Security - What do I need to do next?

So I've just read @jeyare's thread that's pinned at the top of this forum. Great post btw, thanks @jeyare. However, like many "unskilled" users, it's quite scary and quite overwhelming. I share my NAS with a few family members and might add a couple of friends in soon. I want to make sure all of our data is secure, but I'm finding that being responsible for other people's data is quite an additional responsibility. I've not had my NAS (920+) long but have tried to follow people's advice on how to set things up securely. Here's where I'm at so far...

I've done everything on this Synology security checklist...
[image: Synology Security Checklist.png]


I've also set up reverse proxies with an SSL certificate for accessing the services I have running, i.e. Bitwarden, Tautulli etc.
My router's firewall is on and UPnP is turned off.
I have 4 forwarded ports for 443, Plex and DSM (NOT 5000, 5001). ShieldsUP detects port 443 as open and Shodan detects 80, 443 and 32400 as being open.

Photos are important to me, but currently they're backed up to Google as well as the NAS. I know I need to sort out off-site backup for things like Bitwarden data and users' files, but I'm not sure how best to do this (needs to be affordable).

  1. So what's next? - What's the most important thing to start first?
  2. Is a VPN or the NAS's firewall necessary?
  3. I presume it's not possible to secure the open ports any further?
  4. Any recommendations for affordable off-site backup storage?

I've seen lots of people advising to read through the posts on the security forum, but when you are dyslexic, reading post after post can be difficult. Also, sometimes it's difficult to know what's relevant and what's a bit outdated. So I would really appreciate links or just being pointed in the right direction rather than just 'go and read stuff'.

Any advice is gratefully received, thanks.
 
First, I like this approach. (y)

VPN to data operation is a must for all connected to the NAS from WAN.

Re opened ports - here is one of the examples (except external firewall solutions):

I have also hardened some services in RP (Nginx RPM) controlled by access list and enabled just for my selected LAN subnets and fixed or mobile operator IP range.
[image: 1639489170539.png]

This is an example from one of my home NAS.

You can find the exact range from this list of IP address blocks allocated for each country (country, then operator):
Note: For United States, only IP blocks with 65536 addresses or more were added to the list.
Europe is complete here.

When you can't calculate the subnets, use this website:

an example:
Your operator is O2 CZ, then you will find the first range (plenty of them there):
start with: 80.188.0.0 .... Network Address Block ... step 1
end with: 80.188.255.255 .... Broadcast Address
IP addresses: 65536 ..... No. of Hosts/Subnet ... step 2
then you need to use the CIDR notation value: 80.188.0.0/16 ... for the approved range

[image: 1639488879014.png]



It is much better than GEO IP BLOCK in the NAS Firewall (which allows an entire country), because you can create a more specific range of allowed IP addresses than just "your country".
OFC: it is up to you what kind of service will be covered by what kind of connection.
 
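As an added illustration of the range-to-CIDR step in the reply above (this is example code written for this page, not jeyare's or Synology's own tooling), the following Python uses the standard library's ipaddress module to turn the "network address + number of hosts" pair from an allocation list into CIDR notation, to check whether a connecting client falls inside the allowed blocks, and to render those blocks as nginx allow/deny directives. The O2 CZ block is the one quoted in the post; the home LAN subnet and the client addresses are constructed sample values.

```python
import ipaddress
from typing import List

# Constructed sample values: the O2 CZ block quoted in the post
# (80.188.0.0 - 80.188.255.255, 65536 addresses) plus a made-up home LAN subnet.
OPERATOR_RANGE = ("80.188.0.0", "80.188.255.255")
HOME_LAN = "192.168.1.0/24"


def range_to_cidrs(start: str, end: str) -> List[str]:
    """Collapse an inclusive start..end IPv4 range into the fewest CIDR blocks.

    An aligned block such as the operator range above yields one entry; an
    unaligned range yields several, each of which goes into the access list.
    """
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)
    if last < first:
        raise ValueError("end address precedes start address")
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]


def block_to_cidr(network_address: str, host_count: int) -> str:
    """Derive CIDR from the two values the allocation list gives you:
    the network address (step 1) and the number of addresses (step 2)."""
    first = ipaddress.IPv4Address(network_address)
    last = first + (host_count - 1)
    nets = list(ipaddress.summarize_address_range(first, last))
    if len(nets) != 1:
        raise ValueError(
            f"{network_address} with {host_count} hosts is not a single aligned block"
        )
    return str(nets[0])


def is_allowed(client_ip: str, allow_list: List[str]) -> bool:
    """Emulate the reverse-proxy access list: True only if the client address
    lies inside at least one allowed block. strict=True rejects entries whose
    host bits are set, so a mistyped block fails loudly instead of silently."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(cidr, strict=True) for cidr in allow_list)


def nginx_access_block(allow_list: List[str]) -> str:
    """Render the allow list as nginx 'allow' directives followed by 'deny all'
    (the directives themselves are real nginx syntax; the indentation assumes
    they are pasted inside a location block)."""
    lines = [f"    allow {cidr};" for cidr in allow_list]
    lines.append("    deny all;")
    return "\n".join(lines)


if __name__ == "__main__":
    operator_block = block_to_cidr(OPERATOR_RANGE[0], 65536)   # 80.188.0.0/16
    allow_list = [operator_block, HOME_LAN]
    print(nginx_access_block(allow_list))
    for ip in ("80.188.12.34", "80.189.0.1", "192.168.1.20"):
        print(ip, "allowed" if is_allowed(ip, allow_list) else "denied")
```

The check in `block_to_cidr` matters in practice: allocation lists sometimes give a host count that is not a power of two, or a start address that is not aligned to the block size, and in those cases one CIDR entry cannot cover the range. `range_to_cidrs` handles that case by returning every block needed.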

Hey @jeyare thanks for taking the time to reply in such detail, I really appreciate it. I think I get it and will have a go at tightening things up this weekend.

As my RP is set up through the DSM control panel, I presume I can do this via the Synology Access Control Profile, or is there an advantage if I download Nginx RPM?

VPN to data operation is a must for all connected to the NAS from WAN.
This may be a stupid question, but is this something that can be enforced, i.e. by running a VPN server on the NAS, users can only connect via VPN?

Thanks again (y)
 