D-Link Forums
The Graveyard - Products No Longer Supported => D-Link Storage => DNS-321 => Topic started by: Gumz on November 14, 2009, 11:06:03 PM
-
Not sure what the vulnerability is, but I had the FTP server on my DNS-321 enabled and the port forwarded from my router and someone managed to change the password on my NAS. Not sure how much damage they did but I definitely had an active FTP connection from Japan (ip: 219.111.6.132) found it on my router.
This is both a warning (don't port forward your FTP) and a report to developers hoping they find the vulnerability and patch it.
-
How secure were your passwords on the FTP server? If you're not careful, a simple dictionary attack on the server would be all it takes.
That being said, I would like to see the FTP server have a 15 minute lockout for say 3 failed connection attempts, just to prevent such attacks.
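The lockout the post asks for, worked through as an added example (not D-Link code or anything from this thread): replay constructed FTP login log lines through a policy that locks a client address out for 15 minutes after 3 failed attempts. The log format, the 15-minute counting window and the sample lines are all assumptions; the point it shows is that once the lock is in place, even a correct password from that address is refused until the lock expires.

```python
"""Failed-login lockout replayed over FTP server log lines.

Added example, not code from the D-Link firmware or the forum thread.
Assumed (constructed) log format: "<ISO timestamp> <OK|FAIL> <user> <client ip>".
Policy taken from the post: 3 failures lock the client out for 15 minutes.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 3
LOCKOUT = timedelta(minutes=15)
WINDOW = timedelta(minutes=15)   # assumption: failures older than this no longer count

# Constructed sample log lines (not real NAS output); 203.0.113.7 guesses three
# times, then supplies the right password on the fourth try.
SAMPLE_LOG = """\
2009-11-14T22:01:05 FAIL admin 203.0.113.7
2009-11-14T22:01:09 FAIL admin 203.0.113.7
2009-11-14T22:01:12 FAIL root 203.0.113.7
2009-11-14T22:01:15 OK admin 203.0.113.7
2009-11-14T22:05:00 OK terry 192.0.2.20
2009-11-14T22:20:00 OK admin 203.0.113.7
"""


def parse_line(line):
    """Split one log line into (timestamp, succeeded, user, client ip)."""
    ts, result, user, ip = line.split()
    return datetime.fromisoformat(ts), result == "OK", user, ip


class LockoutPolicy:
    def __init__(self, max_failures=MAX_FAILURES, lockout=LOCKOUT, window=WINDOW):
        self.max_failures = max_failures
        self.lockout = lockout
        self.window = window
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> time the lock expires

    def evaluate(self, ts, ok, ip):
        """Return 'LOCKED' if the attempt must be refused regardless of the
        password, or 'ALLOW' if the server may process it."""
        until = self.locked_until.get(ip)
        if until is not None:
            if ts < until:
                return "LOCKED"
            # Lock expired: forget it and start counting afresh.
            del self.locked_until[ip]
            self.failures[ip].clear()
        if ok:
            self.failures[ip].clear()
            return "ALLOW"
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_failures:
            # This failure is processed, but everything after it is refused.
            self.locked_until[ip] = ts + self.lockout
        return "ALLOW"


def replay(log_text):
    """Run every log line through a fresh policy; return the per-line decisions."""
    policy = LockoutPolicy()
    decisions = []
    for line in log_text.splitlines():
        ts, ok, user, ip = parse_line(line)
        decisions.append((ts.isoformat(), user, ip, policy.evaluate(ts, ok, ip)))
    return decisions, policy


if __name__ == "__main__":
    for row in replay(SAMPLE_LOG)[0]:
        print(*row)
```

The fourth line is the one that matters: the guessed-right password arrives three seconds after the lock started and is refused, while the unrelated client at 192.0.2.20 and the same admin logging in after the lock has expired both get through.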
-
So you're saying they changed your admin login password to your NAS? But you only had the FTP port open? It doesn't really make too much sense to me since they are not linked so you are going to have to give more detail. Which firmware are you running?
-
I think you should make a formal security bug report and provide specific details. I don't see how someone breached the FTP server but I'm sure it's possible given the right tools. But if someone was to breach and change the password, did they do something else? Did they add something like fun plug? Is this connected to a home or company system?
I agree with GRJ, a login freeze would be helpful but I'd also like to see a disable option for the FTP server. Mine is always running even though I have no shared directories. It's unsettling not having a disable option.
-Joe
-
The stop FTP button is right there at the bottom of the FTP config page. By default it is stopped until a share is created.
-
ECF beat me to it, my FTP server in the DNS-321 is disabled, I've never configured it. I have the FTP server on the DNS-323 running, but I only open the ports when I want to share some data, I'm not that confident in the security of the FTP server in these boxes.
-
The stop FTP button is right there at the bottom of the FTP config page. By default it is stopped until a share is created.
Just to add to that, it is disabled until a share is added to the FTP SERVER section. It does not enable when setting up network access settings.
-
Well it's odd that there is a Status page that states "Started". Am I the only one that has this? My FTP was never changed from the initial default. I have no shared files so I know it's not sharing those. Also if I click "Stop FTP Server", the status changed to "Stopped". If I reboot the NAS the FTP Server is started again.
So tell me again the FTP server is not running. I'm not trying to be pig headed here but I'll post screen shots if you like. I could be screwed up.
-
I just checked mine and it's stopped. I restarted the DNS-321 and the FTP server is still stopped according to the status page.
Try resetting to factory defaults and reconfiguring, see if that doesn't sort it out.
-
Also try stopping it and log out of the unit. Is it still stopped when you go back to it?
-
Mine is still stopped from when I manually stopped it. I turned off the NAS (shutdown) and turned it back on again. Okay, it's not running. You know I hate that when I'm wrong but I'm going to keep an eye on it because I know I've stopped it several times and it keeps turning itself back on. Maybe I'm doing something somehow to the NAS but really it just sits there day and night. I don't have fun plug or any other applications, just the 1.03 firmware. If it starts itself within the week, I'll post it.
As for the FTP hacker changing the root password, is that possible?
-
Ghosts? :D
-
Ghosts? :D
Got to me. I just checked it and it's been over 24 hours and the server is still stopped. Damn Ghosts ;)
-
Yep, they haunt all electronic devices, and computer related devices are especially vulnerable! :D
-
I don't think it was ghost, he also came into the Forum for assistance. ;D
Not sure what the vulnerability is,
Gumz,
May I suggest disabling UPnP on all devices. Also scan your computer. Also password protect your networked computers. Though maybe, just maybe, someone may have jumped into your network.
-
Does anyone still use plain old FTP??? It sends passwords in open text so it's not a great idea to open it to the world anyway. Use SFTP or FTP/SSL instead. Either way you do it, use non-standard 4-digit ports for this as 21 is scanned by every security tool out there.
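To make the "passwords in open text" point concrete, here is an added example (not from this thread or from D-Link) that audits a constructed FTP control-channel transcript: it flags USER/PASS sent before any TLS negotiation, recognises the RFC 4217 AUTH TLS exchange (server reply 234), and also catches the case a DNS-321 owner would actually hit, where the client asks for TLS, the server refuses, and the client logs in anyway. The transcripts and the 'C'/'S' tuple format are assumptions for the example.

```python
"""Audit an FTP control-channel transcript for credentials sent in the clear.

Added example, not code from the forum or from D-Link. Transcripts are
constructed lists of (direction, line) with 'C' = client, 'S' = server, using
the command/reply shapes of RFC 959 (USER, PASS) and RFC 4217 (AUTH TLS -> 234).
Commands after a 234 reply are treated as inside TLS, as they would be on the wire.
"""


def audit_control_channel(exchange):
    """Return which credentials crossed the channel unprotected and whether TLS was negotiated."""
    tls_active = False
    auth_pending = False
    findings = []
    for direction, text in exchange:
        verb, _, arg = text.partition(" ")
        if direction == "C":
            verb = verb.upper()
            if verb == "AUTH" and arg.upper() in ("TLS", "SSL"):
                auth_pending = True
            elif verb == "USER" and not tls_active:
                findings.append(f"USER sent in cleartext: {arg}")
            elif verb == "PASS" and not tls_active:
                # Never copy the password itself into a finding.
                findings.append("PASS sent in cleartext (value withheld)")
        else:
            code = text[:3]   # FTP replies start with a three-digit code
            if auth_pending:
                if code == "234":
                    tls_active = True
                else:
                    findings.append(
                        f"server refused AUTH TLS ({code}); session continued in cleartext")
                auth_pending = False
    return {
        "tls_negotiated": tls_active,
        "cleartext_credentials": any(f.startswith(("USER", "PASS")) for f in findings),
        "findings": findings,
    }


# Constructed transcripts (not captures from a real device).
PLAIN_FTP = [
    ("S", "220 NAS FTP server ready"),
    ("C", "USER admin"),
    ("S", "331 Password required for admin"),
    ("C", "PASS example-password"),
    ("S", "230 User logged in"),
]

FTPS = [
    ("S", "220 FTP server ready"),
    ("C", "AUTH TLS"),
    ("S", "234 Proceed with negotiation"),
    ("C", "USER admin"),
    ("S", "331 Password required for admin"),
    ("C", "PASS example-password"),
    ("S", "230 User logged in"),
]

# Server without TLS support: client asks, server declines, client logs in anyway.
DOWNGRADE = [
    ("S", "220 NAS FTP server ready"),
    ("C", "AUTH TLS"),
    ("S", "502 Command not implemented"),
    ("C", "USER admin"),
    ("S", "331 Password required for admin"),
    ("C", "PASS example-password"),
    ("S", "230 User logged in"),
]


if __name__ == "__main__":
    for name, session in (("plain", PLAIN_FTP), ("ftps", FTPS), ("downgrade", DOWNGRADE)):
        print(name, audit_control_channel(session))
```

The third transcript is the practical lesson: a client that merely *offers* TLS gains nothing if it proceeds after a refusal, so the client should be configured to require TLS, and until the server supports it (see the firmware discussion later in this thread) the box simply should not have port 21 forwarded to it.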
-
Unless I missed something the DNS-321 does not support SFTP or FTP/SSL. All I have been able to find is plain FTP. If you know how to do the other please let me know because I am not happy with the plain FTP.
Thanks,
Terry
-
I'm sure he's suggesting you install something like FunPlug and then load one of the secure FTP packages available.
-
Right. It doesn't support those. It's exactly my point. Personally I don't consider this NAS box (or any other device with an embedded OS other than one specifically designed for this purpose) safe enough to be exposed directly to the Internet. My solution is to use a dedicated server with regular security updates serving as secure ftp, www, mail and whatever else I need exposed to outside. That's the only point that has ports forwarded to it through the router.
-
I agree without add-ons that the DNS-321/323 probably isn't safe to expose to the Internet.
-
I agree with you guys but my problem is that I am not a guru with this add-on stuff. Would any of you guys who have done it give us novices a detailed outline on how to do it. When you start typing command line stuff I kind of get lost and I have read the install procedure but it is written for people who have experience with Linux which I am not. But if I have a list of things to follow I can do that. Any help would be appreciated.
Thanks,
Terry
-
Terry,
Do a google search for fun plug. There are a few tutorials on this item and it's fairly easy. I don't recall if R-Sync is part of it but if so, that would greatly help out your backup issue as well.
Oh, and even though I say it's easy, it still requires several hours of reading before you take the plunge. Also, if you do want to try out fun plug, I recommend you remove your real hard drives, install a single test drive, load fun plug and test it out. You can always put back your old drives. Also save your configuration before you start.
-Joe
-
I wouldn't recommend messing with the plug etc. for novice user.
The simplest setup for windows person would probably be something like this:
- have a windows machine on your network that you keep up to date with security patches etc. Ideally this would be a dedicated machine (even old cheap low power would do). But you can also use your desktop or laptop if you leave them on. They are just under more risk of getting crap when browsing on internet.
- set up this machine with static IP address
- install Filezilla FTP server. It's a free secure server that supports all the stuff you can dream of.
- depending how secure you want your shares inside your network either leave it wide open on dns-321 or create a share for some user and remember its password.
- if you choose to protect the share with a password, create a user with the same name/password on the windows box and make sure the Filezilla service runs as this user
- in Filezilla share this share as \\yournas\share (you cannot map it as a drive since the service would run even when no one has logged on).
- map ports on your router to this windows machine.
You'll have to figure out which ports, especially if you want to run this in passive mode (that's where it becomes fun, especially with SSL stuff). I'd recommend opening some port like 7921 and map it to port 21 of your windows box.
Now this is just an outline of the setup, but it would get you started. I ran something like this for years before I turned to linux server with more serious setup.
-
One of the attractions of the NAS FTP is the low power operation. Even a low power machine will use 100 watts, if you have the electric rates we do here in SE-PA, you can do the math. I figure for a minimal configuration I'd be paying $13-14/mo, that's the price of a new NAS box in less than a year!
I think there are real benefits to solving this security issue for the DNS-321. :)
-
I fully agree with GRJ, it's nice to use as little power as possible if you can get away with it.
Again, check out fun plug. It has secure FTP but when you first install it, the normal FTP in fun plug will be active. The tutorials will have you disable that after you enable the secure FTP and test it out. If you don't like fun plug, just delete the directory on the drive.
Let us know what you decide.
-Joe
-
I agree on power consumption, just trying to suggest alternatives to someone not likely messing around with command line. BTW you can safely use a netbook for this sort of stuff, so power consumption should be much lower than a desktop.
-
I agree on power consumption, just trying to suggest alternatives to someone not likely messing around with command line. BTW you can safely use a netbook for this sort of stuff, so power consumption should be much lower than a desktop.
That presumes you already own a Netbook. ;)
-
The DNS-321 should get the same treatment as the DNS-323 1.08 firmware on its FTP server, meaning TLS/SSL only connections, passive port range configurations and any other changes I missed. I just can't give an eta on that =P.
-
That's good news, I'd like secure connections on the box.
-
DLM,
Can you also include a faster processor and more RAM in the next firmware update ;D
Hey, seriously, I'm glad TLS/SSL will be included in the next firmware update.
-
DLM,
Can you also include a faster processor and more RAM in the next firmware update ;D
Hey, seriously, I'm glad TLS/SSL will be included in the next firmware update.
*waves magic forum wand* nope nothing, wand might need a firmware upgrade too.
-
*waves magic forum wand* nope nothing, wand might need a firmware upgrade too.
Really? Seemed to work here, my 321 now has an i970 and 6 gigs of RAM in it. ;) ;) ;D