Info Security and your DSM setup


jeyare

Subscriber
Follow my short research:
45,588 Syno NASes accessible from the WAN on the standard HTTP (5000) port
54% of them have UPnP open
7% of them have FTP open

And people are crazy with SMB1, look here

Check your IP and what "they" know about you at Shodan.io

Our mission here is to provide knowledge on how to avoid such issues. You can find more in the Security part of this forum.
 

jeyare

Subscriber
And this is just the tip of the iceberg.

When you check your public address with the NAS port:
HTTP:
http://your-public-ip-address:your-NAS-port/ssdp/desc-DSM-eth0.xml

you will get info like this:

XML:
<root xmlns="urn:schemas-upnp-org:device-1-0">
<specVersion>
<major>1</major>
<minor>0</minor>
</specVersion>
<device>
<deviceType>urn:schemas-upnp-org:device:Basic:1</deviceType>
<friendlyName>NAS_DS218j (DS218j)</friendlyName>
<manufacturer>Synology</manufacturer>
<manufacturerURL>http://www.synology.com</manufacturerURL>
<modelDescription>Synology NAS</modelDescription>
<modelName>DS218j</modelName>
<modelNumber>DS218j 6.2-24922</modelNumber>
<modelURL>http://www.synology.com</modelURL>
<modelType>NAS</modelType>
<serialNumber>xxxxxxxxxxxx</serialNumber>   ...this was hidden by me
<UDN>uuid:73796E6F-6473-6D00-0000-001132b9c632</UDN>
<serviceList>
<service>
<URLBase>http://192.168.0.17:5000</URLBase>
<serviceType>urn:schemas-dummy-com:service:Dummy:1</serviceType>
<serviceId>urn:dummy-com:serviceId:dummy1</serviceId>
<controlURL>/dummy</controlURL>
<eventSubURL>/dummy</eventSubURL>
<SCPDURL>/ssdp/dummy.xml</SCPDURL>
</service>
</serviceList>
<presentationURL>http://192.168.0.17:5000/</presentationURL>
</device>
</root>

When your security "engines" work well (router first, NAS firewall second), you will never send such info outside from the NAS. Never.
 

jeyare

Subscriber
And you can change ports as you like, from the standard 5000 to 8000; they will catch you.

XML:
<root xmlns="urn:schemas-upnp-org:device-1-0">
<specVersion>
<major>1</major>
<minor>0</minor>
</specVersion>
<device>
<deviceType>urn:schemas-upnp-org:device:Basic:1</deviceType>
<friendlyName>RS1219 (RS1219+)</friendlyName>
<manufacturer>Synology</manufacturer>
<manufacturerURL>http://www.synology.com</manufacturerURL>
<modelDescription>Synology NAS</modelDescription>
<modelName>RS1219+</modelName>
<modelNumber>RS1219+ 6.2-24922</modelNumber>
<modelURL>http://www.synology.com</modelURL>
<modelType>NAS</modelType>
<serialNumber>xxxxxxxxxxx</serialNumber> ....hidden by me
<UDN>uuid:73796E6F-6473-6D00-0000-001132c36514</UDN>
<serviceList>
<service>
<URLBase>http://114.xxx.xxx.xxx:8000</URLBase> ....hidden by me
<serviceType>urn:schemas-dummy-com:service:Dummy:1</serviceType>
<serviceId>urn:dummy-com:serviceId:dummy1</serviceId>
<controlURL>/dummy</controlURL>
<eventSubURL>/dummy</eventSubURL>
<SCPDURL>/ssdp/dummy.xml</SCPDURL>
</service>
</serviceList>
<presentationURL>http://114.xxx.xxx.xxx:8000/</presentationURL> ....hidden by me
</device>
</root>
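As an added example (not code from the posts or from Synology), here is a small audit script that parses the /ssdp/desc-DSM-eth0.xml document shown in the two posts above, the DS218j one answering with its LAN address and the RS1219+ one answering on a custom port, and lists what each gives away: model and DSM build, serial, the MAC address embedded in the UDN (Synology's 00:11:32 prefix), and whether the URLBase exposes an internal or a public address. The sample documents are embedded and constructed from the posts; the public address 114.0.0.1 stands in for the poster's redacted 114.xxx.xxx.xxx, and the serial is redacted exactly as the poster redacted it. The `fetch_description` helper is an assumption for checking your own NAS; the rest runs offline.

```python
"""Audit what a DSM SSDP/UPnP description document leaks.

Added example for this thread, not code from the posts or from Synology.
"""
import ipaddress
import re
import sys
import urllib.request
import xml.etree.ElementTree as ET

UPNP_NS = "urn:schemas-upnp-org:device-1-0"
SYNOLOGY_OUI = "00:11:32"  # Synology's registered MAC prefix
DSM_DEFAULT_PORT = 5000

# Constructed sample: the DS218j description from the post, serial redacted as in the post.
SAMPLE_LAN = """<root xmlns="urn:schemas-upnp-org:device-1-0">
<specVersion><major>1</major><minor>0</minor></specVersion>
<device>
<deviceType>urn:schemas-upnp-org:device:Basic:1</deviceType>
<friendlyName>NAS_DS218j (DS218j)</friendlyName>
<manufacturer>Synology</manufacturer>
<modelName>DS218j</modelName>
<modelNumber>DS218j 6.2-24922</modelNumber>
<serialNumber>xxxxxxxxxxxx</serialNumber>
<UDN>uuid:73796E6F-6473-6D00-0000-001132b9c632</UDN>
<serviceList><service>
<URLBase>http://192.168.0.17:5000</URLBase>
</service></serviceList>
<presentationURL>http://192.168.0.17:5000/</presentationURL>
</device>
</root>"""

# Constructed variant of the RS1219+ case from the second post; the poster's public
# address was redacted (114.xxx.xxx.xxx), so 114.0.0.1 is a stand-in, not a real host.
SAMPLE_PUBLIC = (SAMPLE_LAN
                 .replace("192.168.0.17:5000", "114.0.0.1:8000")
                 .replace("DS218j", "RS1219+")
                 .replace("001132b9c632", "001132c36514"))


def _text(root, tag):
    """First text value of <tag> anywhere under root, in the UPnP namespace."""
    el = root.find(f".//{{{UPNP_NS}}}{tag}")
    return el.text.strip() if el is not None and el.text else None


def mac_from_udn(udn):
    """DSM derives the UDN from its MAC: ...-001132b9c632 -> 00:11:32:b9:c6:32."""
    m = re.search(r"-([0-9a-fA-F]{12})$", udn or "")
    if not m:
        return None
    h = m.group(1).lower()
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))


def host_port(url):
    """Split http://host[:port]/... into (host, port); port defaults to 80."""
    m = re.match(r"https?://([^/:]+)(?::(\d+))?", url or "")
    if not m:
        return None, None
    return m.group(1), int(m.group(2)) if m.group(2) else 80


def analyse(xml_text):
    """Return the leaked fields as a dict."""
    root = ET.fromstring(xml_text)
    # modelNumber is "<model> <DSM major.minor>-<build>", e.g. "DS218j 6.2-24922"
    ver = re.match(r"(\S+)\s+([\d.]+)-(\d+)", _text(root, "modelNumber") or "")
    host, port = host_port(_text(root, "URLBase") or _text(root, "presentationURL"))
    try:
        addr = ipaddress.ip_address(host)
        scope = "lan" if addr.is_private else ("public" if addr.is_global else "reserved")
    except ValueError:  # hostname, or a redacted address such as 114.xxx.xxx.xxx
        scope = "unknown"
    mac = mac_from_udn(_text(root, "UDN"))
    return {
        "model": _text(root, "modelName"),
        "dsm_version": ver.group(2) if ver else None,
        "dsm_build": ver.group(3) if ver else None,
        "serial": _text(root, "serialNumber"),
        "mac": mac,
        "synology_oui": bool(mac and mac.startswith(SYNOLOGY_OUI)),
        "host": host,
        "port": port,
        "address_scope": scope,
    }


def findings(info):
    """Turn the parsed fields into the points a pentest report would list."""
    out = []
    if info["model"]:
        out.append(f"model and firmware fingerprinted: {info['model']}, "
                   f"DSM {info['dsm_version']} build {info['dsm_build']}")
    if info["serial"]:
        out.append("serial number disclosed")
    if info["mac"]:
        out.append(f"MAC address disclosed via UDN: {info['mac']}")
    if info["address_scope"] == "lan":
        out.append(f"internal address leaked: {info['host']}:{info['port']} "
                   "(NAS sits behind NAT with a port-forward)")
    elif info["address_scope"] == "public":
        out.append(f"NAS advertises its public address {info['host']}:{info['port']}")
    if info["port"] not in (None, DSM_DEFAULT_PORT):
        out.append(f"non-default port {info['port']} does not hide the service; "
                   "the description still identifies DSM")
    return out


def fetch_description(host, port=DSM_DEFAULT_PORT, timeout=5):
    """Fetch the live description from a NAS you own (plain HTTP, as in the post)."""
    url = f"http://{host}:{port}/ssdp/desc-DSM-eth0.xml"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # usage: python ssdp_leak.py [host [port]]; with no arguments the embedded sample is used
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else DSM_DEFAULT_PORT
        text = fetch_description(sys.argv[1], port)
    else:
        text = SAMPLE_PUBLIC
    for line in findings(analyse(text)):
        print("-", line)
```

Run it against your own public address and DSM port from outside your LAN; if it prints anything at all, the router or the DSM firewall is letting the description out, regardless of which port you moved DSM to.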
 

jeyare

Subscriber
This is the real reason why you shouldn't use routers from ISPs: because cheap = dangerous.
 
www.adrianearnshaw.com
NAS
1819+
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. Linux
  2. Windows
Mobile operating system
  1. Android
I will check mine out, thanks. First thing I did was bin the router my ISP gave me. Whole network is Synology based, NAS, Router and Mesh. Everything runs rock solid and has been really tested now that I am working from home.

Most of my colleagues have had network issues but, knock on wood, none of that in my house 👌
 

jeyare

Subscriber
And here is the underwater part of the glacier.

The biggest number is the number of DSMs located in their DB.

[attached screenshot: 1590060983412.png]
 

jeyare

Subscriber
Quote:
I will check mine out, thanks. First thing I did was bin the router my ISP gave me. Whole network is Synology based, NAS, Router and Mesh. Everything runs rock solid and has been really tested now that I am working from home.

Most of my colleagues have had network issues but, knock on wood, none of that in my house 👌

My FTTx ONU (fiber transceiver/router) is in bridge mode. No need for a devastation of my security from the ISP.
 

Rusty

Moderator
NAS Support
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
  1. RT1900ac
  2. RT2600ac
  3. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
Quote (jeyare):
and this is just a tip of the iceberg
[...]
When your security "engines" work well (router first, NAS firewall second), you will never send such info outside from the NAS. Never.
Why would anyone wanna have http port open in the 1st place?
 

jeyare

Subscriber
@Rusty
More than 80% of NAS owners = unskilled users of their home "nice black box" for their photos and movies.
As you can read from all the ransomware attack impacts.
 

Rusty

Moderator
NAS Support
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
  1. RT1900ac
  2. RT2600ac
  3. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
I get that, but are you sure that they will know about /ssdp/desc-DSM-eth0.xml? That's my question. Those people are unaware of things like that, and anyone who is aware should have taken steps to prevent this in the 1st place, not advertise that they will check it out later... mho.
 

jeyare

Subscriber
Agree, they (unskilled users) don't need to care about it. No doubt.
The majority of car drivers don't care about the setup of airbags. Which is also OK.
They believe that their car producer will care about it. Which is also OK.

But in the NAS market for home users, no one from the NAS vendors cares about such security, and they transfer the responsibility to the unskilled users. Which isn't OK.

A virtual assistant for general NAS setup, based on qualified segments (share, photo, ...), can cover such generic issues.
Based on a simple NAS owner choice:
- I need a file share in my home network for my Mac, iOS, ... and a rule-based system can create all necessary steps, including a guide for the client side.
- I need a connection from the Internet to my photos ... the system can also create a general QuickConnect account, ...
- I need to save some movies to the NAS and watch them on my TV ...
... etc.
This is not about AI. It's a simple rule-based system (part of DSM) connected to a maintained DB of devices (a Synology service). Just 10 Euro per installation (paid by card), as an added-value service from Synology's side, directly for their new/installed base. Just for the beginners. Free setup for the skilled, as it is now.
Smart people called it "monetization" of the installed base. Look at the game industry and in-game purchasing.

Also for SRM ... especially for security features, when you need to create a new admin account and delete the previous one :cool:. For beginners it's really hard to achieve. But this is a discussion about the mass market. Not about special appliances for skilled professionals.

And this is the NAS vendors' responsibility. Even better: a better market capture strategy. Or a change of their R&D behavior.
 
