Client connect - What is this?

Ha Gei

Up to now...no sightings here, none of my users saw any tries here.. We all kept a watch during the day.

Erika - KØDD

Yeah like one from the land of hackers attempting to invade a port they can "SEE" or "SCAN" and try to get into.  All we can do is attempt to make it so  difficult to get into our systems that they get bored, leave it alone, and go away.

It takes a really bored wiz **** to hack away at a FLEX RADIO in Quincy Illinois and then spin down to the next.  Some of these yahoos are notorious hackers...  Hoping to **** things wide open, or steal information. Well have fun, I hope ya'all can figure out how to lock the world down, and keep others from gaining access.

Russians?  Ukrainians? North Koreans? Da CIA?  Your cousin Joey???  Everybody is in the hacking business..

Erika DD

Dan-N7HQ

Please check to ensure you have not inadvertently disabled the Private IP Connections protection mechanism.  The issue you describe would be caused by that if you have ports forwarded on your router. Smartlink is not impacted by this setting.  

John - AI4FR

Excellent point Dan. I just checked and mine is like yours above, it is and was Enabled.

KC7ES

Mine was enabled Dan, but was also enabled when I got a string of attempted connections the other day. No problems today.
Thanks for the post.
73,
Eric

Dan-N7HQ

Thanks, Eric and John, I'll discuss this with the software team and report back here. 

Please drop a note to me (dan@flex-radio.com) if this occurs again.

Best,
Dan

John - AI4FR

Will do and thanks again Dan. First and only time I have seen it in 2 years of running a Flex.

James Whiteway

Dan, I'm running the latest version of SSDR and I do not have the "Advanced" portion of the Network screen like you have. Is there a setting somewhere that will enable it?
James
WD5GWY

David

Did you click the Advanced button to the right of the MAC Address:?

John - AI4FR

James, go to SSDR, then settings, then radio setup, then network, then click on Advanced which is located at the end of the MAC address.

James Whiteway

There's not one.

James Whiteway

Maybe, I have the "Appliance Operator" version of SSDR!
:-)

James Whiteway

Version 3.1.8

John - AI4FR

Version here, 317. Flex 6700 with CAT cable to router.

Thanks for the pic. What happened to your advance button?

James Whiteway

That's a good question. Like I said, maybe I have the appliance operator version of SSDR. Or, the radio just doesn't trust me!
I'm running the radio thru a switch to my router. It seems in earlier versions of SSDR that the Advanced Tab was present. Not sure what happened here.

Max

You must be on a local network for that selection to appear.

Steve K9ZW

https://community.flexradio.com/flexradio/topics/m-series-radio-no-advanced-network-option

I don't think FRS ever spoke to this issue, as operators are finding the Advanced button missing on M models?  

73

Steve
K9ZW

Blog:  http://k9zw.wordpress.com  

James Whiteway

It's not on the M model display or in SSDR on my PC either. Maybe, it's only the M models that are affected. James WD5GWY

Dan-N7HQ

Yes, sir, it is only the M models impacted by this bug.  I'll update the status of that when I write up the results of the meeting with the software team.

Best,
Dan

Dan-N7HQ

I promised to get back to folks here about the questions asked or implied on this thread.  

We reviewed the reports, looked through our Azure-based server logs, and found nothing that indicated a security breach of any kind.

The messages generate when any TCP client connects to the radio. Messages do not generate when software using CAT or DAX to control or read data from a radio connection to the virtual serial port or the audio stream.

Connections from Private (local) Networks

Radios accept TCP connections without authentication from the following “local network” IPV4 address blocks:

Address Block  Use  Reference

Connections originating from these networks typically include SmartSDR, DAX and CAT clients, third-party software, or other devices that utilize the SmartSDR API, like the PGXL amplifier and Antenna Genius. For a successful connection, these devices must be visible to the subnet the radio is on. For example, a radio on the 192.168.0.0/24 network (netmask 255.255.255.0) with an IP address of 192.168.0.10 could accept unauthenticated connections from any device on the same network with an IP address of 192.168.0.1-254. Radios connected in a DMZ ignore connections from the Internet provided the radio is on a network described in the ranges specified above. The radio ignores direct TCP connection attempts from all other network ranges. 

Connections from Public Networks

Connections from public networks require a SmartLink connection authenticated through our SmartLink service by the OAuth mechanism and encrypted with the latest version of TLS (v1.3). The authentication and subsequent encrypted communications are radio-specific. Meaning, even armed with the external IP address and TCP port information, a connection spoof attempt would fail authentication, and the payload is unreadable by the radio because it is encrypted using a secure, radio-unique signature.

Can I Log Connections?

Currently, there is no way, through our software, for a customer to enable a connection log. Our development team can enable debug logging, but the space available on the SD cards in the radios is both insufficient for long-term use and inaccessible to customers. 

Can I Write Software to Monitor and Log Connections?

Yes, a monitoring function would best be implemented externally to the radio using our SmartSDR API. The API is more than capable of performing a monitoring function. It would be a straightforward software effort to build a Syslog bridge or a rudimentary logger to capture and log client connect events. The Windows SmartSDR client uses a publicly available .NET library (FlexLib), which encapsulates the SmartSDR API in C# objects and eliminates the network connection (TCP/UDP) and string parsing work.

Can Notifications be Disabled?

No, notifications cannot be disabled.

Under what conditions are connection messages generated from an external, non-private IP address?

 

• An SSDR client (PC and iPhone/IPad client via the SmartLink process. Please note this is also possible if you sold/purchased a radio without removing it from your SmartLink account, or someone connects from a stolen iPhone, iPad, PC, laptop, or your SmartLink credentials are compromised.

 

• A client connects to a radio directly connected to the Internet (and assigned a public IP address). Note: this would open the radio for anyone to connect to and use.

 

• A client connects to a radio connected to a private network, with TCP port access forwarded through the edge network/router, and with the “Enforce Private IP Connections” configuration setting disabled.