Rupert Goodwins

Mixed Signals

Any sufficiently advanced information is indistinguishable from noise

Thursday 20 March 2008, 5:09 PM

Intel servers and Chinese hackers

Posted by Rupert Goodwins

18 months ago, Intel dropped off an SS4000-E NAS box for me to look at. It was a desirable little box on the surface – Linux-based, four drive bays, dual gigabit Ethernet ports – and I lost no time in installing it in the ZDNet UK Laboratory (Holloway). It came configured with four 250 GB drives, which I turned into a single 1 TB system: it supports the usual RAID configurations for those who rate reliability over size.

My experiences thereafter were mixed. I run Linux and Windows at home – sorry, ZDNet UK Laboratory (Holloway) – and the SS4000-E supposedly supports both, with CIFS for Windows and NFS for Linux/Mac. Since it's easier to run CIFS on Linux than NFS on Windows (on Vista, for example, you have to buy either the Enterprise or Business Super Premium Four Star editions to get NFS support. MS won't let you have it otherwise), I decided to configure the various users for that.

Didn't work; after much enormo-pain, this proved to be a known bug to do with permissions in the version of CIFS in the SS4000-E – and I had a strong suspicion, backed by various email conversations with Intel support, that I'd probably die of old age or apoplexy before I extracted a fix or managed to get enough information to fix it myself. Intel had bought the SS4000-E from another company and didn't have in-house support who really knew the system, and the source code was available but in a form that promised nothing but misery.

So, I decided to use it for the Linux computers under NFS and use FTP for the Windows boxes. After learning more than I wanted about file ownership and permissions under Linux, I got things how I wanted them. It's been very reliable in those roles, although the gigabit Ethernet ports only ever really aspire to 100 Mbps speeds, the box is a trifle noisy for domestic surroundings, and I've found the web management interface to be rather clumsy and limited (I'd kill for shell access to the root; the things I could fix...).

Nevertheless, it's sat under my computer desk storing all sorts of nice things for me. I also routed incoming FTP requests from the Net to it, so I could get my files when out and about – that, combined with VNC on the main server, has proved really useful. It's also been useful for friends: I have a couple of semi-private FTP accounts on it I give out to those with special needs. There's only so much harm they can do, right?

One evening last week, I was moving some photos around. I logged onto the FTP server – which told me I was “user 4 of 8 allowed”. That was... interesting. So I changed the log-in details of the friend accounts, emailed my pals with the news and assumed that somewhere along the line, the old logins had slipped out. A reset (the management interface gives no control over the FTP server beyond enabling or disabling it), and I was back to being number one on my own system.

Last night, I checked again. And again, I was number 4. This time, I asked my router to show incoming connections – and there were three persistent IP addresses, all on the FTP port. I tracerouted them: they vanished in a constellation of asterisks before I could find their home ISP – but not before it was clear that they'd originated in China.

Fascinating, captain. I'd used the FTP server the last couple of times I'd visited China – had someone been sniffing my connection? But even so, how were they still there, after I'd changed the login details? And what on earth were they doing?

I still can't answer the last question: there's not enough logging in the SS4000-E to watch users by file operation or examine the whole filing system. But I soon found out that I'd mistakenly included the Guest account (which you can't delete – why not?) in a group with access privileges to a shared directory; removing that group link and resetting freed my incoming IP log of any and all FTP connections from China. They haven't been back since. (I did check the share that the Guest account had access to, and there was nothing amiss – nor anything that anyone would particularly want to download, so that mystery remains).
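The root cause above is a transitive one: the guest account was never granted a share directly, it inherited access through a group. The following is an added example, not code from the SS4000-E or from the original post, showing how to audit that kind of exposure from a configuration dump. The data model (a `USERS` set, a `GROUPS` map and `SHARE_ACLS`) is a constructed approximation of a NAS's group-based permissions, and the names in it are assumptions; it goes beyond the post's case by also following nested groups, so a guest account buried two levels down is still reported.

```python
"""Audit which shares a built-in guest account can reach via group membership.

Added example, not code from the SS4000-E or from the original post. The
configuration below is constructed; user, group and share names are assumptions.
"""
from collections import deque

# Constructed configuration, modelled on the mistake described in the post:
# the undeletable 'guest' account sits in a group that has access to a share.
USERS = {"rupert", "friend1", "friend2", "guest"}

# group -> members; a member may itself be a group (nested groups).
GROUPS = {
    "family": {"rupert", "friend1"},
    "photos-readers": {"family", "guest"},   # the accidental link
    "admins": {"rupert"},
}

# share -> principals (users or groups) granted access.
SHARE_ACLS = {
    "photos": {"photos-readers"},
    "private": {"admins"},
    "drop": {"friend2"},
}


def groups_of(user, groups=GROUPS):
    """Return every group the user belongs to, directly or through nested groups."""
    found = set()
    queue = deque(g for g, members in groups.items() if user in members)
    while queue:
        g = queue.popleft()
        if g in found:
            continue
        found.add(g)
        # any group that lists g as a member also (indirectly) contains the user
        queue.extend(parent for parent, members in groups.items() if g in members)
    return found


def effective_shares(user, groups=GROUPS, acls=SHARE_ACLS):
    """Map each share the user can reach to the principal(s) that grant it."""
    principals = {user} | groups_of(user, groups)
    return {
        share: sorted(p for p in allowed if p in principals)
        for share, allowed in acls.items()
        if allowed & principals
    }


def guest_exposure(guest="guest", groups=GROUPS, acls=SHARE_ACLS):
    """Shares reachable by the guest account; an empty result is the desired state."""
    return effective_shares(guest, groups, acls)


if __name__ == "__main__":
    for share, via in guest_exposure().items():
        print(f"guest can reach '{share}' via {', '.join(via)}")
```

Running it against the constructed configuration reports that `guest` reaches the `photos` share through `photos-readers`; dropping the guest account from that group (the fix the post describes) makes `guest_exposure()` return an empty mapping, which is the state worth re-checking after every permissions change.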

But. What would happen if my drive had been filled with warez – or worse? – and I'd had a knock on the door from the fuzz? Is there any connection between this and the ongoing (and badly underpublicised) online hacking war between the US and us, and China? Would I be breaking the law if I started to take a closer interest in those IP addresses? I was very tempted to nmap them. (Incidentally, recommendations of good tools to investigate suspicious IP addresses are very welcome; I know a few tricks, but sure ain't l33t).

Perhaps, over the weekend, I'll hook up a completely different server – one I can watch with much more detail – and see who comes visiting.


Comments on this post

manek

I get around this issue by using OpenVPN to log into my servers: only one port ever needs to be open and you need a username/password combo AND a pair of PKI keys to get into it. Works for me...

Posted by manek on Mar 28, 2008 4:12 PM

Rupert Goodwins

Yes, that's an idea - I already have other more secure services I can log into with that sort of level of security.

It's not what I want for FTP access, though. I can send non-technical people links for file retrieval and sending as clickable URLs with embedded username and password info - and I don't think I could ask them to cope with OpenVPN and PKI keys!

Posted by Rupert Goodwins on Mar 28, 2008 4:26 PM
