• bamboo@lemmy.blahaj.zone
    link
    fedilink
    English
    arrow-up
    13
    ·
    13 days ago

    If you’re using one of these models, it’s highly recommended that you replace your NAS system with one that’s still receiving patches from the manufacturer. If that isn’t possible right now, Netsecfish suggests restricting access to your NAS settings menu/interface to only trusted IP addresses. You could also isolate your NAS from the public internet to ensure that only authorized users can interact with it.

    Emphasis mine, regardless of this incident, even with a brand new supported model, it shouldn’t be exposed to the internet. Half the reason these security issues are such a big deal is because manufacturers wanted to make things simple and designed it to sit on the open internet, so they wouldn’t have to deal with support requests. Now their customers are exposed because of poor recommendations and the lack of updates.

    • BearOfaTime@lemm.ee
      link
      fedilink
      English
      arrow-up
      5
      ·
      13 days ago

      Exactly!

      If you need external access, use an external access infrastructure that’s designed for that purpose, with controls and monitoring.

    • metaStatic@kbin.earth
      link
      fedilink
      arrow-up
      3
      ·
      13 days ago

      who the fuck even still has an exposed IPv4 address anyway, those are fucking expensive since we ran out. I couldn’t expose my network if I tried.

      • BearOfaTime@lemm.ee
        link
        fedilink
        English
        arrow-up
        4
        ·
        13 days ago

        Dynamic DNS has solved that for 20+ years. Just need a domain name, and a utility to update the IP when it changes.

        That said, my IP hasn’t changed in over 5 years now.

        • bamboo@lemmy.blahaj.zone
          link
          fedilink
          English
          arrow-up
          1
          ·
          13 days ago

          Still though, Dynamic DNS points to an external IP address, which you’d have your NAS exposed on a public port. This is the flaw in the design which allows remote execution of this exploit.

          If you need remote access to the NAS, it should not be publicly exposed and should require a VPN to access. That way if there is an issue or misconfiguration, everyone on the internet can’t exploit it easily.

      • ÚwÙ-Passwort@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        12 days ago

        Its free, so why the fuck not? Why the hassle with ddns, wich funnily enough is also free with my hoster/registra