carmody (dot) me

Periodic posts and projects

Securing a Synology NAS

I’ve owned a Synology DiskStation for around 3 years and where once I was using it as a basic media and storage server, these days I find it an invaluable solution to my self-hosting needs as I move away from online services and look to take back some control and privacy in my digital life.

Of course the safest way to protect your NAS is to simply ensure it isn’t exposed to the public internet at all, stick it behind a firewall and access it via a VPN but if like me you want to self-host services for yourself and your family then you need to make those services available easily over the public internet without introducing technical complexity to family members, so below are the steps I’ve taken to secure my own NAS but still provide an element of flexibility when accessing those essential services.

Authentication

Regardless of whether you carry out all the recommendations in this post at the very least you should disable the Synology’s default admin account and in it’s place create a new one with a username that can’t be easily guessed and with that new admin account ensure that 2-step authentication is enabled.

Two factor is worthy of a post to itself as there’s plenty MFA apps available and advice on best practice but for an additional level of security I would recommend a separate 2FA application rather than adding it to your password manager.

Finally in this section and to stop brute force attacks, the Synology has a handy ‘Auto Block’ feature whereby it will block authentication attempts from IP addresses that have attempted to log in unsuccesfully a number of times in a set period of time. I personally set mine quite agressive, after 5 failed login attempts within a 5 minute period.

Ports and Protocols

The default management ports on the Synology (5000 for HTTP) and (5001 for HTTPS) are well documented and that makes it an easy target for port scanners and script kiddies, so it’s highly recommended to change these to something else entirely that only you know. It doesn’t stop anyone from scanning all your ports but it’s still a useful step in increasing your security posture1.

Disable any unused protocols, particularly SSH, Telnet, FTP if you aren’t planning to use these. If you are then similarly to above, obfuscate the ports, particuarly SSH.

Set TLS/SSL profile’s to the highest levels of security (Modern compatibility), no one should be using outdated browsers and therefore shouldn’t be impacted by this change and in the same section Enable Kernal Page Isolation2.

Firewall and Hardening

Even if your Synology sits behind a router/firewall I would still recommend enabling the Synology’s own Firewall and hardening thereafter. In my own setup I have two specific rules set, however it has to be said that these are paricularly effective as I have a static IP address with my ISP, if you aren’t able to take advantage of a static IP then the third rule inparticular cannot be adopted;

First, I have a rule that always allows access from my local subnet (192.x.x.x), this ensures I never get locked out while I’m at home and this can be tied down further to a specific internal IP (such as your main laptop).

The second rule allows access from anywhere to my secure reverse proxy port(s) - more on that later but these provide access to the self-hosted services that I run.

Finally, the third rule only allows access to the Synology’s web management from my external static IP. So as long as I’m either at home or coming in to my network through a VPN, I’ll be able to log in to the Synology, everyone else is denied.

Docker and Reverse Proxies

As I mentioned at the start of this post, I run a number of Docker instances that provide essential services for myself and my family3 and they need to be accessible over the public internet for convenience but balanced with an appropriate level of security and this is where the Synology’s super useful Reverse Proxy comes in to play.

The Docker services that I run all run on local ports but externally they are accessed over a single secure port with their own SSL certificates from Let’s Encrypt configured. It’s effective and means I don’t need to open up numerous ports on my firewall and that way the internal Docker ports are also never exposed.

Notifications and Security Alerting

Finally, having said all that you can’t have effective security without knowing what’s going on in your network, so enabling notifications and alerts is an extremely important step to take. Regardless of what security you implement or how you harden, someone who wants access will probably get access, so being notified of a security event at least enables you to react in a timely way before it gets too late.

Hopefully you’ll find some or all of this useful to ensure you’re protecting yourself and your data and it has to be said that Synology have put an awful lot in to providing you with options to secure and harden the NAS.


  1. Just remember to also change these ports on any Synology Apps you may also use too. [return]
  2. The performance impact is minimal on my own NAS. [return]
  3. BitWarden and Tiny Tiny RSS are two essential services I self host. [return]
Posted on Aug 25, 2019