Lock down

NAS: DS213J
Hi,

While I'm toying with a number of ideas, currently the only thing happening on my NAS is my internal home WIFI network filesharing of just the NAS USB Port (no other files shared or stored, NAS drive just has OS). The only reason it's connected to the internet is for updates. I connect to the DSM console via http/https only from internal home WIFI.

Please what firewall recommendations should I do to lock it down so the ONLY internet access it allows, is for auto updating?

Please does anyone have other recommendations or a good URL giving instructions for other things eg. blocking SSH; 2FA; SSL certificates [do I still need one for scenario above?]; Disabling unused services; or similar?

This is my first NAS and I only wanted it for file sharing a USB. I now realise the NAS can do so many things, I may use it for other things in the future, or get another NAS to do those things.

Thanks
 
Thanks for the reply @Rusty, just to confirm and that I understand:

  • I have never installed QuickConnect
  • I have not enabled any special port config for NAS on the home router
You're describing that the default DSM is locked down sufficiently as it is?

My browser complains about the current SSL cert and the connection is not secure. I understand this is of limited, perhaps no, consequence on a home network?

The geek in me sees the option to install a free LetsEncrypt cert and thinks somehow this might be good thing to do - it's probably a little learning exercise & potentially increases some security. Also it might give me little more knowledge/experience if I have a more serious need in the future.
Does the process of obtaining and installing a certificate either LetsEncrypt or a low cost purchased cert, result in the need for publishing details about this setup on the internet i.e. is it better/more secure to not have a certificate for now?

Thanks
 
I understand this is of limited, perhaps no, consequence on a home network?
Correct. Accessing your NAS locally over HTTPS, for example, without a valid SSL cert will report a problem, of course, but that has nothing to do with outside access.

The geek in me sees the option to install a free LetsEncrypt cert and thinks somehow this might be good thing to do - it's probably a little learning exercise & potentially increases some security. Also it might give me little more knowledge/experience if I have a more serious need in the future.
Fair point, but again, running an LE cert on a local network will not give you anything special, especially if you will be accessing your NAS using its IP address.

Does the process of obtaining and installing a certificate either LetsEncrypt or a low cost purchased cert, result in the need for publishing details about this setup on the internet i.e. is it better/more secure to not have a certificate for now?
If you want your NAS to grab a LE cert, you WILL HAVE to open ports on your router (80/443) and allow direct access to your NAS over the Internet. In that case, you will have to harden your NAS top to bottom to close it down.

So again, if you really want to keep your NAS access local, there is no point in going "out".
 
That all makes good sense, thank you for explaining clearly @Rusty

This next question is related but is more a general security question than about Synology. I'd like to clarify the differences and implications of SSL setup if I'm the only one using the server (i.e. just a single person logging into the server via HTTP or HTTPS services over the internet). Three scenarios:

1. Server has a valid browser recognised SSL certificate (e.g. LE, or one like a bank website uses etc)
2. Server has a non browser recognised certificate (i.e. uses self issued certificate, HTTPS but browser complains like described above)
3. Server only using HTTP (no SSL)

My limited understanding of certs is that 2 is perhaps as good as 1 - since I'm the only one using it, and if I trust the cert, SSL is running, it's good right? I appreciate that bank quality SSL certs might offer a bit extra, but fundamentally the core SSL is good right?

Then with scenario 3 the server is running a service which isn't SSL, no certs involved, just HTTP. This is super risky for an internet server, isn't it?

The reason I ask is both out of general curiosity, and I previously had an experience with a very good web host who'd been asked to provision a secure Linux server & they said hey, all done, login with admin credentials here:
Code:
http://example.com

To me that seemed crazy. I raised my concerns with the manager, who denied any accusation of poor security, and offered to install a certificate. I didn't continue using their service. Am I misunderstanding something about how certs work and the implications of having/not having an SSL?

Thanks
 
Am I misunderstanding something about how certs work and implications of having/not having an SSL?
No, you are spot on.

That's what I spoke about before. If you will be closed in your LAN there is no reason to push for HTTPS, really. If at any point in time for whatever app/service you need to open up to the internet, you have to use HTTPS with a valid SSL cert (not the self-signed).
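The difference between scenario 1 and scenario 2 above comes down to who holds the trust anchor. The following shell snippet is an added illustration, not code from the thread or from Synology: it generates a self-signed certificate for a hypothetical hostname nas.local with openssl, then verifies it twice, once against the system CA store (what a browser or any stranger on the internet sees) and once with the certificate itself pinned as the trusted root (what the owner can do on their own LAN). The hostname, file names and one-day validity are assumptions chosen for the demo.

```shell
#!/bin/sh
# Added example (not from the forum thread): self-signed cert trust from two viewpoints.
# Assumes the openssl CLI is installed. Hostname nas.local is hypothetical.
set -eu

WORK="$(mktemp -d)"
CERT="$WORK/nas-cert.pem"
KEY="$WORK/nas-key.pem"

# Scenario 2: create a self-signed certificate, like the default DSM one.
# One-day validity keeps the demo artefact short-lived.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=nas.local" -keyout "$KEY" -out "$CERT" >/dev/null 2>&1
}

# How a browser or an outside client judges it: only the OS/browser CA bundle
# is consulted, and a self-signed cert is not in there, so it is untrusted.
verify_system_trust() {
  if openssl verify "$CERT" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# How the owner can judge it on the LAN: pin the certificate itself as the
# trust anchor (the equivalent of importing it into your own browser/OS store).
verify_pinned_trust() {
  if openssl verify -CAfile "$CERT" "$CERT" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# Stand-alone usage: prints "untrusted" then "trusted".
make_self_signed
echo "system trust store: $(verify_system_trust)"
echo "pinned own cert:    $(verify_pinned_trust)"
```

The encryption on the wire is the same in both runs; what changes is whether a client can verify it is talking to the right server. That is why a pinned self-signed cert is fine for a single owner on a LAN, while anything reachable from the internet, where clients cannot pre-share the certificate, needs one issued by a CA the browser already trusts.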
 
No, you are spot on.

That's what I spoke about before. If you will be closed in your LAN there is no reason to push for HTTPS, really. If at any point in time for whatever app/service you need to open up to the internet, you have to use HTTPS with a valid SSL cert (not the self-signed).
OK thank you @Rusty

It just leaves me really confused about that web host. They have an excellent reputation. I thought they were trustworthy. Their provision of a secure server with no SSL makes no sense. Unless I learn something new, providing a non-SSL solution seems to completely invalidate their credibility for security.
I still can't fathom it. They are experienced Linux web hosting specialists...?! If anyone else reads this and has a different angle I'm interested to hear.

Thanks
 