jensmander, posted July 24, 2019 (#1)

Synology NAS systems are - along with QNAPs - currently the target of a wide brute-force attack. A botnet tries to break in via weak passwords and infects the system with ransomware. Once infected, it encrypts all files and data. This affects systems which are reachable over the internet (open firewall ports / NAT).

To protect yourself you should
- activate the DoS protection including account blocking
- apply strong password rules to all users
- create a new admin account with a strong password and disable the standard "admin" account

More information: https://www.synology.com/en-global/company/news/article/2019JulyRansomware

Polanskiman, posted July 31, 2019 (#2)

Sorry I didn't see this before. I am creating an announcement right away to inform people about this.

modboxx, posted July 31, 2019 (#3)

I've been under attack for a couple of days now and what's impressive is the number of IPs they have at their disposal (643 currently).

Anyway, here's a blacklist I've put together from all the attacking IPs if you want to block them at your gateway. Additionally, make sure to disable your admin account as that seems to be the only account they are targeting.

Blacklist.txt

Here's how it will look in the auth log.

    2019-07-29T08:11:03-04:00 Hostname synocgid: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=139.59.84.30 user=admin
    2019-07-29T08:11:48-04:00 Hostname synocgid: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=52.221.135.26 user=admin
    2019-07-29T08:14:37-04:00 Hostname synocgid: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=128.199.80.77 user=admin
    2019-07-29T08:16:22-04:00 Hostname synocgid: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=206.189.119.148 user=admin

PS. I guess if your Synology is not open to port 5000 you're probably OK for now.

(Edited August 1, 2019 by Polanskiman: added code tag.)

pmchan, posted July 31, 2019 (#4)

No attack so far, but I remember a time when I could see those many bots knock at the door and be blocked in real time thanks to the DSM notifications, it was very frightening.

Now I try to be less naive, there's surely room for improvement but here's what I did.
- admin account is disabled
- I changed the default 5000/5001 DSM ports
- disabled http access outside my local network, it's https only with Let's Encrypt certificate.
- added two-factor authentication to all accounts
- enabled auto block after 2 failed attempts within 20 minutes (well, this one is a bit excessive...)
- allowed DSM access to my own country only in DSM firewall.

Good luck guys!

(Edited July 31, 2019 by pmchan)
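
Editor's added example (not part of any post in this thread, and not Synology's code): a small Python check that reads auth-log lines in the format modboxx quoted and applies the auto-block rule pmchan describes (2 failed attempts within 20 minutes) per source address. The per-account threshold of 4, the function names, and the sample log (documentation-range IPs) are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the synocgid/pam_unix format quoted in the thread;
# the addresses are documentation-range IPs, not real attackers.
SAMPLE_LOG = """\
2019-07-29T08:11:03-04:00 Hostname synocgid: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10 user=admin
2019-07-29T08:11:48-04:00 Hostname synocgid: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=198.51.100.7 user=admin
2019-07-29T08:14:37-04:00 Hostname synocgid: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10 user=admin
2019-07-29T08:16:22-04:00 Hostname synocgid: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=203.0.113.5 user=admin
2019-07-29T09:40:00-04:00 Hostname synocgid: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=203.0.113.5 user=backup
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ synocgid: pam_unix\(webui:auth\): authentication failure;"
    r".*\brhost=(?P<rhost>\S+)\s+user=(?P<user>\S+)"
)

def parse_failures(text):
    """Yield (timestamp, rhost, user) for each failed web UI login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["rhost"], m["user"]

def over_threshold(events, key_index, max_failures=2, window=timedelta(minutes=20)):
    """Keys (rhost or user) with >= max_failures failures inside the sliding window."""
    recent = defaultdict(deque)
    flagged = set()
    for event in sorted(events):
        ts, key = event[0], event[key_index]
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            flagged.add(key)
    return flagged

def report(text):
    events = list(parse_failures(text))
    return {
        "block_ips": sorted(over_threshold(events, 1)),                        # 2 in 20 min, per IP
        "targeted_users": sorted(over_threshold(events, 2, max_failures=4)),  # assumed threshold
    }

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the sample, only one address crosses the per-IP limit while the "admin" account still collects four failures from three addresses, which is the pattern a distributed attack produces and why the per-account count is reported alongside the block list.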

sliders, posted July 31, 2019 (#5)

Thanks, is there more info for security?

Polanskiman, posted August 1, 2019 (#6)

10 hours ago, sliders said:
> thanks, is there more info for security

Not sure what you mean but you should follow Synology guidelines.

jastsai, posted August 24, 2019 (#7)

I have over 1000 attempts and after changing my port out it stopped.

test4321, posted December 2, 2019 (#8)

I wonder if it's possible to add Fail2Ban with https://www.abuseipdb.com/ integration. That would stop these attacks easily.

Dvalin21, posted February 3, 2020 (#9)

pmchan said:
> No attack so far, but I remember a time when I could see those many bots knock at the door and be blocked in real time thanks to the DSM notifications, it was very frightening.
> Now I try to be less naive, there's surely room for improvement but here's what I did.
> - admin account is disabled
> - I changed the default 5000/5001 DSM ports
> - disabled http access outside my local network, it's https only with let's encrypt certificate.
> - added two-factor authentication to all accounts
> - enabled auto block after 2 failed attempts within 20 minutes (well, this one is a bit excessive...)
> - allowed DSM access to my own country only in DSM firewall.
> Good luck guys!

I don't suppose you have a tutorial somewhere that we can access, do you? Would love to learn about how you did all of that. Thanks in advance.

flyride, posted February 3, 2020 (#10)

18 minutes ago, Dvalin21 said:
> I don't suppose you have a tutorial some where that we can access do you? Would love to learn about how you did all of that. Thanks in advance.

These are all settings in DSM.

Hemps, posted February 15, 2021 (#11)

I just block all IPs except the ones that need access on our local network, so single IP then also single IP from the outside.
Also disable admin account
Strong passwords

IG-88, posted February 15, 2021 (#12)

13 hours ago, Hemps said:
> Also disable admin account
> Strong passwords

Also, DSM supports a 2nd factor, that might be useful too:
https://www.synology.com/en-global/knowledgebase/DSM/tutorial/Management/How_to_add_extra_security_to_your_Synology_NAS#t6

Hiding it behind a firewall and using VPN to access it might be even better.

AbuMoosa, posted February 16, 2021 (#13)

On 2/15/2021 at 1:55 PM, Hemps said:
> I just block all ip's except the ones that need access on our local network, so single ip then also single ip from the outside. Also disable admin account Strong passwords

Enable the firewall and open only the ports you need or are using. There are tons of tutorials on YouTube on this.

adamazam0489, posted March 5, 2021 (#14)

We have to make our password strong to make our account secure, and we have to block the source through which the threat comes to our account and system.

by M3technology

smileyworld, posted March 5, 2021 (#15)

I only once had an incident where someone from Russia tried to log in to my NAS in Austria multiple times and then got blocked automatically by DSM. After that I changed my firewall settings inside DSM so that only ports from the services I need are allowed and restricted it just to my country.

My point is, as @IG-88 already mentioned, when you follow the instructions you should be safe.

(Edited March 5, 2021 by smileyworld)