Webserver public in Synology, security?


I have a Synology with a webserver (port 80) and other applications like a mailserver on other ports which I would like to make public. I have a firewall router on which port 80 and the others are forwarded to my Synology, and all works fine.
However, I worry about security. There was some ransomware targeting Synology a while ago and hackers are everywhere.
(How) can I safely put my Synology out in the open?




David Favor, Linux/LXD/WordPress/Hosting Savant, commented:
Somehow you opened 5 duplicates of this question.

Answering them all here.

You'll never put your Synology out in the open as this is a disk subsystem.

You'll expose other systems, like Apache + your SMTP server on public ports. Just be sure to secure these with SSL certs + you'll be good.

Now... next point, which may be bad news.

Most residential + business ISPs have clear references in their TOS (Terms of Service) which state they disallow any listening servers (like Apache + SMTP) + they reserve the right to throttle or disable your account, till you disable these services.

Also, ISPs assign IPs at random + these can change each time, so you can't really point DNS to your local IP + expect it to work continuously.

If you somehow have deployed a Synology device via a colo (co-location) hosting company great.

If not, best not to expose any servers on your local IP.

Best to run services like Apache + mail via public hosting companies or provisioning companies like OVH, if you do your own admin.

That said, you can create an ssh tunnel from your local machine to a hosted machine somewhere on the net + interact with your Synology device easily. This means you can run massive local storage (for $0/month) + allow your public machines to access it.

You'll need to initiate your tunnel from your local machine to your remote machine, so your connection is outgoing, rather than listening.

Refer to the many ssh tunnel guides for how to do this.
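The outbound tunnel David describes, as an added example that is not part of the original answer: the NAS opens an SSH session to a hosted machine and asks that machine's sshd to listen on its loopback and forward back to the NAS web server, so nothing on the home IP listens for inbound connections. The VPS name vps.example.net, the unprivileged "tunnel" user, the key path and the loopback port 8080 are assumptions for the example; the `permitlisten` and `restrict` options are standard OpenSSH authorized_keys options (OpenSSH 7.8 or later for `permitlisten`).

```shell
#!/bin/sh
# Added example, not from the original thread: a reverse SSH tunnel so the NAS web
# server is reachable through a hosted VPS without any inbound port on the home IP.
# Assumptions (not in the original post): VPS vps.example.net with an unprivileged
# "tunnel" user, the NAS web server on 127.0.0.1:80, and an ed25519 key at KEY.

VPS_HOST=vps.example.net
VPS_USER=tunnel
KEY=/var/services/homes/admin/.ssh/tunnel_ed25519
LOCAL_WEB=127.0.0.1:80          # the service on the NAS
REMOTE_BIND=127.0.0.1:8080      # loopback on the VPS; the VPS web server proxies to it

# The outbound connection from the NAS. -R makes sshd on the VPS listen on REMOTE_BIND
# and forward it back to LOCAL_WEB. ExitOnForwardFailure turns a failed bind into a
# hard error so the restart loop below does not keep a dead session alive, and
# BatchMode/StrictHostKeyChecking stop it from ever prompting or silently accepting
# a changed host key.
tunnel_cmd() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o StrictHostKeyChecking=yes -o BatchMode=yes -i %s -R %s:%s %s@%s\n' \
        "$KEY" "$REMOTE_BIND" "$LOCAL_WEB" "$VPS_USER" "$VPS_HOST"
}

# authorized_keys entry for the VPS side, given the NAS public key as $1: "restrict"
# removes shell, pty, agent and X11 forwarding and all forwards, "port-forwarding"
# re-enables forwarding, and "permitlisten" limits remote forwards to this one listener.
vps_authorized_keys_line() {
    printf 'restrict,port-forwarding,permitlisten="%s" %s\n' "$REMOTE_BIND" "$1"
}

# Web server block on the VPS that publishes the tunnel; TLS material is set up
# separately. Because REMOTE_BIND is loopback, only this proxy can reach the tunnel.
vps_nginx_block() {
    cat <<EOF
server {
    listen 443 ssl;
    server_name $VPS_HOST;
    location / {
        proxy_pass http://$REMOTE_BIND;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$remote_addr;
    }
}
EOF
}

# Minimal supervisor for the NAS side: re-dial whenever the session drops. The same
# job can be done by autossh if it is available on the NAS.
run_tunnel_forever() {
    while :; do
        eval "$(tunnel_cmd)"
        sleep 10
    done
}

if [ "${1:-}" = "show" ]; then
    tunnel_cmd
    vps_authorized_keys_line 'ssh-ed25519 AAAA...your-nas-public-key...'
    vps_nginx_block
fi
```

Run the script with `show` to print the three pieces, install the authorized_keys line on the VPS, and start `run_tunnel_forever` from the NAS; leave `GatewayPorts` at its default of `no` in the VPS sshd_config so the forwarded listener stays on loopback. The same pattern works for the mail server by adding a second `-R` with its own `permitlisten` entry.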
btan, Exec Consultant, commented:
Repost from the other duplicated question that is going to be deleted.

You probably have to check whether the firewall has NIPS capabilities for detecting intrusion and malware. Traditional ones are only port- and IP-based. Note that a secure channel like HTTPS will also blind deep inspection. So unless you have some sort of SSL decryption and do the checks, this is one blind spot.

Nonetheless, build defence in depth. Some suggestions:

1. Access control.
Create a new administrator and disable the system default admin account.

2. Enforce a password policy.
Password complexity is needed; do not allow simple ones.

3. Restrict suspicious IP addresses with auto block.
Block after a predefined failed-login threshold. Such failed login attempts include those via SSH, Telnet, rsync, Network Backup, Shared Folder Sync, FTP, WebDAV, Synology mobile apps, File Station, or DSM.

4. Avoid unnecessary services open to the Internet and opt for secured ones.
Disable and avoid vulnerable services that tend to be exploited by hackers, like WebDAV. Ensure SFTP is used. Check whether Secure FTP is on by default when you enable the FTP service; verify that.

5. Strong authentication using 2FA.
With 2-step verification enabled, you will need to enter your password in addition to a one-time verification code when logging into DSM. The code comes from an authentication app (e.g. Google Authenticator) installed on your mobile device.

6. Secure channel for access.
With HTTPS connection enabled, connections to DSM, Web Station, Photo Station, File Station, Audio Station, and Surveillance Station will be encrypted using TLS.

7. Validation testing and exercise regime.
Always review regularly that the accounts, hardened settings, audit trail availability and notification settings are proper and not tampered with. Check for anomalies in the log trail and have notification emails on correlated events such as errors or violations. Review the points starting from (1) onwards again.

Plan out, in the event of an outage or infection, the contingency actions to kick in so that the business has minimal impact. You may not want to put all your eggs in one basket. Segregate critical data to another NAS which is not exposed to the Internet. Have additional backups and backup media for extra assurance on critical data used for core business. If you cannot afford losing or rebuilding that data, it would be your "critical data".
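The auto-block setting in point 3 above, shown as an added example that is not part of btan's answer: count authentication failures per source address over a log and report every address that reaches the threshold. The log lines are constructed for the example in the style of OpenSSH syslog messages; DSM's own log format and the list of services it counts differ, and DSM applies its threshold within a time window, whereas this example counts over the whole input.

```shell
#!/bin/sh
# Added example, not from the original thread: the logic behind DSM's "auto block"
# setting, run over constructed log lines (OpenSSH-style syslog messages; DSM's own
# log format may differ). Addresses with THRESHOLD or more failed logins are reported.
THRESHOLD=5

# Constructed sample log. 203.0.113.7 fails five times, 2001:db8::1 six times,
# 198.51.100.23 twice; 192.0.2.10 logs in successfully and must not be counted.
sample_log() {
cat <<'EOF'
Jan 10 02:14:01 nas sshd[1201]: Invalid user admin from 203.0.113.7 port 41922
Jan 10 02:14:03 nas sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 41922 ssh2
Jan 10 02:14:06 nas sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 41930 ssh2
Jan 10 02:14:09 nas sshd[1205]: Failed password for root from 203.0.113.7 port 41940 ssh2
Jan 10 02:14:11 nas sshd[1207]: Failed password for root from 203.0.113.7 port 41951 ssh2
Jan 10 02:14:15 nas sshd[1209]: Failed password for root from 203.0.113.7 port 41963 ssh2
Jan 10 02:20:44 nas sshd[1222]: Failed password for admin from 198.51.100.23 port 51002 ssh2
Jan 10 02:20:52 nas sshd[1224]: Failed password for admin from 198.51.100.23 port 51007 ssh2
Jan 10 02:25:00 nas sshd[1240]: Accepted publickey for backup from 192.0.2.10 port 40011 ssh2
Jan 10 03:01:01 nas sshd[1301]: Failed password for root from 2001:db8::1 port 33001 ssh2
Jan 10 03:01:04 nas sshd[1302]: Failed password for root from 2001:db8::1 port 33002 ssh2
Jan 10 03:01:07 nas sshd[1303]: Failed publickey for root from 2001:db8::1 port 33003 ssh2
Jan 10 03:01:10 nas sshd[1304]: Failed password for admin from 2001:db8::1 port 33004 ssh2
Jan 10 03:01:13 nas sshd[1305]: Failed password for admin from 2001:db8::1 port 33005 ssh2
Jan 10 03:01:16 nas sshd[1306]: Failed password for guest from 2001:db8::1 port 33006 ssh2
EOF
}

# Read log lines on stdin, count failures per source address and print "ip count"
# for every address at or above THRESHOLD. Only "Failed ..." lines count; the
# "Invalid user" line that precedes one of them is the same attempt and is skipped.
# The address is taken as the word after "from", which works for IPv4 and IPv6.
offending_ips() {
    awk -v t="$THRESHOLD" '
        /Failed (password|publickey) for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }
    ' | sort
}

# What the resulting block list amounts to as raw firewall rules. On DSM the
# supported way is the auto block / firewall GUI; this just shows the effect.
block_rules() {
    offending_ips | while read -r ip count; do
        case "$ip" in
            *:*) printf 'ip6tables -I INPUT -s %s -j DROP   # %s failures\n' "$ip" "$count" ;;
            *)   printf 'iptables -I INPUT -s %s -j DROP   # %s failures\n' "$ip" "$count" ;;
        esac
    done
}

if [ "${1:-}" = "demo" ]; then
    sample_log | offending_ips
    sample_log | block_rules
fi
```

Run with `demo` to see the two offending addresses and the rules; to use it on a real host, replace `sample_log` with the host's authentication log. Note that a single "Invalid user" probe that never proceeds to a password attempt is deliberately not counted, so a scanner that only enumerates usernames will not trip the threshold with this matcher.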

janhoedt (Author) commented:
> That said, you can create an ssh tunnel from your local machine to a hosted machine somewhere on the net + interact with your Synology device easily. This means you can run massive local storage (for $0/month) + allow your public machines to access it.

How is that done? I don't have public hosting (yet) and don't actually need it. I could buy it just for this purpose. Should I, and if so which one, how do I set up the tunnel, and is it a stable solution?
btan, Exec Consultant, commented:
Also sharing these, as they are worthwhile reading from experience; though a rather old post, it is still very much relevant to tap into the wisdom at large.

Keep your Synology updated. So far, in both the dogecoin malware and Synolocker ransomware attacks it seems attackers were able to use known exploits in the DSM 4.3-3810 builds – a build that's nearly 9 months old and has seen 6 updates to the DSM 4.3 builds alone. That's NOT counting the newer DSM 5.0 builds and updates.

Update your stuff man! I know in DSM 5.0 you can actually make the NAS look for updates and notify you when there are updates available.
Several people enable SSH and leave it enabled. There shouldn't be any reason to leave SSH open all the time. If you need to do something via the command line, enable it, do your work, then disable it when finished.
Located in the Synology package center is an app called “Antivirus Essentials“, which I’d also recommend installed on your NAS as you can have it scheduled to scan files as often as you like.
CrashPlan is very affordable, encrypts the backups and provides file versions which is great if you get hit by Synolocker as you’ll be able to wipe the Synology and restore your files from a previous version!
A potential port to translate on your Synology is port 5001. This port is used to access the Synology console with a web browser on a secure http (https) connection. If you want, for whatever reason, to be able to access this from the internet, you should choose a high port number to access from the internet. (i.e. 54931). NAPT can translate this to 5001 on the inside and passes it through to your DiskStation. With this construction you don’t have to modify anything on your DiskStations configuration. On your local network you have to access the DiskStation on port 5001.
Using geographical restrictions can make you a whole lot safer. If you opened a port for your own purposes only and you live in the south of Germany, then it is likely that most of the time you'll stay in Germany. It is very unlikely that you need access to that port from Nigeria, China, Russia, Ukraine, the United States of America, Norway, Sweden or whatever other country you can think of. It is a good idea to limit access to this specific port to Germany.
A big advantage of using a VPN connection is that you can refrain from publishing ports on the internet for services like the DSM desktop. Through a VPN connection you still can access the DSM desktop remotely, but an attacker has to hack himself into your VPN first before he can start attacking your DSM desktop. There also maybe some other services only used by you, you might want to make accessible through VPN only.

You can use the VPN server that can be installed on your DiskStation. You may want to consider using another device that functions as VPN server. When your DiskStation may become compromised, you can’t trust the VPN connection any longer. It might be rerouted without you even noticing it. Some Modem/Routers have VPN functionality built in. Check the manual of your Modem/Router.
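The geographical restriction on the translated DSM port described above, as an added example that is not part of the quoted post: an allow list of address prefixes for the admin port and a drop rule for everyone else, plus the prefix check that such a rule performs for each packet. The two CIDRs are constructed stand-ins, not real country allocations; a real rule set takes the prefixes from a GeoIP database (DSM's firewall can do this by region in the GUI). The port is 5001 because the NAS sees the traffic after the router has translated the public port 54931.

```shell
#!/bin/sh
# Added example, not from the original thread: what a "Germany only" rule on the
# DSM port amounts to. ALLOW_CIDRS is a constructed stand-in for the prefixes a
# GeoIP database would supply; the port numbers follow the quoted post.
ALLOW_CIDRS="185.12.0.0/15 5.56.0.0/14"   # constructed, not real country allocations
DSM_PORT=5001                              # on the NAS, after the router NAPTs 54931 -> 5001

# IPv4 dotted quad -> 32-bit integer (IPv4 only; IPv6 prefixes need a wider type).
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/BITS -> exit 0 if IP lies inside the prefix.
in_cidr() {
    net="${2%/*}"
    bits="${2#*/}"
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# ip_allowed IP -> exit 0 if IP falls in any allowed prefix. This is the per-packet
# decision a geo rule makes; a firewall does it with an ipset rather than a loop.
ip_allowed() {
    for c in $ALLOW_CIDRS; do
        in_cidr "$1" "$c" && return 0
    done
    return 1
}

# The rule set: accept the DSM port from the allow list, drop it from everyone else.
# Order matters: the ACCEPT rules must be evaluated before the final DROP.
geo_rules() {
    for c in $ALLOW_CIDRS; do
        printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$DSM_PORT" "$c"
    done
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$DSM_PORT"
}

if [ "${1:-}" = "demo" ]; then
    for ip in 185.12.34.5 5.57.1.1 203.0.113.7; do
        if ip_allowed "$ip"; then echo "$ip allowed"; else echo "$ip dropped"; fi
    done
    geo_rules
fi
```

The allow list only gates the management port; the web and mail ports the question wants public stay open to everyone, which is why the quoted post pairs the geo rule with the VPN advice for services only the owner uses.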

btan, Exec Consultant, commented:
For author advice