Today we will see how to secure a Synology NAS. A NAS is a server that lets you share files, photos, and videos, but it can be used for many other things thanks to its many built-in applications.
It is possible to make your NAS accessible to other users, whether on your local network or from outside via the Internet.
It is therefore essential to secure your NAS before you even put it on the Internet. Indeed, the Internet is full of malicious people and bots who will undoubtedly try to access your NAS server.
The idea is to use a VPN, which will allow you to access your NAS without having to open multiple ports. However, that is not what we will cover here. Here we’ll talk about the few steps to put in place on your NAS to secure it.
As with your computer or other connected devices, updates provide additional features and close security gaps.
Tips to Secure a Synology NAS
It is essential to keep your server regularly updated. Minor updates can be installed automatically. However, major updates will need to be installed manually and sometimes require a restart of your NAS.
Enable automatic updates on a Synology NAS
From your Synology NAS configuration panel, click “Update and Restore.”
This panel allows you to check that no updates are pending. By clicking “Update Options,” you can let your NAS install updates automatically according to the schedule you’ve set.
To increase your odds of not missing an update, you can set up email notifications. They are available in the “System” and “Notifications” configuration panel.
Attacks can be targeted, but in most cases they come from bots that brute-force passwords using password dictionaries.
You can set up automatic blocking of these attacks via a DSM feature. The IP addresses of the attackers will then be blocked after a few attempts.
To set up this blocking, go to the configuration panel, then ‘Connectivity’ and ‘Account’, and check the box to activate the auto-block. You can change the number of failed attempts that will lead to the IP address being blocked.
This block may be temporary or permanent.
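The auto-block behaviour described above can be modelled in a few lines. This is an added example, not Synology's code: the class and function names, the thresholds, the time window and the sample login events are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

class AutoBlock:
    """Illustrative model of failed-login auto-blocking (not DSM's own code)."""
    def __init__(self, max_attempts, within_minutes, block_minutes=None):
        self.max_attempts = max_attempts
        self.window = timedelta(minutes=within_minutes)
        # block_minutes=None models a permanent block, a number a temporary one.
        self.block_for = None if block_minutes is None else timedelta(minutes=block_minutes)
        self.failures = defaultdict(deque)  # ip -> times of recent failed logins
        self.blocked = {}                   # ip -> expiry time, or None if permanent

    def is_blocked(self, ip, now):
        if ip in self.blocked and self.blocked[ip] is not None and now >= self.blocked[ip]:
            del self.blocked[ip]            # temporary block has expired
        return ip in self.blocked

    def record(self, when, ip, success):
        now = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
        if self.is_blocked(ip, now):
            return "dropped"                # refused even with the right password
        if success:
            return "ok"
        recent = self.failures[ip]
        recent.append(now)
        while now - recent[0] > self.window:
            recent.popleft()                # forget failures outside the window
        if len(recent) >= self.max_attempts:
            self.blocked[ip] = None if self.block_for is None else now + self.block_for
            recent.clear()
            return "blocked"
        return "failed"

# Constructed sample events: (time, source IP, did the login succeed?)
SAMPLE_EVENTS = [
    ("2024-05-01 03:00:01", "203.0.113.7", False),
    ("2024-05-01 03:00:02", "203.0.113.7", False),
    ("2024-05-01 03:00:03", "203.0.113.7", False),   # third failure: blocked
    ("2024-05-01 03:00:04", "203.0.113.7", True),    # correct guess, still dropped
    ("2024-05-01 08:15:00", "192.168.1.20", False),  # owner mistypes once
    ("2024-05-01 08:15:10", "192.168.1.20", True),
    ("2024-05-01 08:30:00", "203.0.113.7", False),   # same source, hours later
]

def replay(policy, events):
    return [policy.record(*event) for event in events]
```

Replaying the events with `AutoBlock(3, 5, block_minutes=60)` and then with `AutoBlock(3, 5)` shows the difference between the two settings: only the permanent block still refuses the last attempt.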
Turn off the admin account
Some of the attempts to intrude into your NAS will be made with a known username. The default account is “admin,” so it will be the one tested. To reduce the risk of intrusion, it is strongly recommended to disable the admin account. If you use it, create another account, grant it admin rights, and then disable the admin account. Avoid common names such as ‘admin,’ ‘administrator,’ or ‘root’ when setting up your NAS.
You can disable the admin account via the configuration panel: click “User” and then open the admin account properties. Be careful: you will have to do so from an administrative account other than the admin account.
I recommend doing the same for the Guest account.
A strong password for all
I can’t say it enough. Choose a strong password. Forget your date of birth, the first name of your dog, or your children. If you can generate a random password and use a password manager, it’s even better.
You can force the use of a strong password for all users from the configuration panel, under “User” and then “Advanced.”
Enable two-factor authentication
And yes, I couldn’t help but invite you to set up two-factor authentication on your NAS.
To set up two-factor authentication, head to the user configuration panel and then the “Advanced” tab, and select “Apply 2-step verification for the following users.”
You can activate the option for administrators only or for all users.
You will then be asked to activate two-factor authentication. I suggest Authy as the authentication application.
From then on, when you log in to your NAS, you’ll be asked for the second factor, which significantly improves security when connecting to DSM on your Synology.
HTTPS will allow you to encrypt and secure network traffic between your NAS and your clients (PC, smartphone). It will protect you from man-in-the-middle attacks.
Here we’ll see how to use HTTPS, and especially how to force access over HTTPS by redirecting HTTP to HTTPS.
Go to Network, then DSM Settings. Check the box to redirect HTTP connections to HTTPS automatically. Now, every time you log in to DSM, you’ll go through the HTTPS protocol.
If you want to avoid the missing or invalid certificate warning, don’t forget to install a certificate.
Change the default HTTPS port
While changing ports will not stop the NAS from being subjected to intrusion attempts, it will evade bots that target only the default Synology ports 5000 and 5001.
To change these ports, go to the Network configuration panel and then the “DSM Settings” tab.
You can choose any port you like, as long as it is not already in use and is between 1024 and 65535.
Turn off SSH and Telnet
The SSH and Telnet protocols may be useful for specific tasks, but you rarely need them running all the time. So I encourage you to turn them off if you don’t need them (they’re not enabled by default), and if you need them, change the SSH and Telnet ports, since the default ones (22 and 23) are attacked far too often.
You can check all of this in the configuration panel, under ‘Applications’, then ‘Terminal and SNMP’.
Turn on DDoS protection
Activating DDoS protection will help you avoid DDoS-type attacks on your NAS. Indeed, with this option, your Synology NAS will only respond to one ICMP ping packet per second. If the frequency is higher than once per second, the Synology NAS will not respond to the ping request.
This option is available in the Security Connectivity configuration panel and then in the Protection tab.
Select your network interface and then check the “Enable DoS Protection” box.
Activate the firewall
As on a computer, the firewall lets you set strict rules that allow or deny connections to specific services.
The advantage here is that you can perfectly well add a rule that allows only your IP or, for example, only French IP addresses. It all depends on your needs, but here again, you can increase the security of access to your data.
The firewall is available in the “Firewall” configuration panel.
Activate the firewall by checking the box and change the rules as needed.
Here, for example, from the Internet, I only allow French IPs to access certain services. And from the LAN, everything is permitted.
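The policy above (everything from the LAN, selected services for one country, nothing else) depends on rule order and on what happens when no rule matches. The following added example is a generic first-match model, not DSM's implementation; the rule names, the LAN range, the placeholder "FR" network (a documentation range, not a real country allocation) and the choice of port 5001 are assumptions.

```python
import ipaddress

# Constructed rule set: (name, source network, allowed ports or None for all, action)
RULES = [
    ("LAN: everything", "192.168.1.0/24", None, "allow"),
    ("Internet: FR placeholder, DSM HTTPS", "198.51.100.0/24", {5001}, "allow"),
    ("Everything else", "0.0.0.0/0", None, "deny"),
]

def evaluate(rules, src_ip, dst_port, default="deny"):
    """Return (action, rule name) for the first rule that matches the connection."""
    addr = ipaddress.ip_address(src_ip)
    for name, network, ports, action in rules:
        net = ipaddress.ip_network(network)
        # An IPv6 source never matches an IPv4 network, so it can slip past
        # an IPv4-only "deny all" rule and reach the default action.
        if addr in net and (ports is None or dst_port in ports):
            return action, name
    return default, "no rule matched"

def audit(rules, probes, default="deny"):
    """Evaluate constructed probe connections and return the allowed ones."""
    return [(ip, port) for ip, port in probes
            if evaluate(rules, ip, port, default)[0] == "allow"]

# Constructed probes: LAN host, in-country host, foreign host, IPv6 host.
PROBES = [
    ("192.168.1.50", 22),
    ("198.51.100.10", 5001),
    ("198.51.100.10", 22),
    ("203.0.113.9", 5001),
    ("2001:db8::1", 5001),
]
```

With `default="deny"` only the first two probes get through; calling `audit(RULES[:2], PROBES, default="allow")` shows that dropping the final deny rule while the fall-through action is allow lets every probe except the LAN-only and FR-only matches be decided by the default.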
Test your NAS with the Security Advisor
That’s it; we’re almost done putting in place the security of our Synology NAS. Finally, it may be worth testing the security of your Synology NAS with the Security Advisor app. Indeed, this application allows you to run a test on the security of your NAS.
This tool is available from the main menu by clicking “Security Advisor.”
You can run an analysis to make sure your NAS is adequately protected. If there are anomalies, your NAS will offer you solutions. Top!
We’re done here. If you’re thinking of other methods or other tips to secure your Synology NAS, don’t hesitate to share them.