Please help me understand making my NAS secure.

As my name implies, I'm a NAS newbie. Working on getting my 918+ set up to store both home business and personal files. I want to be able to store copies of information such as tax forms and such on it, but I want to make sure that it is as secure as possible, and I want to understand what my vulnerabilities are.

I realize that to make it as secure as possible I could restrict it to my local network only, but then it appears that I am greatly restricting its overall capability as a personal file sharing platform.

I worked with a Synology chat tech last week on enabling features such as 2-factor authentication and setting up DDNS to run through the 5001 port, but I don't know how secure that truly makes me. I don't have encryption enabled on any of my drive folders. Does encryption protect against threats like ransomware, or can they still over-encrypt my encryption?

If I were to post a shared link from my Moments gallery to a public website instead of using a service like flickr, does that provide any avenue for a hacker to penetrate my system?

How secure does 2-factor authentication really make my system? I fear I might have made a mistake by checking the "remember this device" box at login, as that would essentially cancel out the advantages of 2-factor authentication if someone happened to be able to access the remembered device, correct?

These are just some of the concerns I can think of right now, and I'm sure there's more that I'm not thinking of because I don't know what I don't know. Any advice is appreciated. Thanks.
 
Hi,

Welcome to the forum :)

You started by mentioning briefly what you want, but if it’s possible, elaborate more on your needs (a summary); it might be helpful.

Just think:
Who’s accessing the NAS? Yourself, family, friends, clients, business associates, etc…
What are they accessing? (What are you sharing?)
From where? Inside your home, outside, same city/country or the rest of the world?
What will they be using (desktops/mobile)?
And anything else I’ve missed. It’s too early in the day, brain cogs are still squeaky :D

Once we understand more, we might be able to suggest ideas and solutions.

I’d also suggest that you check the resource “securing your deskstation” at the right side under “latest resources” on the home page. It’ll give you an idea –and gather your thoughts– about security.
 
Yes, I should have done that, sorry. Please see this thread for an explanation of how I currently have the NAS set up: Best backup method for home personal/home business files?

Initially, it will just be my family accessing the NAS, although I hope to be able to expand that to business associates or public discussion forums in the future. I just want to understand how to make the business associate and public access links as secure as possible and how to make sure they only see what I want them to see. For myself and family personal access, there could be business plans and tax information, but I want to make sure that is 100% secure before I place any of the data on a platform like this. Business associate data will primarily be 3D models of machinery that I design.

As for access location, 80% of the access will probably be myself from home, 10% will be family/friends within the US, and maybe 10% of access will be to business associates/public within the US. I don't see any need at this point to make it accessible globally. Desktops/Laptops, tablets, and phones will hopefully all be used to access.

As for what type of access I want available, I want to be able to use the mobile Synology apps to access the drive from my phone, and I want to be able to use it as a Dropbox-style server where I can access files from anywhere. I like the ability of Moments to share unique links to albums that don't allow for editing, but I am concerned about how secure they are. I'd like to be able to use those links similar to how I'd use Flickr links to share pics on forums that don't allow for photo hosting.

In the future, I might like to use it as a dropbox-style server where I can send a link to others to a file that is too large to email. I also hope to eventually connect some cameras to it and make use of Surveillance Station. Thanks for any advice you might have.
 
All this can be done with almost all Syno models so there is no worries on that front.
 
You’ll need to work on subsets of the whole task. Currently you’re all over the place running in different directions.

I’m assuming that you have already set a fixed or a static IP address on the NAS.

I’d say as first steps:
  • Create a new admin user and disable the default one.
  • Make sure passwords are long enough and random (especially for admin account).
  • Change the default ports. In your case if you are not using 5000, just change 5001 to something above 1024. Note that you’ll need to specify this port when entering the address to access DSM.
  • If you’re familiar with router port forwarding, do that. Otherwise, use QuickConnect at this time until you work on port forwarding. This is for external access.
  • Enable the firewall (but read about it first so you won’t lock yourself out). If not sure, ask when you get to this step.
Depending on what you accomplish, we’ll decide what to do next.
This is what I have in mind. Other members may add or correct the above.

Let’s work on that. Search, read, ask :)
 
I have a synology.me DDNS set up to run through port 5001. I have also already disabled the default admin account. I don't know what you mean by port forwarding. When you talk about the firewall, is there a specific DS918 firewall to enable, or is that part of a security app I need to download for it? Thanks again.
 
Just to clarify. With Synology, there are two ways to access your NAS from outside your LAN.
  1. Using Synology QuickConnect relay.
  2. Using DDNS.
Synology QuickConnect is the easy way and it’s more secure. However, with limitations.

Which one of these do you think is enabled on your DS?

I am using DDNS; a Synology chat tech helped me set it up. I can currently access it from my phone using mobile data with wifi turned off, and it did ask for the 2FA that I had turned on.
 
Great. So how did you forward port 5001 on your router to your DiskStation?
Did you go to your router’s interface, log in as administrator and configure it?

Or do you have UPNP on the DiskStation doing that?

Because we would like to change that default port to something else. Every DSM has this (port 5000 and 5001) as its default.

On the router that connects your LAN to the big bad internet through your ISP modem, the ports are closed by default to block access from outside into the LAN (home network). To gain access, we have to open the ports that we want. According to you, this has been accomplished at least once. How? Because we want to do it again :)
 
The router is owned by my internet provider, and they have the admin locked down. I had to call in and have them configure it for me. It wasn't a big deal, and I can probably get it changed if I need to. I debated getting a different router too, but I've already spent enough $$ this month between the NAS and the UPS I bought.
 
I know the feeling :)

No problem. So they forwarded port 5001 to your NAS IP address.

If you don’t mind, can you go here, to the bottom of the page where it says custom port, and test 5000 and 5001? Do this while you’re on your home network, of course.
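Added example, not from anyone in this thread: the port test being asked for above can be reproduced with a small script rather than a web checker. It attempts a TCP handshake to each port and flags anything reachable on DSM's default ports 5000/5001 (the ports the earlier reply says should be moved). The loopback listener and the "unused port" helper are there only so it runs offline; the host, port list and advice text are my own choices.

```python
import socket

# Ports DSM listens on out of the box (DSM HTTP and HTTPS). The thread's advice is
# to move DSM off these before the router forwards them to the internet.
DSM_DEFAULT_PORTS = {5000: "DSM HTTP", 5001: "DSM HTTPS"}


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake to host:port completes within the timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


def audit_ports(host: str, ports, timeout: float = 2.0) -> dict:
    """Probe each port and report whether it answers and whether it is a DSM default.

    Returns {port: {"open": bool, "dsm_default": bool, "advice": str}}.
    """
    report = {}
    for port in ports:
        is_open = tcp_port_open(host, port, timeout)
        is_default = port in DSM_DEFAULT_PORTS
        if is_open and is_default:
            advice = (f"reachable on the default {DSM_DEFAULT_PORTS[port]} port; move DSM to a "
                      "non-default port above 1024 and update the router forward to match")
        elif is_open:
            advice = "reachable; make sure this is a port you intend to expose"
        else:
            advice = "not reachable from this vantage point"
        report[port] = {"open": is_open, "dsm_default": is_default, "advice": advice}
    return report


def open_demo_listener(host: str = "127.0.0.1"):
    """Open a listening socket on an ephemeral loopback port so the probe has
    something to hit when run offline. Returns (socket, port); close it when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def pick_unused_port(host: str = "127.0.0.1") -> int:
    """Reserve and immediately release an ephemeral port, giving the demo a port
    that is (almost certainly) closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind((host, 0))
        return tmp.getsockname()[1]


if __name__ == "__main__":
    # Offline demonstration: one open loopback port and one nothing listens on.
    # Against a real DiskStation you would pass its LAN IP (from inside) or its
    # DDNS name (from outside) and the ports you forwarded.
    srv, open_port = open_demo_listener()
    closed_port = pick_unused_port()
    try:
        for port, result in audit_ports("127.0.0.1", [open_port, closed_port]).items():
            print(port, result)
    finally:
        srv.close()
```

A probe from inside the LAN against the NAS's own address only proves DSM is listening; it says nothing about what the router forwards. To answer the question this thread is really asking (is DSM reachable from the internet?), run the same check from outside the home network, for instance from a phone on mobile data, against the DDNS name.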
 
It says both are open.

Quick question - what's the best way to disable internet connection to the NAS until we finish implementing all the security features? Or, do I need to leave that access available as we step through your analysis phase?
 
The quickest way is to disable those ports. But in your case you’ll have to call the concierge :)

2nd fastest way is to enable the firewall and block them. But it’s ok, you have 2FA enabled anyway.

So let’s leave them as is for now. Can you confirm what your internal subnet is?
It most likely looks something like this: 192.168.x.x
 
Yes, I can see it but am leery of posting it on a public forum as I don't know what risks that entails.
 
It’s ok. This is an internal IP address. The big bad internet doesn’t care about or route this. It’s in every home.
For example my two DSs are 192.168.1.170 and 192.168.1.171
My iPad has an IP address of 192.168.1.112 right now.
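Added example, not posted by anyone in this thread: it ties together two points made above, that 192.168.x.x addresses are private (RFC 1918) and not routed on the internet, and the earlier advice to enable the DSM firewall but read about it first so you don't lock yourself out. The firewall here is a simplified model (top-down, first matching rule wins, with a configurable default), not DSM's own code; the LAN subnet 192.168.10.0/24 comes from the thread, while the host addresses and the 203.0.113.7 "internet" address (a documentation range) are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# RFC 1918 ranges: the public internet does not route these, which is why a home
# LAN address like 192.168.10.250 tells an outsider nothing they can connect to.
RFC1918_NETWORKS = [ipaddress.ip_network(n)
                    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_lan_address(ip: str) -> bool:
    """True if ip falls inside one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918_NETWORKS)


@dataclass(frozen=True)
class Rule:
    """One firewall rule: `action` applies when the source is in `source` and the
    destination port is in `ports` (None means every port)."""
    action: str                           # "allow" or "deny"
    source: str                           # CIDR; "0.0.0.0/0" means any source
    ports: Optional[FrozenSet[int]] = None

    def matches(self, src_ip: str, dst_port: int) -> bool:
        in_source = ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source, strict=False)
        return in_source and (self.ports is None or dst_port in self.ports)


def evaluate(rules: List[Rule], src_ip: str, dst_port: int, default: str = "deny") -> str:
    """Assumed model of a top-down rule list: first match wins, `default` applies
    when nothing matches."""
    for rule in rules:
        if rule.matches(src_ip, dst_port):
            return rule.action
    return default


LAN = "192.168.10.0/24"                 # the subnet given in the thread
DSM_PORTS = frozenset({5000, 5001})     # DSM's default HTTP/HTTPS ports

# Intended policy: let the LAN in first, then block DSM ports from everywhere else.
SAFE_RULES = [Rule("allow", LAN), Rule("deny", "0.0.0.0/0", DSM_PORTS)]
# The lock-out mistake: the deny rule without the LAN allow above it.
LOCKOUT_RULES = [Rule("deny", "0.0.0.0/0", DSM_PORTS)]


def lan_can_still_reach_dsm(rules: List[Rule], lan_host: str = "192.168.10.42") -> bool:
    """Check to run before applying a policy: does a LAN host keep DSM access?"""
    return all(evaluate(rules, lan_host, p) == "allow" for p in DSM_PORTS)


if __name__ == "__main__":
    for label, rules in (("safe", SAFE_RULES), ("lockout", LOCKOUT_RULES)):
        print(label,
              "| LAN -> 5001:", evaluate(rules, "192.168.10.42", 5001),
              "| internet -> 5001:", evaluate(rules, "203.0.113.7", 5001),
              "| LAN keeps access:", lan_can_still_reach_dsm(rules))
```

The order matters: with the LAN allow rule on top, a host on 192.168.10.0/24 keeps reaching DSM while the outside address is refused on 5000/5001; with only the deny rule, the LAN host is refused too, which is exactly the "locked yourself out" case the earlier reply warns about. Running the check against the intended rule list before saving it is the cheap way to avoid that.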

Alrighty then. 192.168.10.250. I still feel like my tin-foil-hat-wearing dad would have a heart attack if he saw this... :p
 
