Info Security and your DSM setup

Currently reading
Info Security and your DSM setup

2,486
840
NAS
Synology, TrueNAS
Operating system
  1. Linux
  2. Windows
follow my short research:
45 588 Syno NASes accessible from WAN by standard HTTP (5000) port
54% of them have opened UPnP
7% of them have opened FTP

and people are crazy with SMB1, look here

check your IP and what “they” know about you at Shodan.io

Our mission here is providing a knowledge how to avoid such issues. More you can find in the Security part of this forum
 
and this is just a tip of the iceberg

when you check your public address with NAS port:
HTTP:
http://your-public-ip-address:your-NAS-port/ssdp/desc-DSM-eth0.xml

you will get info like this:

XML:
This XML file does not appear to have any style information associated with it. The document tree is shown below.
<root xmlns="urn:schemas-upnp-org:device-1-0">
<specVersion>
<major>1</major>
<minor>0</minor>
</specVersion>
<device>
<deviceType>urn:schemas-upnp-org:device:Basic:1</deviceType>
<friendlyName>NAS_DS218j (DS218j)</friendlyName>
<manufacturer>Synology</manufacturer>
<manufacturerURL>http://www.synology.com</manufacturerURL>
<modelDescription>Synology NAS</modelDescription>
<modelName>DS218j</modelName>
<modelNumber>DS218j 6.2-24922</modelNumber>
<modelURL>http://www.synology.com</modelURL>
<modelType>NAS</modelType>
<serialNumber>xxxxxxxxxxxx</serialNumber>   ...this was hidden by me
<UDN>uuid:73796E6F-6473-6D00-0000-001132b9c632</UDN>
<serviceList>
<service>
<URLBase>http://192.168.0.17:5000</URLBase>
<serviceType>urn:schemas-dummy-com:service:Dummy:1</serviceType>
<serviceId>urn:dummy-com:serviceId:dummy1</serviceId>
<controlURL>/dummy</controlURL>
<eventSubURL>/dummy</eventSubURL>
<SCPDURL>/ssdp/dummy.xml</SCPDURL>
</service>
</serviceList>
<presentationURL>http://192.168.0.17:5000/</presentationURL>
</device>
</root>

When your security "engines" work well (router in first, NAS firewal in second), you will never send such info outside from the NAS. Never.
 
and you can change ports as you can from standard 5000 to 8000
they will catch you

HTML:
This XML file does not appear to have any style information associated with it. The document tree is shown below.
<root xmlns="urn:schemas-upnp-org:device-1-0">
<specVersion>
<major>1</major>
<minor>0</minor>
</specVersion>
<device>
<deviceType>urn:schemas-upnp-org:device:Basic:1</deviceType>
<friendlyName>RS1219 (RS1219+)</friendlyName>
<manufacturer>Synology</manufacturer>
<manufacturerURL>http://www.synology.com</manufacturerURL>
<modelDescription>Synology NAS</modelDescription>
<modelName>RS1219+</modelName>
<modelNumber>RS1219+ 6.2-24922</modelNumber>
<modelURL>http://www.synology.com</modelURL>
<modelType>NAS</modelType>
<serialNumber>xxxxxxxxxxx</serialNumber> ....hidden by me
<UDN>uuid:73796E6F-6473-6D00-0000-001132c36514</UDN>
<serviceList>
<service>
<URLBase>http://114.xxx.xxx.xxx:8000</URLBase> ....hidden by me
<serviceType>urn:schemas-dummy-com:service:Dummy:1</serviceType>
<serviceId>urn:dummy-com:serviceId:dummy1</serviceId>
<controlURL>/dummy</controlURL>
<eventSubURL>/dummy</eventSubURL>
<SCPDURL>/ssdp/dummy.xml</SCPDURL>
</service>
</serviceList>
<presentationURL>http://114.xxx.xxx.xxx:8000/</presentationURL> ....hidden by me
</device>
</root>
 
I will check mine out, thanks. First thing I did was bin the router my ISP gave me. Whole network is Synology based, NAS, Router and Mesh. Everything runs rock solid and has been really tested now that I am working from home.

Most of my colleagues have had network issues but, knock on wood, none of that in my house 👌
 
and here is the underwater part of the glacier

the biggest number is number of DSM located in their DB.

1590060983412.png
 
I will check mine out, thanks. First thing I did was bin the router my ISP gave me. Whole network is Synology based, NAS, Router and Mesh. Everything runs rock solid and has been really tested now that I am working from home.

