A few security questions about the DS 918+


Beside each of these it's showing Synology.com. On the drop down of each of these I can only choose between Synology.com, MyNas.synology.m and Synology DDNS Certificate (default).

If you’re accessing your services through the synology.me domain, then you need to change the drop down to the my.nas.synology.me option.
 
Thanks guys for all your help. Merry Christmas!

Once you get the hang of how everything works you can try doing much more advanced configurations.

As an example, I purchased my own domain name for $12 bucks a year, including DDNS (which keeps your domain name updated with your public IP address). From there I got rid of most port forwarding rules and simplified it to just open port 443 (HTTPS) for reverse proxy. I now have several subdomain names such as dsm.mydomain.com which reverse proxies to internal port 5001. Then there’s dsfile.mydomain.com which does the same but forwards to the File Station app on a web browser.

I got rid of the synology.me domain, for security. The thought is an attacker can look up all the domain names registered on the synology.me domain, and knowing that they could try attacks on specific Synology ports because they know it’s a Synology device. I’m not saying my own domain name isn’t foolproof, but it just makes me harder to find, attackers will go to the easier ones first.

I didn’t mess around with changing the default ports of 5000 & 5001 because I don’t have those ports open to the public (internet) anyway; that is where the NO-No is. I just have port (443) open, and another custom port for hyper backup which forwards to the default hyper backup port once thru the router.

I have a managed UPS, PDU, and a UniFi controller in Docker. I am able to access all of those thru the same public port of 443. The only thing that I change is the subdomain name, ups.mydomain.com, pdu.mydomain.com, unifi.mydomain.com, which then will route to the specific device's IP address internally.
 
Most of what @Gerard mentioned regarding reverse proxy is covered a bit more in depth in the thread I posted earlier. It doesn't cover buying your own domain. It is a much better setup I believe, but it is harder to understand. Get comfortable with this setup first and then move on from there.
 
Guys I just learned to walk!
Lol. That's why I said get used to this first. You are maybe 6 months behind where I was when I started in on reverse proxy, and it wasn't something I learned intentionally. I wanted to expand my NAS capability in a different way and things snowballed. Once you learn and understand your current setup, you will start to understand its limitations.
 
Guys I just learned to walk!
It’s ok, take your time “walking”. No hurry in implementing anything as long as you make sure that your setup is as secure as possible during each step.

With all the port forwarding, you should enable and configure the firewall.

At least three rules:
  • Allow your subnet.
  • Allow your country.
  • Deny all.
Later, as the guys said, try to reverse proxy all those services.
 
It’s ok, take your time “walking”. No hurry in implementing anything as long as you make sure that your setup is as secure as possible during each step.

With all the port forwarding, you should enable and configure the firewall.

At least three rules:
  • Allow your subnet.
  • Allow your country.
  • Deny all.
Later, as the guys said, try to reverse proxy all those services.
I heard you can get locked out of your NAS if you don't allow management UI. Is this true?
 
If I use Active backup for business, Photostation, and synology drive, are those the only ones I need to allow in the firewall? What about "Windows file server"?

If you limit access to only one IP, what if your IP changes?
 
does that wipe all settings? Factory reset?
Reset Mode 1 is more or less harmless (Mode 2, as well). Data is unaffected.
DiskStation Manager - Knowledge Base | Synology Inc.

Factory Reset is altogether different.

If I use Active backup for business, Photostation, and synology drive, are those the only ones I need to allow in the firewall? What about "Windows file server"?

If you limit access to only one IP, what if your IP changes?
I use reserved IPs everywhere. But I also range the LAN IP on the firewall just in case for critical connections (ex., DSM).

I rarely use the app categories available through Synology, but just allow my primary PC access to all NAS ports. In that way I don't add a new feature (ex WebDAV) and forget to open the FW.

Lots of different ways to do this... but here's a decent starter...
 
I heard you can get locked out of your NAS if you don't allow management UI. Is this true?
Yes, you can lock yourself out if you don’t know what you’re doing.

The first rule in the firewall is to allow your subnet. That allows all hosts/clients on your LAN to access the NAS's services without any restrictions. If you create this rule, you don’t have to worry about the accessibility of a particular service (e.g. management UI as you said).

Edit: hosts AND clients
 
If I do this while having a deny all at the bottom of the list, it will block my phone on data correct?
No it won’t (if you add all three rules).

The three rules will:
  1. Allow your private subnet (LAN).
  2. Allow any traffic coming in from within your country, so your data (mobile) and any other remote access from within your country will not be blocked.
  3. Block everything else (i.e. the rest of the world).
If you implement rule one and rule three only, then yes, your mobile access will be blocked (along with any remote access from anywhere). The only access allowed is from your LAN (your private subnet).
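Added example, not part of the original thread: a small first-match model of the three-rule list discussed above, showing who gets through with all three rules, with rules one and three only, and with deny-all placed at the top (the lockout case). The subnet, the "country" range and the client addresses are constructed stand-ins, and top-to-bottom first-match evaluation is the assumption used to model the rule order described in the posts.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the thread).
LAN = "192.168.1.0/24"               # the NAS owner's private subnet
HOME_COUNTRY = ["203.0.113.0/24"]    # stand-in for a GeoIP "your country" match
ANY = ["0.0.0.0/0"]                  # matches every IPv4 source

def rule(action, sources):
    """Build one firewall rule as (action, list of source networks)."""
    return (action, [ipaddress.ip_network(s) for s in sources])

THREE_RULES = [
    rule("allow", [LAN]),            # 1. allow your subnet
    rule("allow", HOME_COUNTRY),     # 2. allow your country
    rule("deny", ANY),               # 3. deny all
]
# Rules one and three only: no country rule.
LAN_ONLY = [THREE_RULES[0], THREE_RULES[2]]
# Same three rules with deny-all moved to the top of the list.
DENY_FIRST = [THREE_RULES[2], THREE_RULES[0], THREE_RULES[1]]

def evaluate(rules, src_ip):
    """Return (action, rule_number) of the first rule that matches src_ip."""
    addr = ipaddress.ip_address(src_ip)
    for number, (action, networks) in enumerate(rules, start=1):
        if any(addr in net for net in networks):
            return action, number
    return "deny", None              # fail closed if nothing matched (model assumption)

# Constructed clients used to exercise each rule list.
CLIENTS = {
    "LAN PC": "192.168.1.20",
    "phone on mobile data (home country)": "203.0.113.57",
    "host in another country": "198.51.100.9",
}

def report(rules):
    """Map each sample client to the action the rule list gives it."""
    return {name: evaluate(rules, ip)[0] for name, ip in CLIENTS.items()}

if __name__ == "__main__":
    for label, rules in [("three rules", THREE_RULES),
                         ("rules 1 and 3 only", LAN_ONLY),
                         ("deny-all first", DENY_FIRST)]:
        print(f"{label}: {report(rules)}")
```
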
 
