webdav security and Netdrive

Awesome response!  Have you used the Synology VPN services?  Is there a significant decline in data throughput when securing with a VPN connection?

I like Cloudsync but shared folders created on the Synology are not synced by Cloudsync for remote connectivity.  So maybe mix of WebDAV, Cloudsync, and securing WebDAV with a VPN connection is ideal.   Oh, and a solid cloud backup for when data gets compromised or destroyed.

Do you recommend any backup that works well Diskstation to Diskstation?  I currently use iDrive for backing up.

Welp, my client got hacked yesterday in what I can only assume to be webdav service exploit.  The hackers reconfigured the uverse router/modem and placed the Diskstation in the DMZ.  I reset the router to factory defaults but the private network was altered again to a different network address scheme as soon I plugged the synology back in.   Right now, the synology and workstations that need access to it are off the internet grid so they can perform their work while I figure out how to resolve this issue.  I created a log that a couple minutes to produce and sent it over to Synology support.   Normally, the log take just a couple seconds to produce.  Anyway, I have since took any other lingering webdav IT clients and removed their Webdav services.


Synology Tickets request...

"Hi,
The Synology was hacked and today was placed out on the DMZ for half the day. Please review the logs. It hasn’t been the same since. I’ve changed the router private IP from the 192.168.1.x network to 172.16.x.x network. The synology repeatedly obtains IPs like 192.168.117.x or 172.16.117.x or something like that. It took a couple minutes to generate the logs. That usually isn’t the case. Please review the attachment. Thanks!"

WebDAV is not secure as shared or in short file hosting unless you are fronted with web app FW, ddos protection etc measures...regardless, check also the patch level for Synology Diskstation and better to clean it up now as exploit is most lying already uploaded into the storage. I suggest focus on recovery and damage containment now...

- Change all password to still any public facing server and router inclusive.
- Check any default account (that should have been disabled or not using the default password) login access brute force attempts..
- Trace of source IP of hacker likely leads no where since it is private IP (instead of the usual public IP that would gone through anonymiser that lead you no where), instead
- Check for VPN user connection during this hacks and can be infected machine (which client is not aware) conducting lateral spreading and found this WebDAV open to it

As it turned out the slowness of the synology was due to some rogue Ethernet cable randomly was connected during this network debacle.  It just so happened to be coming from the suite next door and handing out IPs.  This doesn't explain how the synology was placed in the DMZ.  The other office suite would have no clue on how to do that.  

Synology support did not see anything obvious in the logs of it being compromised.  I went ahead and did a double button reset to wipe the OS anyway.  Anyway, it may have been some other form of entry like a workstation. With that said, I don't feel confident re enabling WebDAV services.  I'm hoping a sonicwall w intrusion section services plus VPN will help with securing the network and prevent this type of mishap in the future.