A simple firewall rule to help reduce attacks on Synology Diskstation

I have a little web server that runs this site. I decided to host it at home rather than in co-location so that I have full control to tinker, mess up and generally learn more about how it operates.  I also run an email server to collect D3Pixel emails.
Now, this is a low-key personal website, hardly worth anybody's time to attack, but I have recently noticed an increase in attacks from the UE.  That's Ukraine.  Maybe they want to make my little DiskStation part of a botnet, or people out there are automating sweeps across the net for service and port vulnerabilities, but it was a concern that I should address.

My initial setup was to block an IP after a few incorrect attempts using Synology Auto Block, but in the last 7 days I have had 100+ failed login attempts to my mail server from the Ukraine O.o.  So IP blocking is working, but it is not a long-term solution.  I also understand that if somebody really wanted to get onto my system then they probably could; even security experts who lock down everything get hacked. But there is something you can do to reduce the quantity of attempts on your server.

Block an entire country, also called Geo Blocking.  This can be done in DiskStation quite easily.

Step by Step

  1. Log in to your DSM admin area on the Synology NAS
  2. Click the main menu link in the top left and select Control Panel from the icons
  3. Click Security and select the Firewall tab
  4. Click Edit Rules
  5. Click Create and set up a new rule like this:

You can check as many countries in this list as you want: China, Russian Federation, etc.

Once you have saved your new rule, drag it to the top of your rules list so it becomes the first item, before the "allow" items.  Rules are matched top to bottom, so a DENY placed below an ALLOW for the same ports would never fire.  Now your DiskStation should time out whenever a country in this list tries to access your running services.

Of course, this will stop people/bots/crawlers from these countries viewing anything on your server, which might be undesirable.  If you want to allow certain services (e.g. your web server) through worldwide, then make sure Ports=ALL is not selected on the rule's page and select only the ports that matter.

Or, if you want to allow, for example, only USA traffic onto your DiskStation services, set up the same rule as above but with ALLOW, and add a new rule underneath that is DENY for all+all.  You probably want to add your local IP range (e.g. 192.168.x.x) as an ALLOW too, otherwise the final DENY will lock out your own LAN.
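To make the rule-ordering points above concrete, here is an added Python example (not part of the original post, and not Synology's code) that simulates a DSM-style first-match firewall list. The CIDR-to-country table, the rule sets, and the `default` policy for "no rule matched" are assumptions made for the illustration; the addresses are constructed documentation ranges standing in for the countries named in the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed lookup table mapping sample networks to ISO country codes.
# These are documentation/test ranges used purely for illustration; a real
# geo-blocking rule relies on the country database DSM ships with.
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "UA"),   # stands in for Ukraine
    (ipaddress.ip_network("198.51.100.0/24"), "CN"),  # stands in for China
    (ipaddress.ip_network("192.0.2.0/24"), "US"),     # stands in for USA
]


def country_of(ip: str) -> Optional[str]:
    """Return the country code for an address, or None if it is unknown
    (a private LAN address, for example, has no country)."""
    addr = ipaddress.ip_address(ip)
    for net, code in GEO_TABLE:
        if addr in net:
            return code
    return None


@dataclass
class Rule:
    action: str                        # "ALLOW" or "DENY"
    countries: Optional[set] = None    # None means any country
    networks: Optional[list] = None    # CIDR strings; None means any source
    ports: Optional[set] = None        # None means Ports=ALL

    def matches(self, ip: str, port: int) -> bool:
        if self.ports is not None and port not in self.ports:
            return False
        if self.networks is not None:
            addr = ipaddress.ip_address(ip)
            if not any(addr in ipaddress.ip_network(n) for n in self.networks):
                return False
        if self.countries is not None and country_of(ip) not in self.countries:
            return False
        return True


def evaluate(rules, ip: str, port: int, default: str = "ALLOW") -> str:
    """Walk the list top to bottom; the first matching rule decides.
    `default` is an assumed stand-in for the firewall's 'no rule matched' policy."""
    for rule in rules:
        if rule.matches(ip, port):
            return rule.action
    return default


# 1. The post's main recipe: a DENY for chosen countries dragged to the top,
#    with the usual allow rules underneath.
GEO_DENY_RULES = [
    Rule("DENY", countries={"UA", "CN", "RU"}),       # Ports=ALL
    Rule("ALLOW", ports={25, 80, 443, 5000}),
]

# 2. Same idea, but the DENY is scoped to the mail ports only, so the web
#    server stays reachable worldwide.
PORT_SCOPED_RULES = [
    Rule("DENY", countries={"UA", "CN", "RU"}, ports={25, 993}),
    Rule("ALLOW", ports={25, 80, 443, 993, 5000}),
]

# 3. Allow-list variant: the LAN and one country get in, everything else is
#    denied by a final all+all rule.
ALLOW_LIST_RULES = [
    Rule("ALLOW", networks=["192.168.0.0/16"]),
    Rule("ALLOW", countries={"US"}),
    Rule("DENY"),                                     # all + all
]

# 4. The pitfall: the DENY was not dragged above the allow rule, so it is
#    shadowed by the ALLOW and never fires.
MISORDERED_RULES = [
    Rule("ALLOW", ports={25, 80, 443, 5000}),
    Rule("DENY", countries={"UA", "CN", "RU"}),
]


if __name__ == "__main__":
    cases = [
        ("geo deny, UA -> mail", GEO_DENY_RULES, "203.0.113.7", 25),
        ("geo deny, US -> mail", GEO_DENY_RULES, "192.0.2.9", 25),
        ("port-scoped, UA -> web", PORT_SCOPED_RULES, "203.0.113.7", 80),
        ("allow-list, LAN -> DSM", ALLOW_LIST_RULES, "192.168.1.20", 5000),
        ("allow-list, CN -> DSM", ALLOW_LIST_RULES, "198.51.100.4", 5000),
        ("misordered, UA -> mail", MISORDERED_RULES, "203.0.113.7", 25),
    ]
    for label, rules, ip, port in cases:
        print(f"{label:26} {ip:>14}:{port:<5} -> {evaluate(rules, ip, port)}")
```

Running the script shows the four situations the post describes: the country DENY at the top blocks mail from the sample Ukrainian range while a US address still gets through; scoping the DENY to ports 25 and 993 leaves port 80 open worldwide; the allow-list variant admits the LAN and the US but denies everyone else through the final all+all rule; and the misordered list lets the Ukrainian address straight through, which is exactly why the post says to drag the new rule to the top.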

Check it works

Now you need to test if the rule is actually working.

I found this website, which allows you to test your website from inside China:
http://www.websitepulse.com/help/testtools.china-test.html
You need to wait about a minute for the test to time out if everything is set correctly.  Also, make sure you select "Show HTTP Headers" before running the test.  You will also need China in your DENY ruleset for this test to actually prove anything.

Result:

[Screenshot: Screen Shot 2016-11-08 at 11.52.38]

In addition to the firewall rule, make sure you go through the other tabs, Protection and Auto Block, enabling DoS protection and Auto Block.  Also check your firewall rules for any rogue ports that you do not recognise.  Some DSM packages leave rules behind, which should be cleared if you have removed those services.

Final notes:

I imagine any hacker out there who REALLY wants access would use an anonymous VPN to route attacks via another country, so this rule is only a partial solution to securing your DiskStation.

Also, if you prefer to delve into .htaccess, you can generate the .htaccess code using this tool:
http://www.ip2location.com/free/visitor-blocker

I would also recommend you set Security Advisor to run daily (advanced).  This tool alone checks your DiskStation to make sure system files have not been tampered with and that it is not exposed to malware and many other exploits and vulnerabilities. You can find Security Advisor by clicking the Menu icon in the top-left corner of the DSM admin screen.

[Screenshot: Screen Shot 2016-11-08 at 13.11.20]

[Screenshot: Screen Shot 2016-11-08 at 13.08.49]

What it checks:

[Screenshot: secAdvisor]

  • Jim Copeland

    I’m not sure how old this article is, but this is some helpful information! I can’t seem to find the security advisor though. Is that package that has been removed from the current version of DSM?

    • Sylvain Dansereau

      In DSM 6.1 it is available in the main menu.