Question Have you ever tried randomly viewing the Synology DDNS names?


Geeked

NAS Hosted
Subscriber
139
64
nashosted.com
NAS
DS918+, DS218+(2), RS820+
Operating system
  1. Linux
  2. macOS
  3. Windows
Mobile operating system
  1. iOS
A while back when I was assigning my NAS a DDNS, the names I was choosing were all taken. So naturally I pop them into the browser xxxxxx.synology.me. I was shocked to see so many insecure Plex and Emby installs. And some even had their port 5000 open! I guess I shouldn’t be that surprised.
 

Rusty

Moderator
NAS Support
2,495
752
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
  1. RT1900ac
  2. RT2600ac
  3. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
That's how Synolocker got the best of most users out there a while back.
 
1,515
648
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
I believe a lot of users think what’s available is only a synology.me domain, while there is more in the drop-down menu.
I had a synology.me and then changed it. It’s too obvious.
 

Geeked

> That's how Synolocker got the best of most users out there a while back.
I was thinking the same thing. This is like fishing in a barrel for hackers.
 
15
13
github.com
NAS
DS218J + APC Back-UPS BX700U-GR - Win10/RPi user
Lucky me, my DDNS name (surname) was still available.
But it's horribly shocking indeed how many people have their network stuff wide open.
I'm not an IT expert, nor is it my income source, but over the years I have self-taught a lot.
One thing I always keep in mind is to shut the door.
Have to admit I just started a webserver, which is the only thing open from outside my network.
Even then it's auto ported to HTTPS and protected as advised for DDoS/DoS/spammers/firewall rules etc.
Don't know what else I can do to protect.
Everything else I always do with VPN to connect to my home network.
 

Geeked

> Lucky me, my DDNS name (surname) was still available.
> But it's horribly shocking indeed how many people have their network stuff wide open.
> I'm not an IT expert, nor is it my income source, but over the years I have self-taught a lot.
> One thing I always keep in mind is to shut the door.
> Have to admit I just started a webserver, which is the only thing open from outside my network.
> Even then it's auto ported to HTTPS and protected as advised for DDoS/DoS/spammers/firewall rules etc.
> Don't know what else I can do to protect.
> Everything else I always do with VPN to connect to my home network.

That’s best practice really.
 

fredbert

Moderator
NAS Support
Subscriber
1,700
692
NAS
DS1520+, DS218+, DS215j
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
> Don't know what else I can do to protect.

Use DSM's firewall as well as the Internet router's firewall.

You can add rules to the DSM firewall that restrict the source locations of requests, such as:
  • deny from countries A, B, and C, adding multiple of these rules due to the 15-country-per-rule limit; or
  • if you only want your country, two rules in this order:
    • allow from my country
    • deny from all
It can be a bit 'belt and braces' but you can have a policy on both firewalls. You can even make the DSM firewall policy more restrictive, even to block LAN accesses for some services (such as from IoT devices: if you reserve IPs in DHCP and group IoT in a range ... that can be covered in one firewall rule).

And you could block your DSM admin account from access except from LAN/VPN IP. Only use standard accounts for day-to-day activities.

Oh and I don't allow my admin accounts to use VPN either... create the tunnel with standard users (actually I use a separate group of users managed by the LDAP server) and then access as admin down the tunnels.
 
15
13
github.com
NAS
DS218J + APC Back-UPS BX700U-GR - Win10/RPi user
Yep, the DSM firewall is up as well as the one on my router.
The router is DDoS protected, and the NAS and Raspberry also.
Firewall rules are also set as in the picture below.
Tide up false login attempts, Home network only accessible by VPN, everything else gets blocked.
Hope you can read Dutch, whahaha

rule 1, allow everything from my local network
rule 2, allow everything from my WAN IP (VPN)
rule 3, allow everything only from my home country
rule 4, allow 80/433 from the entire world to visit my homepage
rule 5, deny everything else
 

Attachments

  • Naamloos.png
    Naamloos.png
    233.2 KB · Views: 11
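
The five-rule policy from the post above, and the "allow my country, then deny all" ordering suggested earlier in the thread, traced through a small first-match evaluator. This is an added example, not part of the original posts and not Synology's code. It assumes rules are checked top-down with the first match winning; the addresses, the country table and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data: RFC 5737 documentation ranges stand in for real
# address space; the country table replaces a real GeoIP database.
LAN = ipaddress.ip_network("192.168.1.0/24")        # assumed LAN range
OWN_WAN = ipaddress.ip_network("198.51.100.7/32")   # hypothetical own WAN IP
GEO = {ipaddress.ip_network("198.51.100.0/24"): "HOME",
       ipaddress.ip_network("203.0.113.0/24"): "ABROAD"}


def country_of(ip):
    """Return the constructed country label for ip, or None if unknown."""
    return next((cc for net, cc in GEO.items() if ip in net), None)


# (label, source test, ports or None for "all ports", action), in post order.
# The post writes "80/433"; HTTPS on 443 is assumed here.
RULES = [
    ("1 LAN: all", lambda ip: ip in LAN, None, "allow"),
    ("2 own WAN IP: all", lambda ip: ip in OWN_WAN, None, "allow"),
    ("3 home country: all", lambda ip: country_of(ip) == "HOME", None, "allow"),
    ("4 world: 80/443", lambda ip: True, {80, 443}, "allow"),
    ("5 deny rest", lambda ip: True, None, "deny"),
]
# Comparison variant (constructed): same policy without the country-wide allow.
WITHOUT_RULE_3 = [r for r in RULES if not r[0].startswith("3")]


def evaluate(src, port, rules=RULES):
    """Return (action, label) of the first rule that matches src and port."""
    ip = ipaddress.ip_address(src)
    for label, src_ok, ports, action in rules:
        if src_ok(ip) and (ports is None or port in ports):
            return action, label
    return "deny", "no rule matched"


def reachable(src, ports=(80, 443, 5000), rules=RULES):
    """List which of the given ports src may connect to under rules."""
    return [p for p in ports if evaluate(src, p, rules)[0] == "allow"]


if __name__ == "__main__":
    for src in ("192.168.1.20", "198.51.100.50", "203.0.113.9"):
        print(src, reachable(src), reachable(src, rules=WITHOUT_RULE_3))
```

Under these assumptions a home-country address reaches port 5000 through rule 3, so the port restriction in rule 4 only applies to sources outside that country.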

fredbert

Fair enough then!

Only thing then is don't use admin accounts when off the LAN ... to minimise any small chance of exposing these credentials. Same goes for your router ... manage it from the LAN.
 
127
34
NAS
DS918+, DS1815+
Operating system
  1. Linux
  2. macOS
Mobile operating system
  1. Android
I have my own domain name and this is connected to my NAS with SSL. The domain is hosted at Dynu and this works well, and all my subdomains are encrypted.
 
15
13
github.com
NAS
DS218J + APC Back-UPS BX700U-GR - Win10/RPi user
> Fair enough then!
>
> Only thing then is don't use admin accounts when off the LAN ... to minimise any small chance of exposing these credentials. Same goes for your router ... manage it from the LAN.

You're right.
The fact is, my phone, which I occasionally use to log into DSM or my home automation, is always connected to VPN when not using WiFi.
The main reason for it to be always VPN connected is to route my DNS via Pi-hole.
I know it may be a wrong thought, but via VPN I don't worry about leaking my credentials.

@jphermans
Yep, at the moment I use xxxxxxx.synology.me for my website, which is automatically ported to HTTPS (no port 80), and the cert is created via Let's Encrypt.
I do have my own domain name as well, but it's not suited for my current website try-out.
 
127
34
NAS
DS918+, DS1815+
Operating system
  1. Linux
  2. macOS
Mobile operating system
  1. Android
> Yep, at the moment I use xxxxxxx.synology.me for my website, which is automatically ported to HTTPS (no port 80), and the cert is created via Let's Encrypt.
> I do have my own domain name as well, but it's not suited for my current website try-out.

You can have more than 1 domain name. For 10€ a year you have a .com domain name. Just the SSL certificate was more expensive, because Let's Encrypt still gives "not secured" warnings in the browsers I have tested. (In Dutch: for such a small amount you shouldn't pass it up.)
 
15
13
github.com
NAS
DS218J + APC Back-UPS BX700U-GR - Win10/RPi user
> You can have more than 1 domain name. For 10€ a year you have a .com domain name. Just the SSL certificate was more expensive, because Let's Encrypt still gives "not secured" warnings in the browsers I have tested. (In Dutch: for such a small amount you shouldn't pass it up.)

For an external domain it's indeed a no-go with an SSL cert from Let's Encrypt.
For my synology.me there are no problems, and I currently use it as the main domain name for my website.
Costs aren't high and I could get a cert from my domain name provider for a few bucks.
For now .synology.me with a Let's Encrypt cert works flawlessly without errors in the browser and suits my needs.
 
