Add a scheduling to QuickConnect?


45
11
NAS
DS918+ DS218 (for replication only)
I've tried everything I can think of to secure my NAS:
  • Disable admin account
  • Set up 2FA for account and use complex passwords.
  • Access my NAS via https using a valid ssl certificate (Let's Encrypt)
  • Change default ports to something else
  • Redirect Http to Https port
  • Enabled DoS protection
  • Enable Auto-Block
  • Use firewall (and geo option) to limit the locations in the world you allow access to your nas and services.
  • Install Important DSM updates automatically
  • Enable Snapshots and replications onto a second NAS (and this backup NAS is turned on only for that one hour replication window (scheduled))
  • etc.
Now, I love QC (VPN style, easy, secure enough for me, not that fast but I can live with that)
But I'd rather it was disabled all the time when I'm home, and enabled only when I'm out.
How would one go about that?
 
1,008
337
NAS
DS418play, DS213j, DSM 7.0.1-14401
Install Important DSM updates automatically
While well intended, I'm inclined to do quite the opposite, preferring instead to wait 1-2 months to ensure updates are "safe" and will not interfere with my NAS use.

Re: QC... if you have allowed external access to your NAS, why do you need QC? If you have no external access to your NAS, then some of these changes offer no real advantage.
 
1,427
617
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
I believe Johnny wants to use QC instead of DDNS but he’d like to schedule its availability. Not in addition to. That’s what I understood.
 

Rusty

Moderator
NAS Support
2,273
682
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
RT1900ac, RT2600ac, MR2200ac
How would one go about that?
Not sure you can do it considering that it’s not just a setting to turn on, it’s a feature that needs a few configuration steps. Haven’t used QC so not sure if this is something that has a schedule option, but to my knowledge, I think it can’t be done. Maybe via a custom script.
 
201
41
NAS
DS718+
There are some routers out there that may allow you to have ports open/closed based on a timed schedule. Unfortunately, I don’t know of anything out of the box that would trigger allow access while away, and no access when returned. You’d need some geo-fence capability in addition to the custom scripting as Rusty mentioned.
 

fredbert

Moderator
NAS Support
Subscriber
1,473
628
NAS
DS1520+, DS218+, DS215j
Router
RT2600ac, MR2200ac
Operating system
macOS
Mobile operating system
iOS
QC is open!!! Get round his house and burgle it, he's not in 😱
 
1,427
617
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
Now, I love QC (VPN style, easy, secure enough for me
If you don’t mind me asking and since you’ve enabled all the necessary security requirements and took all the precautions associated with opening the ports and using DDNS, did you face any real threats that made you decide that it’s safer to use QC (relative to your current situation with DDNS of course)?
 

Rusty

Moderator
NAS Support
2,273
682
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
RT1900ac, RT2600ac, MR2200ac
If you don’t mind me asking and since you’ve enabled all the necessary security requirements and took all the precautions associated with opening the ports and using DDNS, did you face any real threats that made you decide that it’s safer to use QC (relative to your current situation with DDNS of course)?
I use DDNS as well all the time and have had 0 problems.
 
45
11
NAS
DS918+ DS218 (for replication only)
If you don’t mind me asking and since you’ve enabled all the necessary security requirements and took all the precautions associated with opening the ports and using DDNS, did you face any real threats that made you decide that it’s safer to use QC (relative to your current situation with DDNS of course)?
Actually I've decided not to open any port on my router, that's what I like about QC (it punches out ports as needed only when the communication is established, from what I understand). No, I haven't actually been in a threatening situation, but a permanent outside link is still a possible door that can be used for any attempts. That's why I would like to limit the time the "door" is accessible (like in the middle of the night, where of course I will mostly never want to remotely access my NAS). I think it's another way of limiting possible damage: by setting a window of a couple hours of access time as opposed to 24h a day.

I've done exactly that, scheduling my snapshot replications to a second local NAS that only turns on 1 hour a day, then shuts itself off for 23h per day, so it's less likely to be "seen" if some hacker gets into my LAN in that 23h window. And because of that, I'm pretty sure that any ransomware attack won't "touch" that backup NAS since it will not even show up on my LAN.

Of course I already have backups on Cloud and on two rotating backup drives that I get to the bank every month...

Call me paranoid if you want ;)
 
1,427
617
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
Call me paranoid if you want ;)
It’s ok. Welcome to the club :)

Your best option could be what @Gerard mentioned. A router with port scheduling. I’ve only seen a screenshot of something like that. I don’t even know what’s the brand. They’re out there though.
 

fredbert

Moderator
NAS Support
Subscriber
1,473
628
NAS
DS1520+, DS218+, DS215j
Router
RT2600ac, MR2200ac
Operating system
macOS
Mobile operating system
iOS
I'm guessing you've all read this Synology_QuickConnect_White_Paper.pdf

From reading this there is an amount of trust that we have to place in Synology for the QuickConnect Web Portal. The process after deciding that direct LAN and WAN access is not possible then falls to how you are trying to access the NAS. Using Synology apps then the Relay Service is used (if hole-punching doesn't work), but for browser access then it is the QuickConnect Web Portal.

There is decryption within this portal in order to realign the NAS's web access to that acceptable to the browser: e.g. if a corporate firewall is blocking lots of outbound ports and the NAS is firewalled from incoming requests.

Since we have to trust Synology to provide secure hardware and software, in general, and that it provides at least one end of the SSL protected tunnel in any of these QC methods (i.e. it has the ability to sniff traffic before it gets encrypted) then we should place reasonable trust in QC Web Portal. Though it would be good for it to be independently assessed and tested. If anything is shown to breach this trust then Synology would have a PR disaster and potentially be dead.
 
1,008
337
NAS
DS418play, DS213j, DSM 7.0.1-14401
No, I haven't actually been in a threatening situation, but a permanent outside link is still a possible door that can be used for any attempts.
Most compromises are from the inside out. Foolish behavior on the part of the user. It is unlikely any of us are specifically targeted. Instead, we allow file execution to occur or interconnected LAN devices do us in.

Even without open ports the NAS still will receive updates. When these are compromised we die. Consider the Asus updater news recently.
 
31
10
NAS
DS218+ DSM 6.2.2-24922-4
Router
RT2600ac
Hey,

This needs testing.

- Config your quickconnect.
- Go to Task scheduler.
- Create a user-defined script.
- Config your time,.....
- To stop quickconnect, use
Code:
synoservice --stop synorelayd
- To start quickconnect, use
Code:
synoservice --start synorelayd
- Hit OK
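
An added example, not part of the original posts: instead of two separate timed tasks, a single script run periodically (and at boot-up) from Task Scheduler can enforce the window, so the relay daemon is stopped again if anything brings it back outside the allowed hours. It uses only the `synoservice --start/--stop synorelayd` commands posted above; the window variables, function names and the `--enforce` argument are hypothetical, and it assumes that repeating a start or stop on a service already in that state is harmless.

```shell
#!/bin/sh
# Added example: keep QuickConnect's relay daemon (synorelayd) inside a daily
# access window. Run as root from a Task Scheduler user-defined script with
# the hypothetical argument --enforce, e.g. every 15 minutes and at boot-up.

# Window in whole hours, 24h clock. 8-9 mirrors the thread; names are made up.
QC_START_HOUR="${QC_START_HOUR:-8}"   # inclusive
QC_END_HOUR="${QC_END_HOUR:-9}"       # exclusive
# Service control command from the thread; overridable for a dry run.
SYNOSERVICE="${SYNOSERVICE:-synoservice}"

# desired_action HOUR START END -> prints "start" or "stop".
# START > END means the window wraps past midnight (e.g. 22 to 6).
desired_action() {
    hour=${1#0}; hour=${hour:-0}      # normalise `date +%H`: "08" -> 8, "00" -> 0
    if [ "$2" -le "$3" ]; then
        if [ "$hour" -ge "$2" ] && [ "$hour" -lt "$3" ]; then
            echo start
        else
            echo stop
        fi
    elif [ "$hour" -ge "$2" ] || [ "$hour" -lt "$3" ]; then
        echo start
    else
        echo stop
    fi
}

# enforce_window HOUR -> applies the desired state and prints what was done.
enforce_window() {
    action=$(desired_action "$1" "$QC_START_HOUR" "$QC_END_HOUR")
    # Assumption: repeating --start/--stop on a service already in that state is harmless.
    if "$SYNOSERVICE" "--$action" synorelayd >/dev/null 2>&1; then
        echo "synorelayd: $action ok"
    else
        echo "synorelayd: $action FAILED"
        return 1
    fi
}

if [ "${1:-}" = "--enforce" ]; then
    enforce_window "$(date +%H)"
fi
```

Because the script fails closed on an empty window (start hour equal to end hour always yields "stop"), setting both variables to the same value keeps the relay off until the window is widened again.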
 
45
11
NAS
DS918+ DS218 (for replication only)
Hey,

This needs testing.

- Config your quickconnect.
- Go to Task scheduler.
- Create a user-defined script.
- Config your time,.....
- To stop quickconnect, use
Code:
synoservice --stop synorelayd
- To start quickconnect, use
Code:
synoservice --start synorelayd
- Hit OK
I've deployed your solution and it's wonderful: I start the quickconnect service at 8am (example) and stop it at 9am using the scheduler and the above command lines. This reduces to 1 hour per day of external "exposure" and thus reduces the risk of a possible unwanted access the rest of the day (for 23h), but it leaves a nice window open (that only I know about) that still enables me to remote access my NAS each day. Of course as I said I've already deployed a bunch of other countermeasures on top of this to protect my NAS, as listed at the beginning of this post.
 
