March 15, 2009 Hey all, I was asking questions in a different post here, http://lime-technology.com/forum/index.php?topic=3416.msg29359#msg29359 and RobJ came across something in my syslog which he said could be concerning. I am posting this question here because it is off topic from my previous post and may need a more detailed response. In my syslog this was found:

Mar 5 22:47:57 Tower login[1284]: ROOT LOGIN on `pts/0' from `AC965835.ipt.aol.com'

I installed unMENU and this comes up as a minor warning, as well as another IP, which is my PC that is accessing my unRAID server. I understand the minor warning coming from my IP accessing my box, but I do not know where this AOL address is coming from. Does this mean something/someone outside of myself and my PC is accessing my server? Is this of concern, and if so, are there ways to keep this address from accessing my server/network? I appreciate any help I can get. Thanks.
March 15, 2009 This is more network security than an unRAID setup. Your network is allowing someone from the internet to log in to your unRAID system. The quick fix would be to set up password protection on your unRAID system. Next would be to address the security issue. How is your internet set up? Do you have a router? How is it configured? What hardware do you have on your network between your unRAID system and the internet?
March 15, 2009 I think it is also possible that someone close by was able to connect to his wireless router, meaning that they were INSIDE his network, not outside. Does that email sound like one of your neighbors?
March 15, 2009 If it were from inside his network it would only be an internal IP address and not a resolved DNS address, so it would be like 192.168.1.154 instead of AC965835.ipt.aol.com, which means it was an external connection from outside your network through the internet. That means his firewall is not protecting his network.
March 15, 2009 (Author) Thanks for the reply. Sorry I put it here, because I wasn't sure where to post this. If I should post elsewhere, please do tell. Otherwise, here is some information: I have a Linksys router with its firewall enabled. I have set up a password for my unRAID system.

"How is it configured?" What specifically would you like to know? I am not greatly experienced with this, but I can manage my way through things.

"What hardware do you have on your network between your unRAID system and the internet?" I have 4-5 PCs, 2 network printers, and the unRAID server.

Update: I tried some things to figure out what was going on. First I tried setting my router to not let my unRAID have any internet access; then I got what I believe is the correct thing:

Tower in.telnetd[1800]: connect from myIP (myIP)
Tower login[1801]: ROOT LOGIN on `pts/1' from `myIP'

where myIP = this current PC's IP address. This was correct, but when accessing my unRAID via telnet or http://tower it is much slower than when the router setting for the unRAID box allowed internet access. Next I reverted the router back to normal to let it have access to the internet and tried accessing my server not only from my PC but from various other PCs in my home network. I got results similar to the original:

Tower in.telnetd[1577]: connect from myIP (myIP)
Tower login[1578]: ROOT LOGIN on `pts/0' from `AC965835.ipt.aol.com'

I tried accessing unRAID from various other PCs and found that I still get the same aol.com results showing up, but it ended up being ACxxxx...:

Tower in.telnetd[1577]: connect from PCx_IP (PCx_IP)
Tower login[1578]: ROOT LOGIN on `pts/0' from `ACxxxxxx.ipt.aol.com'

where PCx_IP are various PC IPs on my network, and the xxxxxx values differ from one computer to the next. I also ran the 'ping -a PCx_IP' command on Windows from my PC. I get that it is: 'Pinging myPC.socal.rr.com [myIP] with 32 bytes of data'. I tried pinging my box and other PCs on my network and got: 'Pinging ACxxxxxx.ipt.aol.com [PCx_IP] with 32 bytes of data'. Would it be right to assume that AOL.com is there because I have Time Warner Cable? If so, why does it show rr.com on my PC and aol.com on the other PCs? It is just confusing me. Can you guys verify and clarify this for me, to see if I really am at a security risk? If it was just the box, then I can just restrict it from having internet access and only turn it on if something needs to be done with it, like updating unMENU's packages, other add-ons, and such (still new, so playing with these options). Unfortunately, it feels like it's my network right now and not only my box being affected. Sorry, I know there is a lot of stuff, and hopefully it is understandable. Thanks for your patience and help.
March 15, 2009 It's likely it's just you and your NAT is set up wrong. In the interim, audit your network for something set up wrong. Don't have any port forwards etc. unless you absolutely need them. The next time you see a log entry like this, do a: nslookup XXX.AOL.com, then go to ipchicken.com. If the two are the same, it is just broken NAT. If they are not the same, log in to your router and check your public IP address there (this is the best way anyway; I just can't talk you through this remotely since it's router specific). AOL uses megaproxies, which means your web-browsing IP can change, so ipchicken can give you a false reading.
March 15, 2009 (Author) NAS, thanks for the reply. "Don't have any port forwards etc. unless you absolutely need them." I only have one port open, which I use for torrents occasionally. I am just curious what you are asking me to compare. When doing nslookup I get:

Server: ...
Address: ...
Non-authoritative answer:
Name: ....aol.com
Address: myIP (for this PC)

I checked my router as well as ipchicken and they give the same address. I am assuming you are telling me to compare the first address given to the IP that my router/ipchicken gives me? If so, they are different. Since they are different, what does that mean? I am confused, because from what I understood they should be the same, or am I wrong? But what does it mean if they are different addresses?
March 15, 2009 NAS is asking you to compare the response IP from nslookup XXX.AOL.com to the one at ipchicken.com. So, say nslookup gives you 192.168.1.23 (which of course it couldn't, but I'm just using that number for illustration) and when you go to ipchicken.com it gives you 192.168.1.23 (it may also give you the .aol DNS name on ipchicken). If this happens you are OK (but I still don't understand how that could happen, as you shouldn't have outside access to your unRAID machine... I would think this kind of issue would be caused by bad routing data on your local machine that is trying to access the unRAID box). Can you do a "route print" from a cmd prompt and post?
March 15, 2009 "This was correct but when accessing my unraid via telnet or http://tower it is much slower than where the unraid box router setting was set to have internet access." When I hear of inconsistent access times through the network, and the only change is configuration related, I recommend making sure that your nameserver is set correctly; see the Improving unRAID Performance, Update nameserver & hosts file section. I really don't know if it will make a difference, just something to try... It can't hurt, and often helps Telnet and other types of initial access.
March 15, 2009 Something else you could try to get an idea of open ports is GRC's Shields Up, https://www.grc.com/x/ne.dll?bh0bkyd2 . You can run this scan and see what ports you have open to the internet.
March 15, 2009 (Author) nslookup:

Server: ....rr.com
Address: 66.xx.xxx.xx
Non-authoritative answer:
Name: ACxxxxxx.ipt.aol.com
Address: 172.xx.xxx.xx

ipchicken (as well as on my router): 76.xx.xxx.xx

"So; say nslookup gives you 192.168.1.23 (which of course it couldn't but i'm just using that number for illustration) and when you go to ipchicken.com it gives you 192.168.1.23 (it may also give you the .aol dns name on ipchicken). If this happens you are ok..."

66.xx.... != 76.xx..... (they are not equal). Is this not OK?

"Can you do a "route print" from a cmd prompt and post?"

===========================================================================
Interface List
  8 ...00 16 e6 51 4e 85 ...... Marvell Yukon 88E8053 PCI-E Gigabit Ethernet Controller
  1 ........................... Software Loopback Interface 1
  9 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
 26 ...00 00 00 00 00 00 00 e0  isatap.socal.rr.com
 27 ...00 00 00 00 00 00 00 e0  6TO4 Adapter
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     172.150.88.1  172.150.88.53     10
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      169.254.0.0      255.255.0.0         On-link     172.150.88.53    286
  169.254.255.255  255.255.255.255         On-link     172.150.88.53    266
     172.150.88.0    255.255.255.0         On-link     172.150.88.53    266
    172.150.88.53  255.255.255.255         On-link     172.150.88.53    266
   172.150.88.255  255.255.255.255         On-link     172.150.88.53    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     172.150.88.53    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     172.150.88.53    266
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 27   1110 ::/0                     2002:c058:6301::c058:6301
  1    306 ::1/128                  On-link
 27   1010 2002::/16                On-link
 27    266 2002:ac96:5835::ac96:5835/128
                                    On-link
  8    266 fe80::/64                On-link
  8    266 fe80::bdc8:8b75:4bcb:26e0/128
                                    On-link
  1    306 ff00::/8                 On-link
  8    266 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

RobJ - Thanks for the page and for looking into the different options. I just mentioned it earlier because the slowdown was only when I cut off internet access from my box; otherwise it runs fine. I just haven't decided if I will let it access the internet, because I found different scripts/add-ons here that may or may not require internet access. This I will determine after I verify whether or not I have a security risk on my box and such.

"Something else you could try to get an idea of open ports is GRC's Shields Up https://www.grc.com/x/ne.dll?bh0bkyd2 and you can run this scan and see what ports you have open to the internet." The File Sharing, Common Ports, and All Service Ports scans all passed and are in 'Stealth'.
March 16, 2009 This line from your routing table is interesting:

          0.0.0.0          0.0.0.0     172.150.88.1  172.150.88.53     10

So your internal network is 172..., which is what is coming back in the nslookup for the ACxxx... (172.xx.xxx.xx). So I doubt you have a security breach... unless the 172.xx address space is your ISP's internal address (you have your desktop directly connected to the ISP's modem?), but then I don't understand how you are sharing your internet with unRAID and other machines. Although, I just looked up the allowed (reserved) address space for internal networks (as I use 10. personally, so didn't remember the 172. range):

RFC1918 name   IP address range                 Number of addresses   Classful description        Largest CIDR block (subnet mask)   Host ID size
24-bit block   10.0.0.0 - 10.255.255.255        16,777,216            single class A              10.0.0.0/8 (255.0.0.0)             24 bits
20-bit block   172.16.0.0 - 172.31.255.255      1,048,576             16 contiguous class Bs      172.16.0.0/12 (255.240.0.0)        20 bits
16-bit block   192.168.0.0 - 192.168.255.255    65,536                256 contiguous class Cs     192.168.0.0/16 (255.255.0.0)       16 bits

This shows that 172.150 (which you use) is actually a public range. You should change your router to use a different address space, 192.168.? or 10.?, and see if that solves your problem. ... [edit] Re-reading this thread, I am fairly certain that changing your internal network address space will solve this problem.
March 16, 2009 I think marcusone has nailed it. I suspect that whoever set up your networking was aware that you could 'personalize' the IP for your subnet by changing the third number of the 4 that make up an IP, but on seeing the default for this router of 172.16.*.*, changed the second number instead. You will want to change the 150 to something between 16 and 31. Then ensure any other router settings are consistent with that, such as DHCP configuration, then check all of your networked devices and machines to make sure they either use DHCP or change their static IP to be consistent with your new local IP range.
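Editor's worked example (added to this archived thread; it is not code from any of the posters or from unRAID/unMENU). The two posts above can be checked against the thread's own data: the eight hex digits in the login origin AC965835 decode byte-by-byte to 0xAC.0x96.0x58.0x35 = 172.150.88.53, which is exactly the interface address shown in the posted route print (and the same value is embedded in the 6to4 address 2002:ac96:5835::ac96:5835 listed there). In other words the "AOL" hostname is just the reverse-DNS (PTR) name that the real owner of the public 172.150.x.x range publishes for that address; the LAN was numbered out of a public block instead of RFC 1918 space, so every LAN host gets an aol.com name. The script below does that decoding, checks a LAN subnet against the three RFC 1918 blocks explicitly (rather than relying on Python's broader is_private notion), and classifies ROOT LOGIN lines from a syslog. The syslog lines are constructed to mirror the ones quoted in the thread (the 172.150.88.60, 203.0.113.7 and host.example.net entries are invented), the function names are the editor's own, and the 172.150.88.0/24 subnet is taken from the route print.

```python
import ipaddress
import re

# RFC 1918 private address blocks: the only ranges a home LAN should be numbered from.
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches the login(1) line unRAID writes: ... login[PID]: ROOT LOGIN on `pts/0' from `HOST'
LOGIN_RE = re.compile(r"login\[\d+\]: ROOT LOGIN on `[^']*' from `([^']+)'")

# A first DNS label of exactly eight hex digits, as in AC965835.ipt.aol.com
HEX_PREFIX_RE = re.compile(r"^([0-9A-Fa-f]{8})\.")

# Constructed sample lines modelled on the ones quoted in the thread (not a real capture).
SAMPLE_SYSLOG = """\
Mar  5 22:47:57 Tower in.telnetd[1577]: connect from 172.150.88.53 (172.150.88.53)
Mar  5 22:47:57 Tower login[1578]: ROOT LOGIN on `pts/0' from `AC965835.ipt.aol.com'
Mar  5 22:51:02 Tower in.telnetd[1600]: connect from 172.150.88.60 (172.150.88.60)
Mar  5 22:51:02 Tower login[1601]: ROOT LOGIN on `pts/1' from `172.150.88.60'
Mar  5 23:10:44 Tower login[1700]: ROOT LOGIN on `pts/2' from `203.0.113.7'
Mar  5 23:12:09 Tower login[1712]: ROOT LOGIN on `pts/3' from `host.example.net'
"""


def is_rfc1918(addr_or_net):
    """True if an address or whole network lies inside one of the RFC 1918 blocks."""
    net = ipaddress.ip_network(str(addr_or_net), strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


def decode_hex_host(host):
    """Decode a hostname whose first label is eight hex digits into the IPv4 it encodes.

    AC965835 -> 0xAC 0x96 0x58 0x35 -> 172.150.88.53.  Returns None when the label
    is not such an encoding.  Heuristic: any eight-hex-digit first label will decode.
    """
    m = HEX_PREFIX_RE.match(host)
    if not m:
        return None
    return ipaddress.IPv4Address(bytes.fromhex(m.group(1)))


def origin_address(host):
    """IPv4 address behind a login origin: a literal IP, or a hex-encoded PTR name."""
    try:
        return ipaddress.IPv4Address(host)
    except ipaddress.AddressValueError:
        return decode_hex_host(host)


def classify_logins(syslog_text, lan_network):
    """Classify each ROOT LOGIN origin relative to the LAN subnet.

    Returns a list of (host, ip_or_None, verdict) where verdict is one of:
      'lan'              inside the LAN and the LAN is RFC 1918 space (normal)
      'lan-public-range' inside the LAN, but the LAN uses public addresses, so
                         reverse DNS may name whoever really owns that range
      'external'         an address outside the LAN (investigate)
      'unresolved'       no IPv4 could be derived from the hostname
    """
    lan = ipaddress.IPv4Network(lan_network, strict=False)
    lan_private = is_rfc1918(lan)
    results = []
    for line in syslog_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue
        host = m.group(1)
        ip = origin_address(host)
        if ip is None:
            verdict = "unresolved"
        elif ip in lan:
            verdict = "lan" if lan_private else "lan-public-range"
        else:
            verdict = "external"
        results.append((host, str(ip) if ip else None, verdict))
    return results


if __name__ == "__main__":
    # 172.150.88.0/24 is the subnet visible in the route print posted in the thread.
    print("172.150.88.0/24 is RFC 1918:", is_rfc1918("172.150.88.0/24"))
    print("172.16.88.0/24 is RFC 1918: ", is_rfc1918("172.16.88.0/24"))
    for row in classify_logins(SAMPLE_SYSLOG, "172.150.88.0/24"):
        print(row)
```

Run it and the AC965835 login comes back as 172.150.88.53 in the LAN but flagged 'lan-public-range', which is the whole story of this thread: not an intruder, but a LAN that should be renumbered into 172.16.0.0/12 (or 10.0.0.0/8, 192.168.0.0/16). Once the LAN sits in RFC 1918 space, the same check returns 'lan' for local machines and only genuinely outside addresses are reported as 'external'.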
This topic is now archived and is closed to further replies.