Please help me understand making my NAS secure.


> I happen to use a laptop (ThinkPad T420s 🤓)

Thank you for the 2FA comments. I once had a Lenovo P52s when I first started working from home. I hope you have good luck with your T420. After my P52s debacle, I'll never own another Lenovo. I'll just say that regardless of your opinion of the quality of the respective equipment, Lenovo's customer service is the worst I've ever experienced while Dell's has been amazing.
 
> I also think that it is odd that 2FA allows for authorization by the same device that is requesting authorization.

The actual device, such as your phone, is not the one providing authorization. It is time based, so the codes are generated through some algorithm, I'm guessing (more advanced guys here can probably further explain). This is the reason why you scan the barcode: it essentially creates a time sync, and an algorithm puts out the codes.

I personally use the app Authy. I started with Google Authenticator when I knew nothing about 2FA, just like you. I then started reading and realized what would happen if I lost my phone (😜😜 aka dropped it in the toilet): I would essentially lose my authenticator, there is no backup and there is no other device where you can get the codes. Authy allows you to turn on multi-device, so in my case I've added my Windows laptop using their desktop app, and then I turn off multi-device as an added security measure. This way at least my codes will be in two places that I have most control over. You can also set up a PIN to access these apps. Someone recently mentioned some issues in the terms & agreements of Authy and privacy; I'm not exactly sure what that is, but for me I will only use what I am 100% comfortable with. Until I can fully understand an open source method (previously mentioned in a 2FA thread) and it provides usability, I haven't been able to find anything better, and that's easier to set up and use than Authy... yet.

It's actually very good that you're reading ahead with 2FA, because it can be a disaster if the authenticator is no longer accessible. I've seen and read the horror stories, and for me, using something like Authy gives me peace of mind that if my computer crashes or my phone with the authenticator is damaged, I have some other way to get in.

I've implemented strong passwords, and none of them are re-used; this with the help of LastPass as a password manager (also 2FA secured).
 
> Thank you for the 2FA comments. I once had a Lenovo P52s when I first started working from home. I hope you have good luck with your T420. After my P52s debacle, I'll never own another Lenovo. I'll just say that regardless of your opinion of the quality of the respective equipment, Lenovo's customer service is the worst I've ever experienced while Dell's has been amazing.

Fortunately, my first Lenovo was a T60 which lasted me about 5 years, and this was only because I dropped it and cracked the hinge. It actually probably still works to this day, if I did a fresh install of Windows.

My T420s I've had since 2011-12 and I've pumped it up with 16 GB of RAM and a Samsung SSD; it's my daily driver and power horse. I have a dock where I can also use up to 3 external monitors plus the laptop screen.

On the side I have my own side business relating to technology and similar stuff; this laptop has been awesome to me. Can't forget to mention the feel of the keyboard, one of the best keyboards I've ever used.
 
> The actual devices, such as your phone, are not the ones providing authorization. It is time based, so the codes are generated through some algorithm, I'm guessing (more advanced guys here can probably further explain). This is the reason why you scan the barcode: it essentially creates a time sync, and an algorithm puts out the codes.

I know that the app is what is generating the code, but the app is linked to my phone which is essentially another key to the safe. It seems to me that allowing the app on my phone to generate the access code with which I can access the NAS is akin to taping the key to the face of the safe. It just seems odd to me is all.
 
I know, however, sometimes I need access from untrusted devices. I've also read about something that sometimes gets screwed up when in a different time zone. Don't know how true that is though. But I'm in a different time zone almost every other month. I've been meaning to look into it and never got to.

Hm, definitely not my expertise. I'm only in different time zones for my once-every-two-years vacation, and now, having a newborn, I'm not going anywhere.
 
> Fortunately, my first Lenovo was a T60 which lasted me about 5 years, and this was only because I dropped it and cracked the hinge. It actually probably still works to this day, if I did a fresh install of Windows.
>
> My T420s I've had since 2011-12 and I've pumped it up with 16 GB of RAM and a Samsung SSD; it's my daily driver and power horse. I have a dock where I can also use up to 3 external monitors plus the laptop screen.
>
> On the side I have my own side business relating to technology and similar stuff; this laptop has been awesome to me. Can't forget to mention the feel of the keyboard, one of the best keyboards I've ever used.

My replacement for the P52s is a Dell Precision 7520: 32 GB RAM & Intel i7-7700HQ. I had to have the Intel for some software I'm running. It is big and clunky and thick compared to the P52, but it runs all the FEA analysis I've thrown at it so far. Have a CalDigit dock on it too, so the keyboard hasn't been an issue.
 
> I know that the app is what is generating the code, but the app is linked to my phone which is essentially another key to the safe. It seems to me that allowing the app on my phone to generate the access code with which I can access the NAS is akin to taping the key to the face of the safe. It just seems odd to me is all.


Put a PIN code on the app.
 
> Hm, definitely not my expertise. I'm only in different time zones for my once-every-two-years vacation, and now, having a newborn, I'm not going anywhere.
I wish I was on vacation every other month ;)
But like you, I have very strong random passwords that are filled in by my password manager when I access my DSs. I've also enabled auto blocking (one of the DSs auto blocks after 1 wrong try).
And I have notifications turned on, so I kind of know what's going on with my NASes.
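Added illustration of what the auto block and notification settings mentioned just above actually do. This is my own code working on a constructed log format, not Synology's implementation or DSM's real log layout: failed logins are counted per source address inside a sliding time window, a trusted-network allowlist stops you locking yourself out from the LAN, and an alert is recorded the moment the threshold trips. The class and function names are mine; `max_failures=1` corresponds to the "block after 1 wrong try" setting.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a made-up format (not real DSM output):
# ISO timestamp, result, attempted user name, source address.
SAMPLE_LOG = """\
2024-05-01T10:00:01+00:00 LOGIN_FAIL user=admin ip=203.0.113.7
2024-05-01T10:00:03+00:00 LOGIN_FAIL user=admin ip=203.0.113.7
2024-05-01T10:00:05+00:00 LOGIN_FAIL user=root ip=203.0.113.7
2024-05-01T10:00:09+00:00 LOGIN_OK user=alice ip=192.168.1.20
2024-05-01T10:00:40+00:00 LOGIN_FAIL user=alice ip=192.168.1.20
2024-05-01T12:00:00+00:00 LOGIN_FAIL user=admin ip=198.51.100.9
2024-05-01T12:30:00+00:00 LOGIN_FAIL user=admin ip=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


class AutoBlocker:
    """Block a source address after `max_failures` failed logins within `window`.
    Addresses inside `allowlist` networks are never blocked, the usual escape hatch
    so a typo from your own LAN does not lock you out of the NAS."""

    def __init__(self, max_failures, window, allowlist=()):
        self.max_failures = max_failures
        self.window = window
        self.allowlist = [ipaddress.ip_network(n) for n in allowlist]
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked = set()
        self.notifications = []              # what the "notifications" setting would send

    def _allowed(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allowlist)

    def observe(self, line):
        """Feed one log line; return True if this line caused a new block."""
        m = LINE_RE.match(line.strip())
        if not m:
            return False                     # unknown line shape: ignore, do not crash
        ip = m["ip"]
        if m["result"] == "LOGIN_OK":
            self.failures.pop(ip, None)      # a success resets that address's counter
            return False
        ts = datetime.fromisoformat(m["ts"])
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()                 # drop failures that fell out of the window
        if (len(recent) >= self.max_failures
                and ip not in self.blocked
                and not self._allowed(ip)):
            self.blocked.add(ip)
            self.notifications.append(
                f"{ts.isoformat()} blocked {ip} after {len(recent)} failed login(s); "
                f"last user name tried: {m['user']}"
            )
            return True
        return False


def run_autoblock(log_text, max_failures=3, window_minutes=5,
                  allowlist=("192.168.1.0/24",)):
    """Replay a log over an AutoBlocker and return it for inspection."""
    blocker = AutoBlocker(max_failures, timedelta(minutes=window_minutes), allowlist)
    for line in log_text.splitlines():
        blocker.observe(line)
    return blocker


if __name__ == "__main__":
    for threshold in (3, 1):
        result = run_autoblock(SAMPLE_LOG, max_failures=threshold)
        print(f"max_failures={threshold}: blocked {sorted(result.blocked)}")
        for note in result.notifications:
            print("  notify:", note)
```

With the default threshold of three, only 203.0.113.7 (three failures in four seconds) is blocked, while 198.51.100.9 is not because its two failures are thirty minutes apart and fall outside the five-minute window. With the "one wrong try" setting, 198.51.100.9 is blocked on its first failure, and the LAN address 192.168.1.20 is still spared by the allowlist. The trade-off the strict setting buys is exactly the one the post hints at: fewer guesses allowed, but one mistyped password from outside the trusted network locks you out until the block expires or you clear it.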
 
ahhh. duh.

There's also a bunch of other methods that probably can be used. On some sites (such as Google) you can use what's called a YubiKey. You may even be able to buy an RSA hardware token key with a digital display on it. So the hardware keychain will show random codes as well, and it's separate from your phone. These can be somewhat expensive, you only have one, and they may need some more advanced knowledge to set up; much more common in corporate environments. I find that Google Authenticator, Authy, or any other software-based authenticator that some of the more advanced guys here suggest may be better. The one thing I stress, especially for a newbie, is to fully understand what you're doing and what could happen if xyz scenario happens.
 
So to wrap this all up: super-duper passwords, DDNS created, firewall activated, 2FA activated, Account Protection/Auto block enabled, Let's Encrypt security key activated, default port changed... probably something else I missed. On a scale of 1-10, 10 being good, how secure am I? Would you trust sensitive data on this setup? I realize nothing is 100% secure, but would like to get as close as possible. I guess I inherited some of that tin-foil hat of my dad's that always drove me nuts as a kid.
 
