Add a scheduling to QuickConnect?

I've tried everything I can think of to secure my NAS:
  • Disable admin account
  • Set up 2FA for account and use complex passwords.
  • Access my NAS via HTTPS using a valid SSL certificate (Let's Encrypt)
  • Change default ports to something else
  • Redirect HTTP to HTTPS port
  • Enabled DoS protection
  • Enable Auto-Block
  • Use firewall (and geo option) to limit the locations in the world you allow access to your NAS and services.
  • Install Important DSM updates automatically
  • Enable Snapshots and replications onto a second NAS (and this backup NAS is turned on only for that one hour replication window (scheduled))
  • etc.
Now, I love QC (VPN style, easy, secure enough for me, not that fast but I can live with that)
But I'd rather it was disabled all the time when I'm home, and enabled only when I'm out.
How would one go about that?
 
Install Important DSM updates automatically
While well intended, I'm inclined to do quite the opposite, preferring instead to wait 1-2 months to ensure updates are "safe" and will not interfere with my NAS use.

Re: QC... if you have allowed external access to your NAS, why do you need QC? If you have no external access to your NAS, then some of these changes offer no real advantage.
 
How would one go about that?
Not sure you can do it considering that it’s not just a setting to turn on, it’s a feature that needs a few configuration steps. Haven’t used QC so not sure if this is something that has a schedule option, but to my knowledge, I think it can’t be done. Maybe via a custom script.
 
There are some routers out there that may allow you to have ports open/closed based on a timed schedule. Unfortunately, I don’t know of anything out of the box that would trigger allowing access while away, and no access when returned. You’d need some geo-fence capability in addition to the custom scripting as Rusty mentioned.
 
Now, I love QC (VPN style, easy, secure enough for me
If you don’t mind me asking and since you’ve enabled all the necessary security requirements and took all the precautions associated with opening the ports and using DDNS, did you face any real threats that made you decide that it’s safer to use QC (relative to your current situation with DDNS of course)?
 
If you don’t mind me asking and since you’ve enabled all the necessary security requirements and took all the precautions associated with opening the ports and using DDNS, did you face any real threats that made you decide that it’s safer to use QC (relative to your current situation with DDNS of course)?
I use DDNS as well all the time and have had 0 problems.
 
If you don’t mind me asking and since you’ve enabled all the necessary security requirements and took all the precautions associated with opening the ports and using DDNS, did you face any real threats that made you decide that it’s safer to use QC (relative to your current situation with DDNS of course)?
Actually I've decided not to open any port on my router, that's what I like about QC (it punches out ports as needed only when the communication is established, from what I understand). No, I haven't actually been in a threatening situation, but a permanent outside link is still a possible door that can be used for any attempts. That's why I would like to limit the time the "door" is accessible (like in the middle of the night, when of course I will mostly never want to remotely access my NAS). I think it's another way of limiting possible damage: by setting a window of a couple hours of access time as opposed to 24h a day.

I've done exactly that, scheduling my snapshot replications to a second local NAS that only turns on 1 hour a day, then shuts itself off for 23h per day, so it's less likely to be "seen" if some hacker gets into my LAN in that 23h window. And because of that, I'm pretty sure that any ransomware attack won't "touch" that backup NAS since it will not even show up on my LAN.

Of course I already have backups on Cloud and on two rotating backup drives that I get to the bank every month...

Call me paranoid if you want ;)
 
I'm guessing you've all read this Synology_QuickConnect_White_Paper.pdf

From reading this there is an amount of trust that we have to place in Synology for the QuickConnect Web Portal. The process after deciding that direct LAN and WAN access is not possible then falls to how you are trying to access the NAS. Using Synology apps then the Relay Service is used (if hole-punching doesn't work), but for browser access then it is the QuickConnect Web Portal.

There is decryption within this portal in order to realign the NAS's web access to that acceptable to the browser: e.g. if a corporate firewall is blocking lots of outbound ports and the NAS is firewalled from incoming requests.

Since we have to trust Synology to provide secure hardware and software, in general, and that it provides at least one end of the SSL protected tunnel in any of these QC methods (i.e. it has the ability to sniff traffic before it gets encrypted) then we should place reasonable trust in QC Web Portal. Though it would be good for it to be independently assessed and tested. If anything is shown to breach this trust then Synology would have a PR disaster and potentially be dead.
 
No I haven't actually been in a threatening situation, but a permanent outside link is still a possible door that can be used for any attempts.
Most compromises are from the inside out. Foolish behavior on the part of the user. It is unlikely any of us are specifically targeted. Instead, we allow file execution to occur or interconnected LAN devices do us in.

Even without open ports the NAS still will receive updates. When these are compromised we die. Consider the Asus updater news recently.
 
Hey,

This needs testing.

- Configure your QuickConnect.
- Go to Task Scheduler.
- Create a user-defined script.
- Configure your time, ...
- To stop quickconnect, use
Code:
synoservice --stop synorelayd
- To start quickconnect, use
Code:
synoservice --start synorelayd
- Hit OK
 
I've deployed your solution and it's wonderful: I start the QuickConnect service at 8am (example) and stop it at 9am using the scheduler and the above command lines. This reduces external "exposure" to 1 hour per day and thus reduces the risk of possible unwanted access the rest of the day (for 23h), but it leaves a nice window open (that only I know about) that still enables me to remote access my NAS each day. Of course, as I said, I've already deployed a bunch of other countermeasures on top of this to protect my NAS, as listed at the beginning of this post.
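
The start/stop schedule described in the posts above can also be run as one script that enforces the window every time it runs. This is an added example, not code from the thread: the variable and function names and the 08:00 to 09:00 window are assumptions, and the `synoservice` calls are the ones quoted above, which the poster says need testing.

```sh
#!/bin/sh
# Added example (not from the thread): one scheduled task that enforces the
# QuickConnect window. Variable and function names are hypothetical; the
# synoservice calls are the ones quoted in the thread.
WINDOW_START="${WINDOW_START:-08:00}"   # constructed sample window
WINDOW_END="${WINDOW_END:-09:00}"

# HH:MM -> minutes since midnight. Leading zeros are stripped so "08" and
# "09" are not parsed as invalid octal inside $(( )).
to_minutes() {
    case "$1" in
        [0-2][0-9]:[0-5][0-9]) ;;
        *) return 1 ;;
    esac
    h=${1%%:*}; m=${1##*:}
    h=${h#0}; m=${m#0}
    [ "$h" -le 23 ] || return 1
    echo $(( h * 60 + m ))
}

# Exit 0 if $1 lies in [$2, $3); handles windows that wrap past midnight.
# Exit 2 on malformed input. An empty window (start == end) is never open.
in_window() {
    now=$(to_minutes "$1") && start=$(to_minutes "$2") &&
        end=$(to_minutes "$3") || return 2
    if [ "$start" -le "$end" ]; then
        [ "$now" -ge "$start" ] && [ "$now" -lt "$end" ]
    else
        [ "$now" -ge "$start" ] || [ "$now" -lt "$end" ]
    fi
}

# Fail closed: anything other than "inside the window" means stop.
desired_action() {
    if in_window "$1" "$WINDOW_START" "$WINDOW_END"; then echo start; else echo stop; fi
}

# DRY_RUN=1 (the default) prints the command instead of running it.
enforce() {
    action=$(desired_action "${1:-$(date +%H:%M)}")
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "would run: synoservice --$action synorelayd"
    else
        synoservice "--$action" synorelayd
    fi
}

# Task Scheduler entry point: sh thisfile.sh enforce
if [ "${1:-}" = "enforce" ]; then enforce "${2:-}"; fi
```

Scheduled every few minutes with `DRY_RUN=0`, the script re-applies the intended state on each run, so a reboot or a missed stop task does not leave the relay running outside the window.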
 
