How do I prevent SSRF attacks on Synology Chat Server?
Details
SSRF (Server-Side Request Forgery) is a type of attack in which an attacker induces the server of a vulnerable web application to send crafted requests on the attacker's behalf. It is carried out to reach and compromise internal systems that are not accessible from the external network. To protect against SSRF attacks, we recommend setting up a blacklist on Synology Chat Server. This article will guide you through how to add the IP addresses of other servers in your internal network (e.g., MailPlus Server and Synology Drive Server) to the blacklist of Synology Chat Server.
Resolution
Blacklist an IP address
- Sign in to DSM with root permission via SSH/Telnet (Tutorial).
- Enter the following command to add or edit the blacklist of Synology Chat Server:
vi /var/packages/Chat/etc/og_black_list.conf
- Press i to turn on insert mode.
- Use CIDR (Classless Inter-Domain Routing) notation to enter the IP addresses you wish to blacklist. For example, an IP address of "10.17.29.22" with a subnet mask of "255.255.255.0" will be written in CIDR notation as "10.17.29.22/24". You can use a CIDR chart or an online subnet calculator to help you get the correct addresses.
- When the editing is complete, press Esc to exit insert mode.
- Type :x and press Enter to save.
- Enter the following command to make sure the blacklist will take effect:
chmod a+r /var/packages/Chat/etc/og_black_list.conf
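Before relying on the blacklist, it is worth checking that every entry actually parses and that the internal addresses you care about fall inside the listed ranges. The following script is an added example, not part of this article or of Synology's own code: it reads blacklist text in the one-CIDR-per-line layout the steps above imply (that layout, and support for "#" comments, are assumptions), normalises host-style entries such as "10.17.29.22/24" to their network, and reports whether a set of candidate addresses would be blocked. The sample blacklist content and the candidate addresses are constructed; an IPv6 entry is included to show that the check generalises beyond the IPv4 example in the article.

```python
import ipaddress

# Constructed sample of blacklist content, one CIDR entry per line.
# (One-entry-per-line layout and '#' comments are assumptions for this example.)
SAMPLE_BLACKLIST = """\
# internal servers that Chat Server must never be able to reach
10.17.29.22/24
192.168.1.10/32
fd00::/8
"""


def parse_blacklist(text):
    """Return a list of ip_network objects parsed from blacklist text.

    Blank lines and '#' comments are skipped. A host address written with a
    wider prefix (e.g. 10.17.29.22/24) is accepted and normalised to the
    network it belongs to (strict=False), which is what the article's own
    example relies on. A malformed entry raises ValueError with its line number,
    so a typo is caught before the file is installed.
    """
    networks = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: invalid CIDR entry {line!r}") from exc
    return networks


def is_blocked(ip, networks):
    """True if the address falls inside any blacklisted network.

    Python's ip_network membership test returns False for a version mismatch,
    so an IPv4 address is never matched against an IPv6 range by accident.
    """
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def audit_targets(targets, networks):
    """Map each candidate target address to whether the blacklist covers it."""
    return {ip: is_blocked(ip, networks) for ip in targets}


if __name__ == "__main__":
    nets = parse_blacklist(SAMPLE_BLACKLIST)
    # Constructed candidates: two internal hosts, one neighbour outside the
    # listed ranges, and one public address that should remain reachable.
    candidates = ["10.17.29.22", "10.17.30.5", "192.168.1.10", "fd00::1", "8.8.8.8"]
    for ip, blocked in audit_targets(candidates, nets).items():
        print(f"{ip:>15}  {'blocked' if blocked else 'ALLOWED'}")
```

Run it against a copy of the real file (for example by reading /var/packages/Chat/etc/og_black_list.conf into the text argument) and add the address of every internal server that Chat Server has no business contacting; an "ALLOWED" line for an internal host means its range is missing or written with the wrong prefix length.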