Best method for securing your NAS when giving it inbound access?
Hello my dear SynoUsers!

I'd like to hear everybody's input regarding the best method to secure your Synology when giving it inbound access over a domain with a DNS record.
My plan is to grant access so that Synology Drive can be used outside of the network, and to share external links with external users so they can download files.

My understanding is to change the default ports from 5000 and 5001 to much higher numbers. Also, I have already deactivated all preinstalled accounts, enabled IP blocking, and am using strong passwords for all users. I am also planning on using 2FA or access over mobile devices for the Admin accounts.

But what is your input?

Thanks
 
Another way to further "get lost" is to not give out URLs with port numbers in them. Consider pushing your services over a reverse proxy if you have to give access over an FQDN. The Drive platform will work great with this method as well, as you will be able to handle access using a custom subdomain name (drive.domain.com) with no port number at the end over https (with a valid TLS cert).

Forcing 2FA for all those users will boost security for sure, and make sure to harden access for those accounts and limit what apps and services should be accessible.
 
I'd like to do this as well. I am using an FQDN with specific higher ports. How do I use a reverse proxy to avoid the need to include the port number?
 
You will need to use a reverse proxy in order to pass those requests via port 443, which by default does not need to be entered when using the https protocol.

The forum's Resources section has a number of reverse proxy tutorials. Some use the built-in reverse proxy (inside DSM), others use an external one via Docker.
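To make the port-443 idea concrete, here is an added example of what such a reverse proxy looks like when the external one (nginx in a container or on another box) is used. This is my own illustration, not a config from the thread or from a Synology tutorial, and it assumes: the public name drive.example.com, a NAS LAN address of 192.168.1.10, DSM's HTTPS port already moved to 55001 (a constructed value in the 49152–65535 range), and a Let's Encrypt certificate in the usual certbot paths. The only router forward needed is 443 (plus 80 if you want the redirect and HTTP-01 renewals); the high DSM port never has to be exposed.

```nginx
# Added example: publish Synology Drive on https://drive.example.com with no port in the URL.
# Names, addresses and ports below are assumptions, not values from the thread.

# Plain HTTP only redirects to HTTPS; nothing is served in the clear.
server {
    listen 80;
    server_name drive.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name drive.example.com;

    # Publicly trusted certificate for the subdomain (assumed certbot layout).
    ssl_certificate     /etc/letsencrypt/live/drive.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/drive.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Tell browsers to keep using HTTPS for this host.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        # Forward to the NAS on its (relocated) DSM HTTPS port inside the LAN.
        proxy_pass https://192.168.1.10:55001;

        # Pass the original host and client address so DSM logs and
        # IP auto-block see the real remote IP, not the proxy's.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # DSM and the Drive web client use WebSockets; allow the upgrade.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

One thing to pair with this: once DSM is only reachable through the proxy, the NAS firewall can restrict the DSM port to the proxy's LAN address (or the LAN subnet) and the DENY ALL rule at the bottom covers everything else, so the high port is not reachable from the internet even if a forward is accidentally left in place.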
 
I'd like to hear everybody's input regarding the best method to secure your Synology when giving it inbound access over a domain with a DNS record.
I was where you are 6 months ago: what strategies to deploy for secure remote access to a Synology DSM 7.1 NAS? So, even though I still consider myself a newbie, I may be able to contribute to this thread.

The overwhelming consensus of those with more experience is to limit the type and number of inbound router port forwards. And if you need a router port forward, don't allow a public IP with port number access to a login (sign in) page. The two security strategies I considered are:
  1. Synology VPN hosting
  2. Synology Reverse Proxy
Each of the above strategies has pluses and minuses. And even though each of these strategies requires a router port forward, neither permits access to a login page through a public IP. I chose a Reverse Proxy strategy because I couldn't figure out how to limit access to other LAN devices with VPN access, whereas Synology's Reverse Proxy affords control of NAS services and other LAN devices through sub-domains.

There are many good videos and tutorials on both strategies. Here are a few Reverse Proxy videos worthy of mention:
In the end, I followed the tutorials in the above links and have successfully implemented Reverse Proxy on my NAS. And I have a sub-domain associated with my Synology Reverse Proxy that gives me access to the router login page.
 
Got it working!
Well done. But you are not finished quite yet. I strongly suggest you review each of the devices in your LAN against this checklist...

DIGITAL SECURITY ASSESSMENT CHECKLIST

You will not get a perfect score. But the checklist helps define the areas that are vulnerable and some implementation suggestions.

Here is my short list
  • Change the default port numbers from 5000 and 5001 to numbers within the range 49152–65535.
  • If you have not configured your NAS firewall, do it. The last item on the list should be DENY ALL. But, make sure you allow your LAN before this last entry. This article will help: How to Set Up the Firewall on a Synology NAS
  • Add 2FA for everyone (if you can).
  • Disable Synology default Guest and Admin user accounts. AND change their passwords if you ever need to enable the Synology Admin account in the future (for Synology help).
  • Never log into your NAS with Admin privileges with SMB protocol. SMB should only be used with user accounts (never admin).
  • Consider adding an IP deny list as an added hack deterrent.
  • Never hesitate to install all DSM and package updates.
AND, you must ALWAYS remember that it is not a matter of IF you will get hacked. Rather, the real question is WHAT WILL YOU DO WHEN YOU GET HACKED.

So...
  • Configure Snapshots.
  • And deploy a data and configuration backup strategy (Hyper Backup and Snapshot Replication to a remote location).
 
Great advice and I had already done all of those, based on other online tutorials I followed.

I will say that, beyond being an incredibly useful device, my DS720 is lots of fun to tinker with. I've been in this business since 1982; old dogs can learn new tricks.
 
old dogs can learn new tricks
Indeed. I learned Fortran programming on punch cards in 1973. :LOL:
BSME 1975.

my DS720 is lots of fun to tinker with
I have a DS220+ at home and took the lead on provisioning a DS920+ at church. It has been a fun ride learning a bit of the networking world. :giggle:. It has its own vocabulary. Still more to learn.

The long timers on this forum are a "priceless" resource. Glad I could finally give back a little of what I have learned.
 
Indeed. I learned Fortran programming on punch cards in 1973.
Ahh, someone who can tell you the difference between an 026 keypunch and an 029 keypunch.

My first programs were written in BASIC, typed on an ASR33 teletype connected to Princeton University via 110 baud modem back in 1974. Got a BS in computer science in 1982, never looked back. Most rewarding career I could have asked for. I get paid to play with expensive toys (and now, direct others who do the same). What more can you ask for?
 
When using VPN and such, how would you give an external user, for example, access to a shared file over Synology Drive?
 
VPN over the firewall, in this case OpenVPN.
I keep hearing that we should only use VPN to grant users access from outside of the network.
We understand this is the easiest option when securing it. It also seems very impractical for a business environment that needs to share files with external clients.
 
Still not clear. Are we talking about an incoming VPN (there is a VPN server running on the NAS), or an outgoing VPN, where the NAS is an actual VPN client?
 
The NAS is behind a firewall, and the firewall has a VPN set up with OpenVPN. The team also has a VPN client installed so they can access the servers within our network (on-premises). We would like to implement Synology Drive for our team so they can work with the files they need. As mentioned, we would like to go with the domain option instead of using a VPN.

But if we do decide to go with VPN access for our team, how would an external user (client or subcontractor) access the shared-out files that our team members generate with Synology Drive?
 
How would an external user (client or subcontractor) access the shared-out files that our team members generate with Synology Drive?
Guessing Drive is not publicly accessible in this case then? If not, then create VPN accounts and allow access to specific services, including Drive.
 