XPEnology Community

Security: brute-force attack against Synology NAS



Synology NAS systems are - along with QNAPs - currently the target of a wide brute-force attack. A botnet tries to break in via weak passwords and infects the system with ransomware. Once infected, it encrypts all files and data.

 

This affects systems which are reachable over the internet (open firewall ports / NAT).

 

To protect yourself you should

 

- activate the DoS protection including account blocking

- apply strong password rules to all users

- create a new admin account with a strong password and disable the standard "admin" account

 

More information:

 

https://www.synology.com/en-global/company/news/article/2019JulyRansomware


I've been under attack for a couple of days now, and what's impressive is the number of IPs they have at their disposal (643 currently).

 

Anyway, here's a blacklist I've put together from all the attacking IPs if you want to block them at your gateway. Additionally, make sure to disable your admin account, as that seems to be the only account they are targeting.

Blacklist.txt

 

Here's how it will look in the auth log.

2019-07-29T08:11:03-04:00 Hostname synocgid: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=139.59.84.30  user=admin
2019-07-29T08:11:48-04:00 Hostname synocgid: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=52.221.135.26  user=admin
2019-07-29T08:14:37-04:00 Hostname synocgid: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=128.199.80.77  user=admin
2019-07-29T08:16:22-04:00 Hostname synocgid: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=206.189.119.148  user=admin

 

PS. I guess if your Synology is not open on port 5000 you're probably OK for now.

Edited by Polanskiman
Added code tag.

No attack so far, but I remember a time when I could see that many bots knock at the door and be blocked in real time thanks to the DSM notifications; it was very frightening.

Now I try to be less naive, there's surely room for improvement but here's what I did.

- admin account is disabled

- I changed the default 5000/5001 DSM ports

- disabled HTTP access outside my local network; it's HTTPS only with a Let's Encrypt certificate.

- added two-factor authentication to all accounts

- enabled auto block after 2 failed attempts within 20 minutes (well, this one is a bit excessive...)

- allowed DSM access to my own country only in DSM firewall.

Good luck guys!

Edited by pmchan
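The two posts above give the raw material for spotting this attack yourself: the `synocgid: pam_unix(webui:auth): authentication failure` lines quoted earlier, and the "auto block after 2 failed attempts within 20 minutes" setting. The following script is an added example, not code from either poster or from Synology. It parses lines in that format, applies the same sliding-window rule DSM's auto block uses (the threshold and window are parameters), reports which accounts are being targeted, and emits a sorted blocklist like the one attached above. The sample log is constructed, with placeholder addresses from the documentation range 203.0.113.0/24 rather than real attacker IPs; the log path and exact DSM field layout are assumed to match the quoted lines.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Shape of the lines quoted in the post above (assumed to be the general format).
# Lines with an empty rhost= field deliberately do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+synocgid:\s+pam_unix\(webui:auth\):\s+authentication failure;"
    r".*?\brhost=(?P<rhost>\S+)\s+user=(?P<user>\S+)"
)

# Constructed sample log: same layout as the quoted auth log, placeholder IPs.
SAMPLE_LOG = """\
2019-07-29T08:11:03-04:00 Hostname synocgid: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=203.0.113.10  user=admin
2019-07-29T08:11:48-04:00 Hostname synocgid: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=203.0.113.20  user=admin
2019-07-29T08:14:37-04:00 Hostname synocgid: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=203.0.113.10  user=admin
2019-07-29T08:16:22-04:00 Hostname synocgid: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=203.0.113.30  user=admin
2019-07-29T09:40:00-04:00 Hostname synocgid: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=203.0.113.20  user=admin
2019-07-29T09:41:00-04:00 Hostname synocgid: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=203.0.113.20  user=alice
2019-07-29T09:42:00-04:00 Hostname kernel: unrelated line that must be ignored
"""


def parse_failures(text):
    """Return a list of (timestamp, rhost, user) for every webui auth failure."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an auth failure line (or malformed) -> ignore
        ts = datetime.fromisoformat(m.group("ts"))  # keeps the -04:00 offset
        events.append((ts, m.group("rhost"), m.group("user")))
    return events


def find_offenders(events, max_failures=2, window=timedelta(minutes=20)):
    """Sliding-window rule: an rhost is flagged once it reaches max_failures
    failures inside `window`. Defaults mirror the '2 in 20 minutes' DSM setting
    mentioned in the thread. Returns rhost -> summary dict."""
    recent = defaultdict(deque)  # rhost -> timestamps inside the window
    offenders = {}
    for ts, rhost, user in sorted(events):
        q = recent[rhost]
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        q.append(ts)
        entry = offenders.get(rhost)
        if entry is None and len(q) >= max_failures:
            entry = offenders[rhost] = {"first_block": ts, "failures": 0, "users": set()}
        if entry is not None:
            entry["users"].add(user)
    # Total failure count per flagged rhost, including those before the block.
    for ts, rhost, user in events:
        if rhost in offenders:
            offenders[rhost]["failures"] += 1
            offenders[rhost]["users"].add(user)
    return offenders


def targeted_users(events):
    """Which accounts the failures are aimed at (the thread notes it is only 'admin')."""
    return dict(Counter(user for _, _, user in events))


def blocklist(offenders):
    """Sorted list of addresses to hand to a gateway/firewall, one per line."""
    return sorted(offenders)


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG)
    print("targeted accounts:", targeted_users(evs))
    for ip, info in find_offenders(evs).items():
        print(f"{ip}: blocked at {info['first_block'].isoformat()}, "
              f"{info['failures']} failures, users={sorted(info['users'])}")
    print("\n".join(blocklist(find_offenders(evs))))
```

To run it against a real box, replace `SAMPLE_LOG` with the contents of the auth log you are already reading (`parse_failures(open(path).read())`); the window rule means a host that spaces its attempts more than 20 minutes apart is never flagged, which is exactly the trade-off pmchan's "a bit excessive" comment is about, and the per-user count is a quick way to confirm that only the default admin account is being hit.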

I don't suppose you have a tutorial somewhere that we can access, do you? Would love to learn about how you did all of that. Thanks in advance.


On 2/15/2021 at 1:55 PM, Hemps said:

I just block all IPs except the ones that need access on our local network, so a single IP, then also a single IP from the outside.

Also disable admin account

Strong passwords 

Enable firewall and open only the ports you need or using. 
There are tons of tutorials on YouTube on this. :)



I only had one incident where someone from Russia tried to log in to my NAS in Austria multiple times and then got blocked automatically by DSM. After that I changed my firewall settings inside DSM so that only the ports of the services I need are allowed, and restricted it to my country only.
My point is as @IG-88 already mentioned when you follow the instructions you should be safe.

Edited by smileyworld
