Threat Prevention Protecting Docker application

NAS: DS720+; Router: RT2600ac; Operating system: macOS; Mobile operating system: iOS

Hello

I am very new here and have already found some information. I have been using Synology NAS since 2015.

An application runs in Docker that must be accessible from the outside via HTTPS and a reverse proxy (port forwarding 443). This means that anyone who knows the DynDNS address can access the login page. I have set up the application in question with a strong password, a complicated user name and 2FA.

The firewall in the Synology is set up quite well with a few rules (as far as I can tell) and also provides some protection.

My understanding is that the possible DSM security settings - besides the firewall - are not effective for applications running in Docker. Especially the one that blocks an IP after several failed login attempts.

An unused RT2600ac is still available. My idea is to use it in bridge mode - as a switch, so to speak - and place the Synology behind it.

The question is, does this increase security at all if the "Threat Prevention" app possible on the RT2600ac is active? For example, would this provide protection against brute force/rainbow table attacks?

I am familiar with "Fail2Ban". But the installation is beyond my skills.

Best regards

And yes, I use deepl.com for the translation from German. :)

Translated with www.DeepL.com/Translator (free version)
 
> This means that anyone who knows the DynDNS address can access the login page. I have set up the application in question with a strong password, a complicated user name and 2FA.

Would using a reverse proxy access list be something that you can configure in order to further harden your security for that app?
 
> Would using a reverse proxy access list be something that you can configure in order to further harden your security for that app?

That sounds interesting. I will find out more about this topic. I think I might be able to do it. Thank you very much for the suggestion.
 
This is something I do to limit access to some of my reverse proxies and virtual hosts (Web Station). For these I have created an Access Control Profile that allows access from my LAN and VPN subnets, then denies from everywhere else.

For example, just the LAN:
[Image: screenshot of the Access Control Profile, 1645001107770.png]

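As an added example (not code from this thread or from Synology), here are the two ideas above in Python: an allow-list check of the client address against LAN and VPN subnets, like the Access Control Profile, and a failed-login counter over constructed nginx-style access-log lines, the kind of check the original poster says DSM's auto-block does not apply to an app behind the reverse proxy. The subnets, thresholds, the /login path and the log lines are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Subnets allowed to reach the app: the LAN and VPN ranges an Access Control
# Profile would permit, everything else denied (assumed example values).
ALLOWED_SUBNETS = [ipaddress.ip_network("192.168.1.0/24"),
                   ipaddress.ip_network("10.8.0.0/24")]
MAX_FAILURES = 5                # assumed threshold
WINDOW = timedelta(minutes=10)  # assumed sliding window

# nginx "combined"-style access log line; only the fields used are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample log lines (not from any real deployment).
SAMPLE_LOG = [f'203.0.113.7 - - [16/Feb/2022:10:00:0{i} +0100] "POST /login HTTP/1.1" 401 512'
              for i in range(5)] + [
    '192.168.1.20 - - [16/Feb/2022:10:00:10 +0100] "POST /login HTTP/1.1" 200 1024',
    '198.51.100.9 - - [16/Feb/2022:10:00:12 +0100] "POST /login HTTP/1.1" 401 512',
    '198.51.100.9 - - [16/Feb/2022:10:30:00 +0100] "POST /login HTTP/1.1" 401 512',
]

def is_allowed(ip: str) -> bool:
    """Access-list check: True only if the client address is inside an allowed subnet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_SUBNETS)

def parse(line: str):
    # Returns (ip, timestamp, method, path, status) or None for unparseable lines.
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])

def failed_login_offenders(lines, login_path="/login"):
    """Return the client IPs that reached MAX_FAILURES failed login POSTs within WINDOW."""
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    offenders = set()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or path != login_path or status not in (401, 403):
            continue
        # Sliding window: keep only failures no older than WINDOW before this one.
        recent = [t for t in failures[ip] if ts - t <= WINDOW] + [ts]
        failures[ip] = recent
        if len(recent) >= MAX_FAILURES:
            offenders.add(ip)
    return offenders
```

The offender set is what a firewall deny rule or a ban list would be fed; the sample yields only 203.0.113.7, since 198.51.100.9's two failures fall outside one window.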
Using the RT2600ac in bridge mode is interesting, as I've not done it, and if it works it would turn it into an inline IDPS. Failing that, what I would consider is:
  1. Use the RT2600ac in router mode (WiFi can be disabled)
    1. WAN port on the home LAN.
    2. LAN side has a new subnet.
  2. On the DS720+ use the second 1GbE interface
    1. Connect it to the RT2600ac LAN.
    2. Configure it to have an RT2600ac LAN interface.
  3. At the Internet router, NAT inbound TCP 443 to the RT2600ac.
  4. At the RT2600ac NAT TCP 443 to the NAS's 2nd interface IP.
  5. LE certificates, if creating and using them from within Control Panel, will probably need TCP 80 similarly NAT'ed.
  6. Consider making the NAS's second interface the default, so its default route to the Internet is always via the RT2600ac.
You could do this for other exposed ports too. This should still allow LAN devices to access the NAS using the first 1GbE interface, which means any discovery services (e.g. Media Server, etc.) will still work.

I've probably missed something but it is how I would start testing out if this is a viable solution.
 
Thank you for the explanation. I'll have to take a look at it and understand it. I have one question. If I proceed in this way, can I get through to the NAS (in the subnet) via WLAN (not that of the RT2600ac) without any problems?
 
The idea would be that the current LAN devices would still access via NAS interface 1, which would still be on the LAN. Any inbound connection to the NAS would be answered via the same interface, so if it arrived on LAN port 1 it would reply via LAN port 1. The only open question is the broadcast discovery services: would they use only the default interface, or both? I don't know the answer.

The intention would be to use NAS LAN port 2 as the Internet facing interface, so traffic will come to it this way. Leaving NAS LAN port 1 as a local interface for the home LAN.

As I said, it's what I would try, hoping it works. But there's no guarantee it will be 100% successful, probably a compromise, or maybe not. Make a plan and include steps to roll back.
 