Thursday, March 26, 2015

Synology - Security

I'm still having issues with getting FTP to work outside my local network, so I gave up and opened a support ticket. After trying the obvious, TechSupport asked to be set up with SSH access. Almost as soon as I opened up SSH, I started getting notifications from my AutoBlock. I've had AutoBlock enabled since the start, but the repeated efforts to gain access made me wonder what else I could do to (try to) secure my little server.

In DSM 5.x, Synology has a feature (under Control Panel->Security->Firewall) where you can set up Firewall rules, which can be fairly granular in terms of applications, ports, IP addresses (or ranges), and even on a country basis, and which allow you to specify whether, if the rule is met, access is allowed or denied. And since I'd already done a little work to see which countries the (apparent) access attempts are coming from, I decided to set up a country-specific block. Now, I knew before I started this that IP addresses can be spoofed, so this is only one meager piece of trying to secure the server, but better than nothing. I found this guide as a starting point, though you'll need to modify it for your own circumstances, and, as always, I'm not responsible for any bad things that might happen to your NAS if you follow this process.

I also changed my AutoBlock settings down to allow very few attempts before being blocked.

I'm starting out with very basic firewall settings to see how they work, in combination with the AutoBlock. Even as I write this, I had an attempt to SSH into the server that was AutoBlocked, but not because of the firewall rule.
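The "few attempts before being blocked" rule can be replayed against a log to see which sources a given threshold would catch. This is an added example, not part of the original post and not Synology's AutoBlock code; the function name, its parameters, and the OpenSSH-style sample lines (documentation-range IPs) are constructed assumptions, and DSM's own log layout may differ.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in standard OpenSSH syslog format (not from a real NAS).
SAMPLE_LOG = """\
Mar 26 09:14:01 nas sshd[4101]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar 26 09:14:03 nas sshd[4101]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar 26 09:14:09 nas sshd[4105]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Mar 26 09:15:40 nas sshd[4110]: Failed password for invalid user test from 198.51.100.23 port 40022 ssh2
Mar 26 09:20:12 nas sshd[4120]: Accepted publickey for owner from 192.0.2.10 port 50514 ssh2
Mar 26 09:31:05 nas sshd[4133]: Failed password for invalid user guest from 198.51.100.23 port 40188 ssh2
Mar 26 09:31:07 nas sshd[4133]: Failed password for invalid user pi from 198.51.100.23 port 40188 ssh2
"""

# Matches failed password attempts for both existing and non-existent accounts.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)

def autoblock_candidates(log_text, max_attempts, window_minutes, year=2015):
    """Map each source IP to the time it reached max_attempts failures
    inside a sliding window of window_minutes. Syslog lines carry no year,
    so one is supplied by the caller."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    blocked = {}                  # ip -> time the threshold was reached
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m or m["ip"] in blocked:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        attempts = recent[m["ip"]]
        attempts.append(ts)
        # Drop failures that have aged out of the window.
        while ts - attempts[0] > window:
            attempts.popleft()
        if len(attempts) >= max_attempts:
            blocked[m["ip"]] = ts
    return blocked

if __name__ == "__main__":
    for limit, minutes in [(3, 5), (2, 5), (3, 30)]:
        hits = autoblock_candidates(SAMPLE_LOG, limit, minutes)
        print(f"{limit} attempts / {minutes} min ->", sorted(hits))
```

With the constructed sample, the slower source at 198.51.100.23 slips under a 3-in-5-minutes rule and is only caught once the attempt limit is lowered or the window is widened.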

I had been trying to connect to my site through a series of devices, some on a VPN, some not, so I thought I'd check just to make sure it wasn't me. It wasn't me, but it wasn't one coming from China either (blocked in my Firewall rule). Sigh...

For normal web access to my server, I have two-factor authentication enabled, but for access thru SSH, adding the combination of the remote access key, AutoBlock and the Blocklist will hopefully add more security. And, there is no anonymous FTP allowed.

Shortly after I initially set up my server, I was reviewing the connection logs (you do review yours, right?), and saw repeated anonymous FTP attempts. So I did a reverse IP lookup and found the provider's contact info and sent an 'abuse' report. Probably for the only time this will ever happen, I actually got a response from the user involved and found this site. After I exchanged some emails with the site owner, I was marginally more comforted by their explanation of the site's purpose, but not at all thrilled by it. I hope I'm getting a gradual education in security and not one by virtue of getting hacked. My naiveté is showing. Shodan basically scans the Internet looking for vulnerabilities and open ports.


Now, my link to this site is not intended to bash them, but it's a bit of a scary reminder how easy it can be to find vulnerabilities. I searched, and at least for now, my server isn't listed. Very interesting site. Worth a visit!








