Securing Synology NAS

Securing Synology NAS

SSL Certificates In Another Post

I will be writing several posts about Synology. I recently setup Let's Encrypt SSL certificates and will write all of that in a separate post. This article is just about the basic security steps for your new NAS.

Read the Official Documents

Synology provides a nice tutorial that covers the basic setup. Most of this document is based on that tutorial. I am just rewriting it to ensure I have a copy myself and as a quick checklist for my next NAS. Also URLs are subject to change from time to time.

I also found a nice article by Mike Tabor. He has three firewall rules I copied. Especially since I recently setup WebDAV and now my NAS is exposed to the internet.

Another good document lists all of the ports used by Synology.

Brief Synopsis

I will perform the following steps. At the time of this writing I am running DSM 6.1.6-15266 on a DS413. It is assumed you have already setup the LAN connection and setup your disks.

  1. Create a new system administrator
  2. Disable the default admin account & guest
  3. Setup password strength rules
  4. Restrict suspicious IP addresses with auto block
  5. Setup firewall rules
  6. Setup 2 Factor Authentication
  7. Force HTTPS connections
  8. Enable SSH access
  9. Disable IPv6 (Optional)
  10. Setup NTP
  11. Secure File Services
  12. Setup notifications
  13. Other Steps
  14. Encryption
  15. VPN
  16. Security Advisor
  17. Update folder permissions
  18. Enable Automatic Updates

I am not covering the following topics. They will be covered in future posts.

  1. Map your Synology NAS with your own domain and dynamic IP address
  2. Enable Let's Encrypt SSL certificates
  3. Setup WebDAV
  4. Setup CalDAV (Calendar)
  5. Setup OpenVPN

Most if not all of the following steps will be performed within the Synology Control Panel. Below is a picture of the advanced panel.

Synology Control Panel
Synology Control Panel

1. Create a New System Administrator

Open the User panel and click on 'Create'. Fill in the information as desired. Select a nice long secure password that will meet your password rules. Click next.

Create User Panel
Create User Panel

Add the user to the 'administrators' group. Add the user to all of the other groups except the guest group. Your list may vary. Click next.

New User Join Groups Panel
New User Join Groups Panel

Assign shared folders permissions. (not shown) For the new admin user I select RW for all shared folders. However, that is not necessary. I was lazy for a long time and only had the default admin user. I will be setting up a normal user for day to day access. But I want to ensure my new admin has access to every existing folder. Click next.

Click next on the user quota settings panel. I never enabled this feature.

Assign application permissions. (not shown) For now I am allowing my new admin access to every application. Click next.

I am not setting up any user speed limits. Click next on the user speed limit setting panel.

Confirm your settings and click apply.

LOG IN WITH YOUR NEW ID!!

2. Disable Admin User and Guest User

Go back to the user panel. Click on the admin user. Click 'Edit'. Click 'Disable this account' and click 'OK'. Repeat these steps for the guest ID.

NOTE: You need to create additional users and possibly groups for day to day usage of the NAS. You should limit using the new admin user. This document does not cover all the steps needed to create new users and groups.

3. Setup the Password Strength Rules

Go to:  Control Panel > User > Advanced Tab

I am not sharing my NAS with other users. Otherwise I would be even more strict. But I will enforce strong passwords and click all of the options and select a nice long minimum length. I am not setting up password expiration or password history. My new admin ID and any ID available from the web will have 2FA (Two Factor Authentication aka 2 Step Verification) enabled. Click 'Apply'.

I recommend setting up a test ID and verifying you can log into the NAS with that ID. Better safe than sorry.

4. Restrict Suspicious IP Addresses

Go to:  Control Panel > Security > Account Tab

Click 'Enable auto block'. If desired change the login attempts and the number of minutes. I don't enable block expiration. See the picture below.

Scroll down and click 'Enable Account Protection' (not shown). I keep the default values. Click 'Apply'.

Security - Account Tab
Security - Account Tab

Enable Additional Security Options

While you are in the security panel go to the other tabs and enable some additional options.

Security Tab

Check the following and then click 'Apply'.

