I don't recognize login activity...Help!

Currently reading
I don't recognize login activity...Help!

158
20
NAS
DS918+
I just got a system email from Synology stating that my account was used to login to my NAS on a new device. I do not recognize the IP address that it shows, and the location I found is for a town that is 4 hours away from me. I was there this past saturday, but to the best of my knowledge did not connect to any wifi sources and certainly did not intentionally login to my NAS while there. Sooo.... What is going on? has someone somehow hacked me? I've done everything you guys have suggested to secure my nas, including LE certificates, 2FA, and completely random passwords. Is it possible to break through 2FA, or has someone somehow spoofed my phone to get the key?

I called synology tech support and they weren't very helpful. He feels as though its far more likely that I'm somehow logging in myself, but I haven't any clue how I'd be doing that. I didn't have any of the synology apps open on my phone at the time of the supposed login, so I don't know where the login request would come from.
 
1,415
611
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
If you can share any more info without exposing any personal information or IP addresses, please do?
Can you share anything from the log?
It says a new device? Have you ever used your device (a phone, a laptop or whatever you had with you on that trip) to login to the NAS before not during that trip. I’m trying to rule your devices from being “a new device” to the NAS?

Was this an admin account?
 
158
20
NAS
DS918+
I'd share the "new" device IP, but I'm not 100% sure if its mine somehow or not... It says "new login", but the IP is not any of the devices I currently use. I brought my phone with me on the trip and had previously logged in DS file and moments from the phone, but did not do so while in the town. The only way I would've logged in while there was if there was some sort of auto-update or something that the app ran on its own, which should be impossible due to the 2FA requirement. This was not an admin account, but it was my personal "user" account. I cannot think of any other devices that I have that would trigger the new login email. For now I've changed the password on the account, and set the questionable IP address to untrusted. Changing the IP to untrusted did not kick me out of being logged into the account on either my computer or my phone, so it isn't somehow coming from either of the 2 devices I'm currently using to investigate this issue.
 
1,415
611
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
On a second thought. I don’t think it’s a new device per se, I think it recognizes an unusual login behavior and considers it a “new device”. So most likely it’s yours.
 
1,415
611
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
The IP address changes, it’s not static.
What apps did you install on your phone (Synology apps)?
So the date in the log is that date when you were on that trip?

Any particular info in log center for that date?
 
158
20
NAS
DS918+
ok, so just discovered a new piece to this puzzle that both makes me feel dumb and confused at the same time. Before I posted this thread, I checked to make sure my phone's IP didn't match the IP in the email. I did so on my android by going settings>about phone>status>IP address. The IP address shown there did not match the IP address in the email. After WST16's responses, I checked the IP by using one of the "what's my IP" websites, and the IP shown there does match the IP in the email. Sooo.. I am the new login. Crisis averted. Sort of.

Why did it send me an email warning of a "new" login if I've used this phone many times previously to access my NAS? When I first got the email, my first thought was that I'd left the DS file app open on my phone, and so I checked all open apps. I did not have any open synology apps. How did I login my NAS without having any of the apps open, and especially since the 2FA requirement would've required me to input my pin into my Authy app for the 2FA key?

Why doesn't the IP address shown in my phone settings match the IP address shown on the what's my IP websites?
 
158
20
NAS
DS918+
The IP address changes, it’s not static.
What apps did you install on your phone (Synology apps)?
So the date in the log is that date when you were on that trip?

Any particular info in log center for that date?
Apparently I was logging into DSM from my phone while there. I guessing for auto-uploads of phone pics via moments or something like that. IP address changed. It was different yesterday than it was today, so that's probably the "new" login. I'm guessing that given its a phone, the network I'm currently connected to is ultimately routed through the city I visited and actually has nothing to do with whether or not I visited it this past weekend.

I think I've now figured out most of it and am over my mini panic attack. Still don't understand how it is logging in by itself and bypassing 2FA though.
 
