What to do with a working Synology NAS that has reached end of life (no longer receives updates)?

Currently reading
What to do with a working Synology NAS that has reached end of life (no longer receives updates)?

14
6
NAS
DS213, DS224+
Operating system
  1. Windows
Mobile operating system
  1. Android
Hi,

I'm new here and not sure where to put this thread. Happy for a mod to move it if I've chosen an unsuitable section.

I'm still using a basic 10-year old Synology NAS (DS213). All I really use it for is simple file serving on home network via SMB and as a backup target for machines within home network, so I've never felt the need to upgrade. As it can't be updated to DSM 7 it will stop receiving security patches when DSM 6.2 reaches end of extended life phase in about a year's time.

I may finally upgrade to a newer NAS (or just switch to using a standard PC as a "NAS") but being thrifty by nature I'm just curious if there is anything I can do to extend the life of this machine even further? I've installed lightweight Linux distros on a couple of my old Windows PCs and I'm wondering if I can do anything similar with my NAS (i.e. install a lightweight open source NAS OS)? Alternatively is there a way to just turn it into a DAS enclosure?

Or some other interesting thing I could do with it instead of sending it to the recyclers?
 
Welcome.

It will probably be useful as a secondary NAS if you get a new one for some time. As long as the compatibility will be met it will work.

Also as a pure storage device using popular protocols that will also be an option.

Regarding alternate OS. That will be difficult. Best to leave it in its current state (updates) and use it as best you can.

Can it be a DAS, no. Well you can directly connect it via its ethernet post to another device/computer on a dedicated port and use it that way but again, you will need an ethernet port/cable, no USB option.
 
Upvote 0
Last edited:
Thanks for response.

It will probably be useful as a secondary NAS if you get a new one for some time. As long as the compatibility will be met it will work.

Also as a pure storage device using popular protocols that will also be an option.

Isn't there an issue with connecting it to my network once it stops receiving security updates? As I still have a use for it I still have an old Windows XP machine but I wouldn't connect it to my network due to no longer receiving security updates. I'm assuming I should take the same precaution with a Synology NAS that is no longer receiving updates?
 
Upvote 0
If possible I would restrict the NAS's access to the Internet and definitely the Internet to it. So still allow it to access Synology to check for updates, but it doesn't need lots of other access. This assumes you have network controls in your router, etc., that applies per device policies. If you get a newer NAS and it runs CMS then it could be possible to use that to monitor and update the DS213: this is what I do with my DS215j from the DS1520+.

Speaking of the DS215j, this is just run as a Time Machine destination using SMB, version 2 as minimum. In fact you can also use the DSM firewall to limit LAN device access, so any device [e.g. IOT] that has no reason to access it you can be certain it doesn't.
 
Upvote 0
Thanks for suggestions.

Regarding suggestions to continue using it on my network purely for local access/storage - this would be useful to me but is there not a security issue of doing this once it stops receiving security patches even if I block the NAS from directly connecting to the internet?

I've always avoided connecting regular desktop/laptop computers with OSs that have passed end-of-life onto my network, even with internet access on those machines disabled (hence why I'm seeking extra clarification). Or am I just being unnecessarily cautious with this approach?

Buy newer one, copy all the data to new and sell old one while it still works.
I actually didn't even look into selling it as I assumed no one would buy a 10-year old NAS which will soon stop receiving updates, and on which there doesn't seem to be a route to installing alternatives OSs. But I've just looked on eBay and it turns out some people are still buying this model. Why????
 
Upvote 0
I actually didn't even look into selling it as I assumed no one would buy a 10-year old NAS which will soon stop receiving updates, and on which there doesn't seem to be a route to installing alternatives OSs. But I've just looked on eBay and it turns out some people are still buying this model. Why????
'coz it's cheap?
'coz it still works....
....various reasons...

Not everoyne needs NAS to be online, if is just in your local network serving as backup/file server/photos/videos, does it matter if is getting updates or not in that case ?
 
Upvote 0
Not everoyne needs NAS to be online, if is just in your local network serving as backup/file server/photos/videos, does it matter if is getting updates or not in that case ?

I don't know - this is why I'm asking the question. I've always been under the impression its bad practice to connect potentially vulnerable devices (i.e. those no longer receiving security updates) to networks. If that impression is wrong, ideally I'm hoping for an explanation as to why its wrong.
 
Upvote 0
Last edited by a moderator:
This would be useful to me but is there not a security issue of doing this once it stops receiving security patches even if I block the NAS from directly connecting to the internet?

I've always avoided connecting regular desktop/laptop computers with OSs that have passed end-of-life onto my network, even with internet access on those machines disabled (hence why I'm seeking extra clarification). Or am I just being unnecessarily cautious with this approach?
In order to answer this you have to start thinking about the specifics of how any security exploits actually occur. An EOL'd piece of s/w just means that in time the s/w will remain unpatched for new exploits. But those new exploits still have to find a way onto your network and into the EOL'd device in some way. The device doesnt suddenly pull an exploit out of thin air just because it's EOL'd.

