Security advice

[Comy]

Hi all,

Small introduction: Used to be a QNAP user for about 6 months and then I got hit with deadbolt ransomware. Even though I made mistakes in securing my NAS (given the fact I was new to this "world"), QNAP was still hit another 2-3 times this year with the same deadbolt virus, which indicated to me that they had to many 0-day exploits, so I decided to move to Synology.

The past aside, I decided to secure my NAS as best I could, and so, I decided to ask your opinion if what I did is good, or if I should do more things to secure the NAS.

I'll mainly use my NAS DS720+ for PLEX (locally and over the internet for family members and friends) and as a working server for me and 1-2 work colleagues (SMB through OVPN).
I have a static public IP address

Steps I already took:

• made sure default admin account and ssh are disabled and enforced harsh password rules for the users
• for plex I set it up so that it uses internal port 32400 (plex default port) on NAS, and a random external port through router (this port is forwarded)
• checked auto block in Security>Protection and account protection in Security>Account (with default settings)
• changed default ports (5000 & 5001) for DSM Web Services in Login Portal. Made a search for Synology on shodan.io and then looked at the top ports used on synology devices, in order to avoid setting a common port that can be used for possible attacks
• enabled snapshot schedule to run every 1 hour with the following retention settings

- enabled firewall and created a profile with rules that should block all IP's from outside my country (Romania), given the fact that the people who will use PLEX & work are not abroad

----------------------------------------------------------------------------------------------------------------------------
Steps I'm thinking about:

1. I still haven't decided if i should use QuickConnect or set up a DDNS. I understand that QuickConnect is the more secure version because it goes through Synology servers, but at the cost of speed? .
Regarding DDNS, I could go two routes:
a) DDNS with Synology service provider
b) DDNS with my ISP service provider (domain go.ro)
Will the fact that I banned all the IP's from outside Romania, be an issue to the QuickConnect or DDNS through Synology?

2. Should I use two factor authentication, or is it overkill?

3. Given the fact that I set up the firewall, should I install an antivirus from the Package Center, and if yes, what do you recommend?

Thank you

 

[Telos]

Romania... Why "all ports"?

AV is useless placebo. Decide for yourself.

 

[Comy]

Regarding the firewall, I did it according to a tutorial for geoip firewall > Synology: How to Correctly Set Up Firewall on DSM 7.
The only port that is opened / forwarded through the router is the external port for PLEX, but I do see your point.
I should just allow the external port for PLEX, the one for HyperBackup (when my secondary NAS arrives and I can set it up) and the one for OVPN, right?

 

[Rusty]

1. I still haven't decided if i should use QuickConnect or set up a DDNS. I understand that QuickConnect is the more secure version because it goes through Synology servers, but at the cost of speed? .

QC goes over TW Syno server, so some might consider that a threat vs using ddns directly towards your IP.

Will the fact that I banned all the IP's from outside Romania, be an issue to the QuickConnect or DDNS through Synology?

No as your ddns service running internally will push the info of your current IP address towards the outside, and FW was to block incoming traffic.

2. Should I use two factor authentication, or is it overkill?

There is never too much security. IMHO, use it.

3. Given the fact that I set up the firewall, should I install an antivirus from the Package Center, and if yes, what do you recommend?

Never used the AV on any NAS system but that doesn't mean it's not a welcome addition. Still will leave it to someone else to comment on that front.

 

[Telos]

Regarding the firewall, I did it according to a tutorial for geoip firewall

A far better resource...

How to Set Up the Firewall on a Synology NAS

In this tutorial, we will look at how to set up the firewall on a Synology NAS. https://www.youtube.com/watch?v=G3BJo4B1GgU When you set up a Synology NAS, the firewall is a feature that many disregard. The firewall

www.wundertech.net

I avoid the site you linked, as I've had many issues with it's content.

 

[Gerard]

I chose to use DDNS in my setup since it’s a direct connection, not tunneled thru synology (thus I think better secure/private; who knows what they’re tracking), and speed since it’s one less man in the middle.

For firewall I too would tighten up “ALL” on everything but your internal lan, and even with the internal lan you can tighten up too. But honestly the Romania rule shouldn’t be all, tighten that up to only what you use. For me I also have my vpn tightened to just my home country, if leaving the country I’ll tick on the additional country(s) that I’d be traveling to.

I ended up implementing a reverse proxy so it’s one port forward for a few services (http/https only; won’t work with HB that you need dedicated port forward on the router).

If you have other users (or even service accounts) on the nas remove services they don’t need or access (ie smb). As an example I have a user who connects using a vpn only account that account cannot access anything not even dsm login or smb. Once they are vpn’d they then access a remote computer which has a different account with all the data and file syncing.

 

[Comy]

Thank you @Telos for the link (followed a couple of wundertech's videos but it seems I didn't search thoroughly enough).

Thank you @Gerard, I'll tighten the firewall rules to ports for the services I actually use/need.

I also set up DDNS last night and I saw in a wundertech video that there are three ways to access DSM remotely
1. through OVPN
2. forwarding the DSM HTTPS port (5001)
3. reverse proxy
I know that OVPN is the safest option, but I'm thinking that I might need to access DSM remotely for an emergency and I won't have OVPN at my disposal. Out of the remaining options 2 & 3, which would you recommend?
I don't like the idea to expose port 5001 directly (maybe only if it works like PLEX....internal port 5001 (DSM HTTPS default port) on NAS, and a random external port through router...this port being the one forwarded)
With reverse proxy, if I understood correctly how it works, i only need to expose port 443 and then everything requested is being rerouted to the service i use...DSM web service, PLEX etc.

The colleagues accessing NAS smb shares will do it through OVPN

P.S. @Telos i think i saw an older topic you made regarding accessing PLEX through DDNS in the local network for settings. Did you find a solution in the end or you just access it by 192.168.X.Y:32400 ?

 

[Telos]

@Telos i think i saw an older topic you made regarding accessing PLEX through DDNS in the local network for settings. Did you find a solution in the end or you just access it by 192.168.X.Y:32400

I'm unsure of which post that is. On my local network, I use the LAN IP, to connect to Plex without authentication, so if the 'net goes down, I still have media access through Plex. For remote access, I use Tailscale.

I know that OVPN is the safest option,

Just a small quibble... VPN is more about privacy, and less about security per se. And, that privacy comes with latency and bandwidth limitations. HTTPS does fine with that, and guards against man-in-the-middle threats. RP is unrelated other than to the extent it may be used to limit the need for open ports.