Please help me understand making my NAS secure.

Poster (NAS: DS 211j; Router: RT2600ac):
Synology QuickConnect is the easy way and it’s more secure. However, with limitations.

Would love some technical explanation for this statement. What is it that would make QuickConnect more secure than using DDNS service with reverse proxy running behind FQDN with only one possible attack vector (as opposed to UPNP enabled service like QC with all relevant information about IP and the device stored on some cloud service)?
 
Poster (NAS: DS 211j; Router: RT2600ac):
Oh that's just great... instead of using port forwarding it uses "relay sites" that have all relevant data stored (both WAN IP and LOCAL IP as well as port number to communicate). Sure, there's tunneling and port punching and ...

DDNS and reverse proxy leave just one point of entry (one port and one FQDN) and the attacker gets much less data to work with from the start.

Suppose someone steals the data you're providing Synology with by using QC, they get your public IP, local IP and some unique ID. From there they can test if one of your services is running on default port and that is enough to penetrate the network or at least try to do some nasty stuff.

Btw, just enabled QC on my 211j, and tried connecting via ID, it says:

  • Permissions to access certain services via QuickConnect are not enabled. Please go to Control Panel > QuickConnect > Advanced > Permission and tick one or more services.

Guess what? There is no Advanced option in Quickconnect on DSM 4.3 my 211j is running. ;)

So, even when the QC service states it is connected, it sure as hell isn't connectable. :D
 
Poster (NAS: DS220+, DS918+, RS1219+; OS: Windows; Mobile: Android):
Try this one too…
While at home on your WiFi, go to this, copy the IP address (this is the address that you should keep off forums, don’t post this).

Switch your phone to cell only (turn off WiFi), unless you’re already outside using cellular data or the Martian’s Starbucks in Chicago :)

On the browser, paste the address you copied like below:
https://the address you copied:5001
Hit enter
What do you get?


Nothing. The status bar just sits there and eventually times out. I have a call in to the ISP and they're going to look into it. I'll let you know how that turns out.

Could you explain 2FA a little more for me and give any tips on how to best set it up? I'm concerned I'll get locked out if my phone dies, so I'd like to have a backup authenticator, but don't know exactly how that works. I don't honestly know how I set it up the first time, as a Synology tech walked me through it quickly. I feel like this post is getting really long and branching out quite a bit, but I hesitate to start a new post because it might be nice for any other rookies to have everything in one place.
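The question above asks how a backup authenticator can work. As an added illustration (not part of the thread and not Synology code), here is the RFC 6238 TOTP scheme that common authenticator apps implement: the six-digit code is a function of the shared secret and the current UTC time only, so any second device enrolled from the same QR code, or a copy of the secret kept offline, produces identical codes. The secret used is the RFC 6238 test-vector value, and the function names are mine.

```python
import base64
import hashlib
import hmac
import struct

# Secret from the RFC 6238 test vectors (ASCII "12345678901234567890"), Base32
# encoded the way an enrollment QR code carries it. Not a real account secret.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30


def totp(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a given Unix time.

    The code depends only on the shared secret and UTC time, so time zone is
    irrelevant; a skewed clock on either side is what breaks it.
    """
    pad = "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(secret_b32.upper() + pad)
    counter = unix_time // STEP_SECONDS          # 30-second steps since epoch
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                   # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def backup_devices_agree(secret_b32: str, unix_time: int) -> bool:
    """Two authenticators enrolled from the same QR code / secret compute the
    same code, which is why enrolling a second device (or storing the secret
    offline) works as a backup against a lost or dead phone."""
    primary_phone = totp(secret_b32, unix_time)
    backup_device = totp(secret_b32, unix_time)
    return primary_phone == backup_device


def verify_code(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current step plus `window` steps either
    side to tolerate small clock drift, compared in constant time."""
    candidates = (totp(secret_b32, unix_time + k * STEP_SECONDS)
                  for k in range(-window, window + 1))
    return any(hmac.compare_digest(c, submitted) for c in candidates)


if __name__ == "__main__":
    now = 59  # fixed time so the output matches the RFC 6238 vector (287082)
    print(totp(DEMO_SECRET_B32, now), backup_devices_agree(DEMO_SECRET_B32, now))
```

The practical consequence for the setup question: scan the enrollment QR code with a second authenticator app at the same time, or record the secret somewhere safe, and keep any one-time backup codes the NAS offers.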
 
Poster (NAS: DS220+, DS918+, RS1219+; OS: Windows; Mobile: Android):
So even when you turned off the firewall. Nothing?

Honestly, I have not yet turned on the firewall. I tested the creation of the rules last night, but didn't apply the 2 that were available; I was going to wait for the 3rd. I've been following the forum from my phone until just now as I've been out at meetings. Going to put the firewall in place now. The firewall shouldn't have had any effect on blocking the public computer IP address you had me scan though, correct?
 
Poster (NAS: RS820+, DS718+; OS: Windows; Mobile: iOS):
Sorry I didn’t enable it yet on my DSs. I’m afraid I might find it annoying. So I’d leave that to someone else. Maybe @Rusty.

I have it enabled on my admin account. It’s not annoying at all considering you can set your phone or computer as a remembered trusted device. Same thing with the mobile ds apps.
 
Poster (NAS: DS220+, DS918+, RS1219+; OS: Windows; Mobile: Android):
I have it enabled on my admin account. It’s not annoying at all considering you can set your phone or computer as a remembered trusted device. Same thing with the mobile ds apps.

I've wondered about the trusted device. What if someone by chance somehow hijacks my trusted PC either physically or remotely? Wouldn't they then have direct access to my NAS, even with 2FA activated? I'd had my laptop set as a trusted device but then disabled it for concern of this happening.

I also think that it is odd that 2FA allows for authorization by the same device that is requesting authorization. Meaning, I can try to access the NAS from my phone and then use the authenticator on my phone to authenticate the requested access. It seems to me that's not really 2FA anymore.
 
Poster (NAS: DS220+ : DS1019+ : DS920+ : DS118 : APC Back UPS ES 700; Mac/iOS user):
you can set your phone or computer as a remembered trusted device.
I know, however, sometimes I need access from untrusted devices. I've also read about something that sometimes gets screwed up when in a different zone. Don't know how true that is though. But I'm in a different time zone almost every other month. I've been meaning to look into it and never got to.
 
Poster (NAS: RS820+, DS718+; OS: Windows; Mobile: iOS):
I've wondered about the trusted device. What if someone by chance somehow hijacks my trusted pc either physically or remotely?

While certainly plausible, they would still need to guess your strong password that you’ve put into place.

It is a matter of convenience over security. Having 2FA in general and a strong password provides more security than not having them. The matter of convenience and tolerating having to enter the 2FA codes is something you'd have to weigh. The chances of someone taking control of my mobile phone are pretty slim, yet it's also a complete pain to try to log in from a phone and enter 2FA codes. A computer may be a little easier to multitask on, without having to open this app and then close it and switch to another like on a phone. Someone can hijack a computer that is on 24/7. If your computer is left on like this, then I probably wouldn't remember passwords or devices. I happen to use a laptop (ThinkPad T420s 🤓) and turn it on and off as I need, so I don't have a concern of my device being hijacked since I'm on it while using it. If that ever happened I have bigger problems anyway.
 
Poster (NAS: DS220+ : DS1019+ : DS920+ : DS118 : APC Back UPS ES 700; Mac/iOS user):
The firewall shouldn't have had any effect on blocking the public computer IP address you had me scan though, correct?
The one we looked up via the ip locator site is the public IP address assigned to your router by your ISP. This might change if you’re assigned a dynamic IP address or it could be a static IP address that never changes.

On the DS, go to Control panel > External Access
You’ll see the same IP address under DDNS.
That's how the internet communicates with you.
 