Client connect - What is this?

  • Question
  • Updated 1 month ago
About 30 minutes after SSDR 317 was up and running I had an odd experience. See picture below. This IP address attempted to connect to SSDR about 30 or 40 times. I do not recognize it but a net search revealed it is from BlueOcean LLC from India. Any ideas?

Flex 6700
SSDR 317
Windows 7
4 instances of wsjt
4 instances of jtalert
Flex control
HF Auto software
DDUTIL

John - AI4FR

Posted 2 months ago

David
I recommend you change your SmartLink password.

Erika - KØDD
Well yeah John, people out there smurfing the net are looking for ports to hack their way into.  In this case looks like a station from India on that internet provider made an attempt to play radio.  They need a user name and password though, and your radio must not necessarily be OPEN...  OR IS IT?  Erika DD

John - AI4FR
Thanks David and Erika. I've never really used Smartlink and doubt that I could remember my password. As far as I know the radio is not open. Is there such a setting in SSDR or Smartlink? Time for me to pull out the manual.

David
It has been a while since I have had mine set to auto-reconnect. I think if you disconnect from the radio (from the menu line: Settings - Choose Radio - SmartLink Setup) you will find an option to change the password and other account options.

Erika - KØDD
My SmartLink setup, which I am not currently using, uses my "GOOGLIE" username and password...  I am just local with this one anyway.

Not that a VU2 ham is a bad guy or anything, but trying to hack a radio IS being a bad guy.  It's so EZ to download various versions of the SSDR software right off the website, and ANYBODY could connect...  It's just that they can't get past the username etc...  FUNNY, apparently neither can you?

John - AI4FR
Thanks David and I was just playing with that. I have unregistered the radio from smartlink. I'll leave it this way for a while or until I need it.

Erika - KØDD
It's nice to know the next time you're in India John, you'll be able to use your radio... That is after resetting things. giggle

John - AI4FR
LOL, very true Erika!! Gosh is it ever good to know that it works in India. As far as we know the hacker is following this post.

Yes, I still have the vette. It sits in the garage which is right next to the shack. I've wanted one since before I was of age to drive. Many decades later, with an empty nest, we saved our pennies and finally got one. Thanks for asking.

I created a page about it here:
http://ai4fr.com/main/page_1965_corvette_1965_corvette.html


John - AI4FR
Thanks Erika, I did log out of SmartLink and was able to log back in on the third try due to guessing at what password I used. I do not log in with Google or Facebook. For now I will run it unregistered since I do not use SmartLink.

Max
Same happened to me 2 hrs ago but with a different IP.

KC7ES
Just turned up SSDR and seeing this IP trying to connect, over and over: 45.56.126.141
Looks like the SIP bots we get at our broadcast plant before the devices permitted blacklisting. Any chance Flex needs to get involved? This only just started today (12/31/19) for me.


Ha Gei
John,
If you never used SmartLink, I wonder why there would be any port open from outside to inside of your network at all. You should have that checked; this would indicate a security flaw. Our Flex opens its ports when switched on, through the router via UPnP. Then, if there is an occasional port scan against your public IP, SSDR will see this as a connection attempt and hopefully just not understand what the guy wants.
As far as I understood, the SmartLink IP channel is only built up between SSDR and the Flex box when the credentials are correct.


Tim Blank
Same thing happened to me also. I am beginning to think the Flex licensing server DB was hacked? How else could such a large number of people see this same behavior?

John - AI4FR
Ha Gei, thanks for your thoughts. I had it turned on to help others and/or to test it but never turned it off.

It appears that several Flex users are seeing this IP attack today. Scary.


Erika - KØDD
Just flippen wonderful... If so maybe they'll put that on a list of things to fix some day?

Danny K5CG
This kind of thing is going to happen when your network becomes more complex and you don't reinforce your front door. Consumer grade Internet routers are not adequate.

Chris DL5NAM
... and if you use your Google or Facebook account login for other software logins, you open your door to the world and invite them to come in!

Chris

Erika - KØDD
I would never have UPnP set up...  I'd get the correct port numbers from FLEX and manually set them up.  When I had UPnP turned on, every hacker on the planet walked right in my front door.  I needed to find out from the defaults on my router what loopholes existed.

I LOCKED it down tight.  I also changed the time server.  It was using the European Netgear default one and all of Europe was monitoring!!!!!  Wowsers...

I then set ONLY MAC address filtering, and DHCP has reservations, and only those and no new ones can connect.

That keeps the front door locked down, but if they find individual ports...  Well, that could be another thing.

My attacks went from 25 different IPs to maybe one a week or so.

Close your doors and lock them.  Also close the ability to log in to your router remotely.  This is why I didn't use the router from the provider and bought my own.

Erika DD

Erika - KØDD
Oh Chris, all of my googlie accounts have 15-character randomly generated passwords.  Each one is a different ONE...  I'd never have anything important on less than 15 characters, and they're weird ones...  I can barely type them twice when I have to!


Chris DL5NAM
Erika, I believe you, but you belong to the 0.1% who do it right. The most used password is?

PASSWORD

Erika - KØDD
And their USER NAME is USERNAME...  Dummies.  Yeah, I found a site on the net with a random password generator and had the thing bang out 80 of them for me.  I only mark the pages with a "used" when I actually use them, and there's no X-reference.  I usually add an additional character to some too.  HOWEVER, if somebody got into my file cabinet and pulled my master password list out...  YOUWSERS...  Even my husband doesn't know where that thing is at, and if he did, probably couldn't type one in correctly.  HAHAHAHA.  Yes, I have all his passwords and got rid of his 5 and 6 character ones, hahahaha.  I hate computers...  sigh

Ha Gei
Here, UPnP is the best solution:

My router will ONLY let the Flex and 2 other machines from inside use UPnP at all, and never ever exposes UPnP to the outside. I trust the handbook and the recommendations of AVM, who make my FRITZ!Box router.

I have not seen the attack here myself, but was online just a while last day. I will monitor this today.

What scares me :  Why does no one from flex comment here at all ??  

Danny K5CG
"Why does no one from flex comment here at all ??"

Because it's not a problem with the radio.

Bill -VA3WTB
Flex employees could chime in to explain what we are seeing here.
It is nothing new; I have seen this for a long time. I was under the impression that DAX and CAT both have an IP address. When my radio starts I always see 3 IP addresses pop up. I thought I was seeing the DAX IP, the CAT IP and the radio IP. I may be wrong about this.

John - AI4FR
Bill what you are seeing is normal. We all see that. We are also familiar with the IP addresses. What happened here is a NEW IP address attempting to connect over and over again, 30 or 40 times for nearly a minute.

Bill -VA3WTB
John, it sounds like you're very concerned; perhaps you should start a help desk ticket to find out what it is.

Erika - KØDD
Yeah like one from the land of hackers attempting to invade a port they can "SEE" or "SCAN" and try to get into.  All we can do is attempt to make it so  difficult to get into our systems that they get bored, leave it alone, and go away.

It takes a really bored whiz-bang to hack away at a FLEX RADIO in Quincy, Illinois and then spin down to the next.  Some of these yahoos are notorious hackers...  Hoping to crack things wide open, or steal information. Well, have fun; I hope y'all can figure out how to lock the world down and keep others from gaining access.

Russians?  Ukrainians? North Koreans? Da CIA?  Your cousin Joey???  Everybody is in the hacking business..

Erika DD

Wayne Schonfeld
I have seen this message when my network was unstable.  I think if you check the IP address, it will be the IP address of the device you were using for SmartSDR, like your PC.  I have seen this occur when part of your network is hard wired and some wireless.  The network sometimes fails to "talk" with itself and generates this on SmartSDR.  I doubt it's a hacker.

I am no "elmer" but have been using my 6700 for over 5 years and have seen this in the past on many occasions.

John - AI4FR
On this end everything is hardwired. Radio to router and computer to router. Been running this way for about 2 years now and today was the first time I have ever seen this issue.

Erika - KØDD
Me too. Time to look at the router logs.

Erika - KØDD
Only thing I've been seeing is accessing from various ports to the ECHOLINK port...

[LAN access from remote] from 185.156.73.52:57710 to 192.168.1.11:5200, Tuesday, Dec 31,2019 06:08:56

That's happening about once a week and NOT when I get on with the YLRL ladies.

I'm getting an occasional IP Spoof here also..  Somebody is trying to get in with a "DOT 5" IP address. HAHAHAHA yeah buddy I only accept MAC addresses.

This 185 guy is a KNOWN and reported hacker.  Nice.


Ha Gei
Up to now, no sightings here; none of my users saw any tries here. We all kept a watch during the day.



Dan Quigley N7HQ, 4O7HQ, Service/Support Manager
Please check to ensure you have not inadvertently disabled the Private IP Connections protection mechanism.  The issue you describe would be caused by that if you have ports forwarded on your router. Smartlink is not impacted by this setting.  



KC7ES
Mine was enabled Dan, but was also enabled when I got a string of attempted connections the other day. No problems today.
Thanks for the post.
73,
Eric

Dan Quigley N7HQ, 4O7HQ, Service/Support Manager
Thanks, Eric and John, I'll discuss this with the software team and report back here. 

Please drop a note to me (dan@flex-radio.com) if this occurs again.

Best,
Dan

John - AI4FR
Will do and thanks again Dan. First and only time I have seen it in 2 years of running a Flex.

James Whiteway
Dan, I'm running the latest version of SSDR and I do not have the "Advanced" portion of the Network screen like you have. Is there a setting somewhere that will enable it?
James
WD5GWY

David
Did you click the Advanced button to the right of the MAC Address:?

John - AI4FR
James, go to SSDR, then settings, then radio setup, then network, then click on Advanced which is located at the end of the MAC address.

James Whiteway
There's not one.

James Whiteway
Maybe, I have the "Appliance Operator" version of SSDR!
:-)

James Whiteway
Version 3.1.8

John - AI4FR
Version here, 317. Flex 6700 with CAT cable to router.

Thanks for the pic. What happened to your Advanced button?

James Whiteway
That's a good question. Like I said, maybe I have the appliance operator version of SSDR. Or, the radio just doesn't trust me!
I'm running the radio thru a switch to my router. It seems in earlier versions of SSDR that the Advanced Tab was present. Not sure what happened here.

Max
You must be on a local network for that selection to appear.

Steve K9ZW, Elmer
https://community.flexradio.com/flexradio/topics/m-series-radio-no-advanced-network-option

I don't think FRS ever spoke to this issue, as operators are finding the Advanced button missing on M models?  

73

Steve
K9ZW

Blog:  http://k9zw.wordpress.com  

James Whiteway
It's not on the M model display or in SSDR on my PC either. Maybe, it's only the M models that are affected.
James
WD5GWY

Dan Quigley N7HQ, 4O7HQ, Service/Support Manager
Yes, sir, it is only the M models impacted by this bug.  I'll update the status of that when I write up the results of the meeting with the software team.

Best,
Dan

John - AI4FR
Excellent point Dan. I just checked and mine is like yours above, it is and was Enabled.

Dan Quigley N7HQ, 4O7HQ, Service/Support Manager
I promised to get back to folks here about the questions asked or implied on this thread.  

We reviewed the reports, looked through our Azure-based server logs, and found nothing that indicated a security breach of any kind.

The messages are generated when any TCP client connects to the radio. Messages are not generated when software uses CAT or DAX to control or read data from the radio by connecting to the virtual serial port or the audio stream.

Connections from Private (local) Networks

Radios accept TCP connections without authentication from the following "local network" IPv4 address blocks:


Address Block  Use  Reference


Connections originating from these networks typically include SmartSDR, DAX and CAT clients, third-party software, or other devices that utilize the SmartSDR API, like the PGXL amplifier and Antenna Genius. For a successful connection, these devices must be visible to the subnet the radio is on. For example, a radio on the 192.168.0.0/24 network (netmask 255.255.255.0) with an IP address of 192.168.0.10 could accept unauthenticated connections from any device on the same network with an IP address of 192.168.0.1-254. Radios connected in a DMZ ignore connections from the Internet provided the radio is on a network described in the ranges specified above. The radio ignores direct TCP connection attempts from all other network ranges. 

Connections from Public Networks

Connections from public networks require a SmartLink connection authenticated through our SmartLink service by the OAuth mechanism and encrypted with the latest version of TLS (v1.3). The authentication and subsequent encrypted communications are radio-specific. That is, even armed with the external IP address and TCP port information, a spoofed connection attempt would fail authentication, and its payload would be unreadable by the radio because it is encrypted using a secure, radio-unique signature.

Can I Log Connections?

Currently, there is no way, through our software, for a customer to enable a connection log. Our development team can enable debug logging, but the space available on the SD cards in the radios is both insufficient for long-term use and inaccessible to customers. 

Can I Write Software to Monitor and Log Connections?

Yes, a monitoring function would best be implemented externally to the radio using our SmartSDR API. The API is more than capable of performing a monitoring function. It would be a straightforward software effort to build a Syslog bridge or a rudimentary logger to capture and log client connect events. The Windows SmartSDR client uses a publicly available .NET library (FlexLib), which encapsulates the SmartSDR API in C# objects and eliminates the network connection (TCP/UDP) and string parsing work.

Can Notifications be Disabled?

No, notifications cannot be disabled.

Under what conditions are connection messages generated from an external, non-private IP address?

  • An SSDR client (PC or iPhone/iPad client) connects via the SmartLink process. Please note this is also possible if you sold/purchased a radio without removing it from your SmartLink account, if someone connects from a stolen iPhone, iPad, PC or laptop, or if your SmartLink credentials are compromised.

  • A client connects to a radio directly connected to the Internet (and assigned a public IP address). Note: this would open the radio for anyone to connect to and use.

  • A client connects to a radio connected to a private network, with TCP port access forwarded through the edge network/router, and with the "Enforce Private IP Connections" configuration setting disabled.
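The private-network rule Dan lays out above, and the "write your own logger" answer, as an added worked example that is not FlexRadio's code and not any poster's. Rather than hooking the SmartSDR API or FlexLib (which the page does not document in enough detail to use here), it works from router log lines in the Netgear "[LAN access from remote]" format Erika quoted earlier in the thread, classifies each source address against the radio's policy, flags a source that hammers the radio the way John's did (30-40 attempts in a minute), and emits an RFC 5424-shaped syslog line per event. Everything not on the page is an assumption and is marked as such in the code: the contents of the address-block table left blank in the post (taken to be the RFC 1918 blocks plus link-local), the radio's address 192.168.1.20/24, its API port 4992, and the sample log lines themselves, which are constructed with 203.0.113.0/24 (a documentation range) standing in for the public source.

```python
"""Connection-attempt monitor for a Flex radio behind a home router.

Added example for this thread; not FlexRadio code and not any poster's.
It applies the private-network rule from Dan's post to the source address
of each connection attempt, flags sources that hammer the radio, and emits
an RFC 5424-style syslog line per event.

Assumptions not stated on the page:
  * the "local network" table left blank in the post is taken to be the
    RFC 1918 blocks plus link-local; check FlexRadio's documentation;
  * the radio sits at 192.168.1.20/24 and its API listens on TCP 4992;
  * input lines follow the Netgear "[LAN access from remote]" format quoted
    in the thread; SAMPLE_LINES below are constructed, using 203.0.113.0/24
    (a documentation range) as the public source.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime

RADIO_IF = ipaddress.ip_interface("192.168.1.20/24")   # assumed radio address/netmask
LOCAL_BLOCKS = [ipaddress.ip_network(n) for n in       # assumed contents of the blank table
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

LINE_RE = re.compile(
    r"\[LAN access from remote\] from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+), (?P<when>.+)$")

FACILITY_LOCAL0 = 16
SEVERITY = {"LOCAL_SUBNET": 6, "PRIVATE_OTHER_SUBNET": 5, "PUBLIC": 4}  # info/notice/warning

_WHEN = "Tuesday, Dec 31,2019 06:08:56"
SAMPLE_LINES = (   # constructed sample input
    [f"[LAN access from remote] from 203.0.113.7:{50100 + i} to 192.168.1.20:4992, {_WHEN}"
     for i in range(12)]
    + [f"[LAN access from remote] from 192.168.1.50:41000 to 192.168.1.20:4992, {_WHEN}",
       f"[LAN access from remote] from 10.0.0.5:41001 to 192.168.1.20:4992, {_WHEN}",
       "Dec 31 06:10:00 router kernel: unrelated line"]
)


def classify(src, radio_if=RADIO_IF):
    """Place a source address relative to the radio's private-IP policy."""
    ip = ipaddress.ip_address(src)
    if ip in radio_if.network:
        return "LOCAL_SUBNET"            # same subnet: accepted without authentication
    if any(ip in block for block in LOCAL_BLOCKS):
        return "PRIVATE_OTHER_SUBNET"    # private, but must be routed to the radio's subnet
    return "PUBLIC"                      # ignored unless forwarded with enforcement off


def parse_line(line):
    """Parse one router log line into an event dict, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["when"] = datetime.strptime(ev["when"], "%A, %b %d,%Y %H:%M:%S")  # router clock, TZ unknown
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    ev["class"] = classify(ev["src"])
    return ev


def syslog_line(ev, enforce_private=True):
    """RFC 5424-shaped line; 'outcome' is what the radio does per Dan's post."""
    if ev["class"] == "PUBLIC":
        outcome = "ignored-by-radio" if enforce_private else "REACHES-RADIO-unauthenticated"
    else:
        outcome = "accepted-unauthenticated"
    pri = FACILITY_LOCAL0 * 8 + SEVERITY[ev["class"]]
    sd = (f'[conn@32473 src="{ev["src"]}" sport="{ev["sport"]}" dst="{ev["dst"]}" '
          f'dport="{ev["dport"]}" class="{ev["class"]}" outcome="{outcome}"]')
    return f'<{pri}>1 {ev["when"].isoformat()} router flexmon - CONN {sd} client connect'


def monitor(lines, enforce_private=True, burst_threshold=10):
    """Tag every parsable line and mark public sources that exceed the burst threshold."""
    events = [ev for ev in map(parse_line, lines) if ev]
    hits = Counter(ev["src"] for ev in events if ev["class"] == "PUBLIC")
    for ev in events:
        ev["burst"] = hits[ev["src"]] >= burst_threshold
        ev["syslog"] = syslog_line(ev, enforce_private)
    return events


if __name__ == "__main__":
    for ev in monitor(SAMPLE_LINES):
        print(("BURST " if ev["burst"] else "      ") + ev["syslog"])
```

Two points worth checking before relying on something like this: a line from a private source that is not on the radio's own subnet is only "accepted" if your router actually routes it there, so PRIVATE_OTHER_SUBNET is a hint to look at your routing, not a verdict; and run the script with `enforce_private=False` to see how the outcome field changes, which is exactly the difference the "Enforce Private IP Connections" setting makes when a port is forwarded.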