ฝัง
- เผยแพร่เมื่อ 23 ก.ค. 2024
- NAS units become easy targets for adversaries who will attempt to gain access and then exploit the NAS for ransom money. The reason that NAS units are targeted so often, is because they, unlike most network devices, use UPNP to open ports on your router. This is done in order to allow you to remotely access your filesystem from outside of your network, however it also opens the door for adversaries to export vulnerabilities on their NAS.
Hire Me! www.spacerex.co/hire-me/
Join the Discord! / discord
Get Early Access to Videos! / @spacerexwill
This tutorial gives over the different ways to secure your Synology NAS, regardless of what you need!
Links:
How to Set up 2 Factor Auth: • How to Secure you Syno...
How to Setup a Reverse Proxy: • Setup Reverse Proxy on...
Encrypt your Hard Drives: • Encrypt Your Data on S...
How to Setup an OpenVPN Server: • OpenVPN Server on Syno...
Generate SSL cert: • Generate Signed SSL Ce...
What is in my Rack: www.spacerex.co/my-rack/
Top Synology Picks: www.spacerex.co/what-synology...
Affilate Links:
Synology Recommendations:
Cheapest you can buy:geni.us/EJz4c
Most powerful 4 Bay: geni.us/pO2pcSJ
6 bays, with performance overhead: geni.us/GPSdKp
Insane Performance!: geni.us/N9BcW
12 Bays in a Desktop!: geni.us/vavmdU
Drives:
Hard drives that I use: geni.us/00RP
SSD I use with Synology: geni.us/2ZxlwE
Going 10GbE:
Synology 10GbE (RJ45) Card: geni.us/SrJZ
Starter 10GbE switch: geni.us/RrhEfj
10GbE ethernet to Thunderbolt 3 adapter: geni.us/Aa5qm
*These are affiliate links, which means that if you purchase a product through one of them, I will receive a small commission (at no additional cost to you). Thank you for supporting my channel! - วิทยาศาสตร์และเทคโนโลยี
If you cut the cable its still a nas, Not Attached Storage.
😂
Put the thumbs up to port 23 for added security
Very nice comment!
@@chriss3154 port scanning should still pick it up
Awesome content, thanks!
Also, I would add the following points for any types of user:
- disable guest account as well
- change default port numbers
- force HTTPS over HTTP
- disable any protocole that you don't need (Telnet, FTP, TFTP, SSH, etc.)
- activate DoS protection
- make sure the firewall is activated
- block IP by country location
- update regularly NAS OS
- disable relay mode if Quickconnect is enabled
- possibly install free / McAfee antivirus
Cheers :)
Thank you for this video. I have been trying to make sure that I am doing enough when it comes to securing my NAS.
Glad you liked it!
Great job. You make it simple for all of us that don't have the tech expertise to secure these devices.
Thanks very much - this is the best security NAS video so far....looking forward to a Firewall dito!!
Agreed. Makes you wonder why Synology doesn't provide tutorials as good as this as a way to ensure confidence in their product.
As usual,,, another great tutorial.
Thank you
Thank you very much for this video! I noticed some things I did not think of and changed the settings!
Glad it helped!
Very well explained.
Thank you brother.
That’s it then, suggestion number one it is! 😄
What do you think about whitelisting local network IPs and adding Geo Block rule to the firewall?
Very interesting video and easy to understand.
Hey thanks! Was worried it was going to be too confusing being talking head the whole time!
Thank you for everything! =)
Great video!
Thanks a lot! Would be great to have a tutorial on how to use your custom domain (any domain) and without a static IP (plus https)!
Thank you so much man!
Cheers mate. Good video 🙂👍
Glad you liked it!
once again a great video with a combination of good common sense and know how
Glad you liked it!
your videos are so so good
Helps me to think about all options. I only go to my NAS over VPN and check the logs. Still will look at the rest. Mr, Synology!! Thank you!
Hahaha thanks!
Thank you!
The’m shirts son!! 💪🏻
I love how you explain the technical terms so clearly in your videos. My question is, can you enable/disable Quick Connect on an as-needed basis? Say you are traveling and know you will need access to your files while gone, but once home, the need is no longer there. Does disabling Quick Connect disable the ability to access the NAS, or is it a case of once it is set up it is always active?
"But I have port 22 open"
Subtle flex lol
Great video!
