Auto block not blocking ssh attacks for me


Post by dvd » Sat Feb 25, 2012 9:18 pm

Hi, I'd like to see Auto Block working, but it doesn't seem to be doing anything on my 212j, DSM 3.2-1944. I do have Auto Block w/ notify turned on, and I have watched several dict & port-scan ssh attacks as they're happening, but no IPs ever get blocked, nothing appears in my block list, and I don't get notified. I have auto block set to block 5 bad logins in 5 mins, but in /var/log/messages I can see hundreds of attempts at a time, and when I watch them real time they are around 1 attempt per second.

My main question is have I maybe done something that accidentally disables Auto Block? I do have ipkg installed - I've included my package list below, maybe one of these is shadowing something Auto Block relies on? Or maybe my setup circumvents Auto Block for some reason?

Here's everything I can think of about my setup that might be relevant:

When I toggle Auto Block either on or off I see this message in /var/log/messages. I don't have ftp enabled, so maybe this message is natural & harmless:
Feb 25 12:37:47 autoblock.cgi: autoblock_services_hup.c:16 Failed to hup ftpd

I use key authentication only, here are the manual changes I've made to /etc/sshd_config:
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers <my-user-name>

I think my security is pretty good at this point, but it still would be nice to be able to keep an eye on auto blocked IPs, as well as allow the DS to spin down my HDs during these frequent and long attacks.

--
David.

> ipkg list_installed
apr - 1.4.5-1 - Apache Portable Runtime library
apr-util - 1.3.12-1 - Apache Portable Runtime utilities library
autoconf - 2.68-1 - Creating scripts to configure source code packages using templates
automake - 1.11.1-2 - Creates GNU standards-compliant Makefiles from template files
bash - 3.2.49-1 - A bourne style shell
binutils - 2.19.1-1 - The GNU assembler and linker and related tools
bison - 2.4.1-1 - a general-purpose parser generator that converts an annotated context-free grammar into an LALR(1) or GLR parser for that gramm
bzip2 - 1.0.6-1 - Very high-quality data compression program
coreutils - 8.4-1 - Bunch of heavyweight *nix core utilities
cyrus-sasl-libs - 2.1.23-2 - Provides client or server side authentication (see RFC 2222).
diffutils - 3.1-1 - contains gnu diff, cmp, sdiff and diff3 to display differences between and among text files
e2fslibs - 1.41.14-1 - Ext2 Filesystem Libraries
expat - 2.0.1-1 - XML Parser library
file - 5.09-1 - Ubiquitous file identification utility.
findutils - 4.2.32-1 - File finding utilities
flex - 2.5.35-1 - Generates programs that perform pattern-matching on text.
gawk - 4.0.0-1 - Gnu AWK interpreter
gcc - 4.2.3-1 - The GNU Compiler Collection.
gdbm - 1.8.3-2 - GNU dbm is a set of database routines that use extensible hashing. It works similar to the standard UNIX dbm routines.
groff - 1.19.2-2 - front-end for the groff document formatting system
gzip - 1.4-4 - GNU Zip data compression program
libc-dev - 2.5-5 - libc development files.
libdb - 4.2.52-3 - Berkeley DB Libraries
libidn - 1.21-1 - GNU Libidn is an implementation of the Stringprep, Punycode and IDNA specifications defined by the IETF Internationalized Domai
libnsl - 2.5-4 - Network Services Library
libstdc++ - 6.0.9-6 - Standard C++ library, needed for dynamically linked C++ programs
libtool - 1.5.26-1 - Library tools.
libxml2 - 2.7.8-1 - Libxml2 is the XML C parser and toolkit developed for the Gnome project.
m4 - 1.4.16-1 - gnu macro processor and compiler front end
make - 3.82-1 - examines files and runs commands necessary for compilation
md5deep - 3.9.2-1 - md5deep is a cross-platform set of programs to compute MD5, SHA-1, SHA-256 Tiger, or Whirlpool message digests on an arbitrary
nano - 2.2.6-1 - A pico like editor
ncurses - 5.7-1 - NCurses libraries
ncursesw - 5.7-1 - NCurses libraries with wide char support
neon - 0.29.3-1 - an HTTP and WebDAV client library, with a C interface
openldap-libs - 2.3.43-2 - Open Lightweight Directory Access Protocol
openssl - 0.9.8p-1 - Openssl provides the ssl implementation in libraries libcrypto and libssl, and is needed by many other applications and librari
optware-devel - 6.8-10 - This is a meta package that bundles all the packages required for optware native development. When fully functional, it should
patch - 2.6.1-1 - applies a diff to produce a patched file
perl - 5.10.0-6 - Practical Extraction and Report Language.
pkgconfig - 0.15.0-2 - Package configuration tool
psmisc - 22.13-1 - A set of some small useful utilities that use the proc filesystem.
python25 - 2.5.6-1 - Python is an interpreted, interactive, object-oriented programming language.
readline - 6.1-2 - The GNU Readline library provides a set of functions for use by applications that allow users to edit command lines as they are
rsync - 3.0.8-1 - fast remote file copy program (like rcp)
sed - 4.2.1-1 - Stream editor.
sqlite - 3.7.3-1 - SQLite is a small C library that implements a self-contained, embeddable, zero-configuration SQL database engine.
sudo - 1.8.1.2-1 - System utility to execute commands as the superuser
svn - 1.6.17-1 - a compelling replacement for CVS
tar - 1.26-1 - heavyweight version of the Tape ARchiver
tcl - 8.4.19-2 - The Tool Command Language
wget-ssl - 1.12-2 - A network utility to retrieve files from the Web
zlib - 1.2.5-1 - zlib is a library implementing the 'deflate' compression system.
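
To see from the log which addresses should have tripped the limit described in the post above (5 bad logins in 5 minutes), this added example, which is not part of the original post, counts sshd failures per IP in a sliding window. The log lines are constructed, the sshd message wording is assumed to be OpenSSH-style, and the function name is hypothetical; how Auto Block itself matches failures is not documented on this page.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample using the timestamp/tag layout of the /var/log/messages
# line quoted in the post; the sshd message wording is an assumption.
SAMPLE_LOG = """\
Feb 25 12:40:01 sshd[4101]: Invalid user admin from 203.0.113.7
Feb 25 12:40:02 sshd[4102]: Invalid user test from 203.0.113.7
Feb 25 12:40:03 sshd[4103]: Invalid user oracle from 203.0.113.7
Feb 25 12:40:04 sshd[4104]: Failed password for root from 203.0.113.7 port 40122 ssh2
Feb 25 12:40:05 sshd[4105]: Invalid user guest from 203.0.113.7
Feb 25 12:41:00 sshd[4110]: Invalid user pi from 198.51.100.9
Feb 25 12:50:30 sshd[4150]: Invalid user pi from 198.51.100.9
Feb 25 12:51:00 autoblock.cgi: autoblock_services_hup.c:16 Failed to hup ftpd
"""

# Captures the syslog timestamp and the source IPv4 address of a failed attempt.
FAILURE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) sshd\[\d+\]: "
    r"(?:Invalid user \S* from|Failed \S+ for (?:invalid user )?\S+ from) "
    r"(\d{1,3}(?:\.\d{1,3}){3})"
)

def expected_blocks(log_text, max_attempts=5, window_minutes=5, year=2012):
    """Return {ip: time the limit was reached} for IPs that hit the threshold."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    blocked = {}
    for line in log_text.splitlines():
        m = FAILURE.match(line)
        if not m:
            continue              # non-sshd lines (e.g. autoblock.cgi) are skipped
        stamp, ip = m.groups()
        # Syslog timestamps carry no year, so the caller supplies one.
        when = datetime.strptime("%d %s" % (year, stamp), "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:
            q.popleft()           # drop attempts older than the window
        if len(q) >= max_attempts and ip not in blocked:
            blocked[ip] = when
    return blocked

if __name__ == "__main__":
    for ip, when in sorted(expected_blocks(SAMPLE_LOG).items()):
        print("%s reached the limit at %s" % (ip, when))
```

If this reports addresses that never appear in the DSM block list, the failures are being logged but not acted on, which narrows the problem to Auto Block rather than to sshd logging.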

Re: Auto block not blocking ssh attacks for me

Post by iket » Sun Feb 26, 2012 5:51 am

Why don't you change the SSH port externally and port forward to 22?

DS 211J DSM 4.0-2228
DS 212 DSM 4.0-2228
DS 212J DSM 4.0-2228 (at work)
DS 1512+ DSM 4.0-2228 / Kingston KVR1066D3S8S7/2G
Camera - FOSCAM FI8918W, FOSCAM FI8910W, Linksys WVC54GC
Firewall - SonicWALL TZ 100 Switch - Cisco SG200-08
UPS - APC Back-UPS ES 750, CyberPower CP825AVR LCD

Re: Auto block not blocking ssh attacks for me

Post by dvd » Sun Feb 26, 2012 7:18 am

"Why don't you change the SSH port externally and port forward to 22?"


Hi iket, thanks, yes I have changed my external ssh port away from 22. But that didn't seem to fix Auto Block.

I'm not too worried about the strength of my security, I'm more curious why Auto Block isn't working, and whether I broke it somehow. That seems likely since others report it works well.

Speculating wildly, like, does Auto Block do its thing based on failed password login attempts, so my disabling password authentication never allows Auto Block to see failed logins? Or perhaps Auto Block is triggered by a library or executable that I have shadowed with something from ipkg, e.g., openssl or something?

Re: Auto block not blocking ssh attacks for me

Post by josh.lawless » Sat Mar 10, 2012 1:37 am

I have the same problem, and I noticed the alerts from Auto Block stopped at the same time as I installed ipkg on my DS1511+ -- there must be something in the ipkg installation preventing autoblock from working. I used to see several IPs added to the block list every week; there have been no new IPs added since November (despite the setting flagging 5 login attempts within a 10 minute period).

Re: Auto block not blocking ssh attacks for me

Post by ronyweng » Sat Mar 10, 2012 3:37 am

Yes, that is because you installed optware.
The ssh of optware takes the place of the ssh of Synology.
I don't know why optware automatically installed its own ssh.
You should check for this.

