Thoughts on Remote Access to a NAS


A recent discussion about powering your NAS off Pajczur: ‘Startup DS220j when scheduled shutdown’ and then Telos: ‘You need a current cert for that? O my!’ got me thinking. My NAS setup has a straightforward OpenVPN connection and 2-step via an Authenticator; both on my iPhone.

Supposing I lose my iPhone; it breaks down or whatever: it is out of action and I am away from home and I urgently need a file on the NAS. How would I contact the NAS to get to the file? (The NAS is obviously up and running 24 hrs a day.)

1. My first thoughts were an internet café, but then that would not have the OpenVPN app, let alone the setup config file. Similarly the Authenticator needs to be useable with the NAS as, if I remember correctly, the NAS needs to ‘authorize’ the Authenticator. I doubt that the internet café would allow me to load apps onto their machines.

2. Use a friend’s internet connection. A similar problem to the internet café. Also, would he/she really like me loading my apps onto their system?

3. I could save a setup or some sort of set of config files on say DropBox or similar, but I feel uneasy about that. If that is a solution, what would be the basics?

4. A preloaded USB dongle with apps/files installed.

Perhaps there is a very simple solution and I am trying to make it too complicated? (Actually, for myself, my wife’s iPhone and our iPad have duplicate setups so I do have a backup.)



Anyone have any thoughts? I would have thought that for the business users, especially those working as the sole employee for their own business, this could be more serious.
 
>>How would I contact the NAS to get to the file?
If we assume that only your phone is out and as a result, you lose the 2FA option then your only option to log into your NAS is to disable the 2FA.

Let's assume that VPN works, and that you can tunnel back home from a separate device (that you will have the option to install ovpn and put the ovpn config and cert inside it) for this action alone. This would be a friend's device or somewhere you can in fact install VPN prerequisites.

After you log into VPN you will still face the 2FA problem. To get around this you will need to have SSH enabled beforehand in order to SSH into your NAS and remove the 2FA option for your account. Also, elevate to root account.

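Code:
# Run as root. Renaming the file removes the 2FA requirement for the "admin" account.
cd /usr/syno/etc/preference/admin/
# The .bak target is an arbitrary backup name; mv needs a destination to work.
mv google_authenticator google_authenticator.bak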

After this, you can access the DSM login page without the need of using 2FA.

Remember that you need SSH active BEFORE you can do this.

The alternative would be to use another "admin" class account that doesn't have 2FA active and uses a long custom pass for an added protection.

If you don't have SSH active for scenario 1, and you lost your phone/don't have access to your VPN configuration, you will have to get back home 1st.
 
Thanks Rusty.
>>The alternative would be to use another "admin" class account that doesn't have 2FA active and uses a long custom pass for an added protection.

An interesting idea for a simple solution assuming no VPN as well as 2FA.
 
Even with a maximum of 127 characters for a password, it did concern me leaving an open access route into the NAS, which is not very nice, but no VPN and no 2FA was the scenario I was trying to envisage.

Perhaps my scenario is too close to the question: 'How would a hacker get in?', which was not my intention. The difference being that the user would know the route, whereas the hacker would not.

Perhaps, as you wrote Rusty, 'you will have to get back home 1st' or SSH, which requires the VPN link to be active.
 
>>The difference being that the user would know the route, whereas the hacker would not.
Unless you are personally targeted, hackers generally go for the "low-hanging fruit" of open systems, and deprecated protection. With VPN, abusers need your VPN client cert in addition to userid/pwd. You can also firewall off VPN connections geographically, and use a non-standard VPN port to further obfuscate ne'er-do-wells.
 
Thanks Telos - quite agree.

BTW the non-geographical aspect of a VPN is useful in other ways. I accidentally deleted an app for a museum in Rome when back at home in the UK, but I could only install it in Italy. I used the VPN to connect via Italy and now have the app re-installed. :)
 