1,415
611
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
Why doesn't the IP address shown in my phone settings match the IP address shown on the what's my IP websites
If you’re on your cell data, the IP address will be what’s assigned at that time by your carrier.
If you’re at home it’ll be something on your subnet from 192.168.0.x if I recall.
 

jeyare

Subscriber
1,579
529
NAS
1811+, 3x 1813+, 718+, 214play ... multisite Ubiquiti Unifi networks (USG-Pro,PoE,NanoHD)
Operating system
Linux, Windows
Mobile operating system
Android, iOS
What kind of service for the IP address location was used?
it is almost impossible to find exact location by assigned IP public address.
Just location of ISP only who is provider of the searched public address (no matter if the IP is fixed or from Dhcp). This is valid for fixed connection or WIFI.
From OSS system of mobile operator yes, but it isn’t a public service (triangulation of your mobile signal from nearest BTSs), just for police or device fingerprint activity (geo customer base monetization).
 
1,415
611
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
Yes, this changes depending on where you’re and what are you connected to. It’s not that if you check it once on a mobile phone and jot it down, it’ll be the same every time.

Do you have Log Center installed on the NAS?
Just check under logs for that particular day.
 
1,415
611
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
Why did it send me an email warning of a "new" login if I've used this phone many times previously to access my NAS?
It sees an unusual behavior not a new device. This happens when I play silly and I log in to my NAS from a remote country for the first time.

This is what you wanted, remember?! 😂
You wanted an intelligent system that can tell when it sees something fishy. It cannot yet tell if it’s you or not. Coming in DSM 7. A new feature called telepathy. Just kidding :)
 

jeyare

Subscriber
1,579
529
NAS
1811+, 3x 1813+, 718+, 214play ... multisite Ubiquiti Unifi networks (USG-Pro,PoE,NanoHD)
Operating system
Linux, Windows
Mobile operating system
Android, iOS
as WST wrote
your mobile every time checked a communication with nearest BTS (Base Transmitting Station), then evaluated free channels (up to 2G/3G/4G technology). Then continue to switching of evaluated network and new IP address is assigned. It is never ending process, especially when you are in motion.
 
158
20
NAS
DS918+
Yes, this changes depending on where you’re and what are you connected to. It’s not that if you check it once on a mobile phone and jot it down, it’ll be the same every time.

Do you have Log Center installed on the NAS?
Just check under logs for that particular day.
yeah, I keep forgetting that. Pretty sure I have it figured out now, thanks. If I go options>Personal>Account tab>Account activity>Login history it shows all of my logins. it says that I've been repeatedly logging in every day since I set this up, and it does show the history of the ip addresses. I still don't really understand how it is doing these auto-logins without requiring 2FA keys. I don't have my phone as a trusted device, but it appears to be doing something in the background via the synology apps.
 
158
20
NAS
DS918+
It sees an unusual behavior not a new device. This happens when I play silly and I log in to my NAS from a remote country for the first time.

This is what you wanted, remember?! 😂
You wanted an intelligent system that can tell when it sees something fishy. It cannot yet tell if it’s you or not. Coming in DSM 7. A new feature called telepathy. Just kidding :)
yeah I know. Just kind of spooked me when I forgot about the whole IP address not being static thing. I figured that the IP shown in my phone info should match what the NAS is being accessed by, but forgot it gets assigned a new one by my cell network. thanks for the help.
 
1,415
611
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
There you go. Relax. We’ve got some chlorine in the lounge but we’re out of cookies.
 

jeyare

Subscriber
1,579
529
NAS
1811+, 3x 1813+, 718+, 214play ... multisite Ubiquiti Unifi networks (USG-Pro,PoE,NanoHD)
Operating system
Linux, Windows
Mobile operating system
Android, iOS
are you 100% sure, that the IP address is address assigned by your mobile carrier or not of your fixed ISP?
Because it can be a reason of trusted device login w/o 2FA
 
158
20
NAS
DS918+
are you 100% sure, that the IP address is address assigned by your mobile carrier or not of your fixed ISP?
Because it can be a reason of trusted device login w/o 2FA
I specifically haven't accepted my phone as a trusted device because I wanted it to force 2FA use.
 

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Trending threads

Top