• @[email protected]
    link
    fedilink
    English
    1324 days ago

    If you’re using one of these models, it’s highly recommended that you replace your NAS system with one that’s still receiving patches from the manufacturer. If that isn’t possible right now, Netsecfish suggests restricting access to your NAS settings menu/interface to only trusted IP addresses. You could also isolate your NAS from the public internet to ensure that only authorized users can interact with it.

    Emphasis mine, regardless of this incident, even with a brand new supported model, it shouldn’t be exposed to the internet. Half the reason these security issues are such a big deal is because manufacturers wanted to make things simple and designed it to sit on the open internet, so they wouldn’t have to deal with support requests. Now their customers are exposed because of poor recommendations and the lack of updates.

    • @[email protected]
      link
      fedilink
      English
      524 days ago

      Exactly!

      If you need external access, use an external access infrastructure that’s designed for that purpose, with controls and monitoring.

    • metaStatic
      link
      fedilink
      324 days ago

      who the fuck even still has an exposed IPv4 address anyway, those are fucking expensive since we ran out. I couldn’t expose my network if I tried.

      • @[email protected]
        link
        fedilink
        English
        424 days ago

        Dynamic DNS has solved that for 20+ years. Just need a domain name, and a utility to update the IP when it changes.

        That said, my IP hasn’t changed in over 5 years now.

        • @[email protected]
          link
          fedilink
          English
          124 days ago

          Still though, Dynamic DNS points to an external IP address, which you’d have your NAS exposed on a public port. This is the flaw in the design which allows remote execution of this exploit.

          If you need remote access to the NAS, it should not be publicly exposed and should require a VPN to access. That way if there is an issue or misconfiguration, everyone on the internet can’t exploit it easily.

      • ÚwÙ-Passwort
        link
        English
        122 days ago

        Its free, so why the fuck not? Why the hassle with ddns, wich funnily enough is also free with my hoster/registra