Discussion in 'Article Discussion' started by Gareth Halfacree, 5 Aug 2014.
NAS files encrypted, ransom demanded.
I feel sorry for anyone with a Synology but for other reasons quite happy about this. It's good to see a peg being plucked from beneath a large company like this. The crash to reality to improve customer relations that will follow will hopefully be what is needed. The breach leading to a financial implication is a bit crap though... These ransom-like viruses need to die a death already.
I don't have a Synology NAS, but from everything I understand, Synology is very good about support and customer relations.
So I don't know why you are "quite happy" about this. It is apparently an unknown vulnerability, not something they've known about and ignored. This is unlike wifi routers where most manufacturers let known vulnerabilities exist for ages, because they provide very little aftermarket support for their products. Synology is very good about supporting their products for years after sales.
Some criminal finds an unknown exploit in the system of what actually seems like a pretty decent company, uses it in order to attack their customers data and blackmail their users, and you're "quite happy about this". Jeez
It's like seeing a car crash and saying you're quite happy it happened because it will ultimately improve car safety.
Synology's support is great. They helped me rebuild a lost drive remotely a while back.
People used to try and remote access my NAS all the time. I doubt it'll help with the vulnerability but I set a very strong password and blocked IPs after 2 failed login attempts.
My NAS is currently switched off. I only use it for 1 specific purpose anyway.
My home server has SSH exposed to the 'net on the standard port. You wouldn't believe how many brute-force login attempts I get each day. Thankfully, barring any serious holes in the software, it's unlikely anyone's getting in: I use fail2ban to block brute-force attempts at the firewall, logins require a keypair rather than a password, and any login not from a trusted IP address requires two-factor authentication. I also have watchdog daemons running, just in case there is a zero-day in the SSH server, alerting me to unusual activity. Paranoid? Perhaps. Safe from things like CryptoLocker and its variants? Oh, yes.
Then, of course, there's the multiple-redundant off-site backups...
It's a lot of fun doing cat /var/log/messages when there have been lots of brute force attempts though. Hope you've got big buffers.
Less so with fail2ban; each IP only gets five entries before they're blocked...
I didn't know it was a thing, though looking at it now it seems like a great thing. I will speak to some of my clients whose web servers I look after about implementing that, as there are a few that get brute force on their SSH ports ALL the time (not literally all the time, but it's quite a thing for them). Thanks for the top tip, Linux man.
You can do the same thing with iptables directly, but fail2ban is so incredibly easy - and can be extended to protect other services, too. Also check out Duo Security - that's the two-factor authentication service I use, and it's free for fewer than ten users (and cheap for more than ten). Works like a charm - and as well as protecting SSH it has plugins for WordPress, most common VPNs, and a bunch of other stuff, as well as an API you can access to use it with bespoke systems if you pay for the (still surprisingly cheap) enterprise account.
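The fail2ban behaviour the two posts above describe (count failed SSH logins per source address, block the address at the firewall once it hits the retry limit) can be shown in a few lines of shell. This is an added example written for this thread, not Gareth's configuration and not fail2ban's own code: it assumes syslog-style sshd lines like the constructed sample below and the five-attempt limit mentioned in the thread, and `ban_rules` only prints the iptables commands rather than running them.

```shell
#!/bin/sh
# Added example (not the poster's setup, not fail2ban): count failed SSH
# logins per source IP and emit a firewall rule once a threshold is reached.
# Assumes syslog-style sshd log lines; documentation addresses (RFC 5737)
# are used for the constructed sample, so none of this is real traffic.

# Constructed sample auth.log lines.
SAMPLE_LOG='Aug  5 09:58:11 nas sshd[2201]: Accepted publickey for gareth from 192.0.2.10 port 50122 ssh2
Aug  5 10:01:02 nas sshd[2210]: Failed password for root from 203.0.113.5 port 51234 ssh2
Aug  5 10:01:04 nas sshd[2210]: Failed password for root from 203.0.113.5 port 51234 ssh2
Aug  5 10:01:07 nas sshd[2212]: Invalid user admin from 203.0.113.5 port 51240
Aug  5 10:01:09 nas sshd[2212]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Aug  5 10:01:12 nas sshd[2214]: Failed password for root from 203.0.113.5 port 51250 ssh2
Aug  5 10:02:30 nas sshd[2220]: Failed password for pi from 198.51.100.7 port 40000 ssh2
Aug  5 10:02:33 nas sshd[2220]: Failed password for pi from 198.51.100.7 port 40000 ssh2'

# offending_ips THRESHOLD: read log lines on stdin and print every source IP
# with THRESHOLD or more failed-password / invalid-user events, one per line.
# Successful logins ("Accepted ...") are deliberately not counted.
offending_ips() {
  awk -v t="$1" '
    /sshd\[[0-9]+\]: (Failed password for|Invalid user)/ {
      for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
    }
    END { for (ip in fails) if (fails[ip] >= t) print ip }
  ' | sort
}

# ban_rules: turn a list of IPs on stdin into iptables DROP commands.
# They are printed, not executed, so the result can be reviewed first;
# fail2ban does the equivalent in its own iptables chain.
ban_rules() {
  while read -r ip; do
    if [ -n "$ip" ]; then
      printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    fi
  done
}

# Stand-alone run: list offenders at the five-strike limit and the rules they would get.
printf '%s\n' "$SAMPLE_LOG" | offending_ips 5 | ban_rules
```

With the sample, only 203.0.113.5 reaches five strikes; 198.51.100.7 stays under the limit. The real fail2ban sshd jail uses a much larger set of log patterns and expires bans after `bantime`, but the per-IP counter against `maxretry` in `jail.local` is the same idea.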
I currently use an obscure port, which stopped the brute force attempts, but fail2ban and Duo Security look good as well.
Thanks for sharing
I'd love to see a guide based around your setup Gareth. Perhaps bit-tech would buy it as a feature article?
I'll pitch it to the powers that be - although its Linux focus means it's a bit niche for a site like Bit. That said, editors that normally wouldn't touch Linux with the proverbial ten-foot pole go ga-ga if you s/Linux/the Raspberry Pi/g...
Do it unofficially in the software section. Would float my boat!
There are a million different backup schemes and strategies.
My personal backup scheme is: install an rsync server on every OS I want to back up (for Windows I use Cygwin with cygrunsrv, rsync server). Then I have my local server, which runs rsnapshot and does the backup via rsync. Then my remote server at a completely different location does a daily rsnapshot against my daily.0 folder on the local server. You could of course extend this to any length or number of computers as you wish.
And why rsnapshot? Because it is something in between incremental and full backups: if there is a previous backup, then the previous backup is rolled from hourly.0 to hourly.1 (and every folder with a higher number in the same category is rolled to a higher number; the oldest one is of course removed), a new hourly.0 folder is created, all files from the old folder are copied over as hard links (so no extra disk space is used up) and then new or modified files replace the copied-over files. With every backup the cycle is repeated, and every time the space requirement increases only for new and modified files. You can set up your own rotation scheme (I have a backup every hour, then every day, every week of a month, and every month for the last 12 months on my main server). That means I will have hourly.0-23 folders, daily.0-7, weekly.0-3 and monthly.0-11 folders.
For example, 5 daily backups of 29GB of data on my remote backup site use 36GB in total. 24 hourly and 7 daily backups on my main server? 53GB.
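The rotation the post above describes is easy to misunderstand until you see the hard links in action, so here is an added example written for this thread rather than rsnapshot's own code. It keeps an assumed three hourly snapshots, rolls `hourly.N` to `hourly.N+1`, seeds the new `hourly.0` with `cp -al` (the same mechanism rsnapshot uses), and then copies only changed files. The one subtlety it makes explicit: a changed file must be removed before it is rewritten, because writing through the hard link would silently alter every older snapshot too (rsync avoids this by writing a temporary file and renaming it).

```shell
#!/bin/sh
# Added example (not rsnapshot itself): a minimal rsnapshot-style rotation
# with hard-linked snapshots, using only POSIX tools plus cp -al.
# Assumptions: a retention of 3 hourly snapshots and a POSIX shell.

KEEP=3   # assumed retention: hourly.0 (newest) .. hourly.2 (oldest)

# rotate DEST: drop hourly.(KEEP-1), then shift hourly.N to hourly.N+1.
rotate() {
  dest="$1"
  i=$((KEEP - 1))
  rm -rf "$dest/hourly.$i"
  while [ "$i" -gt 0 ]; do
    if [ -d "$dest/hourly.$((i - 1))" ]; then
      mv "$dest/hourly.$((i - 1))" "$dest/hourly.$i"
    fi
    i=$((i - 1))
  done
}

# snapshot SRC DEST: rotate, seed hourly.0 as hard links of hourly.1, then
# bring hourly.0 in line with SRC. Only new or changed files cost disk space.
snapshot() {
  src="$1"; dest="$2"
  rotate "$dest"
  if [ -d "$dest/hourly.1" ]; then
    cp -al "$dest/hourly.1" "$dest/hourly.0"   # links, not copies
  else
    mkdir -p "$dest/hourly.0"                  # very first run
  fi
  # Copy files that are new or differ. rm first: the snapshot entry is a hard
  # link shared with older snapshots, so overwriting in place would corrupt them.
  (cd "$src" && find . -type f) | while read -r f; do
    if ! cmp -s "$src/$f" "$dest/hourly.0/$f"; then
      mkdir -p "$(dirname "$dest/hourly.0/$f")"
      rm -f "$dest/hourly.0/$f"
      cp "$src/$f" "$dest/hourly.0/$f"
    fi
  done
  # Remove files that vanished from SRC (older snapshots keep their own link).
  (cd "$dest/hourly.0" && find . -type f) | while read -r f; do
    [ -e "$src/$f" ] || rm -f "$dest/hourly.0/$f"
  done
}

# demo: two snapshots of a constructed source tree; prints the link count of an
# unchanged file, the link count of a changed file, and the old content that
# the previous snapshot still holds.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/src"
  printf 'unchanged\n' > "$tmp/src/a.txt"
  printf 'old\n' > "$tmp/src/b.txt"
  snapshot "$tmp/src" "$tmp/backup"
  printf 'new\n' > "$tmp/src/b.txt"
  snapshot "$tmp/src" "$tmp/backup"
  a_links=$(ls -l "$tmp/backup/hourly.0/a.txt" | awk '{print $2}')
  b_links=$(ls -l "$tmp/backup/hourly.0/b.txt" | awk '{print $2}')
  old=$(cat "$tmp/backup/hourly.1/b.txt")
  rm -rf "$tmp"
  printf '%s %s %s\n' "$a_links" "$b_links" "$old"
}

demo   # prints "2 1 old"
```

After the second snapshot, `a.txt` is one inode referenced from both `hourly.0` and `hourly.1` (link count 2, no extra space), while `b.txt` exists twice (link count 1 in `hourly.0`) and `hourly.1` still serves the old version. That is exactly why five dailies of 29GB can fit in 36GB, and also why a snapshot directory must never be edited in place.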
I think they're specifically after the security aspect, not the backup aspect.
No surprises there. The internet has a raging nerd-on for pi's.
Indeed I am. But the backup stuff is all gravy too.
I'd be interested in both tbh...
Have been half expecting this in the NetApp space for a while now... Shows the vulnerabilities of centralised mass storage.
I must say this news has me slightly worried. Could anyone's Synology NAS be targeted, or is it like other viruses where you need to do something stupid first (dodgy sites etc.)? I have been toying with replacing my NAS with a Linux server and this kind of thing just makes me want to push my timetable forward.
As an additional note I must say that Synology has started getting their act together a bit. I have started getting security related emails from them recently about updates and patches.