Thinking in this way, if the EOL'd device isn't on the open public internet, and you aren't introducing an exploit into it by other means (by plugging in an infected USB key, for eg) and the rest of your network that does connect to the internet is appropriately protected, then its hard to see how an exploit that targets an unpatched bug on the device could be run against the device. I mean, there'll always be someone who can concoct a highly specific scenario where a device could be exposed to an exploit, but there's a significant difference between 'could' and 'is likely'.

Security in reality is rarely an absolute, but is a knowing and calculated trade-off between risk and convenience / cost. So you're better served thinking about this in terms of what is the risk, rather than in terms of absolutes like 'never connect an EOLd device to any network'.

Fo me, I'd be happy to continue using a perfectly-functional-but-EOL'd-NAS on my otherwise reasonably secured home LAN, but i'd limit it's internet access to known trusted sites (eg Synology's) as people have stated above.

hth
 
Upvote 0
As i said already, you don't need to give NAS internet access. It can perfectly fine be just local file sharing device for various usage..

In my neighbourhood I know on old DS412 which is still on DSM 5.x, they (client) uses it just as centralized file server so all computers (10-15) can access/save project files and nothing else...
 
Upvote 0
In order to answer this you have to start thinking about the specifics of how any security exploits actually occur. An EOL'd piece of s/w just means that in time the s/w will remain unpatched for new exploits. But those new exploits still have to find a way onto your network and into the EOL'd device in some way. The device doesnt suddenly pull an exploit out of thin air just because it's EOL'd.

Thinking in this way, if the EOL'd device isn't on the open public internet, and you aren't introducing an exploit into it by other means (by plugging in an infected USB key, for eg) and the rest of your network that does connect to the internet is appropriately protected, then its hard to see how an exploit that targets an unpatched bug on the device could be run against the device. I mean, there'll always be someone who can concoct a highly specific scenario where a device could be exposed to an exploit, but there's a significant difference between 'could' and 'is likely'.

Security in reality is rarely an absolute, but is a knowing and calculated trade-off between risk and convenience / cost. So you're better served thinking about this in terms of what is the risk, rather than in terms of absolutes like 'never connect an EOLd device to any network'.

Fo me, I'd be happy to continue using a perfectly-functional-but-EOL'd-NAS on my otherwise reasonably secured home LAN, but i'd limit it's internet access to known trusted sites (eg Synology's) as people have stated above.

hth

Thanks. This helps me understand.
 
Upvote 0
One other thought, by way of perspective; you probably already have other devices on your network that, although are not officialy 'unsupported', are in reality not being patched for new vulnerabilities and never have been.

Cameras, blue-ray players, smart speakers, maybe even your ISP-supplied router...lots of these things get released and are never patched again by their manufacturers, yet are never declared 'EOL'. All these devices are likely more vulnerable than a recently EOL'd Synology NAS, yet we continue to run them on our networks.
 
Upvote 0
My view is: limit the risk and keep using it, but plan to replace with something that meets your future needs. Sign up for Synology security alert emails.

Limiting the risk would mean to reduce access from the Internet, while patching is still maintained: though Synology are slower to patch DSM 6 than DSM 7. Eventually, block access from the Internet. Likewise, reduce access that the NAS makes to the Internet: really what does it need to run as a file server? This should protect the NAS from direct threats, as best you can.

The matter of indirect threat would come from a compromised LAN device. So use the DSM firewall: assign reserved IPs in your DHCP server to the devices that need NAS access, create firewall rules to allow them and block all other IP addresses.

Check the DSM security settings, tie them down. Other things:
  • For SMB, limit the minimum version to 2 or above: v1 has been exploited.
  • Disable Guest account.
  • Create a new administrator account, and disable 'admin'.
  • Change DSM ports to be other than 5000 and 5001.
  • Change SSH and SFTP, if you use them, to from TCP 22 to two different ports.
  • Use a standard account for daily tasks, reserving the administrator account for infrequent management usage.
  • Don't run packages and services that you don't need.
 
Upvote 0
I don't know - this is why I'm asking the question. I've always been under the impression its bad practice to connect potentially vulnerable devices (i.e. those no longer receiving security updates) to networks. If that impression is wrong, ideally I'm hoping for an explanation as to why its wrong.
A little late to the party, but I have a lot to add on this topic since almost all of my nas units (synology and others) are eol.

In theory, you are absolutely correct if you want to 100% eliminate an attack vector. Because something is older and potentially has 'known' attack vectors that are not mitigated, allowing any new traffic to find that device via another device on your network is a potential attack vector. (This is used all the time in cybersecurity attacks--a 'lateral move' through a network before hitting their main target.)

However, with this being said, you can have a completely separate network, not wired to the first and not wired to the Internet where this NAS can serve all the other eol systems. The entire network is then 'air gapped' from any other attack vector and is completely safe, even if nothing gets updates.

