
Security - Someone other than me accessing my server?


Hey all, I was asking questions in a different post here, http://lime-technology.com/forum/index.php?topic=3416.msg29359#msg29359 and RobJ came across something in my syslog which he said could be concerning.  I am posting this question here because it is off topic from my previous post and may need a more detailed response.

 

In my syslog this was found:

 

Mar  5 22:47:57 Tower login[1284]: ROOT LOGIN  on `pts/0' from `AC965835.ipt.aol.com'

 

 

I installed unmenu and this comes up as a minor warning, as well as another IP which is my PC that is accessing my unraid server.  I understand the minor warning coming from my IP accessing my box but I do not know where this AOL address is coming from.  Does this mean something/someone outside of myself and my PC is accessing my server?  Is this of concern and if so are there ways to stop this address from accessing my server/network?

 

 

I appreciate any help I can get.  Thanks.

 

 

 

This is more network security than an unraid setup. Your network is allowing someone from the internet to login to your unraid system. The quick fix would be to set up password protection on your unraid system. Next would be to address the security issue. How is your internet setup? Do you have a router? How is it configured? What hardware do you have on your network between your unraid system and the internet?

I think it is also possible that someone close by was able to connect to his wireless router meaning that they were INSIDE his network, not outside.

 

Does that email sound like one of your neighbors?

If it were from inside his network it would only be an internal IP address and not a resolved DNS address, so it would be like 192.168.1.154 instead of AC965835.ipt.aol.com, which means it was an external connection from outside your network through the internet. That means his firewall is not protecting his network.

  • Author

Thanks for the reply.

 

Sorry I put it here because I wasn't sure where to post this.  If I should post elsewhere please do tell.

 

Otherwise here is some information:

I have a linksys router w/ its firewall enabled.  I have setup a password for my unraid system. 

 

how is it configured?

 

What specifically would you like to know?  I am not greatly experienced with this but I can manage my way through things.

 

what hardware do you have on your network between your unraid system and the internet?

 

I have 4-5 PCs, 2 network printers, and the unraid server.

 

 

 

Update:  I tried some things to try to figure out what was going on.  First I just tried setting my router to not let my unraid have any internet access then I got the correct thing I believe which is:

 

Tower in.telnetd[1800]: connect from myIP (myIP)

Tower login[1801]: ROOT LOGIN on `pts/1' from `myIP', where myIP = this current PC's IP address.

 

This was correct, but when accessing my unraid via telnet or http://tower it is much slower than when the router setting for the unraid box allowed it internet access.

 

 

 

Next I reverted the router back to normal to let it have access to the internet and tried accessing my server not only from my PC but from various other PCs in my home network.  I got similar results to the original:

 

Tower in.telnetd[1577]: connect from myIP (myIP)

Tower login[1578]: ROOT LOGIN on `pts/0' from `AC965835.ipt.aol.com'

 

I tried accessing unraid from various other PCs and found that I still get the same aol.com results showing up but it ended up being ACxxxx...

 

Tower in.telnetd[1577]: connect from PCx_IP (PCx_IP),     where PCx_IP are various PC IPs on my network

Tower login[1578]: ROOT LOGIN on `pts/0' from `ACxxxxxx.ipt.aol.com',     where the xxxxxx values differ from one computer to the next.

 

 

 

I also did the 'ping -a PCx_IP' command on windows from my PC.  I get that it is:

 

'Pinging myPC.socal.rr.com [myIP] with 32 bytes of data'

 

I tried pinging my box and other PCs on my network and got:

 

'Pinging ACxxxxxx.ipt.aol.com [PCx_IP] with 32 bytes of data:'

 

 

 

Would it be right to assume that AOL.com is there because I have Time Warner Cable?  If so, why does it show rr.com on my PC and aol.com on the other PCs?  It is just confusing me.  Can you guys verify and clarify this for me to see if I really am at a security risk?  If it was just the box then I can just restrict it from having internet access and just turn it on if something needs to be done with it like updating unmenu's packages, other addons, and stuff (still new so playing with these options).  Unfortunately, it feels like it's with my network right now and not only my box being affected. 

 

Sorry, I know there is a lot of stuff and hopefully it is understandable.  Thanks for your patience and help.

 

 

 

It's likely it's just you and your NAT is set up wrong.

 

In the interim, audit your network for something set up wrong. Don't have any port forwards etc. unless you absolutely need them.

 

The next time you see a log entry like this do a:

 

nslookup XXX.AOL.com

 

then go to

 

ipchicken.com

 

If the 2 are the same it is just broken NAT.

 

If they are not the same, login to your router and check your public IP address there (this is the best way anyway, I just can't talk you through this remotely since it's router specific).

 

AOL uses megaproxies, which means your web browsing IP can change, so ipchicken can give you a false reading.

  • Author

NAS- Thanks for the reply.

 

Don't have any port forwards etc. unless you absolutely need them.

 

I only have one port open which I use for torrents occasionally. 

 

 

I am just curious at what you are asking me to compare.  When doing nslookup I get

 

Server: ...

Address: ...

 

Non-authoritative answer:

Name: ....aol.com

Address:  myIP (for this PC)

 

 

I checked my router as well as ipchicken and they give the same address.  I am assuming you are telling me to compare the first address given to the IP that my router/ipchicken gives me?  If so they are different.  Since they are different, what does that mean?  I am confused because from what I understood they should be the same, or am I wrong?  But what does it mean if they are different addresses?

 

 

 

 

 

 

 

NAS is asking you to compare the response IP from

 

nslookup XXX.AOL.com

 

to the one at

 

ipchicken.com

 

So; say nslookup gives you 192.168.1.23 (which of course it couldn't, but I'm just using that number for illustration)

and when you go to ipchicken.com it gives you 192.168.1.23 (it may also give you the .aol DNS name on ipchicken).  If this happens you are ok (but I still don't understand how that could happen, as you shouldn't have outside access to your unraid machine... I would think this kind of issue would be caused by bad routing data on your local machine that is trying to access the unraid box)

 

Can you do a "route print" from a cmd prompt and post?

 

 

This was correct, but when accessing my unraid via telnet or http://tower it is much slower than when the router setting for the unraid box allowed it internet access.

 

When I hear of inconsistent access times through the network, and the only change is configuration related, I recommend making sure that your nameserver is set correctly, see the Improving unRAID Performance, Update nameserver & hosts file section.  I really don't know if it will make a difference, just something to try...  It can't hurt, and often helps Telnet and other types of initial access.

Something else you could try to get an idea of open ports is GRC's Shields Up https://www.grc.com/x/ne.dll?bh0bkyd2 and you can run this scan and see what ports you have open to the internet.

  • Author

NSlookup:

 

Server: ....rr.com

Address:  66.xx.xxx.xx

Non-authoritative answer:

Name:    ACxxxxxx.ipt.aol.com

Address:  172.xx.xxx.xx

 

ipchicken (as well as on my router):

76.xx.xxx.xx

 

So; say nslookup gives you 192.168.1.23 (which of course it couldn't, but I'm just using that number for illustration)

and when you go to ipchicken.com it gives you 192.168.1.23 (it may also give you the .aol DNS name on ipchicken).  If this happens you are ok...

 

66.xx.... != 76.xx.....  (they are not equal) Is this not ok?

 

 

Can you do a "route print" from a cmd prompt and post?

 

===========================================================================

Interface List

  8 ...00 16 e6 51 4e 85 ...... Marvell Yukon 88E8053 PCI-E Gigabit Ethernet Co

troller

  1 ........................... Software Loopback Interface 1

  9 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface

26 ...00 00 00 00 00 00 00 e0  isatap.socal.rr.com

27 ...00 00 00 00 00 00 00 e0  6TO4 Adapter

===========================================================================

 

IPv4 Route Table

===========================================================================

Active Routes:

Network Destination        Netmask          Gateway       Interface  Metric

          0.0.0.0          0.0.0.0     172.150.88.1    172.150.88.53     10

        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306

        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306

  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306

      169.254.0.0      255.255.0.0         On-link     172.150.88.53    286

  169.254.255.255  255.255.255.255         On-link     172.150.88.53    266

     172.150.88.0    255.255.255.0         On-link     172.150.88.53    266

    172.150.88.53  255.255.255.255         On-link     172.150.88.53    266

   172.150.88.255  255.255.255.255         On-link     172.150.88.53    266

        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306

        224.0.0.0        240.0.0.0         On-link     172.150.88.53    266

  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306

  255.255.255.255  255.255.255.255         On-link     172.150.88.53    266

===========================================================================

Persistent Routes:

  None

 

IPv6 Route Table

===========================================================================

Active Routes:

If Metric Network Destination      Gateway

27   1110 ::/0                     2002:c058:6301::c058:6301

  1    306 ::1/128                  On-link

27   1010 2002::/16                On-link

27    266 2002:ac96:5835::ac96:5835/128

                                    On-link

  8    266 fe80::/64                On-link

  8    266 fe80::bdc8:8b75:4bcb:26e0/128

                                    On-link

  1    306 ff00::/8                 On-link

  8    266 ff00::/8                 On-link

===========================================================================

Persistent Routes:

  None

 

 

RobJ - Thanks for the page and looking into the different options.  I just mentioned it earlier because the slowdown was only when I cut off internet access from my box; otherwise it runs fine.  I just haven't decided if I will let it access the internet because I found different scripts/add-ons here that may or may not require internet access.  This I will determine after I verify whether or not I have a security risk on my box and such.

 

 

Something else you could try to get an idea of open ports is GRC's Shields Up https://www.grc.com/x/ne.dll?bh0bkyd2 and you can run this scan and see what ports you have open to the internet.

 

The File Sharing, common ports, and all service ports all passed and are in 'Stealth'.

 

 

 

 

This line from your routing table is interesting:

0.0.0.0 0.0.0.0   172.150.88.1 172.150.88.53   10

So your internal network is 172...

 

which is coming back in the nslookup for the ACxxx... 172.xx.xxx.xx

 

So I doubt you have a security breach... unless the 172.xx address space is your ISPs internal address (you have your desktop directly connected to the ISPs modem?), but then I don't understand how you are sharing your internet with unRAID and other machines.

 

Although, I just looked up the allowed (reserved) address space for internal networks (as I use 10. personal so didn't remember the 172. range):

RFC1918 name   IP address range               Number of addresses  Classful description     Largest CIDR block (subnet mask)  Host id size

24-bit block   10.0.0.0 – 10.255.255.255      16,777,216           single class A           10.0.0.0/8 (255.0.0.0)            24 bits

20-bit block   172.16.0.0 – 172.31.255.255    1,048,576            16 contiguous class Bs   172.16.0.0/12 (255.240.0.0)       20 bits

16-bit block   192.168.0.0 – 192.168.255.255  65,536               256 contiguous class Cs  192.168.0.0/16 (255.255.0.0)      16 bits

 

This shows that 172.150 (which you use) is actually a public range. You should change your router to use a different address space.

192.168.?, or 10.?

 

and see if that solves your problem. ... [edit] Re-reading this thread, I am fairly certain that changing your internal network address space will solve this problem.

 

I think marcusone has nailed it.  I suspect that whoever set up your networking was aware that you could 'personalize' the IP for your subnet, by changing the third number of the 4 that make up an IP.  But on seeing the default for this router of 172.16.*.*, changed the second number instead.  You will want to change the 150 to something between 16 and 31.  Then ensure any other router settings are consistent with that, such as DHCP configuration, then check all of your networked devices and machines to make sure they either use DHCP or change their static IP to be consistent with your new local IP range.
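As an added example (not code from the thread or from unRAID), here is a small Python audit that applies marcusone's RFC1918 check to syslog ROOT LOGIN lines like the ones quoted above. It also decodes the 8 hex digits at the front of an ipt.aol.com style reverse-DNS name into the address they encode: AC965835 is 172.150.88.53, the very interface address shown in the poster's route print, which is why the "AOL" name changes from one PC to the next. The sample log lines are constructed for the example.

```python
import ipaddress
import re

# Constructed sample lines modelled on the syslog entries quoted in the thread;
# 172.150.88.53 is the interface address from the poster's route print.
SAMPLE_LOG = """\
Mar  5 22:47:57 Tower in.telnetd[1577]: connect from 172.150.88.53 (172.150.88.53)
Mar  5 22:47:57 Tower login[1578]: ROOT LOGIN  on `pts/0' from `AC965835.ipt.aol.com'
Mar  5 22:49:10 Tower login[1601]: ROOT LOGIN  on `pts/1' from `192.168.1.154'
"""

# The three RFC1918 blocks from marcusone's table (ipaddress.is_private would
# also count loopback, link-local and documentation ranges, so match explicitly).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LOGIN_RE = re.compile(r"login\[\d+\]: ROOT LOGIN\s+on `(?P<tty>[^']+)' from `(?P<src>[^']+)'")
HEXHOST_RE = re.compile(r"^([0-9A-Fa-f]{8})\.")
DOTTED_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def decode_hex_host(host):
    """IPv4 address hidden in an 8-hex-digit reverse-DNS prefix
    (AC965835.ipt.aol.com -> 172.150.88.53), or None if there is none."""
    m = HEXHOST_RE.match(host)
    return str(ipaddress.IPv4Address(int(m.group(1), 16))) if m else None

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def classify_source(src):
    """Map a login source (dotted quad or hostname) to (address, verdict)."""
    addr = src if DOTTED_RE.match(src) else decode_hex_host(src)
    if addr is None:
        return None, "unresolved"  # a name with no recoverable address
    return addr, ("private" if is_rfc1918(addr) else "public")

def audit(log_text):
    """One (tty, source, address, verdict) tuple per ROOT LOGIN line. A 'public'
    verdict on a LAN-only box means either the LAN is numbered from public space
    (the 172.150.x.x case in this thread) or the login really came from outside."""
    findings = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            addr, verdict = classify_source(m.group("src"))
            findings.append((m.group("tty"), m.group("src"), addr, verdict))
    return findings

if __name__ == "__main__":
    for tty, src, addr, verdict in audit(SAMPLE_LOG):
        print(f"{tty}: {src} -> {addr} [{verdict}]")
```

Running it against a real syslog: any "public" verdict on a box that should only ever see LAN logins is the cue to check the router's LAN range (as marcusone did) before assuming an outside intruder.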

Archived

This topic is now archived and is closed to further replies.
