|
Time to move on
Hi Guys,
A courtesy post to say a final thank you.
So, other than a small number of files (I reacted quickly) which *may* have escaped from my network and which there is no point worrying about (all files were in a private secure area that would have needed hacking in to, it's too late now, and I don't know if the hack actually did anything anyway) I don't think any damage was done. Time to move on. Fresh backup to NAS running as I write this. "Cheers Guys" :ok: |
The BT HH
Good to see a happy ending. I have a MK1 HH - The default security settings are atrocious - It does support AES encryption too by the way.
Somewhere in the advanced setup you can disable Plug and Pray and also disable the acceptance of packet fragments as well. Once set up; AES network encryption (sometimes called WPA2),used on modern kit does not hamper router performance too much. The bad guys are cunning sods - As I have found out the hard way. It might be a good idea to monitor you network traffic for the future for a while just in case they come back for another go - unlikely but your can never be sure. Your IP could change your external designated IP address if needed. CAT III |
One thing the majority of HomeHub users may not be aware of, is that the default wifi channel is channel 6.
Now, with only 4 non-blocking channels in 802.11g, and the proliferation of HomeHubs, all on channel 6, if you live in wireless proximity of another HomeHub user the chances are you've got rubbish wifi functionality as a consequence. In order to fix this, go download a wifi sniffer onto your laptop, such as Airmagnet, and check the channels and their associated strengths. Channels up to 4 channels either side of someone else's channel will interfere, to a greater or lesser degree, so if you choose channels 1,5,9, and 13, and choose one of those which is furthest from the majority of your neighbours, then you should see a corresponding increase in your wireless reliability :ok: |
Absolutely right!
The alternative, if like me you have two neighbours who freely admit they know Jack about what to do, is to set up the wireless routers for them and consider such channel spacing as part of the work. :) Shhh. A third house is also within range, but the current elderly owner has no WiFi. The previous owner did, but with a SSID left at the default of NETGEAR I had everything I needed to know to find out what channel they were using without recourse to a sniffer, ahem. |
Your IP could change your external designated IP address if needed. |
I switch both the pc and the router of when I go to bed, apart from security, there's the possible fire hazard to be considered, to say nothing of the cost.
|
I switch both the pc and the router of when I go to bed, apart from security, there's the possible fire hazard to be considered, to say nothing of the cost. - They are designed to run 24x7 without being a fire risk - There is very little difference to the overall security of your house whether you run them during the day or 24x7 as you will have hacking attempts every 30 seconds or so anyway. - The cost differential of a 3 watt device over a year is insignificant ...however, the big issue is that the way the Exchange premises equipment monitors and tunes your link speed depends upon you having the device on 24x7. In fact you can lose a significant percentage of your bandwidth purely by adopting a "turn it off at night" attitude. |
A hub comes in very handy here - especially if you can't set up a switchport as a monitoring port. just use a x-over cable to connect the hub to the switch, then attach the NAS and the PC you are running your sniffer on to the hub. Now you will see all traffic between the NAS and everything else. I thought I'd followed the above instructions clearly when running Wireshark, but it would appear not because after resolutely remaining at zero relevant hits since the firewall rule* was defined a few days ago, my HomeHub has today blocked over 10,000 NAS attempts to get outside but Wireshark spotted none of them. Please will you be kind enough to re-describe? TVM, XV *Custom settings to block all WAN traffic to and from the NAS. |
A hub comes in very handy here As you might have gathered, my pseudonym is not sd..... but I feel I should state here that the chances of you owning or be able to buy a "hub" in 2009 are very, very slim. Even 8 port boxes these days are switches. In a day to day environment, hubs are more trouble than they are worth. I would not recommend you go out and buy one if you don't already own one because you will find very little useful use for it, unless you are plannig long term wiresharking ... but even then, you have to be very careful about how the hub is deployed. What you should be looking to achieve, if you've got an unmanaged switch is either of the following : (1) Get a managed switch (might be seen as a worthwile longterm investment, you can get small 8 or 12 port ones, no need for office sized ones) -OR- (2) Implement an in-line monitoring solution (i.e. two NICs on the PC) UPDATED TO ADD : Addmitedly, on a small home network, you probably will not see the difference between hub and switch unless things get really bad or you know what you are looking for. However the point I'm trying to make is hubs are bad feng shui on a network. :ok: |
Thanks, mixture; you confirmed what I suspected in that my ancient, decomissioned-until-the-last-few-days, four port ADSL router is a switch not a hub.
