Brute forcing attempts on disabled account


All of a sudden I'm getting many alerts from my NAS

Code:
There has been 5 failed attempts to sign in to your account [admin] on xxxxx from untrusted devices within the last 1 minutes.
As a precaution, you can now only sign in to your account from trusted devices that you have successfully signed in from previously.

This started a few days ago... and sure enough the admin account is disabled on the NAS (actually the first thing I did). Why would I ever get these notifications?
 
Synology works that way. The admin account is still an account... even if disabled. You would have to delete it to avoid the notifications.
 
In the past 24h, there has been an extensive brute-force attack towards a long list of syno devices. Even if your account is disabled these warnings mean that someone is knocking on your nas via an open port.

Make sure to have all default ports changed, or closed if possible, and use VPN to get access back to your NAS or harden it enough so you are not that exposed.

Syno HQ is actively looking into this attack but not much can be done other than for users to protect themselves. This is cybersecurity month after all, and real-life testing is at hand. Syno will look into this just to make sure that no exploits are being used, but other than that, close down, and harden your NAS, that's it.
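Added example, not part of the thread and not Synology's code: the notification quoted above counts failed sign-ins per account ("5 failed attempts ... within the last 1 minutes") from any number of devices, so this sketch applies that per-account window to log lines and compares it with the highest count from a single source. The log format, function names and addresses are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in a made-up format (not Synology's log format).
SAMPLE_LOG = """\
2021-10-05T03:14:02 login_failed user=admin src=203.0.113.10
2021-10-05T03:14:11 login_failed user=admin src=198.51.100.7
2021-10-05T03:14:19 login_failed user=admin src=203.0.113.10
2021-10-05T03:14:30 login_ok user=alice src=192.0.2.20
2021-10-05T03:14:41 login_failed user=admin src=198.51.100.99
2021-10-05T03:14:55 login_failed user=admin src=203.0.113.77
2021-10-05T03:20:00 login_failed user=alice src=192.0.2.20
""".splitlines()

LINE_RE = re.compile(r"^(\S+) login_failed user=(\S+) src=(\S+)$")

def failed_login_alerts(lines, threshold=5, window_s=60):
    """Return (time, account, sorted sources) each time an account reaches
    `threshold` failures inside a sliding `window_s`-second window."""
    recent = defaultdict(deque)   # account -> deque of (timestamp, source)
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # successful logins and unparsable lines
        ts, user, src = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
        q = recent[user]
        q.append((ts, src))
        # Drop failures that have fallen out of the window.
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ts.isoformat(), user, sorted({s for _, s in q})))
            q.clear()             # re-arm so one burst gives one alert
    return alerts

def max_failures_per_source(lines):
    """Highest failure count seen from any single source address."""
    counts = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            counts[m.group(3)] += 1
    return max(counts.values(), default=0)

if __name__ == "__main__":
    for alert in failed_login_alerts(SAMPLE_LOG):
        print(alert)
```

On the sample, the account-level rule fires once for `admin` while no single source exceeds two failures, so a per-address counter alone would stay quiet.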
 
I see. Was a bit surprised as this NAS was Internet accessible for almost 2y without being attacked in that way.
 
I noticed on my Draytek syslog a shed load of blocks via my Country filters, as I did have an old DS118 exposed on a port for SS (Cameras), yes I know! Wasn't too worried as that's the only thing it was for, as SS host on a CMS setup. Mainly, from what I can see, China and Vietnam IPs. TBH I forgot all about it still open as I WireGuard into home now when away. Anyway, closed that hole and obviously been fine since.
 
