jensmander

Security: brute-force attack against Synology NAS

Synology NAS systems are - along with QNAPs - currently the target of a wide brute-force attack. A botnet tries to break in via weak passwords and infects the system with ransomware. Once infected, it encrypts all files and data.
This affects systems which are reachable over the internet (open firewall ports / NAT).
To protect yourself you should:
- activate the DoS protection including account blocking

- apply strong password rules to all users

- create a new admin account with a strong password and disable the standard "admin" account
More information:
https://www.synology.com/en-global/company/news/article/2019JulyRansomware

Sorry I didn't see this before. I am creating an announcement right away to inform people about this.


I've been under attack for a couple of days now, and what's impressive is the amount of IPs they have at their disposal (643 currently).
Anyway, here's a blacklist I've put together from all the attacking IPs if you want to block them at your gateway. Additionally, make sure to disable your admin account, as that seems to be the only account they are targeting.

Blacklist.txt
Here's how it will look in the auth log.

2019-07-29T08:11:03-04:00 Hostname synocgid: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=139.59.84.30  user=admin
2019-07-29T08:11:48-04:00 Hostname synocgid: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=52.221.135.26  user=admin
2019-07-29T08:14:37-04:00 Hostname synocgid: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=128.199.80.77  user=admin
2019-07-29T08:16:22-04:00 Hostname synocgid: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=206.189.119.148  user=admin

 

PS. I guess if you Synology is not open to port 5000 your probably OK for now.

Edited by Polanskiman
Added code tag.
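As an added example (not from the post above, and not Synology's or the forum's own code), here is a small Python script that parses auth log lines in the format quoted above, counts failures per source IP and per targeted user, and flags sources that exceed a DSM-style auto-block threshold (N failures within M minutes). The sample log is constructed: the four failure lines quoted in the post are reused, and the remaining lines (repeat attempts from 139.59.84.30, the placeholder address 192.0.2.10, user "alice", the sshd line) are invented to exercise the window logic and show that unrelated lines are ignored.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: the first, second, fifth and sixth failure lines are the
# ones quoted in the post; the rest are invented for this example.
SAMPLE_LOG = """\
2019-07-29T08:11:03-04:00 Hostname synocgid: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=139.59.84.30  user=admin
2019-07-29T08:11:48-04:00 Hostname synocgid: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=52.221.135.26  user=admin
2019-07-29T08:12:10-04:00 Hostname synocgid: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=139.59.84.30  user=admin
2019-07-29T08:13:00-04:00 Hostname synocgid: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=139.59.84.30  user=admin
2019-07-29T08:14:37-04:00 Hostname synocgid: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=128.199.80.77  user=admin
2019-07-29T08:16:22-04:00 Hostname synocgid: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=206.189.119.148  user=admin
2019-07-29T09:30:00-04:00 Hostname synocgid: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10  user=alice
2019-07-29T09:31:00-04:00 Hostname sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
"""

# Matches the pam_unix "authentication failure" lines that synocgid writes for
# failed DSM web UI logins, in the layout shown in the post.
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+synocgid:\s+pam_unix\(webui:auth\):\s+"
    r"authentication failure;.*?\brhost=(?P<rhost>\S*)\s+user=(?P<user>\S+)"
)


def parse_auth_line(line):
    """Return (timestamp, remote_ip, user) for a failed web UI login, else None."""
    m = AUTH_FAIL_RE.search(line)
    if not m:
        return None
    # DSM writes ISO-8601 timestamps with a UTC offset, which fromisoformat accepts.
    return datetime.fromisoformat(m.group("ts")), m.group("rhost"), m.group("user")


def failures_per_host(lines):
    """Count failed logins per source IP (rhost)."""
    counts = Counter()
    for line in lines:
        parsed = parse_auth_line(line)
        if parsed:
            counts[parsed[1]] += 1
    return counts


def targeted_users(lines):
    """Count failed logins per targeted account name."""
    counts = Counter()
    for line in lines:
        parsed = parse_auth_line(line)
        if parsed:
            counts[parsed[2]] += 1
    return counts


def brute_force_sources(lines, threshold=2, window=timedelta(minutes=20)):
    """Return the set of source IPs with >= threshold failures inside any
    sliding time window of the given length (the DSM auto-block rule shape)."""
    by_host = defaultdict(list)
    for line in lines:
        parsed = parse_auth_line(line)
        if parsed:
            by_host[parsed[1]].append(parsed[0])
    flagged = set()
    for host, times in by_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(host)
                break
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("failures per source IP:", dict(failures_per_host(lines)))
    print("targeted users:", dict(targeted_users(lines)))
    print("sources to block (2 failures / 20 min):", sorted(brute_force_sources(lines)))
```

Feed it `/var/log/auth.log` (or whatever your DSM version writes to) instead of the constructed sample to build your own gateway blocklist, and lower `threshold` or widen `window` to match the auto-block settings you configured in DSM. The per-user counter is the quick way to confirm what the poster observed, that only the default admin account is being targeted.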


No attack so far, but I remember a time when I could see so many bots knocking at the door and being blocked in real time thanks to the DSM notifications; it was very frightening.

Now I try to be less naive; there's surely room for improvement, but here's what I did:

- admin account is disabled

- I changed the default 5000/5001 DSM ports

- disabled HTTP access outside my local network; it's HTTPS only with a Let's Encrypt certificate

- added two-factor authentication to all accounts

- enabled auto block after 2 failed attempts within 20 minutes (well, this one is a bit excessive...)

- allowed DSM access only from my own country in the DSM firewall

Good luck guys!

Edited by pmchan
10 hours ago, sliders said:

Thanks, is there more info for security?

Not sure what you mean but you should follow Synology guidelines.
