janhoedt

asked on

Webserver public in Synology, security?

Hi,

I have a Synology with a webserver (port 80) and other applications like a mailserver on other ports which I would like to make public. I have a firewall router on which ports 80 and others are forwarded to my Synology (192.168.0.9) and all works fine.
However, I worry about security. There was some ransomware targeting Synology a while ago and hackers are everywhere.
(How) can I safely put my Synology out in the open?

J.
David Favor

Somehow you opened 5 duplicates of this question.

Answering them all here.

You'll never put your Synology out in the open as this is a disk subsystem.

You'll expose other systems, like Apache + your SMTP server on public ports. Just be sure to secure these with SSL certs + you'll be good.

Now... next point, which may be bad news.

Most residential + business ISPs have clear references in their TOS (Terms of Service) which state they disallow any listening servers (like Apache + SMTP) + they reserve the right to throttle or disable your account, till you disable these services.

Also, ISPs assign IPs at random + these can change each time, so you can't really point DNS to your local IP + expect it to work continuously.

If you somehow have deployed a Synology device via a colo (co-location) hosting company great.

If not, best not to expose any servers on your local IP.

Best to run services like Apache + mail via public hosting companies or provisioning companies like OVH, if you do your own admin.

That said, you can create an ssh tunnel from your local machine to a hosted machine somewhere on the net + interact with your Synology device easily. This means you can run massive local storage (for $0/month) + allow your public machines to access it.

You'll need to initiate your tunnel from your local machine to your remote machine, so your connection is outgoing, rather than listening.

Refer to the many ssh tunnel guides for how to do this.
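The outbound-only tunnel described above, written out as an added example (it is not code from the original answer or from Synology). It assumes a rented VPS reachable as vps.example.net with an unprivileged account named tunnel and an ssh key used only for the tunnel; those names, the 8080 relay port and the key path are placeholders. The 192.168.0.9 address and port 80 are the NAS and service from the question.

```shell
#!/bin/sh
# Publish a LAN service through a reverse SSH tunnel. The LAN side dials OUT to
# a rented VPS; the VPS's sshd opens REMOTE_PORT and relays every connection on
# it back over the tunnel to LOCAL_HOST:LOCAL_PORT. Nothing is opened on the
# home router, and DNS points at the VPS, so the ISP's changing address and its
# no-listening-servers clause are no longer in the picture.
#
# Placeholder values (assumed, not from the original thread), overridable from
# the environment. 192.168.0.9 and port 80 are the NAS and service in the question.
VPS_HOST="${VPS_HOST:-vps.example.net}"            # rented server with a static IP
VPS_USER="${VPS_USER:-tunnel}"                     # unprivileged VPS account, tunnel only
KEY_FILE="${KEY_FILE:-$HOME/.ssh/tunnel_ed25519}"  # key authorised only for that account
LOCAL_HOST="${LOCAL_HOST:-192.168.0.9}"            # the Synology
LOCAL_PORT="${LOCAL_PORT:-80}"                     # Web Station
REMOTE_BIND="${REMOTE_BIND:-127.0.0.1}"            # where on the VPS the relayed port listens
REMOTE_PORT="${REMOTE_PORT:-8080}"

# 127.0.0.1 keeps the relayed port reachable only from the VPS itself, so a
# reverse proxy on the VPS (nginx, Caddy) can terminate TLS in front of it.
# Binding to 0.0.0.0 exposes the raw port to the whole Internet and also needs
# "GatewayPorts yes" in the VPS's sshd_config before sshd will honour it.
bind_scope() {
    case "$1" in
        127.0.0.1|localhost|::1) echo vps-only ;;
        *)                       echo public ;;
    esac
}

# Compose the ssh command line.
#   -N                          no remote shell, forwarding only
#   -R bind:rport:lhost:lport   the reverse forward itself
#   ExitOnForwardFailure=yes    exit (and get redialled below) if rport is already
#                               taken, instead of sitting there with no forward
#   ServerAliveInterval/CountMax  notice a dead link within about 60 s
#   BatchMode=yes               never prompt; fail instead, so the loop continues
tunnel_cmd() {
    opts="-N -o BatchMode=yes -o ExitOnForwardFailure=yes -o ServerAliveInterval=20 -o ServerAliveCountMax=3"
    fwd="$REMOTE_BIND:$REMOTE_PORT:$LOCAL_HOST:$LOCAL_PORT"
    printf '%s' "ssh $opts -i $KEY_FILE -R $fwd $VPS_USER@$VPS_HOST"
}

# Keep the tunnel up: ssh returns whenever the link dies, the VPS reboots or the
# forward is refused; back off briefly and redial. Run this from the NAS itself
# (DSM's Task Scheduler can start it at boot) or from any always-on LAN host.
run_tunnel() {
    echo "publishing $LOCAL_HOST:$LOCAL_PORT on $VPS_HOST:$REMOTE_PORT ($(bind_scope "$REMOTE_BIND"))"
    while :; do
        eval "$(tunnel_cmd)"
        sleep 10
    done
}

case "${1:-}" in
    start) run_tunnel ;;
    show)  tunnel_cmd; echo ;;
esac
```

On the VPS, lock the tunnel account down in its authorized_keys entry with the standard OpenSSH key options, e.g. `restrict,port-forwarding,permitlisten="127.0.0.1:8080"` in front of the key, so a stolen key can only set up that one forward and cannot get a shell. Note what the tunnel does and does not buy you: the NAS is no longer reachable from the Internet, but the forwarded service (Web Station here) is, through the VPS, so the hardening of that service still matters.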
btan

Repost from the other duplicated questions, which are going to be deleted.

====================
You probably have to check whether the firewall has NIPS capabilities for detecting intrusions and malware. Traditional ones are just port- and IP-based. Note that a secure channel like HTTPS will also blind deep inspection. So unless you have some sort of SSL decryption and do the checks, this is one blind spot.

Nonetheless, build defence in depth. Some suggestions.

1. Access Control.
Create new administrator and disable the system default admin account.

2. Enforce Password policy.
Password complexity is needed; do not allow simple ones.

3. Restrict suspicious IP addresses with auto block.
Block after a predefined failed-login threshold. Such failed login attempts include those via SSH, Telnet, rsync, Network Backup, Shared Folder Sync, FTP, WebDAV, Synology mobile apps, File Station, or DSM.

4. Avoid unnecessary services open to the Internet and opt for secured ones.
Disable and avoid vulnerable services that tend to be exploited by hackers, like WebDAV. Ensure SFTP is used. Note whether Secure FTP is on by default when you enable the FTP service; verify that.

5. Strong authentication using 2FA.
When 2-step verification is enabled, you will need to enter your password in addition to a one-time verification code when logging into DSM. The code comes from an authentication app (e.g. Google Authenticator) installed on your mobile device.

6. Secure channel for access.
When HTTPS connection is enabled, connections to DSM, Web Station, Photo Station, File Station, Audio Station, and Surveillance Station will be encrypted using TLS.

7. Validation testing and exercise regime.
Always review regularly that the accounts, hardened settings, audit trail and notification settings are in proper order and not tampered with. Check for anomalies in the log trail and have notification emails on correlated events such as errors or violations. Review the points starting from (1) onwards again.

Plan out, in the event of an outage or infection, the contingency actions to kick in so that the business has minimal impact. You may not want to put all your eggs in one basket. Segregate critical data onto another NAS which is not exposed to the Internet. Have additional backups and backup media for extra assurance on critical data used for the core business. If you cannot afford to lose or rebuild that data, it would be your "critical data".

https://originwww.synology.com/en-us/knowledgebase/DSM/tutorial/General/How_to_add_extra_security_to_your_Synology_NAS
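The failed-login threshold behind item 3 above, written out as an added example so the logic can be run against a log by hand. This is not Synology's code and DSM's own Auto Block does this natively; the log format, the addresses (TEST-NET ranges) and the iptables rules at the end are constructed for illustration, and the window/threshold values are choices, not DSM defaults.

```shell
#!/bin/sh
# Threshold-based auto-block: an IP that fails THRESHOLD logins within any
# WINDOW-second span is blocked, once, the moment it crosses the line.
#
# Constructed sample log (NOT a real Synology log format), one event per line:
#   <epoch seconds> <service> <FAIL|OK> <client IP>
SAMPLE_LOG='1700000000 ssh FAIL 203.0.113.5
1700000005 ssh FAIL 203.0.113.5
1700000010 dsm FAIL 203.0.113.5
1700000012 dsm OK 198.51.100.7
1700000020 ftp FAIL 192.0.2.9
1700001000 ftp FAIL 192.0.2.9
1700002000 ftp FAIL 192.0.2.9
1700002500 webdav FAIL 198.51.100.7
1700002501 webdav FAIL 198.51.100.7
1700002502 webdav FAIL 198.51.100.7
1700002503 webdav FAIL 198.51.100.7'

# Print each client IP that reaches THRESHOLD failures inside WINDOW seconds.
# Successful logins are ignored, and failures older than the window are
# forgotten, so a slow trickle (192.0.2.9 above, one failure every ~17 min)
# never triggers. Every service counts towards the same per-IP total, which
# is what makes the block useful against an attacker rotating through
# SSH, FTP, WebDAV and DSM.
# usage: auto_block_candidates THRESHOLD WINDOW < log
auto_block_candidates() {
    awk -v threshold="$1" -v window="$2" '
        $3 == "FAIL" {
            ip = $4; ts = $1
            # keep only the failures of this IP that are still inside the window
            n = split(times[ip], t, " ")
            kept = ""; c = 0
            for (i = 1; i <= n; i++)
                if (t[i] > ts - window) { kept = kept " " t[i]; c++ }
            kept = kept " " ts; c++
            times[ip] = kept
            if (c >= threshold && !(ip in blocked)) {
                blocked[ip] = ts
                print ip
            }
        }'
}

# Turn the candidates into firewall rules. Printed, not executed: on a Synology
# the firewall is managed from DSM, and on a plain Linux host you would review
# this output before piping it into sh.
# usage: block_rules THRESHOLD WINDOW < log
block_rules() {
    auto_block_candidates "$1" "$2" |
    while read -r ip; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

# Demo on the constructed log: 3 failures within 5 minutes gets an IP blocked.
demo() {
    printf '%s\n' "$SAMPLE_LOG" | block_rules 3 300
}

case "${1:-}" in
    demo) demo ;;
esac
```

Running `sh autoblock.sh demo` on the constructed log blocks 203.0.113.5 (three failures in ten seconds) and 198.51.100.7 (its one successful login is ignored; the WebDAV burst counts), and leaves 192.0.2.9 alone. The same per-IP, per-window counting is what DSM's Auto Block does with the threshold you configure under Security.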
janhoedt

ASKER

> That said, you can create an ssh tunnel from your local machine to a hosted machine somewhere on the net + interact with your Synology device easily. This means you can run massive local storage (for $0/month) + allow your public machines to access it.

How is that done? I don't have public hosting (yet) and don't actually need it. I could buy it just for this purpose. Should I, and if so which one, how do I set up the tunnel, and is it a stable solution?
ASKER CERTIFIED SOLUTION
btan