Did you ever make a video about Security Advisor? I have been getting a warning about "Lan service accessible from the Internet". I looked in the Synology community and found some conversations from a few years ago but no solutions as far as I could see. A lot of people guessing. So a video would be helpful. Thanks. Great channel, btw...
thanks i'm learning this stuff before i buy my first nas and try to use it to remote into, I think it's called Audiostation, but also plex possibly.
thanks, very helpful, subscribed and liked, was wandering what camera and microphone you are using, where to buy them.
Forget everything you know about complicated passwords, only the length counts. Thank you for your great Videos.
Well i always have the default admin account disabled, a custom admin account (yes, and synology.me domain...) with a very strong password, 2 step-verification and autoblock (and the options in that "section").
But i have ports opened to use DS File, DS Photo, DS Video and DS Audio when i'm not at home.
So, what do you think? I should just had the VPN option or do i need anything more?
Thanks
Super video! I applauded for $2.00 👏
Wow, thanks!
Another fantastic tutorial. Obviously an older one but I was able to find all the settings in DSM 7. I don't see the Update and Security Center tutorial link in the Description? Mentioned at the end of the video.
Hey Will. Toward the end of the video you mentioned the in house Synology Security Center and leaving a link in the description after you make a video on it. Was this ever done or am I just not finding it?
Good jod, sir!
Thanks! Glad you like the video!
These security practices can also be applied to other NAS's to. And really any server you have set up on your home network.
Very good point! In general most people who dont know what they are doing a ton should really start by just using their own VPN server
I have QuickConnect currently enabled and have tested using it to see it does work. However, in the same tab for QuickConnect, there is Router Configuration. I currently see no rules configuration. But there seems to be a setup for it. Do you have a video on that? As well under Security in DMS 7 do Firewall rules have to also be set? I just have both checkboxes checked, but what rules are they following? Let me know if you also have a video on that to follow for setup?
Thanks
Thank you!
Hi Rex, your videos are very well made, really love them. My question is this, would it make sense to combine group 2 and 3 measures? I would like to access my work files remotely (using VPN) but I also would like some services (Plex server f.i.) to be accessible to some friends remotely. Thanks in advance for your time.
Yeah that's always workable. Keeping as few things out in the open as you need really helps sure things up
Rex, thanks for the videos they are great. I've a question - is there a way to combine two nas at the same location so they work together, like being 1
Unfortunately you cannot
You have greats videos... keep walking. One question, what's your opinion (general terms, security, etc.) about the Synology Router RT2600ac and the SRM that came with it.
I personally loved it! when I moved out I sold it to my roommates to get a unifi to start messing and trying some higher grade enterprise equipment, but honestly I sometimes miss the RT2600, it just worked really well out of the box!
@@SpaceRexWill A video would be great, pro, cons, differences between RT2600ac and unifi... thanks
Why use open vpn on synology vs on a router. Is there a difference? Is there anway to do an open vpn connection without opening ports? Similar to the synology quick connect and using established and related rules on the router.
Would you consider doing a video on setting up the firewall please ?
Honestly 95% of users don’t need a firewall on their NAS, (I do not have mine enabled)
Your router should be your firewall
I bought nas but then I did not use it because of fear of security as I am not a tech person. thanks for the great video
Thanks for the great videos and helping people stay safe. I see there's a comment already on this but I strongly suggest you only access to SSH with a crypto key and disable logging with a password. Crypto keys is much more secure and I would do this regardless of whether you're exposing this via the big bad Internet or just inside the house or via VPN.
Unless your device that has ssh keys gets compromised, which directly leads to compromising ssh device too. With password auth, breaking in by stealing keys is not possible.
You mention a video with setting up SSL, but it's not linked.
One group/option I miss in between, is someone who wants other users to access the NAS, for example for DS Photo or DS Video, or uploading/downloading files, and then using QuickConnect for example.
Ah whoops! Added: th-cam.com/video/AqakuZfPuQo/w-d-xo.html
Also that ends up being in group 3
Great stuff. What about the firewall? It’s not enabled by default on a new ds920+
don't need it. your router should be your firewall
Did i miss the part mentioning two factor authentication? I have my admin account enabled but secured with a strong password and a second factor. Are there security vulnerabilitys i forgot to think about in that scenario?
Greetings from Germany!
I would just disable the account labeled "admin" at the end of the day it is just the first thing anything will guess. Maybe call it myadmin or something like that just to change it
I go over 2FA here: th-cam.com/video/MBD7D_6MLtY/w-d-xo.html
Thanks for watching!
