Werner

Yes, I had forwarded DynDns to Synology via Swisscom so that I don’t have to go via Synology’s QuickConnect, but directly via my own line.

@Hauseunteuth11

The DynDNS is not the problem, but making the Syno’s unencrypted web interface accessible directly from the Internet via port 5000 is of course a direct invitation for every young hacker kid.

The bots that are constantly searching for open ports on the Internet can currently find something like this within minutes and the first attempts at penetration usually begin within the first hour.

So it could very well be that someone used a password cracker program to get past the login on your NAS and thus gain full access to your NAS, so your NAS would then be considered completely compromised.

The first thing I would do is think about what confidential data is or was on there, and whether you should take any damage prevention measures such as blocking other accounts or credit cards, or depending on what data may have been stolen.

In order to be able to estimate the risk of a possible hack with the additional possible data theft, it is best to assume the worst case scenario, namely that all of your data has been completely copied and can now be misused at will by criminals who you will never meet .

I checked the access and everything in the protocol was correct.

In addition, I have login protection included; if you use the wrong password 5 times, you will be blocked indefinitely.

I also blocked certain IP areas across the board.

This means that unwanted access from unknown connections is very limited.

And as an addendum:

If the log was still available on your Syno and it hadn’t already been deleted by your previous “correction attempts”, I would examine the log to see whether there are any user logins that couldn’t possibly have come from you.

This would of course help with a risk assessment of the damage caused.

Making the web interface of a router or a NAS publicly accessible directly from the Internet is an absolute no-go in terms of security, and that is why, for example, web access to the Internet box is already absolutely blocked in the firmware and you can really You can only access the IB web interface from the Internet via an additionally secured VPN connection.

This is exactly how you should handle the web interface of a NAS.

The fact that you didn’t notice anything in the log itself doesn’t give you any certainty about what exactly happened, because with full access to the NAS, you can of course delete any suspicious log entry immediately.

I have personal things on my computer, such as the NAS, but nothing from the “can harm me” category.

So bank details etc.

It might not be nice to have unwanted access, but it wouldn’t be dramatic.

Short feedback:

Everything was newly set up yesterday.

According to the current usual safety standards.

Everything should be relatively safe now.

Hi @Hauseunteuth11

I hope that by current standards you mean access via VPN - and not port 5001? 😉

It doesn’t really matter to me whether I, as an attacker, exploit a security hole via HTTP or HTTPS. 😁

LG

r00t

In addition to the VPN connection already mentioned by @r00t, what is also recommended for the basic security of the Syno:

- replace the preinstalled user “admin” with your own personal user

- Additional security of the Syno administration GUI by switching on 2FA, e.g. by entering an additional code from the Google authenticator

- If not already activated, activate Syno’s own firewall and limit permitted access to the necessary minimum

The same thing has been happening to us for the last 3 months. Without any support, at least we were provided with your router. But the problem is still not solved. With the annoying phones we are only ever told that we have a faulty device, but after extensive searching and testing this is not correct. So what’s the point of all this just because an AI sees it that way and doesn’t react and claims it’s down to the customer. Sorry, that’s not possible.