Yesterday my Synology reported to me that an attempt had been made to get into the Terminal (SSH) and I was shocked. How did they get on my network in the first place? I started investigating the issue.
At first I thought I was really hacked but this was not the case. Synology uses 2 modern features here:
- UPnP – which is the Plug and Play for your local network
- Automatic blocking
UPnP (Universal Plug and Play) is a protocol that allows devices on your network to automatically connect to other devices. A good example of the use of UPnP is DLNA (Digital Living Network Alliance). DLNA allows for streaming video, music, photos, etc. on your network.
Automatic blocking is a feature that secures your Synology NAS automatically. Take a look at Configuration –> Security –> Automatic blocking.
We have a subscription with KPN in the Netherlands. In our home the KPN router is installed (KPN Experience H368N). I think I enabled the UPnP IGD myself but it is possible that it was enabled by default.
The Synology NAS has UPnP activated by default.
With both devices having UPnP enabled they can talk to each other. The Synology will say to the router: “Hey I would like to open port X to the outside world and map it to my internal port Y”. The router will answer: “Ok, no problem, done”.
The result of this is that several ports of the Synology are opened automatically to the internet. From that moment on the router will send any input for port 443 to the Synology NAS. Below is a list of ports automatically opened in the router by several UPnP devices in my network.
One of the ports being exposed is port 443 which is the SSH port on my Synology. Any hacker on the net will find my IP address and scan for obvious ports like 443 and try to log in with obvious userids and passwords.
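To see which of these automatic mappings expose a management service, the router's UPnP mapping table can be audited. The following is an added example, not part of the original post: it parses constructed `GetGenericPortMappingEntry` replies in the UPnP IGD format and flags enabled mappings that forward any remote host to a sensitive port. The sample replies, addresses and the list of sensitive ports are assumptions.

```python
import xml.etree.ElementTree as ET

# Ports treated as management services (assumption: 443 as on the page,
# plus 22 for default SSH and 5000/5001 for the DSM web UI).
SENSITIVE_PORTS = {22, 443, 5000, 5001}

SOAP = ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        '<u:GetGenericPortMappingEntryResponse '
        'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
        '<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>'
        '<NewProtocol>{proto}</NewProtocol><NewInternalPort>{port}</NewInternalPort>'
        '<NewInternalClient>{client}</NewInternalClient><NewEnabled>{on}</NewEnabled>'
        '<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
        '<NewLeaseDuration>0</NewLeaseDuration>'
        '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')

# Constructed router replies (addresses and descriptions are made up).
SAMPLE_REPLIES = [
    SOAP.format(ext=443, proto="TCP", port=443, client="192.168.2.10", on=1, desc="nas"),
    SOAP.format(ext=6881, proto="UDP", port=6881, client="192.168.2.23", on=1, desc="p2p"),
    SOAP.format(ext=8022, proto="TCP", port=22, client="192.168.2.10", on=1, desc="nas ssh"),
    SOAP.format(ext=5001, proto="TCP", port=5001, client="192.168.2.10", on=0, desc="old"),
]

def parse_mapping(soap_xml):
    """Extract the New* fields of one port-mapping entry into a dict."""
    fields = {}
    # For replies from a device you do not trust, parse with a hardened XML parser.
    for el in ET.fromstring(soap_xml).iter():
        tag = el.tag.rsplit("}", 1)[-1]          # drop any XML namespace
        if tag.startswith("New"):
            fields[tag[3:]] = (el.text or "").strip()
    return fields

def audit(replies, sensitive=SENSITIVE_PORTS):
    """Return enabled mappings that forward any remote host to a sensitive port."""
    findings = []
    for reply in replies:
        m = parse_mapping(reply)
        open_to_all = m["RemoteHost"] in ("", "0.0.0.0")   # empty = wildcard
        if m["Enabled"] == "1" and open_to_all and int(m["InternalPort"]) in sensitive:
            findings.append((m["Protocol"], int(m["ExternalPort"]),
                             m["InternalClient"], int(m["InternalPort"]),
                             m["PortMappingDescription"]))
    return findings

if __name__ == "__main__":
    for proto, ext, client, port, desc in audit(SAMPLE_REPLIES):
        print(f"exposed: {proto} WAN:{ext} -> {client}:{port} ({desc})")
```

The check keys on the internal port, so a service forwarded from a non-obvious external port (8022 to 22 in the sample) is still reported.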
So in short: There was nothing hacked in my system. My network was not invaded by anyone. Automatic blocking of the Synology simply blocked the attacker for several hours after 10 attempts (I’ve lowered that to 3 attempts just for now but plan to disable SSH altogether in the near future). And that’s what was reported in the first place (‘IP address <nbr> of <internal device name> has been blocked by SSH’). I can sleep peacefully again.