5

I am running Synology's DSM torrent client on a NAS. As I have to (?) open and forward one UDP port for DHT and another one (UDP/TCP) for data transmission I am exposing myself to threats originating from the internet. If I don't, I circumvent the purpose of a torrent network and become a leecher.

Although I wasn't able to find any exploit that is targeting Synology's Download Manager, I still don't feel reassured that I can feel "safe" (I am patch happy person btw. and keep all my systems up to date). But a NAS, by definition, holds a lot of data and thinking about some ransomware hitting my NAS via this open torrent service makes me shudder.

Unfortunately the Download Manager can't natively be run in another network segment (DMZ) then the other services hosted by the NAS. Even if it could, the process opening the socket would still run on the same physical hardware.

Long story short. How can I harden a torrent client from being exploited? Is there some passive way of sharing data through a relay service so I can keep my ports closed?

Matthias Güntert
  • 265
  • 2
  • 11

2 Answers2

2

The act of port forwarding itself is unlikely to be a major security issue. Risks would come from the fact that the BitTorrent protocol is very complex, and libraries for it are necessarily complex. Any time you have code parsing complex attacker-controlled data structures, you are risking exploitation.

Using a sandbox

Hardening a torrent client can be done using various forms of sandboxing. Different operating systems have different techniques for this, such as AppArmor on Linux systems, Seatbelt on OSX, and AppLocker on Windows. These are all frameworks for limiting the capabilities of individual programs, called Mandatory Access Controls, or MACs. A confined program is called a subject, and resources it wishes to access are called objects. A subject can be restricted to only accessing certain objects (and even then, performing only limited operations on said objects), or objects can be marked as accessible by only certain subjects. This general technique is useful to prevent a compromised application from doing much harm.

Using a seedbox

Another, more complete, solution is to use a seedbox. A seedbox is a remote server running a torrent client. Torrents to be downloaded are uploaded to the server, and when they are completed, they can be downloaded through a direct connection (often http, ftp, sftp, or rsync). Seedboxes provide the ability to continue seeding and leeching even while your computer is off or your network is down, and are not limited by the bandwidth caps imposed by your ISP. However in this case, they also provide the additional benefit of isolating any compromise of the torrent client to the seedbox itself.

Keeping backups

Having all your data on a NAS does open up the risk of ransomware. It is unlikely that an attacker who just wants to distribute such malware would burn a 0day on a fully up to date torrent client. Such attacks are far more advanced. In order to reduce the risk of ransomware in general, though, you should keep most important backups on offline storage. This is important not only to avoid ransomware, but also catastrophic filesystem corruption (which even RAID would not protect against). You should use the 3-2-1 backup rule. This states that you should keep 3 copies of any data you do not want to lose, 2 on different types of storage media, and 1 offsite.

Community
  • 1
forest
  • 64,616
  • 20
  • 206
  • 257
0

How safe do you feel with the NAS company you trust your data with?

No need to throw them out. Better isolation is always the solution.

However what is the practical solution?

I think harden the NAS OS yourself.

schroeder
  • 123,438
  • 55
  • 284
  • 319
NetworkPro
  • 1
  • 1
    This avoids answering the question. The question is ***how*** to harden. You've just answered "harden it yourself" And no "isolation" is not a solution for this particulr threat. – schroeder May 27 '21 at 15:33