I was trying to use VLC 3.2.2 for iOS to get to a hidden folder on a local network storage device. Some time after 3.2.0, SMBv1 stopped working right, and the VideoLan folks are working on it, but it got me thinking.
The NAS I use has a GUI web interface, and is Linux-based, so it should have some logging, simple or otherwise. Naturally it was disabled by default, because of course it was, and when I enabled it to see what it offered, I was a little surprised.
One of the various tabs showed connection attempts. which is exactly what I wanted to see. I was a bit shocked, then amazed, and puzzled, when every few seconds I saw another entry come up. These entries were from external IP addresses. They were dictionary login names trying to authenticate via SSH to my NAS. Hmm. What the hell.
First, I logged in to my router and looked at the ports I’d had specifically forwarded. Many of these were for services I wasn’t using, mostly attempts to get OpenVPN to work properly. I shrugged and deleted them all, knowing that I could add them later if needed. That didn’t slow things.
Next up I looked at the SSH settings on the NAS and decided that I wouldn’t disable the service, but rather change the port. If I need to get a shell on the NAS in the future, I can always look up the longer number and connect. Bam, that was like closing the door hard.
Relieved, I also still had a bit of a warning that I should keep watching the log and alas I did see some FTP attempts at connections. Click, Apply, and silence.
Not completely satisfied, I did some more research and found that the router I use has some clever UPnP services that automatically let connections through. Ah, okay, this made sense but how was it being….
Oh, the NAS was asking for ports to be opened via UPnP. Click, Apply, sigh.
It seems like my efforts to get OpenVPN working some months ago and default settings on the NAS and router meant that I’d made my NAS vulnerable to external attacks. Now, I’ll admit that I wasn’t super clever in disabling the default admin account and making a super complex password, but it also seems like no complex scripts had successfully connected and found their way in. At least, I hope. Any logs the system had made, if any, were likely not saved. It’s a device that I use somewhat often, and exfiltrating or messing with the system would have run alerts from my internet provider.
Check your devices. Make sure they’re only asking for what they should be given. Look at some logs for an hour or 24. Change your passwords, even on “internal” networks, because they’re only safe if you didn’t accidentally poke holes in your network to make them more public than you wanted.