Failed Attempts to Log into my Synology NAS

Lee · 20 Nov 2019 at 20:33

Hi, not sure if this is the right section or not.....anyway, my Synology NAS (running latest version of DSM (6.2.2-24922 Update 4)), has alerted me to some failed login attempts on the "admin" account. The "admin" account is disabled. When I look at the source IP addresses (there have been several attempts over the last 2 days), they originate from China.

Should I be concerned about the security of my NAS or anything else on my network ?

Oh Ed not again. · 20 Nov 2019 at 20:36

Have you exposed it to the Internet via port forward?

Any other external facing services?

Asus router per chance?

Lee · 20 Nov 2019 at 20:49

Hi @randal , yes I have the relevant ports forwarded via my Virgin Hub 3 for the DSM photo, file, drive and video services so that I can access them from anywhere. There are some port forward rules that have been added by UPnP on the router and I'm not sure what these are......should this worry me ?

edit.....bizarrely after refreshing these other port forward rules seem to have disappeared.....(maybe old cached info ??)....and no other externally facing services at the moment...although I have dabbled with that in the past

Oh Ed not again. · 20 Nov 2019 at 23:21

Likely one of two things has happened:

1) You've either wittingly (or unwittingly via UPnP) forwarded either HTTPS or SSH to the outside world for remote access, which means the hordes of bot nets and hackers out there combing through residential IP ranges across the world all day and every day have spotted that you're running an SSH/HTTPS server and are now trying to breach it via brute force, or password list type attacks.

2) There's a vulnerability in one of the other services that has allowed an attacker to get access to the the admin login page, either spoofing headers or something like that to get access.

Either way, neither situation is ideal. If you're always accessing the services on your Synology via the same device(s), then I would strongly suggest setting up a VPN to your home setup to minimise your attack surface. Using a VPN means multiple layers of authenticate can be/are required (certificates, preshared keys, user/pass, or even 2FA if you're so inclined) on top of a much smaller and less-common port range needing to be exposed to the outside world.

The other question is: "Do you really need to access that stuff whilst you're away from the house?" If so, secure it with a VPN. If not wait till you get home or use a public service and let someone else do the security for you, then lock down the homestead.

Lee · 21 Nov 2019 at 00:02

So, yes, the management interface on the NAS is an HTTPS web server. It's open to the outside world so that I can stream my media whenever I want and access the Photo collection. Thanks for the advice. There is a 2FA capability, so I'll probably enable that.

Quartz · 21 Nov 2019 at 00:17

Lee said:
Should I be concerned about the security of my NAS or anything else on my network ?

Yes you should. The Chinese are after anything and everything and won't hesitate to use you as a springboard. And yes, UPNP should be disabled.

With regards to port forwarding, remember that the outward facing port can be different from the inward port. For example you could access your router on port 44458 and have that forwarded to port 80 on your NAS.

Quartz · 21 Nov 2019 at 00:18

Lee said:
There is a 2FA capability, so I'll probably enable that.

Good move.

bledd · 22 Nov 2019 at 01:34

Use OpenVPN on your Synology, then VPN in when you want to use things.

snips86x · 22 Nov 2019 at 05:29

bledd said:
Use OpenVPN on your Synology, then VPN in when you want to use things.

Just install on the NAS and leave it running?

bledd · 22 Nov 2019 at 09:24

Yeah.

Or use a Raspberry Pi as the OpenVPN server http://www.pivpn.io/