Router's firewall being bypassed?

[hiriskpaul]

Over the last few days I have been getting emails from my Synology NAS looking like this:

Dear user,

The IP address [218.65.30.25] experienced 10 failed attempts when attempting to log into SSH running on Synology1 within 5 minutes, and was blocked at Sat Mar 24 01:20:44 2018.

Sincerely,
Synology DiskStation

So it looks as though someone is trying to hack into my network/NAS. Initially I thought I may have left port forwarding set up in my BT Smart Hub to direct SSH to my NAS, but I do not and currently have no port forwarding configured. So the question is, how can people be connecting to my NAS in the first place? And if this is happening, what other attacks might be going on?

My other thought is that this may be some nonsensical message being sent from my NAS, which does update itself fairly regularly.

[kyu66]

So it looks as though someone is trying to hack into my network/NAS. Initially I thought I may have left port forwarding set up in my BT Smart Hub to direct SSH to my NAS, but I do not and currently have no port forwarding configured. So the question is, how can people be connecting to my NAS in the first place? And if this is happening, what other attacks might be going on?

My other thought is that this may be some nonsensical message being sent from my NAS, which does update itself fairly regularly.

Another potential attack surface could be QuickConnect. This bypasses your local router allowing a virtual tunnel between a client and your NAS via the Synology QuickConnect Servers. If your NAS has this enabled then it could be a random attack using your QuickConnect id.

[hiriskpaul]

I was wondering whether this was a potential issue with QuickConnect, but I have now found the problem - a bug in my BT not-so-smart Hub!

I put an SSH app on my phone (JuiceSSH), disabled wifi and tried to connect to my hubs IP address and low and behold it directs me to my Synology NAS, even though I did not have port forwarding set up. I set up port forwarding to a PC that is not listening on port 22 and that stops me getting in, but when I delete the port forwarding rule it again directs me back to my NAS. So the BT Hub is somehow remembering the fact that I did at one time have port 22 forwarding set up and defaults to that forwarding in the absence of an alternative rule.

[johnhemming]

I run my private office off a BT fibre optic with 16 externally addressable IP addresses on a subnet x.x.x.x/240. A while ago I decided to swap from a BT Business Hub to Draytek because the Business Hub is unpredictable in its behaviour and for example appeared to block DNS UDP queries as it thought they were a DOS attack. BT said they could not support anything out of the ordinary

Draytek has been quite good and also enables me to do a proper packet sniffing job if I want to as it mirrors all of the packets to a particular IP address.

[hiriskpaul]

I just tried to find a way to report the bug in the hub, but could not find a way to! I guess BT don't really care. Having a flaky firewall though is not ideal.

[johnhemming]

I guess BT don't really care.

I think their view is that they are not really bothered about any subtleties.

[Breelander]

...I have now found the problem - a bug in my BT not-so-smart Hub! ... the BT Hub is somehow remembering the fact that I did at one time have port 22 forwarding set up and defaults to that forwarding in the absence of an alternative rule.

BT Hubs have a reset option on their Admin pages, that should make it forget everything (including any passwords you've changed). Mine says...

Reset to Factory Defaults
This reset will return your Hub’s settings back to its original default factory settings.

After reset is complete you will need to re-apply your personal hub settings and configuration, you will also need to reconnect your devices and reset any port forward rules.

You may like to consider creating a back-up copy of your hub settings before you reset. You can select the ‘Backup/Restore’ menu above; or you can choose the ‘Help’ or A-Z’ links on the top right for more information.

[hiriskpaul]

Good idea, hopefully that should clear it.

[martint123]

if you google 218.65.30.25 there are a lot of reports of attempts at SSH hacking from that chinese address. Not sure how they seem to be bypassing your router firewall though - I've not read many of teh google posts.

[Infrasonic]

https://www.grc.com/x/ne.dll?bh0bkyd2