NAS-542 - false positive detection of logged in SSH users

Hi All,

I think I found a bug in NAS-542.
In the UI I occasionally see users logged in via SSH from and have no idea who they are and how they got there.
There were no incoming SSH connections reported by my router.
Since I was very concerned I tried investigating it and I think I know what happens.

I think the NAS incorrectly parses netstat information to report it in the UI as connected users, or something very similar.
Something like: netstat | grep :22
Because all incoming connections which have :22 in their report line are accounted as incoming SSH connections, which is clearly wrong.
Please see pictures taken from the UI and from the SSH netstat command as proof.
The SSH session from 192.168.1.13 is the legit one, the other 'session' is fake.

Thanks


All Replies

  • ikubuf
    Are you using transmission on your NAS?
    I got the same behavior when using transmission.
    After not using it, there is no 22 port on it. I think it is a false positive, since I collected the packets on top of the router and there is no SSH packet in them.
  • No, but I use another p2p download service available in NAS.
    I think it happens when service uses UPnP and opens incoming ports for data transfers.
    If such connections happen to use incoming ports starting with 22 in their id, it triggers the issue.
    For example, if UPnP uses incoming port 22345, it will be accounted as an incoming SSH connection.
    It is clearly seen in pictures I attached to my first message.
    IMHO, to fix the issue, firmware should be modified to use correct IP port parsing.
    This problem looks minor but causes a lot of confusion and the impression that your entire system is hacked and you are going to lose all your precious data, especially for people who are not experienced in Linux and cannot use the console to verify what actually happens.
    Personally, I started with an immediate password change for the NAS and router as a precaution and then proceeded with my investigation.
  • Zyxel_Jerry
    Hi @AdvancedUser, @ikubuf

    Thanks for your feedback.
    About the issue of this case, it will not affect the NAS usage and we’ll put this case into our verification plan to make sure it won't happen in the future release.
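
The port-matching problem described in this thread, shown as an added example that is not part of any post and is not Zyxel's firmware code: a substring match on ":22" next to a field-aware match on the local port. The netstat lines, addresses and function names are constructed for illustration; how the NAS UI actually builds its session list is not stated in the thread.

```shell
#!/bin/sh
# Constructed sample of `netstat -tn` output (not taken from the thread's screenshots).
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.10:22         192.168.1.13:51514      ESTABLISHED
tcp        0      0 192.168.1.10:22345      203.0.113.7:40112       ESTABLISHED
tcp        0      0 192.168.1.10:51413      198.51.100.9:2201       ESTABLISHED
tcp        0      0 192.168.1.10:22         192.168.1.20:40022      TIME_WAIT
EOF
}

# Substring match, as guessed in the thread: any line containing ":22"
# is reported, including ports 22345 and 2201 and closed sessions.
naive_ssh_peers() {
    grep ':22' | awk '{print $5}'
}

# Field-aware match: the local port must be exactly 22 and the
# connection must be ESTABLISHED before it counts as an SSH session.
strict_ssh_peers() {
    awk '$1 ~ /^tcp/ && $6 == "ESTABLISHED" {
        n = split($4, a, ":")   # port is the last colon-separated piece (IPv6-safe)
        if (a[n] == "22") print $5
    }'
}

echo "substring match reports:"
sample_netstat | naive_ssh_peers
echo "field match reports:"
sample_netstat | strict_ssh_peers
```

On the constructed sample the substring match lists four peers, while the field match lists only 192.168.1.13:51514.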
