Hi,
A person who bought a new 520 a few months ago contacted me, and I helped him set up the NAS for basic home usage. But somebody before me told him on a forum (where he also asked for help) to open ports 80, 22, 23, 25, 21. And he did it... So when I noticed this, I advised him to immediately close these ports. So now only the TM's communication port is open, and UPnP is disabled on the router.
But this afternoon he also sent me an interesting screenshot from the NAS's web GUI, where I could see some external IPs logged in to SSH...
He can't speak English, that's why I am writing this, but please help. I am puzzled about what's happening now...
Thanks!
Unknown SSH connections on an NSA520
Thanks nas-central the lot of help! 

Re: Unknown SSH connections on an NSA520
Can you post the output of 'netstat -tu' on that box? And can you test if you can actually connect to port 22 on his public IP?
Re: Unknown SSH connections on an NSA520
Now that it's mentioned, I remembered that I have this "problem" as well:
https://dl.dropboxusercontent.com/u/120 ... l/ssh-.PNG
From netstat -tu:
tcp 0 73824 10.125.210.20:krb524 203.87.129.162:22892 ESTABLISHED
Full dump:
https://dl.dropboxusercontent.com/u/120 ... l/ssh-.txt
I never bothered to start a thread since an outsider cannot connect to it (verified it through my mobile internet and my laptop)...
I checked it again and it's the same, there is nothing on port 22, I blocked that IP in my router just in case.
/edit
who -a does not show it, hmmm....

https://dl.dropboxusercontent.com/u/120 ... l/ssh2.PNG
/edit2
Just checked it again, it's still established even though my router is configured to block that IP. I set that rule to make a log entry every time it blocks traffic to that IP, but I can't see any entry made by this rule...
/edit3
Found it, it was a connection made by Transmission...
https://dl.dropboxusercontent.com/u/120 ... al/ssh.PNG
I disabled then re-enabled it and it's gone. But I don't know why it was showing up in current connections as SSH...
Last edited by jagdtigger on Sun Dec 04, 2016 8:38 pm, edited 4 times in total.
Zyxel NSA325 [4.81(AAAJ.1) + Metarepo, local apt-mirror for ubuntu and debian]
Zyxel NAS540 [V5.20(AATB.0)]
Synology DS416
Re: Unknown SSH connections on an NSA520
Mijzelf wrote: Can you post the output of 'netstat -tu' on that box? And can you test if you can actually connect to port 22 on his public IP?
Hi,
First of all, thanks for your reply!
No, I cannot connect to his port 22, so it is closed. The netstat showed the unknown address, but I told him to check the 'env', where a variable (I don't know the exact name without a Linux shell) shows the current "real" SSH connections. And here we cannot see the IP. So that was another type of connection. Secondly, I told him to disable Transmission, and when he did it, all of these secret IP addresses disappeared.

So, mystery solved!
Thanks nas-central the lot of help! 

Re: Unknown SSH connections on an NSA520
@jagdtigger, looks like you have a similar problem.

Thanks nas-central the lot of help! 

Re: Unknown SSH connections on an NSA520
Transmission of course gives a bunch of random connections. I wouldn't expect the web interface to erroneously list that as SSH connections. But it's Zyxel, so...
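Added example (not part of any post in this thread): one way to settle which process owns a connection like the one in the netstat line above is to read /proc/net/tcp numerically and match the socket inode against each process's fd links. The sample row is constructed from the thread's addresses; local port 4444 (the port /etc/services lists as krb524), the inode, the PID and the binary path used with it are assumptions.

```shell
#!/bin/sh
# Added example: attribute ESTABLISHED TCP sockets to processes, numerically.

# Constructed sample in /proc/net/tcp format: an sshd listener on port 22 and
# the thread's connection (local port 4444 and inode 98765 are assumptions).
sample_table() {
cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4120
   1: 14D27D0A:115C A28157CB:596C 01 00012060:00000000 01:00000014 00000000   501        0 98765
EOF
}

# Decode "AABBCCDD:PPPP" (IPv4; address bytes little-endian, as on ARM/x86).
hex_to_endpoint() {
    h=${1%:*}; p=${1#*:}
    printf '%d.%d.%d.%d:%d\n' \
        "0x$(echo "$h" | cut -c7-8)" "0x$(echo "$h" | cut -c5-6)" \
        "0x$(echo "$h" | cut -c3-4)" "0x$(echo "$h" | cut -c1-2)" "0x$p"
}

# Print "local remote inode" for every socket in state 01 (ESTABLISHED).
established_sockets() {
    while read -r _sl loc rem st _q _t _r _uid _to inode _rest; do
        [ "$st" = "01" ] || continue
        echo "$(hex_to_endpoint "$loc") $(hex_to_endpoint "$rem") $inode"
    done < "$1"
}

# Find the process holding socket inode $1 by scanning <proc>/<pid>/fd links
# (needs root to see other users' processes). Prints "pid exe-path".
socket_owner() {
    proc=${2:-/proc}
    for fd in "$proc"/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#"$proc"/}; pid=${pid%%/*}
        echo "$pid $(readlink "$proc/$pid/exe" 2>/dev/null)"
        return 0
    done
    return 1
}

# One line per established connection: endpoints plus owning process.
report() {
    established_sockets "$1" | while read -r loc rem inode; do
        echo "$loc <-> $rem $(socket_owner "$inode" "${2:-/proc}" || echo unknown)"
    done
}
```

On the box itself, `report /proc/net/tcp` run as root lists the live connections; a row owned by the Transmission binary rather than sshd is a torrent peer, whatever service name a front end attaches to the port. IPv6 sockets live in /proc/net/tcp6 and are not decoded here.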
Re: Unknown SSH connections on an NSA520
Sorry, folks, I cannot agree that it is a Transmission connection
https://1drv.ms/i/s!AhOcYBMesZg91DYc-X-gvTHDcNru
At the router I forwarded port 22 from WAN to a wrong port at a non-existing intranet IP, but to no avail:
https://1drv.ms/i/s!AhOcYBMesZg91D5RYTH28nlQAuRL

Last edited by voland on Thu Mar 09, 2017 12:10 pm, edited 1 time in total.
Re: Unknown SSH connections on an NSA520
...and again, this time with AFP protocol (not SSH) - again there is no match with Transmission:
https://1drv.ms/i/s!AhOcYBMesZg91D0h5QlLZ7AGr9sp
......
But in that case there is the match:
https://1drv.ms/i/s!AhOcYBMesZg91DUGGdAJvcAjlPN0
https://1drv.ms/i/s!AhOcYBMesZg91DcqLUJgS-dakbVH
WTH?!
------
Is it possible that Transmission had some flaw that allowed an attacker to tunnel his IP/activity/protocol through another IP/activity/protocol? In other words, is it possible that the "Current connections" window tells the truth while basic utilities such as netstat are being deceived?
