The Synology forum has been quite busy with a coin miner discussion, started on 2014/2/8 by Joakim Lotsengard on the Synology page on Facebook. Someone used CVE-2013-6955 and CVE-2013-6987 to plant a coin miner program that runs in the background. It takes all the CPU resources and slows down your access to the NAS.
UPDATE @ 2014/8/6 – SynoLocker uses the same vulnerability to encrypt files and ask for money. Y-Combinator has a threaded discussion. You need to upgrade your DSM manually; the update is not found by auto-update. Please refer to Downgrade Synology DSM for detailed instructions.
UPDATE @ 2015/4/1 – Added security on ThecusOS 6.
How to Tell if I got Hacked
Well, a good hacker knows how to hide himself. It is not a good idea to trust what you see in the built-in monitoring tools, which might already have been rewritten.
Please don’t trust the built-in monitoring tools, because they might already have been hacked. You won’t be able to get the right information from infected tools.
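One way to cross-check CPU usage without the built-in monitor, as an added example that is not part of the original post: rank processes by the CPU time recorded in /proc. It assumes shell access to the NAS and a Linux-style /proc; the function name is illustrative.

```shell
#!/bin/sh
# Added example: rank processes by accumulated CPU time using /proc only,
# without going through the NAS vendor's resource monitor.
# Assumption: a Linux-style /proc. A kernel-level compromise, or replaced
# shell utilities, can falsify this too, so treat it as a cross-check only.

# top_cpu_from_proc [PROC_ROOT] [COUNT]
# Prints "ticks pid exe-or-[comm]" for the COUNT processes with most CPU ticks.
top_cpu_from_proc() {
    proc_root=${1:-/proc}
    count=${2:-10}
    for dir in "$proc_root"/[0-9]*; do
        [ -r "$dir/stat" ] || continue
        # A process may exit between the glob and the read; skip it then.
        stat=$(cat "$dir/stat" 2>/dev/null) || continue
        pid=${dir##*/}
        # comm (field 2) may contain spaces or ')', so cut at the LAST ')'.
        comm=${stat#*\(}
        comm=${comm%\)*}
        rest=${stat##*\) }
        # After the cut: $1=state ... $12=utime $13=stime (stat fields 14, 15).
        set -- $rest
        [ $# -ge 13 ] || continue
        ticks=$(( ${12} + ${13} ))
        # The exe link names the binary really running, whatever the process
        # calls itself; kernel threads have no exe, so fall back to [comm].
        exe=$(readlink "$dir/exe" 2>/dev/null) || exe="[$comm]"
        printf '%s %s %s\n' "$ticks" "$pid" "$exe"
    done | sort -rn | head -n "$count"
}

# Usage on the NAS: top_cpu_from_proc /proc 5
```

A binary near the top of this list that the vendor's monitor does not show, or whose path is outside the system directories, is worth a closer look.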
How Bad It Could Be
Well, very bad, especially if you keep files on the NAS and rely on RAID 1 for protection.
Because the hacker gets the right to execute programs, he could run an encryption program on your files and ask for ransom. You may google for news on “ransomware encryption”.
How to Protect Myself
If you are interested in security, you may find some useful introductions in McAfee Publications. They cover many topics, not only protection from intrusion but also network access control, user behavior, data loss prevention, SQL injection, cross-site scripting, etc.
Most of us don’t have the budget to invest in enterprise-level security devices and consulting services, but there are some things we can do.
The strategy is to make it harder to hack into your system by slowing the hacker down. The basic assumption is that time is money. If it takes too much time to hack, he will move on to easier targets.
Slow it Down
In ADM on Asustor, open [Settings]→[ADM Defender]. The [Network Defender] tab may prevent brute-force intrusion. More related tools can be found in the [Brute-force your Password] section in Find out more Available Service by your NAS. You may also add a black list to ban addresses forever.
In QTS on QNAP, open [Control Panel]→[System Setting]→[Security]. The [Network Access Protection] tab provides finer tuning for individual services, but I am not sure if it includes every service.
If you are using DSM from Synology, in 4.3, a similar feature may be found in [Auto Block] in the [Network Service] group in [Control Panel] as below. You may specify black and white lists in the tabs, too.
For DSM 5.0 Beta from Synology, it has moved to the [Auto Block] tab in [Control Panel]→[Connectivity]→[Security] as below.
But the black list feature has been removed, which might be a problem if you want to ban a certain IP.
Correction by Nicholas Polydor on 2014/4/11: Synology changed the name from “Black List” to “Block List”. Both may ban the IPs in the list. I apologize for misleading you.
Close the Door
A firewall is a more advanced way to control inbound and outbound packets. But it is more difficult to manage its policies; you need to have basic network knowledge.
In ADM on Asustor, open [Settings]→[ADM Defender]. In the [Firewall] tab, you may create your own rules by specifying a rule name, an IP or IP range, and ports from built-in services or custom protocols. Concise and detailed.
In QTS on QNAP, open [Control Panel]→[System Setting]→[Security]. In the [Security Level] tab, you can restrict access from specific IPs. You cannot specify port-level policies. In plain English, you need to know who is attacking you rather than adding a lock to your safe.
All the settings are written into ipsec.conf, ipsec_allow.conf, and ipsec_deny.conf in the folder [/etc/config/]. More configuration files may be found in QNAP QTS Configuration and Executable Files. It behaves like a TCP Wrapper.
Unfortunately, it is also reported that these policies don’t work on 4.0.2 and 4.0.3.
I tested with iptables on the command line. It seems they didn’t enable iptables when compiling the kernel. You need to follow this discussion thread and install it yourself.
```
[/etc/config] # iptables -L
modprobe: could not parse modules.dep
iptables v1.4.12: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
```
If you are using DSM from Synology, in 4.3, a more complete firewall feature may be found in [Firewall and QoS] in the [Network Service] group in [Control Panel] as below. You may specify rules by port and IP, and choose the action to take. Protocols are set in the [Custom] dialog in Ports.
If you are using DSM from Synology, in 5.0 beta, it is similar to 4.3 and may be found in the [Firewall] tab in [Control Panel]→[Connectivity]→[Security] as below. You may specify rules by port, protocol, and IP, and choose the action to take.
On ThecusOS 6, you need to download Access Guard manually, or install it directly from [Control Panel]→[Application Server]→[Official NAS application]. Once it is installed, you may manage your firewall rules from [Control Panel]→[Application Server]→[Access Guard] as below. You may specify rules by MAC, port, protocol, and IP, and choose the action to take.
```
root@AS602T:/volume1/.@root # netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      25335/sshd
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      9985/cupsd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      27031/myhttpd
tcp        0      0 0.0.0.0:3260            0.0.0.0:*               LISTEN      29285/iscsi-scstd
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      25192/lighttpd
tcp        0      0 0.0.0.0:8001            0.0.0.0:*               LISTEN      25192/lighttpd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      9959/mysqld
tcp        0      0 :::21                   :::*                    LISTEN      31699/proftpd: (acc
tcp        0      0 :::22                   :::*                    LISTEN      25335/sshd
tcp        0      0 :::631                  :::*                    LISTEN      9985/cupsd
tcp        0      0 :::3260                 :::*                    LISTEN      29285/iscsi-scstd
tcp        0      0 :::8000                 :::*                    LISTEN      25192/lighttpd
tcp        0      0 :::8001                 :::*                    LISTEN      25192/lighttpd
tcp        0      0 :::80                   :::*                    LISTEN      9955/apache2
udp        0      0 0.0.0.0:8888            0.0.0.0:*                           26526/hostmand
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           10295/avahi-daemon:
udp        0      0 0.0.0.0:53277           0.0.0.0:*                           10295/avahi-daemon:
udp        0      0 0.0.0.0:38966           0.0.0.0:*                           1059/dhclient
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1059/dhclient
udp        0      0 :::29428                :::*                                1059/dhclient
```
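A listing like the one above is easier to act on once it is reduced to the services reachable from the network. The following is an added example, not from the original post: it filters `netstat -tulpn` text for listeners bound to every interface and subtracts the ports you meant to open. The function names and the allow-list are assumptions.

```shell
#!/bin/sh
# Added example: find services that listen on every interface, using the
# text output of `netstat -tulpn`.

# Excerpt of the AS602T listing shown above, used as sample input.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 25335/sshd
tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN 25192/lighttpd
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 9959/mysqld
tcp 0 0 :::21 :::* LISTEN 31699/proftpd: (acc
tcp 0 0 :::22 :::* LISTEN 25335/sshd
udp 0 0 0.0.0.0:5353 0.0.0.0:* 10295/avahi-daemon:
udp 0 0 0.0.0.0:68 0.0.0.0:* 1059/dhclient
EOF
}

# exposed_listeners: netstat text on stdin -> "proto port program" lines for
# sockets bound to 0.0.0.0 or ::, with IPv4/IPv6 duplicates merged.
exposed_listeners() {
    awk '
        $1 !~ /^(tcp|udp)6?$/ { next }               # skip banner and header
        {
            port = $4; sub(/^.*:/, "", port)          # text after the last colon
            host = substr($4, 1, length($4) - length(port) - 1)
            if (host != "0.0.0.0" && host != "::") next   # loopback or one address
            # tcp rows carry a State column, udp rows do not
            prog = ($1 ~ /^tcp/) ? $7 : $6
            sub(/^[0-9]+\//, "", prog); sub(/:$/, "", prog)
            key = substr($1, 1, 3) " " port " " prog
            if (!(key in seen)) { seen[key] = 1; print key }
        }'
}

# unexpected_listeners "PORT PORT ...": the same list, minus the ports you
# intended to expose (a hypothetical allow-list supplied by the admin).
unexpected_listeners() {
    exposed_listeners | awk -v allow=" $1 " 'index(allow, " " $2 " ") == 0'
}

# Usage on the NAS: netstat -tulpn | unexpected_listeners "22 443 8000"
```

Every line it prints is a service that either needs a firewall rule or should be switched off.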
Never Ending Story
But you still need to check for vulnerabilities, patch regularly, and monitor process and resource usage. Always be prepared for the next attack.
For Asustor ADM users, use [System Information] → [Dr. ASUSTOR] tab → [Security] section to get advice and quick links to security settings.
From the Net
I also got a comment from Clas Mehus, a journalist at IDG Magazines Norge AS. I think his comment is useful and I have his permission to quote it here for your reference.
He also recommends PCWorld: Asus, Linksys router exploits tell us home networking is the vulnerability story of 2014 if you are interested in the security issue.
I believe we will see a lot of issues with NAS-units now. There are several things that worry me.
– People don’t update their firmware. I believe automatic updates are needed to roll out critical firmware updates. Look at the “Asusgate”-issue related to the NAS-services on their routers – AiCloud-issue known since last summer. Very few have updated the firmware and for a long time there will be open units. Same with the open FTP-issue for Asus-routers.
– UPnP worries me when it comes to security for NAS-solutions. I believe that some users think some services will only be available on their local network. What we see now is a lot of NAS-units – Qnap included – that have smb exposed to the internet. And since people believe smb is only for the local network, they don’t use access management for the shares.
– More and more services on these products… and you don’t get a good overview of what’s enabled. The information related to some of the services ain’t good either – some users don’t understand what they are doing and expose services and their data. There are quite many that are running with open ftp servers on their NAS-units – Qnap included – and share everything basically with everyone.
– Services like Shodan change the game. Finding NAS-units with open smb, open ftps and running with known security holes can be done by everyone. You don’t have to be “a hacker” at all – very basic knowledge is needed now to steal huge amounts of data from open NAS units. More services like Shodan will come. We already have a service that only scans for services/units on Norwegian IP addresses. I know a Swedish service is under construction. Making such services, based on nmap/zmap data, is from what I understand not that difficult. And I have to say that I like these services – yes, they will cause that more people will be “hacked”, but at the same time they make change how products such as NAS are made more secure.
I think I kinda would like to see a “lockdown mode” on the NAS-units. A choice that better can make sure that only local network traffic is allowed. Disables everything else – a lot of users only use the storage shares for local network access. Limit it to this.
Qnap, Synology, Netgear, Zyxel, Thecus, Asustor etc etc. all have to start thinking more about security and give a GUI with better info so that users don’t make mistakes.
Change Web Admin Port
Some people might want to change the port number of the web administration. It is not as helpful as the security settings mentioned above. Hackers can still scan for it.
In ADM, the port number may be changed from 8000 to whatever you like in the [Management] tab in [General] of [Settings].
In QTS, open [Control Panel]→[System Setting]→[General Settings]. Change the [System port] as you wish.
In DSM 4.3, it is hidden in the [HTTP Service] tab of [DSM Settings] in the [System] group of [Control Panel]. The default port is 5000. But it has been moved to the [Advanced] tab in [External Access] in the [Connectivity] group of [Control Panel]; it seems I might get lost switching between 4.3 and 5.0 in the future.
iptables and firewall
Both ADM and DSM have iptables built into the Linux kernel, and it is configurable. Neither of them provides deep packet inspection, which examines the content of each packet. Stateful vs Deep Packet Inspection provides a good comparison of them.
In short, a stateless firewall checks the IP; a packet filtering firewall checks IP + protocol; a stateful firewall checks IP + protocol + port and status; deep packet inspection checks IP + protocol + port and status + content. The more it checks, the more memory and computing power it consumes.
- Asustor: ADM
- Asustor: AS-602T
- Clas Mehus
- Downgrade Synology DSM
- Facebook: Synology: 2014/2/8 by Joakim Lotsengard
- Find out more Available Service by your NAS
- FreeBSD.org: 14.4. TCP Wrappers
- FreeBSD.org: 28.2. The inetd Super-Server
- htop – an interactive process viewer for Linux
- LinkedIn: QNAP: Recently Synology Coin Miner Issue remind me to check the security setting in my NAS
- Linux Processor Viewer with Thread Support
- LinuxQuestions: iptables and inetd?
- McAfee Publications
- nixCraft: 20 Linux Server Hardening Security Tips
- nixCraft: Linux: Find Out Which Process Is Listening Upon a Port
- National Vulnerability Database: Vulnerability Summary for CVE-2013-6955
- National Vulnerability Database: Vulnerability Summary for CVE-2013-6987
- PCWorld: Asus, Linksys router exploits tell us home networking is the vulnerability story of 2014
- QNAP: QTS
- QNAP NAS Community Forum: iptables
- QNAP NAS Community Forum: security level->deny connections from list-not working 4
- QNAP QTS Configuration and Executable Files
- Synology Forum: hacked ressource Monitor
- Synology: DSM for Business
- Synology: Press: Synology Continues to Encourage Users to Update
- Synology: Synology Fixes Vulnerability in DiskStation Manager
- Thecus: NAS App Center: Access Guard
- ThecusOS 6
- Toolbox.com: Packet filtering firewall
- University of South Wales: Course Notes
- Wiki: Deep packet inspection
- Wiki: inetd
- Wiki: iptables
- Wiki: Standard RAID Levels: RAID 1
- Wiki: Stateful firewall
- Wiki: TCP Wrapper
- Y-Combinator: My Synology NAS has been hacked by ransomware calling itself Synolocker (twitter.com)
- Zen.co.uk: Stateful vs Deep Packet Inspection