Being attacked!


Okay so like this? (Network addressing always confuses me).....
[Screenshot 2022-08-11 at 18.11.51.jpg]
 
And if that works okay I can delete two rules (inactive) above the last deny rule ?
No need to wait. Delete them now 🙂

I don’t know what the first two rules are. I mean, where is the traffic coming from? Internal/external?

Your management UI and File Station (don’t know if there’s more) are open for the whole world. Do something about that.

Unless it's meant to be one IP address in each rule, in which case the subnet mask should be 255.255.255.255 for a /32.
Fair point but unlikely that only two hosts on the LAN are allowed (although there are two rules before it that might be for some local hosts).
 
Okay, rules now adjusted to:
[Screenshot 2022-08-11 at 18.22.37.jpg]

With the NTP service (etc): rule covering:
[Screenshot 2022-08-11 at 18.22.13.jpg]

[Screenshot 2022-08-11 at 18.22.26.jpg]


As far as I know:
  • NTP Service has to be on for the NAS to use NTP to correct its time?
  • Management UI, File Station, Audio Station, Surveillance Station, Download Station, CMS) is so I can access the NAS remotely via <mynas>.mydomain.com? Or should I disable this as a security risk and access via the LAN only?
  • Web Station and Web Mail - so the forum will work? Or can these be turned off and the ports will be enough?
  • Synology Drive Server - needed so the Mac can back up via the Synology Drive Client?
 
NTP Service has to be on for the NAS to use NTP to correct its time?
This is a “fetch” operation as far as I know. The NAS will check with the NTP service and read the time. There’s no need to allow NTP. DSM firewall examines inbound traffic only.
Unless I misunderstood what this NTP refers to.

Management UI, File Station, Audio Station, Surveillance Station, Download Station, CMS) is so I can access the NAS remotely via <mynas>.mydomain.com? Or should I disable this as a security risk and access via the LAN only?
That’s ok. You do have forward rules for these on the router, right?
The only thing is that you have the source as “all”, so the world and its dog can have a try at it. Should limit the source to your country and if you visit other countries add them, preferably before you board the plane and remove them when you’re back 🙂
Later you might try creating a reverse proxy (with a port other than the default because the default, 443, is used for the forum).

Web Station and Web Mail - so the forum will work? Or can these be turned off and the ports will be enough?
Web Station and Mail Station (is that what you mean by web mail?) use 80/443
So this is redundant if it’s for your allowed visitors.


Synology Drive Server - needed so the Mac can back up via the Synology Drive Client?
Is this Mac on the LAN? If so, then this is redundant as it’s covered by 192.168.1.0 / 255.255.255.0


Edit: I should say for access from abroad, I prefer using DSM’s VPN server.
 
Okay real progress being made now.
  • NTP has been turned off
  • Management UI, File Station, Audio Station, Surveillance Station, Download Station, CMS) is so I can access the NAS remotely via <mynas>.mydomain.com - I've left as I have it set and yes port forwards are controlled on the Orbi.
  • Web Station and Mail Station have been turned off and I'm using ports 80/443 instead. Seems to be working okay so far. :)
  • Synology Drive has been turned off as the Mac is indeed on the LAN.
  • Ref remote access we don't holiday abroad (I don't fly - long story), I just prefer to access the NAS via <mynas>.mydomain.com:port instead of IP Address:port. Plus if I do have to access it I know I can do so. I did look to do it via the VPN last year but had all sorts of reliability issues with the connection.
  • Reverse proxy I've read about, still do not understand it, or know how to configure it and am worried I might lock myself out of the NAS :) [I did say networking was my weak area] :)
I'm feeling a lot more secure connectivity wise than I was this morning!
 
Management UI, File Station, Audio Station, Surveillance Station, Download Station, CMS) is so I can access the NAS remotely via <mynas>.mydomain.com - I've left as I have it set and yes port forwards are controlled on the Orbi.
Ok. But did you change the source to your country only?

Ref remote access we don't holiday abroad (I don't fly - long story), I just prefer to access the NAS via <mynas>.mydomain.com:port instead of IP Address:port. Plus if I do have to access it I know I can do so. I did look to do it via the VPN last year but had all sorts of reliability issues with the connection.
That’s ok. Then keep the source to your country.

Reverse proxy I've read about, still do not understand it, or know how to configure it and am worried I might lock myself out of the NAS :) [I did say networking was my weak area] :)
No worries. The forum can help with that and I’m sure you’ll find it easy – you’re the TekGuru after all 🙂

I'm feeling a lot more secure connectivity wise than I was this morning!
That’s good. Still some room for improvement that can be tackled some other time.
 
To reply to each:

- Yes country limited
- Yes country limited
- Yep Tekguru (except in areas like networking LOL). If I find a clear Tutorial as to what a reverse proxy is, why I need one and how to configure it I guess I can give it a go at some point :)
- Not much more to do now though I guess as Firewall rules now a lot tighter and the Orbi has been locked down as well.

And as always guys your assistance in tightening things up has been very much appreciated.
 
If I find a clear Tutorial as to what a reverse proxy is
 
I just knew this was coming :) I'll do a bit of a reading session tomorrow. I guess whilst testing it will work alongside what I have now so nothing to lose..... as long as it won't conflict with myforum.mydomain.com and mynas.mydomain.com.
 
Okay I'm looking at setting up the reverse proxy, but when I look to get the certificate for the main domain I get the old port 80 problem. I can't remember how to get around this one; port 80 is open in the NAS firewall. It's not been a problem in the past as I've obtained individual certificates for <mynas>.<mydomain>.com & <myforum>.<mydomain>.com.
It's possible that the firewall hardening I did yesterday has messed this up somehow?

The greater concern is that I may have broken auto-renewing of my existent certificates?

[Screenshot 2022-08-12 at 09.51.04.jpg]
 
It looks like it was a problem with looking to get a certificate for 'mydomain.com', instead I got a separate certificate for 'app.mydomain.com' and the reverse proxy for 'app.mydomain.com' is now working.
I guess eventually I need to convince the CFO (i.e. my good lady wife) that purchasing a full wildcard certificate is worthwhile.
Not too bad price wise via Dynu DDNS...
[Screenshot 2022-08-12 at 11.03.38.jpg]


In any case all my 'port specific' app.mydomain.com NAS access routes have been removed and replaced with reverse proxies.
Thanks guys!
 
Let’s Encrypt supports wildcard certificates, why not just use that? Instead of using individual certificates for all the subdomains. Or I could have it wrong.
In any case check this great article from @Rusty about how to install Let’s Encrypt and a wildcard certificate.

It's possible that the firewall hardening I did yesterday has messed this up somehow?
LE needs access on port 80 from the USA and sometimes some other countries. So if you denied USA access then it will not work! Better use the DNS challenge to renew LE certs.
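Several points in this thread come down to how a first-match inbound firewall like DSM's reads a rule list: a dotted mask of 255.255.255.0 covers the whole 192.168.1.0 LAN while 255.255.255.255 is a single host (/32), a management port with source "all" is reachable from anywhere, and a country-limited port 80 rule is exactly what blocks an HTTP-01 validation that arrives from a validator outside that country (which is why the DNS challenge avoids the problem). The Python model below is an added example written for this page, not code from the thread or from Synology; the addresses, the tiny country lookup table and the rule sets are constructed for illustration, and 5000/5001 are used as the DSM management UI default ports.

```python
"""Model of a first-match inbound firewall, added as an example for this thread.

Everything here is constructed: the GEO table stands in for a GeoIP database,
and the addresses/rule sets are illustrative, not anyone's real configuration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set

# Constructed source-to-country table (a real firewall would consult GeoIP).
GEO = {
    "203.0.113.0/24": "GB",   # the owner's home country in this example
    "198.51.100.0/24": "US",  # where the constructed HTTP-01 validator lives
}


def country_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO.items():
        if addr in ipaddress.ip_network(net):
            return cc
    return None


def mask_to_network(base: str, mask: str) -> ipaddress.IPv4Network:
    """Turn the 'IP / dotted mask' pair shown in the DSM UI into a network.

    255.255.255.0 gives a /24 (the whole LAN); 255.255.255.255 gives a /32,
    which matches exactly one host.
    """
    return ipaddress.ip_network(f"{base}/{mask}", strict=False)


@dataclass
class Rule:
    ports: Optional[Set[int]]                       # None = all ports
    source: Optional[ipaddress.IPv4Network] = None  # None = any address ("all")
    country: Optional[str] = None                   # optional geo restriction
    action: str = "allow"

    def matches(self, src_ip: str, dst_port: int) -> bool:
        if self.ports is not None and dst_port not in self.ports:
            return False
        if self.source is not None and ipaddress.ip_address(src_ip) not in self.source:
            return False
        if self.country is not None and country_of(src_ip) != self.country:
            return False
        return True


def evaluate(rules, src_ip: str, dst_port: int) -> str:
    """First-match evaluation of inbound traffic; anything unmatched is denied.

    Outbound requests (e.g. the NAS fetching time from an NTP server) never
    pass through this list, so they need no allow rule here.
    """
    for rule in rules:
        if rule.matches(src_ip, dst_port):
            return rule.action
    return "deny"


MGMT_PORTS = {5000, 5001}  # DSM management UI defaults (HTTP/HTTPS)


def wide_open_mgmt(rules):
    """Audit: allow rules that expose a management port with no source or country limit."""
    return [r for r in rules
            if r.action == "allow" and r.source is None and r.country is None
            and (r.ports is None or r.ports & MGMT_PORTS)]


# Constructed rule sets: the state described at the start of the thread and the
# tightened one after limiting public services to the home country.
LAN = mask_to_network("192.168.1.0", "255.255.255.0")
ONE_HOST = mask_to_network("192.168.1.50", "255.255.255.255")

BEFORE = [
    Rule(ports=None, source=LAN),   # everything from the LAN
    Rule(ports=MGMT_PORTS),         # management UI open to the world
    Rule(ports={80, 443}),          # web traffic from anywhere
]
AFTER = [
    Rule(ports=None, source=LAN),
    Rule(ports=MGMT_PORTS, country="GB"),
    Rule(ports={80, 443}, country="GB"),
]

if __name__ == "__main__":
    print(LAN, ONE_HOST, ONE_HOST.num_addresses)
    print("world -> mgmt, before:", evaluate(BEFORE, "198.51.100.7", 5000))
    print("world -> mgmt, after: ", evaluate(AFTER, "198.51.100.7", 5000))
    print("US validator -> 80, after:", evaluate(AFTER, "198.51.100.7", 80))
    print("wide-open mgmt rules before/after:",
          len(wide_open_mgmt(BEFORE)), len(wide_open_mgmt(AFTER)))
```

Running it shows the trade-off the thread lands on: after the tightening, the LAN still reaches every port and the home country still reaches the UI, but the constructed US validator is denied on port 80, so an HTTP-01 renewal would fail unless that country is re-allowed (or DNS-01 is used, which needs no inbound rule at all).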
 
Cheers guys I'm looking at the wild card option now, seems I do have to use a free CloudFlare account for that. I used to have one and I'm waiting on a password reset email to come through.
Yep for LE I worked that out re the countries, so have allowed access from the US of A and that seemed to fix it. Using DNS challenge has to be a manual process though and it's something I want to avoid. Why do a manual job if it can be automated?

Okay I ended up setting up a new CloudFlare account (free one), but I'm not going down that route as I don't want to move my nameservers away from Dynu DDNS.

I've also read the rest of the tutorial and I'm not going to install Docker and then start messing around with command lines etc. :)

So I'll stay as we are I think :) Definitely a lot more secure than I was 2 days ago......
 
More good news, since changing to using a reverse proxy to access the NAS I can remove the port forwards which were in place on the Orbi to get to the NAS UX remotely :)
 
Thinking on this guys if I want to set up the VPN server again is it best to set it up with port forwarding or look to do it via reverse proxy?
 
You could use Tailscale for NAS VPN and have no port forwarding requirement.

Otherwise for VPN Server you should change the default port from 1194. Security has many layers. Obfuscation is one.
 
