Please help me understand making my NAS secure.

NAS Newbie

Ok.

Here we go.
We’ll enable the firewall and as a start configure 3 rules
1. Allow your internal lan access
2. Allow your country (U.S. you said) access
3. Block everything else

You have located the firewall in control panel under security, right?

Go, do not check enable firewall yet and edit


Well I'm back for a bit. First 2 rules are created. Ready for #3 whenever you are. Off-topic question: I cannot access my NAS via my synology.me DDNS right now, but I can still access the mounted folders and can access via its direct IP address. How do I find out if the synology.me server is down right now?

DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
@WST16
Do you normally use an admin account in accessing DSM at home and outside?
Hi Subie,

I rarely use my admin account to access my DSs, only when I need to do or check something that requires admin privileges.

Most of the time I use my ID that has access to my home folder. Under my home I have all the stuff that I deal with everyday. For example, 2 apps that I use very often on my iPad (and I’m on the iPad most of the time) are Pages and Numbers and they support the WebDAV protocol. WebDAV is enabled on the NAS. So working with such documents becomes possible wherever I am and they’re all in one place. It’s so convenient and seamless.

By now, I have almost everything I need and everything that’s worth keeping, on the NAS. And it’s backed up according to the 321 rule (I think it was Guy Kawasaki who coined the term by the way).

So in a nutshell, reduce your use of admin.

Rule 3 will follow below…

DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
Rule number 3 is the easiest to create, but it’s the mightiest of them all. It denies access to your NAS. Period.

Please, make sure that the end result (this is for Nas Newbie user) is what’s below. Verbatim. Other users should mind their subnet and geolocation for this to work. If in doubt please ask.

Once you’re sure, enable the firewall by ticking it and clicking apply.

DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
I cannot access my NAS via my synology.me DDNS right now, but I can still access the mounted folders and can access via its direct IP address. How do I find out if the synology.me server is down right now?
Are you doing this while at home?
If so, can you try accessing it remotely? Use your cell phone after turning phone WiFi off (if you’re at home) and try your xyz.synology.me.

DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user

What we’ve created above are 3 simple rules, however, they are quite powerful because now access is only allowed from your country.

Let’s go through them one by one. Once you have an understanding of how this works, you’ll be able to create more rules very easily.

Here goes…
If you are on your LAN (inside your house) and you try to access your NAS
The firewall will start examining the rules. It’ll find that the first rule applies. It will grant you access and QUITS going down the list. Note that the router is not involved here. And by the way, 192.168.10.0 means the whole subnet (yes, it’s that zero at the end). So any device inside the lan can access the NAS.

If you’re anywhere in the U.S. coming through the WAN, the router will forward your request to the NAS, and the firewall starts examining the rules. The first one does not apply, the 2nd rule applies, it grants you access and QUITS going down the list.

Some lowlife Martian sitting in a Starbucks on the dark side of the moon, tries accessing your NAS. The router forwards the request to the NAS, the firewall starts examining the rules. The first rule does not apply, the second one does not apply, the third one says deny all. It blocks him.

Did you notice that when the firewall finds a match it quits going down the list?
This is a very important observation to make, and it means that the order of the rules in the list is important too.

There’s room for refinement even with the above 3 simple rules. For example, at the moment we are accepting all ports; we are not worried though, because your router as of now is not forwarding anything other than 5000 and 5001 (as I understood). However, it’s something to keep in mind when you open more ports on the router.

I hope this helps with gluing everything together.
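The first-match walk through the three rules described above, as an added example that is not part of the thread or of Synology's own code: it assumes a constructed GeoIP lookup, documentation-range sample addresses, and models DSM's separate "if no rules match" setting as deny. It also shows the two follow-ups from the post: unticking rule 2, and narrowing rule 2 to the forwarded ports.

```python
import ipaddress

# Constructed stand-in for the firewall's GeoIP database (documentation ranges).
GEOIP = {"203.0.113.7": "US", "198.51.100.9": "XX"}
# The three rules from this thread, in list order. ports=None means "all ports".
RULES = [
    {"name": "1 LAN",     "src_subnet": "192.168.10.0/24", "ports": None, "action": "allow"},
    {"name": "2 country", "src_country": "US",             "ports": None, "action": "allow"},
    {"name": "3 deny",                                      "ports": None, "action": "deny"},
]

def matches(rule, src_ip, dst_port):
    """Does a packet from src_ip to dst_port satisfy every condition of this rule?"""
    if "src_subnet" in rule:
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule["src_subnet"]):
            return False
    # The country check only ever sees the source address; it cannot tell a
    # resident from someone whose VPN exit happens to sit in that country.
    if "src_country" in rule and GEOIP.get(src_ip, "??") != rule["src_country"]:
        return False
    if rule["ports"] is not None and dst_port not in rule["ports"]:
        return False
    return True

def evaluate(rules, src_ip, dst_port, disabled=()):
    """First match wins: the firewall stops at the first rule that fits.
    Returns (action, rule name). Names in `disabled` are unticked in the list.
    No match falls to DSM's "if no rules match" setting, assumed here to be deny."""
    for rule in rules:
        if rule["name"] in disabled:
            continue
        if matches(rule, src_ip, dst_port):
            return rule["action"], rule["name"]
    return "deny", "default"

def main():
    print(evaluate(RULES, "192.168.10.25", 5001))    # LAN host: rule 1, stop
    print(evaluate(RULES, "203.0.113.7", 5001))      # US address via WAN: rule 2
    print(evaluate(RULES, "198.51.100.9", 5001))     # the Martian: rule 3 blocks
    # Untick rule 2 and only the LAN gets in, even from a US address.
    print(evaluate(RULES, "203.0.113.7", 5001, disabled={"2 country"}))
    # Order matters: deny-all moved to the top blocks the LAN as well.
    print(evaluate(RULES[::-1], "192.168.10.25", 5001))
    # Refinement from the post: limit rule 2 to the forwarded ports 5000/5001.
    tight = [dict(r, ports={5000, 5001}) if r["name"] == "2 country" else r for r in RULES]
    print(evaluate(tight, "203.0.113.7", 22), evaluate(tight, "203.0.113.7", 5001))

if __name__ == "__main__":
    main()
```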

NAS Newbie

Are you doing this while at home?
If so, can you try accessing it remotely? Use your cell phone after turning phone WiFi off (if you’re at home) and try your xyz.synology.me.

Can't access it remotely either. I scanned the 5001 port with the website you showed me earlier, and it timed out. I assume that isn't due to any changes we've made, and that my internet provider pushed out some update or something that closed the ports?

NAS Newbie

Some lowlife Martian sitting in a Starbucks on the dark side of the moon, tries accessing your NAS. The router forwards the request to the NAS, the firewall starts examining the rules. The first rule does not apply, the second one does not apply, the third one says deny all. It blocks him.

I hope this helps with gluing everything together.

It is starting to come together, but I do have a couple questions.

What if the lowlife Martian is sitting in a Starbucks in Chicago? What is the point of the first rule if the 2nd will allow anyone in the US access anyways? I assume the 2nd rule is in place so that I can disable it in the event I want to lock down use to only the vetted IP addresses that would be ok'd by Rule 1? How hard is it to mask your IP address so that the Martian could be on the moon but makes my firewall think he's in Chicago? I've seen enough spy shows that it looks pretty easy... :D

Rusty

How hard is it to mask your IP address so that the Martian could be on the moon but makes my firewall think he's in Chicago?
I could be using a VPN service allowing me to present myself from Chicago to bypass that rule, so yes, pretty easy.

DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
Oh my. What a nasty Martian this turned out to be!
Yes, as @Rusty said, one can use a VPN service to be in the U.S. while he’s not.

And yes, by unchecking rule 2 and applying the settings, you’ll only allow your LAN.
It is coming together (y)
Did you try that?

For the above scenario with the nasty Martian, we will use something else.
More reading for you :D
Account protection. Make sure you understand it before applying it.
You’ve already implemented 2FA if I understood correctly. Which is another tool in our tools bag for security.

NAS Newbie

I have not tried disabling rule 2 yet; I wanted to make sure I knew what I was doing first.

I have 2FA enabled through google authenticator, but I'm not sure that's best. Right now my phone is the only device that can be used as the key; what's the best way to have backup authentication? Is there a better authenticator than google's?

Yes, I have Account Protection enabled as well. That one scares me a bit just because I'm terrible at remembering passwords. I see discussions on here about using docker as a password vault somehow, so I'll have to look into that once we finish up here.

NAS Newbie

Also, what if I want to access the NAS remotely but block all other users? Does disabling #2 while leaving #1 enabled allow for this?

Telos

Yes, as @Rusty said, one can use a VPN service to be in the U.S. while he’s not.
Not NAS related... but a general caution... many sites (particularly bank, commerce, and some social networks) will block your login if your VPN IP is unusual. So if you live in Kankakee IL, and use a Chicago VPN, your bank might lock you out if you attempt to log in.

Facebook is notorious for this. And I've been locked out for weeks since I'm unable to pass their security roadblocks. Amazon hit me once as well, and my bank completely blocked access until I called in and passed quite a few personal questions. In each of these cases, my IP was "in country".

fredbert

Also, what if I want to access the NAS remotely but block all other users? Does disabling #2 while leaving #1 enabled allow for this?

We log that in the Change Register and process it once the contracted service has been delivered.

Provided you have enough change credits. See the Price Catalogue for purchasing more credits (aka 🍪🍪🍪). :cool:

NAS Newbie

We log that in the Change Register and process it once the contracted service has been delivered.

Provided you have enough change credits. See the Price Catalogue for purchasing more credits (aka 🍪🍪🍪). :cool:

:ROFLMAO: easy now, I didn't (and probably still don't) know where all of this was going when I started. I think my first post of this 50+ post contract pretty well established that... ;)

DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
Also, what if I want to access the NAS remotely but block all other users? Does disabling #2 while leaving #1 enabled allow for this?
I’m afraid not. We’ll need a DiskStation with a crystal ball for the off chance that this might work :)
Your firewall examines the packets coming through the router. It’s looking at the IP addresses and deciding what to do.

If you’re not using a password manager, at least keep the password in the safe (or the cookies jar, whichever is more secure), just in case.

Unless you really pissed off the wrong kind of people (in which case you’ll be on the witness protection program instead of this forum) you should be ok with the standard security precautions you’re implementing now.
If you end up consumed by paranoia you’ll be unplugging your NAS soon.

Hmm, look who’s talking :unsure:

DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
Facebook is notorious for this. And I've been locked out for weeks since I'm unable to pass their security roadblocks. Amazon hit me once as well, and my bank completely blocked access until I called in and passed quite a few personal questions. In each of these cases, my IP was "in country".
What a miserable internet life you have @Telos :)
On the other hand, being blocked by FB could be a blessing in disguise.

Telos

What a miserable internet life you have @Telos :)
On the other hand, being blocked by FB could be a blessing in disguise.
Yea... I get that... The FB account is anon for those times where I have to reach a local contractor, etc. To make the acct appear active, I added 100+ random global peeps (five languages) that agreed to friend someone they don't know. So when I change IPs, FB gives me a choice of uploading my DL or having me name these "friends" from their photos or adding my phone (seriously?).

DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
I don’t have a FB account. Never created one.
But in case I go insane and create an account, you’ll be the first one I befriend @Telos. I promise 😇

DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
Can't access it remotely either. I scanned the 5001 port with the website you showed me earlier, and it timed out. I assume that isn't due to any changes we've made, and that my internet provider pushed out some update or something that closed the ports?
It shouldn’t have anything to do with the changes we made. However, you said you can access from home, you can switch off the firewall and try again.

If your router goes through a reset every time the ISP updates it, then this is going to be very painful in the long run :(

I’m really interested in knowing what happened.

Are you sure you can’t have admin access to your router? What kind of an ISP is this?! Reminded me of the Soup Nazi.

DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
Try this one too…
While at home on your WiFi, go to this, copy the IP address (this is the address that you should keep off forums, don’t post this).

Switch your phone to cell only (turn off WiFi), unless you’re already outside using cellular data or the Martian’s Starbucks in Chicago :)

On the browser, paste the address you copied like below:
https://the address you copied:5001
Hit enter
What do you get?