New NAS and some advice...

Hello all :)

I have recently set up my new DS920+, very chuffed and happy with it. Just looking for a bit of security advice please?

1) I have run a "port check" on my IP and can't see my NAS exposed.
2) I have also changed the HTTP and HTTPS port away from the 5000 range.
3) Do I need to leave the default admin account enabled if I have mine? Or create a second backup admin account?
4) What's the best way to get the NAS exposed for me to use remotely?
5) What's the best way to get some sort of SSL going, as right now there is none :D
6) Should I enable the Synology firewall option, if so, what must I NOT do to make sure I don't block myself out my own NAS? :)
 
1. Good news
2. Security is a bunch of layers. This is a small one, but it will keep the script kiddies away.
3. The “official” line is to create a new admin account, and disable the default. Personally, I kept the default account active (with an extremely complex password) and created a new admin account for my NAS administration needs. More importantly, create a “user” account for yourself for your everyday use (photos/music/streaming/file sharing/etc). Use an administrator account sparingly… and only for NAS administration.
4. The most secure way is to run Synology's VPN server, and connect externally to that. Alternately, you can use a personal domain, or DDNS. These approaches require that you open a port to access your NAS. To reduce my open port needs, I am moving from the VPN server to Tailscale, which allows me to access my NAS remotely with VPN security (WireGuard, specifically).
5. For SSL, create a Let's Encrypt certificate for your domain, or DDNS. It's free and easily handled through Control Panel/Security/Certificate.
6. I would do this last. Be sure to whitelist your entire LAN IP range. If you are using a VPN Server, you'll need to whitelist the VPN port, and country of origin. Then Deny all else. Firewall rules are read “top-to-bottom” … so the Deny rule should be last. But if you do block yourself, you can recover by a “mode 1” reset, which is a minor inconvenience.
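To make the "top-to-bottom" point in reply 6 concrete, here is a small first-match rule evaluator. This is an added example, not DSM's firewall engine or any Synology code: the Rule fields, the LAN range 192.168.1.0/24, the VPN port 1194 and the default action when nothing matches are all assumptions made for illustration. It shows the recommended order (LAN allow, VPN port allow, Deny all else last) against the same rules with the Deny placed first, and a check that flags rules a catch-all has made unreachable.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One firewall rule. Field names are this example's own, not DSM's."""
    action: str                   # "allow" or "deny"
    label: str                    # human-readable name, returned in results
    source: Optional[str] = None  # source CIDR; None means any source
    port: Optional[int] = None    # destination TCP port; None means any port


def evaluate(rules: List[Rule], src_ip: str, dst_port: int,
             default_action: str = "deny") -> Tuple[str, str]:
    """Scan the list top to bottom and return (action, label) of the first
    rule that matches. If no rule matches, default_action applies (assumed
    'no rule matched' policy setting, constructed for this example)."""
    ip = ip_address(src_ip)
    for rule in rules:
        if rule.source is not None and ip not in ip_network(rule.source):
            continue
        if rule.port is not None and rule.port != dst_port:
            continue
        return rule.action, rule.label
    return default_action, "no rule matched"


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Labels of rules that can never fire because a catch-all rule (any
    source, any port) sits above them. A catch-all Deny that is not the
    last rule is the classic way to lock yourself out."""
    for i, rule in enumerate(rules):
        if rule.source is None and rule.port is None:
            return [r.label for r in rules[i + 1:]]
    return []


# Constructed sample policy in the recommended order: LAN first, then the
# VPN port, then Deny everything else as the final rule. (The reply also
# filters the VPN rule by country of origin; geolocation is not modelled.)
LAN = "192.168.1.0/24"            # assumed home LAN range
VPN_PORT = 1194                   # assumed VPN server port

RECOMMENDED = [
    Rule("allow", "LAN", source=LAN),
    Rule("allow", "VPN port", port=VPN_PORT),
    Rule("deny", "Deny all else"),
]

# The same rules with the Deny placed first: every later rule is shadowed,
# so even a LAN host reaching the DSM port is denied.
LOCKED_OUT = [
    Rule("deny", "Deny all else"),
    Rule("allow", "LAN", source=LAN),
    Rule("allow", "VPN port", port=VPN_PORT),
]


if __name__ == "__main__":
    for name, policy in (("recommended", RECOMMENDED), ("deny-first", LOCKED_OUT)):
        print(name, "shadowed rules:", shadowed_rules(policy))
        print("  LAN host -> DSM 5001:", evaluate(policy, "192.168.1.20", 5001))
        print("  Internet -> VPN 1194:", evaluate(policy, "203.0.113.7", VPN_PORT))
        print("  Internet -> DSM 5001:", evaluate(policy, "203.0.113.7", 5001))
```

Running `shadowed_rules` over a policy before applying it is the cheap check that would have caught the lockout case: any label it returns belongs to a rule that can never match.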
 
3. The “official” line is to create a new admin account, and disable the default. Personally, I kept the default account active (with an extremely complex password) and created a new admin account for my NAS administration needs. More importantly, create a “user” account for yourself for your everyday use (photos/music/streaming/file sharing/etc). Use an administrator account sparingly… and only for NAS administration.
I disable both default accounts 'admin' and 'guest'. I have two new administrator accounts:
  1. Everyday newadmin1 has less guessable name, strong password and 2FA enabled.
  2. Emergency newadmin2 has an unguessable name, very strong password but no 2FA.
You can also apply access by IP to be sure to limit to LAN and via VPN access. As a matter of course I don't log in as an administrator from the Internet: if I have to then I use my normal user to establish a VPN session and then access the NAS with the administrator account through the tunnel. Don't use administrator access from a device you don't trust, as the endpoints are the most likely to be compromised.

If I decide I need to provide Synology Support access then I have a separate account for that and it is disabled when not needed.


4. .... If you are going to allow direct access to the NAS and enable SFTP for file sharing then you should change the TCP port so that it does not share the same port as SSH. I would not allow direct Internet access to SSH.
 
Thank you @fredbert @Telos

Lots of reading up I need to do. For now I don't have a need to access any files remotely but I would like to get it to a stage where I can access it if I need to, for whatever reason. For now I am just using my newly created admin account and have left the other accounts to defaults.

Any recommended guides on how to get started setting up SSL and VPN and that please?
 
Hey all,

So, really enjoying my NAS and my new unifi gear, very happy I went with the DS920+ right off the bat.
I am looking into my setup and making sure it's as streamlined as possible.

How I want to use my NAS is store my pictures, documents and important "stuff" in a shared folder (that only I have access to) that is then backed up to my Dropbox 2TB account (which is currently set up) and am using "Cloud sync" and then the other folders are just shared folders I store my stuff in. Is that right?

I also came across hyper backup, what is the difference?

I am just installing Synology Drive and will use that to access the various files and folders and see how that goes, is there any "best method" on how I should be using this? I do have the cloud sync option disabled so that if I delete anything locally, it doesn't remove from the cloud.

Just wondering what is the best way to go about this as well as what others are using etc :D

Thank you!
 
using "Cloud sync" and then the other folders are just shared folders I store my stuff in. Is that right?
For DB sync that’s the way to go

came across hyper backup, what is the difference?
HB is Synology's NAS backup tool that, unlike Cloud Sync, is not a synchronization tool. It's a scheduled backup tool.

So if you want a sync method towards a cloud you use Cloud Sync, if you want scheduled backup you use HB. Also, HB is the only tool that offers backup to their own C2 cloud platform.

Synology Drive and will use that to access the various files and folder and see how that goes, is there any "best method" on how I should be using this?
This is one more backup tool that also offers Dropbox-like behavior between your Drive client and server (NAS). So one thing it does is sync data between the two and another is that it can backup file/folder structure from the Drive client to the NAS (scheduled backup).

More details on various backup options in Syno world can be reviewed here: Info - About backups (desktop, mobile, NAS, sync, cloud)
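The sync-versus-scheduled-backup distinction in the reply above is easiest to see by modelling both behaviours side by side. This is an added example, not Cloud Sync, Hyper Backup or any Synology code: the two classes, the "propagate deletes" switch and the sample files are constructed for illustration. A mirror reflects whatever the local folder currently contains, including an overwritten file and (unless deletion propagation is off) a deleted one; a scheduled backup keeps earlier snapshots, so the pre-damage copy can still be restored.

```python
import copy
from typing import Dict, List, Optional

# filename -> content; an in-memory stand-in for a shared folder
Files = Dict[str, bytes]


class SyncMirror:
    """One-way sync to a cloud target: after each sync the remote copy
    reflects the current local state. Local deletions propagate unless
    propagate_deletes is False (the option the question mentions turning off)."""

    def __init__(self, propagate_deletes: bool = True) -> None:
        self.propagate_deletes = propagate_deletes
        self.remote: Files = {}

    def sync(self, local: Files) -> Files:
        self.remote.update(local)          # new and changed files overwrite
        if self.propagate_deletes:
            for name in list(self.remote):
                if name not in local:
                    del self.remote[name]
        return dict(self.remote)


class ScheduledBackup:
    """Scheduled backup: every run stores a full snapshot, and older
    snapshots stay restorable regardless of what happened locally since."""

    def __init__(self) -> None:
        self.versions: List[Files] = []

    def run(self, local: Files) -> int:
        self.versions.append(copy.deepcopy(local))
        return len(self.versions)

    def restore(self, name: str, version: int = -1) -> Optional[bytes]:
        """Return the file as of the given snapshot (default: the latest)."""
        return self.versions[version].get(name)


def scenario() -> dict:
    """Constructed walk-through: a good state is synced and backed up, then
    a document is overwritten and a photo deleted locally, and both tools
    run again. Returns what each target holds afterwards."""
    local: Files = {"photo.jpg": b"original photo", "doc.txt": b"doc v1"}
    mirror = SyncMirror(propagate_deletes=True)
    mirror_keep = SyncMirror(propagate_deletes=False)
    backup = ScheduledBackup()

    mirror.sync(local)
    mirror_keep.sync(local)
    backup.run(local)

    # Damage on the NAS side: one file overwritten, one removed.
    local["doc.txt"] = b"garbage overwriting doc"
    del local["photo.jpg"]

    after = mirror.sync(local)
    after_keep = mirror_keep.sync(local)
    backup.run(local)

    return {
        "sync_photo": after.get("photo.jpg"),            # None: deletion mirrored
        "sync_doc": after.get("doc.txt"),                # overwritten content mirrored
        "sync_keep_photo": after_keep.get("photo.jpg"),  # survives: deletes not propagated
        "sync_keep_doc": after_keep.get("doc.txt"),      # still overwritten
        "backup_latest_photo": backup.restore("photo.jpg"),    # latest snapshot: gone
        "backup_first_photo": backup.restore("photo.jpg", 0),  # older snapshot: recoverable
        "backup_first_doc": backup.restore("doc.txt", 0),      # pre-damage content
        "backup_versions": len(backup.versions),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value!r}")
```

Note what turning off deletion propagation does and does not buy: the deleted photo survives on the mirror, but the overwritten document is still overwritten there, because a sync has no notion of an earlier version. Only the scheduled backup holds a copy from before the damage.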
 
Thanks Rusty! As always..

Find myself getting quite into this whole network stuff, next thing to look at is how to set up VLANs for dummies..
 
