Please help me understand making my NAS secure.

Telos

NAS
DS418play, DS213j, DS3622+, DSM 7.1.4-11091
Agree 100%, it’s crazy that this method is still being used out there, especially with major financial institutions.
I've run into that and was offered a Symantec app for 2FA. But why? I don't want a separate 2FA device for every website.
 
NAS
RS820+, DS718+
I've run into that and was offered a Symantec app for 2FA. But why? I don't want a separate 2FA device for every website.

Yup, one of my accounts is the same, only Symantec is available. I’ve put in a suggestion to open it up to other 2FA devices. Eventually I think you’ll see 2FA continue to increase in use and roll out. Even an app like Uber rolled out 2FA for their platform.
 
NAS
Synology DS218
Firstly can I say thanks for all of this thread. It’s been a great read for a newbie like me.

So to wrap this all up: super-duper passwords, DDNS created, firewall activated, 2FA activated, Account Protection/Auto block enabled, Let's Encrypt security key activated, default port changed... probably something else I missed. On a scale of 1-10, 10 being good, how secure am I? Would you trust sensitive data on this setup? I realize nothing is 100% secure, but would like to get as close as possible. I guess I inherited some of that tin-foil hat of my dad's that always drove me nuts as a kid.

How do the above compare to the below setup in terms of security?

super-duper passwords, no DDNS but instead access via QuickConnect with no automatic port forwarding enabled, VPN set up with NordVPN, firewall activated, 2FA activated, Account Protection/Auto block enabled, Let's Encrypt security key activated.

I don’t want to mess around with ports if I can avoid it (but will do if the above is deemed loose-ish in terms of security).

Many thanks!
 
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
No DDNS but instead access via QuickConnect with no automatic port forwarding enabled
It’s up to your trust level in Synology :)
If I can avoid it, I would.
 
NAS
DS416play ; DSM 6.2.2-24922 Update 2 (software regularly updated, even if I forget to change my forum profile)
For extra security, I tried setting up the firewall on my DSM as suggested in other forums, for 'All interfaces' as follows:
1. Allow LAN IP range (192.168.1.1 > 192.168.1.255)
2. Allow country (UK)
3. Deny ALL

However, doing this broke the DHCP server feature, and devices on my LAN (LAN1) were not being assigned their correct IP addresses (my DiskStation acts as the DHCP server on my LAN), and thus PCs failed to pick up the network after reboots as they were creating their own random IP addresses. I have turned those firewall options off again, and DHCP is now working again.

I am also running a VPN (NordVPN) on the NAS, but not usually on my other LAN-connected equipment, in case that makes any difference as to how I should be doing this. (AFAIK, LAN traffic should not be going via the VPN anyway)

Any suggestions? Thanks.

Andre
 

jeyare

Subscriber
1,965
641
For extra security, I tried setting up the firewall on my DSM as suggested in other forums, for 'All interfaces' as follows:
1. Allow LAN IP range (192.168.1.1 > 192.168.1.255)
2. Allow country (UK)
3. Deny ALL

However, doing this broke the DHCP server feature, and devices on my LAN (LAN1) were not being assigned their correct IP addresses (my DiskStation acts as the DHCP server on my LAN), and thus PCs failed to pick up the network after reboots as they were creating their own random IP addresses. I have turned those firewall options off again, and DHCP is now working again.

Andre

Andre,
use a fixed IP for each of your known LAN-connected devices (laptop, phones, printer, etc.). You can get:
- a clean IP range for your devices
- then you can better manage connections within the LAN
- then you can better analyze unexpected activity in your LAN (logs from your router, NAS, etc.)
- then you can reduce the range of IPs allowed to reach your NAS (controlled by the fixed IP range).
It will take 2 minutes/device, but you get an additional level of control.

Re: how to save your health with the router setup (for newbies):
- if you have a leased router from your ISP (Internet Service Provider) - check the vendor/model and Google whether there is a known public admin account (tons of them are available). Try it; if yes, contact your ISP to reset this account or change the user/password (or just the password). Same action for your own router (but directly change the admin user/password). Same action for the publicly known user/guest accounts.
- for a strong password use >20 characters (mixed Aa, 1, #). A good habit is to write it down somewhere (Bitwarden, ...)
- depending on your router HW/SW, try to switch on the router-level firewall (even a small level of security is better than zero)
- if your router is too weak (no reset of the admin account is possible) or you have an irresponsible ISP (a frequent situation), purchase a new one - your own. The router price is still below the cost of ransomware. You can still use the old one for the "bridge" connection (but not for management of your LAN).
 
NAS
DS416play ; DSM 6.2.2-24922 Update 2 (software regularly updated, even if I forget to change my forum profile)
Hard-coding the IP addresses of all devices on the network is not really an option; there are at least 50 in my current DHCP mapping on the DiskStation (including family phones, tablets, media equipment, printers, PCs/laptops, etc.) - and then there are devices which might be needed ad hoc, such as friends' phones etc. (which need to be mapped to spare locations in the valid local range). A few are hard-coded, such as the NAS itself, router, networked printers and media hub.

I have no default 'admin' or 'guest' accounts active on my NAS, but my wireless router (a decent spec Netgear Nighthawk R8000) only supports the username 'admin' (its password has been changed though). My broadband router runs in plain modem mode, and does not have any account name per se, just a login password (which I have changed from the default).

Still would like to set the NAS firewall though, without breaking its DHCP server.

Oh, and just a thought, but would allowing only UK locations (for example) break Synology's Download app for bittorrent operations via the VPN?

Andre
 
NAS
RS820+, DS718+
For extra security, I tried setting up the firewall on my DSM as suggested in other forums, for 'All interfaces' as follows:
1. Allow LAN IP range (192.168.1.1 > 192.168.1.255)
2. Allow country (UK)
3. Deny ALL

However, doing this broke the DHCP server feature, and devices on my LAN (LAN1) were not being assigned their correct IP addresses (my DiskStation acts as the DHCP server on my LAN), and thus PCs failed to pick up the network after reboots as they were creating their own random IP addresses. I have turned those firewall options off again, and DHCP is now working again.

I am also running a VPN (NordVPN) on the NAS, but not usually on my other LAN-connected equipment, in case that makes any difference as to how I should be doing this. (AFAIK, LAN traffic should not be going via the VPN anyway)

Any suggestions? Thanks.

Andre

Andre,

You have to add the DHCP services to the firewall rules. However, it cannot be limited to just the local LAN subnet of 192.168.1.0/24.

Before a device grabs a DHCP address it may have an address of 0.0.0.0, which technically would be denied by your set of rules from talking to the DHCP server. Additionally, a device may grab what’s called an APIPA address (Automatic Private IP Addressing) before actually being assigned an IP address from DHCP. In this case you may have seen devices on the 169.254.x.x subnet; Windows computers were notorious for this and a reboot would fix it; the device would grab a local IP. Again this technically would be denied by the firewall, since these local IP addresses would be denied according to your current rule set.

This is the reason why DHCP is failing; I had this same issue. Regarding a resolution, maybe someone here can offer some best practices. However, I just decided to add a rule which would allow all local types of private IP subnets to talk to the DHCP server so that devices can grab an IP address.
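The rule evaluation described above, as an added example that is not part of the original post or of Synology's code: a small Python model of the DSM firewall's top-to-bottom, first-match processing, run against constructed DHCP and non-DHCP packets. It shows why Andre's "allow LAN range / allow country / deny all" list blocks clients that do not yet hold a lease or that fell back to 169.254.x.x, why a DHCP allow rule that is itself restricted to the LAN subnet still fails, and how an unrestricted DHCP allow rule in front of the list fixes it. The GeoIP range, the sample addresses and the rule names are assumptions made for the example.

```python
# Added example (not from the forum thread): a first-match model of the DSM
# firewall rule set Andre posted, run against constructed packets. It shows why
# "allow LAN range / allow country / deny all" blocks DHCP clients, why a DHCP
# allow rule restricted to the LAN subnet still fails, and how an unrestricted
# DHCP allow rule fixes it. The GeoIP table is a hypothetical stand-in.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List

# Hypothetical GeoIP data standing in for DSM's country lookup (constructed).
UK_RANGES = [ip_network("81.2.69.0/24")]

@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int

@dataclass
class Rule:
    name: str
    action: str         # "allow" or "deny"
    match: Callable[[Packet], bool]

# Andre's "Allow LAN IP range (192.168.1.1 > 192.168.1.255)"
LAN_FIRST, LAN_LAST = ip_address("192.168.1.1"), ip_address("192.168.1.255")

def in_lan_range(p: Packet) -> bool:
    return LAN_FIRST <= ip_address(p.src) <= LAN_LAST

def from_uk(p: Packet) -> bool:
    return any(ip_address(p.src) in net for net in UK_RANGES)

def is_dhcp(p: Packet) -> bool:
    # DHCPv4 runs over UDP ports 67 (server) and 68 (client)
    return p.proto == "udp" and p.dport in (67, 68)

def evaluate(rules: List[Rule], p: Packet) -> str:
    """DSM walks the rules top to bottom; the first match decides.
    With a trailing 'deny all' the default action never applies."""
    for r in rules:
        if r.match(p):
            return r.action
    return "allow"

# Andre's original rule set for "All interfaces"
BROKEN_RULES = [
    Rule("allow LAN range", "allow", in_lan_range),
    Rule("allow country UK", "allow", from_uk),
    Rule("deny all", "deny", lambda p: True),
]
# A DHCP rule that is itself limited to the LAN subnet does not help ...
NARROW_RULES = [Rule("allow DHCP from LAN only", "allow",
                     lambda p: is_dhcp(p) and in_lan_range(p))] + BROKEN_RULES
# ... whereas an unrestricted DHCP rule in front of the list does.
FIXED_RULES = [Rule("allow DHCPv4", "allow", is_dhcp)] + BROKEN_RULES

# Constructed sample traffic towards the NAS at 192.168.1.1
SAMPLES: Dict[str, Packet] = {
    "dhcp_discover": Packet("0.0.0.0", "255.255.255.255", "udp", 67),   # no lease yet
    "apipa_renew":   Packet("169.254.23.7", "192.168.1.1", "udp", 67),   # APIPA fallback
    "lan_smb":       Packet("192.168.1.20", "192.168.1.1", "tcp", 445),
    "uk_dsm":        Packet("81.2.69.10", "192.168.1.1", "tcp", 5001),
    "foreign_ssh":   Packet("203.0.113.9", "192.168.1.1", "tcp", 22),    # TEST-NET-3
}

def decisions(rules: List[Rule]) -> Dict[str, str]:
    """Verdict for every sample packet under the given rule list."""
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN_RULES), ("narrow", NARROW_RULES),
                         ("fixed", FIXED_RULES)):
        print(f"{label:7s} {decisions(rules)}")
```

The 0.0.0.0 source is the part that catches people out: a client with no lease cannot appear in any "allow LAN range" rule, so the DHCP rule has to match on the service, not on the source address.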
 

jeyare

and last - for the router (LAN/NAS) security - definitely disable the TR-069 management protocol (if you can find it in the router setup).
Reason:
TR-069 is a management protocol for CPE (Customer Premises Equipment = any equipment = router/modem) used by customers, which can be managed by the ISP's remote access configuration server.
Here is a reason why: YT link
This protocol has really interesting remote management features, but it is also as leaky as Swiss cheese, especially when the ISP uses remote communication based on plain HTTP (major big European ISPs, not just small local one-man shows).
 

jeyare

Hard-coding the IP addresses of all devices on the network is not really an option, there are at least 50 in my current DHCP mapping on the DiskStation (including family phones, tablets, media equipment, printers, PCs/laptops, etc) - and then there are devices which might be needed ad hoc, such as friend's phones etc (which need to be mapped to spare locations in the valid local range). A few are hard-coded, such as the NAS itself, router, networked printers and media hub.

Andre

50 devices is a pretty small group; don't hesitate, in comparison with what you can get.

then for the ad-hoc usage - use just a limited DHCP range (better way: an additional VLAN)
for those who think about a new router - an integrated WiFi hotspot feature (including captive portal) is a pretty fine option on your "shopping list of features", even for family friends/visitors usage (I don't need to care about who else has the password to my WiFi). I like it in my architecture from Ubiquiti UniFi.
 

Telos

NAS
DS418play, DS213j, DS3622+, DSM 7.1.4-11091
For extra security, I tried setting up the firewall on my DSM as suggested in other forums, for 'All interfaces'
Instead of "All interfaces" create those rules for your LAN, ie, "LAN1". Problem solved.
 
NAS
DS416play ; DSM 6.2.2-24922 Update 2 (software regularly updated, even if I forget to change my forum profile)
So, I've now set the firewall rules as follows:

1. Allow Applications DHCPv4 and DHCPv6
2. Allow Applications Download, BT, BT
3. Allow IP range 192.168.1.0 > 192.168.1.255
4. Allow location GB(UK)
5. Deny ALL

DHCP seems to be working now, and even if I forget to open a new country when I'm travelling I can always use a VPN on the laptop to fake the UK to get in to change the settings. I assume that replies to outgoing traffic (e.g. my NAS trying to check for updates with Synology's US-based server) don't need to be opened specifically?

Without going too far down the rabbit hole of manual IP addresses or creating VLANs, this seems to solve my initial problem.

Andre
 

fredbert

Moderator
NAS
DS1520+, DS218+, DS215j
Router
  1. RT2600ac
  2. MR2200ac
I assume that replies to outgoing traffic (e.g. my NAS trying to check for updates with Synology's US-based server) don't need to be opened specifically?

The firewall in DSM and SRM is a stateful firewall. This means that connections are tracked in a state table and the back-and-forth packets between the initiating (source) device and the destination device are monitored to ensure that the right responses are sent. While TCP is stateful and obviously trackable in a stateful firewall, UDP is stateless, but a stateful firewall will assign a pseudo-state and monitor it because there can be replies. This is why the DSM/SRM firewall rules are only defined for the initial connection (source to destination) and there is no need for a corresponding reverse rule (destination to source).

The even older packet-filter 'firewall' technology would require both the forward and reverse rules and didn't monitor packets in the same connection session.

There is an exception (from memory, when I used to build Check Point firewalls) for some other IP protocols, such as ICMP, which require forward and reverse rules. For example, ping uses two ICMP control messages: echo-request and echo-reply. You need to have rules for both. Having said this, I find I can ping out onto the Internet and get the replies, and that implies that some rules are hidden in the SRM firewall (and other home routers).
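To make the connection-tracking behaviour concrete, here is an added example (not fredbert's or Synology's code) of a toy stateful firewall in Python: rules describe only the initiating direction, replies are admitted from a state table rather than by a reverse rule, UDP gets a timed pseudo-state, and an ICMP echo-reply is matched to the echo-request that caused it. The packet model, the addresses (documentation ranges), the timeouts and the "outbound only" policy are constructed for the example.

```python
# Added example (not from the thread): a toy stateful firewall illustrating why
# DSM/SRM rules are written for the initiating direction only. Replies are
# matched against a connection table; TCP entries are created on an outbound
# SYN, UDP gets a pseudo-state with a short timeout, and an ICMP echo-reply is
# matched to its echo-request by identifier. All values are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Pkt:
    direction: str        # "out" = NAS to Internet, "in" = Internet to NAS
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0        # for icmp: the echo identifier
    dport: int = 0        # for icmp: the ICMP type
    flags: str = ""       # tcp: "SYN", "SYN-ACK", "ACK" or ""
    ts: float = 0.0       # arrival time in seconds

UDP_TIMEOUT = 30.0        # constructed pseudo-state lifetime for UDP
ICMP_TIMEOUT = 5.0
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8

class StatefulFirewall:
    def __init__(self) -> None:
        # 5-tuple of the initiating packet -> expiry time (None = until TCP teardown)
        self.table: Dict[Tuple, Optional[float]] = {}

    @staticmethod
    def policy_allows(p: Pkt) -> bool:
        """The rule set only describes initiating packets. Constructed policy:
        the NAS may open anything outbound; no inbound connection is permitted."""
        return p.direction == "out"

    @staticmethod
    def key(p: Pkt) -> Tuple:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def reply_key(p: Pkt) -> Tuple:
        """The state-table key this packet would be a reply to."""
        if p.proto == "icmp":
            # echo-reply (type 0) answers echo-request (type 8) with the same id
            return ("icmp", p.dst, p.sport, p.src, ICMP_ECHO_REQUEST)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _expire(self, now: float) -> None:
        for k, exp in list(self.table.items()):
            if exp is not None and exp < now:
                del self.table[k]

    def handle(self, p: Pkt) -> str:
        self._expire(p.ts)
        # 1) A reply to a tracked connection needs no rule of its own.
        if self.reply_key(p) in self.table:
            return "allow (state)"
        # 2) Anything else is a new connection and must match the rule set.
        if not self.policy_allows(p):
            return "deny"
        if p.proto == "tcp" and p.flags == "SYN":
            self.table[self.key(p)] = None
        elif p.proto == "udp":
            self.table[self.key(p)] = p.ts + UDP_TIMEOUT   # pseudo-state
        elif p.proto == "icmp" and p.dport == ICMP_ECHO_REQUEST:
            self.table[self.key(p)] = p.ts + ICMP_TIMEOUT
        return "allow (rule)"

# Constructed addresses: the NAS and three Internet hosts in documentation ranges
NAS, UPDATE_SRV, DNS_SRV, STRANGER = "192.168.1.10", "198.51.100.10", "198.51.100.53", "203.0.113.66"

def run_scenario() -> List[str]:
    """Verdicts for a constructed packet sequence, in order."""
    fw = StatefulFirewall()
    return [
        fw.handle(Pkt("out", "tcp", NAS, UPDATE_SRV, 51000, 443, "SYN", 0.0)),    # update check
        fw.handle(Pkt("in", "tcp", UPDATE_SRV, NAS, 443, 51000, "SYN-ACK", 0.1)), # its reply
        fw.handle(Pkt("in", "tcp", STRANGER, NAS, 40000, 5001, "SYN", 0.2)),      # unsolicited
        fw.handle(Pkt("out", "udp", NAS, DNS_SRV, 53001, 53, "", 1.0)),           # DNS query
        fw.handle(Pkt("in", "udp", DNS_SRV, NAS, 53, 53001, "", 1.2)),            # answer in time
        fw.handle(Pkt("in", "udp", DNS_SRV, NAS, 53, 53001, "", 40.0)),           # after timeout
        fw.handle(Pkt("out", "icmp", NAS, UPDATE_SRV, 777, ICMP_ECHO_REQUEST, "", 50.0)),
        fw.handle(Pkt("in", "icmp", UPDATE_SRV, NAS, 777, ICMP_ECHO_REPLY, "", 50.1)),
    ]

if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The late DNS "answer" is the UDP pseudo-state in action: once the timer runs out the packet is treated as a new inbound connection and falls back to the rule set, which is why the reply window for UDP is kept short in real firewalls.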
 

jeyare

... and if I even forget to open a new country when I'm travelling I can always use a VPN on the laptop to fake the UK to get in to change the settings.

Without going too far down the rabbit hole of manual IP addresses or creating VLANs, this seems to solve my initial problem.

Andre

... don't forget that people from the dark side of the moon can use UK IPs too ...

then router security can help your whole LAN (incl. NAS)
 
NAS
DS918+, DS414j
Hmm, I followed this, and when I set the Deny rule it stops all my containers from working (I can't connect to them remotely and they stop communicating with each other). I've set it on all interfaces. Where have I gone wrong? Hmm.. It also seems to stop the containers accessing the internet.
 
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
Hi,

I’ve noticed the same when I started using Docker with some containers that define and use their own subnets. My solution was to add them to the firewall with an allow rule, just like I’ve added the NAS’ subnet.

For example, for AdGuard, I’ve added:
All, all, 192.168.11.0/255.255.255.0

There might be another way, I’m not sure. But the above works fine for me.
 
NAS
DS918+, DS414j
Thanks... In case it helps anyone else:
awk 'END{print $1}' /etc/hosts
Will tell you the IP address for a container when run from a bash terminal.

That appears to have solved it perfectly.
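As an added example (not the poster's command or Synology's code), here is a Python equivalent of that lookup that also derives the allow rule described in the AdGuard reply above: it picks the last non-loopback IPv4 entry from a constructed Docker-style /etc/hosts, skipping comments and IPv6 lines that would make the awk one-liner print the wrong field, and reports whether the container's subnet is already covered by an existing allow rule. The hosts content, the allowed-network list and the 255.255.255.0 mask are constructed assumptions.

```python
# Added example (not from the thread): derive the firewall allow rule for a
# Docker container's network from a Docker-style /etc/hosts, as the awk
# one-liner above does, but skipping comments, blank lines, IPv6 and loopback
# entries. Hosts content, allowed networks and the /24 mask are constructed.
from ipaddress import IPv4Address, IPv4Network, ip_address
from typing import List, Optional

# Constructed: what /etc/hosts typically looks like inside a container, plus a
# trailing comment line that makes `awk 'END{print $1}'` print "#" instead.
SAMPLE_HOSTS = """\
127.0.0.1\tlocalhost
::1\tlocalhost ip6-localhost ip6-loopback
fe00::0\tip6-localnet
ff02::1\tip6-allnodes
192.168.11.4\tadguard
# end of file
"""

ALLOWED_NETWORKS = [IPv4Network("192.168.1.0/24")]   # allow rules already present

def awk_end_print_1(hosts_text: str) -> str:
    """What `awk 'END{print $1}'` prints: field 1 of the last line, whatever it is."""
    lines = hosts_text.splitlines()
    return lines[-1].split()[0] if lines and lines[-1].split() else ""

def container_ipv4(hosts_text: str) -> Optional[IPv4Address]:
    """Return the last non-loopback IPv4 address listed in /etc/hosts."""
    found = None
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        try:
            addr = ip_address(line.split()[0])
        except ValueError:
            continue                              # not an address field
        if addr.version == 4 and not addr.is_loopback:
            found = addr
    return found

def network_for(addr: IPv4Address, mask: str = "255.255.255.0") -> IPv4Network:
    """The subnet to allow, using the mask the AdGuard rule above used."""
    return IPv4Network(f"{addr}/{mask}", strict=False)

def missing_allow_rule(hosts_text: str,
                       allowed: List[IPv4Network] = ALLOWED_NETWORKS) -> Optional[str]:
    """DSM-style rule text 'All, all, <net>/<mask>' if the container's subnet is
    not yet covered by an existing allow rule; None if it already is."""
    addr = container_ipv4(hosts_text)
    if addr is None:
        return None
    net = network_for(addr)
    if any(net.subnet_of(a) for a in allowed):
        return None
    return f"All, all, {net.network_address}/{net.netmask}"

if __name__ == "__main__":
    print("awk would print:", repr(awk_end_print_1(SAMPLE_HOSTS)))
    print("container address:", container_ipv4(SAMPLE_HOSTS))
    print("rule to add:", missing_allow_rule(SAMPLE_HOSTS))
```

Run from inside the container (or against a copy of its /etc/hosts), this gives the same answer as the awk command when the file is tidy, and the right answer when it is not.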
 
