A security question on failed login attempts from unknown IP

I was notified by my Synology DSM that:

The IP address [192.3.111.145] experienced 10 failed attempts when attempting to log in to DSM running on [my DSM] within 5 minutes, and was blocked at 2023-04-24 18:00.

Has anybody seen this before? Should I be concerned? Thanks.

1 Like

Yes I have seen this before. Not long ago, I had login attempts every few minutes.

But you should not be really concerned, if you created your accounts in a “sensible” way.
These notifications are from bots (small programs) which try to find computers on the internet which are not secured (enough) to capture and use them for their own purposes.

With “sensible” I mean:

  • Your admin account should not have “admin” as a username. If you look into the protocol, you will see that most login attempts use “admin”, “root”, “administrator”, and so on as a user name. So the first thing you want to do is to rename your admin account, if you haven’t done it before.
  • Use secure passwords (for all of your accounts)

You can get more hints to secure your Synology in the “Security Advisor”. This is an app which was introduced with DSM 7 if I remember correctly.

If these login attempts get “annoying” you can check which country they are from and block this country in the firewall settings of your Synology. I have done this with a lot of countries and now, it is relatively quiet.

1 Like

Thank you! I appreciate all the tips and advice. I did revisit all the security settings I could find on my NAS as well as my router, changed the admin user passwords, and made sure the NAS admin user was still disabled, also ran the Security Advisor scan to be certain. I also watched Will’s video again. I will be more vigilant about it, but I am not gonna cut the network cable for sure. :smile:

1 Like

About twenty years ago I set up a temporary FTP server to move some files from home to work. After a few hours, I looked at the log to find dozens of unsuccessful login attempts. It started with IP addresses in the Comcast network for my neighborhood. It was only fifteen or twenty minutes after that when the log showed attempts from Japan and Russia. In an hour or two I was logging penetration attempts from all over the world, mostly from Russia, China, and Japan. It’s crazy how fast news of a potential victim draws the scavengers.

There has been what I can only assume is a botnet going around for the past ~2 months going after Synologys. The interesting part about this is it’s actually constantly using different IP addresses (in a lot of cases) to try common admin logins.

As long as you follow the stuff @OliOS2 wrote out I would sleep well!

I would take it as a time to make sure to kick the tires on your accounts! At the end of the day it’s just people looking for someone who has left something stupid open!
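
The pattern discussed in this thread, as an added example that is not part of any post: a per-IP threshold like the one in the notification (10 failures within 5 minutes) catches a single noisy source but not a botnet that rotates addresses, so the sketch also counts distinct source IPs per username. The event tuples, function names and the `min_ips` threshold are assumptions; the sample events are constructed and use documentation IP ranges.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def sample_events():
    """Constructed failed-login events: (timestamp, source IP, username)."""
    base = datetime(2023, 4, 24, 17, 55)
    # One noisy source: 10 failures, 30 seconds apart.
    ev = [(base + timedelta(seconds=30 * i), "192.0.2.10", "admin") for i in range(10)]
    # Rotating sources: one attempt per address, common admin usernames.
    ev += [(base + timedelta(minutes=7 * i), f"198.51.100.{i + 1}", ("admin", "root")[i % 2])
           for i in range(6)]
    # Slow source: one failure per minute, never 10 inside any 5-minute window.
    ev += [(base + timedelta(minutes=i), "203.0.113.7", "administrator") for i in range(10)]
    return sorted(ev)

def auto_block(events, limit=10, window=timedelta(minutes=5)):
    """Return {ip: time of block} for IPs with `limit` failures inside `window`."""
    recent = defaultdict(deque)
    blocked = {}
    for ts, ip, _user in sorted(events):
        if ip in blocked:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= window:  # forget failures that fell out of the window
            q.popleft()
        if len(q) >= limit:
            blocked[ip] = ts
    return blocked

def sprayed_usernames(events, min_ips=3):
    """Return {username: distinct IP count} for names tried from many addresses."""
    ips_by_user = defaultdict(set)
    for _ts, ip, user in events:
        ips_by_user[user].add(ip)
    return {u: len(ips) for u, ips in ips_by_user.items() if len(ips) >= min_ips}

if __name__ == "__main__":
    events = sample_events()
    for ip, when in auto_block(events).items():
        print(f"block {ip} at {when}")
    for user, n in sprayed_usernames(events).items():
        print(f"username {user!r} tried from {n} different IPs")
```

Only the noisy source trips the per-IP rule; the rotating and slow sources show up only in the per-username count, which is why renaming the admin account and using strong passwords matter more than the block list.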