A few security questions about the DS 918+

Currently reading
A few security questions about the DS 918+

Beside each of these its showing Synology.com. On the drop down of each of these I can only choose between Synology.com, MyNas.synology.m and Synology DDNS Certificate (default).

if you’re accessing your services through the synology.me domain , then you need to change the drop down to the my.nas.symbology.me option.
 
Last edited:
Thanks guys for all your help. Merry Christmas!

Once you get the hang of how everything works you can try doing much more advance configurations.

as an example I purchased my own domain name for $12 bucks a year, including ddns (which keeps your domain name updated with your public up address). From there I got rid of most port forwarding rules and simplified it to just open port 443 (Https) for reverse proxy. I now have several subdomain names such as dsm.mydomain.com which reverse proxies to internal port 5001. Then there’s dsfile.mydomain.com which does the same but forwards to the file station app on a web browser.

I got rid of the synology.me domain, for security. The thought is an attacker can look up all the domain names registered on the synology.me domain, and knowing that they could try attacks on specific synology ports because they know it’s a synology device. I’m not saying my own domain name isn’t fool proof, but it just makes me harder to find, attackers will go to the easier ones first.

I didn’t mess around with changing the default ports of 5000 & 5001 because I don’t have those ports open to the public (internet) anyway; that is where the NO-No is. I just have port (443) open, and another custom port for hyper backup which forwards to the default hyper backup port once thru the router.

I have a managed ups, pdu, and a unifi controller in docker. I am able to access all of those thru the same public port of 443. The only thing that I change is the sub domain name, ups.my domain.com, pdu.mydomain.com, unifi.my domain.com, which then will route to the specific devices ip address internally.
 
Most of what @Gerard mentioned regarding reverse proxy is covered a bit more in depth in the thread I posted earlier. It doesn't cover buying your own domain. It is a much better setup I believe, but it is harder to understand. Get comfortable with this setup first and then move on from there.
 
Guys I just learned to walk!
Lol. That's why I said get used to this first. You are maybe 6 months behind where I was when I started in on reverse proxy, and it wasn't something I learned intentionally. I wanted to expand my NAS capability in a different way and things snowballed. Once you learn and understand your current setup, you will start to understand its limitations.
 
Guys I just learned to walk!
It’s ok, take your time “walking”. No hurry in implementing anything as long as you make sure that your setup is as secure as possible during each step.

With all the port forwarding, you should enable and configure the firewall.

At least three rules:
  • Allow your subnet.
  • Allow your country.
  • Deny all.
Later, as the guys said, try to reverse proxy all those services.
 
It’s ok, take your time “walking”. No hurry in implementing anything as long as you make sure that your setup is as secure as possible during each step.

With all the port forwarding, you should enable and configure the firewall.

At least three rules:
  • Allow your subnet.
  • Allow your country.
  • Deny all.
Later, as the guys said, try to reverse proxy all those services.
I heard you can get locked out of your NAS if you dont allow management UI. Is this true?
 
If I use Active backup for business, Photostation, and synology drive, are those the only ones I need to allow in the firewall? What about "Windows file server"?

If you limit access to only one IP, what if your IP changes?
 
Last edited:
does that wipe all settings? Factory reset?
Reset Mode 1 is more or less harmless (Mode 2, as well). Data is unaffected.
DiskStation Manager - Knowledge Base | Synology Inc.

Factory Reset is altogether different.

If I use Active backup for business, Photostation, and synology drive, are those the only ones I need to allow in the firewall? What about "Windows file server"?

If you limit access to only one IP, what if your IP changes?
I use reserved IPs everywhere. But I also range the LAN IP on the firewall just in case for critical connections (ex., DSM).

I rarely use the app categories available through Synology, but just allow my primary PC access to all NAS ports. In that way I don't add a new feature (ex WebDAV) and forget to open the FW.

Lots of different ways to do this... but here's a decent starter...
To view this content we will need your consent to set third party cookies.
For more detailed information, see our cookies page.
 
Last edited:
I heard you can get locked out of your NAS if you dont allow management UI. Is this true?
Yes, you can lock yourself out if you don’t know what you’re doing.

The first rule in the firewall is to allow your subnet. That allows all hosts/clients on your LAN to access the NAS‘ services without any restrictions. If you create this rule, you don’t have to worry about the accessibility of a particular service (e.g. management UI as you said).

Edit: hosts AND clients
 
If I do this while having a deny all at the bottom of the list, it will block my phone on data correct?
No it won’t (if you add all three rules).

The three rules will:
  1. Allow your private subnet (LAN).
  2. Allow any traffic coming in from within your country, so your data (mobile) and any other remote access from within your country will not be blocked.
  3. Block everything else (i.e. the rest of the world).
If you implement rule one and rule three only, then yes, your mobile access will be blocked (along with any remote access from anywhere). The only access allowed is from your LAN (your private subnet).
 

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Similar threads

  • Question
How do I reset my Synology NAS? You can test RAM using Synology Assistant (PC Application) Note...
Replies
7
Views
1,136
Welcome to the forum! No. That FS is no supported on external drives Ofc Using Hyper Backup your can do...
Replies
1
Views
809
There are tools in the synology app store that you can setup to backup to an AWS S3. Back it up to there...
Replies
6
Views
1,413
So I've set up Tailscale for everything, and I'm not sure what I will stick with. It's fine for me, but...
Replies
10
Views
2,684

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Back
Top