Trying to harden security, some advice please

Hi all,

My current setup is:
DS920+ NAS running services, some in Docker, e.g. Vaultwarden, and some bare metal, e.g. Calendar. As I share some services with family members outside my network, I use Nginx Proxy Manager as my reverse proxy. I use Cloudflare for DNS and a Let's Encrypt wildcard certificate to keep this all secure. So, services are accessed by something like https://service-name.my-domain.com. On my router I have one port forwarded for Plex and another for 443 to NPM (reverse proxy). I have a basic understanding of how this is working, but just to be clear, I have only managed to set this up by following guides on the internet and asking for the help of kind people on this site. It might also be relevant to point out that I've not been able to configure Synology's internal firewall for the services running in Docker. I believe it might be possible to use the firewall if I use Synology's built-in reverse proxy instead, but for now the internal firewall is off.

The issue:
I understand that 'best practice' might be to have no ports forwarded on my router, but I need/want to share services with external family. However, the firewall on my router (UDM Pro) is detecting, and blocking, threat attempts from IPs categorised as either CI Army or DShield, trying to access either Plex's or NPM's ports. It's great that these IPs are being blocked, but it's making me wonder how secure my current setup actually is. Perhaps an IP that's not been categorised as a particular threat could be getting through? My passwords are strong, and I have 2FA enabled on the NAS's admin account, but no password is 100% safe, and then there's always the possibility of exploits, right? Or am I just paranoid? Is using a reverse proxy secure enough?

So I've been playing with Tailscale. I've discovered that by putting my external family members' computers, my remote devices (mobile phone etc.) and my NAS all on the same Tailscale network, I can access all the required services without opening any ports (well, perhaps just for Plex) on my router. Furthermore, I can turn on my NAS's internal firewall too. Is this method any more secure? Or can anyone advise on a better way to do this, or any downsides I need to be aware of? Thanks for any advice you can offer.
 
I have a similar setup and have been wondering the same thing. The barrier with Tailscale is having to explain/set up Tailscale on all of my family members' devices. I haven't made that leap yet. As for Synology's firewall, I have all traffic denied except traffic from my internal network and from my Docker network.
 
Is this method any more secure?
Most types of these networks, and VPNs in general, are more secure than opening port(s). That said, this is a classic "security vs convenience" type of scenario.

By hardening ports and pushing via reverse proxy, you are controlling what you have exposed and what can be detected. The fact that you are going over CF (guessing you are proxied there as well?) will also not expose your IP address, but rather CF's. So that's also one way to protect yourself.

Finally, 2FA, long passwords and up-to-date services all contribute to better security. You just have to stay on top of it and lock down any new issues that might surface.

Staying inside a Tailscale network might show some other "issues", but someone else who has invested more time with it might give better feedback. Personally, it's not my cup of tea, so I will refrain from commenting.
 
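Added here as an illustration of the point above about seeing what actually reaches the proxy (this is not code from the thread, from NPM or from Synology): a small Python audit over constructed access-log lines in an assumed nginx log format, which flags requests whose Host is an IP literal or a name the proxy does not publish, i.e. scanners that got past the router's IP reputation lists. The hostnames, addresses and log format are placeholders, not the poster's.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Hostnames NPM is meant to publish (placeholders for service-name.my-domain.com).
PUBLISHED_HOSTS = {"vault.example.com", "calendar.example.com"}

# Assumed log format: '$host $remote_addr - - [$time_local] "$request" $status $bytes'.
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Constructed sample: family traffic to published names, plus scanner traffic that
# reached the proxy by raw IP or an unpublished hostname after the router let it through.
SAMPLE_LOG = """\
vault.example.com 203.0.113.10 - - [01/Feb/2024:10:00:01 +0000] "GET /api/sync HTTP/1.1" 200 512
calendar.example.com 203.0.113.11 - - [01/Feb/2024:10:00:05 +0000] "GET /remote.php/dav HTTP/1.1" 207 890
198.51.100.7 198.51.100.7 - - [01/Feb/2024:10:01:00 +0000] "GET / HTTP/1.1" 404 0
198.51.100.7 198.51.100.7 - - [01/Feb/2024:10:01:01 +0000] "GET /.env HTTP/1.1" 404 0
admin.example.com 198.51.100.9 - - [01/Feb/2024:10:02:00 +0000] "GET /admin HTTP/1.1" 404 0
vault.example.com 203.0.113.10 - - [01/Feb/2024:10:03:00 +0000] "POST /identity/connect/token HTTP/1.1" 200 300
"""

def parse_line(line):
    """Parse one access-log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def is_published(host):
    """True only for a hostname NPM publishes; an IP literal means a direct scan of the port."""
    host = host.split(":")[0]
    try:
        ip_address(host)
        return False
    except ValueError:
        return host in PUBLISHED_HOSTS

def audit(log_text):
    """Return (unexpected requests, hits per source IP) for the given access-log text."""
    unexpected, per_ip = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        per_ip[rec["ip"]] += 1
        if not is_published(rec["host"]):
            unexpected.append((rec["ip"], rec["host"], rec["request"], rec["status"]))
    return unexpected, per_ip
```

Run `audit()` over the proxy's real access log to see which sources hit the port without ever asking for one of your published names; those are exactly the hosts the router's CI Army/DShield lists did not catch.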