Please help me understand making my NAS secure.


NAS Newbie
NAS: DS220+, DS918+, RS1219+
I happen to use a laptop (ThinkPad T420s 🤓)

Thank you for the 2FA comments. I once had a Lenovo P52s when I first started working from home. I hope you have good luck with your T420. After my P52s debacle, I'll never own another Lenovo. I'll just say that regardless of your opinion of the quality of the respective equipment, Lenovo's customer service is the worst I've ever experienced, while Dell's has been amazing.

NAS: DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
Just got a call from the ISP. Ports 5000 & 5001 were somehow disabled again. He turned them on and I'm up and running. This might get old...
That's too bad! I hope it was a one-off incident. What if you need access remotely and the soup nazis decide to update or whatever they did and screw up the ports again!

NAS Newbie
NAS: DS220+, DS918+, RS1219+
Fortunately for me, it'll be rare that I need critical remote access. If it keeps happening I might have to get myself a new router.

NAS: RS820+, DS718+
I also think that it is odd that 2FA allows for authorization by the same device that is requesting authorization.

The actual device, such as your phone, is not the one providing authorization. It is time based, so the codes are generated through some algorithm I'm guessing (more advanced guys here can probably further explain). This is the reason why you scan the barcode: it essentially creates a time sync and an algorithm puts out the codes.

I personally use the app Authy. I started with Google Authenticator when I knew nothing about 2FA, just like you. I then started reading and realized what would happen if I lost my phone (😜😜 aka dropped it in the toilet): I would essentially lose my authenticator; there is no backup and there is no other device where you can get the codes. Authy allows you to turn on multi-device, so in my case I've added my Windows laptop using their desktop app, and then I turn off multi-device as an added security measure. This way at least my codes will be in two places that I have the most control over. You can also set up a PIN to access these apps. Someone recently mentioned some issues in the terms & agreements of Authy and privacy; I'm not exactly sure what that is, but for me I will only use what I am 100% comfortable with. Until I can fully understand an open source method (previously mentioned in a 2FA thread) and it provides usability, I haven't been able to find anything better that's easier to set up and use than Authy... yet.

It's actually very good that you're reading ahead with 2FA, because it can be a disaster if the authenticator is no longer accessible. I've seen and read the horror stories, and for me, using something like Authy gives me peace of mind that if my computer crashes or my phone with the authenticator is damaged I have some other way to get in.

I've implemented strong passwords, and none of them are re-used, with the help of LastPass as a password manager (also 2FA secured).
 

NAS Newbie
NAS: DS220+, DS918+, RS1219+
Any suggestions as to what ports I should be pointing to? I tried searching online for the ransomware port to know what to avoid, but Google just sucks at finding useful data (it might be me, but I'm gonna blame Google)...

NAS: RS820+, DS718+
Thank you for the 2FA comments. I once had a Lenovo P52s when I first started working from home. I hope you have good luck with your T420. After my P52s debacle, I'll never own another Lenovo. I'll just say that regardless of your opinion of the quality of the respective equipment, Lenovo's customer service is the worst I've ever experienced, while Dell's has been amazing.

Fortunately, my first Lenovo was a T60 which lasted me about 5 years, and this was only because I dropped it and cracked the hinge. It actually probably still works to this day, if I fresh install Windows.

My T420s I've had since 2011-12 and I've pumped it up with 16 GB of RAM and a Samsung SSD; it's my daily driver and workhorse. I have a dock where I can also use up to 3 external monitors plus the laptop screen.

On the side I have my own side business relating to technology and similar stuff, and this laptop has been awesome to me. Can't forget to mention the feel of the keyboard, one of the best keyboards I've ever used.


NAS Newbie
NAS: DS220+, DS918+, RS1219+
The actual devices, such as your phone, are not the ones providing authorization. It is time based, so the codes are generated through some algorithm I'm guessing (more advanced guys here can probably further explain). This is the reason why you scan the barcode: it essentially creates a time sync and an algorithm puts out the codes.

I know that the app is what is generating the code, but the app is linked to my phone which is essentially another key to the safe. It seems to me that allowing the app on my phone to generate the access code with which I can access the NAS is akin to taping the key to the face of the safe. It just seems odd to me is all.
 
NAS: RS820+, DS718+
I know, however, sometimes I need access from untrusted devices. I've also read that something sometimes gets screwed up when on a different time zone. Don't know how true that is though. But I'm on a different time zone almost every other month. I've been meaning to look into it and never got to.

Hm, definitely not my expertise. I'm only in different time zones for a once-every-two-years vacation, and now having a newborn I'm not going anywhere.

NAS: DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
Any suggestions as to what ports I should be pointing to?
Check this.
Note that you'll need to add the port after the IP address when you need to access.
Something like this:
https://xyz.synology.me:1234


NAS Newbie
NAS: DS220+, DS918+, RS1219+
Fortunately, my first Lenovo was a T60 which lasted me about 5 years, and this was only because I dropped it and cracked the hinge. It actually probably still works to this day, if I fresh install Windows.

My T420s I've had since 2011-12 and I've pumped it up with 16 GB of RAM and a Samsung SSD; it's my daily driver and workhorse. I have a dock where I can also use up to 3 external monitors plus the laptop screen.

On the side I have my own side business relating to technology and similar stuff, and this laptop has been awesome to me. Can't forget to mention the feel of the keyboard, one of the best keyboards I've ever used.

My replacement for the P52s is a Dell Precision 7520, 32 GB RAM & Intel i7-7700HQ. I had to have the Intel for some software I'm running. It is big and clunky and thick compared to the P52, but it runs all the FEA analysis I've thrown at it so far. Have a CalDigit dock on it too, so the keyboard hasn't been an issue.

NAS: RS820+, DS718+
I know that the app is what is generating the code, but the app is linked to my phone which is essentially another key to the safe. It seems to me that allowing the app on my phone to generate the access code with which I can access the NAS is akin to taping the key to the face of the safe. It just seems odd to me is all.

Put a PIN code on the app.

NAS: DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
Hm, definitely not my expertise. I'm only in different time zones for a once-every-two-years vacation, and now having a newborn I'm not going anywhere.
I wish I was on vacation every other month ;)
But like you, I have very strong random passwords that are filled by my password manager when I access my DSs. I've also enabled auto blocking (one of the DSs auto blocks after 1 wrong try).
And I have notifications turned on, so I kind of know what's going on with my NASes.
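Auto block of the kind mentioned above, as an added example that is not DSM's implementation or the poster's configuration: it counts failed logins per source IP inside a sliding window, blocks the address once a threshold is reached, keeps it blocked even if the right password arrives later, exempts a trusted LAN range so a typo at home cannot lock you out, and clears the counter on a successful login. The log lines, their "<unix_time> <OK|FAIL> <user> <source_ip>" format, and the AutoBlock and replay names are constructed for this example. With threshold=1 it behaves like the "blocks after 1 wrong try" setting described above; running it with threshold=3 shows what a higher threshold changes.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed sample login records (not real DSM log output).
# Format assumed here: "<unix_time> <OK|FAIL> <user> <source_ip>".
SAMPLE_LOG = """\
1700000000 FAIL admin 203.0.113.7
1700000001 FAIL admin 203.0.113.7
1700000003 FAIL root 203.0.113.7
1700000010 OK bob 192.168.1.20
1700000020 FAIL bob 192.168.1.20
1700000021 FAIL bob 192.168.1.20
1700000022 FAIL bob 192.168.1.20
1700000600 FAIL admin 198.51.100.9
1700003000 FAIL admin 198.51.100.9
"""


class AutoBlock:
    """Block a source IP after `threshold` failed logins within `window_s` seconds.

    Addresses inside `allow` (your LAN, for instance) are never blocked, so a
    mistyped password at home cannot lock you out of the NAS.
    """

    def __init__(self, threshold=5, window_s=300, allow=("192.168.1.0/24",)):
        self.threshold = threshold
        self.window_s = window_s
        self.allow = [ip_network(a) for a in allow]
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked = {}                   # ip -> time at which it was blocked

    def observe(self, ts, result, ip):
        """Feed one login attempt; return 'allowed' or 'blocked'."""
        if ip in self.blocked:
            return "blocked"                # stays blocked even with the correct password
        if result == "OK":
            self.failures.pop(ip, None)     # a successful login clears the counter
            return "allowed"
        if any(ip_address(ip) in net for net in self.allow):
            return "allowed"                # trusted range: count nothing, block nothing
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window_s:
            recent.popleft()                # drop failures that fell out of the window
        if len(recent) >= self.threshold:
            self.blocked[ip] = ts
            return "blocked"
        return "allowed"


def replay(log, **settings):
    """Run the constructed log through an AutoBlock; return (blocker, per-line decisions)."""
    blocker = AutoBlock(**settings)
    decisions = []
    for line in log.splitlines():
        ts, result, _user, ip = line.split()
        decisions.append((ip, blocker.observe(int(ts), result, ip)))
    return blocker, decisions


if __name__ == "__main__":
    for threshold in (1, 3):
        blocker, _ = replay(SAMPLE_LOG, threshold=threshold, window_s=300)
        print(f"threshold={threshold}: blocked {sorted(blocker.blocked)}")
```

The window matters as much as the threshold: 198.51.100.9 fails twice forty minutes apart, which a 300-second window treats as two separate single failures, so a slow attacker spacing attempts out is only caught by a low threshold or a long window. The allow list is the knob that lets you set the threshold to 1 for the internet side without risking locking yourself out from the LAN.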
 
NAS: RS820+, DS718+
ahhh. duh.

There's also a bunch of other methods that probably can be used. On some sites (such as Google) you can use what's called a YubiKey. You may even be able to buy an RSA hardware token key with a digital display on it, so the hardware keychain will show random codes as well and it's separate from your phone. These can be somewhat expensive, you only have one, and you may need to have some more advanced knowledge to set them up; they're much more common in corporate environments. I find that Google Authenticator, Authy, or any other software-based authenticator some of the more advanced guys here suggest may be a better option. The one thing I stress, especially for a newbie, is to fully understand what you're doing and what could happen if XYZ scenario happens.


NAS Newbie
NAS: DS220+, DS918+, RS1219+
What if you forget the PIN? :D
I'm telling you, just yank the cable off that NAS.
Don't worry, it's the same PIN I use for everything else, bank account, IRS accounts etc... :sneaky:

NAS: RS820+, DS718+
What if you forget the PIN? :D
I'm telling you, just yank the cable off that NAS.

This is why we have robots, home assistants, and AI in our lives nowadays 🤪


NAS Newbie
NAS: DS220+, DS918+, RS1219+
So to wrap this all up: super-duper passwords, DDNS created, firewall activated, 2FA activated, Account Protection/Auto block enabled, Let's Encrypt security key activated, default port changed... probably something else I missed. On a scale of 1-10, 10 being good, how secure am I? Would you trust sensitive data on this setup? I realize nothing is 100% secure, but would like to get as close as possible. I guess I inherited some of that tin-foil hat of my dad's that always drove me nuts as a kid.


SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.
