Is it safe to publish your Synology on the internet?

Hi,

I like the idea of “Drive” and apps like DSget and DSfile over the internet so you have access to your files everywhere. Problem is, you need to port forward port 5001 and it makes me a little nervous.

In one month, I had over 10 login attempts from China with the user admin. I had to block almost all countries but nonetheless, an attacker could use a VPN so…

My syno is so awesome but everything is in the same box and I fear that, someday, a security breach could give access to the whole box (and all its data of course).

So, do you use it on the internet? I’m wondering what others are doing.

For now, I removed the port forwarding and only access it through VPN.

VPN is much safer, especially if set up with strong passwords and certificates. Stick to it.

You could use an online drive service like Google Drive then use CloudSync on the Synology to sync your files. You don’t even need VPN then, and Google tends to have better security than you at home.

VPNs are probably safest, but I find it so frustrating to try and get these working stably with other things, especially when I have to connect to multiple VPNs in my life (work, home etc.)

  1. Set a very tight block on the Synology login section. Like three failed attempts in 5 minutes = block forever.

  2. If you can, are you able to look at upgrading your firewall/router? I use Sophos UTM 9 which has fairly robust anti-portscanning / country block tech… but pfsense or something like that is fine too.

  3. Change ports of the services; a lot of attempts can be removed by swapping port 22 to something like 2222 or equivalent.

I have my NAS set as a DMZ in my network for almost three years now (basically just opening up ALL ports to it). It is running two personal websites, being my e-mail server and doing tons of other stuff. Haven’t had a problem ever. BUT… I did by default block all annoying countries like Russia, Turkey, China. Which will mean people from there also won’t be able to visit my website and mail servers from those countries will be refused by my mail server, but that is just a bonus, because I don’t want any Russians, Turkish people or Chinese hackers to contact or visit me anyways.

I do use SSH connections myself, but don’t enforce them. You can also connect “unsafe” to my NAS.

Again, having my system absolutely wide open never caused me any troubles, but I did spend a decent amount of time setting up the firewall. I am using two factor authentication on ALL accounts that are on the NAS and I have a very unforgiving policy on failed login attempts. Any IP doing three invalid login attempts in a MONTH will be blacklisted indefinitely.
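The two auto-block policies quoted in this thread (three failures in 5 minutes, and three failures in a month) are the same sliding-window rule with different parameters. The following is an added example, not code from the thread or from Synology: it applies that rule to constructed failed-login log lines (the line format is made up for the example; real DSM logs differ) and reports which sources each policy would have blocked and when.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log lines in a made-up format; real DSM logs differ.
SAMPLE_LOG = """\
2024-03-01T08:00:01 auth failed user=admin from=203.0.113.5
2024-03-01T08:01:10 auth failed user=admin from=203.0.113.5
2024-03-01T08:02:30 auth failed user=root from=203.0.113.5
2024-03-01T08:03:00 auth ok user=alice from=198.51.100.7
2024-03-01T09:00:00 auth failed user=admin from=198.51.100.9
2024-03-01T12:00:00 auth failed user=admin from=198.51.100.9
2024-03-02T09:00:00 auth failed user=admin from=198.51.100.9
"""
LINE_RE = re.compile(r"^(\S+) auth (failed|ok) user=(\S+) from=(\S+)$")

def blocked_ips(log_text, max_failures, window_seconds):
    """Return {ip: datetime_of_block} for sources that reached max_failures
    within any sliding window of window_seconds. Once blocked, a source stays
    blocked (the thread's "block forever" policy); successes do not reset it."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)      # ip -> timestamps of recent failures
    blocked = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                 # ignore lines that do not parse
        ts = datetime.fromisoformat(m.group(1))
        ip = m.group(4)
        if ip in blocked or m.group(2) != "failed":
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            blocked[ip] = ts
    return blocked

if __name__ == "__main__":
    print("3 in 5 minutes:", sorted(blocked_ips(SAMPLE_LOG, 3, 300)))
    print("3 in 30 days  :", sorted(blocked_ips(SAMPLE_LOG, 3, 30 * 24 * 3600)))
```

The slow scanner (one attempt every few hours) only trips the month-long policy, which is the trade-off between the two posts above.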

Two things you can do to help protect your NAS that I use. Use an SSL certificate that you can get free from Let’s Encrypt, or you can purchase one. Second is setting up the security service to set up the geo-IP blocking on the NAS so you can block by country/region. One thing I noticed is that the regional blocking tends to not work, so I had to set up multiple rules blocking countries (I think it’s only 15 max per rule).

There’s really no such thing as “safe.” It really comes down to what you consider to be a justifiable risk.

What kinds of risks people find to be justifiable is a very subjective thing. On one end of the spectrum, I have a friend who goes base jumping. On the other, there’s my grandmother, who refused to get on an airplane a single time in her 92 years.

For me personally, the data on my NAS and in my home network is sensitive. The cost and difficulty involved with setting up an L2TP VPN on my Ubiquiti USG router wasn’t too severe. I went with the VPN solution and I’m glad I did.

You don’t need to port forward for these apps to work. All Synology apps can use QuickConnect, which will relay the connection if ports can’t be opened on both sides.

I’ve tried both, direct and VPN and my go to today is VPN. Though technically possible through your NAS, opening ports on your router and Synology, I found it difficult to keep track of all the various ports, protocols and apps and who was opening what. Much of which is done automatically by the NAS to your router.

So for me I just felt very uncomfortable not knowing at a deep enough level all the apps, ports and other details to let that all get managed by the NAS.

I found it a better use of my time to turn all that off and just install a VPN connection and be done with it.

I like the idea of cloudsync, thanks.

As VPN I use a Cisco ASA with 2FA so I suppose it’s not that bad.

Thanks,

For #2, I used Sophos for a long time (Astaro at the time). Now I’m using EdgeRouter from Ubiquiti. The reason was that I was using UTM in a virtual machine and I wanted to move to a physical device without any fan (low noise).

Then I switched to pfsense, but I upgraded to a 1 Gbps connection and having an appliance with that speed was pricey.

I missed the advanced features of pfsense and sophos UTM…

edit:

Oh, this new box does 1 Gbps for a decent price! I may return to pfsense.

YES on using the firewall to block by country! But I take the opposite approach:

  • ALLOW connections from the US (and anyplace else you may travel)
  • ALLOW SSH only from a few specific IP addresses (my office to my home, internal home)
  • BLOCK everything else.

And don’t forget to create a different account with administrative privileges and then DISABLE the “admin” account.

And to add to this…

  1. Enforce SSL for everything
  2. Only enable the strongest SSL ciphers.
  3. Enable 2FA for everything.
  4. Keep on top of your DSM security updates.

As long as this is all done you should be fine.

Did you set up an SSL with Let’s Encrypt? Any chance you could do an idiots guide to setting one up for a NAS drive?

To have this you need to enable the “relay” if I’m not mistaken. Does this mean that all your data has to go through their servers, or is it just for the connection?

Oh thanks! Look at that neat little box! I like it.

I’d go a step further and avoid exposing this device’s SSH port to the public internet. It should only be accessible via the internal network imho.

I didn’t know you could disable admin. It’s always looked like a big flaw that you can’t just change the name.

How do you “block” everything else? You can only select 15 countries per firewall rule. Do you just make a ton of rules to cover every country?

Your data is encrypted on your device and decrypted on the client. Synology cannot see it.

Read this: https://global.download.synology.com/download/Document/WhitePaper/Synology_QuickConnect_White_Paper.pdf

Note, it will incur some latency but for file transfer apps that does not matter.

Another approach would be to use a VPN, forwarding the port for the VPN server only.

And the third approach — open ports, but configure firewall to only allow connections from networks and countries your clients are expected to be connecting from. In your example, if you are not in China, your firewall should block connections from there even before they reach your open port.

I would implement the combination of two — VPN with geo-restrictions on who can connect to it.
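The allow-list firewall described earlier in the thread (allow your own countries, allow SSH only from a few addresses, block everything else) and the geo-restriction suggested just above are both ordered, first-match policies. This is an added example, not code from the thread or from Synology's firewall: it evaluates such a policy so the effect of rule order can be checked before it is typed into a router or DSM. The IP-to-country table, the office address and the port numbers are constructed assumptions for the example; a real setup relies on the device's geo-IP database.

```python
from ipaddress import ip_address, ip_network

# Constructed geo table using documentation prefixes, not real allocations.
GEO = {
    ip_network("198.51.100.0/24"): "US",
    ip_network("203.0.113.0/24"): "CN",
    ip_network("192.0.2.0/24"): "DE",
}
HOME_LAN = ip_network("192.168.1.0/24")
SSH_SOURCES = [ip_network("198.51.100.7/32"), HOME_LAN]  # assumed office IP + LAN
ALLOWED_COUNTRIES = {"US"}       # where the owner lives or travels
DSM_PORTS = (5000, 5001)         # DSM HTTP/HTTPS, as in the original question

def country_of(ip):
    """Look up the country for an address; None means unknown (not allowed)."""
    for net, cc in GEO.items():
        if ip in net:
            return cc
    return None

# Rules are evaluated top to bottom and the first match wins, so the
# specific SSH allow must precede the broad SSH deny, and the final
# catch-all deny covers every port and source not named above.
RULES = [
    ("ssh from office/LAN only",
     lambda ip, port: port == 22 and any(ip in n for n in SSH_SOURCES), "allow"),
    ("ssh from anywhere else", lambda ip, port: port == 22, "deny"),
    ("DSM from allowed countries or LAN",
     lambda ip, port: port in DSM_PORTS
     and (ip in HOME_LAN or country_of(ip) in ALLOWED_COUNTRIES), "allow"),
    ("default deny", lambda ip, port: True, "deny"),
]

def decide(src, port):
    """Return (action, matching rule description) for a connection attempt."""
    ip = ip_address(src)
    for desc, match, action in RULES:
        if match(ip, port):
            return action, desc
    raise AssertionError("policy has no catch-all rule")

if __name__ == "__main__":
    for src, port in [("198.51.100.20", 5001), ("203.0.113.5", 5001),
                      ("198.51.100.20", 22), ("198.51.100.7", 22)]:
        print(src, port, "->", decide(src, port))
```

A source in an allowed country, including a VPN exit there as the original poster worried about, still reaches the DSM port, which is why the lockout policy and 2FA from the other replies remain necessary behind this rule set.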

Create a new user and place in the admin group and then disable the admin user.