Info Security and your DSM setup

Interesting/terrifying/confusing!
I found out my public IPv4 address and searched for it in Shodan.

Results:

80/tcp

nginx

HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Sun, 17 Oct 2021 17:10:57 GMT
Content-Type: text/html
Content-Length: 138
Connection: keep-alive
Keep-Alive: timeout=20
Location: http://xxx.xxx.xx.xx:5000/

5001/tcp

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 15 Oct 2021 15:44:01 GMT
Content-Type: text/html; charset="UTF-8"
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=20
Vary: Accept-Encoding
Cache-control: no-store
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Security-Policy: base-uri 'self'; connect-src ws: wss: *; default-src 'self' 'unsafe-eval' data: blob: https://*.synology.com […]; font-src 'self' data: https://*.googleapis.com https://*.gstatic.com; form-action 'self'; frame-ancestors 'self' […] http://gofile.me; frame-src 'self' data: blob: https://*.synology.com […]; img-src 'self' data: blob: https://*.google.com https://*.googleapis.com http://*.googlecode.com https://*.gstatic.com; media-src 'self' data: about:; script-src 'self' 'unsafe-eval' data: blob: https://*.synology.com […] https://*.google.com https://*.googleapis.com; style-src 'self' 'unsafe-inline' https://*.googleapis.com;
Set-Cookie: id=;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/


Synology DiskStation Manager (DSM):
Version: 6.2.4-25556
Hostname: xxxxxxxx
Custom Login Title: xxxxxxxx

SSL Certificate
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
c7:03:6d:75:xx:xx:xx:xx
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=TW, L=Taipei, O=Synology Inc., CN=Synology Inc. CA
Validity
Not Before: Apr 24 18:35:20 2019 GMT
Not After : Jan 9 18:35:20 2039 GMT
Subject: C=TW, L=Taipei, O=Synology Inc., CN=synology.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:9d:23:c5:a0:ba:cf:44:c7:3a:e9:0f:a3:55:74:
98:36:10:a6:28:b2:52:9a:bc:14:0c:73:09:8e:83:
3d:73:8e:bf:b1:c9:e3:3d:bc:cc:c4:d4:1b:f2:cc:
74:c2:81:68:ac:87:a0:cc:0a:d3:10:ec:d1:a8:19:
87:e4:3e:47:cc:6d:90:8e:fa:20:54:4e:26:f3:e5:
0f:ed:e6:0d:11:94:9c:b1:9d:c2:69:bc:2a:a7:6b:
ac:b1:0d:a5:f5:0f:b1:4e:6f:3d:1f:76:24:f2:22:
ca:07:6f:88:76:eb:a7:c3:59:35:8a:5d:2b:1e:9a:
AND THE OTHER HALF
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
cb:46:1a:a9:33:40:fe:4f:54:81:d9:21:63:12:2c:6f:bc:f9:
2d:30:2d:6f:ad:fe:3e:cb:4a:7c:3a:d6:32:6b:81:93:d2:1d:
8d:56:89:ac:a5:f9:4c:58:7c:95:d5:65:b9:f6:05:05:80:3c:
7d:23:9d:d5:92:f7:b4:05:38:77:48:dd:c7:f5:b0:57:c4:c1:
a7:50:09:4c:d0:72:b5:f6:cd:99:5a:5c:ca:66:1a:6e:e6:9c:
b4:9c:04:0f:e9:c7:e1:97:03:e8:35:4b:6d:c2:96:d6:6d:e5:
AND THE OTHER HALF


Anything of concern in here? I think not?
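A banner-triage script I would run over a record like the one above, added here as an example (it is not from the post and not a Shodan tool). The sample banners are reconstructed from the Shodan output in the post, with the same xxx redactions, and the checks encode the points a reviewer would raise: the 302 on port 80 advertises the plaintext DSM port 5000, the DSM version string is disclosed to anyone, the DSM UI itself answers on 5001 from the WAN, and the TLS certificate is Synology's built-in one (issuer "Synology Inc. CA", subject CN synology.com, valid until 2039), which no client can validate for this host. The severity labels are my own assumption.

```python
"""Triage a Shodan-style banner dump for a Synology DSM host.

Added example for this thread, not the original poster's code. The sample
records are reconstructed from the Shodan output in the post (redactions kept
as xxx); the checks are plain string inspection, no Shodan API is used.
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[int, str, str]  # (port, severity, message)

# Constructed sample: the two records from the post, trimmed to the lines the
# checks look at.
SAMPLE_BANNERS: Dict[int, str] = {
    80: (
        "HTTP/1.1 302 Moved Temporarily\r\n"
        "Server: nginx\r\n"
        "Location: http://xxx.xxx.xx.xx:5000/\r\n"
    ),
    5001: (
        "HTTP/1.1 200 OK\r\n"
        "Server: nginx\r\n"
        "X-Frame-Options: SAMEORIGIN\r\n"
        "Synology DiskStation Manager (DSM):\r\n"
        "Version: 6.2.4-25556\r\n"
        "Issuer: C=TW, L=Taipei, O=Synology Inc., CN=Synology Inc. CA\r\n"
        "Not After : Jan 9 18:35:20 2039 GMT\r\n"
        "Subject: C=TW, L=Taipei, O=Synology Inc., CN=synology.com\r\n"
    ),
}

DSM_ADMIN_PORTS = {5000: "DSM HTTP", 5001: "DSM HTTPS"}


def parse_banner(banner: str) -> Dict[str, str]:
    """Split 'Name: value' lines into a lower-cased dict.

    The X.509 dump Shodan appends uses the same 'Name: value' shape as HTTP
    headers, so one parser serves both. The status line is stored as 'status'.
    """
    fields: Dict[str, str] = {}
    for raw in banner.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("HTTP/"):
            fields["status"] = line
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def triage(banners: Dict[int, str]) -> List[Finding]:
    findings: List[Finding] = []
    for port, banner in sorted(banners.items()):
        f = parse_banner(banner)

        # A 3xx from a plaintext port that points at :5000 tells every scanner
        # where the unencrypted DSM login lives, even if 5000 itself is filtered.
        location = f.get("location", "")
        if f.get("status", "").startswith("HTTP/1.1 30") and ":5000/" in location:
            findings.append((port, "high",
                             f"plain-HTTP redirect advertises the DSM login port: {location}"))

        # Shodan tags the response as DSM and extracts the version string.
        m = re.search(r"\(DSM\):\s*Version:\s*(\S+)", banner)
        if m:
            findings.append((port, "medium",
                             f"DSM version {m.group(1)} disclosed to unauthenticated clients"))
            if port in DSM_ADMIN_PORTS:
                findings.append((port, "high",
                                 f"{DSM_ADMIN_PORTS[port]} UI reachable directly from the WAN; "
                                 "put it behind a VPN or reverse proxy instead"))

        # The built-in Synology certificate: issuer is Synology's private CA and
        # the subject is synology.com, so it never matches the owner's hostname.
        issuer, subject = f.get("issuer", ""), f.get("subject", "")
        if "Synology Inc. CA" in issuer and "CN=synology.com" in subject:
            expiry = re.search(r"(\d{4}) GMT$", f.get("not after", ""))
            year = f" (valid until {expiry.group(1)})" if expiry else ""
            findings.append((port, "medium",
                             "default Synology self-signed certificate in use" + year +
                             "; clients cannot validate it and learn to click through warnings"))
    return findings


def worst_severity(findings: List[Finding]) -> str:
    """Highest severity present, or 'none' for a clean host."""
    order = {"high": 3, "medium": 2, "low": 1}
    return max((sev for _, sev, _ in findings), key=order.get, default="none")


if __name__ == "__main__":
    for port, sev, msg in triage(SAMPLE_BANNERS):
        print(f"{port:>5}/tcp  {sev:<6} {msg}")
```

Feed it whatever Shodan shows for your own address; a host that only answers on 443 through a reverse proxy with a certificate for its real hostname produces no findings.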
 
@ed.j
1. Open your router and stop UPnP.
2. In Firewall settings: block ports 1900/UDP and 5000/TCP to WAN.
3. NAS firewall: you can find lots of advice in this forum. Use Search.
4. Stop port forwarding into your NAS IP and set up a reverse proxy instead.
… just for the first stage.
 
@jeyare - thanks very much for the tips.

1. According to my router, UPnP is off. Why does it look on to you?
2. Block on my router or NAS? NAS, right?
3. I have this set up as attached; I thought this was more or less the correct way to have it (given that other people in the UK need to access it)?
4. God damn, I only just really worked out port forwarding :ROFLMAO: I'll get researching!
 

Attachment: dsm fw.JPG
@ed.j
1. The first bad thing is: Video Station - All ports - All sources

It means that you have opened:
1900 (UDP), 5000 (HTTP), 5001 (HTTPS), 9025-9040, 5002, 5004, 65001 (the reason for your record in Shodan)
for anyone from the WAN.
You can also prepare a glass of beer for them.

2. @Telos' question is right. No need to enable all ports for anyone from the dark net who will use a UK proxy (appears to be from the UK but is from North Korea).

3. Same for the VPN. No need for such a wide range.

4. OMG. Try to disable FTP and use just SFTP. Same for the wide range.

Try to tune your existing rules. And don't forget the reverse proxy!
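To make the "All ports - All sources" problem concrete, here is a small first-match firewall evaluator, added as an example for this thread; it is not DSM code and not from either poster. It models a DSM-style rule list (ordered rules, each with protocol, ports, source networks and allow/deny, plus the "if no rule matches" default) and probes the port list quoted above from a WAN address. The rule names, the LAN range 192.168.1.0/24, the probe address 203.0.113.5 and the "allow" default policy are assumptions for illustration; the hardened set follows the advice in the thread: admin ports only from the LAN, one TLS port for the reverse proxy, everything else denied.

```python
"""First-match firewall evaluator modelled on DSM's rule list.

Added example for this thread, not Synology code. The port list below is the
one quoted in the post above for the Video Station application rule; the LAN
range, probe address, default policy and rule names are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Sequence, Tuple


def ports(lo: int, hi: Optional[int] = None) -> range:
    """Inclusive port range helper: ports(9025, 9040) covers 9025..9040."""
    return range(lo, (hi if hi is not None else lo) + 1)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                      # "allow" or "deny"
    proto: str = "any"                               # "tcp", "udp" or "any"
    port_ranges: Optional[Sequence[range]] = None    # None == all ports
    sources: Optional[Sequence[str]] = None          # None == all sources, else CIDRs

    def matches(self, proto: str, port: int, src: str) -> bool:
        if self.proto not in ("any", proto):
            return False
        if self.port_ranges is not None and not any(port in r for r in self.port_ranges):
            return False
        if self.sources is not None:
            addr = ip_address(src)
            if not any(addr in ip_network(net) for net in self.sources):
                return False
        return True


def decide(rules: Sequence[Rule], default: str, proto: str, port: int, src: str) -> Tuple[str, str]:
    """Rules are evaluated top-down, first match wins, otherwise the default applies."""
    for rule in rules:
        if rule.matches(proto, port, src):
            return rule.action, rule.name
    return default, "<no rule matched>"


# Ports the "Video Station - All ports" rule exposes, per the post above, plus
# a few others worth probing.
PROBE: List[Tuple[str, int]] = (
    [("udp", 1900), ("tcp", 5000), ("tcp", 5001), ("tcp", 5002), ("tcp", 5004), ("tcp", 65001)]
    + [("tcp", p) for p in ports(9025, 9040)]
    + [("tcp", 443), ("tcp", 22), ("tcp", 21)]
)

WAN_CLIENT = "203.0.113.5"   # documentation address standing in for "anyone on the internet"
LAN = "192.168.1.0/24"       # assumed home LAN

# The rule set from the screenshot, as described: one app rule, all ports, all sources.
WEAK_RULES = [Rule("Video Station", "allow")]

# What the thread recommends: admin only from the LAN, TLS for the reverse proxy, deny the rest.
HARDENED_RULES = [
    Rule("DSM admin from LAN", "allow", "tcp", [ports(5000), ports(5001)], [LAN]),
    Rule("LAN media apps", "allow", "any", [ports(1900), ports(9025, 9040)], [LAN]),
    Rule("Reverse proxy TLS", "allow", "tcp", [ports(443)]),
    Rule("Deny everything else", "deny"),
]


def wan_exposure(rules: Sequence[Rule], default: str = "allow") -> List[Tuple[str, int]]:
    """Return the probed (proto, port) pairs a WAN client is allowed to reach."""
    return [(proto, port) for proto, port in PROBE
            if decide(rules, default, proto, port, WAN_CLIENT)[0] == "allow"]


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        exposed = wan_exposure(rules)
        print(f"{label:<9} {len(exposed):>2} of {len(PROBE)} probed ports open to {WAN_CLIENT}: {exposed}")
```

The explicit deny-all rule at the end of the hardened set is deliberate: it makes the result independent of whatever the "if no rules are matched" default is set to, which is the setting most people never look at.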
 
Bloody hell, I had no idea I'd done it so wrong. I'm getting a 920+ tomorrow so will stick the above into LAN-only mode and build the new one up properly.

I think part of the problem is that I'd tried to set up a VPN on it (and failed) but have messed around with the settings and not really realised what I'd done.

Thanks for opening my eyes @jeyare , much appreciated.
 
1900 (UDP) is the port of UPnP - the reason for my suggestion "stop the UPnP", based on your Shodan record,
because:
SSDP is the basis of the discovery protocol of UPnP, and the SSDP is the basis of your "nice" record in the Shodan DB.

You also need to check your router setup.

To better understand why SSDP is vulnerable, you can read more here:
or here:
or here:

The problem with most Synology NASes is that they have this port natively enabled for WAN, not only from the point of view of DSM but also from the point of view of native Synology apps (e.g. Video Station, Media Server, Audio Station). Thus, even with a user-defined firewall setup, as seen in the example of @ed.j's firewall setup.

It is purely Synology's responsibility for allowing this kind of setup for unskilled users.
It's like making a car with an engine that doesn't have a thermostat to process the heated coolant = each driver has to monitor and regulate it manually (skilled and unskilled). And when the stuck engines appear, they will play possum.

One of the reasons it is not sustainable is providing a single DSM GUI for newbies, advanced or enterprise users.
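An added example (not from the post and not Synology's code) of the exchange SSDP discovery consists of, and of what a Shodan-style record built from it contains: the M-SEARCH datagram a scanner sends to 1900/UDP, a parser for the reply, and the checks that turn the reply into findings. The sample reply is constructed for the example (its LOCATION URL, SERVER string and USN are made up), and the `probe()` helper only runs when the script is given a host on the command line, so the parsing and assessment work offline.

```python
"""SSDP (UPnP discovery) from a scanner's point of view.

Added example for this thread, not Synology's code. The sample reply below is
constructed: its LOCATION, SERVER and USN values are made up to show the shape
of a real answer, not copied from any device.
"""
import socket
import sys
from ipaddress import ip_address
from typing import Dict, List
from urllib.parse import urlparse

SSDP_PORT = 1900
SSDP_MCAST = "239.255.255.250"


def build_msearch(st: str = "ssdp:all", mx: int = 1, host: str = SSDP_MCAST) -> bytes:
    """The discovery request. A unicast scan sends exactly this to <target>:1900."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {host}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {st}",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_ssdp_response(datagram: bytes) -> Dict[str, str]:
    """SSDP replies are HTTP-shaped: status line, 'NAME: value' headers, blank line."""
    text = datagram.decode("utf-8", errors="replace")
    head, _, _ = text.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = {"status": status.strip()}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def assess(headers: Dict[str, str]) -> List[str]:
    """What a reply to a WAN-side M-SEARCH tells whoever sent it."""
    findings = ["1900/UDP answered an M-SEARCH: SSDP is reachable from this vantage point"]
    if "SERVER" in headers:
        findings.append(f"device fingerprint from SERVER header: {headers['SERVER']}")
    loc = urlparse(headers.get("LOCATION", ""))
    if loc.hostname:
        try:
            private = ip_address(loc.hostname).is_private
        except ValueError:          # LOCATION carried a hostname, not an address
            private = False
        if private:
            findings.append(
                f"LOCATION leaks an internal address and service port: {loc.hostname}:{loc.port}")
        findings.append(f"device description XML fetchable at {loc.geturl()}")
    return findings


# Constructed sample reply (values made up for the example).
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.168.1.20:5000/description.xml\r\n"
    b"SERVER: Linux UPnP/1.0 ExampleMediaServer/1.0\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"\r\n"
)


def probe(target: str, timeout: float = 2.0) -> List[Dict[str, str]]:
    """Send one unicast M-SEARCH to target:1900 and collect replies (needs network access)."""
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_msearch(host=target), (target, SSDP_PORT))
        try:
            while True:
                data, _ = sock.recvfrom(65535)
                replies.append(parse_ssdp_response(data))
        except socket.timeout:
            pass
    return replies


if __name__ == "__main__":
    if len(sys.argv) > 1:           # live probe against a host you own
        for reply in probe(sys.argv[1]):
            print("\n".join(assess(reply)))
    else:                           # offline demonstration on the constructed reply
        print("\n".join(assess(parse_ssdp_response(SAMPLE_REPLY))))
```

Run it from outside your network against your own public address: any reply at all means the router or the NAS firewall is passing 1900/UDP, which is exactly what produces the Shodan record discussed above; the fix is the router-side block and UPnP off, after which `probe()` times out with an empty list.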
 
As I wrote here 2 years ago, when some expect that newbies will use the NAS, a wizard mode for them is necessary. None of them can understand what firewall means, or even WAN, not to speak about ports, ...
 
Germany's cybersecurity agency says the country faces a grave and growing threat as society becomes more digitally connected and criminals more sophisticated. The BSI said threat levels had reached red alarm levels.

and here is an army of almost 3M potential botnets, and Syno doesn't care about it.
 
Is the static IP address public?
Y: just wait for the next Shodan scan round :), they will catch you. In the best case with 443 controlled by your firewall.
N: no worries.
 
The range of IP addresses is defined by IANA:
4.3B IPv4
0.6B reserved and can't be used for public routing
there is also a known allocation and assignment set for IPv6
for both of them there is also a known H/HD ratio

Then creating automated script scenarios in Py to achieve useful collecting of "active" IP content isn't rocket science. For the brute-force attitude of companies like Shodan it is peanuts.

This is really not about Schrödinger's cat...
because a company like Shodan will scan the entire internet always and always and always.
In the right hands the Shodan DB is a really useful tool. Yes, what is right for me isn't the same for hackers from XY group. Accessing this service behind a proxy is one of the smart rules for how to use it. Incl. registration to view more from their DB - don't use your primary email (OMG).
Same reason why not everyone can get on a plane and fly it immediately and securely.

more:


btw, guys from Anonymous found a record in Shodan re the publicly accessible beta host for the Truth/Trump new tragedy.

according to:

Truth Social’s website currently allows users to sign up for a waiting list and also advertises an iPhone app, produced by a company known as “T Media Tech LLC,” that is available for preorder.

Armed with the app developer’s name, the hacker told the Daily Dot that they were able to utilize Shodan, a search engine that locates servers exposed to the open internet, to track down the company’s digital footprint.
 
and it's growing



When just 10% of them are able to cover "hidden" scanning of the rest of the internet, it's about:

305k devices × just 50 full SSDP/port scans (of other targeted IPs) per day = 2.783B records per half year into dark-net DBs regarding the "first check"

which is 65% of the total IPv4 pool = 2^32 = 4,294,967,296 addresses
ofc, there is also a growing IPv6 pool

... it is brute force.
 
Almost a month ago I sent a description of this problem to the Syno security team.
Silence.

… two weeks ago I sent a personal message to someone at the EU Syno HQ.
He tried to contact colleagues at the central HQ.
Silence.

tic, tac, tic, tac
 