this post was submitted on 10 Nov 2024
172 points (97.3% liked)

Technology

1373 readers
119 users here now

Which posts fit here?

Anything that is at least tangentially connected to the technology, social media platforms, informational technologies and tech policy.


Rules

1. English onlyTitle and associated content has to be in English.
2. Use original linkPost URL should be the original link to the article (even if paywalled) and archived copies left in the body. It allows avoiding duplicate posts when cross-posting.
3. Respectful communicationAll communication has to be respectful of differing opinions, viewpoints, and experiences.
4. InclusivityEveryone is welcome here regardless of age, body size, visible or invisible disability, ethnicity, sex characteristics, gender identity and expression, education, socio-economic status, nationality, personal appearance, race, caste, color, religion, or sexual identity and orientation.
5. Ad hominem attacksAny kind of personal attacks are expressly forbidden. If you can't argue your position without attacking a person's character, you already lost the argument.
6. Off-topic tangentsStay on topic. Keep it relevant.
7. Instance rules may applyIf something is not covered by community rules, but are against lemmy.zip instance rules, they will be enforced.


Companion communities

[email protected]
[email protected]


Icon attribution | Banner attribution

founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 13 points 5 days ago (2 children)

If you’re using one of these models, it’s highly recommended that you replace your NAS system with one that’s still receiving patches from the manufacturer. If that isn’t possible right now, Netsecfish suggests restricting access to your NAS settings menu/interface to only trusted IP addresses. You could also isolate your NAS from the public internet to ensure that only authorized users can interact with it.

Emphasis mine, regardless of this incident, even with a brand new supported model, it shouldn't be exposed to the internet. Half the reason these security issues are such a big deal is because manufacturers wanted to make things simple and designed it to sit on the open internet, so they wouldn't have to deal with support requests. Now their customers are exposed because of poor recommendations and the lack of updates.

[–] [email protected] 5 points 5 days ago

Exactly!

If you need external access, use an external access infrastructure that's designed for that purpose, with controls and monitoring.

[–] [email protected] 3 points 5 days ago (2 children)

who the fuck even still has an exposed IPv4 address anyway, those are fucking expensive since we ran out. I couldn't expose my network if I tried.

[–] [email protected] 1 points 3 days ago

Its free, so why the fuck not? Why the hassle with ddns, wich funnily enough is also free with my hoster/registra

[–] [email protected] 4 points 5 days ago (2 children)

Dynamic DNS has solved that for 20+ years. Just need a domain name, and a utility to update the IP when it changes.

That said, my IP hasn't changed in over 5 years now.

[–] [email protected] 4 points 5 days ago

Dynamic DNS is useless if you're on CGNAT.

[–] [email protected] 1 points 5 days ago

Still though, Dynamic DNS points to an external IP address, which you'd have your NAS exposed on a public port. This is the flaw in the design which allows remote execution of this exploit.

If you need remote access to the NAS, it should not be publicly exposed and should require a VPN to access. That way if there is an issue or misconfiguration, everyone on the internet can't exploit it easily.