Access Control Profile still allowing remote login attempts

Currently reading
Access Control Profile still allowing remote login attempts

14
4
NAS
DS912+,DS220+,DS212
I have my firewall set to forward 5000-5001 for DSCam application access (and restrict based on GEO-IP) but want to deny access to the web based login pages for not only File Station and SS but also DSM, except from internal LAN.

I have set my Access Control Protocol, and set this profile to be used for FS and SS applications. However I'm still getting repeated hits on my DSM login page. I do NOT have any reverse proxies defined.

The auto-block (useless for random IP) and auto-lock have been set as a precautionary measure, along with 2FA, but I'd prefer to avoid these hits altogether.

Where is this functionality hiding (to block external access)?

Thanks in advance.

1673059993110.png


1673060099619.png




1673060310927.png
 
Solution
FIXED.

Turns out through the process of learning the settings/system, I inadvertently left the Access Control profile set to deny external web access to DSCam :rolleyes:

I'm now able to ONLY forward the S.Station Application ports through my firewall, while disabling DSM access. Thanks for the help!
I have my firewall set to forward 5000-5001
By this you mean you have those ports forwarded on your router, like "port forward"? Or just on the FW level? Guessing they are forwarded if you are getting hits.

If those are forwarded, then you will need to use DSM or a router firewall to block access to those destinations other than the local subnet. Access control rules will not help in this case as those will work if you have defined custom domains/applications running on public domain names (reverse proxy as well).
 
Upvote 0
By this you mean you have those ports forwarded on your router, like "port forward"? Or just on the FW level? Guessing they are forwarded if you are getting hits.

If those are forwarded, then you will need to use DSM or a router firewall to block access to those destinations other than the local subnet. Access control rules will not help in this case as those will work if you have defined custom domains/applications running on public domain names (reverse proxy as well).
Thanks for the response. I think the problem or question has become how to deny remote access to everything (including DSM login webpage) while only permitting DSCam app remote access. There seems to be no way to disable remote web access to (default) 5000/5001 without breaking other apps. I can, and have changed the ports the Surveillance Station (SS) uses (and NAT forwarded it through router), however DSCam still seems reliant on 5000/5001 for connection/certs. Hoping this makes sense.

I'm using a unified security gateway for all my routing/firewall policies. I'd really just like to lock down inbound ports to only DSCam app connections. No SS web access either. This NAS is strictly for surveillance station usage.
 
Upvote 0
You can use Control Panel/Login Portal to assign dedicated ports to DSM applications, or/and a unique fully qualified domain name (FQDN).

Assign these for only Surveillance Station and not other packages/DSM would allow you to set specific port forwarding just for SS. Maybe the FQDN for SS would be the way to go?

Did you add the port number to the server name in DS cam?

I would also change the default DSM ports from 5000/5001 as these are well known and will be on hacker scripts when doing exploratory scans, like the default ‘admin’ account, which you should disable after creating a new administrator account. You should be using a non-administrator account for your day-to-day usage of the NAS.
 
Upvote 0
Last edited:
Yes to all. I have (already) changed DSM's port from the default 5000/5001. Let's say I used 5500/5501 for this example.

I re-tested this all tonight to hopefully clarify.

To baseline, I cleared out all custom Application ports in the Login Portal page. I then assigned only a custom ports 5500/5501 to DSM. I setup port forwards and firewall rules in my router + specified this custom DSM port in DSCam phone app, all works. I'm using HTTPS.

I next defined custom Application ports for S.Station (and specified that new Application port in DSCam phone app). Repeated steps above otherwise for forwarding/firewall. DSCam phone app does not connect. (Won't connect at all via HTTP). With HTTPS it states the SSL cert is not trusted. Does not let me pass go (only offers an 'OK' button)

If I switch the phone app address back to 5500/5501, DSCam phone app still works for ref. So I have issues with certs when using the custom Application ports. I am using the self-signed Synology certs for all apps (not expired, I checked).
-- post merged: --


If I connect my phone to my LAN wifi, I can connect to the custom S.Station application port (still complains about cert not being trusted, but allows me to trust/proceed). Weird.

PS thank you kindly for both your help thus far!
 
Upvote 0
So I have issues with certs when using the custom Application ports. I am using the self-signed Synology certs for all apps (not expired, I checked).
Well https error will continue to be an issue if you are using a public domain name (valid one) then you will need a valid cert as well, and not a self-signed one.
 
Upvote 0
Well https error will continue to be an issue if you are using a public domain name (valid one) then you will need a valid cert as well, and not a self-signed one.
Sorry for being a bit dense on this topic, I always struggle with the topic of certs. But I have trouble understanding why DSCam will connect to the DSM defined ports, but not to the custom Application ports. The certs are associated with the site, not the ports, correct?

I previously temporarily opened/forwarded port 80 to the Synology in order to retrieve a LetsEncrypt cert. However even when I tried to specify that cert for S.Station it didn't make any difference.
 
Upvote 0
The certs are associated with the site, not the ports, correct?
correct

But I have trouble understanding why DSCam will connect to the DSM defined ports, but not to the custom Application ports
Does this mean you are running with a custom domain name? If so, have you tried to use domainname.com:port format inside the DSCam address field?
 
Upvote 0
Yes, I'm using a ddns service, so the public facing address I'm using in DSCam phone app is:

example.ddns.net:9901 (or tried 9900)
Sorry for asking again, but do you have those ports also forwarded on your router? Can't be sure from your previous answers or at least I can't see if you have mentioned them before.
 
