Please help me understand making my NAS secure.

Currently reading
Please help me understand making my NAS secure.

367
74
NAS
RS820+, DS718+
Operating system
  1. Windows
Mobile operating system
  1. iOS
so to wrap this all up: super-duper passwords, DDNS created, firewall activated, 2FA activated, Account Protection/Auto block enabled, Let's encrypt security key activated, default port changed... probably something else I missed. on a scale of 1-10, 10 being good, how secure am I? would you trust sensitive data on this setup? I realize nothing is 100% secure, but would like to get as close as possible. I guess I inherited some of my that tin-foil hat of my dad's that always drove me nuts as a kid.

Use admin accounts for admin only, and create a separate user account for yourself. I used to work for a huge corporate company, and we would have two user names:

nasnewbie
nasnewbiehp

I think the hp part at the end of the user name stood for higher privileged or higher power. I've kept the same philosophy where I have two user names, one is for general use as a standard user and the other is an admin account.
 
1,898
796
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
don't worry, its the same pin I use for everything else, bank account, irs accounts etc... :sneaky:
That’s not secure. If someone knows this pin you’re done for.
Here’s a cliche’ “your security is as strong as it’s weakest link” or something to that effect.
See, it never ends. I think you’ll be my neighbor in the next cave.
 
367
74
NAS
RS820+, DS718+
Operating system
  1. Windows
Mobile operating system
  1. iOS
That’s not secure. If someone knows this pin you’re done for.
Here’s a cliche’ “your security is as strong as it’s weakest link” or something to that effect.
See, it never ends. I think you’ll be my neighbor in the next cave.

While true, but they would have to defeat your fingerprint or facial recognition on your phone first. I don't know about you guys, but I also don't have government classified information. Therefore the bad guys are going to look and go after the weakest link first, that being those who use 1234 as a password, those who don't have passwords implemented at all, and those that don't put in place some security measures such as 2fa, complex passwords, change of default ports, https protocol, certificate authority.
 

NAS Newbie

Subscriber
449
89
NAS
DS220+, DS918+, RS1219+
Operating system
  1. Windows
Mobile operating system
  1. Android
That’s not secure. If someone knows this pin you’re done for.
Here’s a cliche’ “your security is as strong as it’s weakest link” or something to that effect.
See, it never ends. I think you’ll be my neighbor in the next cave.
Yeah, I know. I was being a smart-ass, but I see I've asked too many dumb questions that my sarcasm is being taken seriously... :ROFLMAO:
 
1,898
796
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
so to wrap this all up: super-duper passwords, DDNS created, firewall activated, 2FA activated, Account Protection/Auto block enabled, Let's encrypt security key activated, default port changed... probably something else I missed. on a scale of 1-10, 10 being good, how secure am I? would you trust sensitive data on this setup? I realize nothing is 100% secure, but would like to get as close as possible. I guess I inherited some of my that tin-foil hat of my dad's that always drove me nuts as a kid.
You should be ok. Turn on notifications, to know what’s going on when something goes on.
 
1,898
796
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
While true, but they would have to defeat your fingerprint or facial recognition on your phone first. I don't know about you guys, but I also don't have government classified information. Therefore the bad guys are going to look and go after the weakest link first, that being those who use 1234 as a password, those who don't have passwords implemented at all, and those that don't put in place some security measures such as 2fa, complex passwords, change of default ports, https protocol, certificate authority.
I’m just pressing Nas Newbie’s buttons. He should be ok :D

With all what he’s implemented now, hackers will find bigger fish to fry rather than target the house that almost got the fiber connection :D
 
27
16
127.0.0.1
NAS
DS 211j
Router
  1. RT2600ac
Anything else. I'm here to learn. I don't know what I don't know and appreciate the help.

OK then, let's start basics.

DiskStation Manager or DSM is accessed by your web browser meaning your device is running a web server which is listening on some TCP/UDP port (by default those are 5000 for HTTP and 5001 for HTTPS access).

You gain entry by either typing:

1. http(s)://local.ip.address.of.your.device: portnumber (usually it is 192.168.x.x) - when the device you are connecting from is in the same network (connected to the same router) as your Diskstation
2. http(s)://some.domain.name: portnumber (i.e. mynas.synology.me or some other DDNS service depends on the provider you are using) - when the device you are connecting from is outside your local network

Both are fine actually but you need to know which port you are using (not a problem) and be sure that the networks are allowing the communication on that port (that could be and usually is an issue, since you do not control other networks).

Since all networks are monitored for one reason or another, using ports that are not well known (those are above 1024) can make the owners suspicious and they can and usually close those, which is why you got the timeout message when connecting via https://some.domain.name:5001 and when you did contact the ISP they opened the port 5001 for you. What happens when you change your location and try to access from it while on some other network (i.e. public hotspot like that Martian KFC you guys keep referencing to, or some fancy camp in North Korea)?

