somewhere in the advanced setup you can disable Plug and Pray and also disable the acceptance of packet fragments as well. Once set up, AES network encryption (sometimes called WPA2), used on modern kit does not hamper router performance too much.

The bad guys are cunning sods - As I have found out the hard way. It might be a good idea to monitor your network traffic for the future for a while just in case they come back for another go - unlikely but you can never be sure.

Your ISP could change your external designated IP address if needed.


CAT III

Mike-Bracknell
9th Oct 2009, 18:56
One thing the majority of HomeHub users may not be aware of, is that the default wifi channel is channel 6.

Now, with only 4 non-blocking channels in 802.11g, and the proliferation of HomeHubs, all on channel 6, if you live in wireless proximity of another HomeHub user the chances are you've got rubbish wifi functionality as a consequence.

In order to fix this, go download a wifi sniffer onto your laptop, such as Airmagnet, and check the channels and their associated strengths. Channels up to 4 channels either side of someone else's channel will interfere, to a greater or lesser degree, so if you choose channels 1,5,9, and 13, and choose one of those which is furthest from the majority of your neighbours, then you should see a corresponding increase in your wireless reliability :ok:

The late XV105
10th Oct 2009, 00:49
Absolutely right!

The alternative, if like me you have two neighbours who freely admit they know Jack about what to do, is to set up the wireless routers for them and consider such channel spacing as part of the work. :)

Shhh. A third house is also within range, but the current elderly owner has no WiFi. The previous owner did, but with a SSID left at the default of NETGEAR I had everything I needed to know to find out what channel they were using without recourse to a sniffer, ahem.

The late XV105
10th Oct 2009, 01:17
Your ISP could change your external designated IP address if needed.

Indeed so. Thanks anyway for the suggestion, CAT III, but one of the first things I did was check my external IP address, switch off the router, wait (actually overnight since I didn't need the router to do anything anyway), reboot the router, and check (with almost complete certainty) that I had a different IP address. I did.

green granite
10th Oct 2009, 06:42
I switch both the pc and the router off when I go to bed, apart from security, there's the possible fire hazard to be considered, to say nothing of the cost.

Mike-Bracknell
10th Oct 2009, 14:44
I switch both the pc and the router off when I go to bed, apart from security, there's the possible fire hazard to be considered, to say nothing of the cost.


Whilst on the face of it you might think you're doing the right thing there, you should really keep the router on 24x7.

- They are designed to run 24x7 without being a fire risk
- There is very little difference to the overall security of your house whether you run them during the day or 24x7 as you will have hacking attempts every 30 seconds or so anyway.
- The cost differential of a 3 watt device over a year is insignificant

...however, the big issue is that the way the Exchange premises equipment monitors and tunes your link speed depends upon you having the device on 24x7. In fact you can lose a significant percentage of your bandwidth purely by adopting a "turn it off at night" attitude.

The late XV105
14th Oct 2009, 16:30
A hub comes in very handy here - especially if you can't set up a switchport as a monitoring port. just use a x-over cable to connect the hub to the switch, then attach the NAS and the PC you are running your sniffer on to the hub. Now you will see all traffic between the NAS and everything else.

Calling SD! :)

I thought I'd followed the above instructions clearly when running Wireshark, but it would appear not because after resolutely remaining at zero relevant hits since the firewall rule* was defined a few days ago, my HomeHub has today blocked over 10,000 NAS attempts to get outside but Wireshark spotted none of them.

Please will you be kind enough to re-describe?

TVM,
XV


*Custom settings to block all WAN traffic to and from the NAS.

mixture
14th Oct 2009, 17:00
A hub comes in very handy here

Hello XV105,

As you might have gathered, my pseudonym is not sd..... but I feel I should state here that the chances of you owning or being able to buy a "hub" in 2009 are very, very slim.

Even 8 port boxes these days are switches.

In a day to day environment, hubs are more trouble than they are worth. I would not recommend you go out and buy one if you don't already own one because you will find very little useful use for it, unless you are planning long term wiresharking ... but even then, you have to be very careful about how the hub is deployed.

What you should be looking to achieve, if you've got an unmanaged switch is either of the following :

(1) Get a managed switch (might be seen as a worthwhile long-term investment, you can get small 8 or 12 port ones, no need for office sized ones)
-OR-
(2) Implement an in-line monitoring solution (i.e. two NICs on the PC)


UPDATED TO ADD :

Admittedly, on a small home network, you probably will not see the difference between hub and switch unless things get really bad or you know what you are looking for. However the point I'm trying to make is hubs are bad feng shui on a network. :ok:

The late XV105
14th Oct 2009, 17:48
Thanks, mixture; you confirmed what I suspected in that my ancient, decommissioned-until-the-last-few-days, four port ADSL router is a switch not a hub.

Please will you be kind enough to elaborate on your suggestion for an alternative way of me sniffing everything to and from the NAS. As well as the old router I just described I also have a brand new Netgear GS605 gigabit switch but of course it is of unmanaged type.

TVM!

PS - I have two gigabit LAN ports in the PC I will run the sniff from but believe they relate to one physical card. (I need to check since I didn't pay any attention at the time to that part of the spec as having two ports was a Brucie Bonus I didn't need)

mixture
14th Oct 2009, 17:57
Please will you be kind enough to elaborate on your suggestion for an alternative way of me sniffing everything to and from the NAS.

I'll endeavour to return a little later with some more detail..... just trying to see if I can find a diagram that will do the job of a thousand words first, or at least a paragraph or two of words ! :ok:


PS - I have two gigabit LAN ports in the PC I will run the sniff from but believe they relate to one physical card.

Wouldn't worry about that too much ... anything in your PC becomes a managed switch (not the correct word, but contextually appropriate !)..... if it's anything like macs or servers then you'll probably find it's not even a network card but just coming off the motherboard ....:ok:

mixture
14th Oct 2009, 18:01
http://wiki.wireshark.org/CaptureSetup/Ethernet?action=AttachFile&do=get&target=Capture-switch-mitm-2NIC-ws.png

Which comes from .....

CaptureSetup/Ethernet - The Wireshark Wiki (http://wiki.wireshark.org/CaptureSetup/Ethernet)


Which I'm just looking through to see what detail is lacking.....:ok:

Saab Dastard
14th Oct 2009, 18:04
XV,

An ethernet switch differs from an ethernet hub in that each port on a switch is a separate LAN segment, while each port on a hub is part of the same LAN segment.

All ports on a hub are thus in a single collision domain, whereas each port in a switch is in its own collision domain - which essentially means that frame collisions do not occur with switches. Collisions are bad, btw!

Switches also "learn" the MAC addresses of the connected hosts, so only directed unicast and broadcast frames are forwarded out each switch port. Only where the MAC address of a host is not yet in the switch MAC address table will a switch flood a unicast frame out all its ports.

As mixture rightly states, hubs have been entirely superseded by switches (now that the cost per switch port has reduced to the trivial), and hubs would seriously impact the performance on medium to large networks (due to the collisions described above). In a home network with a handful of devices, frankly, there is little difference in performance.

One of the switch's strengths (only forwarding frames to the necessary port) is also a pain when you actually want to monitor all the traffic between two nodes on the switch (or indeed all the traffic across the switch), as - by definition - the traffic is restricted to the ports that the two nodes are connected on.

There are a number of ways around this, depending on the equipment. "Business class" switches tend to have the ability to configure a monitoring port, that can be used to output all traffic from a selection of other ports - ideal if you happen to have that kind of kit.

Another possibility is to use a hub as described above - place the hub between the switch and the target device so that traffic passing from the switch to the target passes through the hub, and - by definition - is flooded out of all the hub ports. By hooking your sniffer to a hub port you get to see all the traffic.

I'm not sure about the "inline" method mixture refers to. Perhaps he will elaborate for us.

While you may struggle to buy a new ethernet hub, a quick look on ebay suggests that you'll easily pick one up from 99p to a fiver, plus P&P. Just ensure you get an ethernet hub, not a USB hub!

SD

mixture
14th Oct 2009, 18:05
I'm not sure about the "inline" method mixture refers to. Perhaps he will elaborate for us.

Basic detail above your post, but looks like I've got to supplement with more detail..... on its way in due course...

mixture
14th Oct 2009, 18:10
It's been a little while since I've done it inline even more so when using a Windows box to capture, more used to using managed switches and spanning ports.

However, from memory, what needs to be done is as follows :

(1) Bridge your two network cards

If I recall, this is as simple as highlighting them both, right clicking and selecting "bridge interfaces".

(updated -> in the text that was here before I said to configure bridge itself with IP settings.... technically it should work without because most of its magic is at Layer 2 rather than Layer 3 .... so try without extra bridge config work first)

(2) Start a wireshark capture

Hopefully wireshark will let you watch the virtual interface, otherwise you only need to watch one interface, it will pick up on all traffic.


Let me know if you need more detail, although I might pop back an update this post later.

The late XV105
14th Oct 2009, 18:44
Very helpful, thank you both :)

Using mixture's schematic, I have the NAS as "Host A" connected to successfully bridged LAN ports in my XP MCE machine that is also running Wireshark, and my BT HomeHub as "Host B". WiFi is switched off (adaptor disabled in the PC) for good measure.

Using its IP address I can browse the NAS from the PC so it's alive and well and I can also reach my Homehub admin page and the internet too.

Homehub still set to block all LAN activity from the NAS' IP address that tries to reach the internet (and viccy verky) so time for some Sharking.

Stay tuned....

mixture
14th Oct 2009, 18:46
XV105,

Gosh that was quick, you must be more IT literate than I thought ! :p

The late XV105
14th Oct 2009, 19:08
Ok, tuning back in....

That was so easy, ta! :)

Here's the result, with the total number of records exactly equalling the difference in my firewall rule's "blocked" count when I started and when I finished sniffing.


"Whois 198.107.148.254" resolves this IP address to Western Digital MioNet despite the fact that I have disabled* this remote access service on the NAS!
"Whois 224.0.0.22" does not resolve to a domain name but Google returned
The World Knocks at the Door of Your Internet Connection Joejolly’s Weblog (http://joejolly.wordpress.com/2009/06/06/the-world-knocks-at-the-door-of-your-internet-connection/) !
"Whois 224.0.0.251" doesn't give any clues.
"Whois 239.255.255.250" doesn't give any clues.
"Whois 235.1.1.1" does not resolve to a domain name but Google indicates that it's probably connected to the (Twonky Media) streaming service on the NAS that we use to allow our two WiFi radios to play all music from the NAS; although I wanted to keep it as a backup-only device, the lure of always on music was tempting for the family so I invoked it at the weekend.


Any comments on the missing pieces, please?

*WD have acknowledged a bug in response to a support case that I logged whereby it is impossible to fully disable the MioNet service on the NAS. It restarts by itself every half an hour and when the server is booted even if the "do not start MioNet" flag was selected before shutdown. From Wireshark it seems that it's slumbering rather than hibernating when disabled too as the blocked traffic is from when the NAS admin console reports that MioNet is "off"!

Saab Dastard
14th Oct 2009, 19:16
These are multicast addresses - 224.0.0.0 through 239.255.255.255.

The range from 224.0.0.0 to 224.0.0.255 (or 224.0.0.0/24) is designated for multicasting on the local LAN only.

224.0.0.251 is the Multicast DNS address.

224.0.0.22 is used by the IGMP Version 3 (Internet Group Management Protocol).

More details here: http://www.iana.org/assignments/multicast-addresses/

SD

The late XV105
14th Oct 2009, 19:17
Thanks, SD :)
Three down, one to go, and one to be confirmed!

Mike-Bracknell
14th Oct 2009, 19:18
but I feel I should state here that the chances of you owning or be able to buy a "hub" in 2009 are very, very slim.

But not that slim. Guess who happens to have a bunch of boxed 8-port 10 mbit/s hubs in the office :E

mixture
15th Oct 2009, 09:15
Hello XV105,

I see SD got there first. I'll add a little bit more....

(1) Ref 224.0.0.22 / 224.0.0.251 / 239.255.255.250 / 235.1.1.1

These are "special use" addresses that have no place on the internet, in internet terms they are known as "bogons" because they should not be routed by any ISP. In fact, best practice recommends to block the following ranges (amongst others, see link....) unless you've got a specific use for them :

223.0.0.0/8 (i.e. 223.0.0.0 to 223.255.255.255 - inclusive)
224.0.0.0/3 (i.e. 224.0.0.0 to 255.255.255.255 - inclusive)

There is a handy website known as "Team Cymru" (no relation whatsoever to that part of the UK) which gives a list of current "bogons" that you should be blocking .... go here ... The Bogon Reference - Team Cymru (http://www.team-cymru.org/Services/Bogons/) scroll down to "1. HTTP Bogon References" and open, I would suggest, "The Text Bogon List, Aggregated".

All the addresses listed on the TC website are addresses that should essentially be never seen from the internet (i.e. you should never receive traffic from those IPs) and should never be leaked out onto the internet (i.e. you should not send traffic to the internet from those IPs without appropriate measures in place, e.g. NAT).

(2) Ref 198.107.148.254

Sounds like you've tracked this one down.

(3)

WD have acknowledged a bug in response to a support case that I logged whereby it is impossible to fully disable the MioNet service on the NAS. It restarts by itself every half an hour and when the server is booted even if the "do not start MioNet" flag was selected before shutdown

I'm sure it's easily doable through the Linux command line.... "restarts by itself every half hour" sounds suspiciously like a crontab entry !
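To turn SD's multicast notes and mixture's bogon advice into a repeatable check, here is an added example (not from the thread or from any of its posters) that classifies the destination addresses XV pulled out of his Wireshark capture and says which of them a home firewall should never pass to or from the WAN. It uses only the Python standard library; the SSDP/UPnP label for 239.255.255.250 is a known fact added here, not something the thread states, and the 223.0.0.0/8 entry reflects the 2009 bogon list quoted above.

```python
import ipaddress
from typing import Dict, List

# Ranges as described in the thread. 223.0.0.0/8 is kept as it stood on the
# 2009 bogon list; for anything that matters, pull the live Team Cymru list.
LINK_LOCAL_MCAST = ipaddress.ip_network("224.0.0.0/24")  # LAN-only multicast
ALL_MCAST = ipaddress.ip_network("224.0.0.0/4")           # 224.0.0.0-239.255.255.255
BOGONS = [ipaddress.ip_network(n) for n in ("223.0.0.0/8", "224.0.0.0/3")]

# Well-known group addresses. SSDP is an added fact, not from the thread.
KNOWN_GROUPS = {
    "224.0.0.22": "IGMPv3 membership reports",
    "224.0.0.251": "Multicast DNS (mDNS)",
    "239.255.255.250": "SSDP / UPnP discovery",
}


def classify(addr: str) -> Dict[str, object]:
    """Classify one destination address seen leaving (or arriving at) the NAS."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("IPv4 only, as in the thread's capture")
    bogon = any(ip in net for net in BOGONS)
    if ip in LINK_LOCAL_MCAST:
        kind = "multicast-link-local"   # must never leave the local LAN
    elif ip in ALL_MCAST:
        kind = "multicast"
    elif ip.is_private:
        kind = "private"                # RFC 1918 style, hidden behind NAT
    elif ip.is_global:
        kind = "public"
    else:
        kind = "special"
    # Only ordinary public unicast has any business crossing the WAN link.
    return {
        "address": addr,
        "kind": kind,
        "bogon": bogon,
        "may_cross_wan": kind == "public",
        "note": KNOWN_GROUPS.get(addr, ""),
    }


def review(addresses: List[str]) -> List[str]:
    """One verdict line per address, for eyeballing a list of capture destinations."""
    lines = []
    for a in addresses:
        c = classify(a)
        verdict = ("expected only if it is a service you deliberately run"
                   if c["may_cross_wan"]
                   else "LAN-only; firewall should never pass this to/from WAN")
        note = f" ({c['note']})" if c["note"] else ""
        lines.append(f"{a:16} {c['kind']:22} {verdict}{note}")
    return lines


# Constructed sample: the addresses XV listed from his capture plus one
# made-up private LAN host to show the NAT case.
SAMPLE = ["198.107.148.254", "224.0.0.22", "224.0.0.251",
          "239.255.255.250", "235.1.1.1", "192.168.1.64"]

if __name__ == "__main__":
    print("\n".join(review(SAMPLE)))
```

Only the first address (the MioNet server) is flagged as legitimately routable, which matches what XV's "block all WAN traffic to and from the NAS" rule was catching.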

mixture
15th Oct 2009, 09:18
Mike,

But not that slim. Guess who happens to have a bunch of boxed 8-port 10 mbit/s hubs in the office

Which one of the following are you ? :ok:

http://www.radiotimes.com/shows/the-it-crowd/main.jpg

Saab Dastard
15th Oct 2009, 09:40
If the multicast addresses were simply seen on the LAN, that is probably quite normal, if there are devices that rely on various IGMP messages for network discovery / management. It's quite possible that the NAS and mionet does this.

As mixture says, these addresses should not be routed to or from the internet (all firewalls should block these by default).

SD

mixture
15th Oct 2009, 09:54
all firewalls should block these by default

Just to be a little pedantic .... they probably won't block the allocatable bogons .. which have a tendency to be announced and used by less scrupulous individuals...

But most of the bogons yes, should be blocked....

Saab Dastard
15th Oct 2009, 10:29
Mixture, you're quite right about the allocatable bogons (and thanks for the link :ok:).

I was writing with the narrow thought of the particular multicast addresses XV had found.

SD

Mike-Bracknell
15th Oct 2009, 10:34
Which one of the following are you ?

hehe, probably all three at any one time :)

Bizarrely, one of my IT-mates was giving tech support to the writer of that series last night. It seems he's a big Left 4 Dead fan :8

mixture
15th Oct 2009, 10:35
I was writing with the narrow thought of the particular multicast addresses XV had found.

Yes, sorry about that !

I'll try to leave you to it now, since he did ask for you in the first place !:ok:

The late XV105
15th Oct 2009, 10:51
mixture, SD, and M-B

Wow! :)
I'm actually kinda pleased that I had the problem that started this all off.
The thread is fascinating, and although far from being a computer numpty I have certainly learned much of practical benefit and enjoyed digging a little deeper in to vast territories new.

Now to pluck up the courage to use Putty.exe (installed and a test login to the NAS worked) to put that bullet through MioNet.

It does make me wonder though about the majority of internet users who just about know how to plug their ADSL modem in or reboot it if the network crashes...


Cheers,
XV

mixture
15th Oct 2009, 11:02
It does make me wonder though about the majority of internet users who just about know how to plug their ADSL modem in or reboot it if the network crashes...

X105,

You've hit the nail on the head there.

THAT is the absolute example of why the current IT industry has to change radically away from the box-shifting model. It's all about sell, sell, sell .... for example, to become a "Microsoft Gold Partner", it's 95% about how much Microsoft stuff you sell and 5% about trained staff and satisfied customers. The same for most other names out there, so I'm not just picking on Microsoft.

If home users were adequately educated and supported post-sales, particularly in relation to security, many problems would be greatly reduced, if not almost eradicated ..... propagation of viruses, botnets and spam relays being one of them !

But even if they don't want to spend the money on post-sales hand-holding, many of the products out there could easily be more secure "out of the box" with minimal additional development cost to the manufacturer/developer.

Taking your example, WHY should uPNP be enabled by default ? It should have been your explicit choice to enable it once you had clicked "OK" to half a dozen popups telling you how bad it could be !

WHY should the default Windows account have administrator rights ? 99% of what you do on your PC does not need admin rights !

Anyway, I could rant all day , but I'll stop here ... since nobody with any significant influence in the IT industry cares anyway, as long as they get their fat salary at the end of the month and the company that employs them manages to snatch a few measly percent more market share from the nearest competitor !

Now to pluck up the courage to use Putty.exe

Feel free to come back and ask questions, I'm sure one of us will pluck up the courage to help you ! I'm sure you'll be fine though ! Just don't do the famous "rm -rf /" ! :ok:

Saab Dastard
15th Oct 2009, 11:55
I'm assuming that the talk of putty (and rm -rf /) :eek: means that you have discovered that there's a linux / unix OS powering the NAS and that you are contemplating firing up a blowtorch to make "adjustments"?

Sounds like fun. :E

SD

The late XV105
15th Oct 2009, 12:12
SD:

I'm assuming that the talk of putty (and rm -rf /) means that you have discovered that there's a linux / unix OS powering the NAS and that you are contemplating firing up a blowtorch to make "adjustments"?


Yup :ok:
It's running BusyBox on Linux.

Having established what SSH is (something else learned as a result of the problem encountered) and how any command line hacking automatically invalidates the warranty I was amazed to then find "Enable SSH" as an option in the Admin console! Sure enough, duly enabled and using aforementioned Putty I connected first time using root/welc0me.

At this stage I simply want to do two things:

1) Change the root password!
2) Kill the MioNet service by removing the start command. A quick Google has revealed some possibilities on how to do this but I don't want to end up with a brick instead of a NAS so I'll "measure twice (or three times or four) and cut once".

mixture:

I couldn't agree more!

Mike-Bracknell
15th Oct 2009, 14:54
Incidentally, if the NAS is a ReadyNAS from Netgear, I have some very good links into that company and can deal with most issues. :ok:

The late XV105
15th Oct 2009, 23:12
Thanks for the offer, M-B, but whilst the Netgear ReadyNAS was one of the ranges I looked at, I ultimately purchased a WD MyBook World Edition II device.

Gwilo
20th Oct 2009, 08:47
I've just read this whole thread from start to finish twice!

Some very useful and eye opening information in there, unlike XV105 I want / need to access a remote NAS and I want to transfer the data from that NAS to another NAS in our main office and I want to do that daily.

I was considering using MioNet because I have it bundled with both NAS devices, a Western Digital MyBook World 1TB and a Western Digital ShareSpace 4TB. The software is also capable of running scheduled FTP so I was thinking perfect, I could run it at night when the LANs aren't being used and everyone is tucked up in bed, except of course, our hacker mates.

The data on the remote NAS is not that critical and sending it over the internet does not pose any real security threat to our company but the NAS in the main office has or will have stuff on it that is confidential, I cannot risk exposing that data.

I'm still in a bit of a quandary to be honest and MioNet are doing their best to convince me that their system is safe and secure.

Hmmmm.

Anyway, just wanted to let you know that this thread has helped more than just XV105

Al.

mixture
21st Oct 2009, 13:11
Gwilo,

Welcome to PPRuNe, I see you've made good use of your inaugural post !

Glad this thread has been of use to more than XV.

I shall leave you to your deliberations, but feel free to come back and ask questions in a new post if you're stuck.

Gwilo
22nd Oct 2009, 07:21
Hey Mixture, thanks very much...

I particularly liked this thread because XV made very clear and understandable posts and he came back and posted the solution, you don't get that very often, most people take the advice, fix the problem and then don't even bother thanking anyone, let alone confirming the solution and of course, this is very relevant to what I will soon be attempting to do.

And thanks for inviting me back if I get any problems, I'll be trying to execute my little project within the next couple of weeks, so I've bookmarked this thread :ok: