Tightening security

[hectop]

This seems to be similar to Robbie's post from May 11th. (Brute Force Password Attack - but NAS has no external access set)
I've posted this on the Synology site but thought I'd post here as well.

In the last 48 hours I’ve had over 6,4000 failed login attempts (from overseas countries) on my DS220+ NAS drive. I haven’t seen this level of activity in a couple of years. I guess I’m more security conscious now.

I’ve always had the admin and guest accounts disabled, use a complex password and have MFA enabled. I do always ensure that latest patches/updates are applied.

Based on the first set of failed logins, I’ve enabled auto-block on my NAS and on my RT6600 router, although there’ no login attempts there. I've also blocked the source IP range on the firewall on both the router and NAS.

I use NAS for WebDav data access.

Some questions:

• Is anyone else experiencing higher unauthorized access attempts recently?
• Is there anything else I can do to increase the level of security?
• I know I’ll need to tighten source IP on WebDave but given that I access the NAS from different locations and devices, what’s a good way of doing this? (Home router IP is relatively static but cottage router IP is dynamic from the provider and I can’t get a dedicated static IP from either. Also, I sometimes need access from my mobile phone.)

TIA for any suggestions.

This post includes affiliate links. As an Amazon Associate, SynoForum.com may earn a commission if you make a purchase — at no extra cost to you.
It helps support our community! Learn more...

 

[Telos]

Have you opened ports 5000 or 5001 or 22?

 

[hectop]

For WebDav, no.
They are open on other items. I think these are part of default settings

 

[Telos]

They are open on other items. I think these are part of default settings

5000/5001/22 should never be opened. Always change the default port settings. Loved by the script-kiddos.

What can I do to enhance the security of my Synology NAS? - Synology Knowledge Center

Synology Knowledge Center offers comprehensive support, providing answers to frequently asked questions, troubleshooting steps, software tutorials, and all the technical documentation you may need.

kb.synology.com

 

[hectop]

Looking online, there's no guidance on what to change ports to. I'm not that familiar with networking at that level.
So if I have something like the following, how do the remote sites know what to connect to?

Proto Recv-Q Send-Q Local Address Foreign Address State

tcp 0 0 NAS IP:5001 Home IP:port1 SYN_RECV

tcp 0 0 NAS IP:5001 Cottage IP:port2 ESTABLISHED

tcp 0 0 NAS IP:5001 Home IP2:port3 SYN_RECV

tcp 0 0 NAS IP:5001 Home IP2:port4 SYN_RECV

tcp 0 401 NAS IP:5001 Cottage IP:port5 ESTABLISHED

 

[Telos]

Looking online, there's no guidance on what to change ports to

Any available port. For example, should you change the port 5001 to 8647, then you will need to change the URL you use to reach the NAS. For example, if you connect to the NAS over the LAN by entering:

https://192.168.1.42:5001 then you will need to use https//:192.168.1.42:8647

Similar for external connections ...
https://secret.synology.me:5001 changes to https://secret.synology.me:8647