NAS warning about ransomware

Your topic prompted me to investigate both my hub and router sub-net. I wrongly thought I needed UPnP on and have now disabled it on both plus other security improvements.

1 Like

TalkTalk routers don’t seem to have the option to disable it. According to their forum, it would appear that a while back, TT would disable it their end if you asked nicely, but don’t anymore

For the latest ADSL2+ router (the 40Mbps one), the setting is under <Network (LAN)>.

Thanks, just double checked, but not there. Mine is the “FAST 5364” model, currently running at 75Mbps, so is probably model specific.

If you need more convincing … New DeadBolt ransomware targets QNAP devices, asks 50 BTC for master key
It is not a Qnap specific issue either…
Synology warns of malware infecting NAS devices with ransomware

1 Like

Indeed, however I get the impression Synology are more active than QNAP (& others) with numbers of updates per year that always cover a list of ‘vulnerables’. It’s important users install these updates when they become available, set the Synology to auto update.

Re the attached Synology warning link, it talks about enabling Auto Block in Security, DSM-7 has Auto Block enabled as default.

Hi @Mike-B , Do you know if the original minimserver works in dsm7 or do they now insist on the new version 2? I would like to try dsm7 but don’t want to update minimserver in case it alters the sound in any way.

'morning @Mrhappy
Sorry but I have no idea, I’m sure there are some avid Minimserver users on the forum who can advise on this.
That said there is a Minimserver install in DSM-7 Package Center, but as to what version, I can’t tell.
I’m not sure I’ve read that Minim-2 alters the sound, but you shouldn’t hesitate to go to DSM-7.

1 Like

I presume that the in place update from DSM6 to DSM7 is seamless and does not buqqer up the data already on the discs.

When I was fitting brand new drives in NAS1 a couple of weeks ago, I took the opportunity to update 6-7 and got dire warnings along the lines of “all data on your discs will be erased”, but that may simply be referring to reformatting virgin HDD.

Yes DSM-6 to DSM-7 is seamless & it keeps all your old settings & preferences.
I had no such warning when I installed it
It's different in both looks & some operations, but a little time spent learning the differences & it's all OK.

The only thing that does annoy (slightly) is some packages that are pre-installed & are not needed (that I can determine) for just audio replay cannot be uninstalled. I expect Synology have reasons for it. It's no big deal, but it's still using CPU & RAM

Just a quick note on UPnP on routers… this should normally be left on unless you know what you are doing or accept some limitations on internet applications. However a key dependency of UPnP on routers is that it assumes you have good and effective hygiene on your internal network, and you have good web hygiene software (malware and virus) on your internal clients like computers / NAS etc. … and you don’t install non certified software etc.

If one of your computers / NAS is compromised then a malware can open a forwarder through your router’s firewall. Now this could be by UPnP but there are other methods too.

The key thing is use certified software, and malware and virus on anything that can run dynamic code. Disabling UPnP can make it harder for one of your compromised systems to talk with the outside world, but it doesn’t prevent it… and it can make some things awkward for you too… unless you want to manually set up port forwarding where it is required. (Which is not as prevalent as it used to be, but usually used in low latency, high speed applications)

So yes in an emergency you can disable UPnP ‘fire door’ style… but the key thing would be to disable and address your compromised system and disconnect from your network.

I know perhaps not helpful to the OP, but I have frequently pointed out a NAS should be as straightforward as possible other than being an effective NAS. It really should not be running many other applications. If you want that get a mini server… a NAS masquerading as a server is asking for challenges… and if you wanted to combine server and storage… get a server with large discs or usb drives… you know if it’s pc or Mac you will have the right control and hygiene.

I suspect not. I think the issue is that DSM 7 won’t allow installation of the Java package that Minim 0.8 requires. The Minim 2 package includes a Java runtime to get round this problem. I think you’ll need to use the Starter version of Minim 2 or pay for a license as I have.

Please note this is my understanding not my experience. For a definitive answer, you could try asking on the Minim forum.

Roger

1 Like

Good to know. Thanks, Mike.

So it’s Hey ho, off we go!

I had just switched off UPnP on my hub and sub-net router. I did the hub first - no issues then later the sub-net router - no issues either as yet.
Can you elaborate on why UPnP should be left on and what these limitations may impact. I fear I may be a worst case scenario - I half know what I am doing.

Hi, UPnP on routers is a method whereby defined mappings through the router’s firewall can be requested under an app running in your home network. This allows data to be sent to that app. in some scenarios where the app doesn’t have to make an initial query.
This tends to be in some real time communication applications usually non web protocol related. (Non http / https ports)

So the alternate to using the UPnP protocol and tooling (think dhcp) is to follow the software instructions if supported, to manually set the forwarders up. Again this can be onerous if the app requesting the channel is on a device with dynamic IP addressing.

So if you want to use these sort of apps then UPnP is pretty much required. If however you only really use your internet access for basic web based protocols or polled protocols (web apps, media consumption streaming, mail) then you might find you do not need UPnP and can switch it off.

However my point is it in itself is not a protection to malware by disabling it… it’s just if you are compromised it’s one of several methods that can be exploited by the malware, hence the importance of certified/reputable code running on devices where possible you run malware and anti virus hygiene code.

1 Like

Any application that requires access to the outside world for certain functions that use non standard ports open for http traffic. UPnP will allow applications to automatically open ports on your router to allow traffic in/out without user interaction. If it's disabled you have to manually configure these ports on your router to allow certain ip addresses through. Gaming is one side that would be affected, if you want remote access to certain servers. Plex for instance has the ability to stream your content outside your home. This requires a specific port to be open and traffic forwarded to and from it if not using UPnP. A malicious app can thus instruct your router to open up a port and allow remote access to your machine and data.

1 Like
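
Added example, not part of any poster's message: a Python sketch of how a router's UPnP port-mapping table can be audited against the forwards the owner actually intended. The SOAP replies, addresses and descriptions below are constructed sample data in the shape of the UPnP IGD GetGenericPortMappingEntry reply; the Plex entry on port 32400 is an assumed "expected" forward.

```python
import xml.etree.ElementTree as ET

SOAP = ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        '<u:GetGenericPortMappingEntryResponse '
        'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">{}'
        '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')

def make_response(**fields):
    """Build a constructed reply; real ones come from the router's UPnP service."""
    return SOAP.format("".join(f"<New{k}>{v}</New{k}>" for k, v in fields.items()))

# Constructed sample data (addresses, ports and descriptions are made up).
SAMPLE_RESPONSES = [
    make_response(RemoteHost="", ExternalPort=32400, Protocol="TCP", InternalPort=32400,
                  InternalClient="192.168.1.20", Enabled=1,
                  PortMappingDescription="Plex", LeaseDuration=3600),
    make_response(RemoteHost="", ExternalPort=8080, Protocol="TCP", InternalPort=8080,
                  InternalClient="192.168.1.50", Enabled=1,
                  PortMappingDescription="unknown", LeaseDuration=0),
    make_response(RemoteHost="", ExternalPort=5001, Protocol="TCP", InternalPort=5001,
                  InternalClient="192.168.1.50", Enabled=0,
                  PortMappingDescription="old", LeaseDuration=0),
]

def parse_mapping(soap_xml):
    """Return the New* fields of one port-mapping reply as a dict (prefix stripped)."""
    fields = {}
    for el in ET.fromstring(soap_xml).iter():
        name = el.tag.rsplit("}", 1)[-1]       # drop the XML namespace
        if name.startswith("New"):
            fields[name[3:]] = (el.text or "").strip()
    return fields

def audit(responses, expected):
    """List enabled mappings that are not in `expected`, a set of
    (protocol, external_port, internal_client) the owner set up on purpose."""
    findings = []
    for soap_xml in responses:
        m = parse_mapping(soap_xml)
        if m.get("Enabled") != "1":
            continue                            # disabled entries forward nothing
        key = (m["Protocol"], int(m["ExternalPort"]), m["InternalClient"])
        if key not in expected:
            lease = m.get("LeaseDuration", "?")
            lease = "no expiry" if lease == "0" else lease + "s"
            findings.append((key, m.get("PortMappingDescription", ""), lease))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSES, {("TCP", 32400, "192.168.1.20")}):
        print("unexpected forward:", finding)
```

Any mapping the audit reports points at an internal device that asked the router for an inbound port; that device is the one to investigate.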

I have a script that can be run that uninstalls the extra stuff introduced by DSM7

Interested … can you post a copy & how to do it

Hi again @Paul_C, if like me you use the NAS just for local streaming, you don’t need UPnP on the BB router, but as been said by Simon & CrystalGypsy, there are other ways to get into your system.

As I’ve posted before, I have a BT Smart Hub 2.
… UPnP off
… Extended UPnP Security off
… DMZ off, I believe this is the BT default setting
Plus on my Synology NAS (I don’t know about other NAS brands) Security>Auto Block is enabled.

It needs a user defined script to be set in task scheduler.
This should only be run once at boot.

Create a new scheduled task
Set user to Root in general.
In task settings copy and paste below script, reboot then disable task.

This is the script to disable all the extra bloatware

synoservice --disable pkgctl-SynoFinder
synopkg uninstall SynoFinder
synoservice --disable pkgctl-ActiveInsight
synopkg uninstall ActiveInsight
synoservice --disable pkgctl-ScsiTarget
synopkg uninstall ScsiTarget
synoservice --disable pkgctl-SecureSignIn
synopkg uninstall SecureSignIn

synoservice --disable pkgctl-Python2
synopkg uninstall Python2

1 Like