Please will you be kind enough to elaborate on your suggestion for an alternative way of me sniffing everything to and from the NAS. As well as the old router I just described I also have a brand new Netgear GS605 gigabit switch but of course it is of unmanaged type. TVM! PS - I have two gigabit LAN ports in the PC I will run the sniff from but believe they relate to one physical card. (I need to check since I didn't pay any attention at the time to that part of the spec as having two ports was a Brucie Bonus I didn't need) |
Please will you be kind enough to elaborate on your suggestion for an alternative way of me sniffing everything to and from the NAS. PS - I have two gigabit LAN ports in the PC I will run the sniff from but believe they relate to one physical card. |
http://wiki.wireshark.org/CaptureSet...tm-2NIC-ws.png
Which comes from ..... CaptureSetup/Ethernet - The Wireshark Wiki Which I'm just looking through to see what detail is lacking.....:ok: |
XV,
An ethernet switch differs from an ethernet hub in that each port on a switch is a separate LAN segment, while each port on a hub is part of the same LAN segment. All ports on a hub are thus in a single collision domain, whereas each port in a switch is in its own collision domain - which essentially means that frame collisions do not occur with switches. Collisions are bad, btw! Switches also "learn" the MAC addresses of the connected hosts, so only directed unicast and broadcast frames are forwarded out each switch port. Only where the MAC address of a host is not yet in the switch MAC address table will a switch flood a unicast frame out all its ports. As mixture rightly states, hubs have been entirely superseded by switches (now that the cost per switch port has reduced to the trivial), and hubs would seriously impact the performance on medium to large networks (due to the collisions described above). In a home network with a handful of devices, frankly, there is little difference in performance. One of the switch's strengths (only forwarding frames to the necessary port) is also a pain when you actually want to monitor all the traffic between two nodes on the switch (or indeed all the traffic across the switch), as - by definition - the traffic is restricted to the ports that the two nodes are connected on. There are a number of ways around this, depending on the equipment. "Business class" switches tend to have the ability to configure a monitoring port, that can be used to output all traffic from a selection of other ports - ideal if you happen to have that kind of kit. Another possibility is to use a hub as described above - place the hub between the switch and the target device so that traffic passing from the switch to the target passes through the hub, and - by definition - is flooded out of all the hub ports. By hooking your sniffer to a hub port you get to see all the traffic. I'm not sure about the "inline" method mixture refers to. Perhaps he will elaborate for us. While you may struggle to buy a new ethernet hub, a quick look on ebay suggests that you'll easily pick one up from 99p to a fiver, plus P&P. Just ensure you get an ethernet hub, not a USB hub! SD |
I'm not sure about the "inline" method mixture refers to. Perhaps he will elaborate for us. |
It's been a little while since I've done it inline even more so when using a Windows box to capture, more used to using managed switches and spanning ports.
However, from memory, what needs to be done is as follows : (1) Bridge your two network cards If I recall, this is a simple as highlighting them both, right clicking and selecting "bridge interfaces". (updated -> in the text that was here before I said to configure bridge itself with IP settings.... technically it should work without because most of its magic is at Layer 2 rather than Layer 3 .... so try without extra bridge config work first) (2) Start a wireshark capture Hopefully wireshark will let you watch the virtual interface, otherwise you only need to watch one interface, it will pick up on all traffic. Let me know if you need more detail, although I might pop back an update this post later. |
Very helpful, thank you both :)
Using mixture's schematic, I have the NAS as "Host A" connected to successfully bridged LAN ports in my XP MCE machine that is also runnng Wireshark, and my BT HomeHub as "Host B". WiFi is switched off (adaptor disabled in the PC) for good measure. Using it's IP address I can browse the NAS from the PC so it's alive and well and I can also reach my Homehub admin page and the internet too. Homehub still set to block all LAN activity from the NAS' IP address that trys to reach the internet (and viccy verky) so time for some Sharking. Stay tuned.... |
XV105,
Gosh that was quick, you must be more IT litterate than I thought ! :p |
Ok, tuning back in....