After following your setup video and this one, I noticed there is "Antivirus Essential" in the Package Manager, which I installed. The virus definitions won't update even if I push Update Now, and keep saying Expired (dated a year ago). Hopefully it's a temporary problem.
Nicely explained in true 1&SpaceRex fashion. 😁
Would it be overkill if (I belong to Group 1) the firewall of both my Synology router (RT2600) and my Synology DS220 was enabled?
So your firewall on your Router should 100% be enabled, and then after that realistically the DSM firewall is not critical. Though its good piece of mind if you can block stuff you just don't need!
@@SpaceRexWill Yep, all services (FTP, etc) are disabled, I use SMB to connect to my Mac seeing that AFP is deprecated. (though still works), wouldn't dare touch SSH like you warned and Quick Connect, while configured, is off too. Thanks for the guidance. :)
@@SpaceRexWill Another question in that category: Would it be best to setup the VPN in the Synology Router or on the Synology NAS?
Thank you for your video. But, making your password expire makes it really easy to guess.
Just ask yourself what that perpetually “changing” password would be. Most users will change one digit or letter each time that need to change the password. So now your password ghyshd*&t45ght1 will change to ghyshd*&t45ght2 and then to ghyshd*&t45ght3 and so on. Easy to guess after some time.
Can i ask when I turn on the VPN, will it affect the other network traffic besides my connection to my NAS? The reason I am also using the quickconnect is because it is easy to connect to the mobile apps. Is there alternate way to connect to mobile apps by VPN? Thank you so much!!
What you can do is untick the setting "send all traffic" when you are setting up your VPN on your phone. Doing this will cause it to send only local traffic (like to your NAS) over the VPN but your other traffic directly to the sites
Can I open illustrator files on my computer accessing them from the NAS? Or should I download the file, work on it and then upload it again to the NAS? I'll appreciate your response. Thank you!
SMB is completely fine for a local network! That’s what makes a NAS a NAS (so yes)
I did this setup. My Drive Client backup to the NAS on my Win10 PC then needed to be unlinked and then I needed to reconnect and was forced to do a backup again. I hope my C2 backup does not need a another full backup. I suspect it will need one. Did I do something wrong to make my system to re-backup my files?
If you are trying to backup a windows PC then you should just use active backup for business
I cut the NAS cable and I never get hacked, best advice !
When I disable admin I loose the NFS fuctionallity since I have to set the folder permission to 'map all users to admin' to get it to work. Any(body) a thought on this? I recently stumbled upon your channel and have learned a ton. Thanks!
That is really weird. I have mine disabled and have squashed the permissions to admin in the past and have no issues whatsoever...
Please Sir if it is possible I wanted to know if I add my Movies wich I have downloaded on The Synology NAS ds220 will I be Tracked by goverment and get Fined from state .. Thank you please 🙏 Any answer will hel
Your channel is a gold mine, thank you so much! Can I ask, after I set up a VPN server, should I be going through that to log into SMB while I'm on my local work machine? (Rather than simply typing Cmd K right in the Finder)
If you are on a local network (the one with your synology) you do not need to use the VPN. Only use the VPN when you are not home
@@SpaceRexWill Ok perfect, that's what I thought. Thank you so much!
so for a home user who wants to use synology as personal cloud instead of google or amazon or other services, level 2 security with vpn is enough? like always accessing your network from your own devices (phones, tablets and laptops) instead of public computers but with advantage of global access....exactly like cloud services.
VPN's are incredibly secure. I have not heard of an instance of a VPN being 'hacked' but I have heard of thousands of passwords being leaked
Thanks for the video! Opening a L2TP VPN server requires to open UDP ports 500, 4500 and 1701 on our router. Is that a risk?
That is totally ok, L2TP is a VPN and designed for the internet
If admin account is disabled, you get "Your account has expired" in SSH, so it's not true that you can still log in to SSH while account is disabled and thus "it's not a bad idea to change blank password". Anyway, you can't login to SSH with blank password either.
For users that don't need outside access, is it possible to schedule when the NIC is disabled and enabled? For example, if you want to backup your server and want to schedule a back up at certain time of the day, the NIC would automatically be enabled at the time of the backup. Is that a feature that sinology brings? I think it could be a good feature for security purposes.
There is not a way to do this and honestly it’s overkill. What I would do is just block all incoming traffic on your firewall instead.
