My Synology NAS was ATTACKED!
- Added 7 June 2024
- After exposing my Synology NAS to the internet for over four months, these are the 5 steps I recommend changing to protect against ransomware.
🎯 Tutorials, comparisons, reviews: www.wundertech.net
NOTE: If you change the default DSM port, make sure you update any apps using the default port!
🚀 Hire Me: www.wundertech.net/wundertech...
⚡Best Synology NAS Devices: www.wundertech.net/which-syno...
⚡Product Recommendations: link.wundertech.net/rmYt
🔔 Subscribe for more tech-related tutorials and overviews: link.wundertech.net/ssYt
DISCLAIMER: The information in this video has been self-taught through years of technical tinkering. While we do our best to provide accurate, useful information, we make no guarantee that our viewers will achieve the same level of success. WunderTech does not assume liability nor responsibility to any person or entity with respect to damage caused directly or indirectly from its content or associated media. Use at your own risk.
WunderTech is a trade name of WunderTech, LLC.
0:00 Intro
0:26 Setting up the Security Test
0:47 Attacks on Synology NAS
0:59 Test Findings
1:41 Don't Expose NAS to the Internet
2:14 5 Settings to Increase Security
2:23 Disable Admin Account
2:53 Customize Auto Block
5:51 Change Default DSM Port
6:29 Configure 2FA
6:46 Configure Snapshots & Backups
7:32 Final Thoughts
I want to be clear that my overall recommendation is to ensure the NAS isn't exposed to the external internet. If it isn't, the overall risk is minimal and these changes won't do much, but can be used for peace of mind. Nothing is perfect though, so always keep that in mind.
The other thing is that if you're concerned about indirect attacks (a device on your local network being compromised and attacking your NAS locally), whitelisting the local addresses might not be the best option. This would be... bad though, and would mean that a device on your local network is compromised in some way.
I would treat these suggestions as ideas and customize any changes you make based on your requirements. Thank you for watching!
Hi,
I already have, since day 1, almost everything you mentioned, the Auto Block minutes being the only thing that was at the default (5 min), which I have now changed using your advice.
I also have QuickConnect disabled; I use DDNS with a reverse proxy.
I have my NAS exposed in order to use DS Cam (2 Android phones for geofencing), Synology Photos, DS Audio, DS Video and DS Finder.
Many people say that if exposing the NAS, we should use a VPN (Tailscale, for example), and I think I already saw you saying the same. The thing is, and please correct me if I'm wrong, the VPN would have to be always on for Synology Photos, Drive, etc. to automatically sync files from the phones (2 Android and 2 iPhones), right? So, there's my problem: I could do it if it were just me using it, but having my wife, mother and niece do that would be an impossible task...
I'm the only one with access to the entire NAS, with a "custom" admin account, with a VERY strong password and 2FA, while they also have strong passwords and 2FA but only access to Synology Photos (and my wife to Surveillance Station/DS Cam due to Home Mode/Geofence, like I mentioned earlier).
In this case, what more can I do?
Thanks
@Kurt013 You are correct - you must be connected. In cases like that, I've found the easiest process to be WireGuard + iPhones (it has to be an iPhone sadly; Android doesn't have the same feature). The iPhone has auto on/off for the VPN, so you can set it up to connect automatically as soon as you're not on your home network. You might be able to use Tailscale with it as "always on" as well, though I'm not positive.
How did you get the logs page? I cannot seem to find it in DSM 7.2.1
@andrewenglish3810 Log Center > Logs > change General to Connection.
@WunderTechTutorials First of all, my apologies for replying only now. It has been a crazy week.
The more difficult cases are precisely my mother and my niece, who are both iOS users. Explaining it to them would be like talking to a wall because they don't understand and they "don't" want to understand. 😆
Also, with the VPN, would they always be connected to my home network when they weren't on their home Wi-Fi? They would probably have slower speeds when using mobile data.
I have to see if I manage to do something but I'm pretty sure I won't be successful.
The truth is that I never had any problems with my NAS. 😁
Thanks for your video and for replying to my comment.
Use something like Tailscale; don't expose the NAS or anything else directly to the internet.
"We" all know that.
The idea of home users opening this access is the problem.
It isn't a Synology problem.
We drastically need better home firewall solutions.
I wish these things came with a setting option wizard that pointed you in this direction from day 1. Instead they assume everyone knows IT when I'm sure a lot of people don't have the first idea about any of this.
I completely agree! 👍
Just make a firewall rule to block all countries except your own, then add the auto blocker, change the standard port, disable the admin account and enable MFA :). Good video though :)
Interesting, well presented, and no background music … the three keywords I appreciate your videos for.
These crawler attacks are pretty standard AFAIK, and have been for me as well ever since I exposed my first server to the internet, years ago.
Two of the things I've found to be by far the most effective: the first is a well-configured firewall (I live in a small country, so blocking everything from outside does the trick for me). If that is not a possibility, setting up IP ranges that are allowed access is also a great way of limiting exposure, although that can be difficult depending on the use case.
The second one is a reverse proxy, to only allow one or maybe a couple of ports access, while still being able to use multiple services on your NAS.
Thank you for this. It never hurts to double check things.
Dang Frank! No matter how much I learn about Synology devices you always seem to teach me something new and valuable! You are definitely on the top of my sub list! As always THANKS for being so informative! 👍🏻👍🏻
Thanks for the kind words and thank you for watching!
In my experience, attackers don't always target the "admin" login account. I've observed various usernames in different languages such as Chinese and Korean in the logs. To bolster my account protection, I've implemented a similar setup and subsequently export the list of blocked IPs to my firewall, preventing them from accessing my NAS altogether.
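Added example, not from the video or from Synology: a small Python script that replays connection-log lines of the kind Log Center shows (the line layout here is an approximation and the sample lines are constructed, including the IPs) through a sliding-window Auto Block model and a password-spray check. The threshold numbers (10 failures in 5 minutes as the "default" policy, 5 in 24 hours as the tightened one) are assumptions chosen for the demonstration, not a statement of DSM's shipped defaults.

```python
"""Added example: replay Synology-style connection-log lines through an
Auto Block model and a password-spray detector. Not code from the video or
from Synology; the log format is approximated and all sample lines are
constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Approximation of a DSM "Connection" log line (assumption: real lines differ
# in column layout but carry the same timestamp, user and source IP).
LINE = re.compile(
    r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) .*?"
    r"User \[(?P<user>[^\]]+)\] from \[(?P<ip>[^\]]+)\] failed to log in"
)


def parse(lines):
    """Return (time, user, ip) tuples for failed logins, oldest first."""
    events = []
    for line in lines:
        m = LINE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return sorted(events)


def auto_block(events, attempts, within_minutes):
    """Model Auto Block: an IP is blocked once it has `attempts` failures
    inside a sliding window of `within_minutes`. Returns {ip: block_time}."""
    window = timedelta(minutes=within_minutes)
    recent = defaultdict(list)
    blocked = {}
    for ts, _user, ip in events:
        if ip in blocked:
            continue  # already on the block list; later attempts never reach login
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= attempts:
            blocked[ip] = ts
    return blocked


def spray_report(events, min_users=3):
    """Flag IPs that try many distinct usernames (a spray), whatever their rate."""
    users = defaultdict(set)
    for _ts, user, ip in events:
        users[ip].add(user)
    return {ip: sorted(u) for ip, u in users.items() if len(u) >= min_users}


def sample_lines():
    """Constructed log: a loud bot hammering 'admin' and a low-and-slow sprayer."""
    lines = []
    t0 = datetime(2024, 6, 1, 2, 0, 0)
    for i in range(12):  # loud bot: 12 tries on "admin" inside two minutes
        t = t0 + timedelta(seconds=10 * i)
        lines.append(f"Warning Connection {t:%Y/%m/%d %H:%M:%S} SYSTEM User [admin] "
                     f"from [203.0.113.7] failed to log in via [DSM] due to authorization failure.")
    users = ["admin", "root", "synology", "test", "guest", "user", "backup", "frank"]
    for i, user in enumerate(users):  # sprayer: a new username every 40 minutes
        t = t0 + timedelta(minutes=40 * i)
        lines.append(f"Warning Connection {t:%Y/%m/%d %H:%M:%S} SYSTEM User [{user}] "
                     f"from [198.51.100.23] failed to log in via [DSM] due to authorization failure.")
    # a successful local login, which the parser must ignore
    lines.append("Information Connection 2024/06/01 02:05:00 frank User [frank] "
                 "from [192.168.1.20] logged in successfully via [DSM].")
    return lines


def run_policies():
    """Compare a default-style policy with a tightened one on the sample log."""
    events = parse(sample_lines())
    default = auto_block(events, attempts=10, within_minutes=5)        # assumed "default"
    strict = auto_block(events, attempts=5, within_minutes=24 * 60)    # tightened window
    return {"default": sorted(default), "strict": sorted(strict),
            "spray": spray_report(events)}


if __name__ == "__main__":
    for name, result in run_policies().items():
        print(name, result)
```

The loud bot trips both policies; the sprayer that rotates usernames at one attempt every 40 minutes never accumulates enough failures inside a 5-minute window and only shows up under the longer window, or when you look at distinct usernames per source the way spray_report does.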
Thanks for this vid, I already disabled my admin account years ago but never knew how many attempts were being made on my system daily. You should see how many IPs were blocked today.
As soon as I get a Synology NAS I will look at this again! I am on a Mac though. Thank you for the info and for sharing for us! Security is important as it is important for us to access the data remotely.
I experimented with setting up a mail server on my NAS once, using the usual port 25. It didn't take long to see a batch of IPs in the block list every day and I ultimately decided not to continue. I still have other ports open (not defaults) and mitigated with geo-blocking on my Synology router. I still get paranoid though.
Step 0 - Use a good-quality IDS/IPS router which blocks scanner bots (like Shodan), bad-reputation IPs, port scanners, etc. This ensures that your IP will be practically invisible to attackers.
I don't run a Synology NAS but this was a great video to demonstrate best practices for any service. I do like that this also served as an example that any obscurity is always better than no obscurity.
Thanks for watching!!
Great video! I don't understand a word you said as I'm clueless when it comes to NAS drives.
Next: How to create a honeypot collecting hacker's data.
All good suggestions. Thanks!!
Excellent PSA! The Synology user base applauds you.
Wow great video ! Thanks for the tips and for your hard work !
Even though my Synology NAS at home and my remote off-site backup one are behind a firewall, I still configure the firewall on the Synology NAS so that if someone gets into my network they have a second firewall on the Synology NAS to get through. I hate the advice all over the internet that says "You don't need to turn on the firewall if it's behind your router or firewall". NO NO NO. Why wouldn't you want extra security just in case? More security is ALWAYS better. How do we know there isn't an undiscovered vulnerability in the firewall/router that is in use? We all know consumer-grade routers are terrible for security and after a couple of years no longer get firmware updates, and we are going to trust this to be our firewall to protect our NAS? YEAH, HARD NO! Furthermore, I do all the recommendations mentioned in this video and advise others to do them too. Thanks for a great video I can share.
Admin: Stealth Password Spray is tough for a device to spot, but easy for a human.
Great video, very sensible and practical advice.
Thanks for the update on Synology security. It opened my eyes on some settings. I actually never use the HTTP port for connecting to my NAS. You can't reach it from outside because the port is not forwarded. I was using QuickConnect to connect to my NAS from outside, but I found out that it was not as secure as it should be. I can't use 2FA with QuickConnect. I blocked all external IP addresses from connecting to my NAS. The only IP addresses that are allowed are those of my subnet and the IP address of my external router.
I'm curious if there's any way to gauge the risks of using QuickConnect.
This video is a freaking masterpiece! Nothing less! Thank you Frank and bravo!
Thanks for watching, Avi!
You're certainly right about the default auto block settings, so I will extend this: if you plan to expose your NAS to the internet, wipe out all defaults, including the default port for SSH. Pretty much anything that's set up by default you've got to change if possible. If you want to have your NAS exposed to the internet so you can access it, think about running TrueNAS within a VPS, and you have options such as Proxmox or even XCP-ng; that way you can make multiple copies of VMs and just delete one that is compromised while keeping, say, two other exact copies intact. Always build your network security in layers, as I said elsewhere already. Use OSI as a reference and set up protection at each level, document it and print it out so you know what you have on each layer. That alone will allow you to track an incoming attack. Also use VLANs too, as it will make things even more difficult for attackers.
Excellent tips thank you
Hi Frank,
I have done all of the security settings you mentioned, except changing default DSM port.
I am seriously considering changing the default DSM port, but I am not sure whether it will affect QuickConnect.
My family members frequently use Synology Photos and Drive through the apps externally and all of them use QuickConnect. They need fast access, so my NAS needs to be open to the Internet.
But AFAIK, QuickConnect cannot specify a port. That means if I change the port, QuickConnect may fail to access my NAS directly from outside and it will change to the relay server, which will be painfully slow.
I know VPN is the best solution, but it is difficult to tell all of my family to VPN every time they use the Synology apps.
Is there any workaround for this issue?
Someone else commented about that and the truth is, I don't know. On one hand, if it's a direct connection, port 5001 has to be forwarded, which means you're opening yourself up to the risk. If you use the relay service, it'll be slow but the port won't be forwarded. My guess is DSM port forwards 5000 or 5001 using UPnP and that's how you get the direct connection, but the best way to confirm that is to use a port checker and test to see if 5000 or 5001 is open. I'll see if I can get a clearer answer on my test environment.
Had to do a soft restart of my Synology NAS. Then you log in with admin. Is that the moment the bots are aiming for? So should best practice be to first disconnect from the internet and then perform a soft restart, if needed?
As long as the NAS isn't exposed to the external internet, a soft reset wouldn't cause these types of attacks. You'd have to actually expose the NAS externally. However, still a best practice to disable the admin account when you're done.
If I change port 5001 to something else, are there any downstream effects that I need to adjust for, such as logging in? Or other apps that are expecting to see port 5001 open?
Another great video Frank. Thanks so much.
They probably scan the other ports too, so like with SSH, effectiveness is limited.
It shouldn't affect your transfer speeds. Just change your ports to something high like over 50000. The thing is if your Synology access ports are default 5000/5001, then hackers will pretty much know you are running a Synology NAS and if a vulnerability for it pops up in the future, they'll know to use that exploit on you. 😬
Yes, great point - thanks for pointing it out. If you're connecting using the default port to any of the apps and you change it, you'll have to update them. I'll add a note to the description for that. Thanks for the kind words/watching!
@WunderTechTutorials I was just watching your video on setting up the firewall and noted that the DSM ports need to be allowed. So, changing from 5000/5001 to xxxx would require a change to the firewall rule presumably, so you don't lock yourself out.
@DavidM2002 If you specify the port directly (as a custom port), yes, it would have to be updated. If you use the DSM HTTP/HTTPS rules (preselected rule in the firewall), it should automatically be updated after changing the port.
Great tips for securing your NAS! I pretty much did all of these plus a few extras when I got my Synology NASes years ago. As you mentioned, one of the best things you can do is not expose your NAS directly over the Internet. Mine can only be accessed via VPN (which I host locally at home) with specific IPs. Scanner bots or anyone at all won't even know my NASes exist. 😎
How do you host a VPN locally at home?
@SergioBlackDolphin use the Synology feature to create an instance of OpenVPN.
How are you viewing the attacks? What kind of log viewer and how did you access that?
Synology's Log Center has all the connection logs.
@WunderTechTutorials Thanks for your reply!!
So QNAP isn't the only one being attacked.... 🤔
Good stuff... Thank you.
Video of the month - this real test is the edge you have over the competition I mentioned. Super interesting, and I learned something new (enlarged the block time frame to 7 days!). One thing which helps quite a few people: country whitelisting….
Thanks for the kind words! Totally agree on the country whitelisting - great point. Thanks for watching!
Is it reasonable to allow access to apps like DS Audio? Which means QuickConnect needs to work?
I feel like anything is reasonable if it fulfills the requirements and the risk(s) are understood. A lot of people use QC, and it hasn't been known to have major security flaws, so I'd say that if it works for you, go for it.
My custom-built unRAID server was attacked, but I don't have SSH turned on and I was behind a firewall and I use Cloudflare. Luckily the Fix Common Problems plugin caught it, so I lowered the failed password attempts to 3, and I never figured out the who/when/where/why/how aspect of the attack. Since then I added an extra layer using CF: you've got to enter an email to get a code, then you can enter your logon creds….
If I have used the file sharing facility within the File Station app (using a simple password and for non-users), do I need to "allow" their IP access for this file sharing facility to continue to work? Up to now (without an IP range defined in the Allow List) it's worked fine, but if I define my internal IP range, will that then lock them out unless I add their IP (which I don't know!)?
How are you sharing the data? Externally through port forwarding?
@WunderTechTutorials I'm using the built-in share facility in File Station, which I think automatically uses the QuickConnect method, does it not? I know I have only allowed that method of external access on the NAS currently anyway for my own external access, so I am assuming it's using that.
@sonarfreq If it's a gofile link, yes, QC.
@WunderTechTutorials Yes, sorry, it IS a gofile link… so will it fail if I set up an internal IP range for security purposes as you advised here, or will it still function as it always has via QuickConnect?
Really new to this... what is it asking for in subnet allow? The IP of my router? And what is the mask? Where can I find this info...
If you're a beginner, I'd recommend skipping the firewall for now. Focus on some of the other settings and don't expose your NAS to the internet.
I have set up over 50 Synology servers and never have I seen the admin account enabled by default! So my question is: why did you enable the admin account in the first place?
The admin account can be enabled for various reasons. In older versions of DSM, it was enabled by default. If you do a soft reset, it will be enabled. Obviously, it's a best practice to have it disabled, but many people have it enabled and this was to show what can happen if it's enabled.
My admin account is disabled and I receive the same bot attack with the most stupid list of user/pass that's spread all over the internet.
With 2FA enabled that attack doesn't bother me. As I use my Synology for much more than a simple storage device, it's impossible not to expose it. But it's a nice video, thanks.
Second vid today that I can directly implement! 👌💪
PS: your website, which supports the CZcams vids, is amazing. 🎓
Thank you for the effort and work you're putting into it! I can watch the vid first and afterwards just use the website to do it myself, learn and Google stuff.
Obviously Subscribe is my way to go here. ✅✅
Enable 2-factor with Google Authenticator on your phone, change the default port that is open to the internet, add a security policy so that after 2 failed login attempts the account is disabled, don't use the default name admin and, like you said, disable it. If attacked, change your home's IP address; it can easily be done by changing your MAC ID on your router. The ISP will push a new IP, if you are not using a paid VPN. I do all this on remote desktop and have no issues. I also have mine set so two invalid logins = 60 min lockout.
Any 2FA authenticator works, not just Google, and there are several out there.
Without wiping my settings, what can I do to set up security from scratch? I have no idea if I did anything to open myself up to attack. I'm a novice when it comes to this.
Security for Synology NAS devices is generally just a set of best practices, assuming the NAS is not exposed to the outside internet. Use a port checker to see if the DSM port is open to the external world. If it is, it has to be closed (it shouldn't be). Then, you can follow this more in-depth guide on security if you'd like: czcams.com/video/B826kB0p8T0/video.html
@WunderTechTutorials Thanks. I know I messed with the firewall a bunch, but honestly I'm not sure what I'm doing.
Your devices do not need to support customization of the listening port. Just use your router to forward from a non-standard port number to the local device on a standard port. Provided your local network is trusted, only the client side needs to support custom port numbers. When selecting your custom ports, first Google standard port numbers so that you don't select custom ports that are commonly in use and may be targeted by port scanner bots.
I'm wondering how practical it is not to expose your NAS to the net? If I want to access images or documents when I'm out and about, doesn't it need access to the net so I can successfully get to those documents?
The best way to access it is by using a VPN if possible.
Can you delete the default admin account if you have another admin account made?
Yes, just create a new user with admin privileges and disable all default users
Not delete. Disable.
Keep in mind.
If someone has physical access to your NAS and hits the reset button with a paper clip, the admin account will reappear and the management port will reset to 5000/5001.
Only disable, but as long as it's disabled and you have a different local admin, you're good.
Would you recommend creating firewall rules and then, based on location, blocking all but your own country? Would this also stop the attempts you had?
I tracked the country of the source IP address hoping to draw some sort of a conclusion to implement a firewall rule but they were ALL over the place. I was expecting certain countries to have higher totals than others but it was pretty even. Doesn't hurt to implement a rule, just make sure you create a LAN rule as well (the country rule doesn't allow local IPs).
Good question. But what about updates from Synology? Presumably they would have update servers in many countries, but I'd want to know that first.
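Added example, not from the video or from DSM: a first-match model of a rule list like the one in DSM's firewall, to check what a proposed rule set does to the sources you care about before applying it. Assumptions: rules are evaluated top to bottom with the first match deciding and the no-match action set to deny (DSM lets you pick that); there is no offline country database here, so the "own country" rule is a hand-picked list of RFC 5737 documentation ranges standing in for real country ranges, and every address in the script is constructed.

```python
"""Added example (not from the video or DSM): first-match evaluation of a
firewall rule list, used to show why a country-allow rule needs a LAN rule
above it. All ranges and addresses are constructed (RFC 5737 / RFC 1918)."""
import ipaddress

# Assumption: stands in for the geo-IP ranges DSM would resolve for "own country".
COUNTRY_CIDRS = ["203.0.113.0/24", "198.51.100.0/24"]
LAN_CIDRS = ["192.168.1.0/24"]
DSM_PORTS = {5000, 5001}


def make_rule(name, action, cidrs=None, ports=None):
    """cidrs=None matches any source; ports=None matches any destination port."""
    nets = None if cidrs is None else [ipaddress.ip_network(c) for c in cidrs]
    return {"name": name, "action": action, "nets": nets, "ports": ports}


def matches(rule, src_ip, dst_port):
    ip = ipaddress.ip_address(src_ip)
    if rule["nets"] is not None and not any(ip in n for n in rule["nets"]):
        return False
    if rule["ports"] is not None and dst_port not in rule["ports"]:
        return False
    return True


def decide(rules, src_ip, dst_port, default="deny"):
    """First matching rule wins; with no match the default policy applies."""
    for rule in rules:
        if matches(rule, src_ip, dst_port):
            return rule["action"], rule["name"]
    return default, "default policy"


# Rule set 1: the country rule on its own, which is what a first attempt often looks like.
COUNTRY_ONLY = [
    make_rule("own country -> DSM", "allow", COUNTRY_CIDRS, DSM_PORTS),
]
# Rule set 2: a LAN rule placed above the country rule.
WITH_LAN = [
    make_rule("LAN -> all", "allow", LAN_CIDRS, None),
    make_rule("own country -> DSM", "allow", COUNTRY_CIDRS, DSM_PORTS),
]


def check(rules):
    """Decisions for a LAN client, an in-country client on DSM and on SSH,
    and an out-of-country scanner."""
    probes = [("192.168.1.20", 5001), ("203.0.113.7", 5001),
              ("203.0.113.7", 22), ("192.0.2.55", 5001)]
    return {f"{ip}:{port}": decide(rules, ip, port)[0] for ip, port in probes}


if __name__ == "__main__":
    print("country only :", check(COUNTRY_ONLY))
    print("with LAN rule:", check(WITH_LAN))
```

With the country rule alone, the LAN client at 192.168.1.20 falls through to the default deny, which is exactly the lock-out warned about in the reply above; adding the LAN rule fixes that, but note it allows every port from the LAN, which is the trade-off raised elsewhere in the thread about a compromised local device.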
Great video, however when I changed my port my mobile apps broke. All but my photo app still work. Tried the port number and no luck. Desktop works fine with the port number defined.
The DS Video app says "Failed to connect to the Synology NAS. Please check the network connection and the IP address of your Synology NAS." Even when it searches the LAN it does not find it. Tried modifying the app, still no go. Nothing works.
If you changed the port, you do need to update it on the app side. Have you tried logging out of the app and logging back in? Does it connect? If so, are you using Synology's Firewall?
@WunderTechTutorials Yes, I logged out. The only way I get the DS Video app to work is if I turn on local network in the app. However, my DS Photo app now fails to log in locally or remotely. When you say update the port info, I am looking at Login Portal > DSM > Application > I select my port. However, it says that port is used by another application when I change it.
@RobSnow-ui4sz Are you using Synology's Firewall? If so, turn it off temporarily and see if it works. That would mean there are firewall rules you need to add.
Excellent video!
Thanks for watching, Tony!
To be fair, if you have a decent password, brute force attacks trying once every week are kind of pointless from the beginning, having a near-zero chance of success.
Nice to see default ports and user accounts are still being attacked like a good deal from a grocery store.
1:41, if you need exactly that, then it's a bad advice.
I can't imagine having my NAS available only through VPN or only from within my local network; this would kill the whole point of having a dedicated device capable of running 24/7 to access the data at the moment you need it.
I'm interested in why you think a VPN is such an inconvenience? I'm the opposite - couldn't imagine having my NAS available to the whole world when I can use a VPN and limit the risk 99%+. Especially when connecting to it can be entirely automated if you're using Apple devices and is only a few clicks on Windows/Android.
This video is extremely needed. The principles applied here could also be applied to other NAS brands such as QNAP, right?
You are an amazing speaker and teacher. Thank you for all the work that you go through to create these videos to inform about this stuff.
I know that you are focused on Synology products but, if by any chance you get any other brand of NAS... the lessons and tutorials would be much appreciated.
Thank you for the kind words! I appreciate you watching!
One thing you might want to tell people is that if they are using QuickConnect and they change port 5001, anyone connecting from the internet will not connect directly to the NAS at high speed. They will connect to the NAS at Synology's relay rate, which is really slow.
Do you mean locally? If so, changing the port should still allow local connections at full speed.
@WunderTechTutorials If you are using QuickConnect from outside of the local network (from remote), it will only connect to your NAS using Synology's relay speeds. I wish there was a way around it. It seems to be the way QuickConnect works. QuickConnect can be a bit confusing; basically, when you connect to it, it determines if you are on the local side or the internet side. If you are on the local side, it will connect to the NAS directly using the local IP address. If you are on the internet side (outside the network), it looks to see if it can connect to your NAS via an open port (i.e. 5000, 5001); if it can link to your NAS directly using a direct port, it will. This will only be as fast as your NAS internet connection, but if it cannot connect directly through an open port it will use Synology's relay servers to connect. Synology's relay servers are really slow. They offer a great service for free, but they do not want everyone connected through them using a bunch of bandwidth, so it is limited.
Have you checked to see if DSM used UPnP to port forward 5001? I don't see any other way you'd connect to it directly without port forwarding, which is concerning. In this case, you DO want to use the relay service to avoid having that port open.
Tonight it started; I'm getting attacked every minute.
Just don't expose your NAS to the internet and set it up only on your LAN?
Is it OK to expose Jellyfin to the web?
Better to use a VPN if it's an option. Generally, you want to limit self-hosted applications to the world if you don't have to, but it depends on your requirements.
Disable the admin account and in the firewall block every country you are not in. Simple.
But if you whitelist your local network and anything in it is compromised, then they have unlimited brute force access.
I mentioned that in the pinned comment. Yes, that is correct, but that would be very bad if that happened.
Hahahaha
Snapshots take up space. Hence no snapshots
Extremely, extremely minimal with Btrfs.
@WunderTechTutorials I had to delete snapshots when 1/3 of my NAS space (5TB of 15TB) was taken up with them. I have backups. And people should stop saying that a NAS is not a backup. It could be somebody's backup and it's confusing to hit a new NAS user with that. Not everyone is an IT person.
If Snapshots took up a third of the storage, the retention policy was most likely too long. Sadly, RAID is not a backup and neither are snapshots. Snapshots are a best practice. They're an insurance policy and protect against various forms of data loss. If you're willing to risk it, then I understand not wanting to configure them but speaking generally, almost everyone should have them configured.
@WunderTechTutorials In total I have 10 copies (backups) of all my data and one in the cloud.
You don't have to use them and I don't want you to think I'm trying to convince you to use them. They just have their place in a good data integrity plan.
Poor choice to go Synoloshit in the first place 😂
What's the better option? I have QNAP and it's okay, but I feel like there are better options.
Thanks!
Thank you so much!
Why did it get attacked, Frank? Did you not set it up in the right way?
There are bot networks worldwide that scan IP addresses for an open 5000 or 5001 port, and attempt an admin login. So if you operate a web server, this bot network will try to login to your admin account. They know that there are people who don’t change the default admin password of their account. It’s a very, very easy attack to protect yourself from; just disable your admin account, whether you’re using Synology or anything else.
@marshallgoldberg8376 Why even use the default stuff? I asked Frank why he got hacked. He of all folks has the knowledge.
@vardagsteknik6576 He did not get hacked. He was attacked, unsuccessfully… the same as anyone else who hosts a web server on the Internet. The same thing happens to my Synology and every other server on the Internet. People try to get root access to your home router all the time.
@vardagsteknik6576 You shouldn't use the default stuff, but routers and servers need to have a default account and password so they can be initially configured. You always change these defaults when you set up the device. With Synology, always create a new account with Administrator privileges and then disable the admin account. This is Security 101, going back decades.
@vardagsteknik6576 He did not get hacked lol; he purposely set up the Synology with the default port/settings for this video as a demonstration.
Ok, so less than 2 weeks ago you make a video saying that Synology is the best, and now you say you were attacked? Pathetic. Or? Ah ok, you need views on the videos, ok, understood.
It was a test...