Most of my colleagues have had network issues but, knock on wood, none of that in my house 👌
my FFTx ONU (fiber transciever/router) is in bridge mode. No need a devastation of my security from ISP.
 
and this is just a tip of the iceberg

when you check your public address with NAS port:
HTTP:
http://your-public-ip-address:your-NAS-port/ssdp/desc-DSM-eth0.xml

you will get info like this:

XML:
This XML file does not appear to have any style information associated with it. The document tree is shown below.
<root xmlns="urn:schemas-upnp-org:device-1-0">
<specVersion>
<major>1</major>
<minor>0</minor>
</specVersion>
<device>
<deviceType>urn:schemas-upnp-org:device:Basic:1</deviceType>
<friendlyName>NAS_DS218j (DS218j)</friendlyName>
<manufacturer>Synology</manufacturer>
<manufacturerURL>http://www.synology.com</manufacturerURL>
<modelDescription>Synology NAS</modelDescription>
<modelName>DS218j</modelName>
<modelNumber>DS218j 6.2-24922</modelNumber>
<modelURL>http://www.synology.com</modelURL>
<modelType>NAS</modelType>
<serialNumber>xxxxxxxxxxxx</serialNumber>   ...this was hidden by me
<UDN>uuid:73796E6F-6473-6D00-0000-001132b9c632</UDN>
<serviceList>
<service>
<URLBase>http://192.168.0.17:5000</URLBase>
<serviceType>urn:schemas-dummy-com:service:Dummy:1</serviceType>
<serviceId>urn:dummy-com:serviceId:dummy1</serviceId>
<controlURL>/dummy</controlURL>
<eventSubURL>/dummy</eventSubURL>
<SCPDURL>/ssdp/dummy.xml</SCPDURL>
</service>
</serviceList>
<presentationURL>http://192.168.0.17:5000/</presentationURL>
</device>
</root>

When your security "engines" work well (router in first, NAS firewal in second), you will never send such info outside from the NAS. Never.
Why would anyone wanna have http port open in the 1st place?
 
I get that, but are you sure that they will know about /ssdp/desc-DSM-eth0.xml? That's my question. Those people are unaware of things like that, and anyone who is aware should have take steps to prevent this in the 1st place, not advertise that they will check it out later... mho.
 
agree, they (unskilled users) don't need to care about it. No doubt.
Majority of the car drivers don't care about setup of airbags. What is also OK.
They believe, that their car producer will care about it. What is also OK.

But in the NAS market for home users no one from the NAS vendors care about such security and they transfer the responsibility to the unskilled users. What isn't OK.

A Virtual assistant for general NAS setup, based on qualified segments (share, photo, ...) can cover such generic issues.
Based on simple NAS owner choice:
- I need file share in my home network for my: Mac, iOS, ... and rule based system can create all necessary steps, include guide for the client side.
- I need connection from Internet to my photos .... also system can create general Quick-connect account, ...
- I need save some movies into NAS and watch them on my TV .....
... etc.
this is not about AI. It's simple rule based system (part of DSM) connected to maintained DB of devices (Synology service). Just for 10Euro per installation (paid by card) - as added value services from Synology side, directly for their new/installed base. Just for the beginners. Free setup for skilled as is now.
Smart people called it "monetization" of the installed base. look for the Game industry and In-game purchasing.

Also for SRM. .... specially for security features when you need create new Admin account and delete previous :cool: . For beginners it's really hard to achieve. But here is a discussion about mass market. Not about special appliances for skilled professionals.

And this is the NAS vendors responsibility. Even better - better market capture strategy. Or change of their R&D behavior.
 
What has changed in the world of Synology users in 16 months?

New NASes have been added to operation: + 1,341,741 to current 2,386,990 which users completely exposed their NASes in front of the door.
If only half of them buy disks from Synology for their small DS lines, Synology will make good money

1630343935854.png
 
to be Synology's head of marketing, so I'll list every single IP address from this list, associate it with Synology's registration email, and create an interactive process on how to change it on the web to YT. For free. Because if anyone goes for it, there will be a real rumble.
-- post merged: --

check the first post
 
and this is just a tip of the iceberg

when you check your public address with NAS port:
HTTP:
http://your-public-ip-address:your-NAS-port/ssdp/desc-DSM-eth0.xml

So if I do that with my public IP followed by my custom NAS dsm port and get an "unable to connect" message from my internet browser, then I'm doing something right?
 
So if I do that with my public IP followed by my custom NAS dsm port and get an "unable to connect" message from my internet browser, then I'm doing something right?

this is the most trivial test, if you pass it successfully ("unable to connect"), it does not mean that you are 100% safe.

But it is true that you do not belong to this large list of owners of Syno NASes (above) - they can also attach a glass of beer and juicy steaks right next to that NAS; when they offer so much.
 

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Similar threads

Try adding them one-at-a-time, saving, logging out, restarting* your computer, then logging back in until...
Replies
12
Views
1,191
I receive the reports monthly, just actually got them on 2/1 and verified for some reason this is still...
Replies
4
Views
707
It took a while to get iOS Syno Drive Client to reset and ask for my 2FA to log back in. It was set up...
Replies
2
Views
573
My auto-block was always set to block after multiple attempts. Since this login stuff was happening once...
Replies
15
Views
1,920

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Back
Top