@@SpaceRexWill Got it! Do you think its overkill for personal use only or for both, personal and business?
How do I get into the NAS operating system without the quickconnect on a browser?
So all I have to do to secure my Synology NAS drive is just cut the ethernet cord? I didn't realize it was so simple
actually the best way to secure your whole network is to unplug the power cable. get with the times chad.
@@AlexRapada-ft6tm Specifically the power cable to one of your monitors. Gibbs power move!
Change port's 5000 and 5001 to something different. I kept getting login attempts then I did this and haven't gotten a single attempt since.
In trying to secure my Synology, I have created a standard user that only has access to one of the file folders in the NAS. I deleted the Network share icon that I created originally in Windows Explorer and created a new share with the new login to only that one folder. However, I can still type in the \\192.168.1.2 into Windows Explorer and all the folders show up even without a login popup. It's remembering that I had access before with my admin username and password. How do I stop this?
Are you able to see the subfolders or just the shared folders?
@@SpaceRexWill I can see all my folders and all my files and can open any one of them.
I found that if I change the password on my Synology that was originally used to set up the share, then it now asks the username and password to get into those folders. So, it is fixed now.
Hi, you haven't mentioned quick connect. Is this not a good way to access the NAS??
So quick connect falls into the third category, it really ends up trusting how securely Synology has implemented it. I would really recommend using a VPN if at all possible as it is so much more secure, however its not a glaring security hole if you have to use it. Just make sure to use strong passwords for everyone and follow everything else in this video!
@@SpaceRexWillThank you :)
Don’t you have to be an admin to disable another admin account? Is the purpose of disabling the default admin account so that you can make a separate account with a different name and give it admin permissions? Can’t you just change the admin user name to something different. We’re assuming password has been changed and MFA turned on.
A custom domain may improve security, but it's really only through obscurity.
Nice video. The face morph thing you use to cut different footage together is really distracting. A jump cut would be better. e.g. at 14:23
hmmmm! I believe I am the only person to have noticed the video morphing you accomplished in between cuts.
Can't you just rename the default administrator name to something else instead of disabling it and adding a new one?
I would honestly just not use the default admin account. Really easy to add and gives peace of mind.
I do not have a reason not to off the top of my head but I would say it’s not worth the risk
Instead of using VPN, would Tailscale be just as secure?
Yes it is a VPN
Group 1: No Remote Access - 2:37
Group 2: Remote with VPN - 4:35
Group 3: Exposing DSM Services - 6:00
I only want to acces my NAS on local and Vpn use but I have the VPN on my router
In that case you would need your VPN provider to either allow you to connect to other clients on your VPN account or you would have to have them open up a port on their router for your vpn to run
@@SpaceRexWill I am using openVPN on a Asus router. and now I can connect via a my puplic adress. But I want to block that so I can connect with my VPN on my router so I can connect localy with my NAS
As a noob with quick connect enabled I really tried to learn something. But, as a 30yo unsure if loosing hair for the last 5 years I was distracted by your hair thickness
ssh is needed for the Github.
You can run git over a VPN or at least https
Group 1 is where 99% of NAS users should be the 1% is for business users that Really Need it.i am in Group 1 and still use a firewall on router AND the NAS bound to local subnet.
If you are decently tech savvy a VPN is an incredibly secure way to connect back without worry
My dude stays poppin percs or xannys
IMPORTANT: Watch the whole video first and then secure your drive rather than following along step by step.
It would have been better, if we can see you doing everything you talked at the same time..
You could have just unplugged the network cable and not needed pliers. ;)
I want a refund! I just used my pliers to cut the network cable off and now i cant use it anymore
I hope that cable was faulty
To be fair, it can still be stolen or hacked locally.
Your forgot physical access so with the cable cut it can still be hacked, just not remotely.
Thats why I gave the disclaimer that this video did not cover any physical security such as being on the LAN / stealing drives
i am here because my synology has been attacked by dovecat crypto-miner mal ware, consuming 90% of the cpu
Did you enable a 'unofficial' package? that sucks!
Only thing I disagree with is expiring passwords. Just force good strong ones with a decent minimum length. Each additional character creates a MUCH stronger password.
I have all mine set to random 30 character strings in a password manager for instance.
Expiring passwords should be consigned to history. Even the original NIST author of the advice from way back in the 1990s regrets the advice today. Microsoft has also recently stopped advising password expiry too.
www.ncsc.gov.uk/blog-post/problems-forcing-regular-password-expiry