Firewall logs

[ed.j]

Where do you see firewall logs? In the log centre? I can't see anything relating to firewall in there, does this mean it has never blocked anything?

I got the impression NAS users were constantly under attack from hacking attempts so I feel like I'm missing something. If it's just the hacking, that's fine

 

[jeyare]

iptables or default Linux firewall doesn’t have logs (dropped, rejected, …) enabled by default (also in DSM).

When you like to use iptables logging feature, you need to be sure of what are you doing. Otherwise, you can block entire your system - it's a powerful firewall.
Because you are asking such a question, it will be more likely that you do not understand this domain. I'm not writing this to embarrass you. This domain is difficult to understand at all what you will find in these logs. Then there is another point of view - if such logs are improperly enabled, you can overwhelm your CPU. Be careful.

First:
default location for enabled iptables logs is: /var/log/messages
you can test, that there you can’t find these logs:

cat /var/lo/messages | grep “ipt denied:”

You can understand how iptables works. Start here:

How to setup firewall in Linux? - GeeksforGeeks

A Computer Science portal for geeks. It contains well written, well thought and well explained computer science and programming articles, quizzes and practice/competitive programming/company interview Questions.

www.geeksforgeeks.org

or here:

Iptables Tutorial - Securing Ubuntu VPS with Linux Firewall

Iptables is a powerful firewall tool for Linux. Read our Iptables tutorial and learn everything you need to know to secure your server.

www.hostinger.com

And if you still want to look at how to make logs, this will help you:

How to Log Linux IPTables Firewall Dropped Packets to a Log File

This article is part of our ongoing Linux IPTables series of articles. When things are not working as expected with your IPTables rules, you might want to log the IPTables dropped packets for troubleshooting purpose. This article explains how to log both incoming and outgoing dropped firewal...

www.thegeekstuff.com

In any case (my approach):
you can mount DSM /var/log to your computer to be more flexible


A few recommendations:
1. MANDATORY - make a backup of the existing iptables:

iptables-save > <path to your backup>

2. always test only one rule with logging

3. gradually add other log rules (or remove unnecessary ones)

4. at any time you can restore the backup of the iptables:

iptables-restore > <path to your backup>

Here is a better option to start with:

NtopNG - docker container

Deployed and tested NtopNG container First touch feelings: 1. running w/o a significant impact on NAS host (it was my worries) 2. Useful to fast preview of the network status before you will use Wireshark 3. you can create pools for a clustered preview or exact host interface flow check 4...

www.synoforum.com

NAS-based tool for detailed network traffic monitoring

I am looking for a (Synology-based) tool (package?) that would allow me to precisely monitor in- and outgoing network traffic from and to the NAS. I would, for instance, like to know how much traffic is going in and out right now for the individual packages installed. Do you know of any such...

www.synoforum.com

For a forensic search purposes, it is more appropriate to use tcpdump, which you can also save in realtime to a defined file, which you can have mapped to Wireshark on your computer. Of course, you will only see the current status.

More about NAS security (related) you can find here:

Info - Security and your DSM setup

I spent the day tightening security up significantly. Thank you for raising these red flags for those of us that struggle with all these settings.

www.synoforum.com

about Docker containers security (related) here:

Docker daemon eating up disk I/O

I'm asking this question on behalf of someone from another (Dutch) forum. Anyone seen this before and have any idea what is causing this? User is only running this container, and this disk activity only seems to hapen when this container is started: GitHub - qdm12/gluetun: VPN client in a...

www.synoforum.com

 

[ed.j]

Thanks @jeyare

No offence taken re this being too complex for me - it most likely is. It seems odd though that you can set up the firewall etc very easily (and really it is mandatory) but then unless you have a phd in forensic computing there's no way to know if the firewall is actually working.... unless it's not and something bad happens.

This all looks like rainy week/end kind of project, so thanks for the links and info, will go through it all at an opportune moment.

--- unless there are packages/docker apps that manage it for you - will need to research....

 

[jeyare]

unless it's not and something bad happens

NAS firewall must be the last possible instance.
More powerful must be the first line (router with integrated firewall or independent firewall) with defined policies for WAN (in/out) LAN (in/out) and router interfaces as well.
Then hardening of DNS handling (DNScrypt, DNSsec) to hide DNS records outside your infrastructure).
Reverse Proxy is also one of the security instance. With NPM you can limit inbound traffic better than just Country IP range (it’s really soft rule).
…

You need understand principles of the traffic, then you will understand IPTables, then you will exercise, then you will harden your infrastructure.

finally you will create an infrastructure that will be invisible from WAN.
inexperienced users who trust NAS gurus like this one link should consider whether they will continue to search for his recommendations. They are playing with fire. Because only an inexperienced user exposes his NAS to the Internet by this way.