That was so easy, ta! :) Here's the result, with the total number of records exactly equalling the difference in my firewall rule's "blocked" count when I started and when I finished sniffing.
Any comments on the missing pieces, please? *WD have acknowledged a bug in response to a support case that I logged whereby it is impossible to fully disable the MioNet service on the NAS. It restarts by itself every half an hour and when the server is booted even if the "do not start MioNet" flag was selected before shutdown. From Wireshark it seems that it's slumbering rather than hibernating when disabled too as the blocked traffic is from when the NAS admin console reports that MioNet is "off"! |
These are multicast addresses - 224.0.0.0 through 239.255.255.255.
The range from 224.0.0.0 to 224.0.0.255 (or 224.0.0.0/24) is designated for multicasting on the local LAN only. 224.0.0.251 is the Multicast DNS address. 224.0.0.22 is used by the IGMP Version 3 (Internet Group Management Protocol). More details here: http://www.iana.org/assignments/multicast-addresses/ SD |
Thanks, SD :)
Three down, one to go, and one to be confirmed! |
but I feel I should state here that the chances of you owning or be able to buy a "hub" in 2009 are very, very slim. |
Hello XV105,
I see SD got there first. I'll add a little bit more.... (1) Ref 224.0.0.22 / 224.0.0.251 / 239.255.255.250 / 235.1.1.1 These are "special use" addresses that have no place on the internet, in internet terms they are known as "bogons" because they should not be routed by any ISP. Infact, best practice recommends to block the following ranges (amongst others, see link....) unless you've got a specific use for them : 223.0.0.0/8 (i.e. 223.0.0.0 to 223.255.255.255.255 - inclusive) 224.0.0.0/3 (i.e. 224.0.0.0 to 255.255.255.255 - inclusive) There is a handy website known as "Team Cymru" (no relation whatsoever to that part of the UK) which gives a list of current "bogons" that you should be blocking .... go here ... The Bogon Reference - Team Cymru scroll down to "1. HTTP Bogon References" and open, I would suggest, "The Text Bogon List, Aggregated". All the addresses listed on the TC website are addresses that should essentially be never seen from the internet (i.e. you should never receive traffic from those IPs) and should never be leaked out onto the internet (i.e. you should not send traffic to the internet from those IPs without appropriate measures in place, e.g. NAT). (2) Ref 198.107.148.254 Sounds like you've tracked this one down. (3) WD have acknowledged a bug in response to a support case that I logged whereby it is impossible to fully disable the MioNet service on the NAS. It restarts by itself every half an hour and when the server is booted even if the "do not start MioNet" flag was selected before shutdown |
Mike,
But not that slim. Guess who happens to have a bunch of boxed 8-port 10 mbit/s hubs in the office http://www.radiotimes.com/shows/the-it-crowd/main.jpg |
If the multicast addresses were simply seen on the LAN, that is probably quite normal, if there are devices that rely on various IGMP messages for network discovery / management. It's quite possible that the NAS and mionet does this.
As mixture says, these addresses should not be routed to or from the internet (all firewalls should block these by default). SD |
all firewalls should block these by default But most of the bogons yes, should be blocked.... |
Mixture, you're quite right about the allocatable bogons (and thanks for the link :ok:).
