Hi,
I have SH2 and 2 Complete wifi disks (black), have a fairly complex network with 5 network switches, with around 60 devices including doorbells, smartplugs/lights, Synology NAS, TVs, PCs and laptops etc, and recently I noticed some hacking attempts on my NAS. I have a laptop running Wireshark to try and identify the source, e.g. from the internet, or if one of my devices like smartplugs is allowing entry via UPnP. I am considering purchasing a managed switch to route all LAN traffic into a single port of the SH2, and hence configure one of the managed switch ports to act as a monitor. However, could someone confirm whether, if I connect the "Wireshark" laptop via wifi, it can see all wifi traffic from any device, i.e. do the wifi disks simply broadcast all wifi traffic irrespective of which wifi device they are connected to, e.g. SH2 or any wifi disk, so I can determine which device is doing the hacking, or if it is coming from the internet via port forwarding (and which port it is using)?
Thanks
Gary
It's kinda hard to say without knowing how you have set up Wireshark. The basic setup of Wireshark is to monitor a particular interface such as an ethernet port or wifi, but local to the device where it is installed, i.e. you don't want to just see what's coming in to the laptop as that would defeat the purpose. How have you set it up?
Also more importantly what is the nature of the hacking attempts on the NAS, what are they?
I'm not too concerned with hackers scanning for open ports and attempting login to the admin account, which has been disabled, and I've also implemented indefinite IP blocking after a single failed attempt to any account. Synology does not provide details of which port, i.e. the application, to which an attempt was made. I have disabled remote port forwarding for direct DSM access, as I don't need this, but I do have access via port forwarding on SH2 for videos, files, photos, and surveillance cameras applications. I guess hackers are continually scanning for ports on all IP addresses to identify open ones and what they think is at the end of it to attempt admin logins. I intend to set up Wireshark to monitor all LAN traffic to the Synology NAS, and wifi (after I install a managed switch to allow monitoring of LAN traffic). I have a main switch connected directly to SH2 to avoid overloading SH2 for local heavy traffic (file transfers/video streaming etc) and this is where I should be able to monitor all LAN traffic to the NAS. However I was unsure on how the Wifi complete network operates, i.e. if my laptop logs into the SH2 wifi, will it be able to see all traffic on the wifi network? Do the wifi complete disks act as basically dumb ethernet hubs (not switches), so that all wifi traffic should be visible to my laptop (once I have configured the wifi port for monitoring)? Or will my laptop only be able to see wifi traffic on the SH2 or disk it is connected to? I also just wanted to verify that none of my smart devices, e.g. smartplugs/lights made in China, are being used as a backdoor. I don't really want to spend a lot of time reconfiguring my network with VLANs to isolate them (and I don't think SH2 and wifi complete support multiple VLANs).
Note, the hacking attempts are sporadic, tend to come in groups (roughly anywhere from 10 to 100) from mainly China/US (although who knows in reality). Once the attempt and IP is blocked, it is usually followed immediately by another attempt from a different IP address since the previous one is blocked, always using the admin username (this account is blocked, and I have long passwords for accounts with admin access). Looking up these IP addresses shows they are commonly observed as frequent hacking IPs, no doubt someone's PC is infected as a trojan. Reported a whole block previously to BT security but too many to deal with.
Cheers for the response.
Ethernet switches filter by MAC address so packets are only sent on the port that is connected to the destination MAC address, unlike multiport repeaters that send all packets to all ports. It is very difficult to therefore use Wireshark on a PC that only has 1 interface to see packets directed to a MAC address on another port of a switch even in promiscuous mode.
A switch that supports MAC address monitoring, or allows port mirroring, is one way to see what is sending packets to a given MAC. Alternatively, configure a PC with 2 interfaces so that it acts as a router, allowing Wireshark to monitor packets to a given MAC address as everything passes through the PC. Does your NAS allow you to install any ethernet monitoring on its ethernet interface?
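As an added example (not part of any post in this thread): once a mirror port or inline capture point like those described above is in place, a short script can split connection attempts to the NAS into LAN-originated and internet-originated ones and show which port each one hit. The subnet, NAS address, port numbers and sample records are constructed, and it assumes the SH2 keeps the original source address when it port-forwards.

```python
import ipaddress
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home subnet
NAS = ipaddress.ip_address("192.168.1.50")    # assumed NAS address

# Constructed sample, one TCP SYN per line as "src,dst,dstport". A capture can be
# exported in this shape with:
#   tshark -r nas.pcapng -Y "tcp.flags.syn==1 && tcp.flags.ack==0" \
#          -T fields -e ip.src -e ip.dst -e tcp.dstport -E separator=,
SAMPLE = """\
203.0.113.7,192.168.1.50,8443
203.0.113.7,192.168.1.50,8443
198.51.100.23,192.168.1.50,8443
198.51.100.24,192.168.1.50,9025
192.168.1.77,192.168.1.50,445
192.168.1.77,192.168.1.50,8443
192.168.1.50,203.0.113.9,443
bad line
"""

def summarise(text):
    """Return {(origin, port): {source_ip: syn_count}} for SYNs sent to the NAS."""
    out = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 3:
            continue  # skip malformed records
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
            port = int(parts[2])
        except ValueError:
            continue
        if dst != NAS:
            continue  # outbound or unrelated traffic
        origin = "lan" if src in LAN else "internet"
        out[(origin, port)][str(src)] += 1
    return {key: dict(val) for key, val in out.items()}

def report(summary):
    """Rows of (origin, port, distinct_sources, total_syns), sorted."""
    return [(origin, port, len(srcs), sum(srcs.values()))
            for (origin, port), srcs in sorted(summary.items())]

if __name__ == "__main__":
    for origin, port, n_src, n_syn in report(summarise(SAMPLE)):
        print(f"{origin:8} port {port:5}  sources={n_src}  syns={n_syn}")
```

Rows marked `internet` identify the forwarded ports that outside addresses are reaching; rows marked `lan` show which local devices open connections to the NAS.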
Yeah you could in fact build a Raspberry Pi and install an eth1 onto it via USB adapter and run it there monitoring the in and out, placing it between your SH2 and a core switch.
But if I understand it right your NAS is externally facing so you can access your content remotely? If that’s what you’re saying just use a VPN server. The OpenVPN Pi Server project is so easy to set up and free for your first two users, in fact unless multiple users will need to be connected at one time you can indefinitely share the same two users.
So you’ll have a VPN server at home and then client installations on the devices that need access to the NAS. Instead of accessing via an external IP you’ll just be safely going through your VPN and your client device will just use local IPs like they are actually sitting on your home network. Then you can turn off ALL external access to the NAS.
In my opinion you’re gonna be chasing your tail looking for ‘China’ etc
You could use a Pi-Hole project if you wanted a little more monitoring of what your devices are doing and have a little more faith that you are protected. You’ll have to turn off the SH2 DHCP server and enable it on the Pi-Hole as you cannot configure the SH2 to use alternative DNS.
Lastly if you’re that into this sort of stuff you might want to move away from the SH2 altogether and give yourself far more data to work with off the bat.
Good luck with it though if you decide to proceed.
'Hackers', and I use the term loosely in this example as I don't consider it real hacking, just scan for stuff they can hit over the internet then try to log in with generic usernames. Your 'hacking attempts' I would put money on have nothing to do with your IoT devices such as smart plugs and switches. These groups just know Synology uses certain ports so chances are a lot of them are going to be open; Synology being a major brand and having a variety of methods for external access, many users will have one of the methods open.
At work we have an external facing SFTP server on which I sometimes see 100's of daily attempts to generic accounts such as 'vmware', 'root', 'admin', 'linuxadmin', and so on... no such generic accounts exist and any attempt to log in with a username that doesn't exist immediately blacklists the IP... then the same stuff comes in from another IP, quite the waste of IPv4 addresses if you ask me. It also sits behind an enterprise firewall and web application filtering, belt and braces.
Generally I'd never recommend a single device being open to the internet, especially one that contains all of your stuff. For me it's not a concern of privacy, it's just a concern of how long it took me to collect it all, 1000's of photos over the years etc. OpenVPN will use certs plus you can set a mental password on top. It has further benefits as well because once you are connected to the VPN you have access to your entire network, so your media client on your phone/tablet/laptop or whatever it is you take away with you... can just remain configured with the local IP of your NAS.
You can buy your own domain name for next to nothing, set up dynamic DNS and have your VPN clients configured to connect to it.
There are far better Complete WIFI solutions out there and routers, but your integrated 4G backup is a good thing to have, but I wouldn't have that over having my own gear that I can play with. I can dump out all sorts from my router and create completely custom firewall rules, multi VLANs to segregate my IoT from my NAS... if you are concerned about hacking attempts then take the power back 🙂
Anyway, I guess you didn't ask for my advice like this so I'll leave you to consider the options now.
If it makes you feel better, I have 20 ish smart bulb/switches/plugs, all 3rd party brands, by that I mean not Hive, Hue etc... the ones you connect to the Smart Life app... none have exhibited even a packet of suspicious behavior the entire time I've had them (years).
Your web browsing/purchasing and Alexas (if you have them) will be tracking more of what you do, these dumb smart devices probably don't even have the capability to log or track anything.