Please help me understand making my NAS secure.


Synology QuickConnect is the easy way and it’s more secure. However, with limitations.

Would love some technical explanation for this statement. What is it that would make QuickConnect more secure than using a DDNS service with a reverse proxy running behind an FQDN with only one possible attack vector (as opposed to a UPnP-enabled service like QC with all relevant information about IP and the device stored on some cloud service)?
 
Oh that's just great... instead of using port forwarding it uses "relay sites" that have all relevant data stored (both WAN IP and LOCAL IP as well as port number to communicate). Sure, there's tunneling and port punching and ...

DDNS and reverse proxy leave just one point of entry (one port and one FQDN) and the attacker gets much less data to work with from the start.

Suppose someone steals the data you're providing Synology with by using QC, they get your public IP, local IP and some unique ID. From there they can test if one of your services is running on default port and that is enough to penetrate the network or at least try to do some nasty stuff.

Btw, just enabled QC on my 211j, and tried connecting via ID, it says:

  • Permissions to access certain services via QuickConnect are not enabled. Please go to Control Panel > QuickConnect > Advanced > Permission and tick one or more services.

Guess what? There is no Advanced option in Quickconnect on DSM 4.3 my 211j is running. ;)

So, even when the QC service states it is connected, it sure as hell isn't connectable. :D
 
Try this one too…
While at home on your WiFi, go to this, copy the IP address (this is the address that you should keep off forums, don’t post this).

Switch your phone to cell only (turn off WiFi), unless you’re already outside using cellular data or the Martian’s Starbucks in Chicago :)

On the browser, paste the address you copied like below:
https://the address you copied:5001
Hit enter
What do you get?


Nothing. The status bar just sits there and eventually times out. I have a call in to the ISP and they're going to look into it. I'll let you know how that turns out.

Could you explain 2FA a little more for me and give any tips on how to best set it up? I'm concerned I'll get locked out if my phone dies, so I'd like to have a backup authenticator, but don't know exactly how that works. I don't honestly know how I set it up the first time, as a Synology tech walked me through it quickly. I feel like this post is getting really long and branching out quite a bit, but I hesitate to start a new post because it might be nice for any other rookies to have everything in one place.
 
So even when you turned off the firewall. Nothing?

Honestly, I have not yet turned on the firewall. I tested the creation of the rules last night, but didn't apply the 2 that were available; I was going to wait for the 3rd. I've been following the forum from my phone until just now as I've been out at meetings. Going to put the firewall in place now. The firewall shouldn't have had any effect on blocking the public computer IP address you had me scan though, correct?
 
Sorry I didn’t enable it yet on my DSs. I’m afraid I might find it annoying. So I’d leave that to someone else. Maybe @Rusty.

I have it enabled on my admin account. It’s not annoying at all considering you can set your phone or computer as a remembered trusted device. Same thing with the mobile ds apps.
 

I've wondered about the trusted device. What if someone by chance somehow hijacks my trusted pc either physically or remotely? Wouldn't they then have direct access to my NAS, even with 2FA activated? I'd had my laptop set as a trusted device but then disabled it for concern of this happening.

I also think that it is odd that 2FA allows for authorization by the same device that is requesting authorization. Meaning, I can try to access the NAS from my phone and then use the authenticator on my phone to authenticate the requested access. It seems to me that's not really 2FA anymore.
 
you can set your phone or computer as a remembered trusted device.
I know, however, sometimes I need access from untrusted devices. I’ve also read about something that sometimes gets screwed up when on a different zone. Don’t know how true that is though. But I’m on a different time zone almost every other month. I’ve been meaning to look into it and never got to.
 
I've wondered about the trusted device. What if someone by chance somehow hijacks my trusted pc either physically or remotely?

While certainly plausible, they would still need to guess your strong password that you’ve put into place.

It is a matter of convenience over security. Having 2FA in general and a strong password provides more security than not having it. The matter of convenience and tolerating having to enter the 2FA codes is something you’d have to weigh. The chances of someone taking control of my mobile phone are pretty slim, yet it’s also a complete pain to try to log in from a phone and enter 2FA codes. A computer may be a little easier, as you can multitask and not have to open this app and then close and switch to another like on a phone. Someone can hijack a computer that is on 24/7. If your computer is left on like this, then I probably wouldn’t remember passwords or devices. I happen to use a laptop (ThinkPad T420s 🤓) and turn it on and off as I need, so I don’t have a concern of my device being hijacked since I’m on it while using it. If that ever happened I have bigger problems anyway.
 
The firewall shouldn't have had any effect on blocking the public computer IP address you had me scan though, correct?
The one we looked up via the ip locator site is the public IP address assigned to your router by your ISP. This might change if you’re assigned a dynamic IP address or it could be a static IP address that never changes.

On the DS, go to Control Panel > External Access.
You’ll see the same IP address under DDNS.
That’s how the internet communicates with you.
 