I was writing with the narrow thought of the particular multicast addresses XV had found. SD |
Which one of the following are you ? Bizarrely, one of my IT-mates was giving tech support to the writer of that series last night. It seems he's a big Left 4 Dead fan :8 |
I was writing with the narrow thought of the particular multicast addresses XV had found. I'll try to leave you to it now, since he did ask for you in the first place !:ok: |
mixture, SD, and M-B
Wow! :) I'm actually kinda pleased that I had the problem that started this all off. The thread is fascinating, and although far from being a computer numpty I have certainly learned much of practical benefit and enjoyed digging a little deeper in to vast territories new. Now to pluck up the courage to use Putty.exe (installed and a test login to the NAS worked) to put that bullet through MioNet. It does make me wonder though about the majority of internet users who just about know how to plug their ADSL modem in or reboot it if the network crashes... Cheers, XV |
It does make me wonder though about the majority of internet users who just about know how to plug their ADSL modem in or reboot it if the network crashes... You've hit the nail on the head there. THAT is the absolute example of why the current IT industry has to change radically away from the box-shifting model. It's all about sell, sell, sell .... for example, to become a "Microsoft Gold Partner", it's 95% about how much Microsoft stuff you sell and 5% about trained staff and satisified customers. The same for most other names out there, so I'm not just picking on Microsoft. If home users were adequatley educated and supported post-sales, particularly in relation to security many problems would be greatly reduced, if not almost eradicated ..... propagation of viruses , botnets and spam relays being one of them ! But even if they don't want to spend the money on post-sales hand-holding, many of the products out there could easily be more secure "out of the box" with minimal additional development cost to the manufacturer/developer. Taking your example, WHY should uPNP be enabled by default ? It should have been your explicit choice to enable it once you had clicked "OK" to half a dozen popups telling you how bad it could be ! WHY should the default Windows acount have administrator rights ? 99% of what you do on your PC does not need admin rights ! Anyway, I could rant all day , but I'll stop here ... since nobody with any significant influence in the IT industry cares anyway, as long as they get their fat salary at the end of the month and the company that employs them manages to snatch a few measly percent more market share from the nearest competitor ! Now to pluck up the courage to use Putty.exe |
I'm assuming that the talk of putty (and rm -rf /) :eek: means that you have discovered that there's a linux / unix OS powering the NAS and that you are contemplating firing up a blowtorch to make "adjustments"?
Sounds like fun. :E SD |
SD:
I'm assuming that the talk of putty (and rm -rf /) means that you have discovered that there's a linux / unix OS powering the NAS and that you are contemplating firing up a blowtorch to make "adjustments"? It's running BusyBox on Linux. Having established what SSH is (something else learned as a result of the problem encountered) and how any command line hacking automatically invalidates the warranty I was amazed to then find "Enable SSH" as an option in the Admin console! Sure enough, duly enabled and using aforementioned Putty I connected first time using root/welc0me. At this stage I simply want to do two things: 1) Change the root password! 2) Kill the MioNet service by removing the start command. A quick Google has revealed some possibilities on how to do this but I don't want to end up with a brick instead of a NAS so I'll "measure twice (or three times or four) and cut once". mixture: I couldn't agree more! |
Incidentally, if the NAS is a ReadyNAS from Netgear, I have some very good links into that company and can deal with most issues. :ok:
|
Thanks for the offer, M-B, but whilst the Netgear ReadyNAS was one of the ranges I looked at, I ultimately purchased a WD MyBook World Edition II device.
|
I've just read this whole thread from start to finish twice!
Some very useful and eye opening information in there, unlike XV105 I want / need to access a remote NAS and I want to transfer the data from that NAS to another NAS in our main office and I want to do that daily. I was considering using MioNet because I have it bundled with both NAS devices, a Western Digital MyBook World 1TB and a Western Digital ShareSpace 4TB. The software is also capable of running scheduled FTP so I was thinking perfect, I could run it at night when the LAN's aren't being used and everyone is tucked up in bed, except of course, our hacker mates. The data on the remote NAS is not that critical and sending it over the internet does not pose any real security threat to our company but the NAS in the main office has or will have stuff on it that is confidential, I cannot risk exposing that data. I'm still in a bit of quandary to be honest and MioNet are doing their best to convince me that there system is safe and secure. Hmmmm. Anyway, just wanted to let you know that this thread has helped more than just XV105 Al. |
Gwilo,
Welcome to PPRuNe, I see you've made good use of your inaugural post ! Glad this thread has been of use to more than XV. I shall leave you to your deliberations, but feel free to come back and ask questions in a new post if you're stuck. |
Hey Mixture, thanks very much...
I particularly liked this thread because XV made very clear and understandable posts and he came back and posted the solution, you don't get that very often, most people take the advice, fix the problem and then don't even bother thanking anyone, let alone confirming the solution and of course, this is very relevant to what I will soon be attempting to do. And thanks for inviting me back if I get any problems, I'll be trying to execute my little project within the next couple of weeks, so I've bookmarked this thread :ok: |
| All times are GMT. The time now is 16:12. |
Copyright © 2026 MH Sub I, LLC dba Internet Brands. All rights reserved. Use of this site indicates your consent to the Terms of Use.