Constant login attempts when port forwarding enabled

Using my router, I’ve enable the 5000/5001 port forward to my Synology. I get continually hit with [admin] login attempts. One every three minutes, 24 hours a day. My admin account is deactivated and it has a ridiculously long, complex password anyway. I also made sure that the welcome message on my Synology login screen name doesn’t include an account name like, “Welcome to Bob’s Synology!”. I have disabled emailing log messages of these attempts and I aggressively lockout an IP address after 3 attempts (for 500 days, the max), but I think that whatever bot is behind this changes its IP address continually. I am getting some “IP Address Blocked” log entires, though. (14 today so far) I also implemented 2FA.

Should I be worried about these attempts? Should I close the port forward and use QuickConnect instead, or will I still get these attempts?

You are protected, however you should always change your NAS’ default 5000/5001 ports to other uncommon values as a “layer” of protection when forwarding is necessary. For example, if you need external HTTPS access via DDNS or personal domain, change the 5001 (default) to 17853, and forward that.

I’d also question why you are forwarding the default HTTP port (5000). Do you need to make insecure connections to your NAS from external sources?

Doing this may require you to append the custom HTTPS port number to mobile DS apps… for example… instead of using https://nas1.synology.me as the URL in DSFile, you’ll need to include the custom port number as such …
https://nas1.synology.me:17853.

An alternate approach is to change the way your router forwards to the NAS. Instead of forwarding external traffic from 5001 to 5001, change the external value to 9732 (for example). Then using https://nas1.synology.me:9732 will redirect your external connection request to the NAS’ default 5001 port.

Script kiddies are always attempting to connect to “admin” using weak passwords, dictionary attacks, and password lists captured from other sites. They know that many users leave admin open, and are using the default set up HTTP/HTTPS ports.

2 Likes

Thank you, that’s very helpful.
I took a look at my logs, and a bunch of IP addresses have been blocked, and there have been no login attempts for about six hours, so the IP address blocking seems to be working.

I deleted the port 5000, then I changed the 5001 to a different port, first on my Synology and then on my router. I’ve done this remotely and now I cannot access my Synology. No big deal; I’m flying home tomorrow and I can fix things up once I’m on my LAN at home.

I appreciate your help very much. Thank you.

I had a similar situation as well when I first exposed my Nass even using a different port. Sound like your doing all the right things but I suggest one more depending on what else you have on your network. Depending on what router you have you might want to upgrade it to one that support intrusion detection/prevention. And possibly even setting up a few Vlans to isolate the more risky network devices like IOT & kids machines.

1 Like

Very helpful advice. I have had several episodes of login attempts as well. I ended up cancelling port forwarding at the router until I needed remote access again. But changing default port sounds at least a little more likely to avoid random hits.

1 Like

So this bot net has been around for a while. They have thousands of IPs and are therefor able to skip by auto block. But they are just trolling to see if they can find an admin account still enabled, with a dumb password.

In generally this looks more scary, then it actually is. If you have the admin acount disabled they can’t do anything and guessing the other username is basically like guessing another password.

These are not the things you should worry about. What you should worry about are people who may or may not have found a vulnerability in DSM, rather than just brute forcing with a bot net

1 Like