jensmander Posted July 24, 2019 #1

Synology NAS systems are - along with QNAPs - currently the target of a wide brute-force attack. A botnet tries to break in via weak passwords and infects the system with ransomware. Once infected, it encrypts all files and data. This affects systems which are reachable over the internet (open firewall ports / NAT).

To protect yourself you should
- activate the DoS protection including account blocking
- apply strong password rules to all users
- create a new admin account with a strong password and disable the standard "admin" account

More information: https://www.synology.com/en-global/company/news/article/2019JulyRansomware
polanskiman Posted July 31, 2019 #2

Sorry I didn't see this before. I am creating an announcement right away to inform people about this.
modboxx Posted July 31, 2019 #3

I've been under attack for a couple of days now and what's impressive is the amount of IPs they have at their disposal (643 currently).

Anyway, here's a blacklist I've put together from all the attacking IPs if you want to block them at your gateway. Additionally, make sure to disable your admin account as that seems to be the only account they are targeting.

Blacklist.txt

Here's how it will look in the auth log.

2019-07-29T08:11:03-04:00 Hostname synocgid: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=139.59.84.30 user=admin
2019-07-29T08:11:48-04:00 Hostname synocgid: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=52.221.135.26 user=admin
2019-07-29T08:14:37-04:00 Hostname synocgid: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=128.199.80.77 user=admin
2019-07-29T08:16:22-04:00 Hostname synocgid: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=206.189.119.148 user=admin

PS. I guess if your Synology is not open to port 5000 you're probably OK for now.

Edited August 1, 2019 by Polanskiman: Added code tag.
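Added example (not part of any post in this thread): Python that parses the `webui:auth` failure lines shown in post #3 and counts distinct source IPs per targeted account, because a botnet that spreads its guesses over hundreds of addresses can stay under a per-IP auto-block threshold. The function names and the last two sample lines are constructed for the example, and `rhost` is assumed to hold an IP literal.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Lines 1-4 are the ones quoted in the post; lines 5-6 are constructed for this example.
SAMPLE_LOG = """\
2019-07-29T08:11:03-04:00 Hostname synocgid: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=139.59.84.30 user=admin
2019-07-29T08:11:48-04:00 Hostname synocgid: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=52.221.135.26 user=admin
2019-07-29T08:14:37-04:00 Hostname synocgid: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=128.199.80.77 user=admin
2019-07-29T08:16:22-04:00 Hostname synocgid: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=206.189.119.148 user=admin
2019-07-29T08:17:05-04:00 Hostname synocgid: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=203.0.113.7 user=alice
2019-07-29T08:17:40-04:00 Hostname sshd[1234]: Accepted password for alice from 203.0.113.7 port 50022 ssh2
"""

FAILURE = re.compile(
    r"^(?P<ts>\S+) \S+ synocgid: pam_unix\(webui:auth\): authentication failure;"
    r".*\brhost=(?P<rhost>\S+)(?: +user=(?P<user>\S+))?"
)

def parse_failures(text):
    """Return [(timestamp, source_ip, user)] for each web UI login failure, oldest first."""
    events = []
    for line in text.splitlines():
        m = FAILURE.match(line)
        if m:  # user= is treated as optional (assumption); such events get user None
            events.append((datetime.fromisoformat(m["ts"]), m["rhost"], m["user"]))
    return sorted(events, key=lambda e: e[0])

def distributed_targets(events, min_sources=3, window=timedelta(minutes=10)):
    """Map account -> peak count of distinct source IPs seen within one sliding window."""
    by_user = defaultdict(list)
    for ts, ip, user in events:
        by_user[user].append((ts, ip))
    flagged = {}
    for user, hits in by_user.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # drop failures that fell out of the window
            sources = {ip for _, ip in hits[start:end + 1]}
            if len(sources) >= min_sources:
                flagged[user] = max(len(sources), flagged.get(user, 0))
    return flagged

def blocklist(events, users):
    """Numerically sorted, de-duplicated source IPs that targeted the given accounts."""
    ips = {ipaddress.ip_address(ip) for _, ip, user in events if user in users}
    return [str(ip) for ip in sorted(ips, key=lambda a: (a.version, int(a)))]
```

On the sample, `distributed_targets(parse_failures(SAMPLE_LOG))` flags only `admin`, and `blocklist(...)` yields the four addresses from the post in a form that can be fed to a gateway deny list.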
pmchan Posted July 31, 2019 #4

No attack so far, but I remember a time when I could see those many bots knock at the door and be blocked in real time thanks to the DSM notifications, it was very frightening. Now I try to be less naive, there's surely room for improvement but here's what I did.

- admin account is disabled
- I changed the default 5000/5001 DSM ports
- disabled http access outside my local network, it's https only with Let's Encrypt certificate.
- added two-factor authentication to all accounts
- enabled auto block after 2 failed attempts within 20 minutes (well, this one is a bit excessive...)
- allowed DSM access to my own country only in DSM firewall.

Good luck guys!

Edited July 31, 2019 by pmchan
polanskiman Posted August 1, 2019 #6

10 hours ago, sliders said:
> thanks, is there more info for security

Not sure what you mean but you should follow Synology guidelines.
jastsai Posted August 24, 2019 #7

I have over 1000 attempts and after changing my port out it stopped.
test4321 Posted December 2, 2019 #8

I wonder if it's possible to add Fail2Ban with https://www.abuseipdb.com/ integration. That would stop these attacks easily.
Dvalin21 Posted February 3, 2020 #9

> No attack so far, but I remember a time when I could see those many bots knock at the door and be blocked in real time thanks to the DSM notifications, it was very frightening. Now I try to be less naive, there's surely room for improvement but here's what I did.
> - admin account is disabled
> - I changed the default 5000/5001 DSM ports
> - disabled http access outside my local network, it's https only with Let's Encrypt certificate.
> - added two-factor authentication to all accounts
> - enabled auto block after 2 failed attempts within 20 minutes (well, this one is a bit excessive...)
> - allowed DSM access to my own country only in DSM firewall.
> Good luck guys!

I don't suppose you have a tutorial somewhere that we can access, do you? Would love to learn about how you did all of that. Thanks in advance.
flyride Posted February 3, 2020 #10

18 minutes ago, Dvalin21 said:
> I don't suppose you have a tutorial some where that we can access do you? Would love to learn about how you did all of that. Thanks in advance.

These are all settings in DSM.
Hemps Posted February 15, 2021 #11

I just block all IPs except the ones that need access on our local network, so single IP then also single IP from the outside.
Also disable admin account
Strong passwords
IG-88 Posted February 15, 2021 #12

13 hours ago, Hemps said:
> Also disable admin account
> Strong passwords

also dsm supports 2nd factor, that might be useful too
https://www.synology.com/en-global/knowledgebase/DSM/tutorial/Management/How_to_add_extra_security_to_your_Synology_NAS#t6

hiding it behind a firewall and using vpn to access it might be even better
AbuMoosa Posted February 16, 2021 #13

On 2/15/2021 at 1:55 PM, Hemps said:
> I just block all ip's except the ones that need access on our local network, so single ip then also single ip from the outside. Also disable admin account Strong passwords

Enable firewall and open only the ports you need or are using. There are tons of tutorials on YouTube on this.
adamazam0489 Posted March 5, 2021 #14

We have to make our password strong to make our account secure and we have to block that source through which threat comes to our account and system.

by M3technology
smileyworld Posted March 5, 2021 #15

I only once had an incident where someone from Russia tried to log in to my NAS in Austria multiple times and then got blocked automatically by DSM. After that I changed my firewall settings inside DSM so that only ports from the services I need are allowed and restricted it just to my country. My point is, as @IG-88 already mentioned, when you follow the instructions you should be safe.

Edited March 5, 2021 by smileyworld