Ports 5000 and 5001 and DS-Apps

50
21
NAS
DS218+
On my iPhone and iPad I have several DS apps: photo, file, audio, video, finder. My router is a BT Smart Hub, although I think this is not important, as such. I can access the router via xxxx.synology.me - i.e. externally rather than internally via Wifi for this post. Additionally, again probably not important here, is the use of 2 step verification via the LastPass Authenticator app.

I understand the DS apps use ports 5000 and 5001, of which I believe 5001 is secure (HTTPS). For security, do I need to have port 5000 enabled in my router? I enabled originally but have now disabled 5000 and all seems OK. It seems to me that the two ports are like an open door (5000) and a locked door (5001); it seems sensible just to use 5001 and block 5000 unless I am missing something important.... (Obviously some other apps, e.g. non-DS, may not handle 5001.)

Btw, I have read that some people have moved 5000/5001 to other port numbers. This seems to me to gain little as a port scanner will find the new ports, even though it may take a bit more work to verify that the new numbers simply correlate to the old numbers.
 
1,106
362
NAS
DS418play, DS213j, DS3621+, DSM 7.0.4-11091
> do I need to have port 5000 enabled in my router

I would not forward the HTTP port unless a DSapp won't work under HTTPS (DSVideo may have issues).

> I have read that some people have moved 5000/5001 to other port numbers. This seems to me to gain little as a port scanner will find the new ports

True. However, it does keep the script kiddies from banging on your door all night long. I would just leave 5000/5001 alone and use port forwarding redirection on the router... for example...

25001>5001.

A small downside of changing ports is that you will need to add the port number to the URL the DSapps use.
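
A way to confirm the forwarding discussed above from outside the LAN (for example over mobile data), as an added example that is not part of any post in this thread. The function names `probe` and `audit` are illustrative, and the policy assumes the 25001>5001 redirection from the reply above with port 5000 left unforwarded.

```python
import socket
import ssl
import sys

def probe(host, port, timeout=3.0):
    """Classify a TCP port as 'unreachable', 'plaintext' or 'tls'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"          # refused, filtered or timed out
    # Verification is off on purpose: the question here is only
    # "does this listener speak TLS?", not "is its certificate valid?".
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host):
            return "tls"
    except OSError:                   # handshake failed or timed out
        return "plaintext"
    finally:
        sock.close()

def audit(host, policy, timeout=3.0):
    """Return (port, expected, actual) for every port that breaks the policy."""
    findings = []
    for port, expected in sorted(policy.items()):
        actual = probe(host, port, timeout)
        if actual != expected:
            findings.append((port, expected, actual))
    return findings

# Policy taken from the thread (port numbers are the ones posted above):
# 5000 (HTTP) is not forwarded, external 25001 -> 5001 (HTTPS) answers with TLS.
THREAD_POLICY = {5000: "unreachable", 25001: "tls"}

if __name__ == "__main__":
    host = sys.argv[1]                # your own DDNS name, e.g. xxxx.synology.me
    for port, expected, actual in audit(host, THREAD_POLICY):
        print(f"port {port}: expected {expected}, got {actual}")
```

No output means the router matches the policy; a line such as "port 5000: expected unreachable, got plaintext" means the HTTP port is still forwarded.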
 
50
21
NAS
DS218+
Thanks Telos. I will take your advice and change the port number. Cannot do any harm and can do good.
 
50
21
NAS
DS218+
Something to note from above: DS Photo uses port 443 and not 5001 as used by the other DS apps I listed.
 
326
125
NAS
DS212J, DS214play, DS216, DS216play, DS414, DS918+, RS816
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. Windows
Mobile operating system
  1. iOS
"It seems to me that the two ports are like an open door (5000) and a locked door (5001)".

So, I'm not sure what you mean by this. Using 5001 (the SSL port) does NOTHING to protect the server, or to secure the server (except that the login and password are sent from the client to the server encrypted rather than in the clear, so someone sniffing traffic between the client and server can't discover the login and password).

The purposes of SSL are to ensure that communications between the server and client are encrypted, and to assure the client that they are talking to the server they think they're talking to (and not some other server masquerading as the intended server). But using SSL does not present a "locked door" in any way.

If you want to protect the server from unauthorized access over the internet, your best bet is probably to use two factor authentication, and/or close it to the internet entirely, except for a VPN connection established through your router.

The latter would require that, prior to using the Synology apps on the phone, you connect the phone to the router using VPN, e.g., OpenVPN or, if you have a Synology router, VPN Plus.
 
50
21
NAS
DS218+
Thanks. Good point. My analogy was incorrect. It is the ‘communication’ which is encrypted, rather than the port itself.

2 step authentication already implemented.
 
96
27
> Thanks. Good point. My analogy was incorrect. It is the ‘communication’ which is encrypted, rather than the port itself.
>
> 2 step authentication already implemented.

Best practice is to teach yourself not to open and forward too many ports in the router. Try to do everything through VPN.

I’ve set up VPNServer on my NAS and OpenVPN client on all the mobile devices and laptops that need to connect from the outside to the NAS. Also I have regional blocks in the firewall for extra security on the open ports. This way I hope to minimize a security breach; not 100 percent waterproof, but better than opening a lot of unnecessary ports.
 
50
21
NAS
DS218+
Thank you for your comment. Currently down to only 2 ports open.

>>VPNServer on my NAS and OpenVPN client
I know very little, apart from the total basics, about VPN; so I think that it is a good time to start learning.

Am I correct in understanding that, in your use, the OpenVPN client is simply being used as the client - i.e. you have no need for an OpenVPN account?
 

Shadow

Subscriber
552
177
NAS
DS216+II, DS118, DS718+
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. Windows
Mobile operating system
  1. Android
> Am I correct in understanding that, in your use, the OpenVPN client is simply being used as the client - i.e. you have no need for an OpenVPN account?

Correct. When you log in via OpenVPN that is running on your NAS, you'd log in with an account you created on your NAS (considering you've also given it OpenVPN permissions).
 
50
21
NAS
DS218+
Installing the VPN server, etc. was fairly straightforward. VPN is now up and running.

A couple of points, which will be totally obvious to everyone else, but in case anyone wonders I thought I would post them here.

1) I am using DDNS (e.g. ####.synology.me), but all the info for editing the Synology VPN Server / OpenVPN config file (VPNConfig.ovpn) suggests an IP address, but with DDNS I do not have an IP address as such. One just uses the DDNS address (e.g. ####.synology.me).

2) VPN showed itself up and running on my iPhone with the VPN symbol along the top of the screen. How to access it caused me to think but then I realised that I was trying to make it too complex. In the Synology VPN Server setup is the IP address 10.8.0.1, which is what is used.

BTW, can this IP address, 10.8.0.1, have a name or is that the only way to address it? (I assume probably not, as with my iPhone Wifi off, trying OpenVPN simply took me through my mobile link to the OpenVPN website.)
 

Shadow

Subscriber
552
177
NAS
DS216+II, DS118, DS718+
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. Windows
Mobile operating system
  1. Android
> BTW, can this IP address, 10.8.0.1, have a name or is that the only way to address it? (I assume probably not, as with my iPhone Wifi off, trying OpenVPN simply took me through my mobile link to the OpenVPN website.)

Don't exactly know what you are saying here.

I've long moved on to Synology VPN that is available in SRM. Back when I was using OpenVPN, I could also get to the NAS using the internal IP (I do everything with DNS name actually). This did require to allow access to the LAN (setting on the OpenVPN server), and to add the OpenVPN subnet as a static route in the router of your network (otherwise, devices in the perimeter network won't know how to communicate with OpenVPN connected devices).
 
50
21
NAS
DS218+
Thanks Shadow.

As per BobW above >> 'I’ve setup VPNServer on my NAS and OpenVPN client on all the mobile devices '

which seemed a good way to start. (As I mentioned previously, I have not done anything with VPNs before, but I found some useful YouTube installation guides.)

I am not using the OpenVPN Server, simply their client, on my iPhone and the server is Synology's. As for LAN access, that can wait and may not be needed.
 
