The Synology forum has been quite busy with a coin miner issue, in a discussion started on 2014/2/8 by Joakim Lotsengard on the Synology page on Facebook. Someone used CVE-2013-6955 and CVE-2013-6987 to plant a coin miner program that runs in the background. It takes all the CPU resources and slows down your access to the NAS.
You may read the press release from Synology if you want to learn more about this issue. Please follow its instructions to remove the unwanted program by reinstalling DSM and updating manually.
UPDATE @ 2014/8/6 – SynoLocker uses the same vulnerability to encrypt files and ask for money. Y-Combinator has a threaded discussion. You need to upgrade your DSM manually; the fix is not found by auto-update. Please refer to Downgrade Synology DSM for detailed instructions.
I am going to show you how to check your own NAS and harden it, covering Asustor ADM, QNAP QTS, Synology DSM and ThecusOS 6.
UPDATE @ 2015/4/1 – Added security on ThecusOS 6.
How to Tell if I got Hacked
Well, a good hacker knows how to hide himself. It is not a good idea to trust what you see in the built-in monitoring tools, which might already have been rewritten.
You may follow the instructions in Linux Processor Viewer with Thread Support and install tools like htop to check for yourself. If there is any suspicious process you have never seen, google it.
Please don’t trust the built-in monitoring tools because they might already have been hacked. You won’t be able to get the right information from infected tools.

How Bad it Could Be
Well, very bad, especially if you keep files on the NAS and rely on RAID 1 for protection.
Because this hacker gets the right to execute programs, he could run an encryption program on your files and ask for ransom. You may google news for “ransomware encryption”.
How to Protect Myself
If you are interested in security, you may find some useful introductions in McAfee Publications. They cover many topics, not only protection from intrusion but also network access control, user behavior, data loss prevention, SQL injection, cross-site scripting, etc.
Most of us don’t have the budget to invest in enterprise-level security devices and consulting services, but there are some things we can do.
The strategy is to make it harder to hack into your system by slowing the attacker down. The basic assumption is that time is money. If it takes too much time to hack, he will move on to easier targets.
Slow it Down
ADM
In ADM on Asustor, open [Settings]→[ADM Defender]. The [Network Defender] tab can help prevent brute-force intrusion. More related tools can be found in the [Brute-force your Password] section in Find out more Available Service by your NAS. You may also add a black list to ban addresses forever.

QTS
In QTS on QNAP, open [Control Panel]→[System Setting]→[Security]. The [Network Access Protection] tab provides finer tuning for individual services, but I am not sure if it includes every service.

DSM
If you are using DSM from Synology, in 4.3 a similar feature may be found under [Auto Block] in the [Network Service] group in [Control Panel] as below. You may specify black and white lists in tabs, too.

For DSM 5.0 Beta from Synology, it has moved to the [Auto Block] tab in [Control Panel]→[Connectivity]→[Security] as below. But the black list feature has been removed, which might be a problem if you want to ban certain IPs.
Correction by Nicholas Polydor on 2014/4/11: Synology changed the name from “Black List” to “Block List”. Both can ban the IPs in the list. I apologize for misleading you.

Close the Door
I used inetd and TCP Wrappers in Mandriva 6.0 in 1999 to simplify port management. You may set policies to control program execution.
A firewall is more advanced and controls inbound and outbound packets. But its policies are more difficult to manage; you need to have basic networking knowledge.
ADM
In ADM on Asustor, open [Settings]→[ADM Defender]. In the [Firewall] tab, you may create your own rules by specifying a rule name, an IP or IP range, and ports from built-in services or custom protocols. Concise and detailed.

QTS
In QTS on QNAP, open [Control Panel]→[System Setting]→[Security]. Use the [Security Level] tab to restrict access from specific IPs. You cannot specify port-level policies. In plain English, you need to know who is attacking you rather than being able to add a lock to your safe.
[Security Level] and [Network Access Protection] together are similar to [Network Defender] in ADM on Asustor and in DSM 4.3 from Synology.
All the settings are written into ipsec.conf, ipsec_allow.conf, and ipsec_deny.conf in the folder [/etc/config/]. More configuration files may be found in QNAP QTS Configuration and Executable Files. It behaves like a TCP Wrapper.
Unfortunately, it is also reported that these policies don’t work on 4.0.2 and 4.0.3.

I tested with iptables on the command line. It seems they didn’t enable iptables when compiling the kernel. You need to follow this discussion thread and install it yourself.
[/etc/config] # iptables -L
modprobe: could not parse modules.dep
iptables v1.4.12: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
DSM
If you are using DSM from Synology, in 4.3 a more complete firewall feature may be found under [Firewall and QoS] in the [Network Service] group in [Control Panel] as below. You may specify rules by port and IP, and choose an action. Protocols are set in the [Custom] dialog in Ports.

If you are using DSM from Synology, in 5.0 beta the firewall is similar to 4.3 and may be found in the [Firewall] tab in [Control Panel]→[Connectivity]→[Security] as below. You may specify rules by port, protocol, and IP, and choose an action.

ThecusOS
You need to download Access Guard manually or install it directly from [Control Panel]→[Application Server]→[Official NAS application]. After installation, you may manage your firewall rules from [Control Panel]→[Application Server]→[Access Guard] as below. You may specify rules by MAC, port, protocol, and IP, and choose an action.

Double Check
Please use nmap or another port scanning service to double-check your firewall settings. Use THC-Hydra to test whether unauthorized access will be blocked.
In Find out more Available Service by your NAS, I demonstrate how to use nmap in the Scan for Available Service section, and then how to use THC-Hydra to hack for the root password in the Brute-force your Password section.
You may also use netstat -tulpn to see which process is listening on which port. Here is a sample result from an Asustor AS-602T running ADM 2.1 Beta.
root@AS602T:/volume1/.@root # netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      25335/sshd
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      9985/cupsd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      27031/myhttpd
tcp        0      0 0.0.0.0:3260            0.0.0.0:*               LISTEN      29285/iscsi-scstd
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      25192/lighttpd
tcp        0      0 0.0.0.0:8001            0.0.0.0:*               LISTEN      25192/lighttpd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      9959/mysqld
tcp        0      0 :::21                   :::*                    LISTEN      31699/proftpd: (acc
tcp        0      0 :::22                   :::*                    LISTEN      25335/sshd
tcp        0      0 :::631                  :::*                    LISTEN      9985/cupsd
tcp        0      0 :::3260                 :::*                    LISTEN      29285/iscsi-scstd
tcp        0      0 :::8000                 :::*                    LISTEN      25192/lighttpd
tcp        0      0 :::8001                 :::*                    LISTEN      25192/lighttpd
tcp        0      0 :::80                   :::*                    LISTEN      9955/apache2
udp        0      0 0.0.0.0:8888            0.0.0.0:*                           26526/hostmand
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           10295/avahi-daemon:
udp        0      0 0.0.0.0:53277           0.0.0.0:*                           10295/avahi-daemon:
udp        0      0 0.0.0.0:38966           0.0.0.0:*                           1059/dhclient
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1059/dhclient
udp        0      0 :::29428                :::*                                1059/dhclient
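Reading that list by eye gets tedious, so here is an added example (not part of the original post) that filters netstat -tulpn output down to services listening on every interface that are not on your own list of expected services. The sample input is an excerpt of the AS-602T output above; the allow-list format and the choice of expected services are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post.
# Reads `netstat -tulpn` output on stdin. $1 is a comma-separated allow list
# such as "tcp/22,tcp/8000" (a format chosen for this example).
unexpected_listeners() {
    awk -v allow="$1" '
    BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 ~ /^(tcp|udp)6?$/ {
        proto = $1; sub(/6$/, "", proto)              # treat tcp6/udp6 as tcp/udp
        port = $4; sub(/.*:/, "", port)               # text after the last colon
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr != "0.0.0.0" && addr != "::") next   # bound to a single address
        if (proto == "tcp" && $6 != "LISTEN") next
        prog = (proto == "tcp") ? $7 : $6             # UDP rows have no State column
        sub(/^[0-9]+\//, "", prog); sub(/:$/, "", prog)
        key = proto "/" port
        if ((key in ok) || (key in seen)) next        # expected, or IPv4/IPv6 duplicate
        seen[key] = 1
        print key, prog
    }'
}

# Excerpt of the AS-602T output shown in the post, used as sample input.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address State  PID/Program name
tcp   0      0      0.0.0.0:22      0.0.0.0:*       LISTEN 25335/sshd
tcp   0      0      0.0.0.0:631     0.0.0.0:*       LISTEN 9985/cupsd
tcp   0      0      0.0.0.0:8000    0.0.0.0:*       LISTEN 25192/lighttpd
tcp   0      0      127.0.0.1:3306  0.0.0.0:*       LISTEN 9959/mysqld
tcp   0      0      :::21           :::*            LISTEN 31699/proftpd: (acc
tcp   0      0      :::22           :::*            LISTEN 25335/sshd
tcp   0      0      :::631          :::*            LISTEN 9985/cupsd
udp   0      0      0.0.0.0:5353    0.0.0.0:*              10295/avahi-daemon:
udp   0      0      0.0.0.0:68      0.0.0.0:*              1059/dhclient
EOF
}

# Services the owner expects (assumed for the example): SSH and the ADM web UI.
sample_netstat | unexpected_listeners "tcp/22,tcp/8000"
```

On the NAS itself, run `netstat -tulpn | unexpected_listeners "tcp/22,tcp/8000"` with your own list. Every line it prints is a service to either turn off or cover with a firewall rule.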
Never Ending Story
These are some things you can do with the web admin interface in Asustor ADM, QNAP QTS, Synology DSM and ThecusOS 6 to harden your NAS. They should keep you away from some intrusions.
But you still need to check for vulnerabilities, patch regularly, and monitor process and resource usage; always be prepared for the next attack.
For Asustor ADM users, use [System Information] → [Dr. ASUSTOR] tab → [Security] section to get advice and quick links to security settings.
From the Net
I also got a comment from Clas Mehus, a journalist at IDG Magazines Norge AS. I think his comment is useful, and I have his permission to quote it here for your reference.
He also recommends PCWorld: Asus, Linksys router exploits tell us home networking is the vulnerability story of 2014 if you are interested in the security issue.
I believe we will see a lot of issues with NAS-units now. There are several things that worry me.
– People don’t update their firmware. I believe automatic updates are needed to roll out critical firmware updates. Look at the “Asusgate”-issue related to the NAS-services on their routers – AiCloud-issue known since last summer. Very few have updated the firmware and for a long time there will be open units. Same with the open FTP-issue for Asus-routers.
– UPnP worries me when it comes to security for NAS-solutions. I believe that some users think some services will only be available on their local network. What we see now is a lot of NAS-units – Qnap included – that have smb exposed to the internet. And since people believe smb is only for the local network, they don’t use access management for the shares.
– More and more services on these products… and you don’t get a good overview of what’s enabled. The information related to some of the services ain’t good either – some users don’t understand what they are doing and expose services and their data. There are quite many that are running with open ftp servers on their NAS-units – Qnap included – and share everything basically with everyone.
– Services like Shodan change the game. Finding NAS-units with open smb, open ftps and running with known security holes can be done by everyone. You don’t have to be “a hacker” at all – very basic knowledge is needed now to steal huge amounts of data from open NAS units. More services like Shodan will come. We already have a service that only scans for services/units on Norwegian IP addresses. I know a Swedish service is under construction. Making such services, based on nmap/zmap data, is from what I understand not that difficult. And I have to say that I like these services – yes, they will cause that more people will be “hacked”, but at the same time they make change how products such as NAS are made more secure.
I think I kinda would like to see a “lockdown mode” on the NAS-units. A choice that better can make sure that only local network traffic is allowed. Disables everything else – a lot of users only used the storage shares for local network access. Limit it to this.
Qnap, Synology, Netgear, Zyxel, Thecus, Asustor etc etc. all have to start thinking more about security and give a GUI with better info so that users don’t make mistakes.
From LinkedIn: QNAP: Recently Synology Coin Miner Issue remind me to check the security setting in my NAS
Other Notes
Change Web Admin Port
Some people might want to change the port number of the web administration interface. It is not as helpful as the security settings mentioned above. Hackers can still scan for it.
In ADM, the port number may be changed from 8000 to whatever you like in the [Management] tab in [General] of [Settings].
In QTS, open [Control Panel]→[System Setting]→[General Settings]. Change the [System port] as you wish.
In DSM 4.3, it is hidden in the [HTTP Service] tab of [DSM Settings] in the [System] group of [Control Panel]. The default port is 5000. But it has been moved to the [Advanced] tab in [External Access] in the [Connectivity] group of [Control Panel]; it seems I might get lost switching between 4.3 and 5.0 in the future.
iptables and firewall
iptables can be configured as both a packet filtering firewall and a stateful firewall. The course notes from University of South Wales provide a very detailed explanation.
Both ADM and DSM have iptables built into the Linux kernel, and it is configurable. Neither provides deep packet inspection, which examines the content of each packet. Stateful vs Deep Packet Inspection provides a good comparison of them.
In short, a stateless firewall checks the IP, a packet filtering firewall checks IP + protocol, a stateful firewall checks IP + protocol + port and status, and deep packet inspection checks IP + protocol + port and status + content. The more it checks, the more memory and computing power it consumes.
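To show where the stateful check sits next to plain packet-filter rules, here is an added example (not part of the original post) of a LAN-only iptables policy for a system where iptables is usable. The subnet, the port list and the IPT dry-run variable are assumptions; on a NAS the vendor's own firewall page may rewrite these rules.

```shell
#!/bin/sh
# Added example, not from the original post. IPT is a hypothetical override:
# leave it unset to call iptables, or set IPT=echo to only print the rules.
IPT="${IPT:-iptables}"

# lan_only_policy <LAN CIDR> <comma-separated TCP ports>
# Dry run: IPT=echo; lan_only_policy 192.168.1.0/24 22,8000,8001
lan_only_policy() {
    lan_net="$1"; ports="$2"
    case "$lan_net" in
        */*) ;;
        *) echo "usage: lan_only_policy 192.168.1.0/24 22,8000" >&2; return 1 ;;
    esac
    [ -n "$ports" ] || { echo "no ports given" >&2; return 1; }

    # Stay reachable while the chain is rebuilt.
    $IPT -P INPUT ACCEPT
    $IPT -F INPUT
    $IPT -A INPUT -i lo -j ACCEPT
    # Stateful check: replies to connections the NAS itself opened
    # (DNS, NTP, firmware updates). iptables 1.4.x uses the state match.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Packet filter: source network + protocol + destination port.
    $IPT -A INPUT -s "$lan_net" -p tcp -m multiport --dports "$ports" -j ACCEPT
    # Everything else, including all traffic from the Internet, is dropped.
    $IPT -P INPUT DROP
}
```

Do the dry run first and read the printed rules before applying them over SSH, because a wrong subnet locks you out of the NAS.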
Reference
- Asustor: ADM
- Asustor: AS-602T
- Clas Mehus
- Downgrade Synology DSM
- Facebook: Synology: 2014/2/8 by Joakim Lotsengard
- Find out more Available Service by your NAS
- FreeBSD.org: 14.4. TCP Wrappers
- FreeBSD.org: 28.2. The inetd Super-Server
- htop – an interactive process viewer for Linux
- LinkedIn: QNAP: Recently Synology Coin Miner Issue remind me to check the security setting in my NAS
- Linux Processor Viewer with Thread Support
- LinuxQuestions: iptables and inetd?
- McAfee Publications
- nixCraft: 20 Linux Server Hardening Security Tips
- nixCraft: Linux: Find Out Which Process Is Listening Upon a Port
- nmap
- National Vulnerability Database: Vulnerability Summary for CVE-2013-6955
- National Vulnerability Database: Vulnerability Summary for CVE-2013-6987
- PCWorld: Asus, Linksys router exploits tell us home networking is the vulnerability story of 2014
- QNAP: QTS
- QNAP NAS Community Forum: iptables
- QNAP NAS Community Forum: security level->deny connections from list-not working 4
- QNAP QTS Configuration and Executable Files
- Synology Forum: hacked ressource Monitor
- Synology: DSM for Business
- Synology: Press: Synology Continues to Encourage Users to Update
- Synology: Synology Fixes Vulnerability in DiskStation Manager
- Thecus: NAS App Center: Access Guard
- ThecusOS 6
- THC-Hydra
- Toolbox.com: Packet filtering firewall
- University of South Wales: Course Notes
- Wiki: Deep packet inspection
- Wiki: inetd
- Wiki: iptables
- Wiki: Standard RAID Levels: RAID 1
- Wiki: Stateful firewall
- Wiki: TCP Wrapper
- Y-Combinator: My Synology NAS has been hacked by ransomware calling itself Synolocker (twitter.com)
- Zen.co.uk: Stateful vs Deep Packet Inspection
“For DSM 5.0 Beta from Synology, it is moved to [Auto Block] tab in [Control Panel]→[Connectivity]→[Security] as below. But the black list feature has been removed, it might be a problem if you want to ban certain IP.”
Is it not at the bottom of the [Auto Block] tab page?
“Create and manage an allow list to add IP addresses that you trust, or a block list to prevent certain IP addresses from logging in.
Allow/Block List”
Dear Nicholas,
Thank you for the correction. You are right. Synology changed the name from “Black List” to “Block List”. Both can ban the IPs in the list. I apologize for misleading you.
Thank you very much!
Best regards,
Amigo
“Because this hacker get the rights to execute programs, he could execute the encryption program on your files and ask for ransom. ”
Looks like someone thought this was a great idea and actually did it. Synolocker
Dear jmez,
Yes, unfortunately…
But I wonder if this is just a small test before the real attack; they know how fast it spreads, how long it takes to see an official response from Synology, how many people are willing to pay, and much other useful information. We might see a real attack, or more attacks, begin on Friday morning in Asia next time.
Have a nice day!
Best regards,
Amigo