Upvote 0
Sorry for asking again, but do you have those ports also forwarded on your router? Can't be sure from your previous answers or at least I can't see if you have mentioned them before.
No worries, this has been an evolving issue. Yes ports 9900/9901 are (also) forwarded to the NAS IP and associated ALLOW firewall rules.
 
Upvote 0
No worries, this has been an evolving issue. Yes ports 9900/9901 are (also) forwarded to the NAS IP and associated ALLOW firewall rules.
If you use the Login Portal and configure SS to work on custom ports, does that work? Also on your domain name with those ports forwarded.
 
Upvote 0
If you use the Login Portal and configure SS to work on custom ports, does that work? Also on your domain name with those ports forwarded.
No that's what I'm saying, if I define custom ports 9900/9901 for SS in the Applications page (and have associate firewall/forwarding rules set in my router), no good. If I drop back to using the custom DSM ports (normally 5000/5001), that also have said forwarding/firewall rules, it works.
 
Upvote 0
FIXED.

Turns out through the process of learning the settings/system, I inadvertently left the Access Control profile set to deny external web access to DSCam :rolleyes:

I'm now able to ONLY forward the S.Station Application ports through my firewall, while disabling DSM access. Thanks for the help!
 
Upvote 0
Solution
FIXED.

Turns out through the process of learning the settings/system, I inadvertently left the Access Control profile set to deny external web access to DSCam :rolleyes:

I'm now able to ONLY forward the S.Station Application ports through my firewall, while disabling DSM access. Thanks for the help!

Hello, bitbanger!

I'm very sorry but I don't understand the resulted solution.
Am I right that the only way to disable external access to DSM is to block 5000/5001 ports in FW?
There is no way to specify Access Control Profile for DSM, right?
 
Upvote 0
Last edited:
Yes that's true, in the Synology firewall, restrict any DSM access to only the local LAN/subnet you would use to administer the unit. Denying/not port forwarding 5000/5001 on your main network firewall is the primary means to deny, the Synology firewall a secondary layer of security.

By then changing the application ports, ie file station, surveillance station), you can open/allow/forward access to these apps specifically while maintaining the DSM access restriction.
 
Upvote 0
Thank you, @Telos!

Let me summarize what I've learned from you and from the documentation, correct me if I'm wrong, please.

There are two ways one can access services in your NAS:
1. Native applications (desktop or mobile applications, i.e., Photos, Drive and so on), let's call it a native access.
2. Web applications (applications you open in browsers, these applications are listed under Applications tab in Login Portal), let's call it a web access.

The native access can be configured using FW (using port forwarding/port blocking).
The web access can be configured using either Access Control Profiles or FW (for 443 port or any other ports if you configure different ports for each web application in Login Portal).

I have configured public IP and specified different domain names for each web application, so Photos can be access using https://photos.example.com, Drive can be accessed using https://drive.example.com and DSM can be accessed using https://dsm.example.com.

There is one thing I cannot understand.

Suppose I want to allow access to Photos only for some external network, allow access to Drive for some different external network, and DSM must only be accessed only from the third network. Because each web application uses 443 port it is impossible to distinguish them on FW, then here come Access Control Profiles, using them I can restrict access to different web applications for different external networks.

My question is how to apply Access Control Profile to DSM web application (dsm.example.com in my example)?
There is no such option in Login Portal settings:

1674023894600.png
 
Upvote 0
My question is how to apply Access Control Profile to DSM web application (dsm.example.com in my example)
Define DMS access using the Reverse proxy settings in a combination with the Advanced tab not the "Applications" tab.

1st, create the access control profile for the future DSM reverse proxy host record by using the Login portal > Advanced > ACP options.

1674027852155.png


After that, create the DSM reverse proxy record for the DSM and bind the ACP profile to it.

1674027932633.png


You can use the same method for all "apps" and not the "application" tab, but the application tab is there to be a bit more user friendly.

On a different note...

The native access can be configured using FW (using port forwarding/port blocking).
The web access can be configured using either Access Control Profiles or FW (for 443 port or any other ports if you configure different ports for each web application in Login Portal).
"Native apps" also use the same principle in the background as web access. The fact is that you will need port forward and firewall settings in both cases as Native app are just fancy shells that run the "web apps". From networking stand point they are the same. In some cases (Drive app for example) there are ports that are fix and hard coded so in order to use the Drive as a web app you will need certain port forwards (like 44 over reverse), but also specific port if you are using the app. Reason is that app runs on a predefined port (the agent desktop app) so additional config is needed.

Hope it helps.
 
Upvote 0

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Similar threads

Well, that was something that happened to people who don't follow best practices and were not up to date...
Replies
13
Views
3,143
  • Question
It sounds that the main focus is a LAN reconfiguration of DHCP and DNS services so that dynamically...
Replies
1
Views
572
Had simelar issue last Thursday. Router and 1 NAS worked, 2 NAS’s didn’t! This occurred as I was adding...
Replies
5
Views
847
  • Question
I guess "my Firewall" is the firewall on the Synology? a step by step tutorial can be found online like...
Replies
1
Views
846
OK at last, worked it out, you have to install Synology app on PC first then add name amd password then...
Replies
12
Views
1,338
There are three MASQUERADE rules* but I cannot see how they relate to the don't NAT name, or anything else...
Replies
45
Views
4,210

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Trending threads

Back
Top