Synology Security Issue and How-to Harden your NAS


It’s quite busy in the Synology forum about a coin miner, in a thread started on 2014/2/8 by Joakim Lotsengard on the Synology page on Facebook. Someone used CVE-2013-6955 and CVE-2013-6987 to insert a coin miner program that runs in the background. It takes all CPU resources and slows down your access to the NAS.

You may read the press release from Synology if you want to learn more about this issue. Please follow its instructions to remove the unwanted program by reinstalling DSM and updating manually.

UPDATE @ 2014/8/6: SynoLocker uses the same vulnerability to encrypt files and ask for money. Y-Combinator has a threaded discussion. You need to upgrade your DSM manually; the fix is not picked up by auto-update. Please refer to Downgrade Synology DSM for detailed instructions.

I am going to show you how to check yourself and harden your NAS, covering Asustor ADM, QNAP QTS, Synology DSM and ThecusOS 6.

UPDATE @ 2015/4/1 – Added security settings for ThecusOS 6.

How to Tell if I got Hacked

Well, a good hacker knows how to hide himself. It is not a good idea to trust what you see in the built-in monitoring tools, which might already have been replaced.

You may follow the instructions in Linux Processor Viewer with Thread Support and install tools like htop to check for yourself. If there is any suspicious process you have never seen, google it.

Please don’t trust the built-in monitoring tools because they might already have been tampered with. You won’t get the right information from infected tools.

htop running on Atom D2701-based QNAP NAS with four logical threads.

How Bad It Could Be

Well, very bad, especially if you keep files on the NAS and rely on RAID 1 for protection. RAID 1 only mirrors whatever is written to disk, so it protects against a failed drive, not against a program that overwrites your files.

Because the hacker has the rights to execute programs, he could run an encryption program on your files and ask for ransom. You may google the news for “ransomware encryption”.

How to Protect Myself

If you are interested in security, you may find some useful introductions in McAfee Publications. They cover many topics, not only protection from intrusion but also network access control, user behavior, data loss prevention, SQL injection, cross-site scripting, etc.

Most of us don’t have the budget to invest in enterprise-level security appliances and consulting services, but there are some things we can do.

The strategy is to make it more complex to break into your system by slowing the attacker down. The basic assumption is that time is money: if it takes too much time to hack, he will move on to easier targets.

Slow it Down

ADM

In ADM on Asustor, open [Settings]→[ADM Defender]. The [Network Defender] tab may prevent brute-force intrusion. More related tools can be found in the [Brute-force your Password] section of Find out more Available Service by your NAS. You may also add a black list to ban addresses permanently.

Network Defender Settings in ADM 2.1 Beta.

QTS

In QTS on QNAP, open [Control Panel]→[System Setting]→[Security]. The [Network Access Protection] tab provides finer tuning for individual services, but I am not sure if it covers every service.

Network Access Protection Settings in QTS.

DSM

If you are using DSM 4.3 from Synology, a similar feature may be found under [Auto Block] in the [Network Service] group of [Control Panel], as below. You may specify black and white lists in the tabs, too.

Auto Block Settings in DSM 4.3.

In DSM 5.0 Beta from Synology, it has moved to the [Auto Block] tab in [Control Panel]→[Connectivity]→[Security], as below. But the black list feature has been removed, which might be a problem if you want to ban certain IPs.

Correction by Nicholas Polydor on 2014/4/11: Synology changed the name from “Black List” to “Block List”. Both can ban the IPs in the list. I apologize for the misleading statement.

Auto Block Settings in DSM 5.0 Beta.

Close the Door

I used inetd and TCP Wrappers in Mandriva 6.0 in 1999 to simplify port management. You may set policies to control program execution.

A firewall is more advanced, controlling inbound and outbound packets. But it is more difficult to manage the policies; you need basic network knowledge.

ADM

In ADM on Asustor, open [Settings]→[ADM Defender]. In the [Firewall] tab, you may create your own rules by specifying a rule name, an IP or IP range, and ports from the built-in services or customized protocols. Concise and detailed.

Firewall Rules Settings in ADM 2.1.

QTS

In QTS on QNAP, open [Control Panel]→[System Setting]→[Security]. Use the [Security Level] tab to restrict access from specific IPs. You cannot specify port-level policies. In plain English, you need to know who is attacking you rather than adding a lock on your safe.

[Security Level] and [Network Access Protection] together are similar to [Network Defender] in ADM on Asustor and to DSM 4.3 from Synology.

All the settings are written to ipsec.conf, ipsec_allow.conf, and ipsec_deny.conf in the [/etc/config/] folder. More configuration files may be found in QNAP QTS Configuration and Executable Files.

Unfortunately, it is also reported that these policies don’t work on 4.0.2 and 4.0.3.

IP-specific Security Level Settings in QTS.

I tested with iptables on the command line. It seems they didn’t compile iptables support into the kernel. You need to read and follow this discussion thread and install it yourself.

[/etc/config] # iptables -L
modprobe: could not parse modules.dep
iptables v1.4.12: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

DSM

If you are using DSM 4.3 from Synology, a more complete firewall feature may be found under [Firewall and QoS] in the [Network Service] group of [Control Panel], as below. You may specify ports and IPs and choose the action. Protocols are set in the [Custom] dialog under Ports.

Firewall Rules Settings in DSM 4.3.

If you are using DSM 5.0 beta from Synology, it is similar to 4.3 and may be found in the [Firewall] tab in [Control Panel]→[Connectivity]→[Security], as below. You may specify port, protocol and IP and choose the action.

Firewall Rules Settings in DSM 5.0 Beta.

ThecusOS

You need to download Access Guard manually or install it directly from [Control Panel]→[Application Server]→[Official NAS application]. After it is installed, you may manage your firewall rules from [Control Panel]→[Application Server]→[Access Guard], as below. You may specify MAC, port, protocol and IP and choose the action.

Firewall Rules Settings in Access Guard.

Double Check

Please use nmap or another port scan service to double-check your firewall settings. Use THC-Hydra to test whether unauthorized access is blocked.

In Find out more Available Service by your NAS, I demonstrate how to use nmap in the Scan for Available Service section, and then use THC-Hydra to hack the root password in the Brute-force your Password section.

You may also use netstat -tulpn to see which process is listening on which port. Here is a sample result from an Asustor AS-602T running ADM 2.1 Beta.

root@AS602T:/volume1/.@root # netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      25335/sshd
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      9985/cupsd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      27031/myhttpd
tcp        0      0 0.0.0.0:3260            0.0.0.0:*               LISTEN      29285/iscsi-scstd
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      25192/lighttpd
tcp        0      0 0.0.0.0:8001            0.0.0.0:*               LISTEN      25192/lighttpd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      9959/mysqld
tcp        0      0 :::21                   :::*                    LISTEN      31699/proftpd: (acc
tcp        0      0 :::22                   :::*                    LISTEN      25335/sshd
tcp        0      0 :::631                  :::*                    LISTEN      9985/cupsd
tcp        0      0 :::3260                 :::*                    LISTEN      29285/iscsi-scstd
tcp        0      0 :::8000                 :::*                    LISTEN      25192/lighttpd
tcp        0      0 :::8001                 :::*                    LISTEN      25192/lighttpd
tcp        0      0 :::80                   :::*                    LISTEN      9955/apache2
udp        0      0 0.0.0.0:8888            0.0.0.0:*                           26526/hostmand
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           10295/avahi-daemon:
udp        0      0 0.0.0.0:53277           0.0.0.0:*                           10295/avahi-daemon:
udp        0      0 0.0.0.0:38966           0.0.0.0:*                           1059/dhclient
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1059/dhclient
udp        0      0 :::29428                :::*                                1059/dhclient

Never Ending Story

These are some things you can do from the web admin interface in Asustor ADM, QNAP QTS, Synology DSM and ThecusOS 6 to harden your NAS. They should keep you away from some intrusions.

But you still need to check for vulnerabilities, patch regularly, and monitor process and resource usage; always be prepared for the next attack.

For Asustor ADM users, use [System Information] → [Dr. ASUSTOR] tab → [Security] section to get advice and quick links to security settings.

From the Net

I also got a comment from Clas Mehus, a journalist at IDG Magazines Norge AS. I think his comment is useful and I have his permission to quote it here for your reference.

He also recommends PCWorld: Asus, Linksys router exploits tell us home networking is the vulnerability story of 2014 if you are interested in this security issue.

I believe we will see a lot of issues with NAS units now. There are several things that worry me.

– People don’t update their firmware. I believe automatic updates are needed to roll out critical firmware updates. Look at the “Asusgate” issue related to the NAS services on their routers – the AiCloud issue has been known since last summer. Very few have updated the firmware, and for a long time there will be open units. Same with the open FTP issue for Asus routers.

– UPnP worries me when it comes to security for NAS solutions. I believe that some users think some services will only be available on their local network. What we see now is a lot of NAS units – Qnap included – that have SMB exposed to the internet. And since people believe SMB is only for the local network, they don’t use access management for the shares.

– More and more services on these products… and you don’t get a good overview of what’s enabled. The information related to some of the services isn’t good either – some users don’t understand what they are doing and expose services and their data. There are quite a few that are running open FTP servers on their NAS units – Qnap included – and basically share everything with everyone.

– Services like Shodan change the game. Finding NAS units with open SMB, open FTP and known security holes can be done by everyone. You don’t have to be “a hacker” at all – very basic knowledge is all that is needed now to steal huge amounts of data from open NAS units. More services like Shodan will come. We already have a service that only scans for services/units on Norwegian IP addresses. I know a Swedish service is under construction. Making such services, based on nmap/zmap data, is from what I understand not that difficult. And I have to say that I like these services – yes, they will cause more people to be “hacked”, but at the same time they change how products such as NAS are made more secure.

I think I kinda would like to see a “lockdown mode” on the NAS units. A choice that can better make sure that only local network traffic is allowed and disables everything else – a lot of users only use the storage shares for local network access. Limit it to this.

Qnap, Synology, Netgear, Zyxel, Thecus, Asustor etc. all have to start thinking more about security and give a GUI with better info so that users don’t make mistakes.

From LinkedIn: QNAP: Recently Synology Coin Miner Issue remind me to check the security setting in my NAS

Other Notes

Change Web Admin Port

Some people might want to change the port number of the web administration interface. It is not as helpful as the security settings mentioned above; hackers can still scan for it.

In ADM, the port number may be changed from 8000 to whatever you like in the [Management] tab under [General] of [Settings].

In QTS, open [Control Panel]→[System Setting]→[General Settings]. Change the [System port] as you wish.

In DSM 4.3, it is hidden in the [HTTP Service] tab of [DSM Settings] in the [System] group of [Control Panel]. The default port is 5000. But in 5.0 it has been moved to the [Advanced] tab of [External Access] in the [Connectivity] group of [Control Panel], so it seems I might get lost switching between 4.3 and 5.0 in the future.

iptables and firewall

iptables can be configured as both a packet filtering firewall and a stateful firewall. The course notes from the University of South Wales provide a very detailed explanation.

Both ADM and DSM have iptables built into the Linux kernel, and it is configurable. Neither provides deep packet inspection, which examines the content of each packet. Stateful vs Deep Packet Inspection provides a good comparison of them.

In short, a stateless firewall checks the IP, a packet filtering firewall checks IP + protocol, a stateful firewall checks IP + protocol + port and connection state, and deep packet inspection checks IP + protocol + port and state + content. The more it checks, the more memory and computing power it consumes.
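The stateful policy described in this section, applied to the services found with netstat -tulpn in the Double Check section above, as an added example that is not from the original post or from any NAS vendor. It assumes a POSIX shell with awk and sort, a Linux kernel with iptables and the conntrack match, and a LAN of 192.168.1.0/24 (an assumed address); the sample netstat output is a trimmed copy of the AS-602T listing in the post.

```shell
#!/bin/sh
# Added example, not from the original post: audit `netstat -tulpn` output for
# sockets bound on every interface, then render a stateful iptables "lockdown"
# ruleset (iptables-restore format) that admits those services from the LAN only.

# Constructed sample: a trimmed copy of the AS-602T netstat output in the post.
NETSTAT_SAMPLE=$(cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      25335/sshd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      27031/myhttpd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      9959/mysqld
tcp        0      0 :::21                   :::*                    LISTEN      31699/proftpd: (acc
tcp        0      0 :::22                   :::*                    LISTEN      25335/sshd
tcp        0      0 :::80                   :::*                    LISTEN      9955/apache2
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           10295/avahi-daemon:
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1059/dhclient
EOF
)

# exposed_listeners: read netstat output on stdin, print "proto port program"
# for every socket bound to 0.0.0.0 or :: (reachable from any interface).
# Loopback-only listeners such as mysqld on 127.0.0.1 are not reported.
exposed_listeners() {
    awk '$1 == "tcp" || $1 == "udp" {
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "127.0.0.1" || addr == "::1") next
        prog = "-"                       # PID/Program is the last "pid/name" field
        for (i = NF; i > 0; i--) if ($i ~ /^[0-9]+\//) { prog = $i; break }
        sub(/^[0-9]+\//, "", prog); sub(/:$/, "", prog)
        print $1, port, prog
    }' | sort -u
}

# gen_lockdown_rules LAN_CIDR: read "proto port program" lines on stdin and
# emit a default-deny INPUT policy. The conntrack rules make it stateful: replies
# to the NAS's own connections pass, and each service accepts NEW flows from the LAN only.
gen_lockdown_rules() {
    lan="$1"
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    while read -r proto port prog; do
        printf '# %s\n-A INPUT -s %s -p %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
            "$prog" "$lan" "$proto" "$port"
    done
    printf '%s\n' 'COMMIT'
}

# Demo: audit the sample and render rules for a 192.168.1.0/24 LAN (assumed).
printf '%s\n' "$NETSTAT_SAMPLE" | exposed_listeners | gen_lockdown_rules 192.168.1.0/24
```

Where the vendor GUI already manages iptables (ADM, DSM), enter the same per-service rules there rather than loading the output with iptables-restore, so they survive reboots and firmware updates.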

Reference

  1. Asustor: ADM
  2. Asustor: AS-602T
  3. Clas Mehus
  4. Downgrade Synology DSM
  5. Facebook: Synology: 2014/2/8 by Joakim Lotsengard
  6. Find out more Available Service by your NAS
  7. FreeBSD.org: 14.4. TCP Wrappers
  8. FreeBSD.org: 28.2. The inetd Super-Server
  9. htop – an interactive process viewer for Linux
  10. LinkedIn: QNAP: Recently Synology Coin Miner Issue remind me to check the security setting in my NAS
  11. Linux Processor Viewer with Thread Support
  12. LinuxQuestions: iptables and inetd?
  13. McAfee Publications
  14. nixCraft: 20 Linux Server Hardening Security Tips
  15. nixCraft: Linux: Find Out Which Process Is Listening Upon a Port
  16. nmap
  17. National Vulnerability Database: Vulnerability Summary for CVE-2013-6955
  18. National Vulnerability Database: Vulnerability Summary for CVE-2013-6987
  19. PCWorld: Asus, Linksys router exploits tell us home networking is the vulnerability story of 2014
  20. QNAP: QTS
  21. QNAP NAS Community Forum: iptables
  22. QNAP NAS Community Forum: security level->deny connections from list-not working 4
  23. QNAP QTS Configuration and Executable Files
  24. Synology Forum: hacked ressource Monitor
  25. Synology: DSM for Business
  26. Synology: Press: Synology Continues to Encourage Users to Update
  27. Synology: Synology Fixes Vulnerability in DiskStation Manager
  28. Thecus: NAS App Center: Access Guard
  29. ThecusOS 6
  30. THC-Hydra
  31. Toolbox.com: Packet filtering firewall
  32. University of South Wales: Course Notes
  33. Wiki: Deep packet inspection
  34. Wiki: inetd
  35. Wiki: iptables
  36. Wiki: Standard RAID Levels: RAID 1
  37. Wiki: Stateful firewall
  38. Wiki: TCP Wrapper
  39. Y-Combinator: My Synology NAS has been hacked by ransomware calling itself Synolocker (twitter.com) 
  40. Zen.co.uk: Stateful vs Deep Packet Inspection

4 thoughts on “Synology Security Issue and How-to Harden your NAS”

  1. “For DSM 5.0 Beta from Synology, it is moved to [Auto Block] tab in [Control Panel]→[Connectivity]→[Security] as below. But the black list feature has been removed, it might be a problem if you want to ban certain IP.”

    Is it not at the bottom of the [Auto Block] tab page?

    “Create and manage an allow list to add IP addresses that you trust, or a block list to prevent certain IP addresses from logging in.

    Allow/Block List”


    • Dear Nicholas,

      Thank you for the correction. You are right. Synology changed the name from “Black List” to “Block List”. Both can ban the IPs in the list. I apologize for my misleading statement.

      Thank you very much!

      Best regards,

      Amigo


  2. “Because this hacker get the rights to execute programs, he could execute the encryption program on your files and ask for ransom. ”

    Looks like someone thought this was a great idea and actually did it. Synolocker


    • Dear jmez,

      Yes, unfortunately…

      But I wonder if this is just a small test before the real attack: they now know how fast it spreads, how long it takes to see an official response from Synology, how many people are willing to pay, and much other useful information. We might see a real or bigger attack begin on Friday morning in Asia next time.

      Have a nice day!

      Best regards,

      Amigo

