Synology Security Issue and How-to Harden your NAS


It’s quite busy in the Synology forum about a coin miner, a thread started on 2014/2/8 by Joakim Lotsengard on the Synology Page on Facebook. Someone used CVE-2013-6955 and CVE-2013-6987 to insert a coin miner program that runs in the background. It takes all the CPU resources and slows down your access to the NAS.

You may read the press release from Synology if you want to learn more about this issue. Please follow the instructions to remove the unwanted program by reinstalling DSM and updating manually.

UPDATE @ 2014/8/6 – SynoLocker uses the same vulnerability to encrypt files and demands money. Y-Combinator has a threaded discussion. You need to upgrade your DSM manually; the fix is not picked up by auto-update. Please refer to Downgrade Synology DSM for detailed instructions.

I am going to show you how to check yourself and harden your NAS covering Asustor ADM, QNAP QTS, Synology DSM and ThecusOS 6.

UPDATE @ 2015/4/1 – Add security on ThecusOS 6.


Contents in Secure External HDD is Encrypted


Buffalo HD-LX2TU3 is my first secured external HDD box. Because I am not comfortable with the high operating temperature and the small power adapter, I decided to open the case, move the hard drive to a QNAP TS-112, and use the SATA to USB 3.0 bridge as a quick connector.

I used the bridge to clone the hard drive in my Lenovo C440 AIO to a new SSHD. When I swapped them, it never booted up.


Secure wp-config.php and Restrict database privileges to protect your database


It is easy to set up and run your WordPress site but difficult to protect it against hackers and spam. That’s why I chose to adopt the free WordPress.com, which lets me focus on content.

When I set up WordPress for my customers, I secure wp-config.php and limit the database account to the current WordPress database only. This prevents access to the WordPress configuration file, which contains the database account and password in unencrypted form. Even if attackers get the file, the database user account can only access the WordPress database.
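To check the two points above on an existing site, the following script (an added example, not code from the original post) audits the output of MySQL/MariaDB `SHOW GRANTS FOR` for a WordPress account and checks the permission bits on wp-config.php. The database name `wordpress`, the account `'wpuser'@'localhost'` and the grant lines are constructed assumptions; the grant audit flags any privilege that reaches beyond the WordPress database, and the permission check fails if the file is readable by "other" or writable by the group.

```python
"""
Added example (not from the original post): audit a WordPress database
account's privileges and the permission bits on wp-config.php.

Assumptions: the WordPress database is named `wordpress`, the account is
'wpuser'@'localhost', and the grant lines below are constructed samples in
the format printed by MySQL/MariaDB `SHOW GRANTS FOR 'wpuser'@'localhost'`.
"""
import os
import re
import stat
import tempfile

# Constructed sample: what SHOW GRANTS prints for an over-privileged account
# (the account can read and write every database on the server).
OVERPRIVILEGED_GRANTS = [
    "GRANT USAGE ON *.* TO 'wpuser'@'localhost'",
    "GRANT ALL PRIVILEGES ON *.* TO 'wpuser'@'localhost'",
]

# Constructed sample: the same account after restricting it to its own database.
RESTRICTED_GRANTS = [
    "GRANT USAGE ON *.* TO 'wpuser'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX "
    "ON `wordpress`.* TO 'wpuser'@'localhost'",
]

GRANT_RE = re.compile(r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO ", re.IGNORECASE)


def audit_grants(grant_lines, wp_db):
    """Return a list of findings; an empty list means the account is confined
    to wp_db. 'GRANT USAGE ON *.*' is the no-privilege placeholder that MySQL
    prints for every account, so it is ignored."""
    findings = []
    for line in grant_lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            findings.append(f"unparsed grant line: {line}")
            continue
        privs = m.group("privs").strip().upper()
        scope = m.group("scope").replace("`", "")
        if scope == "*.*" and privs == "USAGE":
            continue
        if scope == "*.*":
            findings.append(f"global privileges ({privs}) on every database")
        elif scope.split(".")[0] != wp_db:
            findings.append(f"privileges on foreign database {scope}")
    return findings


def restricted_grants_sql(user, host, db):
    """SQL to confine an account to its WordPress database (assumed account
    and database names; run against the server as an administrative user)."""
    return [
        f"REVOKE ALL PRIVILEGES, GRANT OPTION FROM '{user}'@'{host}';",
        f"GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX "
        f"ON `{db}`.* TO '{user}'@'{host}';",
        "FLUSH PRIVILEGES;",
    ]


def wp_config_permissions_ok(path):
    """True when wp-config.php grants nothing to 'other' and is not writable
    by the group, i.e. modes such as 0400, 0440 or 0640."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & 0o007) == 0 and not (mode & stat.S_IWGRP)


def demo_permissions():
    """Create a constructed wp-config.php, check it before and after
    tightening its mode, and return both results as (before, after)."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = os.path.join(tmp, "wp-config.php")
        with open(cfg, "w") as f:
            f.write("<?php define('DB_PASSWORD', 'constructed-sample');\n")
        os.chmod(cfg, 0o644)            # typical default: world-readable
        before = wp_config_permissions_ok(cfg)
        os.chmod(cfg, 0o440)            # owner and web-server group only
        after = wp_config_permissions_ok(cfg)
    return before, after


if __name__ == "__main__":
    print("over-privileged:", audit_grants(OVERPRIVILEGED_GRANTS, "wordpress"))
    print("restricted:", audit_grants(RESTRICTED_GRANTS, "wordpress"))
    print("\n".join(restricted_grants_sql("wpuser", "localhost", "wordpress")))
    print("permissions before/after:", demo_permissions())
```

On a live site, paste the output of `SHOW GRANTS FOR 'wpuser'@'localhost'` into `audit_grants` and point `wp_config_permissions_ok` at the real file; the group in mode 0440 should be the one the web server runs as, so PHP can still read the file while other local accounts cannot.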
