Blacklist IP Addresses

Introduction

Recently my NAS came under attack, and the funny thing is that I only noticed because the internet connection had become slow.

As luck would have it, after a while the NAS, even while under attack, managed to send me an email telling me that user X had failed to log in and that after N attempts it had blocked the IP.

Strange: user X does not exist on my NAS…

With some difficulty I managed to connect to the NAS and check the logs, and from there I discovered that I was under attack.

For the record, the NAS is a Synology.

What was the attack about?

I checked the source IPs and it seems the attack came from China or, at least, from compromised machines with Chinese IP addresses.

The attack was simple: the attackers tried to log in with a set of username/password pairs at their disposal. Evidently they have a list of known usernames and passwords that have worked in other attacks (a dictionary attack with recycled credentials), and they were running through it against my login page.

Unsurprisingly, the most tried username was admin.

Why couldn’t they get in?

For five reasons:

  1. I had disabled the admin account some time ago.
  2. I have enabled MFA (two-factor authentication) for all users in the administrators group.
  3. I have enabled Auto Block, which disables the account and/or blocks the IP address after 3 failed password attempts within 5 minutes.
  4. I have enabled DoS (denial-of-service) protection.
  5. I have enabled the firewall.
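To show what rule 3 actually does, here is an added Python example (not Synology's code, and not what DSM runs internally) of a sliding-window lockout: it replays a few constructed log lines in a simplified key=value layout (not DSM's real log format) and reports which source IPs exceeded 3 failed logins within 5 minutes. The thresholds, the log layout, the IPs and the usernames are assumptions for illustration.

```python
"""Sliding-window login lockout: the logic behind an "N failed attempts in
M minutes blocks the IP" rule. Added example; not Synology's implementation."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_ATTEMPTS = 3                 # the "3 times" from the post (assumed threshold)
WINDOW = timedelta(minutes=5)    # the "within 5 minutes" from the post

# Constructed sample log in a simplified "key=value" layout (not DSM's format).
# 203.0.113.5 fails three times inside five minutes; 198.51.100.7 also fails
# three times in total, but its first failure is ~18 minutes before the other two.
SAMPLE_LOG = """\
2024-05-01T10:00:01 auth failed user=admin ip=203.0.113.5
2024-05-01T10:00:05 auth failed user=root ip=203.0.113.5
2024-05-01T10:01:30 auth failed user=test ip=198.51.100.7
2024-05-01T10:02:10 auth failed user=admin ip=203.0.113.5
2024-05-01T10:03:00 auth failed user=guest ip=203.0.113.5
2024-05-01T10:20:00 auth failed user=admin ip=198.51.100.7
2024-05-01T10:21:00 auth failed user=admin ip=198.51.100.7
"""


def parse_line(line):
    """Return (timestamp, username, source_ip) for one failed-login line."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
    return datetime.fromisoformat(ts_str), fields["user"], fields["ip"]


def find_blocks(log_text, max_attempts=MAX_ATTEMPTS, window=WINDOW):
    """Replay the log and return {ip: {"blocked_at": ts, "users": [...]}} for
    every IP that reached max_attempts failures inside one sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    tried = defaultdict(list)     # ip -> usernames it tried (for the report/email)
    blocked = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip = parse_line(line)
        if ip in blocked:
            continue              # already blocked: later attempts never reach auth
        tried[ip].append(user)
        q = recent[ip]
        q.append(ts)
        # Drop failures older than the window so only a real burst counts.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= max_attempts:
            blocked[ip] = {"blocked_at": ts, "users": tried[ip]}
    return blocked


if __name__ == "__main__":
    for ip, info in find_blocks(SAMPLE_LOG).items():
        print(f"{ip} blocked at {info['blocked_at']} after trying {info['users']}")
```

With the sample above only 203.0.113.5 gets blocked, at the third failure; 198.51.100.7 is not, because its first failure has already aged out of the 5-minute window by the time the other two arrive. That is the trade-off of any such rule: a slow, patient attacker that stays under the rate stays under the radar, which is why the rule is a speed bump and the disabled admin account plus MFA are the real barrier.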

How did they find me?

Because, after all the precautions I had taken, I had forgotten the simplest thing: changing the external port number instead of keeping the default ones Synology provides. Bear in mind that a non-default port only hides the NAS from scanners that probe the default ports; a scan of the full port range still finds it, so this cuts down the noise rather than replacing the five controls above.

What have I done?

I immediately unplugged the Ethernet cable from the router, which disconnected every device from the network.
With the NAS no longer swamped and its CPU freed up, I was able to change the external port number on the NAS and on the router (remember that by default it is 5000 for HTTP and 5001 for HTTPS).

Next I started looking for a blacklist of IP addresses to feed to the NAS firewall.
Unfortunately I found many files each containing only a few addresses, so I collected them all into a single, huge file with more than 23k IP addresses.
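Merging many small downloaded lists by hand is where junk creeps in: comments, duplicates across files, entries in different notations, and malformed lines that a firewall may silently ignore or reject. Here is an added Python example (not the author's script and not a Synology tool) that merges several lists, validates every entry with the standard `ipaddress` module, drops comments and bad lines, deduplicates, and collapses neighbouring addresses into CIDR blocks so the firewall ends up with fewer, larger rules. The two sample lists are constructed for illustration; the comment markers `#` and `;` are an assumption about the feed formats.

```python
"""Merge several downloaded IP blacklists into one clean, deduplicated list.
Added example, not the post author's script. It validates each entry,
drops comments and junk, and collapses adjacent addresses into CIDR blocks."""
import ipaddress

# Constructed sample "downloaded" lists (not real feeds): mixed single IPs,
# CIDR blocks, comments, a duplicate across files, an IPv6 entry, a bad line.
LIST_A = """\
# example list A
203.0.113.5
203.0.113.6
198.51.100.0/24
"""
LIST_B = """\
203.0.113.5        ; already in list A
203.0.113.7
203.0.113.4
2001:db8::1
not-an-ip
"""


def parse_entries(text):
    """Return (networks, rejected) for one list; '#' and ';' start comments."""
    nets, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not entry:
            continue
        try:
            # strict=False accepts host bits set, e.g. 10.0.0.1/8 -> 10.0.0.0/8
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append(entry)   # keep the junk visible instead of silently dropping it
    return nets, rejected


def merge_blacklists(sources):
    """Return (ipv4_networks, ipv6_networks, rejected_entries).
    Duplicates vanish and neighbouring addresses collapse into CIDR blocks;
    collapsing never widens a block beyond addresses that were listed."""
    nets, rejected = [], []
    for text in sources:
        n, r = parse_entries(text)
        nets.extend(n)
        rejected.extend(r)
    # collapse_addresses only accepts one address family at a time.
    v4 = list(ipaddress.collapse_addresses(n for n in nets if n.version == 4))
    v6 = list(ipaddress.collapse_addresses(n for n in nets if n.version == 6))
    return v4, v6, rejected


def render(networks):
    """One entry per line; /32 and /128 are written as plain addresses."""
    lines = []
    for n in networks:
        if n.prefixlen == n.max_prefixlen:
            lines.append(str(n.network_address))
        else:
            lines.append(str(n))
    return "\n".join(lines)


if __name__ == "__main__":
    v4, v6, bad = merge_blacklists([LIST_A, LIST_B])
    print(render(v4 + v6))
    print(f"{sum(n.num_addresses for n in v4)} IPv4 addresses in {len(v4)} blocks; rejected: {bad}")
```

On the sample input the six IPv4 entries become two rules: 198.51.100.0/24 and 203.0.113.4/30 (the latter only because .4, .5, .6 and .7 are all listed, so no unlisted address is blocked). The rejected entries are returned rather than discarded, so a feed that is mostly garbage shows up as such. One caveat worth keeping in mind with a 23k-entry list: public blacklists go stale, and a block on a dynamic or cloud address range will eventually hit someone else, so the list needs periodic regeneration rather than a one-off import.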

Blacklist

So, the result of my work is this list