  • Logout time (minutes): 15 (default value - change if desired)
  • Improve protection against cross-site request forgery attacks
  • Improve security with HTTP Content Security Policy (CSP) header
  • Do not allow DSM to be embedded with iFrame
  • Clear all saved user login sessions upon system restart
  • Show notification on DSM desktop when the current IP changes
Security - Security Tab
Security - Security Tab

Protection Tab

Click 'Enable DoS protection' and click 'Apply'.

Advanced Tab

Optionally click 'Enable HTTP Compression'. Under the TLS/SSL Cipher Suites click 'Modern compatibility'. Click 'Apply'.

5. Setup FW Rules

Go to: Control Panel > Security > Firewall Tab

Click 'Enable firewall'. Click 'Enable firewall notifications'. For the firewall profile select 'custom' from the drop down box. Then click 'Edit Rules'. Create three rules. I based this upon Mike Tabor's site mentioned above. As he says the first rule is a bit redundant. When you click 'Create' you will see the window below.

Create Firewall Rule Panel
Create Firewall Rule Panel

Here are the three rules. Make sure they are listed in this order as firewalls read the rules from top to bottom. The most restrictive rules should be on top.

  1. Block all ports and all protocols from from Russia and up to 15 countries. Do this by using the location option in the source IP section. You can create additional groups of countries to block. Obviously don't block your own country.
  2. Allow Virtual Host 80/TCP, Virtual Host 443/TCP, and WebDAV 5006/TCP from the USA. For the port list use 'Select from a list of built-in applications' and then select the appropriate applications from the list. Adjust this list for other services you may wish to access via the internet. This list is for Let's Encrypt and WebDAV.
  3. Allow all ports and protocols from your local LAN. (RFC 1918 addresses)

Click OK. And then click 'Apply'.

NOTE: I previously enabled Synology QuickConnect. It enables a few additional ports in the FW. I need to update the rules for QuickConnect or disable QuickConnect. I disable UPnP on my router which disables some of the usefulness of QuickConnect. I would like to use a couple of the DS apps on my phone. Use this document for more information on how to use QuickConnect and the flows.

A Few Notes about Let's Encrypt

Let's Encrypt offers two validation methods. You can use DNS validation or HTTP validation. I have read that the TLS validation method is being deprecated. The Synology NAS device uses HTTP validation. All that is required is 80/TCP access from the web to the NAS. However, Let's Encrypt will follow redirects to 443/TCP. That is why 443/TCP is being added to the firewall rules. In a later post I setup a virtual host and use HSTS to force HTTPS connections.

6. Setup 2FA

For the current user click on 'Options' (upper right of the browser window) then click 'Personal'. See the screen shot below.

User Options Personal Panel
User Options Personal Panel

Click on 'Enable 2-step verification' and the wizard will start. Click 'Next' on the opening screen. See the screen shot below.

2FA Wizard
2FA Wizard

Scan the QR code with the authentication app of your choice. I drew a red line through the QR code to prevent scanning. Save the QR code or the secret key so you can add it to a new authentication app in the future if needed.

Scan QR Panel
Scan QR Panel

Enter the 6 digit code to verify it is working. And then click 'Next'.

Enter 6 Digit Code
Enter 6 Digit Code

Enter a valid email address for an emergency verification code. Note, if you haven't yet setup notifications it will ask you if you want to do that now. You can skip this for now. Just make sure you go back and do this later on.

Click 'Close'. Click 'OK'.

LOG OUT AND LOG IN WITH YOUR NEW 2FA!!

Optionally go back to the User panel and open the advanced tab. Scroll down and click 'Enforce 2-step verification for the following users'. And then select administrator groups only or all users.

7. Force HTTPS Connections

We will be using the default self-signed SSL certificate for now. But once the Let's Encrypt certificate is in place we want to ensure we always use a secure encrypted connection.

