The most obvious one: don't open port 5000 to the internet. While this is the first line of defense, it's not the only one, as if you have a compromised device in your network, they can use that to bypass the firewall. But that takes a lot of effort on one specific target. Not the MO of these botnets.
You had me worried for a moment! Checked my logs and no drama :) As always great content and I had already done most of the things you suggested from previous tips from you!
Another great video Will! If you change your ports from the default (5000/5001), would that cause issues with existing external services such as Plex users? Most of the stuff you outlined here I've already done because of your past videos, but I'm also going to look into geo-blocking as well. Thanks for the info!
Very useful video, thanks Will! Are you running Graylog as a container on a Synology? If yes, I would be very interested in a video on how to set up a Graylog install 😇!! Keep on doing what you do (and keep on with the nice shirts)!!!
These are the most common secure settings you need to have. One more level to secure the NAS is by only allowing it to connect to your local network, and setting up a VPN to get into your network when you're remote. You might need an upgrade on your modem (like Unifi)... This way even the most skilled hackers won't be able to get into your NAS so easily.
Yes, it's very, very important to have your most valuable personal data available 0/24 on the internet. 1: Never allow NAS internet access for any reason. Not in, not out. Period. 2: See 1.
You scared me with your title. I thought I missed a new threat, like there were a few years ago, especially at QNAP. To be sure, I took my 920 offline. This is because I heard the HDD more often than what is normal for my use. Today I had time to watch your video and I saw that almost everything you described was already in place for me. :-) I'm only going to use Tailscale. Completely relieved! Thanks for all your great videos
They do protect your data from being taken as ransom. So they protect you too from having to pay that ransom. Because zero-day hacks are a thing and have happened in the past.
Backups should be a given anyway for any NAS user, but if you have the basics of this video implemented - don't have an administrator account called "administrator", strong passwords on any admin and/or service accounts, 2FA/MFA and change default ports, then you'd be fairly well covered for any unauthorized attempts.
@@Shocker99 I said they protect you from having to pay ransom. The whole idea of a ransom attack is to take your data hostage and make you pay them money to decrypt it. If you have a backup you protect yourself from being a victim of a successful attack. Zero-day hacks can happen anytime no matter how well you set up your security. A backup protects you from all unforeseeable events that can happen, even a fire and other natural disasters if you follow the 3-2-1 rule. Some hacks or losses of data are unpreventable and backups are the only thing that can protect you from losing your data. Loss of data is what you are trying to avoid.
Have closed the firewall for traffic coming from e.g. China and similar countries, with autoblock enabled and admin account disabled. Ports 25 and 5001 are actually open for my mailserver and friends and family logging into my server without VPN and haven't had a malicious login attempt for weeks. PS the blocklist from Marius Hosting also helps a bunch I guess.
Basic preventive measures (posting before watching the video):
1) Disable the default admin account on a Synology (create a different user with admin access)
2) Enable 2FA for any accounts with admin privileges
3) Do not forward ports 5000-5001 to your NAS. If you want to access DSM remotely, install the VPN service and first connect to your Synology over an OpenVPN connection.
4) Turn on Account Protection in the Security options
5) Only forward ports you specifically need to be able to access from outside of your LAN to your NAS. (Should be obvious, but I'm sure there are people who have forwarded the entire range of available ports to it)
Now let's see if there are any important ones I missed.
Crazy to be opening up such an important device to the internet when a VPN server is so easy to set up. I access everything on my home network through a VPN. The only port I have exposed externally is for the VPN, and I trust WireGuard's security much more than I do Synology's and other common services. Also, having completely offline backups allows you to recover from a ransomware attack if it happened.
Comes down to the client's use case. I work with a ton of photographers / videographers who want to use it to send clients videos. And you can't do that over a VPN. Really just comes down to use case / how sensitive the files are.
All depends on use case. If you have multiple family members and friends that have access to certain features in the NAS, VPNs won't cut it. It's far too cumbersome to set up and maintain vs direct access to the NAS.
@@SpaceRexWill Yeah, that's an interesting use case I hadn't considered, and I can see how it drives the need to expose it to make life easier for everyone involved. I use Tailscale to join a NAS I have at a family member's house as it requires less network configuration at their end, but I appreciate that isn't going to work at scale for the use case you've highlighted. If I had a need to expose it then I'd be taking steps to reduce the threat of an attacker traversing through the network if the NAS was compromised, but I appreciate that comes with trade-offs between functionality and security too. Like you've said, the main risk is if a zero-day comes out affecting DSM; however, if you're responsible for them and can patch them in good time then it mitigates the risk considerably. Thanks for responding 🙂
Great and absolutely essential video again Will. What I'd add is to set a high security profile in Security Advisor; it takes some time to get all the green checks but it's well worth it. (-;
The better solution is: don't open any ports from the Internet to your DSM. Use a separate firewall that will do VPN! Install the VPN client on your machine and then connect to your LAN via VPN. This is the most secure option if you want to have access from the Internet to your DSM, and the only one I recommend.
I already did everything else, except for the firewall rule and changing the port number. I tested on my smart phone and made sure I am able to access the NAS.
Same thing about SSH: don't allow it to be open to the net, or change the port to something less obvious. OR don't give the internet access to your files at all; if you don't want it stolen and used on the internet, keep it off the internet.
Hi Will, thanks for these awesome tips. Just found out DSM 7.2 will show you it is up to date, but when you actually check on their website I could update to 7.2.1 😮. So I did this immediately. Also you could mention having backups, just in case.
How many more Synology and Qnap vulnerabilities do you people have to have before you stop using their overly vulnerable operating systems or in house apps.
When I added the country rules, I could not get in with my DDNS subdomain, only the local IP. I had to allow Taiwan in addition to the USA, and then it worked. Since the Google-Squarespace domain sale, I've had to use Synology's DDNS service, whose server is based in Taiwan...
Ah, I noticed that happening to my new one at home. Just sad little brute force attempts. I set it to fuck up twice, banned. It went on for about a week and then stopped altogether.
What news outlet are you using? Of course, I'm aware that there are always attacks going on, but I'm not finding an article right now about a massiveogy. Could you please share the link?
I solved my Synology slowness problem by shutting down the server, moving the drives to another server box, and installing Unraid while adding a 10G NIC and switch. My Synology was a 420j and was getting old.
Of course blocking the admin account, but then adding a reverse proxy, adding a geofence and banning IPs which try to log in as some users like 'admin' and try to log in a few times, or even if requests result in 4xx errors. Is it enough then? Helpful vid! Thanks!
Thanks for the great information. A quick question about the FW rules. I use Portainer (as I think you do, on 172.16.0.0?). When I have more stacks/networks inside Portainer, do I need to add the additional networks to the FW ruleset as well? (i.e. 172.18.0.0 - 172.20.0.0 ...)
The firewall rules that I wrote here will cover the entire 172.16.0.0 - 172.31.255.255 private address range. It's the way that subnets work. 172.16/12 means the exact same thing as above. RFC1918 are your local LAN addresses: netbeez.net/blog/rfc1918/ (you would not want to create a 172.33.0.0 subnet for Docker as this would be a public IP)
A NAS should never be internet facing... it's considered a critical piece of hardware in every scenario. No amount of built-in features on the Synology will protect you if the right CVE comes out. If you truly need access to your Synology outside of your network, create a WireGuard VPN using something as small as a Raspberry Pi and use that to access your internal resources. Sincerely, a network engineer with a focus on edge security.
17:00: How about you ONLY change the port forwarding rules? You can make the NAS appear on 8980 / 8981 to the world through port forwarding while keeping ports 5000 / 5001 internally. Seems a lot simpler to me.
1. You only need to change your firewall settings, which you have to touch anyway to implement a port change, whether you change the ports on the NAS or not.
2. The NAS is still appearing on the default port on your local network, so the change is transparent to local clients.
When I get a NAS, I'm going to set it up where I can connect with it through wi-fi, but no one from the internet can connect to it. As I'd just want to be able to allow my local computer to do daily system backups, but I'll never use the internet to connect to it.
Set up a NAS VLAN and create a rule for local access only. Then add a Private VPN to your home and you will then be able to access remotely using the Private VPN. nice and secure. Works GREAT!
With geo-blocking, will this prevent Synology tech support from remotely logging in (if they are from a different country)? Or do you need to remember to disable that first before requesting support?
What should I do if I already used the admin for several years (Cloud Station for example)? What do I have to do so that my Cloud Station works with my new admin account? Can I just rename the default admin instead to be safe?
Thank you for putting this together. Can you respond to the comment below (Hassan-ksu) about physical attacks and using the Update & Restore -> System Reset -> Reset Option -> Keep admin password unchanged? ALSO: I am using DSM 7.1 which is recommended. When will DSM 7.2 be recommended? (To get the Adaptive MFA).
Thing is, nobody needs to have a full NAS with more than 1TB facing the internet. Just block the main NAS and have it only local. If you really need cloud storage, just get a second small NAS.
Hi, need help. After changing my phone I don't have access to Synology by QuickConnect. The Secure SignIn code gave me an error; if I disable it from the account, the app still asks for a code and the code didn't work.
Make sure you haven't enabled DMZ on your router, and don't set up your router under External Access in DSM. DSM 7 accepts any username and password when 2FA is enabled, so they won't know if they have a valid username or not (always make sure 2FA is enabled, as a number of people have had their NAS encrypted because 2FA wasn't enabled). Don't use email code generation; use push or an MFA code generator (use Authy as it allows syncing between phones/tablets).
Not very network savvy, but wondering why you have 3 different IP addresses on your local network when blocking outside countries. Is there something that I need to look for when setting mine up?
So those three subnets are the local subnets. Basically any of those cannot come from the internet; they had to come from the local network. So if you don't know about subnets, add all three, because your network will be one of them.
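As an added illustration of the subnet point in this reply and the earlier Portainer question (example code written for this page, not from the video, Synology, or Portainer): a small Python check that tells you whether a Docker network is already inside the 172.16/12 allow rule, and that mimics the self-lockout safeguard the NAS applied when 196.168 was typed instead of 192.168. The rule strings and the admin PC address are constructed sample data; the real Synology rule format is not reproduced.

```python
import ipaddress
from typing import Iterable

# Constructed sample data: the three RFC 1918 allow rules discussed in the thread,
# written as plain CIDR strings rather than in Synology's own rule format.
RFC1918_ALLOW_RULES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def rule_networks(rules: Iterable[str]) -> list:
    """Parse CIDR rule strings; strict=False tolerates set host bits in a rule."""
    return [ipaddress.ip_network(r, strict=False) for r in rules]


def subnet_covered(subnet: str, rules: Iterable[str] = RFC1918_ALLOW_RULES) -> bool:
    """True if every address of `subnet` already falls inside one of the allow rules.

    This answers the Portainer question: a new bridge such as 172.18.0.0/16 is a
    sub-network of 172.16.0.0/12 (172.16.0.0 - 172.31.255.255), so it needs no
    extra firewall rule; 172.32.0.0/16 and 172.33.0.0/16 are outside that block.
    """
    net = ipaddress.ip_network(subnet, strict=False)
    return any(net.subnet_of(r) for r in rule_networks(rules) if r.version == net.version)


def uncovered_subnets(subnets: Iterable[str], rules: Iterable[str] = RFC1918_ALLOW_RULES) -> list:
    """Return the subnets that would need their own rule (or are not private at all)."""
    return [s for s in subnets if not subnet_covered(s, rules)]


def would_lock_out(client_ip: str, allow_rules: Iterable[str]) -> bool:
    """Mimic the safeguard the NAS applied when 196.168 was typed instead of 192.168.

    Assumes an allow-list followed by a default deny, as in the video's setup: if the
    address of the machine editing the rules matches no allow rule, applying the
    ruleset would cut off that very machine.
    """
    addr = ipaddress.ip_address(client_ip)
    return not any(addr in r for r in rule_networks(allow_rules) if r.version == addr.version)


if __name__ == "__main__":
    # Constructed Portainer networks: two inside 172.16/12, one at its upper edge,
    # one just past it, and the 172.33.0.0 example the reply warns is public space.
    candidates = ["172.18.0.0/16", "172.20.0.0/16", "172.31.255.0/24",
                  "172.32.0.0/16", "172.33.0.0/16"]
    for c in candidates:
        print(f"{c:<18} covered by RFC 1918 rules: {subnet_covered(c)}")
    print("needs an extra rule / not private:", uncovered_subnets(candidates))

    # Typo scenario from the thread: 196.168.0.0/16 entered instead of 192.168.0.0/16.
    admin_pc = "192.168.1.50"  # constructed address of the machine editing the firewall
    print("correct rules lock out admin PC:", would_lock_out(admin_pc, RFC1918_ALLOW_RULES))
    print("typo rules lock out admin PC:   ", would_lock_out(admin_pc, ["196.168.0.0/16"]))
```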
Hasn't this been going on for years now? I remember when I had my Synology back in 2015, I would get tons of attempted logins from mostly China and Russia.
Will last September when I got my 923+ I went through your setup videos on security when setting up mine, basically word for word. I paused after you mentioned changing a setting, changed it myself, and then continued on the video. Your help is better than the Synology's official help which is usually the case with a hardware company.
That’s because you are not paying for synology support. It’s not something that makes sense for them to provide for free. Will isn’t providing it for free either, he makes money when people view his videos.
Thanks so much for your videos. I recently got a nas after doing some research and your videos convinced me that Synology was the way to go for me because of how comprehensive DSM is. Your setup and security tutorials have been invaluable for me!
Used many of these easier methods on two NASs, one on fw 7.2, the other on fw 6.2. Virtually no issues on 7.2 from the start but tons of attacks on the 6.2 unit. Admin and guest were disabled from the start and the autoblock helped me sleep at night, but I had logs of multiple RSYNC attacks from the same IP and then cycling to other worldwide IPs, with China and Russia topping the lists. The addition of firewall and account protection caused the attacks to cease completely for the past 11 days. Looking at swapping out the remote 6.2 unit for a 7 series soon to further bolster security, but for now, all looks quiet. Excellent information, much of which I had put into practice already, but relatively simple to implement and works very well!
In DSM 7.2 the block list extends to QuickConnect, so it's blocked at Synology's end, and by default it doesn't enable port forwarding via UPnP.
Also it's quite easy to get a list of Synologys that have QuickConnect enabled.
Good, comprehensive information - thanks. For my NAS clients, I keep remote NAS access disabled, largely for this reason. I only have one client that requires remote access to anything on the NAS, so I have them set up so they have to connect to their office LAN via VPN first, and only then can they access the NAS. This works fine for them largely because they're a small office that doesn't share data directly with anyone else. (And, of course, I keep my NAS clients comprehensively backed up because, well, bad stuff happens...)
Thanks. Reminders on good security are always appreciated. I especially loved the simple firewall suggestions. Adopted. I accidentally typed 196.168 instead of 192.168 and the NAS would not apply the rules because it would block the computer making the rule change! Quite impressed.
The Synology firewall rules are actually really good about that kind of stuff! I have always been pretty impressed by how well they work
There's one more thing to consider. Reverse proxy, is a great way to limit your exposure down to just one port. This is great if you have multiple services running.
Also if you choose a specific LAN interface to configure, instead of all, you have the option to just switch interfaces should you be unlucky enough to lock yourself out playing with the firewall rules.
This is the only acceptable way to do it imo. I still would like to understand why anyone would put their personal/small business nas exposed to the internet.
Part of the problem is that when the computers that were infected with the botnet are located here in the USA and generated from a foreign country, the foreign countries being blocked will be ineffective as they are US IP addresses. They also seem to use VPNs. With my UniFi UDM-Pro I took security one step farther. I have utilized all 150 of UniFi's max of countries to block, but there are 195 countries on this planet, so there will always be about 40 unblocked countries. Working with my UDM-Pro's Security Detections log I have fine-tuned the list based on the log with the countries that have more than 1 attempt. I also noticed that the CIARMY also uses specific blocks of IP addresses based here in the USA, and a majority of attempts are by IP addresses with the same first 2 octets (22.239.0.0/16). I took the UDM-Pro's "Critical Security Detection" log and created a rule that blocks all the traffic from the log's IP addresses within the first 2 octets. Seems to be working fine! Great video.
I'd also point out Synology's Active Insight might be helpful here. That's how I was notified about the ongoing attacks. We got that exact attack from around the beginning of the month. SSH attempts happen fairly often, but this was the first time I saw DSM targeted on that scale. I set aggressive permanent IP blocking, and they all only ever tried the "admin" account. It has been several weeks with no more attempts.
I'm really glad I found this video. I just watched your maintenance video posted yesterday and through that found out I had a botnet attack on my system 2 months ago. I was a little concerned to say the least. I was also confident my system and data were safe. I long ago put all security measures in place that you recommend along with snap shots to save my ass if they did get through and encrypted stuff. Sometimes I forget that DS920+ is even there chugging away in the closet because it's always just "there" when I need it. Every single time. Thing never fails.
Thanks for this great video. I've since enabled Account Protection on both my NASs, as the other options I'd already got enabled. I now feel extra confident my data is secure from attack. It was also interesting to learn how the attacks take place with the multiple IP addresses etc. I don't comment much, but I've been a subscriber since back in the day when you had about 25k subs, so it's really, really nice to see your channel growing and doing well. All the best - Neil (UK)
This made me go through all of the protections that I have set and, I'm happy to say that, other than Account Protection, I had everything set up correctly. (I also had the geo-block set up on my Synology router.) I hadn't realized that Synology had automatically enabled Adaptive MFA at some point, so I was a bit shocked one day when I got the email alert. This has been a great exercise and one that we all need to review periodically. As a slight aside, even though I am mucking about in the Control Panel fairly often, I can easily forget what settings I've changed, when, and why. So, I have gotten into the habit of keeping an Excel spreadsheet on all of this stuff for all of my devices. A bit anal, yes, but very effective. And it keeps things consistent around my network. It would be so nice if some of these devices would allow the export of all of their settings into something like a CSV file. Many thanks again Will.
A diff analysis tool (current vs default) is a feature that sadly is missing in most equipment.
OMG, watched this video to learn about the botnet attack. While watching, saw that I had used these same firewall rules mentioned to block access for countries outside the US. No wonder my apps were not working when I traveled. Thanks for the indirect help! You are the man!
You mentioned Tailscale when setting up the firewall rules. The built-in firewall won't block Tailscale as it's an outbound and then established connection. Synology's firewall rules only affect inbound connections.
Brilliant video. You covered a lot of ground with just the right amount of detail. Excellent.
I am still running an old Synology NAS, but I am definitely considering upgrading in the next year. That said, I really like your channel Will; it's helping me be better informed and more aware of what's going on in the NAS space. So I just want to say thanks.
Really appreciate it!
@@SpaceRexWill 🙏
Please talk about securing the NAS physically. I just realized recently that the buttons on the back can activate and reset the admin password, meaning anyone that can steal your NAS physically will have access to all your files. This is really dangerous and there is a solution for that.
In the system settings, under "System Reset," there's an option to "Keep Admin Password Unchanged." Activating this option ensures that if someone tries to reset your NAS, they can enable the admin account but won’t be able to reset the admin password. To implement this, you need to change your admin password and select this option.
Some might argue that the files are encrypted. However, if you have auto-mounted files and the thief resets the password, they would still have full access to everything. Therefore, taking this additional security measure is crucial to protect your data.
Great advice! I had no idea that feature existed, I found it in Control Panel > Update & Restore > System Reset
@@jemmrich just make sure to never ever ever forget admin password as you will not be able to rest it if you lose your normal administration account and also forget the admin password that you just changed.
I would advise to add it somewhere in your phone or Google cloud or any other cloud so if you forgot you can go back to it. The admin is not visible unless you push that button for 4 seconds. Add it to Google cloud as no one will have access To the admin account unless they steal your nas and hack your Google account.
Encrypt your shared folder. The folder won't mount without the password.
@Dragonx21 yes, but if you don't activate Key Manager (auto-mount), every time you restart you have to sign in and mount all the files.... To do what I mentioned is way easier, but just don't forget your password ever.
@hassan_ksu I've never understood people that encrypt their drives and then have them auto-unlock.
As you've said it basically doesn't protect you from physical theft at all.
My NAS is all encrypted with a passphrase needed at boot. If someone steals my server they aren't getting $#!^.
The Security Advisor app also checks a few key basics. Also useful to let you know what packages (or DSM) have updates. It is a good starting point and then go through the items listed in the video to the extent they apply (beyond the generally applies to everyone items).
Good video Will, it finally prompted me to disable the default 'admin' account and set up a new one......I mean Synology has been nagging me to do that forever!
More incredible content, thanks Will. And the SpaceRex team is hurtling towards 100k subscribers, getting very close now!
I wonder how AI will affect their attempts at 'brute forcing' things, or really just tactics for approaching what they are trying to do. As with everything AI supercharges, you'd think it would also be of benefit to them too in some way...
I am sure that AI will soon be used to look at your IP address and check the Dark Web for all the passwords that you have used on prior sites that have been hacked and based on your password structure it will generate a list to use on your other devices. It is just a matter of time
Thanks, I checked the logs on my 920+ and didn't see anything unusual. I had already disabled admin and guest. Looks like everything is good. Great tutorial!
A proper router with IDS/IPS is a must have these days. In addition to blocking any port scanning on your public IP, it is also critical to block the IP ranges of known attackers, C&C, botnets and scanners like Shodan.
Excellent tips. I've been on Synology NAS models for 13 years. Very to see I'm doing the right things to security harden.
Good very learning you.
The most obvious one: don't open port 5000 to the internet. While this is the first line of defense, it's not the only one, as if you have a compromised device in your network, they can use that to bypass the firewall. But that takes a lot of effort on one specific target. Not the MO of these botnets.
You had me worried for a moment! Checked my logs and no drama :) As always great content and I had already done most of the things you suggested from previous tips from you!
Another great video Will! If you change your ports from the default (5000/5001), would that cause issues with existing external services such as Plex users? Most of the stuff you outlined here I've already done because of your past videos, but I'm also going to look into geo-blocking as well. Thanks for the info!
Plex operates on an entirely different port! (32400 by default) so it will not mess this up.
@SpaceRexWill good to know. Thanks for the reply!
I recommend changing the default port for Plex as well, even though security through obscurity doesn't really work well for targeted attacks.
Thanks for the video. Checked my logs, and earlier this month and last month I had thousands of attempts on mine. Very scary.
Very useful video, thanks Will! Are you running Graylog as a container on a Synology? If yes, I would be very interested in a video on how to set up a Graylog install 😇!! Keep on doing what you do (and keep on with the nice shirts)!!!
I would like to learn too.
These are the most common secure settings you need to have. One more level to secure the NAS is by only allowing it to connect to your local network, and setting up a VPN to get into your network when you're remote. You might need an upgrade on your modem (like Unifi)... This way even the most skilled hackers won't be able to get into your NAS so easily.
Thanks Will! Excellent video!
Thanks Jeffrey!
Yes, it's very very important to have your most valuable personal data available 0/24 on the internet.
1: Never allow NAS internet access for any reason. Not in not out. Period.
2: See 1
You scared me with your title. I thought I missed a new threat, like there were a few years ago, especially at QNAP. To be sure, I took my 920 offline. This is because I heard the HDD more often than what is normal for my use. Today I had time to watch your video and I saw that almost everything you described was prepared for me. :-) I'm only going to use Tailscale.
Completely relieved! Thanks for all your great videos.
I do miss two other very important points that protect you from a hack: backups and snapshots with an immutable period configured.
These help recover you from a hack - not prevent it.
They do protect your data from being taken as ransom. So they protect you too for not having to pay that ransom. Because zero day hacks are a thing and have happened in the past.
Backups should be a given anyway for any NAS user, but if you have the basics of this video implemented - don't have an administrator account called "administrator", strong passwords on any admin and/or service accounts, 2FA/MFA and change default ports, then you'd be fairly well covered for any unauthorized attempts.
@MrCoffis Backups do not protect your data from being taken.
@Shocker99 I said they protect you from having to pay ransom.
The whole idea of a ransom attack is to take your data hostage and make you pay them money to decrypt it. If you have a backup you protect yourself from being a victim of a successful attack. Zero day hacks can happen anytime no matter how well you set up your security. A backup protects you from all unforeseeable events that can happen. Even a fire and other natural disasters if you follow the 3-2-1 rule.
Some hacks or loss of data are unpreventable, and backups are the only thing that can protect you from losing your data.
Loss of data is what you are trying to avoid.
Have closed the firewall for traffic coming from e.g. China and similar countries, with autoblock enabled and admin account disabled. Ports 25 and 5001 are actually open for my mailserver and friends and family logging into my server without VPN and haven't had a malicious login attempt for weeks.
PS the blocklist from Marius Hosting also helps a bunch I guess.
Thank you for this video, it helps me a lot with the large number of attacks.
Another great video. Thanks Will.
You may have done it already, but if you haven't, please consider creating a video about graylog.
Basic Preventive measures (posting before watching the video):
1) Disable the default admin account on a Synology (create a different user with Admin access)
2) Enable 2FA for any accounts with admin privileges
3) Do not forward port 5000-5001 to your NAS. If you want to access DSM remotely install the VPN service and first connect to your Synology over an OpenVPN connection.
4) Turn on Account Protection in the Security Options
5) Only forward ports you specifically need to be able to access from outside of your LAN to your NAS. (Should be obvious but I'm sure there are people who have forwarded the entire range of available ports to it)
Now let's see if there are any important ones I missed.
Excellent video. I subscribed to your channel. Very helpful demonstration and clear explanation. Also you cover everything that is necessary.
Crazy to be opening up such an important device to the internet when a VPN server is so easy to set up. I access everything on my home network through a VPN. The only port I have exposed externally is for the VPN, and I trust WireGuard security much more than I do Synology and other common services. Also, having completely offline backups allows you to recover from a ransomware attack if it happened.
Comes down to the clients use case
I work with a ton of photographers / videographers who want to use it to send clients videos. And you can’t do that over a VPN.
Really just comes down to use case / how sensitive the files are
All depends on use case. If you have multiple family members and friends that have access to certain features in the NAS, VPNs won't cut it. It's far too cumbersome to set up and maintain vs direct access to the NAS.
@SpaceRexWill Yeah, that's an interesting use case I hadn't considered, and I can see how it drives the need to expose it to make life easier for everyone involved. I use Tailscale to join a NAS I have at a family member's house as it requires less network configuration at their end, but I appreciate that isn't going to work at scale for the use case you've highlighted. If I had a need to expose it then I'd be taking steps to reduce the threat of an attacker traversing through the network if the NAS was compromised, but appreciate that comes with trade-offs between functionality and security too. Like you've said, the main risk is if a zero day comes out affecting DSM; however, if you're responsible for them and can patch them in good time then it mitigates the risk considerably. Thanks for responding 🙂
Great and absolutely essential video again Will. What I'd add is to set a high security profile in Security Advisor; it takes some time to get all the green checks but it's well worth it. (-;
U SCARE ME NOW !!! ...thank God in the first minute you calm me down
So timely for me right now. Thank you for this!
Will, great tech advice as always -- and of course, great hair 👍
You’re not weird, not only did I deactivate the admin account, I also changed the default password for it.
Thank you for that security update.
The better solution is: don't open any ports from the Internet to your DSM.
Use a separate firewall which will do VPN! Install the VPN client on your machine and then connect to your LAN via VPN.
This is the most secure option if you want to have access from the Internet to your DSM, and the only one I recommend.
I already did everything else, except for the firewall rule and changing the port number. I tested on my smart phone and made sure I am able to access the NAS.
Thanks Will, where specifically in the DSM Control Panel did you see a log of the login attempts at the very beginning of this video?
under logs!
Same thing about SSH.... don't allow it to be open to the net, or change the port to something less obvious. OR don't give the internet access to your files: if you don't want it stolen and used on the internet, keep it off the internet.
Hi Will, thanks for these awesome tips. Just found out DSM 7.2 will show you it is up to date, but when you actually check on their website I could update to 7.2.1 😮. So I did this immediately. Also you could mention having backups, just in case.
Also a 2nd admin account is helpful in case the primary gets locked up from a hacker trying to access it.
Really helpful, appreciate your work, thanks!
Great video! If I only connect to the NAS outside of my local network via Tailscale VPN do I still need to consider changing the default port?
You sir are a godsend! Thank you so much!
How many more Synology and Qnap vulnerabilities do you people have to have before you stop using their overly vulnerable operating systems or in house apps.
When I added the country rules, I could not get in with my DDNS subdomain, only local IP. I had to allow Taiwan in addition to USA, and then it worked. Since the Google-Squarespace domain sale, I've had to use Synology's DDNS service, which server is based in Taiwan...
Should I enable "Trust This Device" in Control Panel? It skips the 2-step authentication protocol.
Ah, I noticed that happening to my new one at home. Just sad little brute force attempts. I set it to fuck up twice, banned. It went on for about a week and then stopped altogether.
do you have tutorials on creating port forwarding for Synology router to help it to be safe from hackers?
Thank you for the information! As always a great video.
What news outlet are you using? Of course, I'm aware that there are always attacks going on, but I'm not finding an article right now about a massiveogy. Could you please share the link?
For me, I have just been tracking them with the servers that I manage for clients.
@SpaceRexWill Thanks! It was driving me nuts to not find a single threat on the news :)
Thank you.. This is really useful and in an easy and beautiful way
I solved my synology slowness problem by shutting down the server, moving the drives to another server box, and installing Unraid while adding a 10g Nic and switch. My Synology was a 420j and was getting old.
Is it ok to add your home local network IP addresses and subnet mask to the allow list?
Very good information. Question: if you disable admin and admin has tasks, how can you transfer the tasks first to another user?
Thank you, that was very informative.
Do you really need to use QuickConnect if changing the DSM port, to get access to DS audio, DS Cam, and DS cam?
Thanks for the update to best security practices.
Of course blocking the admin account, but then adding a reverse proxy, adding geofencing and banning IPs which try to log in as some users like 'admin', and try to log in a few times, or even if requests result in 4xx errors. Is it enough then? Helpful vid! Thanks!
Thanks for great information. A quick question about the FW rules. I use portainer (as I think you do to 172.16.0.0 ?). When I have more stacks/networks inside portainer, do I need to add the additional networks to the FW ruleset as well? (Ie. 172.18.0.0 - 172.20.0.0 ...)
The firewall rules that I wrote here will cover the entire 172.16.0.0 - 172.31.255.255 private address range.
It's the way that subnets work. 172.16/12 means the exact same thing as above.
RFC1918 addresses are your local LAN addresses: netbeez.net/blog/rfc1918/
(You would not want to create a 172.33.0.0 subnet for Docker as this would be a public IP.)
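An added example (not from the video or either commenter) that checks the point made above: it takes a list of Docker/Portainer subnets and reports which of the three RFC1918 ranges a firewall allow-rule covers each one, and flags any that would be public. The Docker subnets used as input are constructed sample values.

```python
import ipaddress

# The three RFC1918 private IPv4 ranges that a "local network" firewall allow-rule covers.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def range_bounds(cidr: str) -> tuple[str, str]:
    """Expand a CIDR into its first and last address, e.g. 172.16.0.0/12 -> 172.16.0.0 .. 172.31.255.255.

    This is the arithmetic behind "172.16/12 means the same thing as 172.16.0.0 - 172.31.255.255":
    the first 12 bits are fixed, so the second octet may be anything from 16 (0001 0000) to 31 (0001 1111).
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def covering_range(subnet: str):
    """Return the RFC1918 range that contains `subnet`, or None if no private range covers it.

    Only IPv4 is considered, because the firewall rule discussed above is an IPv4 rule.
    """
    net = ipaddress.ip_network(subnet, strict=False)
    if net.version != 4:
        return None
    for rng in RFC1918:
        if net.subnet_of(rng):
            return rng
    return None


def classify_docker_subnets(subnets) -> dict[str, str]:
    """Map each Docker subnet to the allow-rule range that already covers it, or "PUBLIC" if none does.

    A "PUBLIC" result means the subnet is not private address space at all: the firewall's
    RFC1918 allow-rule would not match it, and it overlaps real Internet addresses.
    """
    result = {}
    for s in subnets:
        rng = covering_range(s)
        result[s] = str(rng) if rng is not None else "PUBLIC"
    return result


if __name__ == "__main__":
    # Constructed sample: Docker's default bridge plus a few Portainer stack networks,
    # and one deliberately wrong subnet that is outside the /12.
    sample = ["172.17.0.0/16", "172.18.0.0/16", "172.20.0.0/16", "172.33.0.0/16"]
    print("172.16.0.0/12 spans", range_bounds("172.16.0.0/12"))
    for subnet, covered_by in classify_docker_subnets(sample).items():
        print(f"{subnet:>16}  ->  {covered_by}")
```

No extra firewall rule is needed for stacks that land on 172.18.x or 172.20.x; only a subnet outside the three private ranges would fall through.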
@SpaceRexWill Ahh, I understand. Thank you!
great important info. always count on being attacked. great tips.
4 years ago I had this with my QNAP.. Luckily, good security had all attempts blocked.
Thanks for sharing this great information !
A NAS should never be internet facing... it's considered a critical piece of hardware in every scenario. No amount of built-in features in the Synology will protect you if the right CVE comes out.
If you truly need access to your Synology outside of your network, create a WireGuard VPN using something as small as a Raspberry Pi and use that to access your internal resources.
Sincerely a network engineer with a focus on edge security.
17:00: How about you ONLY change the port forwarding rules? You can make the NAS appear on 8980 / 8981 to the world through port forwarding while keeping ports 5000 / 5001 internally. Seems a lot simpler to me.
1. You only need to change your firewall settings, which you have to touch anyway to implement a port change - whether you change the ports on the NAS or not.
2. The NAS is still appearing on the default port on your local network, so the change is transparent to local clients.
Ah, so doing this breaks quick connect
Thanks so much Will!
19:18 How do I source the local IP addresses that I would like to include?
Always appreciate your tips 👍🏿
Hey, great video! Thanks for the explanation and nice demo.
Do you also have a special discount code or agreement for Europe(Netherlands) Synology?
Random question: what is the brand and model of your screens on your desktop?
How did you miss enabling Denial of Service (DoS) protection?
No mention of Tailscale?
21:25 @spacerex Question: When locking down NAS to location - would this affect QuickConnect if that is located in the US?
Quick connect follows firewall rules now!
Outstanding post! - Thanx Rex 👍👍👍👍👍
When I get a NAS, I'm going to set it up where I can connect with it through wi-fi, but no one from the internet can connect to it. As I'd just want to be able to allow my local computer to do daily system backups, but I'll never use the internet to connect to it.
Set up a NAS VLAN and create a rule for local access only. Then add a Private VPN to your home and you will then be able to access remotely using the Private VPN. nice and secure. Works GREAT!
@@donaldhoudek2889 Nah, I have zero need for remote access as the computer would be in the same room as the NAS.
With geo-blocking, will this prevent Synology tech support from remotely logging in (if they are from a different country)? Or do you need to remember to disable that first before requesting support?
You would need to get their IP and allow it
Super helpful!
What should I do if I already used the admin account for several years (Cloud Station for example)? What do I have to do so that my Cloud Station works with my new admin account?
Can I just rename the default admin instead, to be safe?
Is there a way to block LAN access from Synology, but allow access from LAN into Synology NAS?
good job I don't use the default admin account, I never use default credentials
What about the Denial-of-Service (DOS) Protection, would that be something that should be enabled?
That is not this. It's if you get DDoSed.
@SpaceRexWill yes, but should it be enabled as a good measure? I noticed it was not mentioned in the video.
Thank you for putting this together. Can you respond to the comment below (Hassan-ksu) about physical attacks and using the Update & Restore -> System Reset -> Reset Option -> Keep admin password unchanged?
ALSO: I am using DSM 7.1 which is recommended. When will DSM 7.2 be recommended? (To get the Adaptive MFA).
Thing is, nobody needs to have a full NAS with more than 1TB facing the internet. Just block the main NAS and have it only local; if you really need cloud storage, just get a second small NAS.
Hi, need help. After changing my phone I don't have access to Synology by QuickConnect. The Secure SignIn code gave me an error; if I disable it from the account, the app still asks for a code and the code didn't work.
Hello there, I’m getting SMB attempts? How is that possible? Does it mean that I have a mole in my network who is trying to brute-force my Synology NAS?
It depends heavily on them.
Are they SMBv1? or are they real login attempts?
Make sure you haven't enabled DMZ on your router and don't set up the router under external access in DSM.
DSM 7 accepts any username and password when 2FA is enabled, so they won't know if they have a valid username or not (always make sure 2FA is enabled, as a number of people have had their NAS encrypted because 2FA wasn't enabled). Don't use email code generation; use push or an MFA code generator (use Authy as it allows syncing between phones/tablets).
@leexgx Thanks a lot! I will do it like that.
Great video Thanks So Much!
Thanks for this!
Wait, are you recommending deleting the "admin" user?
No, just disable it
Not very network savvy, but wondering why you have 3 different IP addresses on your local network when blocking outside countries. Is there something that I need to look for when setting mine up?
So those three subnets are the local subnets. Basically any of those cannot come from the internet; they had to come from the local network. So if you don't know about subnets, add all three, because your network will be one of them.
You're the best dude!
Hasn't this been going on for years now? I remember when I had my Synology back in 2015, I would get tons of attempted logins from mostly China and Russia.