I'm guessing this only affects you if you have their EZ-Internet service enabled that exposes the NAS to the public internet. Or if you exposed it yourself on your firewall.

I've had a Synology NAS for almost a year now. I really like the UI, but the software stack they're using under the hood (Apache, PHP, MySQL, etc.) has a massive attack surface, if not routinely kept up-to-date.

Here's an nmap trace from my Synology DiskStation:
<pre><code>amber@leysritt ~ % nmap -A <redacted>

Starting Nmap 6.46 ( http://nmap.org ) at 2014-08-03 23:06 BST
Nmap scan report for <redacted>
Host is up (0.011s latency).
Not shown: 987 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.8p1-hpn13v11 (protocol 2.0)
| ssh-hostkey:
| 1024 <redacted> (DSA)
| 2048 <redacted> (RSA)
|_ 256 <redacted> (ECDSA)
80/tcp open http Apache httpd
|_http-generator: ERROR: Script execution failed (use -d to debug)
|_http-methods: No Allow or Public header in OPTIONS response (status code 301)
|_http-title: Did not follow redirect to http://<redacted>:5000/
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3,4 2049/tcp nfs
| 100005 1,2,3 892/tcp mountd
| 100005 1,2,3 892/udp mountd
| 100021 1,3,4 33154/tcp nlockmgr
| 100021 1,3,4 38187/udp nlockmgr
| 100024 1 44039/tcp status
|_ 100024 1 53309/udp status
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: REDACTED)
161/tcp open snmp?
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: REDACTED)
515/tcp open printer
548/tcp open afp Netatalk 2.2.3 (name: redacted; protocol 3.3)
| afp-serverinfo:
| | Server Flags: 0x8f79
| | Super Client: Yes
| | UUIDs: Yes
| | UTF8 Server Name: Yes
| | Open Directory: Yes
| | Reconnect: No
| | Server Notifications: Yes
| | TCP/IP: Yes
| | Server Signature: Yes
| | ServerMessages: Yes
| | Password Saving Prohibited: No
| | Password Changing: No
| |_ Copy File: Yes
| Server Name: redacted
| Machine Type: Netatalk2.2.3
| AFP Versions: AFP2.2, AFPX03, AFP3.1, AFP3.2, AFP3.3
| UAMs: Cleartxt Passwrd, No User Authent, DHX2, DHCAST128
| Server Signature: redacted
| Network Address 1: redacted
|_ UTF8 Server Name: redacted
631/tcp open ipp CUPS 1.5
| http-methods: Potentially risky methods: PUT
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Not Found - CUPS v1.5.4
2049/tcp open nfs 2-4 (RPC #100003)
3689/tcp open daap mt-daapd DAAP 0.2.4.1
5000/tcp open http Apache httpd
|_http-generator: ERROR: Script execution failed (use -d to debug)
|_http-methods: No Allow or Public header in OPTIONS response (status code 302)
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Did not follow redirect to https://redacted:5001
5001/tcp open ssl/http Apache httpd
|_http-generator: ERROR: Script execution failed (use -d to debug)
|_http-methods: No Allow or Public header in OPTIONS response (status code 301)
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Did not follow redirect to https://redacted/webman/index.cgi
| ssl-cert: Subject: commonName=synology.com/organizationName=Synology Inc./stateOrProvinceName=Taiwan/countryName=TW
| Not valid before: REDACTED
|_Not valid after: REDACTED
|_ssl-date: REDACTED
| tls-nextprotoneg:
| spdy/3
| spdy/2
| http/1.1
|_ x-mod-spdy/0.9.4.2-465a04f
Service Info: OS: Unix
Host script results:
|_nbstat: NetBIOS name: redacted, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Unix (Samba 3.6.9)
| Computer name: redacted
| NetBIOS computer name:
| Domain name:
| FQDN: redacted
|_ System time: redacted
| smb-security-mode:
| Account that was used for smb scripts: guest
| User-level authentication
| SMB Security: Challenge/response passwords supported
|_ Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol
Service detection performed. Please report any incorrect results at
http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.47 seconds
</code></pre>
It's sad that most of the open-source NAS solutions are so bad compared to their commercial counterparts. FreeNAS (and related forks) sacrifice too much flexibility and don't offer anything that you can't easily do yourself with a Linux/BSD server distro.

I'd love to work on an open-source, security-oriented, user-friendly DSM "clone" with the right kind of people. If this sounds like fun or it sounds like something you're currently working on - shoot me an email: amber@fastmail.jp

I also wish there was such a thing as a nice, inexpensive ARM board (~$100) with plenty of SATA ports and upgradable RAM (so you can run huge ZFS pools on it) that you can install your own OS on...
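One way to turn a scan like the one in the post into a hardening checklist, as an added example that is not part of the original comment: a small Python audit of nmap's normal-format output that flags services that belong on the LAN only and the weak defaults visible in the scan (SMB signing off, cleartext/guest AFP authentication, HTTP PUT on CUPS). The service policy, the finding texts and the trimmed sample report are constructed assumptions, not Synology's or nmap's.

```python
"""Audit an nmap -A text report for NAS services that should not face the internet."""
import re

# Assumption: services a NAS exposes that should stay behind the firewall (our policy).
LAN_ONLY_SERVICES = {"rpcbind", "nfs", "netbios-ssn", "snmp", "afp", "ipp", "printer", "daap"}

# Script-output patterns that indicate weak defaults, paired with the finding to report.
WEAK_SETTINGS = [
    (re.compile(r"Message signing disabled"), "SMB signing disabled: enable server signing"),
    (re.compile(r"UAMs:.*(Cleartxt Passwrd|No User Authent)"),
     "AFP allows cleartext/guest auth: restrict UAMs to DHX2"),
    (re.compile(r"Potentially risky methods: PUT"), "HTTP PUT allowed: disable or restrict"),
]

# Matches nmap port lines such as "548/tcp open afp Netatalk 2.2.3".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")

def audit_nmap_report(text):
    """Return (port, finding) tuples for every LAN-only service and weak setting found."""
    findings = []
    current_port = None
    for line in text.splitlines():
        if line.startswith("Host script results"):
            current_port = None  # later script output belongs to the host, not a port
            continue
        m = PORT_LINE.match(line)
        if m:
            current_port = f"{m.group(1)}/{m.group(2)}"
            service = m.group(3).rstrip("?")  # nmap marks uncertain guesses with '?'
            if service in LAN_ONLY_SERVICES:
                findings.append((current_port, f"{service} is LAN-only; firewall it"))
            continue
        for pattern, message in WEAK_SETTINGS:
            if pattern.search(line):
                findings.append((current_port or "host", message))
    return findings

# Constructed sample in the same format as the DiskStation scan, trimmed to the relevant lines.
SAMPLE = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.8p1
111/tcp open rpcbind 2-4 (RPC #100000)
161/tcp open snmp?
548/tcp open afp Netatalk 2.2.3
| UAMs: Cleartxt Passwrd, No User Authent, DHX2, DHCAST128
631/tcp open ipp CUPS 1.5
| http-methods: Potentially risky methods: PUT
5001/tcp open ssl/http Apache httpd
Host script results:
| smb-security-mode:
|_ Message signing disabled (dangerous, but default)
"""

if __name__ == "__main__":
    for port, finding in audit_nmap_report(SAMPLE):
        print(f"{port:10} {finding}")
```

Run it against a saved `nmap -A` report (`nmap -oN scan.txt ...`) to get the same list for your own host.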