Add scheduling to QuickConnect?


46
11
NAS
DS918+ DS218 (for replication only)
I've tried everything I can think of to secure my NAS:
  • Disable admin account
  • Set up 2FA for account and use complex passwords.
  • Access my NAS via HTTPS using a valid SSL certificate (Let's Encrypt)
  • Change default ports to something else
  • Redirect HTTP to HTTPS port
  • Enable DoS protection
  • Enable Auto-Block
  • Use firewall (and geo option) to limit the locations in the world you allow access to your NAS and services.
  • Install Important DSM updates automatically
  • Enable Snapshots and replications onto a second NAS (and this backup NAS is turned on only for that one hour replication window (scheduled))
  • etc.
Now, I love QC (VPN style, easy, secure enough for me, not that fast but I can live with that)
But I'd rather it was disabled all the time when I'm home, and enabled only when I'm out.
How would one go about that?
 

Telos

Subscriber
2,004
666
NAS
DS418play, DS213j, DS3622+, DSM 7.1.4-11091
Install Important DSM updates automatically
While well intended, I'm inclined to do quite the opposite, preferring instead to wait 1-2 months to ensure updates are "safe" and will not interfere with my NAS use.

Re: QC... if you have allowed external access to your NAS, why do you need QC? If you have no external access to your NAS, then some of these changes offer no real advantage.
 
2,076
878
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
I believe Johnny wants to use QC instead of DDNS but he’d like to schedule its availability. Not in addition to. That’s what I understood.
 

Rusty

Moderator
NAS Support
4,601
1,327
www.blackvoid.club
NAS
DS718+, DS918+, 2x RS3614RPxs+
Router
  1. RT1900ac
  2. RT2600ac
  3. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
How would one go about that?
Not sure you can do it considering that it’s not just a setting to turn on, it’s a feature that needs a few configuration steps. Haven’t used QC so not sure if this is something that has a schedule option, but to my knowledge, I think it can’t be done. Maybe via a custom script.
 
398
81
NAS
RS820+, DS718+
Operating system
  1. Windows
Mobile operating system
  1. iOS
There are some routers out there that may allow you to have ports open/closed based on a timed schedule. Unfortunately, I don’t know of anything out of the box that would trigger allowing access while away, and no access when returned. You’d need some geo-fence capability in addition to the custom scripting as Rusty mentioned.
 

fredbert

Moderator
NAS Support
Subscriber
3,102
1,233
NAS
DS1520+, DS218+, DS215j
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
QC is open!!! Get round his house and burgle it, he's not in 😱
 
2,076
878
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
Now, I love QC (VPN style, easy, secure enough for me
If you don’t mind me asking and since you’ve enabled all the necessary security requirements and took all the precautions associated with opening the ports and using DDNS, did you face any real threats that made you decide that it’s safer to use QC (relative to your current situation with DDNS of course)?
 

Rusty

Moderator
NAS Support
4,601
1,327
www.blackvoid.club
NAS
DS718+, DS918+, 2x RS3614RPxs+
Router
  1. RT1900ac
  2. RT2600ac
  3. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
If you don’t mind me asking and since you’ve enabled all the necessary security requirements and took all the precautions associated with opening the ports and using DDNS, did you face any real threats that made you decide that it’s safer to use QC (relative to your current situation with DDNS of course)?
I use DDNS as well all the time and have had 0 problems.
 
46
11
NAS
DS918+ DS218 (for replication only)
If you don’t mind me asking and since you’ve enabled all the necessary security requirements and took all the precautions associated with opening the ports and using DDNS, did you face any real threats that made you decide that it’s safer to use QC (relative to your current situation with DDNS of course)?
Actually I've decided not to open any port on my router, that's what I like about QC (it punches out ports as needed only when the communication is established, from what I understand). No I haven't actually been in a threatening situation, but a permanent outside link is still a possible door that can be used for any attempts. That's why I would like to limit the time the "door" is accessible (like in the middle of the night, when of course I will mostly never want to remotely access my NAS). I think it's another way of limiting possible damage: by setting a window of a couple hours of access time as opposed to 24h a day.

I've done exactly that by scheduling my snapshot replications to a second local NAS that only turns on 1 hour a day, then shuts itself off for 23h per day, so it's less likely to be "seen" if some hacker gets into my LAN in that 23h window. And because of that, I'm pretty sure that any ransomware attack won't "touch" that backup NAS since it will not even show up on my LAN.

Of course I already have backups on Cloud and on two rotating backup drives that I get to the bank every month...

Call me paranoid if you want ;)
 
2,076
878
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
Call me paranoid if you want ;)
It’s ok. Welcome to the club :)

Your best option could be what @Gerard mentioned. A router with port scheduling. I’ve only seen a screenshot of something like that. I don’t even know what’s the brand. They’re out there though.
 

fredbert

Moderator
NAS Support
Subscriber
3,102
1,233
NAS
DS1520+, DS218+, DS215j
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
I'm guessing you've all read this Synology_QuickConnect_White_Paper.pdf

From reading this there is an amount of trust that we have to place in Synology for the QuickConnect Web Portal. The process after deciding that direct LAN and WAN access is not possible then falls to how you are trying to access the NAS. Using Synology apps then the Relay Service is used (if hole-punching doesn't work), but for browser access then it's QuickConnect Web Portal.

There is decryption within this portal in order to realign the NAS's web access to that acceptable to the browser: e.g. if a corporate firewall is blocking lots of outbound ports and the NAS is firewalled from incoming requests.

Since we have to trust Synology to provide secure hardware and software, in general, and that it provides at least one end of the SSL protected tunnel in any of these QC methods (i.e. it has the ability to sniff traffic before it gets encrypted) then we should place reasonable trust in QC Web Portal. Though it would be good for it to be independently assessed and tested. If anything is shown to breach this trust then Synology would have a PR disaster and potentially be dead.
 

Telos

Subscriber
2,004
666
NAS
DS418play, DS213j, DS3622+, DSM 7.1.4-11091
No I haven't actually been in a threatening situation, but a permanent outside link is still a possible door that can be used for any attempts.
Most compromises are from the inside out. Foolish behavior on the part of the user. It is unlikely any of us are specifically targeted. Instead, we allow file execution to occur or interconnected LAN devices do us in.

Even without open ports the NAS still will receive updates. When these are compromised we die. Consider the Asus updater news recently.
 
32
10
NAS
DS218+ DSM 6.2.2-24922-4
Router
  1. RT2600ac
Hey,

This needs testing.

- Configure your QuickConnect.
- Go to Task Scheduler.
- Create a user-defined script.
- Configure your time, ...
- To stop QuickConnect, use
Code:
synoservice --stop synorelayd
- To start QuickConnect, use
Code:
synoservice --start synorelayd
- Hit OK
 
46
11
NAS
DS918+ DS218 (for replication only)
Hey,

This needs testing.

- Configure your QuickConnect.
- Go to Task Scheduler.
- Create a user-defined script.
- Configure your time, ...
- To stop QuickConnect, use
Code:
synoservice --stop synorelayd
- To start QuickConnect, use
Code:
synoservice --start synorelayd
- Hit OK

I've deployed your solution and it's wonderful: I start the QuickConnect service at 8am (example) and stop it at 9am using the scheduler and the above command lines. This reduces external "exposure" to 1 hour per day and thus reduces the risk of possible unwanted access the rest of the day (for 23h), but it leaves a nice window open (that only I know about) that still enables me to remote access my NAS each day. Of course as I said I've already deployed a bunch of other countermeasures on top of this to protect my NAS, as listed at the beginning of this post.
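
The start/stop schedule from the posts above, as an added example that is not part of the original thread: one script, run repeatedly, that decides from the clock whether `synorelayd` should be running and issues the thread's `synoservice` command accordingly. The names `QC_OPEN`, `QC_CLOSE` and `SYNOSERVICE`, the `--enforce` argument and the 08:00-09:00 default are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: run QuickConnect's relay daemon only inside a daily window.
# QC_OPEN, QC_CLOSE and SYNOSERVICE are names made up for this example.
QC_OPEN="${QC_OPEN:-0800}"    # window start, HHMM (8am as in the post above)
QC_CLOSE="${QC_CLOSE:-0900}"  # window end, HHMM, exclusive
SYNOSERVICE="${SYNOSERVICE:-synoservice}"  # set to "echo" for a dry run

# to_min HHMM -> minutes since midnight; non-zero exit on malformed input
to_min() {
    case "$1" in
        [0-1][0-9][0-5][0-9] | 2[0-3][0-5][0-9]) ;;
        *) return 1 ;;
    esac
    h=${1%??}; m=${1#??}
    # strip one leading zero so "08" is not parsed as octal
    echo $(( ${h#0} * 60 + ${m#0} ))
}

# in_window NOW OPEN CLOSE -> exit 0 when NOW is in [OPEN, CLOSE).
# Windows that wrap past midnight (2300-0100) work; parse errors mean "outside".
in_window() {
    now=$(to_min "$1") && open=$(to_min "$2") && close=$(to_min "$3") || return 1
    if [ "$open" -le "$close" ]; then
        [ "$now" -ge "$open" ] && [ "$now" -lt "$close" ]
    else
        [ "$now" -ge "$open" ] || [ "$now" -lt "$close" ]
    fi
}

# qc_action NOW -> prints "start" or "stop"; anything unexpected yields "stop"
qc_action() {
    if in_window "$1" "$QC_OPEN" "$QC_CLOSE"; then echo start; else echo stop; fi
}

# qc_enforce [NOW] -> issue the matching command from the thread
qc_enforce() {
    action=$(qc_action "${1:-$(date +%H%M)}")
    "$SYNOSERVICE" "--$action" synorelayd
}

# Only touch the service when asked to, e.g. from a recurring scheduled task.
if [ "${1:-}" = "--enforce" ]; then
    qc_enforce
fi
```

Scheduled with `--enforce` every few minutes instead of as two fixed-time tasks, each run re-applies the window, so a missed task or a service restart outside the window is corrected on the next run.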
 
