RT2600 & MR2200 Emerging Threat Analysis

NAS: DS412+, DS216Play, DS1817+
Router: RT2600ac, MR2200ac
Operating system: Linux, macOS
Mobile operating system: iOS
Does anyone know whether, when the router reports medium threats, the packets are dropped, or if this is for information only?

Event Type: Attempted Information Leak
Signature: ET SCAN MS Terminal Server Traffic on Non-standard Port
Severity: medium
Source IP: 195.154.92.15
Destination: <RT2600 External>

Sometimes the Destination is my Synology NAS on its internal IP; a port scan reveals the ports that are open on my NAS, and these need to be open.

Should I be doing anything else to secure my network?
 

fredbert
Moderator, NAS Support, Subscriber
NAS: DS1520+, DS218+, DS215j
Router: RT2600ac, MR2200ac
Operating system: macOS
Mobile operating system: iOS
I have changed all these rules to Drop:
  • ET CINS Active Threat Intelligence Poor Reputation IP group NN ... i.e. all of them
  • ET SCAN NETWORK Incoming Masscan detected
  • ET SCAN MS Terminal Server Traffic on Non-Standard Port
  • ET WEB_SERVER WebShell Generic - wget http - POST
As far as I can tell this hasn't been detrimental to device performance on my LAN.

I often see multiple dropped 'ET SCAN ZmEu Scanner User-Agent Inbound' from the same IP, and searching TP events for the IP will reveal an alerted [non-dropped] event, like a suspicious web request. I'll put these IPs into the SRM Block List and/or add a firewall deny rule for their class A or class B subnet (depending how I'm feeling towards that range). The firewall's hit counter will show if they are active: sometimes they reappear; on others they just stop, and I deactivate the rule but keep the blocked IP in the list.

A good place to check the suspicious IP / URL is AbuseIPDB - IP address abuse reports - Making the Internet safer, one IP at a time

The best thing you can do is to set firewall rules to deny access from countries that you never expect to have inbound connections. There are two ways to do this:
  1. If you only ever expect inbound from your own country then you can set firewall rules with source IP from your country and have one rule to deny from all countries at the end of the rules.
  2. Due to a limit of 15 countries in any one rule: create multiple deny rules at the top of the firewall rulebase. I have rules based on continents, e.g. Asia #1.
I found that blocking USA stopped my work Android phone being able to access Google Play store for updates. Oh well.
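One way to do the triage fredbert describes (repeated dropped scanner hits from one source IP plus a non-dropped alert from the same IP) over exported Threat Prevention events, as an added example rather than code from the thread or from Synology; the sample events use documentation IP ranges and the `Action` field is an assumed stand-in for whatever verdict column SRM exports:

```python
from collections import defaultdict

# Constructed sample in the "Field: value" layout quoted in the thread. The "Action"
# field is an assumption standing in for the verdict SRM shows (alert vs drop).
SAMPLE_EVENTS = """\
Signature: ET SCAN MS Terminal Server Traffic on Non-standard Port
Severity: medium
Action: alert
Source IP: 203.0.113.7
Destination: <RT2600 External>

Signature: ET SCAN ZmEu Scanner User-Agent Inbound
Severity: medium
Action: drop
Source IP: 198.51.100.23
Destination: 192.168.1.10

Signature: ET SCAN ZmEu Scanner User-Agent Inbound
Severity: medium
Action: drop
Source IP: 198.51.100.23
Destination: 192.168.1.10

Signature: ET WEB_SERVER WebShell Generic - wget http - POST
Severity: high
Action: alert
Source IP: 198.51.100.23
Destination: 192.168.1.10
"""

def parse_events(text):
    """Each blank-line-separated block becomes a dict of its 'Field: value' lines."""
    return [dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
            for block in text.strip().split("\n\n")]

def summarise_by_source(events):
    """Per source IP: dropped count, alert-only count, and the set of signatures seen."""
    summary = defaultdict(lambda: {"dropped": 0, "alerted": 0, "signatures": set()})
    for ev in events:
        entry = summary[ev["Source IP"]]
        entry["dropped" if ev["Action"] == "drop" else "alerted"] += 1
        entry["signatures"].add(ev["Signature"])
    return summary

def block_list_candidates(events, min_dropped=2):
    """IPs with repeated dropped scanner hits plus at least one non-dropped alert."""
    return sorted(ip for ip, s in summarise_by_source(events).items()
                  if s["dropped"] >= min_dropped and s["alerted"] >= 1)
```

The candidate list is what you would review against AbuseIPDB before adding an entry to the SRM Block List; a source with a single alerted event and no drops (like the first sample record) is deliberately not flagged.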