Go to:  Control Panel > Network > DSM Settings Tab

Check the following:

  1. Optionally change the port numbers from the default ports. (5000/TCP & 5001/TCP)
  2. Check "Automatically redirect HTTP connections to HTTPS (Web Station and Photo Station excluded)
  3. Check "Enable HTTP/2"
  4. Check "Enable the "Server" header in HTTP responses
  5. Custom "Server" header = nginx (You may have different options based on which packages you have installed.)
Force HTTPS Connections
Force HTTPS Connections

8. Enable SSH Access

Go to:  Control Panel > Terminal & SNMP > Terminal Tab

Perform the following steps:

  1. Clear out "Enable Telnet service" to disable this service
  2. Check "Enable SSH service"
  3. Port: 22 - I leave the default port. At this time I am not opening SSH to the internet. The Synology security adviser recommends changing the default port. I would change the port if I opened it to the internet. One article I read mentioned that changing the port dropped the number of casual port scans by 98%. Better yet would be to have a pfSense firewall and update iptables for rate limiting. The Synology NAS can also do this as well. But more layers of security is always better.
  4. Click 'Advanced Settings'
    1. Click "High" to ensure the most recent encryption algorithms are used. Or you can click customize and select the exact algorithms you desire or require.
  5. Click 'Apply' and click 'Apply' again on the next screen.

It is also a good idea to setup public key authentication. And double check the sshd_config file and edit as appropriate.

You can also enable SFTP. To do this see '11. Secure File Services' below.

sudoers

This document does not cover setting up /etc/sudoers. But it is good practice to avoid using root. Use a normal user and run sudo when you need root access. However, Synology does not have 'visudo'. As of now I haven't played with the Synology sudoers file. You could just edit it with VI directly. Keep in mind that Synology is designed to be run with very little normal human intervention. And editing key files may cause issues with various packages.

Enable root SSH Access

By default you can SSH with the admin ID. And with the newly created admin ID. Note, you do not use 2FA when SSH'ing into the box. And you can sudo to root. But at times you may wish to SSH as root. Not the most secure access method. But until recently I was rather insecure on my NAS. If it doesn't work follow this article to enable root SSH access.

9. Disable IPv6

Most people are not using IPv6 as of yet. This is especially true on your internal LAN.

Go to: Control Panel > Network > Network Interface Tab

Edit the LAN connection. Switch to the IPv6 tab and choose 'Off' from the IPv6 setup drop down box. Click 'OK'.

10. Setup NTP

It is always good to have the correct time.

Go to: Control Panel > Regional Options > Time tab

Select the desired time zone from the time zone drop down box. Under time setting click 'Synchronize with NTP server'. For server address choose your desired NTP server. I use 'pool.ntp.org'. Click 'Update Now' to verify it is working. Click 'Apply'.

11. Secure File Services

Go to: Control Panel > File Services

Only open services you require. Unless required you should disable FTP and TFTP.

SMB/AFP/NFS Tab

If you enable SMB make sure you click on the Advanced Settings and disable SMBv1. That is no longer secure.

Ports = 139/TCP & 139/UDP (netbios-ssn), 445/TCP & 445/UDP (microsoft-ds), 137/UDP & 138/UDP (nmbd)

Optionally enable NSF. One of these days I need to learn how to setup kerberos and NFSv4.

Ports = 111/TCP & 111/UDP (rpcbind), 892/TCP & 892/UDP, 2049/TCP & 2049/UDP (NFS)

I no longer use my MAC. I have a couple of older MacBook Pros. But I actually prefer Windows. (sue me) Plus MAC hardware isn't as good anymore anyway.

FTP Tab

FTP should be disabled. But you can scroll down and enable SFTP. Change the port number if so desired.

TFTP Tab

Disable this unless required. (69/UDP)

rsync Tab

I like rsync. (873/TCP) If you enable this make sure you click on 'Edit rsync Account' and change the default 'admin' ID to your new administrator ID.

Advanced Tab

I disable Bonjour (5353/UDP - zeroconf) and SSDP (1900/UDP).  Disabling Bonjour may interfere with some of the DS packages. I need to verify this and see if I lose some of the packages I use.

Click Apply after making any changes on each tab.

12. Setup Notifications

Go to: Control Panel > Notification

You have three options for notifications. You can choose one or all three. The three options are SMS, email, or push notifications.

