Please help me understand making my NAS secure.


NAS: DS 211j | Router: RT2600ac
Synology QuickConnect is the easy way and it’s more secure. However, with limitations.

Would love some technical explanation for this statement. What is it that would make QuickConnect more secure than using DDNS service with reverse proxy running behind FQDN with only one possible attack vector (as opposed to UPNP enabled service like QC with all relevant information about IP and the device stored on some cloud service)?
NAS: DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
Would love some technical explanation for this statement.
I don’t think QC requires any UPnP. You don’t need to open any ports for it to work.
The connection is initiated from the DS. Check this, Daddo.
NAS: DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
@Daddo, maybe you’re referring to External Access (in control panel), not QuickConnect?!

Because that one uses UPnP to open the ports on the router without you doing it manually.
NAS: DS 211j | Router: RT2600ac
Oh that's just great... instead of using port forwarding it uses "relay sites" that have all relevant data stored (both WAN IP and LOCAL IP as well as port number to communicate). Sure, there's tunneling and port punching and ...

DDNS and reverse proxy leave just one point of entry (one port and one FQDN) and the attacker gets much less data to work with from the start.

Suppose someone steals the data you're providing Synology with by using QC; they get your public IP, local IP and some unique ID. From there they can test if one of your services is running on a default port, and that is enough to penetrate the network or at least try to do some nasty stuff.

Btw, just enabled QC on my 211j, and tried connecting via ID; it says:

  • Permissions to access certain services via QuickConnect are not enabled. Please go to Control Panel > QuickConnect > Advanced > Permission and tick one or more services.

Guess what? There is no Advanced option in Quickconnect on DSM 4.3 my 211j is running. ;)

So, even when the QC service states it is connected, it sure as hell isn't connectable. :D
NAS: DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
There you go @Daddo. Not everyone knows or considers what you’ve said above.
It remains an option and a selling point for Synology to the less technically inclined.
NAS Newbie | Subscriber | NAS: DS220+, DS918+, RS1219+ | OS: Windows | Mobile: Android
Try this one too…
While at home on your WiFi, go to this, copy the IP address (this is the address that you should keep off forums, don’t post this).

Switch your phone to cell only (turn off WiFi), unless you’re already outside using cellular data or the Martian’s Starbucks in Chicago :)

On the browser, paste the address you copied like below:
https://the address you copied:5001
Hit enter
What do you get?
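The browser test above, as an added script that is not from the thread or from Synology: it connects to the DSM HTTPS port (5001, as used in the thread), verifies the certificate chain, and reports whether the port answers, times out (packets dropped by the ISP, a firewall or a missing port forward), is refused, or presents a certificate the system does not trust (DSM's default self-signed one rather than a Let's Encrypt one). PUBLIC_IP is a placeholder for the address copied in the step above; hostname matching is skipped because a bare IP never matches a DDNS-name certificate, but chain verification stays on.

```python
import socket
import ssl
import time


def classify_error(exc: BaseException) -> str:
    """Map a connection failure to what the browser test would show."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"        # nothing answers: ISP block, firewall, or no port forward
    if isinstance(exc, ConnectionRefusedError):
        return "refused"        # reachable, but nothing listens or the port is rejected
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "tls_untrusted"  # answers, but with a cert the client does not trust
    if isinstance(exc, ssl.SSLError):
        return "tls_error"      # answers, but the TLS handshake itself failed
    return "unreachable"        # no route, DNS failure, etc.


def check_https(host: str, port: int = 5001, timeout: float = 5.0) -> dict:
    """Connect to https://host:port and report what an outsider is shown."""
    result = {"host": host, "port": port, "state": "ok", "issuer": None,
              "subject": None, "days_left": None, "error": None}
    ctx = ssl.create_default_context()   # verify_mode stays CERT_REQUIRED
    ctx.check_hostname = False           # the test uses the raw public IP, not the FQDN
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()  # populated only after successful verification
        result["issuer"] = {k: v for rdn in cert["issuer"] for k, v in rdn}
        result["subject"] = {k: v for rdn in cert["subject"] for k, v in rdn}
        expires = ssl.cert_time_to_seconds(cert["notAfter"])
        result["days_left"] = int((expires - time.time()) // 86400)
    except Exception as exc:
        result["state"] = classify_error(exc)
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    # PUBLIC_IP is a placeholder: paste the address from the step above, and run
    # this from a network that is NOT your home LAN (e.g. a cellular hotspot).
    print(check_https("PUBLIC_IP", 5001))
```

A state of "ok" with a Let's Encrypt issuer means the DSM login page is reachable from the internet; "timeout" is the outcome the thread's ISP-blocked ports produce.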


Nothing. The status bar just sits there and eventually times out. I have a call in to the ISP and they're going to look into it. I'll let you know how that turns out.

Could you explain 2FA a little more for me and give any tips on how to best set it up? I'm concerned I'll get locked out if my phone dies, so I'd like to have a backup authenticator, but don't know exactly how that works. I don't honestly know how I set it up the first time, as a Synology tech walked me through it quickly. I feel like this post is getting really long and branching out quite a bit, but I hesitate to start a new post because it might be nice for any other rookies to have everything in one place.
NAS: DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
So even when you turned off the firewall, nothing?

Could you explain 2FA a little more
Sorry I didn’t enable it yet on my DSs. I’m afraid I might find it annoying. So I’d leave that to someone else. Maybe @Rusty.
NAS Newbie | Subscriber | NAS: DS220+, DS918+, RS1219+ | OS: Windows | Mobile: Android
So even when you turned off the firewall, nothing?

Honestly, I have not yet turned on the firewall. I tested the creation of the rules last night, but didn't apply the 2 that were available; I was going to wait for the 3rd. I've been following the forum from my phone until just now as I've been out at meetings. Going to put the firewall in place now. The firewall shouldn't have had any effect on blocking the public computer IP address you had me scan though, correct?
NAS: RS820+, DS718+ | OS: Windows | Mobile: iOS
Sorry I didn’t enable it yet on my DSs. I’m afraid I might find it annoying. So I’d leave that to someone else. Maybe @Rusty.

I have it enabled on my admin account. It’s not annoying at all considering you can set your phone or computer as a remembered trusted device. Same thing with the mobile ds apps.
NAS Newbie | Subscriber | NAS: DS220+, DS918+, RS1219+ | OS: Windows | Mobile: Android
Aside from learning how to better use 2FA and activating the firewall, is there anything else I should be doing?
NAS Newbie | Subscriber | NAS: DS220+, DS918+, RS1219+ | OS: Windows | Mobile: Android
I have it enabled on my admin account. It’s not annoying at all considering you can set your phone or computer as a remembered trusted device. Same thing with the mobile ds apps.

I've wondered about the trusted device. What if someone by chance somehow hijacks my trusted pc either physically or remotely? Wouldn't they then have direct access to my NAS, even with 2FA activated? I'd had my laptop set as a trusted device but then disabled it for concern of this happening.

I also think that it is odd that 2FA allows for authorization by the same device that is requesting authorization. Meaning, I can try to access the NAS from my phone and then use the authenticator on my phone to authenticate the requested access. It seems to me that's not really 2FA anymore.
NAS: DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
you can set your phone or computer as a remembered trusted device.
I know; however, sometimes I need access from untrusted devices. I’ve also read about something that sometimes gets screwed up when on a different zone. Don’t know how true that is, though. But I’m on a different time zone almost every other month. I’ve been meaning to look into it and never got to.
NAS: DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
Aside from learning how to better use 2FA and activating the firewall, is there anything else I should be doing?
A Let’s Encrypt certificate and change the default port.
NAS Newbie | Subscriber | NAS: DS220+, DS918+, RS1219+ | OS: Windows | Mobile: Android
You mean besides not using the QuickConnect service and a port that has a documented ransomware attack on the device? ;)

Anything else. I'm here to learn. I don't know what I don't know and appreciate the help.
NAS: RS820+, DS718+ | OS: Windows | Mobile: iOS
I've wondered about the trusted device. What if someone by chance somehow hijacks my trusted pc either physically or remotely?

While certainly plausible, they would still need to guess your strong password that you’ve put into place.

It is a matter of convenience over security. Having 2FA in general and a strong password provides more security than not having them. The matter of convenience and tolerating having to enter the 2FA codes is something you’d have to weigh. The chances of someone taking control of my mobile phone are pretty slim, yet it’s also a complete pain to try to log in from a phone and enter 2FA codes. A computer may be a little easier to multitask on, without having to open this app and then close it and switch to another like on a phone. Someone can hijack a computer that is on 24/7. If your computer is left on like this, then I probably wouldn’t remember passwords or devices. I happen to use a laptop (ThinkPad T420s 🤓) and turn it on and off as I need, so I don’t have a concern of my device being hijacked since I’m on it while using it. If that ever happened I have bigger problems anyway.
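On the earlier question of how a backup authenticator works, and why a time-zone change should not break codes: this is an added example, not code from the thread or from Synology. It implements the RFC 6238 TOTP algorithm (HMAC-SHA1, 30-second steps, 6 digits) that authenticator apps use, and shows that a second app enrolled from the same setup key produces identical codes, which is all a "backup authenticator" is. The setup key is the RFC 6238 test secret, used here as a constructed demo value; `window` is an assumed tolerance, not DSM's documented one.

```python
import base64
import hashlib
import hmac
import struct
import time


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the UTC time slice, then dynamic truncation."""
    counter = struct.pack(">Q", at // step)          # slice number, big-endian 64-bit
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def secret_from_setup_key(key: str) -> bytes:
    """Decode the base32 'setup key' carried by the enrollment QR code."""
    cleaned = key.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def verify(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current slice plus `window` slices either side, to absorb small clock
    drift. Time zones never matter: TOTP uses UTC epoch seconds, not local time."""
    return any(hmac.compare_digest(totp(secret, at + k * 30), code)
               for k in range(-window, window + 1))


def backup_matches_primary(setup_key: str, at: int) -> bool:
    """Two apps enrolled from the same setup key are interchangeable: a backup
    authenticator is the same secret stored on a second device (or the setup key
    kept in a password manager at enrollment time)."""
    phone = secret_from_setup_key(setup_key)
    backup = secret_from_setup_key(setup_key)
    return totp(phone, at) == totp(backup, at)


if __name__ == "__main__":
    KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # constructed demo key (RFC 6238 test secret)
    now = int(time.time())
    print("phone and backup agree:", backup_matches_primary(KEY, now))
    print("current code:", totp(secret_from_setup_key(KEY), now))
```

The practical consequence: save the setup key (or scan the same QR code on a second device) at enrollment, because the only thing that makes a device an authenticator is possession of that secret.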
NAS Newbie | Subscriber | NAS: DS220+, DS918+, RS1219+ | OS: Windows | Mobile: Android
A Let’s Encrypt certificate and change the default port.

I already have a Let's Encrypt certificate. When you talk about changing the default port, do you mean to something other than 5000/5001?
NAS Newbie | Subscriber | NAS: DS220+, DS918+, RS1219+ | OS: Windows | Mobile: Android
So even when you turned off the firewall, nothing?

Just got a call from the ISP. Ports 5000 & 5001 were somehow disabled again. He turned them on and I'm up and running. This might get old...
NAS: DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
The firewall shouldn't have had any effect on blocking the public computer IP address you had me scan though, correct?
The one we looked up via the ip locator site is the public IP address assigned to your router by your ISP. This might change if you’re assigned a dynamic IP address or it could be a static IP address that never changes.

On the DS, go to Control panel > External Access
You’ll see the same IP address under DDNS.
That’s how the internet communicates with you.