Massive Botnet Attacking Synology - how to protect your NAS

Captions
All right, how's it going, y'all? So today we're going to talk about the fact that there is a massive group of hacked devices that have created a botnet that is trying to break into Synologys all around the world. We're going to talk about what it is, how to protect yourself against it, and also why it's not necessarily as scary as that sounds, because it is actually something that is not as big of a deal as you might think. In a lot of ways this is not what to worry about compared to other much more risky situations, but we're going to talk about it all today. If you've logged into your NAS and you've got port 5000 or 5001 open to the internet, you may have seen your screen look just like this, with thousands of login attempts with either the username admin or with a dictionary attack of random names. So we're going to go through and talk about what's happened and how to protect yourself against this.

All right, so first off, what is a botnet and what is going on? So a botnet is essentially a bunch of devices that have been hacked, and they're actually probably devices that are not owned by the hackers at all. Instead, hackers have found a bunch of IoT devices and routers that had bad security, either default passwords, stuff open to the internet, who knows what, but especially things that use Telnet, a very old, insecure protocol, and have essentially been able to brute force or hack their way into them in some way and start controlling them. They then use these devices to actually hack and take more devices, and so in this case there are tens of thousands of IP addresses, which means tens of thousands of unique devices who are essentially compromised, and these hackers can tell these devices to do whatever they want. Their goal is to make money, obviously. Now, hacking into somebody's router or smart fridge probably is not going to be of very much value to you, because with people who have these insecure devices you don't even know how to get their information enough to get them to pay you; there's no value in there. So what these hacker groups do is essentially they take all of them and they use them to try to brute force their way into devices, and that is what creates a botnet. Essentially you have thousands of devices, specifically with thousands of different public IP addresses, all taking a turn trying to guess their way into a device, and in this case they are scanning the internet for either port 5000 or 5001 open to the internet. If they find it, they are going to essentially start trying to log into DSM and hopefully get your admin credentials, and if they do, they'll actually manually log in, encrypt your files, and then go ahead and send you a message that says, hey, you have to pay us X, Y and Z bitcoin in order to get your files back.

But first I'd like to take a quick break to thank the sponsor of today's video, DeleteMe. Did you know that your personal data is sold online by data brokers? You have the right to stay private and protect your personal data. Data brokers are corporations that collect a huge amount of personal information, like phone numbers, addresses, and even your relatives, from a variety of sources like government public records and social media. They then aggregate this information into listings or profiles and then sell it to either other data brokers or other organizations who have an interest in your private data. Having this information out there increases the risk of being a target of identity theft, which has been made easier by the ... of personal information online, and that's where DeleteMe comes in. DeleteMe can help protect you from the risks of identity theft by removing your personal data from hundreds of data brokers online. They will then provide a privacy report showing what data they were able to find and remove, and will continue to monitor and repeat removals as required. I personally use DeleteMe and recommend it to help protect your personal information. Get 20% off DeleteMe US customer plans when you go to joindeleteme.com/rex and use promo code REX at checkout. That is code REX, joindeleteme.com/rex. Thanks again to DeleteMe for sponsoring today's video. Now back to the video.

So that is the goal of this situation: essentially to get admin login to the NAS so they can upload malicious code which will essentially encrypt every single file on the NAS and then demand a ransom. That's overall the setup, and the important thing that makes this work is the fact that they have thousands of IP addresses, because one of the first things that everybody should do, and if you don't already you should, is set up auto block. Auto block is very simple: if an IP address guesses a login too many times incorrectly in X amount of time, it will actually just block that IP address from doing anything. And so if you've only got a few IP addresses it'll take millions of years to have a 50% chance of guessing a password, but if you have 10,000 IP addresses, well, now you might actually have a chance to be able to get in, because auto block only blocks IP addresses. If you've got 50 different accounts or 5,000 different IP addresses it is not going to block those, and so that is what these groups are trying to do.

The groups try two different things. First they try admin, so this is why the very first step you should always do if you're upgrading a NAS or anything like that is make sure your admin account is disabled, that is, the account labeled admin, because these attackers are guessing the username admin. If you have a different username than that it's almost like having a different password; it's almost like they have to guess two passwords rather than just one, because they don't even know what your admin username is. They don't know what your account names are, and so they first have to guess the account name and then guess the password, and so you're almost doubling your layers of security. So they are first trying admin and seeing if they can get in, then if they're unsuccessful they will go in and start a dictionary attack. Essentially they've got a dictionary composed of the top, I think, probably 10,000 usernames, and they're just going in one by one and guessing those to see if they get in. So that's basically their MO.

And while this seems really scary when you see your log page and you see 5,000 logs saying hey, somebody's trying to get into my NAS, that is a scary situation, right? But I'll be honest with you, this is not the thing to worry about. The thing to worry about is the person who actually has an exploit, who actually can get into DSM without credentials, somebody who finds a vulnerability in Synology DSM that lets them get in without doing the brute force. While this attack looks scary, if the NAS they're going after has the most basic security stuff that I've gone over in videos, they're not going to get very far at all, for numerous reasons. But that's not the point for these guys. These guys don't have to break into every NAS; they don't even have to break into 1% of NASes. The way this works is it's so low effort for them to try 10,000 NASes that even if they get just 10 people, a 0.1% return, it is still financially worth it for them. So they are really looking for the lowest common denominator to be able to get in, and so that's how this works, and that's why it's really important to kind of schedule yourself once a year to go in, log into the NAS and check your security stuff. Make sure you're up to date, make sure all those things are there, because while this is not a big deal if you keep up to date and you've got a good password, well, if you've kind of not looked into security stuff for five years and the NAS has just been plugging along, those new things may have changed and you may need different security stuff.

And so now let's go ahead and talk about what you should do when you see this, and also how to protect yourself from this in general and just give a good security overhaul. I actually manage a lot of client NASes who this is going on with; some of them are even available with SFTP so they're getting SSH attempts, and there's been a large increase over the past six months in these. So it's pretty common, but it's still nothing necessarily to worry about. I actually have a dashboard where I just see the numbers keep going up, but we're going to talk about what security things to do to really mitigate the possibility of this occurring, and we're going to go from the least intrusive down to the most intrusive. As in, we're going to start with things that are not going to affect your daily life and kind of move up to things that may limit the capability of your NAS one way or the other for the benefit of security.

So first off, let's go in and make sure we've got three things for every single NAS. First off, you should really make sure that your admin account is disabled. If you look, these botnets are spending 90% of the time trying the word admin as the username, so disable that, deactivate it. So if you come in here and admin is enabled, make sure, one, that you're not signed in with the admin account; if you are, just create a new account as an administrator. And then, two, come in here, hit edit and deactivate the account. I also am weird: I will often just change the password to something random and save it like that. I don't think it does anything, deactivating it should be totally fine, but I always just do that more so than anything just in case there was ever a weird thing that happened; I do change that password. And so just by having that account disabled you are going to really be able to weather the vast majority of these people, because they are not looking for you. They're looking for that NAS running DSM 6.2 and still having the admin account enabled because they've never changed it. Those are the people it's looking for.

So then after you've done that, the next thing you want to do is come into Security and make sure you've got Protection, auto block, enabled. I did tell you that auto block isn't going to do anything for this specific attack, but it's still really important to have in there. So a really easy recommendation is 10 attempts within 5 minutes and unblock after 4 days. That way if you're on vacation and anything happens and you accidentally block yourself out, it'll expire after 4 days, and these settings are still very restrictive, so it's not like you're going to be a sitting duck or anything like that, because this will limit that. So just make sure you've got auto block enabled.

And the next thing you really want to do is you need to come in and, under Account, enable account protection. This is the trick. So just as I said earlier, these botnets have tens of thousands of IP addresses at their disposal, so auto block doesn't do anything, but account protection actually gives you the flip side. Whereas auto block checks the IP address to see if they have guessed a login X number of times within the last X minutes, account protection doesn't care about the IP address; it cares about the username. And so if account protection detects that a username is being logged into five times within one minute, it's going to block that username from being logged in for 30 minutes. So if somebody is using 50,000 IP addresses and trying to brute force your account, they're going to get the account locked for all IP addresses for 30 minutes, and this can be a huge slowdown and why it's definitely worth enabling for you, because you don't want somebody to figure out your username and then all of a sudden they can use all these IP addresses to eventually get in within a matter of months. Instead you want to go ahead and make sure that they are locked, and you will really slow down any kind of attack for that. That being said, if you ever do see multiple login attempts for your actual username in a row, you should be worried and really go in and figure out what's going on, and shut the NAS off until you can figure that out, because that's actually a situation. But this will really limit the capability of somebody, even if they do get the username right, being able to start brute forcing their way in even if they have tons of IP addresses. So that's a great thing to have. You will see, you'll get notices that the admin account has been locked due to account protection if you do have this, so I will often go in and then just go into Notification and disable that if it is going on, just because you don't want to get a zillion of those emails and then you stop looking at the emails. So that is the way to do it; you can really limit the exposure by having that. So those are three settings that are incredibly easy to do and should not disrupt the NAS at all.

Next up is going to be adaptive MFA. This is essentially zero overhead and a super easy way of adding in a lot more protection, because adaptive MFA works just like your bank account does. If it detects that you're logging in from an IP address that you don't normally log in with, or it's external, it's going to say, hey, let's just double check this, and send an email to your email address, and you put in a code. I love this. This is a feature that came out with DSM 7.2 and is going to make this whole thing way harder to hack into, because now with adaptive MFA, even if these hackers guess your password and guess your username, they probably also haven't hacked into your email, so it makes it so much harder. It's really simple and does not have a large disruption on your ability to use the NAS, and so it's definitely something that you should enable every single time, though unfortunately it is only on DSM 7.2 or later, so it may be worth updating just for that.

All right, so those were all things that have really minimal disruption to your daily life and actually the use of the NAS. We're going to start talking about some additional things here that are a little bit harder. So while adaptive MFA is great, two-factor is always going to be better, because two-factor works on everything and it actually uses a pre-shared code to make sure it goes in. So if you do have the ability to run a mail server and you know how to use two-factor authentication codes and you know how to keep them, and you know whenever you get a new phone you need to make sure you update that, it's a good idea to enable two-factor authentication for all administrator users. I've got videos on that; it's pretty easy to set up and it is more secure than adaptive MFA alone. So that's the next step up, though for people who aren't used to having an authenticator code it can be very difficult to use and a bit of a pain.

The next thing that's not too disruptive, but a little bit, is to actually change the port number. This is often called security through obscurity, and in this case it does actually have a large impact, because these botnets are really low effort; they are just going for the lowest common denominator. And so one really easy thing you can do is just not run DSM publicly on port 5000 and 5001. You can change it to anything, choose 8981. This is only the case if you do have DSM open up to the internet; if you're only running DSM locally, as in you don't have port 5000 or 5001 open to the internet through your router, there's no benefit in doing this. But if you do want to be able to access it publicly, specifically through either DDNS or faster QuickConnect, this will actually help, because now nobody knows you're running a Synology NAS when they do the first pass, and this actually helps a ton even though this is not doing anything from a true security perspective; it's really just hiding behind a sea of chaos. So instead of it just being an easy hey, they're running a Synology NAS because they've got 5001 open, it takes way longer to scan all 60,000 ports, and this is one of those things where if you just change the port number, these botnets that are really dumb and really simple aren't even going to notice you, because they're only looking for 5000 and 5001. This is not going to do too much for people who are really targeting you specifically, because it's not that hard to do a full scan, but just from a hey, I don't want to deal with all the chaos and clutter of the internet standpoint, changing the default port can help a lot for that, and everybody who I do that with doesn't get these login attempts. If you do this, it is going to restart the web server and then you're going to have to go in and redo your port forwarding rules, and if you're using DDNS you're going to have to tell all of your clients, hey, this is updated, but if you use QuickConnect it'll automatically figure it out.

All right, so now let's go ahead and talk about things that are a little bit more disruptive but can actually be very effective in these cases, and let's talk about geo-blocking, because it's actually surprisingly effective. So I have my threat map right here. These are all my clients that I monitor, their bad login attempts from the last month, and there's 170,000 of them. It is a ton of logins going around the world, and the vast majority of these are outside the United States. So what you can do is you can actually block everybody who is not in your country from accessing the DSM web page, and that is not a bad idea at all to do. So if you wanted to, you can really say, you know, I never travel, I never need to send files to people who are outside of my country, well, let's go in and I'm going to show you how to make a firewall rule to block people who are not in your country from accessing the web page, and so they're never going to even be able to log in.

So what we can do is we can come into Control Panel and actually set up a firewall rule. I would always disable this firewall notification, and we're going to go ahead and just set it up where we're going to make it really easy. So what we're going to do is we are going to block DSM from outside of our home country; for me I'm going to do US, and you can actually choose as many countries as you want here. And we're actually going to first allow DSM from our local IP addresses; we're actually going to allow all from this. I'm going to set this up very simply where everybody can fill this out, so it's going to be a little bit, well, a little bit long-winded here. So we're going to first go in and allow all the local networks. If you've watched my video on setting up firewall rules, it's going to be identical to that start. All right, so I'm blowing through this because I don't want to spend too much time on it, but I want to give you something that you can easily add on into your own NAS. So what we've done right here is we have first gone in and we specifically said all the local IP addresses written down in RFC 1918 are allowed into all ports, so if somebody's on the local network we're not going to do any blocking. You can change this later on if you want to, but that is our basics here. So we're going to say, hey, all local stuff is not going to be blocked, from the firewall at least. And then we're going to now go ahead and say, hey, now DSM is going to be allowed from what country we'd like, and Synology has a really easy location option here, and we're just going to say the US. If you do business with other countries and other specific things you can check off these as well, anything else you like; I believe there's a limit of a certain number of countries here, but it's easy enough to add in. So now what we're saying is anybody who is in the United States we're not going to block going to DSM, and then we're going to go ahead and say, hey, everybody else, deny. So just like that you can set it up where, okay, only people in the United States are able to access the web interface of DSM, or you could also say, all right, anybody else going to DSM is denied. So what you can do there is you can really customize this down to whatever you like, so you could use maybe Synology Drive ShareSync with anybody in the world but block DSM. There's a lot of options there, but the most basic options are going to be this right here: allow all on the local networks, make sure these are always up here, then for DSM we're going to allow any countries we want specifically, and then everything else deny. And so this is a really easy firewall rule that should work for everybody. If you use something like Tailscale you may need to add in those IP addresses here as well, but this is the basics there. So that is a simple firewall rule that will lock out everybody who's not in your country, which is limiting this by a factor of 100 in my case, and so it's really, really easy to go ahead and actually do all this stuff with, and that's a great place to start.

All right, so now, everything we've talked about so far shouldn't have been too big of a deal for most people. Now we're going to talk about actually limiting the capability of the NAS for the sake of security, and that's actually where using QuickConnect alone, instead of using DDNS or synology.me, can actually be a lot more secure in this case. Because if we do not open up those DSM ports to QuickConnect, it's going to force it to use what's called a relay server, and this means that we don't have to have any worry about blocking on our end, because Synology does not let those connections on through. So the next step is to just disable port forwarding entirely for 5000, 5001, or whatever your DSM ones are, and the biggest downside of this is sharing files and being able to quickly access files remotely. So if you use something like Synology Photos with your family and you want a really fast connection, well, unfortunately QuickConnect is not that fast when it's used with a relay server, and so it will slow things down. But that is by far the most secure way of doing this: to just limit down QuickConnect, or even disable QuickConnect entirely and only use something like a VPN server, but those are much more disruptive. And so if you use the NAS to be able to share massive files with businesses who you don't want to give a VPN connection to, those kinds of things might not necessarily work, and that's why it's really important to have things like two-factor authentication enabled and things like that.

Okay, so I know there were a ton of things there, but I wanted to give it in a nice list where you can start from stuff that everybody can do and it's not going to disrupt your NAS, all the way to things that are going to limit real functionality of the NAS depending on what you're doing. The biggest thing to do is to stay up to date across the board here; making sure that your NAS is not really out of date will help a ton, because there are CVEs being patched all the time, vulnerabilities in DSM that are patched and fixed before anybody can actually exploit them, so by keeping your NAS up to date you will also really be helped there. All right, well, I hope you found that helpful. I do want people to remember, while this looks scary, in a lot of ways if you followed security best practices in this case you're really not too much at risk, because these are bots who are looking for people who have not set up things properly and have an easy way in. Use strong passwords, use two-factor authentication, and don't use the regular admin account, and you're going to be very protected from this specific case, and it's just an easy way to mitigate your exposure in general. If you'd like to hire me, there's a link for that down in the description below. Have a good one. Bye.
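The contrast the video draws between auto block (keyed on the source IP) and account protection (keyed on the username) is easy to see in a small simulation. The following is an added example, not code from the video and not Synology's implementation (DSM's real lockout logic is not public and may differ in detail); it uses the thresholds the video recommends, and the failed-login events it feeds in are constructed. It runs a distributed case (10,000 distinct addresses each guessing "admin" once) and a single-address dictionary case through both rules and counts how many guesses each rule lets through to password checking.

```python
"""Simulation of the two DSM lockout mechanisms discussed in the video:
Auto Block (keyed on source IP) and Account Protection (keyed on username).
Added example, not the video's or Synology's code; DSM's real implementation
is not public and may differ in detail. Thresholds follow the settings
recommended in the video; all login events are constructed."""
from collections import defaultdict, deque

# Auto Block: 10 failed attempts from one IP within 5 minutes, unblock after 4 days.
AUTO_BLOCK_ATTEMPTS = 10
AUTO_BLOCK_WINDOW_S = 5 * 60
AUTO_BLOCK_DURATION_S = 4 * 24 * 3600
# Account Protection: 5 failed attempts on one username within 1 minute, locked 30 minutes.
ACCOUNT_ATTEMPTS = 5
ACCOUNT_WINDOW_S = 60
ACCOUNT_LOCK_S = 30 * 60


class LoginGuard:
    """Tracks failed logins and applies both rules to each new failure."""

    def __init__(self):
        self._ip_failures = defaultdict(deque)    # ip -> recent failure timestamps
        self._user_failures = defaultdict(deque)  # username -> recent failure timestamps
        self.ip_blocked_until = {}                # ip -> time (s) the block expires
        self.user_locked_until = {}               # username -> time (s) the lock expires

    @staticmethod
    def _record(history, now, window, limit):
        """Append a failure, drop ones outside the window, return True when the limit is hit."""
        while history and now - history[0] > window:
            history.popleft()
        history.append(now)
        if len(history) >= limit:
            history.clear()
            return True
        return False

    def failed_login(self, now, ip, username):
        """Process one failed login at time `now` (seconds). Returns an outcome string:
        'dropped:...' if a block or lock already applied, otherwise 'evaluated' plus
        the names of any rules this attempt tripped."""
        if self.ip_blocked_until.get(ip, 0) > now:
            return "dropped:ip-blocked"
        if self.user_locked_until.get(username, 0) > now:
            return "dropped:account-locked"
        triggered = []
        if self._record(self._ip_failures[ip], now, AUTO_BLOCK_WINDOW_S, AUTO_BLOCK_ATTEMPTS):
            self.ip_blocked_until[ip] = now + AUTO_BLOCK_DURATION_S
            triggered.append("auto-block")
        if self._record(self._user_failures[username], now, ACCOUNT_WINDOW_S, ACCOUNT_ATTEMPTS):
            self.user_locked_until[username] = now + ACCOUNT_LOCK_S
            triggered.append("account-protection")
        return "evaluated" + "".join(":" + name for name in triggered)


def summarize(outcomes):
    """Count how the guard handled a sequence of failed-login outcomes."""
    summary = {"evaluated": 0, "dropped": 0, "auto_block": 0, "account_protection": 0}
    for outcome in outcomes:
        if outcome.startswith("dropped"):
            summary["dropped"] += 1
            continue
        summary["evaluated"] += 1
        if "auto-block" in outcome:
            summary["auto_block"] += 1
        if "account-protection" in outcome:
            summary["account_protection"] += 1
    return summary


def botnet_scenario(n_ips=10_000):
    """Distributed case from the video: n_ips distinct addresses each try 'admin' once,
    one guess per second. Constructed 10.x.y.7 addresses stand in for the botnet."""
    guard = LoginGuard()
    outcomes = [guard.failed_login(t, f"10.{t // 256}.{t % 256}.7", "admin")
                for t in range(n_ips)]
    return summarize(outcomes)


def single_ip_scenario(n_attempts=100):
    """Classic case: one address runs a username dictionary, one guess per second."""
    guard = LoginGuard()
    outcomes = [guard.failed_login(t, "203.0.113.42", f"user{t}")
                for t in range(n_attempts)]
    return summarize(outcomes)


if __name__ == "__main__":
    print("10,000 IPs x 'admin':", botnet_scenario())
    print("one IP x 100 usernames:", single_ip_scenario())
```

In the distributed run, auto block never fires (no address exceeds one failure), but account protection locks "admin" after five guesses and keeps it locked for 30 minutes at a time, so only 30 of the 10,000 guesses ever reach password checking. In the single-address run the roles reverse: each username is tried once, so account protection stays silent, and auto block stops the address after its tenth failure. Treat the numbers as a model of the two rules, not as a measurement of DSM itself.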
Info
Channel: SpaceRex
Views: 62,360
Id: TgveuE_JFkE
Length: 24min 42sec (1482 seconds)
Published: Wed May 29 2024