Setting up email is pretty self explanatory. You can select one of the major email providers and sign into your account. Or you can choose custom SMTP and configure everything based on your requirements.

I haven't tried SMS yet. It appears you need to provide a custom URL with your password. I am not going to do that.

The push notifications require you to install the DS Finder app. It works. But I still am not planning on opening DSM (5001/TCP) to the web. And I don't really need push notifications.

One important note that once you setup notifications make sure you go to the advanced tab. Edit which notifications you receive and how you receive them. By default almost everything is sent via email.

13. Other Steps

I have the cloud storage packages installed. I need to examine the various DS apps and decide if I want to uninstall some of them. As mentioned above I also need to see if I want to disable QuickConnect. The fewer things installed the more secure you are.

14. Encryption

I have an older Synology NAS device. I can only encrypt certain folders. It is recommended to encrypt your most sensitive data.

15. VPN

I setup a VPN on my dd-wrt router. But I need to revisit that setup. I used this document to setup OpenVPN on my Synology NAS.

16. Security Advisor

Go to the main menu. Click on Security Advisor. Today I have it setup for home and personal use. Make sure you run the scan and fix any issues. Except I don't change my SSH port. It isn't open to the internet. So instead of using the home and personal scan I setup a custom scan based upon the home profile.

Go to the advanced tab. Select 'custom' as the security baseline. Click customize checklist. Update it based on the list below. Make any changes you desire.

  • Malware - Potentially malicious programs have been found on your system.
  • Malware - Malicious system configuration settings were found on your system.
  • Network - Automatic redirection from HTTP to HTTPS is disabled
  • Network - Default firewall policy is set to allow on interfaces with public IP
  • Network - LAN services are accessible from the internet.
  • Network - Telnet service is enabled
  • System - LDAP client service is not using encryption
  • System - FTP service w/o encryption is enabled
  • System - TFTP service is enabled
  • System - The option 'Enhance browser compatibility by skipping IP checking' is enabled
  • System - 'Improve protection against cross-site request forgery attacks' is disabled
  • System - 'Do not allow DSM to be embedded with iFrame' is disabled
  • System - Auto Block is disabled
  • System - Malicious startup scripts were found on your system
  • System - Optware has been found on your DSM
  • Update - DSM regular update checking is not enabled
  • Update - You are not using the latest version of DSM
  • Update - Email notification for new DSM updates is disabled
  • Update - Some of your packages are not up-to-date
  • Account - Password strength rules do not meet requirements for work and business
  • Account - Anonymous FTP is enabled
  • Account - The guest account is enabled
  • Account - Some users have weak passwords
  • Account - User home directory permission has been incorrectly modified
  • Account - Password strength rules do not meet requirements

Save your settings. Go back to the overview tab and scan your system. Verify everything is good.

Now schedule a weekly scan. Or scan it more frequently if you desire. Go back to the advanced tab and enable the scan schedule. Pick a day and time that works for you. And then click apply.

17. Update Folder Permissions

If you have previously created shared folders you need to go back and review the permissions of each folder.

It is assumed that you will be creating one or more users for general access. And a lot of the shared folders will only need RO (read-only) access for general usage. For example, if you have a video folder there is no need to allow write access to it to stream your movies around your house.

18. Enable Automatic Updates

Go to:  Control Panel > Update & Restore

Go to the DSM Update tab. Click on 'Update settings'. Now you can have DSM install the updates or just download the available updates. With notifications enabled you will be emailed when you need to perform updates.

I select the following options.

  • Newest DSM and all updates
  • Check for DSM updates automatically
    • Download DSM updates but let me choose whether to install them
  • Schedule it as desired
  • Click OK

You can also force automatic updates for your packages. That is done in the package center. Click on settings and then on auto update. Choose if you want to automatically update some or all of your packages.

Back Up Your Configuration

Now that everything is setup backup your configuration. From the 'Update and Restore' tab in the control panel click on the Configuration Backup tab. Then click on back up configuration and save the file. Save it someplace besides your NAS.