Synology Cloud Station Uploaded Folders but Not Files


Wow, so this article was impetus enough for me to get key-based SSH working correctly on my Synology.

Out of curiosity, I looked in my Synology's GUI for the logs, and found you can export them to CSV (System Logs > Connections).

I have _a lot_ of this sort:

    Warning,Connection,2014/08/03 21:10:17,SYSTEM,User [root] from [111.74.239.52] failed to log in via [SSH] due to authorization failure.

Curious how many distinct IPs, cut/grep/sed/sort:

    cut -d ' ' -f 5 ~/Downloads/connection.csv | grep -E '[0-9.]+' | sed 's/\[//' | sed 's/\]//' | sort -u | wc

There are 143 distinct IPs, in the 111.x.y.z, 202, 210, 222, etc. ranges:

    ...  cut -d '.' -f -2 | sort -u
    111.74
    115.230
    115.239
    ...
    220.177
    222.186
    222.187
I punched a few into (http://www.whereisip.net/index.php) and they're mostly in China (except a 23.9... in Rochester, NY). All the successful log-ins are from myself, at least ( grep 'logged in' ...).

Open the Control Panel, then select Security (under "Connectivity"), and then the "Auto Block" tab and check "Enable auto block".

Kiddies will scan, this blocks their IP numbers after N (by default 5) failed attempts to connect to a number of services, including SSH. My synology has blocked big parts of the internet over the past few months. :)

(only my SSH port is open to the outside so that my laptops can synchronize with my Synology via unison over SSH when I'm on the road.)
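As an added example (not the commenter's pipeline or any Synology code), the same counting done with a small Python parser over a constructed sample of the Connections export, assuming the column layout the comment shows (Level, Category, Timestamp, User, Event, no header row) and a constructed wording for the success message. It anchors on the bracketed fields instead of word position, so a username containing a space is not silently dropped the way `cut -d ' ' -f 5` drops it, and it flags the addresses that reach the Auto Block default of 5 failed attempts mentioned above.

```python
import csv
import io
import re
from collections import Counter, defaultdict

# Assumed column order of the "System Logs > Connections" CSV export (no header row):
# Level, Category, Timestamp, User, Event. The Event text is the one quoted in the comment.
EVENT_RE = re.compile(
    r"User \[(?P<user>[^\]]*)\] from \[(?P<ip>[^\]]+)\] "
    r"(?P<outcome>failed to log in|logged in successfully) via \[(?P<service>[^\]]+)\]"
)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample export. The "backup user" row is the edge case: with cut -d ' ' -f 5
# the fifth space-separated field of that row is "from", so its IP never reaches sort -u.
SAMPLE_CSV = """\
Warning,Connection,2014/08/03 21:10:17,SYSTEM,User [root] from [111.74.239.52] failed to log in via [SSH] due to authorization failure.
Warning,Connection,2014/08/03 21:10:21,SYSTEM,User [root] from [111.74.239.52] failed to log in via [SSH] due to authorization failure.
Warning,Connection,2014/08/03 21:10:25,SYSTEM,User [admin] from [111.74.239.52] failed to log in via [SSH] due to authorization failure.
Warning,Connection,2014/08/03 21:10:29,SYSTEM,User [root] from [111.74.239.52] failed to log in via [SSH] due to authorization failure.
Warning,Connection,2014/08/03 21:10:33,SYSTEM,User [oracle] from [111.74.239.52] failed to log in via [SSH] due to authorization failure.
Warning,Connection,2014/08/03 22:01:02,SYSTEM,User [root] from [222.186.10.7] failed to log in via [SSH] due to authorization failure.
Warning,Connection,2014/08/03 22:05:40,SYSTEM,User [mysql] from [222.187.3.9] failed to log in via [SSH] due to authorization failure.
Warning,Connection,2014/08/04 08:15:00,SYSTEM,User [root] from [23.9.1.1] failed to log in via [SSH] due to authorization failure.
Warning,Connection,2014/08/04 08:20:00,SYSTEM,User [backup user] from [115.230.5.5] failed to log in via [SSH] due to authorization failure.
Information,Connection,2014/08/04 09:00:00,SYSTEM,User [me] from [192.168.1.20] logged in successfully via [SSH].
"""


def parse_events(text):
    """Return one dict per CSV row whose Event column is a login success or failure."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 5:
            continue  # blank or truncated row
        m = EVENT_RE.search(row[4])
        if not m:
            continue  # other connection events are not login attempts
        events.append({
            "level": row[0],
            "timestamp": row[2],
            "user": m.group("user"),
            "ip": m.group("ip"),
            "service": m.group("service"),
            "failed": m.group("outcome").startswith("failed"),
        })
    return events


def distinct_failed_ips(events):
    """Distinct IPv4 sources with at least one failure (what `sort -u | wc` counted)."""
    return {e["ip"] for e in events if e["failed"] and IPV4_RE.match(e["ip"])}


def failed_by_prefix(events, octets=2):
    """Number of distinct failing IPs per leading-octet prefix (the `cut -d '.' -f -2` view)."""
    per_prefix = defaultdict(set)
    for ip in distinct_failed_ips(events):
        per_prefix[".".join(ip.split(".")[:octets])].add(ip)
    return {prefix: len(ips) for prefix, ips in per_prefix.items()}


def auto_block_candidates(events, threshold=5):
    """IPs whose failure count reaches the Auto Block default of 5 (no time window modelled)."""
    counts = Counter(e["ip"] for e in events if e["failed"])
    return {ip for ip, n in counts.items() if n >= threshold}


def successful_logins(events):
    """(user, ip, service) for every successful login, the `grep 'logged in'` check."""
    return [(e["user"], e["ip"], e["service"]) for e in events if not e["failed"]]


def attempted_usernames(events):
    """Which accounts the failed attempts targeted."""
    return Counter(e["user"] for e in events if e["failed"])


if __name__ == "__main__":
    ev = parse_events(SAMPLE_CSV)
    print("distinct failing IPs:", len(distinct_failed_ips(ev)))
    print("by /16 prefix:", failed_by_prefix(ev))
    print("would hit Auto Block (5 failures):", auto_block_candidates(ev))
    print("successful logins:", successful_logins(ev))
    print("targeted usernames:", attempted_usernames(ev).most_common())
```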

Our cloud ssh gateway gets literally thousands of hits like this a day to users like root, mysql, oracle, etc.

If you've got an ssh host open up to the internet at large, always disable root login and password based authentication.


Does obfuscation help with security? Or does it at least help with identification in some way?

I made the error of leaving a copy of my wallet.dat file on a Synology box that had port 5000 open to the net for the Surveillance Station app.

Pro tip: don't do that.

A year or so ago, my Synology NAS got hacked by a Bitcoin mining virus. I only discovered it because a tech blogger tweeted about it and I happened to see it. My Synology was out of date and the virus must have exploited a vulnerability without any action on my part. Without knowing what to look for, the virus was effectively invisible. Given that I'm probably in the top 1% of tech savvy people, imagine how many others must have gotten infected! (I contacted Synology tech support and suggested that they send out an e-mail to their users, but they never responded.)

Unfortunately, last I checked, it's still impossible to have a Synology NAS automatically update itself.

That was a kinda "funny" virus. I got it too. How did I notice it? The fans kept spinning. Normally my syno is really quiet, you can only hear the drives. But that mining exploit made the cpu > 90% and the fans had to do their job.

So after a quick search, I discovered what it was all about, and some days later Synology released a nice update that got rid of it.

You can't auto update, that's true, but you can receive an email alert for each new release of the DSM. You can also do that for each package installed. So, all in all, that's good for me: I don't want my NAS to auto update when I'm not there, as I also usually wait a week or two before updating.

I was just about to post something similar. Although I was lucky not to have the Cryptolocker or Synolocker.

My syslog shows a few people have accessed my NAS this month.

This is worrying.

Why is it open to the net?

Don't do that.

You say it was "behind your router" but I think you've specifically opened ports to your NAS (or you have some sort of NAT and the NAS has done it)

Restrict access (if you must open it to the internet, open to only specific IP addresses) or better yet disable it, and use an ssh port-forward if you really have to get to it.


I don't have any Synology products, but I have a few things on my home network that I like having access to remotely, and my solution has been to put a Raspberry Pi running dyndns and OpenVPN between my home network and the open internet. This way I just need to make sure the Pi is up to date and that OpenVPN is configured and hardened properly, and my potential attack surface area doesn't change no matter how many things I add to my network that I want to access remotely.

So you advise to purchase a NAS and then disconnect it from the Internet, for security reasons? Might just as well turn it off completely, if your use case is similar to mine.

Is it really too much to ask to use the Internet as it was intended? We should consider these products broken.


Was it directly connected to the internet? Do you know how they got access? I am now worrying about my synology, but I am away from home for the next few days.


It was behind my router. My quick scan of logs from 2011 shows I had no such problem, until recent months when they started to attack Synology and turn them into Bitcoin miners.

It probably UPnP'ed itself out.

(Edit) Or it might've been checking for updates, got redirected elsewhere via a DNS hijack, downloaded something funny, didn't bother to check if it's authentic and installed it.

Really, there aren't that many ways to gain access. Two main and likely methods:

1) Weak passcode. 2) Security exploit in DSM.

The fixes are easy; better passcode, and turn off remote access to the device until whatever flaw(s) can be patched.


you would still need to have ports forwarded to the NAS from the internet, a compromised router, or the NAS connected directly to the open internet. All of which are a bad idea.

If the device is vulnerable to a CSRF, then couldn't it be compromised just by some browser on the LAN ending up on an unfortunate site that does some javascript hijinks to POST to likely, internal, IP addresses for a NAS? No open WAN ports needed.

Also, wasn't there a remote root exploit for samba4 patched only days ago?


It would be very interesting to know how this happened, I guess this is the downside of using wide spread products.


Usually these types of machines have a web interface so that you can connect to your backups remotely. Once you plug it into a router or a home network it sits there waiting for someone to log-in. And as the proverb goes, anything that's connected to the Internet will eventually be hacked. Either it was misconfigured or there is an exploit in the wild.

You do realize that the NSA and its ilk are military organizations, right? We're (supposed to be) a nation of laws with due process: it's extremely worrisome to a free and open society to have the military go after criminals. That should be handled by law enforcement and the judicial system.

You know what would actually be useful though, since we're talking about taxpayers reaping benefits from the government? How about a non-military government agency that does computer security research, but instead of hoarding all the exploits, they share them with the public through well-financed and organized open source projects?


It's not really the NSA's jurisdiction to handle crimes like this. You're better off contacting the FBI, still it's probably wayyyy down on their list of stuff to worry about.

Actually the FBI and the NSA 'handle' such crimes, they commit them themselves as we all know thanks to Edward Snowden …

Some examples: https://en.wikipedia.org/wiki/NSA_ANT_catalog

(We can of course pretend that they will go only after the bad guys and we have nothing to fear, perhaps the only way to stay sane?!)


I've had my synology hooked up to the net and have seen a LOT of attempts in the past few weeks to log into root / sh from what looks to be Chinese IPs.


This is pretty normal for ANY device connected to the net. I configure all my servers (including my synology box) to only allow ssh logins from certain IP addresses.


I had a server running on a bare IP on an AWS address that was never publicised and only ran ssh and a custom node.js server. I saw tons of dodgy attempts from Russian and Chinese IPs.


Just a warning, watch which Twitter accounts you click on in that stream - some very graphic Gaza/Syria imagery in there.

As a first response, stop the port forwarding on your router.

Then wait for more info from Synology. I generally don't connect mine to the internet (incoming). I don't like the risks involved.


I wonder how many tech-savvy users have a complete reporting firewall, controlling in/out connections at home as opposed to a router with a custom password attached online.


I've been pondering the idea of a more feature rich router/firewall device for my home connection. Something that would do like you say report, log, audit, etc. Any suggestions for specific model or models to look at?

I happily run OpenBSD as my firewall. It's developed by competent people who care about what they are doing and who take pride in their work. But it's general purpose Unix, it's not just a firewall or router.

Which means that it's more work to administer than something developed as a dedicated router or firewall.

Also I'm running on a generic x86 computer. I pay about $1/yr per watt drawn 24x7, which means my firewall costs me about $80/yr just in electricity. A smaller "appliance" type firewall would certainly have much lower operating costs.

Sorry I don't have any suggestions more tailored to your request. I'm just letting you know what works for me.


I run a beaglebone black, which draws about $4.82 dollars of electricity a year once I've plugged in all the externals (at $0.11c/kwh).

8760 hours = 1 year

So...

a 1 Watt device running 24x7 = 8.760 kWh

billed at about $0.40/kWh [includes both generation and delivery and normal for NE USA - ain't deregulation great?!] ~ $3.50 per year.

In order to get to $1.00, total price per kWh must be about $0.114 ...

me1010 beat me to it, I didn't know that HN keeps people from posting too often. It imposes a timeout! I know now! Anyway, here's my post, same cost info as he has. But I also had a discussion of power in various areas:

Portland Oregon metro area. Unfortunately for pricing the utility is Portland General Electric. Some places in the area have "people's utility districts", i.e. publicly owned. Those get preferential pricing from the govt, i.e. Bonneville Power. And the price per kWH is of course variable like in most communities (e.g. because of lifeline pricing).

Overall I'm paying about $0.12 per kWH. There are 24x30x12 hours in a year = 8640 hours. Therefore a kilowatt costs $1037 per year. Approximately.

I'm relatively happy, all things considered. It would suck to live in the People's Republic of California. My understanding is that peak pricing in some communities there could be 3x or more what I'm paying.

Aha. The storage decisions I make will have to be a bit different given that I'm paying around $0.31 per kWH.

Thanks for that.


Perhaps a ZyWall? The trouble with more advanced routers is that they are a pain to set up and that you will most likely use features in comparison to a consumer router.


Carambola 2 + OpenWRT or FreeBSD (if you are very tech savvy). Then using remote syslog to log everything on another device (RPi?). There you could run analytics.

I'm guessing this only affects you if you have their EZ-Internet service enabled that exposes the NAS to the public internet. Or if you exposed it yourself on your firewall.

I've had a Synology NAS for nearly a year now. I really like the UI, but the software stack they're using under the hood (Apache, PHP, MySQL, etc.) has a massive attack surface, if not routinely kept up-to-date.

Here's an nmap trace from my Synology DiskStation:

    amber@leysritt ~ % nmap -A <redacted>

    Starting Nmap 6.46 ( http://nmap.org ) at 2014-08-03 23:06 BST
    Nmap scan report for <redacted>
    Host is up (0.011s latency).
    Not shown: 987 closed ports
    PORT     STATE SERVICE     VERSION
    22/tcp   open  ssh         OpenSSH 5.8p1-hpn13v11 (protocol 2.0)
    | ssh-hostkey:
    |   1024 <redacted> (DSA)
    |   2048 <redacted> (RSA)
    |_  256 <redacted> (ECDSA)
    80/tcp   open  http        Apache httpd
    |_http-generator: Error: Script execution failed (use -d to debug)
    |_http-methods: No Allow or Public header in OPTIONS response (status code 301)
    |_http-title: Did not follow redirect to http://<redacted>:5000/
    111/tcp  open  rpcbind     2-4 (RPC #100000)
    | rpcinfo:
    |   program version   port/proto  service
    |   100000  2,3,4        111/tcp  rpcbind
    |   100000  2,3,4        111/udp  rpcbind
    |   100003  2,3         2049/udp  nfs
    |   100003  2,3,4       2049/tcp  nfs
    |   100005  1,2,3        892/tcp  mountd
    |   100005  1,2,3        892/udp  mountd
    |   100021  1,3,4      33154/tcp  nlockmgr
    |   100021  1,3,4      38187/udp  nlockmgr
    |   100024  1          44039/tcp  status
    |_  100024  1          53309/udp  status
    139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: REDACTED)
    161/tcp  open  snmp?
    445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: REDACTED)
    515/tcp  open  printer
    548/tcp  open  afp         Netatalk 2.2.3 (name: redacted; protocol 3.3)
    | afp-serverinfo:
    |   | Server Flags: 0x8f79
    |   |   Super Client: Yes
    |   |   UUIDs: Yes
    |   |   UTF8 Server Name: Yes
    |   |   Open Directory: Yes
    |   |   Reconnect: No
    |   |   Server Notifications: Yes
    |   |   TCP/IP: Yes
    |   |   Server Signature: Yes
    |   |   ServerMessages: Yes
    |   |   Password Saving Prohibited: No
    |   |   Password Changing: No
    |   |_  Copy File: Yes
    |   Server Name: redacted
    |   Machine Type: Netatalk2.2.3
    |   AFP Versions: AFP2.2, AFPX03, AFP3.1, AFP3.2, AFP3.3
    |   UAMs: Cleartxt Passwrd, No User Authent, DHX2, DHCAST128
    |   Server Signature: redacted
    |   Network Address 1: redacted
    |_  UTF8 Server Name: redacted
    631/tcp  open  ipp         CUPS 1.5
    | http-methods: Potentially risky methods: PUT
    |_See http://nmap.org/nsedoc/scripts/http-methods.html
    |_http-title: Not Found - CUPS v1.5.4
    2049/tcp open  nfs         2-4 (RPC #100003)
    3689/tcp open  daap        mt-daapd DAAP 0.2.4.1
    5000/tcp open  http        Apache httpd
    |_http-generator: Error: Script execution failed (use -d to debug)
    |_http-methods: No Allow or Public header in OPTIONS response (status code 302)
    | http-robots.txt: 1 disallowed entry
    |_/
    |_http-title: Did not follow redirect to https://redacted:5001
    5001/tcp open  ssl/http    Apache httpd
    |_http-generator: Error: Script execution failed (use -d to debug)
    |_http-methods: No Allow or Public header in OPTIONS response (status code 301)
    | http-robots.txt: 1 disallowed entry
    |_/
    |_http-title: Did not follow redirect to https://redacted/webman/index.cgi
    | ssl-cert: Subject: commonName=synology.com/organizationName=Synology Inc./stateOrProvinceName=Taiwan/countryName=TW
    | Not valid before: REDACTED
    |_Not valid after:  REDACTED
    |_ssl-date: REDACTED
    | tls-nextprotoneg:
    |   spdy/3
    |   spdy/2
    |   http/1.1
    |_  x-mod-spdy/0.9.4.2-465a04f
    Service Info: OS: Unix

    Host script results:
    |_nbstat: NetBIOS name: redacted, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
    | smb-os-discovery:
    |   OS: Unix (Samba 3.6.9)
    |   Computer name: redacted
    |   NetBIOS computer name:
    |   Domain name:
    |   FQDN: redacted
    |_  System time: redacted
    | smb-security-mode:
    |   Account that was used for smb scripts: guest
    |   User-level authentication
    |   SMB Security: Challenge/response passwords supported
    |_  Message signing disabled (dangerous, but default)
    |_smbv2-enabled: Server supports SMBv2 protocol

    Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 40.47 seconds
It's sad that most of the open-source NAS solutions are so bad compared to their commercial counterparts. FreeNAS (and related forks) sacrifice too much flexibility and don't offer anything that you can't easily do yourself with a Linux/BSD server distro.

I'd love to work on an open-source, security-oriented, user-friendly DSM "clone" with the right kind of people. If this sounds like fun or it sounds like something you're currently working on - shoot me an e-mail: amber@fastmail.jp

I also wish there was such a thing as a nice, inexpensive ARM board (~$100) with plenty of SATA ports and upgradable RAM (so you can run huge ZFS pools on it) that you can install your own OS on...

Synology DSM is a GNU/Linux distro. It runs the exact same stuff as any other distro, including the kernel and all services and the filesystem. The only differences between building your own NAS with a good server distro like Debian 'stable' and running a "commercial" Synology box are:

1. The client interface to the NAS.

2. The 'cloud' services.

Only #1 is really a deliverable with the Synology NAS. And #2 presents a terribly broken privacy policy...

For myself, I'd much rather be running something that I know is updating from an authenticated and keyed repo than something which is attempting to make the user believe that somehow the "commercial" NAS is magically different than running a regular GNU/Linux distro...


It would be good if that was the only difference, but unfortunately NAS boxes usually lack the competent security updates and the automatic delivery mechanism for them.


Compared to a good (I don't really consider Debian "good", since the 2006 OpenSSL screwup) Linux distro: you control your own software, you can make sure it's kept up-to-date and the binaries come from a trusted source (and you can build them yourself, if you want to).

He didn't say that he was a Debian maintainer or planning to comment out the two lines and ship it in a distro, misdescribed what he was commenting out, and didn't provide enough context to make it clear that he'd misdescribed it. (Even knowing what functions the lines he was commenting out were in would probably have been enough to ring alarm bells.)

There's a limit to how much effort the OpenSSL developers should have to put into stopping people from shooting themselves in the foot, and tracking down lines of code identified only by their line number in an unspecified version of OpenSSL to make sure they do what some random guy on the mailing list thinks they do is way over that limit.


I'm upset that in the year 2014 we still think that having the package maintainers patch ancient software instead of providing latest upstream versions is a good idea. I'm a big fan of the *BSD package management model - they give you a stable core, you pick your own (upstream, maybe bleeding-edge) versions of everything else.

I'm not sure what you mean...

Are you comparing the Synology GNU/Linux distro to Debian or some generic [non-Debian] distro to Debian?

If you are comparing Synology to Debian, then the "trusted" source statement is entirely flawed. The source, meaning both source code and source of software, of software running on Synology hardware is not Synology. Synology only makes the GUI client that runs on your machine that locally interfaces to the NAS box.

As to the Debian 2006 SSL problem... stuff happens... Apple had some silly security problems too, much more recently than 2006. And Android is so full of holes, it's a wonder the platform works at all...

However, when the generalized public buys a NAS product -- the vendor should indicate the potential security problems regarding "cloud" connections in big bold messages on the box and in the manual and have a big red warning that pops up in the user interface. My guess is most users wouldn't care, but it really is extremely risky to connect these devices to the wild wild west open Internet.


I think I trust my compiler to generate clean assembly more than I trust a commercial company like Synology to write secure software


I've hacked my own Synology through its "cloud services" setup, to the point where I uploaded a privilege escalation exploit (for the really old kernel). It was frighteningly easy, so now it's firewalled off on my local network :(


Someone already had, I didn't find the vulnerability on my own. I just played with it to see how bad it was

If they read their own customer forums, they're aware.

If they don't, they're almost criminally negligent, so you wouldn't want to purchase from them anyhow.

I am currently running FreeNAS for my home storage, what is it that you are missing?

I used to run a simple Ubuntu server with NFS, but realised I just want the simplicity of a web interface over doing it over ssh.

IMO ARM is kind of a wash when it comes to NAS - with modern chipsets most of your power goes to keeping the disks spinning. My C2550D4I file server build I just completed uses about 60W in idle. By my calculations ~40 or so of that is the power used by the 8 disks plus SSD boot drive.

x86 chips are more than suitable for the application since you're no longer in "ultra ultra low power" territory (and for ZFS, are beneficial because you want those checksum calcs to finish fast).


I agree, but I can buy 2 entry-level Synology DiskStations for the price of one C2550 CPU+MB bundle. I really like that CPU and I would buy it in a heartbeat to replace my Synology, if the price didn't include the "GenuineIntel tax".


When I bought it, my HP MicroServer cost less than any equivalent ARM NAS, it has ECC RAM too.


Same. I went that route because a NAS of any appreciable capacity was going to cost more for the box and no disks than my entire setup put together.

Can the disks spin down at all in your set up?

I've been looking at those processors for a while (Intel Avoton C2550). Was there any advantage to going up a few models in that series?

I have a dumb question: How are they using ZFS on these? I thought ZFS was incompatible with GPL, which was a stumbling block for implementing it in linux. Don't tell me they're using FUSE.

Or do these NAS machines all run some BSD variant?

There's http://zfsonlinux.org/ The ZFS license prohibits it from being distributed as part of the kernel binary, but there is nothing prohibiting source code or a binary for a ZFS kernel module from being distributed separately.

But I have no idea if they use it or not.

You can use it under Linux, but distribution is more involved, at least according to some people.

Use FreeNAS if you want ZFS on a NAS though, it is well supported.

Uh... why was your relatively cheap "nas-in-a-box" exposed to the public internet? I don't even let my NAS at the office be exposed to the net!

- Also, for what it is worth, FreeNAS is amazing, and is open source.

It's a worrying meme that you shouldn't even expect your internet-connectible devices to survive the internet, and when they break it's your fault.

If a consumer device speaks IP and is not designed to survive in a reasonable internet-connected home network, there should be huge warning labels all over it and it should go to some safety-mode with only diagnostic functionality if it detects internet connectivity.

> "It's a worrying meme that you shouldn't even expect your internet-connectible devices to survive the internet, and when they break it's your fault."

This has been the go-to techie reaction to security bugs since the time of dial-up modems. It's a bad attitude [1], but it's not a "meme". It's the only successful strategy an entire generation of technologically-minded people have found and preached in response to a generation's-worth of terrible software security, slow/absent/can't-be-arsed software providers and under-educated users.

Should things be different? Sure. Attitudes should be better and the software should be better. But so long as the latter isn't reflected in reality, there isn't much hope for the former.

[1] It's a bad attitude because blaming the user puts them on the defensive and reduces the chance of any progress being made.

You can't have your cake and eat it too.

If you want to buy an off-the-shelf "home appliance" you will get just that -- a product where you cannot update firmware/software, reconfigure security and firewall settings, etc. Maybe it's secure the day you buy it -- but in 5 years? With no updates? No way.

If you buy something more enterprise grade -- or, the best option, roll your own with some of the very good options like FreeNAS or OwnCloud, then you will be able to keep it secure and up-to-date. But this takes more effort - and is likely the reason the OP did not opt for one of these very fine options.

> "It's a worrying meme that you shouldn't even expect your internet-connectible devices to survive the internet, and when they break it's your fault."

That's not true -- you have an ethernet/network capable device; not an internet capable device -- nowhere on the box does it say "Plug this directly into the open public network in front of your firewall or inside a DMZ." You need to be responsible with your devices. Just because it can serve a web page does not mean it should be accessible over the internet! This is true even with enterprise grade gear.

Saying you want to not worry about security at all but still want to put devices on the public internet that need protection is like saying you want to have a car but don't want to ever change its oil. Sure, you as an individual can avoid changing oil -- hire a technician. Same goes with your home network.

So no, it's not a bad attitude -- it's irresponsible and/or ignorant home users.

> That's not true -- you have an ethernet/network capable device; not an internet capable device -- nowhere on the box does it say "Plug this directly into the open public network in front of your firewall or inside a DMZ."

It pretty much does exactly that. It's marketed and designed for you to open ports directly to it for its various first-party packages, like PhotoStation, CloudStation, WebDAV, etc. I think it's reasonable to expect that those packages, which are major selling points for this system, should be reasonably capable of working on the public Internet.

> like PhotoStation, CloudStation, WebDAV,

There are secure ways to run things and insecure ways to run things. It's very possible to setup a postfix or exim smtp server as an insecure open relay running on port 25. It's also possible to have either running securely on port 25... And an open port is meaningless by itself. It's the security options applied by the system and application running a service on the port that matter.

The examples you give are just applications that run over http or https... https requires an SSL cert from a trusted CA, and http is a very bad idea for anything that you log into, or that has free access to your home network from the Internet.

I imagine most users skip this step... http://docs.qnap.com/nas/4.0/en/security.htm?zoom_highlights...

Note, the SSL certificate instructions... You can upload a secure certificate issued by a trusted provider. After uploading a secure certificate, users can connect to the administration interface of the NAS by SSL connection and there will not be any warning or error message.

...

The error message referred to here is the web browser message indicating that the SSL certificate doesn't match a trusted CA, and therefore your "secure" NAS connection might be Man-In-The-Middle attacked... And if you don't upload an SSL cert - and connect via http externally - it means that the most amateur of "bad guys" already has your 30 character username and your 45 digit/character/special character password...

You're right, but I'm not sure that we're saying different things. (FWIW, I actually bought an SSL cert just for my Synology DS412+.)

We don't have enough information to even guess at what the root problem might be, but I argue that this particular piece of hardware is designed for and meant to live on the open Internet. Yes, that's a very scary place. But it's not unreasonable to think that an up-to-date Unix server should be capable of the job, especially when its vendor explicitly sells it on the basis that it is.

I'm strongly hoping that the vulnerability turns out to be something already patched in a software update and not a 0-day. That would go a long way toward making me feel better about the situation.

> But it's not unreasonable to think that an up-to-date Unix server should be capable of the job

You are right, an up-to-date Unix/Linux server is capable of the job (but still requires routine security maintenance to stay secure!) -- however, this home appliance is far from being up-to-date... by design.

My CentOS boxes at the office update almost every few days... how often does this appliance update? Once a year? Maybe twice if you are lucky. And how many users are actually applying all updates? Probably very few.

I would further argue that a nas-in-a-box like this can never be secure. The vendor isn't going to update it frequently enough -- not enough users will actually update -- they are likely using old out-dated/insecure versions of various open source projects or worse, crudely hacked together proprietary projects to run the webserver, webui, ssl layer, authentication, etc. By now, the manufacturer has probably already back-burnered this device and moved onto newer models, or will be soon -- completely abandoning all the current users who will get stuck with a swiss-cheese-in-a-box.

I'll go further and contend the only safe and secure way to do this is to go with something like FreeNAS or OwnCloud. Both are current projects with massive user-bases. Both are FOSS projects, and both have a corporate backing if you need support or more enterprise features. Both stay very up-to-date with bugfixes, security fixes, and new features rolling out often. Both have upgrade paths from older versions, etc. Basically, they are much more secure and will stay that way for the life of the project.

> how often does this appliance update? Once a year?

About once a month: http://www.synology.com/en-global/releaseNote/model/DS412+

Synology uses the same base distro across all their devices, so everyone gets updates at about the same time. The device emails me when a new software version is available.

I get what you're saying, but in this case it's totally wrong. They're very active about providing updates to add functionality (even to old systems!) and fix stuff.

So back to my original position: this is not an unreasonable thing to expect to be able to run on the Internet. It's a modern Linux box that gets monthly updates, designed with the explicit intention of providing secure services over the public Internet. It would absolutely suck if that proved not to be the case.

IDK what world you live in, but in my world I'm not getting actively MITMd by "amateur bad guys". If that was the case, my NAS would be the last thing I'd be worrying about.

Also, what security do you expect SSL to provide on a device with copious remote code execution vulns?


I've been running FreeNAS since 8.1... not sure what this person is referring to, I have several jails running on the same machine with all sorts of wonderful services making my life nice and wonderful (huginn, sickbeard, rtorrent, owncloud, subsonic)

I run a similar setup, it provides VPN access for me (mostly to secure connections in public wifis) and runs a TOR node.

As you said, it is cheap, power consumption is ok and it is ready to go after you plug it in.


How does one lock down their Synology? I sadly don't have extensive experience with linux.

No need for extensive Linux experience: Use a secure password for DSM, turn off "EZ-Internet" and other DynDNS-like services, make sure it's connected to your router and not directly to the Internet, don't forward any ports, don't enable DMZ or similar functionality on your router, keep up-to-date with DSM updates, make sure other computers on your network are malware-free (there could be a piece of PC malware exploiting synology devices found on the local network), keep multiple backups in different locations (online and offline) of your most valuable data.

These are just best practices, since we don't know anything about this particular piece of malware yet. They should cover most threats and worst-case scenarios.

If you need access to your Synology device from outside your home network, use a VPN or an SSH tunnel.

> turn off "EZ-Internet" and other DynDNS-like services, make sure it's connected to your router and not directly to the Internet, don't forward any ports, don't enable DMZ or similar functionality on your router,

Best practices only if you do not want to access your data outside of your local network – and that is probably no longer the standard case since data you cannot access from mobile devices etc. is pretty useless. And for compliance and security reasons, many users and companies cannot legally use cloud services and therefore have to use a 'private cloud', i.e., some local server, for example a NAS accessible from the Internet. A manual configuration is of course recommendable but in the end, a 'private cloud' has to be exposed to the Internet and you have to trust your software vendor. The most you can usually do is to protect your LAN by putting your 'private cloud' in a DMZ (although for consumers, that is usually not an option since consumer routers do not offer a real DMZ).

As a private user, the best solution I found was to go through BTSync set up on a limited set of document folders.

It doesn't need to forward ports or expose the login system. The BTSync server is still a vulnerability, but it's under its own user and should give less exposure than the other services like the DSFile that check the login/password. Potential damages on a simple breach (i.e. the sharing key leaked or was guessed) should be limited to the shared folders. I hope.


I don't have a device, so I cannot verify. But wouldn't an ssh tunnel accomplish the goal of penetrating your NAT externally while still not exposing it to the public internet? Granted that is probably not within reach of most users without a tutorial.

How can I make sure that apps accessing a NAS only use VPN connections? By default, such configuration is not available for OS X and iOS.

On iOS, you can use profiles I guess but that is not a standard function.

I hate to see things like this. I feel horrible for anyone who has to face the realization that they're going to actually have to pay an online-terrorist money to get their data back.

Here's to hoping this will only make the tech industry invest more into security, especially for consumer products which are often neglected. Sad that stuff like this needs to happen, but it's the cost we pay.


I don't understand how he got hacked. Anyway, there is a service like fail2ban on the Syno.


Wow, I was just about to buy a Synology this coming week and now I have second thoughts. Now more than ever I'm sure that having only Drobo/Synology is not a good backup solution, but having a backup of the backup is equally important.

1. Never expose it to the internet... Use a VPN if you have to access from outside your network. Most home routers support vpn's so there is no reason not to

2. You should always have 3 copies of data, 1 working, 1 local backup and 1 geo diverse backup (i.e a spideroak, crashplan, or even a friends house) Most people forget the 3rd but what happens if your house burns down?

3. You should have a completely cold backup of important data, this could be an external hard drive that is only plugged in when backups are done, DVD's, Tape Drive, or something else, but what ever it is it should not be accessible to the system without manual intervention, this will prevent scripts from deleting everything.


We have this problem at our company where the fastest internet our company can possibly get is 20mbps down/4mbps up - and we make ~20GB of backups each day. Absolutely impossible for us to upload all of it to a server offsite overnight.


They wouldn't really have anything to hold ransom. Routers usually have hardware reset switches in the back too. Not saying it's not possible, but little to gain by holding it ransom. If they hacked the router, they'd be doing the kind of things they WON'T inform you about, like man in the middle attacks stealing everything from all your user/passwords to credit/bank/personal info.

Well, the reset switch normally causes the bootloader to reformat the volatile partition of the flash.

But there's nothing to stop an attacker from rewriting the "write protected" areas like e.g. a firmware update does.

Consider that many routers these days come with NAS or MediaServer functionality... and thus are a valid target for hackers.

Furthermore, they are often directly connected to the Internet, and there have been numerous remote-root exploits for cheap chinese knock-offs as well as for highly praised manufacturers like AVM.


Again, the dangerous part isn't holding it hostage, it's what they can do to it without you noticing. They can intercept all your network traffic, redirect websites you visit to a server they control, etc.


If you have a hard drive plugged into your router, they can perform the same crypto-lock attack being discussed here. They can also use your router to launch attacks against the rest of your hardware.


If modern routers are delegated to router duty only, this wouldn't be a problem. However, routers these days are, for all intents and purposes, specialised home servers with shared media streaming and the like as well. These are value-added functionalities ISPs use to entice new users and I'm sure a fair number of them use these to store photos, connect their USB drives - mine is also a print server for use with non-wifi network printers.

> like man in the middle attacks stealing everything from all your user/passwords to credit/bank/personal info.

If you're logging in or sending financial data over unsecure (non-SSL) connections, you already have a problem.

SSL Strip still works and banks don't care about anything other than providing the illusion of security and standard SSL.

Take for example an old lady down the road who somehow got some futuristic malware on her router. She goes to Bing to search for Wells Fargo to do some online banking (and you know that there is a huge portion of users who just browse the web this way). Hypothetical malware then just runs SSLStrip over the page from bing.com which isn't served over ssl because Microsoft values their bottom line over your privacy and security, which then replaces the link to the https site with http, the router acts as a proxy between http and https so wellsfargo.com is none the wiser. Evil hacker now has poor old lady's password and transfers the money in her account to his own foreign bank account.

This hypothetical scenario is achievable even running off of a slow router while not using many more resources than the parental keyword filtering uses. At no point does SSL ever come into play and the top 4 Banks in America (Chase, Citibank, Bank of America, Wells Fargo) don't use HSTS so there's no real way to protect their users from SSLStrip unless a browser includes them in some force SSL list.

> SSL Strip still works and banks don't care about anything other than providing the illusion of security and standard SSL.

Speaking as a security officer for a (non-US) bank, this is not true.

We use EV certificates (to increase visibility vs. standard certs), deployed HSTS over a year ago on most of our properties, force HTTPS and pin keys wherever we can (i.e. mobile apps). And even if a session is compromised: transactions are screened and verified before execution.

Yes, our main concern remains the bottom line. Pushing for more trust increases our user base. Fighting fraud avoids compensation payments. Building awareness and implementing technical measures aids both of these goals, so we get to spend a reasonable amount on both.
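The HSTS defence that the SSLStrip scenario and the bank officer's reply both turn on, as an added example (not code from the thread): a small Python checker that parses a Strict-Transport-Security header and reports whether the returned policy would make a browser refuse a stripped http:// link. The hostnames and header values are constructed samples, not measurements of any real bank.

```python
"""Assess whether an HTTPS response's HSTS policy blunts an SSLStrip downgrade.
Added example; sample hosts and headers are constructed, not real measurements."""
import re

# A useful policy should outlive the gap between visits; six months is a
# common floor (assumption for this example, not a standard's requirement).
MIN_MAX_AGE = 60 * 60 * 24 * 180


def parse_hsts(value):
    """Parse an HSTS header value into a dict; None if malformed (no max-age)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', arg.strip())
            if not m:
                return None
            policy["max_age"] = int(m.group(1))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def hsts_assessment(headers):
    """Return (protected, reason) for a dict of HTTPS response headers.
    Note: HSTS is trust-on-first-use; only a browser preload list covers the
    very first visit, which is the 'force SSL list' mentioned in the thread."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False, "no HSTS header: a stripped http:// link is followed as-is"
    policy = parse_hsts(value)
    if policy is None:
        return False, "malformed HSTS header is ignored by browsers"
    if policy["max_age"] == 0:
        return False, "max-age=0 clears any stored policy"
    if policy["max_age"] < MIN_MAX_AGE:
        return False, "max-age too short; policy expires between visits"
    if not policy["include_subdomains"]:
        return True, "protected, but subdomains can still be stripped"
    return True, ("protected; preload eligible" if policy["preload"] else "protected")


# Constructed sample responses for hypothetical hosts.
SAMPLES = {
    "bank-without-hsts.example": {"Content-Type": "text/html"},
    "bank-with-hsts.example": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
    "bank-short-policy.example": {"Strict-Transport-Security": "max-age=300"},
}
```

Run `hsts_assessment(SAMPLES[host])` for each sample host to see which of the three would still be exposed to the downgrade.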


The UK bank I use doesn't even bother to force HTTPS on most of their site, let alone use stuff like HSTS. They helpfully make use of EV certificates for the bits of the site that are secure though (except those still don't show up differently on many devices).


Does someone have the expertise to set up a Synology OS or DDWRT as some type of virtual machine, run it as a honeypot, and do daily/hourly high-level tests for compromise?

I have a Qnap and they are pretty similar to Synology. Wonder if there is a similar attack against them.

Also curious if this was linked directly to the internet.


Quite possibly. Run an internal and external nmap scan against your device so you at least know the attack surface.


Looks like you gain access to firewall and other security tools if you upgrade the DSM to the latest version.

I do not think Synology has much to do with what happened. A weak password, an out-of-date Synology software and/or an incorrect setup are all caused by the user.

Synology produces very good products at very affordable prices.

Synology has a vulnerability in their closed down software which allows this... how is this not something they have control over?

Also, this is not the first time this has happened to Synology hardware. Sure, bigger companies attract more attacks, but this is incredibly bad.


Has this proven to have been the case? ("a vulnerability in their closed down software which allows this"). Could you give me a link? Thanks!

If you are affiliated with Synology you should disclose that.

I see that your account is only 19 hours old.

No affiliation. I am sure my account is not the only one recently created. Just a coincidence.

I own a DS411J. Really happy with it.


You are trolling me, yes? Next you will say Cryptolocker is a Windows vulnerability (that is not to say that Windows does not have vulnerabilities).

The problem is that Synology has historically not been very proactive at informing and educating their users about security threats, including very specific ones like this. A company that specializes in selling advanced network appliances to novice users and non-IT pros has a certain obligation to those users, IMHO.

PayPal has been described as "a fraud detection company that also transfers money." That's how Synology needs to think of themselves.


If a few guys ran a Synology NAS with terabytes of dummy data, let the ransomware do its job, rinse and repeat, would we be able to inflict a huge storage bill on the datanappers? If their storage limit got maxed out, would it stop the ransomware from working?


The ransomware doesn't copy any data off the NAS, it simply encrypts it in place. When you've paid up, they send you the key to unencrypt your data.

"they send you the key"

If they send the key. If I was a criminal, I would minimise contact with the victims.


I gather that historically at least they almost always send the key. At the end of the day they're a business like any other and a few bad reviews will kill their revenue stream. However if they are known to offer fast replies and support, it's a lot easier to convince people to pay up.

Seems so ironic:

Bad guys' ransom-ware business dependent on good reviews from 'paying customers' whilst processing support requests for 'license keys' in a timely manner.


"Quick response and delivery. Decrypted as listed in the instructions. Would do business again! 5-stars! Best hackers on eHack."

Source: https://news.ycombinator.com/item?id=8128521
