
Network Security

Greenbell7

A few months back, I got an email from my ISP saying that someone used my network to pirate a game. I called them and told them that there wasn't anyone I knew in the house and someone must've been stealing our Wi-Fi. I changed the password and even signed up for and installed Glasswire, which seemed to have worked for a while. Then I got another email saying that someone used my connection to install two games (one of which was the same game as last time.) I will change the password and the SSID, but I want to ensure this won't happen again. I just started online classes, and the only other ISP has poor service in my area. Are there wireless access points with a lockout feature for too many failed attempts to authenticate to the network? Any other tips are much welcome. This also only happened after I got a Synology NAS, but I don't know if that has anything to do with this.


If you go onto your router management page you should be able to see if an unauthorized device is connecting to your network.

It'll be something like 192.168.1.1 or 192.168.1.254


3 minutes ago, BabbleDab said:

If you go onto your router management page you should be able to see if an unauthorized device is connecting to your network.

It'll be something like 192.168.1.1 or 192.168.1.254

I would do it, but the address lease time is 120 minutes, and I only have a few devices with a reserved IP address.


1 minute ago, Greenbell7 said:

I would do it, but the address lease time is 120 minutes, and I only have a few devices with a reserved IP address.

The (private) IP address of your router shouldn't change.

If you need to block a device, it should block the device's MAC address.


2 minutes ago, BabbleDab said:

The (private) IP address of your router shouldn't change.

If you need to block a device, it should block the device's MAC address.

I forgot to mention that Glasswire didn't catch the offending device even though the computer I had it installed on was on, and it scanned the network once every 30 minutes. The two downloads were initiated about an hour apart, and the games installed were "Call of Duty Modern Warfare 2" and "Mafia 2 Digital Deluxe Edition," which are 12 GB and 8 GB, respectively, and my max download speed is about 270 Mbps.


5 minutes ago, Greenbell7 said:

I forgot to mention that Glasswire didn't catch the offending device even though the computer I had it installed on was on, and it scanned the network once every 30 minutes. The two downloads were initiated about an hour apart, and the games installed were "Call of Duty Modern Warfare 2" and "Mafia 2 Digital Deluxe Edition," which are 12 GB and 8 GB, respectively, and my max download speed is about 270 Mbps.

Changing your password should have worked. What I would suggest is running anti virus/malware scans to check to see if your devices are clean. Also be sure no one on your network is running Bittorrent. That tends to be how people get caught "Downloading" copyrighted works. 

I just want to sit back and watch the world burn. 


49 minutes ago, Greenbell7 said:

A few months back, I got an email from my ISP saying that someone used my network to pirate a game. I called them and told them that there wasn't anyone I knew in the house and someone must've been stealing our Wi-Fi. I changed the password and even signed up for and installed Glasswire, which seemed to have worked for a while. Then I got another email saying that someone used my connection to install two games (one of which was the same game as last time.) I will change the password and the SSID, but I want to ensure this won't happen again. I just started online classes, and the only other ISP has poor service in my area. Are there wireless access points with a lockout feature for too many failed attempts to authenticate to the network? Any other tips are much welcome. This also only happened after I got a Synology NAS, but I don't know if that has anything to do with this.

So you have physical access to the router and modem? Can you confirm there are no unknown devices plugged into them? 
 

Assuming no unknown devices are physically connected, the only other way onto the network is via WiFi. And if you boot all devices off and change the password (change the password, and turn the router off and back on), no one would be able to connect unless they know the password. 
 

The only way an ISP is going to send a DMCA notice would be if someone on your network is torrenting copyrighted data and the copyright holder found out. So if you are not torrenting anything, someone else on the network is (WiFi or plugged in via Ethernet). 

Rig: i7 13700k - - Asus Z790-P Wifi - - RTX 4080 - - 4x16GB 6000MHz - - Samsung 990 Pro 2TB NVMe Boot + Main Programs - - Assorted SATA SSD's for Photo Work - - Corsair RM850x - - Sound BlasterX EA-5 - - Corsair XC8 JTC Edition - - Corsair GPU Full Cover GPU Block - - XT45 X-Flow 420 + UT60 280 rads - - EK XRES RGB PWM - - Fractal Define S2 - - Acer Predator X34 -- Logitech G502 - - Logitech G710+ - - Logitech Z5500 - - LTT Deskpad

 

Headphones/amp/dac: Schiit Lyr 3 - - Fostex TR-X00 - - Sennheiser HD 6xx

 

Homelab/ Media Server: Proxmox VE host - - 512 NVMe Samsung 980 RAID Z1 for VM's/Proxmox boot - - Xeon e5 2660 V4- - Supermicro X10SRF-i - - 128 GB ECC 2133 - - 10x4 TB WD Red RAID Z2 - - Corsair 750D - - Corsair RM650i - - Dell H310 6Gbps SAS HBA - - Intel RES2SC240 SAS Expander - - TrueNAS + many other VM’s

 

iPhone 14 Pro - 2018 MacBook Air


2 hours ago, Donut417 said:

Changing your password should have worked. What I would suggest is running anti virus/malware scans to check to see if your devices are clean. Also be sure no one on your network is running Bittorrent. That tends to be how people get caught "Downloading" copyrighted works. 

 


2 hours ago, LIGISTX said:

So you have physical access to the router and modem? Can you confirm there are no unknown devices plugged into them? 
 

Assuming no unknown devices are physically connected, the only other way onto the network is via WiFi. And if you boot all devices off and change the password (change the password, and turn the router off and back on), no one would be able to connect unless they know the password. 
 

The only way an ISP is going to send a DMCA notice would be if someone on your network is torrenting copyrighted data and the copyright holder found out. So if you are not torrenting anything, someone else on the network is (WiFi or plugged in via Ethernet). 

 

2 hours ago, whispous said:

Are you using any "free" "unblocker"/VPN extensions in your browser?

I'm currently scanning the computers I can.


2 minutes ago, Greenbell7 said:

I'm currently scanning the computers I can.

What do you mean “the computers you can”? Which ones can you not scan? Do you have physical access to the router, just to confirm there isn’t anything plugged in that doesn’t belong to you. 


4 minutes ago, LIGISTX said:

What do you mean “the computers you can”? Which ones can you not scan? Do you have physical access to the router, just to confirm there isn’t anything plugged in that doesn’t belong to you. 

I meant the devices that can be scanned with Norton Power Eraser. So, not my Mac or smart devices.


8 minutes ago, Greenbell7 said:

I meant the devices that can be scanned with Norton Power Eraser. So, not my Mac or smart devices.

Ah. Are there any other people using your network besides you?


19 hours ago, LIGISTX said:

Ah. Are there any other people using your network besides you?

Yes, but none of them said they did it. I highly doubt they even know where to pirate games.


2 minutes ago, Greenbell7 said:

Yes, but none of them said they did it. I highly doubt they even know where to pirate games.

Well, I’m thinking someone must have been torrenting. You don’t get a DMCA takedown for fun. 
 

2 minutes ago, Greenbell7 said:

Does anyone know of a DNS that will block torrenting?

That's not really possible. Torrents come from random people's houses, so it’s from any random IP address. You basically can’t stop torrenting…

 

You can look for torrent software on the computers on the network. The big ones are uTorrent, qBittorrent, Deluge, and many more. Google is your friend.


I know my family, and they wouldn't even be interested in the games my ISP said were downloaded. I will still scan their devices to ensure they don't have malware facilitating this.


1 hour ago, Greenbell7 said:

I know my family, and they wouldn't even be interested in the games my ISP said were downloaded. I will still scan their devices to ensure they don't have malware facilitating this.

It’s possible they downloaded those games simply to get better ratio on the torrent trackers they use. They may not actually care about the game…

 

Again, if no strange devices are physically connected to your network, the only other way in is via WiFi. And if the password is a good password, no one is getting in via WiFi. 


Well, I checked the devices, changed the SSID, and picked a new (hopefully) even more robust password. I hope that should be enough to stop this from happening again.


2 hours ago, Greenbell7 said:

Well, I checked the devices, changed the SSID, and picked a new (hopefully) even more robust password. I hope that should be enough to stop this from happening again.

If it continues to happen then someone's device has a P2P file sharing app running in the background.

 

Is this Synology NAS accessible by everyone in the home? Do they have the ability to store files on the NAS remotely or run apps from it like a server?

 

As an aside...

 

I remember when a relative told me that they used to stream popular movies and TV shows for free online with an app, then I would notice the network slow down to a slug's pace when they "streamed". When I examined the network activity, it looked highly suspicious for BT traffic, but I knew they didn't know how to use BT. Anyway, it turns out they were using an app that presents a "Netflix-like" frontend but pulls BT traffic on demand and deletes it after. While they were innocent in not knowing what was happening in the background, I'm sure the authorities would still recognize this as piracy, so some education was required to correct the behaviour. That app was never seen again!


On 9/1/2023 at 9:34 PM, Falcon1986 said:

If it continues to happen then someone's device has a P2P file sharing app running in the background.

 

Is this Synology NAS accessible by everyone in the home? Do they have the ability to store files on the NAS remotely or run apps from it like a server?

 

As an aside...

 

I remember when a relative told me that they used to stream popular movies and TV shows for free online with an app, then I would notice the network slow down to a slug's pace when they "streamed". When I examined the network activity, it looked highly suspicious for BT traffic, but I knew they didn't know how to use BT. Anyway, it turns out they were using an app that presents a "Netflix-like" frontend but pulls BT traffic on demand and deletes it after. While they were innocent in not knowing what was happening in the background, I'm sure the authorities would still recognize this as piracy, so some education was required to correct the behaviour. That app was never seen again!

Well, I disabled the services that I don't need/use on the NAS. Now, it only runs Synology Drive and Photos and Plex. I might also set it up as the DHCP server and turn that service off in the middle of the night since that is when my ISP says the infractions are happening. If God forbid it still happens again, I will have to check the programs installed on my family's devices to ensure that nothing suspicious is installed on them. (Don't worry, I'll check sooner than that when I have the time.)


53 minutes ago, Greenbell7 said:

Well, I disabled the services that I don't need/use on the NAS. Now, it only runs Synology Drive and Photos and Plex. I might also set it up as the DHCP server and turn that service off in the middle of the night since that is when my ISP says the infractions are happening. If God forbid it still happens again, I will have to check the programs installed on my family's devices to ensure that nothing suspicious is installed on them. (Don't worry, I'll check sooner than that when I have the time.)

Don’t move DHCP to your Synology, and turning off DHCP doesn’t really do anything… anyone who knows anything about PCs can just set a static IP. Basically, you are trying to solve the issue the wrong way.
 

If it happens again, someone on the network is running a torrent client, I guarantee it…


1 minute ago, LIGISTX said:

Don’t move DHCP to your Synology, and turning off DHCP doesn’t really do anything… anyone who knows anything about PCs can just set a static IP. Basically, you are trying to solve the issue the wrong way.
 

If it happens again, someone on the network is running a torrent client, I guarantee it…

Okay, I'll keep the DHCP settings the way they were. I have, however, increased the lease time just to make it a little easier to spot any rogue devices on the network. I have no idea how good this person is at covering their tracks, but maybe it'll help.


3 hours ago, Greenbell7 said:

Okay, I'll keep the DHCP settings the way they were. I have, however, increased the lease time just to make it a little easier to spot any rogue devices on the network. I have no idea how good this person is at covering their tracks, but maybe it'll help.

If they are good enough to crack WPA2 WiFi encryption, there is nothing you will be able to do to stop them, or even trace them…

 

I promise, if you have changed your password and it’s still happening, it’s someone in your family, or someone you have told the password to/a device you are authorizing to be on the network, or your password is extremely bad and easy to guess. 

The only way someone is getting into your network is via being hard wired, maybe a switch you don’t know about..? Or an Ethernet run you don’t know about..? Or they have your WiFi password.

 

Extending the lease time won’t help much, at best you will get a MAC address, but that would suppose that all of your devices are already set up as static and you are looking for a device at an IP that you didn’t manually set. But that also wouldn’t help much, because if someone WAS good enough to crack WPA2, they would either be able to wipe any logs from your router, would spoof a MAC address of a device you already have, or probably some other things that I am not even aware exist. 


Update: I got another notification, but this time, I checked the programs installed on the PCs on the network. I found the program "Citrus Uptater." I couldn't find anything else, but since that computer is pretty bad for gaming, I think that must be the one. I believe that some virus installed Citris updater as a part of its package since it would not uninstall easily. Anyway, I had to reset the computer. I also installed a paid antivirus for extra security.


Are you sure the emails are actually from your ISP?

If so, could you perhaps post the emails here? IF YOU DO, PLEASE BE CAREFUL AND CENSOR ANY PERSONAL INFORMATION.

 

The reason I am asking is because it sounds weird that your ISP would say someone "used your connection to install a game".

 

 

On 9/1/2023 at 12:13 AM, Greenbell7 said:

I forgot to mention that Glasswire didn't catch the offending device even though the computer I had it installed on was on, and it scanned the network once every 30 minutes.

I don't have much experience with Glasswire, but I suspect it doesn't work the way you think it works.

Glasswire can't detect and see which traffic other devices send. I could sit on the same network as you and run a torrent or whatnot, and it won't show up on your computer running Glasswire.
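
The point above, that a monitor on one PC cannot see what other devices send, is why the earlier replies point at the router's client list instead. As an added example (not part of any post in this thread), this script audits a router's DHCP lease table against a list of devices you own; the dnsmasq-style lease format, the sample leases and the inventory are constructed assumptions.

```python
"""Audit a DHCP lease table against an inventory of known devices."""
import re

# Constructed sample, dnsmasq lease-file layout (an assumption about the router):
#   <expiry-epoch> <mac> <ip> <hostname or *> <client-id or *>
SAMPLE_LEASES = """\
1693612800 a4:83:e7:12:34:56 192.168.1.20 laptop 01:a4:83:e7:12:34:56
1693612900 00:11:32:aa:bb:cc 192.168.1.30 nas *
1693613000 3c:52:82:0f:0e:0d 192.168.1.41 DESKTOP-UNKNOWN 01:3c:52:82:0f:0e:0d
1693613100 da:a1:19:00:00:01 192.168.1.42 * *
1693613200 00:11:32:AA:BB:CC 192.168.1.77 living-room-pc *
"""

# Constructed inventory: MAC address -> hostname you expect that device to report.
KNOWN_DEVICES = {
    "a4:83:e7:12:34:56": "laptop",
    "00:11:32:aa:bb:cc": "nas",
}

MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}")


def parse_leases(text):
    """Yield (mac, ip, hostname) for each well-formed lease line; skip the rest."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mac = fields[1].lower()
        if MAC_RE.fullmatch(mac):
            yield mac, fields[2], fields[3]


def is_locally_administered(mac):
    """True when the 'locally administered' bit is set, as in randomized MACs."""
    return bool(int(mac[:2], 16) & 0x02)


def audit(lease_text, known):
    """Return (ip, mac, hostname, reason) for every lease worth a closer look."""
    findings = []
    for mac, ip, host in parse_leases(lease_text):
        if mac not in known:
            reason = "randomized-mac" if is_locally_administered(mac) else "unknown-mac"
            findings.append((ip, mac, host, reason))
        elif host not in ("*", known[mac]):
            # A known MAC reporting a different hostname is only a weak hint of a
            # cloned address: hostnames are client-supplied and easy to change.
            findings.append((ip, mac, host, "hostname-mismatch"))
    return findings


if __name__ == "__main__":
    for ip, mac, host, reason in audit(SAMPLE_LEASES, KNOWN_DEVICES):
        print(f"{reason:18} {ip:15} {mac}  {host}")
```

A phone with a private Wi-Fi address enabled will show up as `randomized-mac`, so that flag means "identify this device", not "intruder". A clean report only covers unknown devices; it says nothing about a known device running a torrent client, which is the case the replies keep pointing to.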