In order to avoid that, since you already have a LE certificate set up with some DNS name, what do you say to accessing your device by simply putting https://some.domain.name in your favorite web browser while omitting the port itself? (You are actually saying, ok, just use WELL KNOWN PORT for HTTPS which is surely open on all networks and the number is 443).

If you have trouble understanding any of the above, I would recommend to check how internet works by seeing this movie. Once you do, it will be easier to understand both what and why you should do something and then move to the tutorial @Rusty started about implementing reverse proxy.

That’s too bad! I hope it was a one-off incident. What if you need access remotely and the soup nazis decide to update or whatever they did and screwup the ports again!

You could always go reverse proxy route with LE cert implemented ;)
 
367
74
NAS
RS820+, DS718+
Operating system
  1. Windows
Mobile operating system
  1. iOS
Last edited:
Also, run the built in Security Advisor to see if it picks up anything. You can configure this to run every night and send you reports.

1555451677461.png
 
1,898
796
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
OK then, let's start basics.

DiskStation Manager or DSM is accessed by your web browser meaning your device is running a web server which is listening on some TCP/UDP port (by default those are 5000 for HTTP and 5001 for HTTPS access).

You gain entry by either typing:

1. http(s)://local.ip.address.of.your.device: portnumber (usually it is 192.168.x.x) - when the device you are connecting from is in the same network (connected to the same router) as your Diskstation
2. http(s)://some.domain.name: portnumber (i.e. mynas.synology.me or some other DDNS service depends on the provider you are using) - when the device you are connecting from is outside your local network

Both are fine actually but you need to know which port you are using (not a problem) and be sure that the networks are allowing the communication on that port (that could be and usually is an issue, since you do not control other networks).

Since all networks are monitored for one reason or another, using ports that are not well known (those are above 1024) can make the owners suspicious and they can and usually close those, which is why you got the timeout message when connecting via https://some.domain.name:5001 and when you did contact the ISP they opened the port 5001 for you. What happens when you change your location and try to access from it while on some other network (i.e. public hotspot like that Martian KFC you guys keep referencing to, or some fancy camp in North Korea)?

In order to avoid that, since you already have a LE certificate set up with some DNS name, what do you say to accessing your device by simply putting https://some.domain.name in your favorite web browser while omitting the port itself? (You are actually saying, ok, just use WELL KNOWN PORT for HTTPS which is surely open on all networks and the number is 443).

If you have trouble understanding any of the above, I would recommend to check how internet works by seeing this movie. Once you do, it will be easier to understand both what and why you should do something and then move to the tutorial @Rusty started about implementing reverse proxy.



You could always go reverse proxy route with LE cert implemented ;)
This is good. I don’t know though, I’ve never had my ports closed by my ISP. And I have so many custom ports open. So this is new to me. Of course banks and other sensitive places can block you if your “behavior” changes as @Telos mentioned according to how smart or stupid their algorithms are.

One correction please. The Martian goes to Starbucks not KFC.
 
27
16
127.0.0.1
NAS
DS 211j
Router
  1. RT2600ac
Each open port represents possible attack vector, thus for security reasons you should keep the number as low as possible.

It is not (usually) so much about "sensitive", more like sensible. Monitoring, shaping or inspecting traffic is done more efficiently if you can control both source and destination.

As for that Martian... it doesn't really matter what his(her?) destination is, since both Starbucks and KFC are places of last resort and probably deemed unsafe for all ALF-s. :D
 
1,898
796
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
As for that Martian... it doesn't really matter what his(her?) destination is, since both Starbucks and KFC are places of last resort and probably deemed unsafe for all ALF-s. :D
:ROFLMAO:
I’m just kidding.
 

NAS Newbie

Subscriber
449
89
NAS
DS220+, DS918+, RS1219+
Operating system
  1. Windows
Mobile operating system
  1. Android
OK then, let's start basics.

DiskStation Manager or DSM is accessed by your web browser meaning your device is running a web server which is listening on some TCP/UDP port (by default those are 5000 for HTTP and 5001 for HTTPS access).

You gain entry by either typing:

1. http(s)://local.ip.address.of.your.device: portnumber (usually it is 192.168.x.x) - when the device you are connecting from is in the same network (connected to the same router) as your Diskstation
2. http(s)://some.domain.name: portnumber (i.e. mynas.synology.me or some other DDNS service depends on the provider you are using) - when the device you are connecting from is outside your local network

Both are fine actually but you need to know which port you are using (not a problem) and be sure that the networks are allowing the communication on that port (that could be and usually is an issue, since you do not control other networks).

