So yesterday from mid day I started getting notification emails that s login failed for a user account (my wife's) for DSM coming from the 192.168.1.1. At first I figured ahe misstyped her password on the laptop (since some folders are mounted to the laptop via Samba). What made me wary is that the login attempts were for DSM (so the browser login, my wife rarely uses it) and from the 192.168.1.1 (which is my router). Error message:
Is this a hacking attempt? If yes, why does it seem to come from my internal router IP?
What I've done for now is deactivated my wife's account until I figure it out. My DSM port was changed away from the default one even before this, admin account is deactivated, no quickconnect (but ddns), and aside from my country IPs from sll other countries is blocked via firewall rule on the NAS
Interesting test: I've deactivated the port forwarding rule for the DSM port in my router yesterday, and the failed login attempts stopped. I've just now reactivated the port forwarding, and almost directly got another failed login attempt. Does that help in any way to narrow down the issue?
User [xxxxxx] from [192.168.1.1] failed to sign in to [DSM] via [password] due to authorization failure.
Is this a hacking attempt? If yes, why does it seem to come from my internal router IP?
What I've done for now is deactivated my wife's account until I figure it out. My DSM port was changed away from the default one even before this, admin account is deactivated, no quickconnect (but ddns), and aside from my country IPs from sll other countries is blocked via firewall rule on the NAS
Interesting test: I've deactivated the port forwarding rule for the DSM port in my router yesterday, and the failed login attempts stopped. I've just now reactivated the port forwarding, and almost directly got another failed login attempt. Does that help in any way to narrow down the issue?