My Synology NAS was ATTACKED!

Video Statistics and Information

Captions
Over the past four months, I ran a test with two Synology NAS devices to see exactly what can be done to improve the overall security of them. Out of the box, Synology devices aren't set up in a way that would be considered insecure, but as we start to configure the NAS, there are things that can be done that will either increase or decrease the overall security of the device. So the question is: what are some important security steps that you can take to increase the overall security of your Synology NAS?

To highlight how some of these security features work, I set up a completely isolated network with two different DSM instances: one with the default port 50001 and one with a customized port 6751. What I then did is exposed both NAS devices to the external internet. There wasn't a firewall configured, and there were no actual differences in DSM other than the port. After 4 months, the Synology device with the default DSM port 50001 was attacked almost every minute. This is where things started to get interesting, and I think there's a lot that we can learn here, so let's break down some of these findings.

The only account that was used by the attackers was admin, so technically, if the admin account was disabled, the attackers wouldn't actually be able to authenticate. The other thing is that the attacks weren't as frequent as I expected. Initially I thought there would be multiple attacks per second to try and brute force the account, and that is not what happened. Instead, there would be one login attempt roughly every 60 to 90 seconds. These login attempts mostly came from different IP addresses, so there was not a single IP address that was blocked from Synology's built-in auto block feature, which I find to be interesting and I will explain in a little bit. The important thing here is that we can try and use this information to increase the overall security of the device, so let's do that now.

First and most obvious: don't expose the NAS to the external internet. If the NAS isn't accessible to the external world, there wouldn't be any login attempts and the overall security of the device would be exponentially better. But telling you to only do that wouldn't be a very good video, especially because there are things like UPnP that exist which can port forward the DSM port to the external internet without the admin of the device even knowing about it. If you want to test to see if it's accessible by the external world, use a port checker with the DSM port, and if it's open, you need to close that port on your router.

Now that that's out of the way, let's look at some of the settings that you should change based on the information I gathered that will help whether you're exposing your NAS to the external internet or not.

One: you must ensure the admin account is disabled. This was the only account the attackers attempted to log in with, so disabling it means that, outside of a separate security flaw with the login authentication process itself, they would never be able to log in because the account they're attempting to log in with is disabled. You'll receive a warning when logging into DSM 7 that the admin account should be disabled, and this is the main reason why. So if you're using the admin account, create a new user that will be your admin user, then disable the admin account.

Two: auto block should be enabled, but the default settings need to be modified. At least when looking at this small sample of attacks, the attacks came in by different IP addresses, all within 60 to 90 seconds, so with the default auto block settings there was never an IP address that was blocked. What this tells us is that if you're getting directly attacked, meaning someone knows your NAS is exposed and is attacking from a single location, as long as they attempt to log in based on the login attempts and minute settings that were configured, they will be blocked. However, for bot attacks, which is what I was experiencing, they're sophisticated enough that the default auto block settings are fairly useless, proof being that after 4 months of being attacked basically every single minute, there wasn't a single IP address blocked.

So how can we improve auto block? First, you have to ensure that your subnet is whitelisted in the allow/block list. Create a new entry for either your entire subnet or use an IP range. This should be local IP addresses so that you can never indirectly block yourself. If you have multiple subnets that access the NAS, you must create one line for each of them.

Once that's done, we have to talk about these auto block settings. Using the information from the attacks, we have a few interesting conclusions that we can draw. First, there were a few examples of two to three login attempts within a few seconds. The majority of them weren't, though, and ranged from 6 hours to multiple days. This means that one IP address that attempted to log in right this second didn't attempt to log in for multiple days a second time. So we have two ways that we can handle this, assuming you set up your allow list correctly, which like I said must be done to avoid indirectly blocking yourself.

The first option is to set the login attempts to one. This will allow your local subnet to have unlimited login attempts since it's in the allow list, but everything else will be blocked immediately. With the sample of the data gathered, using this approach every single one of the IP addresses would have been blocked on their first incorrect attempt.

Option two is to increase the minute setting. If you change the setting to 10,080 and keep the login attempts at two, this would mean that if a single IP address attempted to log in more than once in one week incorrectly, they will be blocked. You can always increase these numbers to be longer as well, on either the login attempts or total minutes, but from the information I gathered almost all of the login attempts seem to be within 7 days.

Now, to be clear, I'm not saying you should do this, but I am saying that these bot attacks were sophisticated enough that this is the only defense you have in terms of actually making this feature work as expected. This is something that I have always suggested is enabled, but quite honestly isn't something that I knew had to be customized so drastically. I thought the default values would be fine, but they're not. So assuming you set this up right, you'll never block anyone on your local network, but if you were getting attacked by bots this way, they'll be blocked from this feature.

Three: change the default DSM port. At the beginning of the video I said that there were two instances exposed to the external internet, one with a customized DSM port of 6751 and one with the default port 50001. The device with the customized port did not receive a single login attempt in the same exact time frame as a device with the default port. This small change allowed the NAS to be exposed to the external internet for over four months without receiving one login attempt. I know if you're not exposing the NAS to the internet there's no reason to change the port, but security through obscurity is a thing and this is proof. I personally suggest changing the default port.

Four: configure two-factor authentication. Assuming two-factor authentication is configured for all your devices, even if someone successfully authenticates, they'll need a second factor to access DSM. This should be configured at minimum for all admin user accounts and is a best practice.

Five: set up snapshots and backups. The data stored on NAS devices is generally important, and the only way to recover from any sort of data loss is to either restore the data through a snapshot or backup. Make sure you're using Btrfs if you can and enable a snapshot schedule for each shared folder. You can even enable immutable snapshots if you'd like, but keep in mind that immutable snapshots cannot be deleted until the protection period expires. Next, set up Hyper Backup to back up somewhere. In a perfect world it would be backing up offsite, but something is better than nothing, so if you want to use an external hard drive, use that. Just make sure that in some way you have backups that you can restore from. These are data integrity best practices and, paired with some of the security changes we just made, should protect you.

Now, there are other things you can do to secure your NAS, and I have an in-depth Synology NAS security video that I will leave a link for in the description. But even though the NAS shouldn't be exposed to the internet, these changes are harmless and in my opinion should be considered as best practices for every setup, especially when you bring the context of the attacks into the picture. I'm hoping this video helps show why some of these settings are important and the direct impact that they can have on your Synology NAS device and its overall security. Thanks for watching, I'll see you guys next time.
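The auto block behaviour described in the captions can be replayed on sample data. The following is an added example, not part of the video or of DSM: it uses a simplified sliding-window model of auto block, constructed login events, and an assumed default of 10 attempts within 5 minutes (the captions do not state the default values).

```python
import ipaddress
from collections import defaultdict, deque

def simulate_auto_block(events, attempts, minutes, allow_list=()):
    """Replay failed logins given as (minute, source_ip) pairs.

    An IP is blocked once it has `attempts` failures inside a sliding
    window of `minutes`. Returns (blocked_ips, failures_that_reached_login).
    """
    allowed = [ipaddress.ip_network(net) for net in allow_list]
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    blocked, reached = set(), 0
    for minute, ip in sorted(events):
        if any(ipaddress.ip_address(ip) in net for net in allowed):
            continue              # allow-listed sources are never counted
        if ip in blocked:
            continue              # already blocked, never reaches the login
        reached += 1
        seen = recent[ip]
        seen.append(minute)
        while minute - seen[0] >= minutes:
            seen.popleft()        # drop failures that aged out of the window
        if len(seen) >= attempts:
            blocked.add(ip)
    return blocked, reached

def constructed_events():
    """Constructed data: 254 bot IPs (TEST-NET-3) rotating one attempt
    every 90 seconds for 7 days, plus a local user mistyping 3 times."""
    bots = [(k * 1.5, f"203.0.113.{k % 254 + 1}") for k in range(6720)]
    local = [(100.0 + i * 0.5, "192.168.1.50") for i in range(3)]
    return bots + local

LAN = ["192.168.1.0/24"]          # hypothetical local subnet for the allow list
POLICIES = {
    "default (assumed 10 in 5 min)": (10, 5),
    "option 1: 1 attempt": (1, 5),
    "option 2: 2 in 10080 min": (2, 10080),
}

if __name__ == "__main__":
    events = constructed_events()
    for name, (attempts, minutes) in POLICIES.items():
        blocked, reached = simulate_auto_block(events, attempts, minutes, LAN)
        print(f"{name}: {len(blocked)} IPs blocked, {reached} attempts reached login")
```

Calling `simulate_auto_block(events, 1, 5)` without the allow list also blocks the local user, which is the self-lockout the allow list entry prevents.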
Info
Channel: WunderTech
Views: 37,882
Keywords: synology nas security
Id: x9QPUXldNAc
Length: 8min 0sec (480 seconds)
Published: Sun Apr 14 2024