Personally, I run my old NAS units basically as 'lan only' units with no access to the Internet via firewall rules, so no updates, no phoning home, nothing. And I only use them all as plain nas units, so they will keep functioning like this indefinitely.

And hence this is why older units are still being bought. Many times it's because people don't really know--they see synology and just buy it to find out later that it's limited. But for those of us that do know--the older units are great as a backup to another unit, or as just plain lan based storage. And if you put ssds in them, they can easily max out gigabit so they can be fast too.

So if you ever want to recycle your unit, please let me know as I will glad recycle it in the best way possible--reuse. :)
 
Upvote 0
With air-gapped networks there's a need to have enough kit and specific use case that makes doing it worthwhile. Where once OT (Operational Technology) networks and systems would be isolated (they may not have the most secure nor up to date devices but cost huge amounts to update/replace, plus could require production lines to go offline), it now needs specific layered security topologies, intrusion systems, controlled management access systems, etc. to enable these to be connected to IT networks and to some extent the Internet.

Most home users will struggle to find an easy situation to run a couple of older devices securely. It's one reason I didn't mention air-gaps. Using firewalls and any other protection mechanisms should allow for controlled access from the minimum number of devices for the minimum number of services.
 
Upvote 0
Hi,

I'm new here and not sure where to put this thread. Happy for a mod to move it if I've chosen an unsuitable section.

I'm still using a basic 10-year old Synology NAS (DS213). All I really use it for is simple file serving on home network via SMB and as a backup target for machines within home network, so I've never felt the need to upgrade. As it can't be updated to DSM 7 it will stop receiving security patches when DSM 6.2 reaches end of extended life phase in about a year's time.

I may finally upgrade to a newer NAS (or just switch to using a standard PC as a "NAS") but being thrifty by nature I'm just curious if there is anything I can do to extend the life of this machine even further? I've installed lightweight Linux distros on a couple of my old Windows PCs and I'm wondering if I can do anything similar with my NAS (i.e. install a lightweight open source NAS OS)? Alternatively is there a way to just turn it into a DAS enclosure?

Or some other interesting thing I could do with it instead of sending it to the recyclers?
Sell it and get a new one :D. I have upgraded 3 of that way. Of course I sweeten the deal by setting it up for whoever. I wait until they are on sale and get it .. then wait until drives are on sale etc. I still run DSM6 on my 2 because I dont like a few things. They killed NFS4.1 multipathing that I use for an ESX cluster. I know you can turnit/hack it back on .. but it was a pretty dick move. I also liked the service panel where you could put a checkmark on something or take it off to start and stop them. EDS1821+ with dual port 10G NIC and DS1817+ with the same. Zoom Zoom.

If they are in your network .. hitting your NAS you have bigger problems. I turn the redirect off, change the ports, make the ip on a different subnet or take out the gateway so it cant get out, block its internet access on your router. Etc. Dont open any firewall/router ports. Funny story, I had a Ubiquiti firewall and i put it on a seperate subnet with a machine so I could play with it. Within 20 min I had someone hitting the RDP ports on that machine 1000’s of times. I dont use that no more.

Or use it as a honeypot with weak credentials. Turn on notifications so if someone starts hitting it hard you know you need to lock your stuff down/investigate the breach. I do the same thing with some email accounts etc. With non critical information. Or create a second account etc. That way you know people are hitting your stuff or there is a breach before they tell you … they hit the low hanging fruit first :D.
 
Upvote 0
Sell it and get a new one :D

I am sort of leaning that way now that I know there are people who still buy these older machines, so will be able to offset some of the cost. But it seems to me I need to first determine if there is anything I will use it for beyond what I already use it for (simple local file sharing and backup target). I know there are tons of additional things I can do with it so the question is more whether I will actually make use of any of those things. If not, I guess its probably not worth upgrading and I should just keep using the existing one with the various security precautions mentioned in this thread :unsure:
 
Upvote 0

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Similar threads

FYI: W7-64 Latest FF: 115.2.0esr (64 Bit) Synology Assistant fine to 3x NAS and 2600 Router
Replies
2
Views
1,021
  • Question
You can only have one backup task configured in the Mac/PC Drive client. Since I’ve never done it, I can...
Replies
1
Views
450
Thank you, Rusty, for your reply. I especially appreciate the photo of the HDD brackets with 2.5” drives...
Replies
4
Views
506
  • Question
I was trying to say not in the incompatible list, that’s linked from the compatibility list.
Replies
6
Views
451
  • Question
How do I reset my Synology NAS? You can test RAM using Synology Assistant (PC Application) Note...
Replies
7
Views
1,132
Reuse in matter or minutes. New container on the new device with docker using the existing volume. BW will...
Replies
12
Views
1,471
I think I'm trying to ask how is the Drive desktop agent 'safe'. I know how VPN works and why to use it. I...
Replies
8
Views
1,310

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Trending threads

Back
Top