Failed login attempts in hourly intervals to DSM from 192.168.1.1 IP - ideas why?

So yesterday from midday I started getting notification emails that a login failed for a user account (my wife's) for DSM, coming from 192.168.1.1. At first I figured she mistyped her password on the laptop (since some folders are mounted on the laptop via Samba). What made me wary is that the login attempts were for DSM (so the browser login, which my wife rarely uses) and from 192.168.1.1 (which is my router). Error message:
User [xxxxxx] from [192.168.1.1] failed to sign in to [DSM] via [password] due to authorization failure.

Is this a hacking attempt? If yes, why does it seem to come from my internal router IP?

What I've done for now is deactivate my wife's account until I figure it out. My DSM port was changed away from the default one even before this, the admin account is deactivated, no QuickConnect (but DDNS), and aside from my own country, IPs from all other countries are blocked via a firewall rule on the NAS.

Interesting test: I deactivated the port forwarding rule for the DSM port in my router yesterday, and the failed login attempts stopped. I've just now reactivated the port forwarding, and almost immediately got another failed login attempt. Does that help in any way to narrow down the issue?
 
Welcome to the forum!

Considering all that you have already done eliminates a lot of questions and attack vectors, but the fact that as soon as you opened the port again the issue started all over would indicate this is some sort of external threat.

What is interesting is that the IP address is internal, and one of your routers no less.

Any special network configuration that you can share with us? How is the NAS configured in the network, are there multiple routers (or any other network devices)? Are you in bridge or router configuration mode with your provider, etc.?

Considering this is a "laptop" and Samba is in question, can we know what OS we are talking about here? Do those reports show up when the port forward is active but the laptop is not connected to the network at all (or shut off)?
 
My home network is essentially: DSL modem (in bridge mode) -> Router (USG from Ubiquiti, just this one) -> Switch (from Ubiquiti), and from the switch hardwired ethernet cables to most devices, among them my NAS (DS218+) and 2 wireless access points.

What I meant by Samba is the SMB protocol; we use Windows on the home computers and laptop, sorry for the confusion. The login attempts kept happening at exactly hourly intervals, also all throughout the night while the laptop was shut off. My first thought was also that it's just the laptop trying to access the folders with a wrong password. But if one of our devices wanted to access network folders, then the message in the Log Center would look different, like this:
User [aaaaaaa] from [bbbbbbb(192.168.1.31)] via [CIFS(SMB3)] accessed shared folder [photo].
so the IP of the device and SMB3 as the access protocol would be listed. However, with those login attempts it looked like this:
User [ccccccccc] from [192.168.1.1] failed to sign in to [DSM] via [password] due to authorization failure.
 
Well, we can rule out the laptop then. Is the USG reporting anything on its end that might give some clues?
Nothing really reported as a threat or anything, though to be honest I don't exactly know where and what to look for in the router, or how to go about it.

Edit: interestingly, I activated port forwarding for the DSM port in my router an hour ago and haven't received any kind of login attempt/notification yet.
 
And this is with all your devices, including the said laptop, running, yes?
 
Well, I celebrated too early I guess. 2 hours ago the failed logins started again, and the laptop was definitely shut off the whole time.
 
I think you should choose which forum to continue this on. There's no benefit in having the same people mixing on two.

As I said on the Synology community, this does sound like it could be loopback NAT: that would stop asynchronous return packets from the NAS going direct to the LAN source IP, forcing them to return via the router. But it needs validating that loopback works like that and that normal Internet port forwards don't NAT the source IP.

You may have other devices on which you erroneously entered the account credentials. Investigating router logs and live packets on various interfaces could shed some light on it.
 
I tried to, but can't figure out the loopback NAT thing. I've already had this Zyxel modem in bridge mode -> Ubiquiti USG router -> Ubiquiti managed switch -> NAS network constellation for the last ~3 years and it worked flawlessly without any issues; this can't just suddenly start to happen?

I've tried to tcpdump on my NAS and on my router, but honestly I'm not even sure what I'm looking for or how to look for problems.
 
Basically, what you're looking for is packets on different devices and different interfaces that have very similar timestamps. What are the source IPs, and can you track back to one before it gets NATed to 192.168.1.1?

You probably have to leave tcpdump running for an hour or so, until you get the auth failure event.
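The correlation step described in the two posts above (match packets seen on different interfaces by timestamp, then read the source IP off the capture taken before NAT), written out as an added example. This is not code from the thread. It assumes captures taken with `tcpdump -tt -n` on the USG WAN interface and on the NAS, that both clocks are NTP-synced to within the matching window, and uses placeholder addresses: 198.51.100.5 for the public WAN IP, 192.168.1.20 for the NAS, and 5001 as the (renamed) DSM port. Both captures below are constructed, not real traffic.

```python
import re

# Shape of a `tcpdump -tt -n` line: epoch timestamp, "IP src.port > dst.port: Flags [..]".
PKT_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed WAN-side capture (router's Internet interface). 203.0.113.7 is a
# documentation-range address standing in for an unknown remote client.
WAN_CAPTURE = """\
1683712937.100000 IP 203.0.113.7.51234 > 198.51.100.5.5001: Flags [S], seq 1, win 64240, length 0
1683712937.130000 IP 198.51.100.5.5001 > 203.0.113.7.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
1683716537.200000 IP 203.0.113.7.51240 > 198.51.100.5.5001: Flags [S], seq 3, win 64240, length 0
"""

# Constructed NAS-side capture. Every connection arrives with the router's LAN IP as
# source, so on its own it cannot tell an Internet client from a LAN-side origin.
NAS_CAPTURE = """\
1683712937.101000 IP 192.168.1.1.51234 > 192.168.1.20.5001: Flags [S], seq 1, win 64240, length 0
1683712937.102000 IP 192.168.1.20.5001 > 192.168.1.1.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
1683714000.500000 IP 192.168.1.1.40002 > 192.168.1.20.5001: Flags [S], seq 9, win 64240, length 0
1683716537.201000 IP 192.168.1.1.40001 > 192.168.1.20.5001: Flags [S], seq 3, win 64240, length 0
"""


def parse_capture(text):
    """Parse tcpdump -tt -n lines into dicts; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = float(d["ts"])
        d["sport"] = int(d["sport"])
        d["dport"] = int(d["dport"])
        pkts.append(d)
    return pkts


def is_syn(p):
    # Pure SYN only: "S." is the SYN-ACK coming back from the server side.
    return p["flags"] == "S"


def correlate(wan_text, nas_text, router_lan_ip, dsm_port, external_port=None, window=0.5):
    """For each SYN the NAS saw from the router's LAN IP, find the WAN-side SYN that
    arrived within `window` seconds and report its pre-NAT source. `external_port`
    lets the forwarded public port differ from the DSM port on the NAS."""
    external_port = dsm_port if external_port is None else external_port
    wan_syns = [p for p in parse_capture(wan_text) if is_syn(p) and p["dport"] == external_port]
    nas_syns = sorted(
        (p for p in parse_capture(nas_text)
         if is_syn(p) and p["sip"] == router_lan_ip and p["dport"] == dsm_port),
        key=lambda p: p["ts"],
    )
    used = set()
    results = []
    for lan in nas_syns:
        best = None  # (time delta, index into wan_syns)
        for i, w in enumerate(wan_syns):
            if i in used:
                continue
            dt = abs(w["ts"] - lan["ts"])
            if dt <= window and (best is None or dt < best[0]):
                best = (dt, i)
        if best is None:
            # No Internet-side counterpart: the connection did not enter via the WAN
            # port forward. Capture on the router's LAN interface next to see whether
            # it is the router itself or a LAN client going through loopback NAT.
            results.append({"lan_ts": lan["ts"], "pre_nat_src": None, "pre_nat_sport": None})
        else:
            used.add(best[1])
            w = wan_syns[best[1]]
            results.append({"lan_ts": lan["ts"], "pre_nat_src": w["sip"],
                            "pre_nat_sport": w["sport"], "skew": round(best[0], 6)})
    return results


if __name__ == "__main__":
    for r in correlate(WAN_CAPTURE, NAS_CAPTURE, "192.168.1.1", 5001):
        print(r)
```

The matching window is deliberately small: a forward through the router adds well under a second, so anything a few seconds apart is a different connection. Unmatched LAN-side SYNs are the interesting ones for the question in this thread, because they are the connections whose real origin the WAN capture cannot explain.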
 
So since this morning I'm not getting those failed logins anymore, even after I activated the port forwards and the user account itself. I've restarted the laptop and just logged out and logged in from the account for good measure. Not sure if this is what actually fixed it or not.

But I'm still confused and stumped as to why it suddenly decided to produce such errors after 3 years of working normally, and also why it stopped doing that now.
 
Did you check Auto-Block? If there have been repeated failed authentications then the IP could get temporarily blocked.

But that doesn't really explain why the source IP was the router's LAN IP, unless it was due to loopback. Plus any account would be similarly blocked, not just the one in the event log.

Keep an eye on it. You may want to change passwords, and activate multi-factor authentication.
 
I have been noticing the same failed-attempt log via email, although for me specifically it would say Hyper Backup Vault. I had a full backup task that I had created, messed with and then removed from the schedule, and it was just sitting there not doing anything. Every morning around 5 am I would get this error. Don't know why, but 5 am would be when my other HB task triggered to do the offsite backup. I deleted that full backup task and now the authorization attempts are gone.

Do you use Hyper Backup?

Also I have seen this when using the DS Finder app, does she use that?

Go to Control Panel > Users, open the user in question: what is the date of the last password change showing?
 
My auto-block was always set to block after multiple attempts. Since this login stuff was happening once per hour, auto-block never got triggered.

Anyway, it seems to have resolved itself now, probably that loopback you mentioned. I don't have the capacity though to check if it was loopback and won't address it anymore since it doesn't seem to re-occur.

Mostly I was just confused about the IP the attempts were coming from, as if the login attempts were coming from outside my LAN the IP shouldn't be 192.168.1.1, right?
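Two points in this thread are worth turning into a check you can run over an exported Log Center file: the difference between the share-access line and the DSM sign-in line quoted earlier (host name and IP in one, bare IP in the other), and the observation just above that one failure per hour never trips Auto Block because that rule counts attempts inside a short window. The following is an added example, not code from the thread or from Synology. The log lines are constructed to follow the two formats quoted in the thread (timestamps, user names and the `bbbbbbb` host are made up), and the Auto Block thresholds are assumptions to be replaced with whatever your own Control Panel shows.

```python
import re
from datetime import datetime, timedelta
from statistics import median

# Constructed Log Center export, modelled on the two message formats quoted in the thread.
SAMPLE_LOG = """\
2023-05-10 11:02:17 User [ccccccccc] from [192.168.1.1] failed to sign in to [DSM] via [password] due to authorization failure.
2023-05-10 11:15:40 User [aaaaaaa] from [bbbbbbb(192.168.1.31)] via [CIFS(SMB3)] accessed shared folder [photo].
2023-05-10 12:02:18 User [ccccccccc] from [192.168.1.1] failed to sign in to [DSM] via [password] due to authorization failure.
2023-05-10 13:02:16 User [ccccccccc] from [192.168.1.1] failed to sign in to [DSM] via [password] due to authorization failure.
2023-05-10 13:30:02 User [aaaaaaa] from [bbbbbbb(192.168.1.31)] failed to sign in to [DSM] via [password] due to authorization failure.
2023-05-10 14:02:19 User [ccccccccc] from [192.168.1.1] failed to sign in to [DSM] via [password] due to authorization failure.
"""

TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
FAIL_RE = re.compile(
    TS + r" User \[(?P<user>[^\]]+)\] from \[(?P<src>[^\]]+)\] failed to sign in to "
    r"\[(?P<service>[^\]]+)\] via \[(?P<method>[^\]]+)\]"
)
ACCESS_RE = re.compile(
    TS + r" User \[(?P<user>[^\]]+)\] from \[(?P<src>[^\]]+)\] via \[(?P<proto>[^\]]+)\] "
    r"accessed shared folder \[(?P<folder>[^\]]+)\]"
)


def split_source(src):
    """'bbbbbbb(192.168.1.31)' -> ('bbbbbbb', '192.168.1.31'); '192.168.1.1' -> (None, '192.168.1.1')."""
    if "(" in src and src.endswith(")"):
        host, ip = src[:-1].split("(", 1)
        return host, ip
    return None, src


def parse_line(line):
    """Return a dict for the two known message kinds, or None for anything else."""
    for kind, rx in (("dsm_fail", FAIL_RE), ("share_access", ACCESS_RE)):
        m = rx.match(line)
        if m:
            d = m.groupdict()
            d["kind"] = kind
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
            d["host"], d["ip"] = split_source(d.pop("src"))
            return d
    return None


def failures_by_source(lines):
    """Group failed DSM sign-in timestamps by (user, source IP)."""
    groups = {}
    for line in lines:
        ev = parse_line(line)
        if ev and ev["kind"] == "dsm_fail":
            groups.setdefault((ev["user"], ev["ip"]), []).append(ev["ts"])
    return groups


def periodic_failures(lines, min_events=3, tolerance_s=120):
    """Sources whose failures arrive at a near-constant interval. A human mistyping a
    password does not do that; a scheduled job or a client with a stale credential does."""
    hits = []
    for (user, ip), stamps in failures_by_source(lines).items():
        stamps.sort()
        if len(stamps) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = median(gaps)
        if all(abs(g - period) <= tolerance_s for g in gaps):
            hits.append({"user": user, "ip": ip, "count": len(stamps), "period_s": period})
    return hits


def would_autoblock(lines, user, ip, attempts=10, within=timedelta(minutes=5)):
    """Sliding-window model of an Auto Block rule: N failed attempts within M minutes.
    The defaults are assumed values, not read from DSM; pass your own settings."""
    stamps = sorted(failures_by_source(lines).get((user, ip), []))
    for i in range(len(stamps)):
        j = i + attempts - 1
        if j < len(stamps) and stamps[j] - stamps[i] <= within:
            return True
    return False


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for hit in periodic_failures(lines):
        print("periodic:", hit)
        print("auto-block would trigger:", would_autoblock(lines, hit["user"], hit["ip"]))
```

On the constructed log the hourly source is reported with a period of about 3600 seconds, and even a lenient Auto Block setting of three attempts in five minutes never fires on it, which is exactly why a slow, regular failure only ever shows up as notification mail and not as a block.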
 