Since all networks are monitored for one reason or another, using ports that are not well known (those are above 1024) can make the owners suspicious and they can and usually close those, which is why you got the timeout message when connecting via https://some.domain.name:5001 and when you did contact the ISP they opened the port 5001 for you. What happens when you change your location and try to access from it while on some other network (i.e. public hotspot like that Martian KFC you guys keep referencing to, or some fancy camp in North Korea)?

In order to avoid that, since you already have a LE certificate set up with some DNS name, what do you say to accessing your device by simply putting https://some.domain.name in your favorite web browser while omitting the port itself? (You are actually saying, ok, just use WELL KNOWN PORT for HTTPS which is surely open on all networks and the number is 443).

If you have trouble understanding any of the above, I would recommend to check how internet works by seeing this movie. Once you do, it will be easier to understand both what and why you should do something and then move to the tutorial @Rusty started about implementing reverse proxy.



You could always go reverse proxy route with LE cert implemented ;)

Shucks, I thought this thread was winding down and I'd have to start new ones to display my ineptitude on other topics, and then daddo goes and gives me homework. At least part of it is a movie, those were always the best. :)
 

NAS Newbie

Subscriber
449
89
NAS
DS220+, DS918+, RS1219+
Operating system
  1. Windows
Mobile operating system
  1. Android
I'm still going through and wrapping my head around everything you guys have had me do so far, but I wanted to say thanks for walking me through it, especially to @WST16. I'm trying my best to go out and research these questions on my own before bothering you guys here, but there's an almost unfortunate wealth of info available for these things. I appreciate being able to come here and have a smaller handful of experienced users walk me through things.
 
1,898
796
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
@WST16

Is Rule 3 the same as making Deny as the default ? you can change it on the lower left side of the firewall
For rule 3, you just create a new rule and select deny instead of allow. That’s the only thing you do and hit ok. Make sure you have at least #1 created at the very top of the list to allow your LAN, otherwise you’ll be locked out and the only way back is to do a hard reset.
 
1,898
796
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
I have Account Protection enabled as well. That one scares me a bit
Add your local subnet to the allow list so you won’t get blocked in case you enter the wrong credentials while on your LAN.

Go to control panel > security > account tab
Allow/Block list button
Create
Subnet
and in your case add the following:
192.168.10.0
255.255.255.0

However, if you’re blocked, try to use another device to login. What happens is that the IP address of the offending device is denied further access by adding its IP address to the “blocked” list. You can find another device on the LAN and try. Or manually change the IP address and try (as a last resort if you run out of devices).

If you have remote access, you can try that too. The idea is to access with a different IP address. Once you get in, you can go and remove the blocked IP address from the “blocked list”.
 
367
74
NAS
RS820+, DS718+
Operating system
  1. Windows
Mobile operating system
  1. iOS
Could you explain 2FA a little more for me and give any tips on how to best set it up?

@NAS Newbie check out this recent article from Pcworld.com regarding 2FA; it’s a pretty decent write up and will help you understand it a little more. Hope you’ve made some progress with your project.

 

fredbert

Moderator
NAS Support
Subscriber
2,585
1,047
NAS
DS1520+, DS218+, DS215j
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
I wouldn't rely SMS 2FA for any important services. Let me rephrase that: I wouldn't use SMS 2FA for anything.

There have been too many incidents of people finding that their mobile phone operator has believed scammers and issued replacement SIM. Once this happens the 2FA PIN gets SMS'ed to the scammer's phone.

Mobile phone customer services are not set up to provide strong authentication support for banks etc.

The 2FA used in DSM uses apps like Google Authenticator to generate a time-base one time password (TOTP).
 

NAS Newbie

Subscriber
449
89
NAS
DS220+, DS918+, RS1219+
Operating system
  1. Windows
Mobile operating system
  1. Android
@NAS Newbie check out this recent article from Pcworld.com regarding 2FA; it’s a pretty decent write up and will help you understand it a little more. Hope you’ve made some progress with your project.

Thanks. I understand the concept of 2FA well enough I think, I was more wondering as to how to best implement it and what athenticators were best. I switched from google's over to Authy, and like it so far.

I'm getting closer to getting things set up how I want it I think. Still have to figure out how to change the default port, and there's several other little questions I'll probably throw into a separate post in the future.
 
367
74
NAS
RS820+, DS718+
Operating system
  1. Windows
Mobile operating system
  1. iOS
I wouldn't rely SMS 2FA for any important services. Let me rephrase that: I wouldn't use SMS 2FA for anything.

Agree 100%, it’s crazy to this method is still being used out there, especially with major financial institutions.
 

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Similar threads

  • Question
PF will help you for sure much more then syno fw
Replies
4
Views
110
If you are using Android, just choose "Continue" when screen mentioning "Certificate" appears after sign-in.
Replies
27
Views
3,507
This could be a job for… Renowned, conspiracy theorist at night and international diplomacy expert by...
Replies
32
Views
4,811

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Trending threads

Top