Trying to harden security, some advice please


Hi all,


My current setup is:
DS920+ NAS running services, some in Docker i.e. Vaultwarden, and some bare metal i.e. Calendar. As I share some services with family members outside my network, I use Nginx proxy manager as my reverse proxy. I use Cloudflare for DNS and a Let's Encrypt wildcard certificate to keep this all secure. So, services are accessed by something like https://service-name.my-domain.com. On my router I have one port forwarded for Plex and another for 443 to NPM (reverse proxy). I have a basic understanding of how this is working, but just to be clear, have only managed to set this up by following guides on the internet and asking for the help of kind people on this site. It might also be relevant to point out that I've not been able to configure Synology's internal firewall for the services running in Docker. I believe it might be possible to use the firewall if I use Synology's built-in reverse proxy instead, but for now the internal firewall is off.

The issue:
I understand that 'best practice' might be to have no ports forwarded in my router, but I need/want to share services with external family. However, the firewall on my router (UDM Pro) is detecting, and blocking, threat attempts from IPs categorised as either CI Army or DShield, trying to access either Plex's or NPM's ports. It's great that these IPs are being blocked, but it's making me wonder how secure my current setup actually is. Perhaps an IP that's not been categorised as a particular threat could be getting through? My passwords are strong, and I have 2FA enabled on the NAS's admin account, but no password is 100% safe, and then there's always the possibility of exploits, right? Or am I just paranoid; is using a reverse proxy secure enough?

So I've been playing with Tailscale. I've discovered that by putting my external family members' computers, my remote devices (mobile phone etc.) and my NAS all on the same Tailscale network, I can access all the required services without opening any ports (well, perhaps just for Plex) on my router. Furthermore, I can turn on my NAS internal firewall too. Is this method any more secure? Or can anyone advise on a better way to do this, or any downsides I need to be aware of? Thanks for any advice you can offer.
 
I have a similar setup and have been wondering the same thing. The barrier with Tailscale is having to explain/set up Tailscale on all of my family members' devices. I haven't made that leap yet. As for Synology's firewall, I have all traffic denied except traffic from my internal network and from my Docker network.
 
Is this method any more secure?
Most types of these networks, and VPNs in general, are more secure than opening port(s). That said, this is a classic "security vs convenience" type of scenario.

By hardening ports, and pushing via reverse proxy, you are controlling what you have exposed and what can be detected. The fact that you are going over CF (guessing you are proxied there as well?) will also not expose your IP address but rather CF's. So that's also one way to protect yourself.

Finally, 2FA, long passwords, and up-to-date services are all contributing to better security. You just have to stay on top of it and lock down any new issues that might surface.

Staying inside a Tailscale network might show some other "issues", but someone else who has invested more time with it might give better feedback. Personally, it's not my cup of tea, so I will refrain from commenting.
 