About 1 year ago, I had setup a NAS server (Linux-based), for a small company.
I set it all up, including remote access to the admin area, and to an online file manager (so that employees could do some work from home, if needed).
Well, a few days ago, the backups started giving error messages, so while fixing the issue, I also upgraded the firmware, and I was also asked to see if it was possible to track user access to files (eg which file was accessed, and when).
So I enabled the system connection logs, hoping they would show the information needed.
Well, the logs didn’t show what I wanted, but a few hours later, I noticed an unusual number of failed login attempts…
About 25 attempts per minute… and this would continue for about 5 to 10 minutes
They would try typical usernames like “root”, “admin” and “bin”, as well as others.
The really interesting part was when I looked up the country of origin for the logged IP addresses of the hackers:
Most were located in China
Although this particular company didn’t have huge secrets, the server had IP property, which might have been useful to some Chinese companies.
So, it looks like is any company has servers that can be accessed externally, they they will be subject to hacking attempts (and consequently: industrial espionage) from China.
In this case, the solution was easy, The NAS server has a Network Access Protection system, where I can specify if a particular IP address generates more than 5 failed login attempts within 1 minute, then the IP address is blocked from any further attempts.
Some of the IP addresses captured are:
58.215.56.110: China
117.21.208.26: China
117.79.91.55: China
183.136.128.217: China
211.94.161.84: China
114.205.1.149: Korea
117.79.91.209: China
And after implementing the Network Access Protection:
113.163.22.170: Vietnam
65.164.153.141: USA
189.112.236.116: Brazil
217.174.152.147: Bulgaria
85.31.105.66: France
61.234.146.22: China
80.252.241.37: Ukraine
111.74.82.33: China
221.13.34.3: China
Obviously not enough data here, but there are strong indications of Chinese (individuals, or companies, or even Government) involvement in hacking for company secrets.
I’m not exactly sure why lots of different countries started appearing in the hacking logs only after the Network Protection was enabled… but I’ll check again in a few weeks, and see if there is a more definite pattern.
After thinking about this for a few days, my paranoia got the better of me, and I implemented similar security on this blog… The Computer Aid blog represents over 900 blog posts (most personally written by myself), and thousands of hours of work over 7 years… I don’t want to lose it.