Ransomware Protection: The Complete Guide for Synology NAS

Captions
All right, how's it going y'all? So today we're going over a critical video, and that is very simple steps that everybody should take to avoid ransomware on their Synology NAS. These are simple settings that you can take that will not negatively affect how you use the NAS and will give you incredible ransomware protection, really without having to do too much in your current workflow.

Before we go into setting all this stuff up, let's talk about what ransomware is. There's kind of two different forms: there is a crypto virus, and then there is actually extortion with your files. We're really going to be focusing on the crypto virus side of things. This will help with the extortion, but most of this stuff is going to be focused on making sure that you can always recover your files no matter what. It is a lot more difficult to make sure nobody else can access your files to a further level, because that requires additional things; we will go over all that here.

So what a crypto virus is, is effectively hackers compromising a computer on your network, or even directly brute forcing their way into your NAS, and then running a script that encrypts all the files it has access to. By far the most common way that this actually occurs in real life is somebody gets a virus on their computer: maybe they download something from a website, maybe they get a phishing attack with an email and it executes something. This script then goes through and finds every single drive and volume that it has access to. Generally it's attacked a computer, and that computer probably has mounted the SMB share of the Synology NAS, and it's just going to start encrypting every file it has access to. The exact same thing happens with external hard drives. It is a very common attack, and that is why it's really important to secure your files and all of your computers. We are going to go over how you can also reduce risk on that, but this is really going to be focusing on how to make sure the Synology itself is protected, and effectively treating your users as hostile employees who you do not know what could happen with, and you kind of almost assume that they have a virus on their computer at any given time.

In general the Synology itself does not get hacked. There have not been any exploits that I know of since like 2011 that have directly attacked the Synology. The ones that did as well were the fact that people would open up their NASes with a username and password of admin, the admin/admin, to the internet, because they updated DSM and that was the default username, and so that's why they actually recommend disabling that. But in general we are focusing on the fact that a computer is probably going to be the one who's actually encrypting the files, though we still will now with DSM 7.2 have additional protection for some NAS units, and we'll go over that in a minute here.

And so there are going to be two different ways we are going to protect ourselves here. One is we are going to limit access and hopefully reduce the chance that this ever occurs, and two, we're going to make sure that even if the worst happens we can recover from it. For the most part you do not have to buy any new hardware to do this, with one asterisk on that: you do require a NAS with a btrfs volume, so that is generally not the J models, and some people (I did it myself when I bought my first Synology way back in the day) set up their models with ext4 instead of btrfs. Unfortunately, if you do not have a btrfs volume you're not going to be able to do the majority of this. We'll still go over some things you can do and just basic practices, but the really great part about this, that's an incredible undo button for everybody, is not going to work for the models with only ext4 volumes. For business users using the Synology as an office file server, I genuinely would recommend using the NAS you've currently got that's a J model as a backup and switching over to a NAS with btrfs, because this is one of those features that has an unbelievable undo button to your entire NAS, and you can undo an employee getting mad and deleting everything and corrupting everything and writing over things, all in the snap of your fingers. None of this replaces a backup. It is critical to have a backup, but these are steps you can do without investing any more money to actually be able to have very good ransomware protection. Though have an off-site backup if at all possible, or at minimum get a USB external hard drive and set it up as a Hyper Backup destination, which will get you a lot of the way there.

So we're going to be focusing on, in this part of the video, how do you reduce the risk that your NAS gets hacked directly, and we're going to be focusing on ways that do not really impede the way you've been using your NAS. We can talk about some different security things here. We're going to start with some very, very, very basic stuff that every single person should do. So thankfully Synologies are actually quite secure things by default. I've had clients who have actually exposed Synologies with a public IP address directly to the internet for years without changing any of the settings at all, and while I freaked out a little bit, nothing bad had happened. I looked through all the logs and everything was looking okay, so you do have that.

The next thing we are going to do is we're going to go into Control Panel, and we're just going to set up some really useful defaults. We're going to go into our Security settings, and we're going to make sure that under Account we have at minimum adaptive MFA for administrator group users. What this means is if you're an admin logging in from outside of the local network, you will get a two-factor authentication email sent to you. Adaptive MFA is a great place that everybody should be at, at a minimum, because it's two-factor without all the pain, and it's one of those things that doesn't require a ton of upkeep. If you are a more sensitive business, two-factor authentication, especially if you're accessing
the NAS over the internet, I highly recommend at minimum for the administrator users. We can also just enable Account Protection. That is protecting you against a botnet attack where multiple IP addresses are trying to brute force their way in. What this will do is, say 1500 different IP addresses, because there's a botnet, are all trying to log in with the same user to effectively brute force it. Well, those guys won't get blocked by Auto Block because they're different IP addresses. If that happens, this will automatically lock the account so nobody can sign into that username for 30 minutes. Really useful to have in the case where you're actually a high value target.

Then we're going to go into the Protection tab, and this is something every single person should enable: 10 attempts within five minutes. You do not need to make this three attempts within 10 minutes. You really do not need to go to that level, because to brute force with these settings would take two and a half million years with an eight character random password to have a 50% chance of actually accessing it. It's just not going to happen. In general Auto Block should be very basic, really chill, because if somebody's brute forcing their way in you want them to get blocked, but having super restrictive stuff is not going to help you if the person's password generally was leaked, because if they have a hundred guesses of the password and they're pretty sure they know it, they'll just do one per hour and play the waiting game. So it's not worth it to increase anything past this, because you're going to start blocking your users way more than you're going to be blocking legitimate people. DDoS protection is only necessary if you're opening this up directly to the internet. I generally do not recommend it. And so those are the super basic settings that every single person should have at a minimum.

The next piece is going to User & Group and making sure that this user that is called admin is deactivated. So what this is, is this is the default system user, and you want to make sure that the admin user, the user labeled admin, is deactivated. This is where stuff gets very complicated, because Will is actually in the group of the administrators, so he is an admin user as well. This is where it's kind of hard to explain, so we're going to say that anybody who's in the administrator group, those are people who have root privileges, and then this is the admin user. It gets confusing there. Make sure to disable the account labeled admin and then have your own account that is in the administrator group.

In previous years I also recommended creating a separate regular user account and an admin account for yourself, so an administrator account for yourself. With the addition of immutable snapshots this is not nearly as crucial, and so I only recommend this for pretty serious businesses, just because it's great security practice to kind of get in the habit of doing least privilege. But for smaller businesses and home users it ends up becoming very confusing and a bit overkill. So with immutable snapshots, that have kind of eliminated 95% of the gain from that, I no longer really recommend that unless you are an IT group who actually knows about that and are comfortable understanding the differences.

The next thing to do is come in here to your groups and go to your administrators and check your members. Everyone will have a minimum of two users in this group: the account labeled admin, which is deactivated, and the current account they're signed in with, because otherwise, if you're not admin, you can't get in here. One thing I have seen a lot of people do is they don't really understand permissions on the shared folders, and so they just add everybody to the admin group because that's what gets them the permission. I would highly recommend not doing that, because that is how you get yourself in trouble, and that's how you accidentally mess up, and now you've got eight accounts that all have admin access to the NAS, and people can accidentally break things when they're admins. So I would highly recommend looking at your group of administrators, and people who do not need to be administrators should not be administrators. For more advanced IT groups there's the delegate options as well, which is absolutely awesome, so you can really start giving people only the permission they require. That was an update in DSM 7.2.

All right, so those are the User & Group settings. Really useful to have there; really focus on making sure that the admin user is disabled and those who are in the administrator group are limited to actually people who need to be in the administrator group.

Next up we're going to go into File Services, and we're going to go into some SMB settings right here. By far the most important are this one right here: your maximum protocol should be SMB3. If you wanted to, you can also have this SMB2. Maximum protocol does not really matter too much, but minimum protocol is critical. Do not have this be SMB1 unless you absolutely know you have to, and then it's okay as long as it's very well firewalled off. But if at all possible avoid using SMB1, because there are known exploits to that service where if somebody gets access to a computer they can start brute forcing their way in. So really, disable SMB1 unless you absolutely have to. And then the other one is do not enable NTLMv1 auth. That's another one of those things that has been shown, and it is easy to brute force NTLMv1 authentication, so once again, unless you absolutely have to, do not have this enabled, and if you do have this enabled, certainly under no circumstance should you have the SMB port open to the internet at all. But those are the critical ones within the SMB advanced settings.

Under AFP, ideally you have this disabled because it's not getting security updates anymore and is getting EOLed. If you are using AFP, really you should look into getting off of it if at all possible. NFS: NFS should only be used if you know what you're doing and are
able to VLAN off all the NFS traffic, because you don't want NFS traffic going on the main subnet, because you can get yourself in some trouble there, because in general NFS does not have very good authentication. Generally you use IP based authentication with NFS unless you really know your stuff with Kerberos, which I have not seen a single person actually implement. NFS should only be enabled if you are able to run it only on a secure VLAN where you trust every single client on there, and when you do that, also make sure it's least privilege. FTP: do not enable standard FTP unless you really have to and you know what you're doing. But if you are using FTP and you need to use one of the three FTP options, I generally recommend SFTP, because it's pretty easy to use and it's FTP over SSH. If you do enable SFTP, make sure you have SFTP on a different port than your SSH port, or even better, just have SSH disabled.

All right, so that is it for those kind of primary pieces. Now let's go into External Access and we can talk about this. So QuickConnect exposes your NAS to the internet. Since 7.2 and beyond it's now only using relay servers by default, so it's not super insecure, but it does now open up your NAS to the internet in a sense. There's a ton of large businesses that use QuickConnect all the time, and so I would not say you have to disable it. So if you're incredibly security conscious and you very rarely ever access your NAS from outside of your local network, disabling it can be very valuable. If you're a home user trying to make sure you've got access to it on your phone, keep QuickConnect enabled and don't worry about it.

The next piece on this is your Router Configuration. So for your router configuration, if you have this set up here, you have used what's called Universal Plug and Play. The FBI actually recommends disabling Universal Plug and Play on any router you've got. So it's not really a Synology setting, but it is a general setting. Go to your router, your Wi-Fi router. If you know about a router you probably know how to disable Universal Plug and Play anyway, but go to your router, find the name of it underneath, and Google that router name, "disable universal plug and play". UPnP is the other way it's written. What Universal Plug and Play does is it allows a device on the network to open up ports to the internet without you actually doing it through the router. Super useful for things like Xbox Live, but you should disable Universal Plug and Play and open up ports that you require and you know about, so that way you don't have random devices on the internet just opening ports willy-nilly. This has been a very common issue with other NAS providers who accidentally, without the user even intending to, opened up FTP to the internet and things like that. So if you're going to do port forwarding you should know about port forwarding and you should be doing it manually. Back in the day I used to use the router configuration just because it was easy to tell people with tutorials, but as things have gotten worse I really do recommend disabling Universal Plug and Play and figuring out how to do your own manual port forwarding.

This brings us to the next part we want to talk about, and that is what is even open on your network. There are a bunch of things that people will open up to the broad internet, and that is the key way that people actually get hacked. So I'm going to go ahead and open up a browser, and we're going to do a port scan on our own local network. I'm going to talk through which ports you should be worried about if you see them. So what I always do, and this is actually something I do at the beginning of pretty much every single session, is I open up a browser and just go to "what ports are open", and then I like the one from You Get Signal, and we're just going to go ahead and hit "scan all common ports". What you ideally want to see is a bunch of red, meaning nothing's open. I do want to talk about what a lot of these ports are, and which ones are a strong "absolutely not" and which ones are, you know, "okay, that's fine".

So FTP: at this point, do not open up. So if you have FTP, figure out what's FTP and disable it. SSH, port 22: that is if you know what you're doing. SSH is very strong if you know what you're doing and you're using key-only authentication. It's the way most web servers are configured in this day and age anyway, so it's actually okay, but you should know what you're doing. Telnet, absolutely not, so port 23, no. Port 25, SMTP, absolutely do not. Port 53, DNS: do not, unless you really know what you're doing and actually know how to run a DNS server, and actually know that if you have a publicly exposed DNS server it can be used in a botnet attack very easily. If you don't already know that, definitely disable DNS unless you really know what you're doing and have made sure that there's no recursive queries able to be done on anything but a local subnet. I really would avoid it at all costs. 80, which is HTTP: there's a good chance that this is open if maybe your browser settings are exposed to the internet. Not great, not terrible. This is what websites use in unencrypted traffic. Just look into it, probably, is what I would say. 110, POP3: only if you're actively running a mail server on your local network should you have that open. 115, SFTP: can be secure if you know how to run an SFTP server; would not worry about it too much. 135, absolutely not. 139, nope, do not open that up; that is part of the SMB setup. 143, once again part of a mail server. Almost certainly you should not have that on unless you're actively running a mail server. IRC, nope. 443, SSL: if you've got a public website, same thing with HTTP, it's not too much of a thing to worry about. Really just make sure you know what it is and you know that that website is designed to be open to the internet. SMB is a strong no, because that is how people actually get hacked. One of the only ways I've ever seen somebody actually get hacked was SMB, because they had SMB exposed to the
internet, and they just got brute forced their way in. Now there is Auto Block with DSM 7.2 for SMB, but unless you really, really know what you're doing and you've only got SMB allowed to specific endpoints and you're super security aware (you're probably not even watching this video), do not have SMB open to the internet. Use a VPN server and run with that. Some SQL databases: do not have either one of those. Remote Desktop: avoid at all costs. If you need to use Remote Desktop or VNC, go ahead and set up a VPN server and use that. And then PCAnywhere and Minecraft, up to you. All right, so those are the key ones, and a lot of those actually would not even go to your Synology, but those are just the ones to understand.

One last thing to check out: Synology has a good article about what ports are used by DSM, and rather than talk about the ones that are not okay, I'm only really going to focus on the ones that are okay, if you know what you're doing, to open up. So Active Backup for Business, 5510, can be okay to do if you want to back up devices. It is designed for the internet. I would avoid it if you can, but it can work, so gray area, 5510. Hyper Backup destination, 6281: that is pretty okay, it is designed for the internet. 5000, 5001, or if you change your own custom ports: that is okay. They are designed to be publicly accessible. That is not insecure inherently, but just realize that having those two ports open to the internet makes it so people can start trying to log into your NAS and see it. You'll probably get a bunch of logs of people trying to guess their way in. The thing is, if you look at those logs, most of them are going to be guessing admin/admin, and so it's really not like your real risk; it's more scary than anything else. But that is just one thing to know. The mail service ones, once again, only if you're running a mail server and you know what you're doing. Big ol' absolutely nots for AFP and SMB, and then FTP also no. NFS, absolutely not. WebDAV, if you know what you're doing, is a pretty good way; it's way better than SMB over the internet. The last one I'm going to go ahead and add in is Synology Drive Server, port 6690. That is used and is super powerful if you're using Synology Drive Client and want to get faster speeds. That's the number one way to do it. That is okay; it is designed for the internet and is secured for that. And finally, any of the VPNs right here are all safe to do, pretty much. I would honestly only do OpenVPN and just change to a random port, but all of those are VPNs and designed for the internet. Other than that, there's nothing else here that really should be opened up to the internet, other than SSH if you choose to do that and you do know how to open up SSH to the internet securely. Most people, though, should not.

All right, so that is the introduction on the ports. Ports are by far the most common way people get themselves in trouble, because anytime you're forwarding a port you are always opening up something to the internet, and so the fewer ports you open, and more specifically the more secure things you open, the better. Security is pretty much a weakest link in the chain. If you have an OpenVPN server running and then you also open up SMB to the internet, well, you're not getting any protection from the OpenVPN server, because you've got this massive gaping hole in your firewall. And so those are the things to kind of focus on, and making sure you know, if any ports are open, why they're open and what is accessible on them.

All right, so those were the key settings to check out for making sure your NAS is secure. We're now going to switch over to going on the other side, where if you do get hacked, how you can very easily recover from it, and that is using a phenomenal package called Snapshot Replication. Snapshots do not take the place of a backup. I'm going to say that again; I'm going to say it 100 times. You should be backing up your NAS, but if you don't, at least this is a little bit in the right direction. Still, if you can at least get an external hard drive to back up your NAS... I will say that over and over again until the end of time: please back up your NAS, especially your critical files.

But what we're going to do is we're going to install Snapshot Replication, and if you don't have it, it's likely because your NAS does not have a btrfs volume. You need a btrfs volume to use btrfs snapshots. We'll just go ahead and install them. It's also going to pop up when you do it the first time, "you need to do a replication service"; don't worry about that, just say yes. I'm just going to go ahead and delete these two guys here really quick; these were from the last video I just filmed.

So now Snapshot Replication is phenomenal because it allows you to get hacked and still protect your files. There are two different ways it actually protects you. The most common way, which I mentioned earlier, was a computer on the network gets a virus and starts encrypting files that it has access to. That's a pretty common attack, and it's something that's very hard for you to protect against yourself, because now everybody's computer is a threat, and that is very, very difficult. The hardest part about security is doing that. What Snapshot Replication does is it allows that to occur, and it allows you to go back to how things were instantly. This is not only valuable for ransomware protection; it's valuable for anything. It essentially allows you to go back to how your files were at any given time, all incredibly quickly and without taking up a bunch of space. I get very common questions about how this works, and it is hard to understand fundamentally. It's a bit of black magic voodoo kind of stuff where it just kind of works. I'm not going to go over it super in-depth here, but effectively btrfs is what's called a copy-on-write file system. So every single time btrfs makes a change to any file, say you edit it, say you encrypt it, say you delete it, it doesn't actually delete, edit, whatever, the actual data on disk. Instead what it does is it
takes that change and saves it on a different part of the hard drive and just points to that next time. That is really useful for consistency; that's why they came out. But because of some really cool properties, that also allows you to essentially look back in time at exactly how your files were and recover them. It allows you to browse that Word document that you edited how it was three and a half hours ago, all without taking up a ton of space. So what snapshots will allow us to do is snapshots will allow us to get a computer on our network to encrypt every single file on the NAS that it has access to, and it will then allow us to have a one-click undo to go back to exactly how the files were two hours ago. The reason for this is the snapshots are stored as read-only, and actually with DSM 7.2, if you've got one that has immutable snapshots, they can actually be non-modifiable and non-deletable, even by the root administrator user, until a certain expiration date. Very powerful feature. So if that virus does happen and that computer starts encrypting all the files it has access to, it will not be able to touch the previous versions. Instead you'll just be able to come back and say boom, restore to how the files were two hours ago.

I've covered this in a lot of videos, but we'll go over and set it up here. So right now my volume is btrfs. If we go into Storage Manager we can see volume 1 is btrfs. If you've got a Plus model and you just click through the regular settings, you almost certainly have a btrfs volume. I would highly recommend it. So now we just come in here and we can choose to create snapshots on all of our folders, and we should create snapshots on all of our folders. The easiest thing to do is just shift select and add some settings. And I do want to say there's a couple of folders you may or may not want to snapshot. Time Machine folders and security camera folders are the two ones that are debatable on what you want to do. In general with Time Machine folders I will snapshot once a week and keep the last two snapshots, so that way if something does happen I can at least go back. And security cameras, it's up to you. For most people they don't care if they lost their security camera footage if something wild happened, but that is up to you on if you'd like to. These settings are going to be really for your regular office file server kind of files.

So we're going to go ahead, and we've selected everything, and we're going to go into Settings, and we are going to create a new schedule. An easy place to start that pretty much anybody can handle is: all the time, take a snapshot every two hours. Then if you've got a model that supports immutable snapshots, you'll see this guy right here and you can enable immutable snapshots. I do not enable immutable snapshots on video production houses' NASes, because they are people who quite often will fill up their entire NAS 100% and need to delete files ASAP. If you do enable immutable snapshots, in this case seven days, you will have to wait seven days if you have to get your storage back ASAP. So that is the one thing: it's very powerful, but also can mean that you're waiting a few days to do anything. If you want to, maybe three days; it's kind of up to you. The immutability is not really, really, really required for everybody and can sometimes be more pain than it adds, but for businesses with critical files, immutable snapshots can mean an authenticated admin user cannot delete the files for X number of days. And this is a really cool feature, because you can't change the date/time and trick it into unlocking them. Anytime the NAS is not on, the clock stops, so there's not much you can do there. I have not seen anybody be able to beat it. So we will add immutable snapshots here.

And now the most important piece is the retention settings. I normally do a custom policy, so we will keep that two hour granularity for 14 days. Pretty easy to recommend, so we'll keep all snapshots for 14 days, and so we'll be able to go back to how files were at two hour granularity for the past 14 days, and then for a regular user we'll keep dailies for 30 days. What this is going to cost us in terms of space: it's not going to take up a bunch of extra space on our NAS. Instead, the way snapshots actually take up space, if you want to think about it like that, is they just don't let you get space back from deleted files for 30 days, in this case. So the way this is going to work from a space perspective is every single time a file is snapshotted, it's going to be held on to how it was for at least 30 days, in this case. That means if I delete the file, the file will be deleted from the file system as far as you can tell, but that space will be held on disk for 30 days because it is still referenced in that snapshot. And so that's why snapshots only take up space when you're making modifications. The only time a snapshot will actually take up space, and by take up space I mean hold on to space and not let it get back, is when you are modifying files and deleting files. Snapshots will never take up space if you're just adding files, because when you add a file you are adding that file to the main file system as well, and so the snapshot does not take up any additional space whatsoever. These are pretty easy settings to recommend for most people. For businesses, especially ones who do not have a ton of data, I will often set this for 120 days and then weeklies for 104 weeks, just because if you've got the space and you're not really having massive space requirements, it can be incredibly powerful to have the ability to go back to your file system how it was two years ago. But we'll go to a very simple one; this works for just about everybody. And now under Advanced, make snapshot visible, if you don't have encrypted shared folders, and now just hit OK.

So now instead of us waiting for the snapshot to occur, we can take a manual snapshot here, and we can kind of show you exactly how powerful this is. I'm now going to go ahead and map this
office files over macOS Finder. All right, so now right here we are at a place where I've just mapped the drive via macOS Finder, and we can see that now there is this snapshot folder. This snapshot folder is going to be filled with timestamps, so this is the time zone I'm in, GMT minus five, and then it is the date string, 20230912, then there is the time. So these are all the times that these snapshots were taken, and so this looks like I've got a ton of copies of my data. Each one of these looks like the entire file system exactly how it was when that snapshot was taken, so it kind of looks like you're taking up 800 copies of your data, right? You're not. It is not taking up much space at all, because it's referencing the same space on disk pretty much always, unless there's been a modification. It's really hard for people to understand, because it's a very complex, weird thing, but you just kind of have to trust that it works. And if you're trying to figure out how much space a snapshot's taking, you can always come into Snapshot List and calculate the size right here, and it will tell you exactly how much space the snapshots are taking. In general it's going to be very, very, very small, on the order of a few megabytes or gigabytes depending on when files have been deleted.

This is the true power of snapshots. Let's say I am now acting as a computer virus, and I'm going to just start modifying everything that we needed to. So the thing that's really tough about viruses is they don't delete the files, no, because if they delete them they go to the recycling bin. They modify them: they go in and they change the data to an encrypted file that only they can access. So I am essentially going to go ahead and do that, do it on just two of them, and then, what do you know, say I deleted these. So now say I try to do the snapshots, I try to open this up and edit one of these snapshots: the volume's read-only. I can't, as the virus, I can't modify these previous versions of files, so I'm unable to edit them. Now all we have to do is we can just go in and undo this. This is the case where we got a virus and it encrypted all the files it had access to. Well, now we can just come back to Snapshot Replication and go into the Recovery menu and recover it. So this is that snapshot I took; I'm just going to restore to that snapshot. By the way, it's a great idea to take a snapshot before restoring as well if you do get a virus, just so you can kind of undo stuff as required. And now once this refreshes... macOS cannot quite comprehend the massive change, so I just need to remap the folder, and voila, all my files are exactly how they were back before that happened. That is the power of these snapshots, and yes, it is for ransomware, but it's also so powerful for everything else, where this can allow you to just undo any changes. Say you accidentally save over a PDF or Word document or anything like that; you can go back to how your document was a few hours ago. There are so many powerful features that you can do here, and it is incredibly useful to have.

A few other common questions I get from a ransomware perspective with this is, well, what happens if they fill up all the data and then they start deleting the snapshots? The thing is, snapshots cannot be deleted except in DSM, and only non-immutable snapshots, and even ones that are not immutable can only be deleted by an administrator. And so it's not like they can just fill up the space and it's going to delete the snapshots. No, the snapshots are effectively holding on to that space and will not let the file system fill itself up. Instead it'll say, sorry, you're out of room. So that is one other common question. Really, it's pretty darn close to being bulletproof from a ransomware perspective when it's all about that crypto virus. Making sure you've got your files, a backup is still incredibly important to have, though these can absolutely work in tandem.

All right, well, that's going to be it for this. Go and leave any of the tutorials you'd like to see me make down in the comments below, and if you'd like to hire me for a project there's a link for that down in the description below. All right, have a good one. Bye.
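The copy-on-write snapshot mechanism the transcript describes (writes never overwrite data in place, snapshots are read-only views that pin old extents, immutable snapshots cannot be deleted before they expire, and adding files pins no extra space), as an added Python model that is not Synology's code or the presenter's. The `CowVolume` class, the file names and sizes, and the constructed 7-day lock and timestamps are all assumptions for the example; `run_scenario()` walks the video's own sequence (snapshot, add a file, encrypt two files and delete a third, try to delete the locked snapshot, snapshot again, restore) and reports how much space the snapshots hold at each step.

```python
"""Toy copy-on-write volume with read-only, optionally immutable snapshots.
Added illustration of the mechanism the video describes; not Synology's code.
File names, sizes, timestamps and the 7-day lock are constructed for the example."""
from datetime import datetime, timedelta


class SnapshotLocked(Exception):
    """Raised when an immutable snapshot is deleted before its lock expires."""


class CowVolume:
    """Files point at extents. A write never overwrites an extent in place:
    it allocates a new one and repoints the file. A snapshot freezes the
    path->extent table, so the old extents stay referenced (and keep their
    space) until every snapshot that points at them is gone."""

    def __init__(self):
        self._next_id = 0
        self.extents = {}    # extent id -> size in bytes
        self.live = {}       # path -> extent id, the writable view clients mount
        self.snapshots = {}  # name -> (frozen path->extent table, immutable-until or None)

    def write(self, path, size):
        """Create or modify a file; 'encrypting in place' is still a new extent."""
        eid = self._next_id
        self._next_id += 1
        self.extents[eid] = size
        self.live[path] = eid

    def delete(self, path):
        self.live.pop(path)

    def snapshot(self, name, taken_at, immutable_days=0):
        lock = taken_at + timedelta(days=immutable_days) if immutable_days else None
        self.snapshots[name] = (dict(self.live), lock)

    def delete_snapshot(self, name, now):
        """Administrator-only; refused while the immutability lock is in force."""
        _, lock = self.snapshots[name]
        if lock is not None and now < lock:
            raise SnapshotLocked(f"{name} is immutable until {lock:%Y-%m-%d}")
        del self.snapshots[name]

    def restore(self, name):
        """Roll the live view back to a snapshot's table; no data is copied."""
        self.live = dict(self.snapshots[name][0])

    def held_by_snapshots(self):
        """Bytes that cannot be reclaimed solely because a snapshot references them."""
        snap_refs = {e for table, _ in self.snapshots.values() for e in table.values()}
        only_old = snap_refs - set(self.live.values())
        return sum(self.extents[e] for e in only_old)

    def live_bytes(self):
        return sum(self.extents[e] for e in self.live.values())

    def listing(self):
        return dict(sorted(self.live.items()))


def run_scenario():
    """The video's walkthrough in miniature; returns the measurements it produces."""
    vol = CowVolume()
    t0 = datetime(2023, 9, 12, 8, 0)               # constructed timestamp
    for name, size in (("a.docx", 100), ("b.xlsx", 200), ("c.pdf", 300)):
        vol.write(name, size)
    vol.snapshot("s1", t0, immutable_days=7)
    at_snapshot = vol.listing()
    out = {"held_after_snapshot": vol.held_by_snapshots()}   # 0: nothing has diverged yet

    vol.write("new.txt", 50)                                 # adding files pins no snapshot space
    out["held_after_add"] = vol.held_by_snapshots()          # still 0

    # A compromised client rewrites two files as ciphertext and deletes a third.
    vol.write("a.docx", 100)
    vol.write("b.xlsx", 200)
    vol.delete("c.pdf")
    out["held_after_attack"] = vol.held_by_snapshots()       # 100 + 200 + 300 = 600 pinned
    out["live_after_attack"] = vol.live_bytes()              # 100 + 200 + 50 = 350

    try:                                                     # even an admin cannot free that space early
        vol.delete_snapshot("s1", now=t0 + timedelta(days=2))
        out["snapshot_deleted"] = True
    except SnapshotLocked:
        out["snapshot_deleted"] = False

    # Snapshot first, as the video advises, so the post-attack state is itself recoverable.
    vol.snapshot("pre-restore", t0 + timedelta(days=2))
    vol.restore("s1")
    out["restored_matches"] = vol.listing() == at_snapshot
    # Files created after s1 drop out of the live view but survive in pre-restore;
    # a tighter schedule (every two hours) keeps this window small.
    out["files_newer_than_snapshot"] = sorted(set(vol.snapshots["pre-restore"][0]) - set(at_snapshot))
    out["held_after_restore"] = vol.held_by_snapshots()      # ciphertext + new.txt: 100 + 200 + 50 = 350
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The held-bytes figure is the quantity Snapshot List's "calculate size" reports in DSM: it only grows when files are modified or deleted, never when they are added.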
Info
Channel: SpaceRex
Views: 36,023
Id: 9gkSppGRT9w
Length: 37min 21sec (2241 seconds)
Published: Wed Oct 04 2023