 

[ed.j]

OK lot's more reading to do there...

inexperienced users who trust NAS gurus like this one link should consider whether they will continue to search for his recommendations. Th

If you have the right ports closed off, and all user accounts have strong passwords and 2FA, is it really an issue to have your DSM open in this way?

 

[jeyare]

If you have the right ports closed off, and all user accounts have strong passwords and 2FA, is it really an issue to have your DSM open in this way?

When is DSM exposed directly to WAN? all lights will be in red.

• strong PSW for NAS and 2FA is great for the web interface. Other channels do not need 2FA.
• An IP address can be traced through free DNS records unless it is shielded.

To be sure
I pointed out this particular user (11 days ago) that:

• there are several exposed ports
• including that such DSM settings contradict the Synology Security Advisory guidelines (and common professional approach).
• in addition, I tried to point out that he has exposed services through which it is possible to identify the DSM system he is using accurately. Since then, it has been possible to exploit known vulnerabilities.

Not to mention that this user takes on the role of a well-known educator in using NAS systems for newbies. Unfortunately, it seems that the king is naked.

Take this example as an illustration - because it is really dangerous to leave the DSM system exposed directly to the Internet - without a VPN, ... and all recommendations written in this forum.

 

[Deleted member 5784]

If you have the right ports closed off, and all user accounts have strong passwords and 2FA, is it really an issue to have your DSM open in this way?

Approach this Q from the other perspective, ie as a potential hacker; what do I already know about @jeyare 's potential target above?

• I know that there is a real machine at that IP address.
• There is a web server running on port 5001 at that address.
• The web server is an Nginx server (http headers). What known recent vulnerabilities can I try against Nginx webservers?
• I know that this machine is a Synology NAS, and not, say, an IP camera or a netgear router or an HP server.
• I know that this Synology NAS is running at least DSM v7 (the user interface tell me this). What recent vulns have been disclosed re DSM7?
• I know the model is a Syno DS1621+ (he's told me on the log in page)
• As there's a Synology DS1621+ NAS w/ DSM7.x at that IP address, I'll speculate that there are other services running on other ports at that IP address. A mail server? A DNS server (eg BIND - as used by Syno DNS package)? I bet he's running a few docker containers behind that IP...lets have a look for recent known vulns in common docker packages, eg NextCloud / pihole / Sonarr etc etc...
• Now that I've found an IP with a specific machine and OS version behind it, I can point all my automated vuln scripts at that IP address for more targetting exploration & see what comes up.
• I can also bombard that IP address with thousands of brute force login attempts in case he hasn't got 2fa turned on, or auto blocking enabled. Even if he has, I can burn through some of his bandwidth & CPU cycles by bombarding him until I get bored and move on.

...you get the point. As vulnerabilities in common OS software are being disclosed all the time, you are giving the hacker a huge head start by exposing so much to the public internet.

If you put all this behind a VPN, all that a hacker's scan would show up is an open VPN port at a given IP address. No hint of what machine, OS or other services are there. Just a VPN port. I only have to worry about newly discovered vulns in that 1 package - the VPN server - rather than the multitude of services I may be running as per above.

 

[jeyare]

I know that this Synology NAS is running at least DSM v7 (the user interface tell me this). What recent vulns have been disclosed re DSM7?

even worse, you can get more information by SSDP call:

• NAS LAN IP address + Port (or fqdn) ... just imagine
• UUID useful for some kind of attack
• the exact DSM version & build number running on the NAS. Then 3rd party can use an attack by known vulnerabilities related to the build discovered.

Final stage:
NEVER, NEVER, NEVER expose directly/unshielded your NAS to WAN.

 

[Deleted member 5784]

even worse, you can get more information by SSDP call:

...another good reason to disable UPnP at the router.

 

[jeyare]

here I have summarized the keyholes in the DSM native settings, including how to avoid them:

Info - Security and your DSM setup

follow my short research: 45 588 Syno NASes accessible from WAN by standard HTTP (5000) port 54% of them have opened UPnP 7% of them have opened FTP and people are crazy with SMB1, look here check your IP and what “they” know about you at Shodan.io Our mission here is providing a knowledge...

www.synoforum.com

I tried to explain this to Synology Product Security Incident Response Team (PSIRT) over a year ago.
Result: disinterested