16

I've noticed, based on the logging of my NAS, that my IP address is targeted by a hacker. I already took action by automatically banning the IP address permanently after five unsuccessful login attempts.

Unfortunately, the hack is being processed by using multiple different IP addresses, so to me this security attempt is not valid, as it only works till the hacker runs out of IP addresses or when he gets the right username/password combination. Which sounds rather tricky to me, and I don't want to wait till one of these two events happens.

I googled some of the IP addresses which are banned and they show up on several 'hacker' sites as hacker IP addresses. Should I do something, and are my worries justified?

Peter Mortensen
user007
    Why have you attached your NAS to the internet? – Lucas Kauffman Sep 15 '14 at 20:21
  • Hey there! A hint from a random guy: if you use a SYNOLOGY NAS, you can give users 2-factor auth codes, which will require a phone/tablet. I have the same on my NAS; it makes it a lot safer. Also, NASes are wanted targets for hackers, so try to make sure you update your NAS's OS/software as soon as updates get released! – Lighty Sep 16 '14 at 10:19
  • I have attached my NAS to the internet so I can access the webserver it is running and so I can browse the files remotely (app). – user007 Sep 16 '14 at 10:35
  • Just as an idea, could you whitelist your IP? – TMH Sep 16 '14 at 13:22
  • @LucasKauffman consumer NASes from companies like Synology or QNAP have heavily expanded from only being file servers to include streaming media server, light web server, and "personal cloud" features to differentiate themselves from their cheaper competition. – Dan Is Fiddling By Firelight Sep 16 '14 at 21:12
  • @DanNeely Ah yea sorry, I forgot, that's a completely valid reason to drop security. – Lucas Kauffman Sep 17 '14 at 05:12
  • @LucasKauffman my point is that although they still brand their products as NASes, "personal internet server that also serves files" is a more accurate description of what they've turned into. That's a device that needs to be connected to the internet for most of what it's designed to do. – Dan Is Fiddling By Firelight Sep 17 '14 at 12:36
  • Sometimes changing the ports from the default is a way to stop most attacks targeting well-known ports. – Alvin Wong Sep 17 '14 at 16:26
  • I had the same problem on a Synology NAS. If you don't use them, close telnet and SSH. The hack comes from there. – user3356365 Sep 16 '14 at 19:46

7 Answers

43

As for anything attached to public networks:

  1. Reduce your attack surface - can you remove the NAS from the Internet? Can you limit the IPs that are allowed to connect?
  2. Increase cost of attack - lockouts are great, but also make sure that you have a complex password and that you change it regularly
  3. Monitor access - keep your eye on who successfully logs in
  4. Treat the risks - have a plan for the event when someone actually breaks in. Can the NAS be used to access the rest of your network? Is there anything on it that would be a risk if it fell into the wrong hands? Do you have backups?
schroeder
  • In the case of a brute force, #2 is most important. Consider the bit strength of your password. Do not use a password made of words or any known constants (such as the Fibonacci sequence). It should be as random as possible. In a brute force attack, the main factors that limit the attack are the strength of your password and the speed at which they can issue login attempts. Well-designed software addresses the latter; you must address the former. – AaronLS Sep 16 '14 at 21:38
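The asker's per-IP ban and point 3 of this answer ("keep your eye on who successfully logs in") are two views of the same failed-login data, and the asker's worry is that a per-IP ban does nothing once the attempts are spread over many addresses. The script below is an added example, not code from the asker or the answerer, and the log line format, the documentation-range IP addresses and the sample lines are all constructed for it. It keeps the per-IP ban rule, adds a per-account view that flags an account hit from several IPs even when no single IP reaches the ban threshold, and flags a successful login from an IP that failed earlier in the window, which is the event worth reading the logs for.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real NAS); the line format is an
# assumption made for this example. 203.0.113.0/24, 198.51.100.0/24 and
# 192.0.2.0/24 are documentation ranges, so no real host is named.
SAMPLE_LOG = """\
2014-09-15 20:00:01 auth: user=admin src=203.0.113.10 result=FAIL
2014-09-15 20:00:02 auth: user=admin src=203.0.113.10 result=FAIL
2014-09-15 20:00:03 auth: user=admin src=203.0.113.10 result=FAIL
2014-09-15 20:00:04 auth: user=admin src=203.0.113.10 result=FAIL
2014-09-15 20:00:05 auth: user=admin src=203.0.113.10 result=FAIL
2014-09-15 20:05:10 auth: user=admin src=198.51.100.7 result=FAIL
2014-09-15 20:05:11 auth: user=admin src=198.51.100.7 result=FAIL
2014-09-15 20:09:40 auth: user=admin src=198.51.100.8 result=FAIL
2014-09-15 20:09:41 auth: user=admin src=198.51.100.8 result=FAIL
2014-09-15 20:15:00 auth: user=peter src=192.0.2.44 result=OK
2014-09-15 20:20:00 auth: user=admin src=198.51.100.8 result=OK
this line is not an auth event and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) auth: "
    r"user=(?P<user>\S+) src=(?P<ip>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(log_text):
    """Return (timestamp, user, ip, success) tuples for every auth line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # unrelated log line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["user"], m["ip"], m["result"] == "OK"))
    return events


def analyse(events, per_ip_threshold=5, distinct_ip_threshold=3,
            window=timedelta(hours=1)):
    """Three views of the same failures, each over a sliding time window:
    - banned: IPs with >= per_ip_threshold failures (the asker's existing rule)
    - sprayed_users: accounts hit from >= distinct_ip_threshold different IPs,
      even if every single IP stays below the per-IP ban threshold
    - suspicious_logins: successful logins from an IP that failed earlier
    """
    ip_fails = defaultdict(list)       # ip -> timestamps of recent failures
    user_fail_ips = defaultdict(dict)  # user -> {ip: time of last failure}
    banned = {}
    sprayed_users = set()
    suspicious_logins = []

    for ts, user, ip, ok in sorted(events):
        if ok:
            if ip_fails.get(ip):  # .get() so the defaultdict is not populated
                suspicious_logins.append((user, ip, ts))
            continue

        recent = [t for t in ip_fails[ip] if ts - t <= window] + [ts]
        ip_fails[ip] = recent
        if len(recent) >= per_ip_threshold and ip not in banned:
            banned[ip] = ts

        by_ip = {i: t for i, t in user_fail_ips[user].items() if ts - t <= window}
        by_ip[ip] = ts
        user_fail_ips[user] = by_ip
        if len(by_ip) >= distinct_ip_threshold:
            sprayed_users.add(user)

    return {"banned": banned, "sprayed_users": sprayed_users,
            "suspicious_logins": suspicious_logins}


if __name__ == "__main__":
    report = analyse(parse(SAMPLE_LOG))
    for ip, when in report["banned"].items():
        print(f"banned {ip} at {when}")
    for user in sorted(report["sprayed_users"]):
        print(f"account {user!r} attacked from several IPs: per-IP bans alone will not stop this")
    for user, ip, when in report["suspicious_logins"]:
        print(f"successful login for {user!r} from {ip} at {when} after earlier failures")
```

On the constructed log, only 203.0.113.10 reaches the five-failure ban, the two other addresses stay below it, yet the `admin` account is flagged because three distinct IPs failed against it within the hour, and the later successful `admin` login from 198.51.100.8 is reported because that address had failed before. The per-account view is what turns "many IPs, few attempts each" from invisible into actionable.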
6

From what you describe it is possible that you have been targeted by bots which are searching IPs with specific ports and trying to brute-force them with default passwords of all kinds of FTPs, NASes, or just from a specific wordlist. My advice to you: close the NAS port in your router for now. There are several methods to avoid those attacks. One method is to build a virtual private network (VPN) at home and access your NAS from it.

You should not be worried about it because there are tons of Chinese, French and other countries' bots that are trying to do the same thing. Usually you become a target when you are using some kind of DNS which points to your IP, like noip.com.

Christos
  • Should NOT be worried that there is an army banging down his door? – schroeder Sep 15 '14 at 21:06
  • I don't understand what you mean with that question, schroeder. – Christos Sep 15 '14 at 21:09
  • You state that the OP should not be worried that there are many, many bots trying to break in. Such a situation would increase my worry, not decrease it. Can you explain why the worry should be reduced? – schroeder Sep 15 '14 at 21:14
  • I feel that you're overreacting now. Bots are targeting everyone. All of us are targets every second. They scan for specific ports and when they get a response for an open port they brute force. Just because you don't see them, that doesn't mean they don't exist. When you have a NAS open to the internet you should wait for those actions. I know that those bots have short wordlists and the only thing they can brute force is default passwords. After what I read from the OP, the person seems to have basic knowledge about it and I suppose there is a proper password which can't be brute forced by such bots. – Christos Sep 15 '14 at 21:37
  • You're saying that the OP should not be worried because they haven't been successful yet? Bots are too simple to break security? I run my own private honeypots. I KNOW those bots inside and out. You simply cannot tell people that once they are in the sights of a botnet, that there is nothing to worry about: it's dangerous and wrong on the facts. Yes, some use wordlists of default passwords, but others DO NOT. – schroeder Sep 15 '14 at 21:56
  • Botnets? Now I think that you say whatever comes into your head to try to argue your thoughts. I am not going to continue this. – Christos Sep 15 '14 at 22:06
  • I think we have a language barrier here. I'm neither emotional nor irrational. I'm asking for clarification because I have never heard anyone before suggest that the presence of bots should not cause worry. You brought up bots as a subject. Bots share information. Bots are part of networks called 'botnets'. Some are simple, some are not. Either way, the OP should act to protect himself, perhaps even as you suggest, but your last paragraph is odd. – schroeder Sep 15 '14 at 22:15
  • @schroeder the paragraph is quite clear - the evidence doesn't show any targeted attacks nor anything special or unusual. "my IP is targeted by a hacker" is false and misleading - all IPs are 'targeted' that way. You should worry exactly as much as if you hadn't looked at your logs; the logs gave no new information - a NAS connected to the public internet will get brute force password attempts, just as the sun rises in the east. The OP should act to protect that NAS in the exact way [s]he should have acted in the first place before connecting it there. – Peteris Sep 16 '14 at 11:49
  • @Peteris you are correct that there is 'background radiation' of the Internet and things get scanned and probed as a matter of course. But persistent brute force attempts are another matter and should not be brushed aside. Do we need to panic? No, but it does need to be handled. – schroeder Sep 16 '14 at 14:14
4

As someone who has occasionally needed to review Security Event Information Monitoring (SEIM) data I can tell you that being port scanned is nothing unusual. It can happen as often as daily.

Connecting to the internet is like having a front door onto a busy street. You will get people knocking at your door. And some of them might be interested in stealing your stuff.

I have no idea why you have chosen to connect your NAS to the Internet. I would not have done so but you may have good reason. If you are going to do so, reduce your attack surface by limiting what ports and IPs you allow through your router, and then lock down the NAS itself as much as you can, for example by not running services you don't use. Also make sure your router is running the latest firmware to minimise the risk of someone using a known exploit.

DodgyG33za
  • The OP seems to suggest that it isn't just a port scan, but login attempts. – schroeder Sep 16 '14 at 02:26
  • Yeah, I guess I should have read the question properly. Good job I have already given your answer +1 – DodgyG33za Sep 16 '14 at 02:51
  • The people on his street are not just knocking, but are actively jiggling door handles and trying random keys looking for one left unlocked or locked in a less than secure manner... :-) – Brian Knoblauch Sep 16 '14 at 16:29
3

In my opinion, you should definitely disallow any direct connections to your NAS from the Internet (including port forwarding).

However, it depends on the data you have there. So there are 2 options:

  1. If it is meant to be a kind of public server that you and your friends/other people are intended to use, then fine, keep it connected and concentrate on making it more secure.

  2. But if you store any kind of confidential data there, and loss of confidentiality, availability or integrity could be harmful for you, just disconnect it immediately. Immediately means right now, because the risk that your NAS could be hacked and your data leaked could be too high (again, it depends on your own evaluation of what will happen to you if your data stored on the NAS is leaked/modified/deleted, and how bad that is for you).

In the second case, securing your NAS will not really solve the problem, because it will stay a single point of failure/entrance. Even if you configure it properly, with two- or even three-factor authentication, a firewall, etc., and even if your system is up to date, there could still be a zero-day vulnerability in a properly configured and protected service on your NAS. Like Heartbleed (see How to explain Heartbleed without technical terms? and How exactly does the OpenSSL TLS heartbeat (Heartbleed) exploit work?). When Heartbleed was a zero-day, and people had a web server with SSL (HTTPS) listening, even if it was properly configured it could still be hacked, without any alerts in the logs and so on, and the attacker did not need to authenticate at all.

Or another example, maybe more relevant for a NAS: https://www.kb.cert.org/vuls/id/615910. Imagine the time when this vulnerability was a zero-day. Then, if you had your Synology NAS with a web server connected to the Internet, it would "allow a remote unauthenticated user to append arbitrary data to files on the system under root privileges", which implies that the remote attacker could "execute arbitrary code" (http://www.cvedetails.com/cve/CVE-2013-6955/). Even if you restricted access to your web server in a proper way, it would not help in this case, because it is a vulnerability of the server itself.

So what to do?

Place your NAS behind a router, and configure a VPN server on the router. Then, to access your NAS, you need (1) to connect via VPN to your home network and (2) to authenticate on the NAS itself. So now, to access your data, someone would first have to hack your router, and then hack your NAS. If the router runs different software, it means that an attacker now needs 2 zero-day exploits instead of 1, provided you have configured everything properly and update it regularly. This measure adds one more protection level and makes it much harder for an attacker to get to your data on the NAS.

Of course, now it is more complicated for you to access your files as well, but this is the price of higher security. You need to spend both time and money (to buy a VPN-capable router, probably pay for a static IP address if it is available (or even switch providers), configure it, etc.). Then you can only connect to the VPN if you have a client installed. To make it a little bit easier, you could, however, search for clientless VPN solutions.

Andrey Sapegin
3

The advice given by schroeder above is pretty good, I think. But to elaborate on a particular concern of yours:

when he gets the right username/password combination

What are the odds of this?

If you use a randomly generated password with 12 characters, upper/lower case and digits, there are about 3 × 10^21 (62^12) possible passwords.

If you are connected to the internet with 1 Gbit/s, theoretically the attacker could send about 12 million passwords of 12 letters each per second, as a brute-force attack. At that speed it would take on average about 4 million years to guess your password. So in my opinion with a good password you are pretty safe even if you are hammered with brute-force attacks from many IPs.

This of course assumes that you use a completely randomly generated password (like with pwgen -s 12 1), and that it is based on a secure random number generator. Also, if somebody intercepts your password (e.g. with a trojan horse on your desktop computer, or because you wrote it down and lost the paper, or because you sent it to your friend via IRC ;-) ), the strength of the password won't help.

Also, reducing the number of public services is still a good idea, to reduce the possibility for a security bug to be exploited in these services.

oliver
    You may want to use an online tool like https://www.grc.com/haystack.htm to get an estimate on how long a brute force attack may take. – Marcel Sep 16 '14 at 10:34
  • Thanks @Marcel, that is excellent advice, headed there now...! – Peter Verbeet Sep 16 '14 at 14:17
  • @Marcel What that website doesn't take into account is hash collisions. I bet my password will have a hash collision much much sooner than the estimated time. – Alice Sep 17 '14 at 13:32
  • @Alice How should it? That's a parameter of the server, unknown to the legitimate user/online attacker. It would be necessary to know how long the hash, produced by the NAS, is. – Marcel Sep 17 '14 at 14:49
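The arithmetic in this answer (62 symbols, 12 characters, about 12 million guesses per second, roughly 4 million years on average) is easy to redo for other password policies and other attack rates, which is what makes it useful for deciding whether a lockout plus a strong password is enough. The block below is an added example, not the answerer's code; the 62-symbol alphabet, the 12-character length and the 12 million guesses/s rate are the answer's figures, while the 8-character lowercase case and the throttled 5 guesses/s case are assumptions added here for comparison.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character classes as in the answer: upper + lower + digits = 62 symbols.
MIXED_ALNUM = 26 + 26 + 10


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Bits of entropy of a uniformly random password from that alphabet."""
    return length * math.log2(alphabet_size)


def expected_years(alphabet_size, length, guesses_per_second):
    """Average time to hit a uniformly random password: half the keyspace
    has to be searched on average, so this is not the worst case."""
    seconds = keyspace(alphabet_size, length) / 2 / guesses_per_second
    return seconds / SECONDS_PER_YEAR


def compare(scenarios):
    """Expected cracking time for several (label, alphabet, length, rate) cases."""
    return {label: expected_years(a, n, rate) for label, a, n, rate in scenarios}


if __name__ == "__main__":
    # The answer's figures: 62 symbols, 12 characters, ~12 million guesses/s.
    print(f"keyspace   : {keyspace(MIXED_ALNUM, 12):.2e}")
    print(f"entropy    : {entropy_bits(MIXED_ALNUM, 12):.1f} bits")
    print(f"avg. years : {expected_years(MIXED_ALNUM, 12, 12e6):.2e}")
    # Assumed comparison cases (not from the answer): a short lowercase-only
    # password at the same rate, and the answer's password when lockouts
    # throttle the attacker to 5 guesses per second in total.
    for label, years in compare([
        ("8 lowercase, 12M/s", 26, 8, 12e6),
        ("12 mixed, 12M/s", MIXED_ALNUM, 12, 12e6),
        ("12 mixed, 5/s (throttled)", MIXED_ALNUM, 12, 5),
    ]).items():
        print(f"{label:28s} {years:.3g} years")
```

The comparison makes the answer's point concrete: the 8-character lowercase password falls in hours at the same rate, so the length and alphabet of the password, not the lockout, is what sets the margin, and the lockout only multiplies a margin that has to exist already. The figures assume the password is uniformly random, as the answer says; a word-based password has a keyspace closer to the size of the attacker's wordlist, and none of this arithmetic applies to it.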
0

A lot of things you can do to protect your NAS:
  • complicated password pattern, 2-factor login....
  • Turn on and strengthen your router firewall rule-set.
  • Turn on and strengthen your NAS firewall.
  • restricted access to TCP ports and services from the internal segment and the internet.
  • always use HTTPS
  • Use VPN
  • turn off and block all services that are not necessary to expose to the internet.
  • Assign limited application access with a user account to be used over the internet (to access your NAS).

alf
0

You could try DenyHosts. It collects offending IP numbers from all its users and then you can choose to use this global list of IPs to protect your NAS.

I have used it for 4-5 years without problems, but when I did a reinstallation of my NAS a few months ago, I tried running without DenyHosts for a while. Then the login attempts popped up after less than a week.