SSH getting pounded even though it's disabled

I feel I must be missing something obvious.
In Control Panel / Terminal & SNMP I have SSH disabled.
I have rsync enabled, but the SSH encryption port is set to a high obscure number.
My connection log in Log Center shows a constant barrage of "User [root] from [random constantly changing IP address] failed to log in via [SSH] due to authorization failure."

How is the attacker even getting to the point of an authorization failure if SSH is disabled?

The machine, which is in a colocation center, must be open to the internet to some extent, as it's running a mail server, and because my NAS's at home back up to it using hyperbackup.

Is there anything I can do to stop these login attempts via SSH? Or am I misunderstanding what's going on?
 
I have rsync enabled, but the SSH encryption port is set to a high obscure number
So you do have ssh enabled. Even if it's on a high port, obviously you can detect what protocol is behind any port as long as the service is alive. Once you have the identification of it, you can start to brute-force it.

You could sort any rule on the router level or IDS/IPS device to prevent such requests ever reaching the NAS.
 
SFTP is not enabled.
Hm, so if they found my rsync SSH port, how would I block that at the router, without also blocking rsync/hyperbackup/shared folder sync?
 
I have no idea, since I have no access to it, but most likely a Cisco.

Some routers may have the ability to use a domain name/ddns as a source rather than ip. Idk Cisco, and with you not having access that poses an obstacle.

*although wouldn’t the rule sit on your local router in which the nas is connected to? What type of router do you have?

I utilize this method on my router, in which even though my remote site has a dynamic ip address the router conducts a name lookup using the ddns name every x amt of seconds and will only allow that ip in. This has worked great for us.
 
Gerard, I think you're not understanding the situation. The NAS sits in a colocation center, a room the size of a warehouse, on a rack with hundreds of other services owned by other customers of the colocation center, and many hundreds of domain names among them. The router serves all of these hundreds of servers, and is owned by the colocation center.

Obviously, if the NAS were in my home or office, I'd have control of the router, but that's not the environment I'm working with. In any event, I was able to follow Rusty's solid advice and set the NAS's own firewall appropriately to let rsync/SSH packets through only from known subnets.
 
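The check implied by the fix above, as an added example that is not part of the thread: it parses connection-log lines in the wording quoted in the first post and splits failed SSH logins into sources inside and outside an allowlist of known subnets. The subnet, the addresses and the sample lines are constructed (documentation ranges); a real Log Center export may carry extra columns, which the regex search tolerates.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the Log Center wording quoted in the first post.
# Addresses come from documentation ranges (RFC 5737), not real sources.
SAMPLE_LOG = """\
User [root] from [203.0.113.45] failed to log in via [SSH] due to authorization failure.
User [root] from [198.51.100.7] failed to log in via [SSH] due to authorization failure.
User [admin] from [203.0.113.45] failed to log in via [SSH] due to authorization failure.
User [backup] from [192.0.2.20] failed to log in via [SSH] due to authorization failure.
User [root] from [203.0.113.45] failed to log in via [SSH] due to authorization failure.
User [mailuser] from [198.51.100.9] logged in via [IMAP].
"""

# Assumed allowlist: the "known subnets" the home NASs connect from.
ALLOWED_SUBNETS = ["192.0.2.0/24"]

FAILED_SSH = re.compile(
    r"User \[(?P<user>[^\]]*)\] from \[(?P<ip>[^\]]+)\] "
    r"failed to log in via \[SSH\]"
)


def summarize(log_text, allowed_subnets):
    """Count failed SSH logins per source, split by allowlist membership."""
    nets = [ipaddress.ip_network(n) for n in allowed_subnets]
    inside, outside = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED_SSH.search(line)
        if not m:
            continue  # other services and successful logins are ignored
        try:
            addr = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # source field is not an IP literal: skip the line
        bucket = inside if any(addr in n for n in nets) else outside
        bucket[str(addr)] += 1
    return inside, outside


if __name__ == "__main__":
    inside, outside = summarize(SAMPLE_LOG, ALLOWED_SUBNETS)
    print("Failures from allowed subnets:", dict(inside))
    print("Failures from everywhere else:", outside.most_common())
```

Once the NAS firewall rule is active, new entries in the second bucket mean the rule is not covering the rsync/SSH port, and entries in the first bucket point at a misconfigured backup source.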
The machine, which is in a colocation center, must be open to the internet to some extent, as it's running a mail server, and because my NAS's at home back up to it using hyperbackup.

Didn’t you say here, “my nas’s at home?”
I was going off this line in which a machine that runs a mail server (type of machine not specified is in a colo) and your nas at home backs up to it.

Anyway use the subnetting method that would work
 
You could contact the co-lo service provider and ask what perimeter security they apply, what restrictions to ports, if you have dedicated Internet IP, can it be tailored for your situation etc. This is in no way a criticism of their service but would then allow you to understand their edge security and how it applied to your device. You can then adapt, as best you can, your security features to reduce the exposure to unwanted sources.

You should also ask about internal separation between hosted devices.

Would it be possible to set up VPN Server on the hosted NAS and VPN client tunnels from the source NASs? Then use these to minimise the exposed ports to just VPN Server. Though I'd test that the configuration is robust before switching to VPN-only access, maybe some restricted access enabled for emergencies with 2FA :)
 
These are good thoughts; they are able to restrict access to my server to certain IP addresses, but not on a port by port basis, so that does me no good, as one of the NAS's functions is "mail server," so it has to be open to all. (This is also why I can't limit access to VPN-only). And, in any event, I would prefer not to trust my security to the colocation provider.
 