Synology NAS: How To Best Adjust Security Settings
How to set up your Synology NAS and protect the information stored on it, and how to enable remote management of the device without taking risks. A NAS is, by its very nature, a device that stores personal information and sensitive data: when installing one or more NAS on your network, it is essential to weigh carefully every setting that relates to security.
Synology NAS are complete and highly versatile products which, due to their features, also offer adjustments to prevent unauthorized access and protect the integrity and confidentiality of stored data. Here are some practical tips for securing your Synology NAS.
How To Secure Synology NAS
Always Keep The Firmware Of Your Synology NAS Up-To-Date
Synology is among the most responsive vendors in fixing bugs and any vulnerabilities identified in its products. The DiskStation Manager (DSM) operating system notifies you when a new update is available, which you can apply by clicking the Update and Recovery icon in the Control Panel.
Deactivate The Administrative Account And Create A New One
Every Synology NAS comes with a pre-set administrator account: while you can change the associated password, you cannot alter its name, which always remains admin. The advice is to create a new administrator account on the Synology NAS and then deactivate the default admin user. By doing so, an attacker who wants to reach the contents of the NAS can no longer concentrate on guessing the password alone: they would first have to discover the name of the administrative account.
To create a new administrator account, access the Synology NAS configuration panel, click the User icon, then click Create, Create User. After entering a user name and password (choose one that is sufficiently long and complex), you must assign all rights to the new account, including administrator rights. The next step is to assign read/write rights to all shared folders on your Synology NAS. Being an account with administrative privileges, it can subsequently be used to modify the permissions with total autonomy and freedom.
The usage quota (i.e. the amount of space the administrator account can occupy on the NAS) is automatically considered unlimited. In the next step, shown in the following screenshot, we suggest that you give the account all the rights on each installed application. Finally, you can leave the data transfer speed settings unchanged (User speed limit setting) and click Apply to add the new administrator account.
You can log out of the Synology NAS administration interface by clicking the Options icon at the top right and then choosing the Log Out item. Check that everything works correctly by logging in with the credentials of the newly added administrative account. Only then should you deactivate the default admin account.
To proceed, return to your Synology NAS Control Panel, click User, select the default admin account, and click the Edit button. On the About tab, tick the Disable this account box and leave the Immediately option checked. In the Status column, once you click OK, Disabled will appear to the right of the admin account.
Turn On Two-Factor Authentication
Two-factor authentication is one of the most effective mechanisms for properly securing your accounts. It relies not only on the standard credentials (username and password) but also on a verification code that the user receives, for example, on their mobile device.
Google and Synology call two-factor authentication 2-Step Verification, but the concept is essentially the same (see Google 2-Step Verification: Only 10% of users use it). If it is essential to protect online and cloud accounts that contain personal data and sensitive information, it is equally essential to activate two-factor authentication for the accounts configured on the Synology NAS and, above all, for the administrative ones.
You will find the Enable two-step verification checkbox by clicking on the Options icon at the top right of the NAS configuration panel and then on the Custom item within the Account section. You must install an app capable of handling two-step verification on your mobile device: Synology recommends Google Authenticator (Android, iOS and BlackBerry) or Authenticator (Windows Phone, Windows Mobile), but you can use alternative apps such as Authy 2-Factor Authentication or Duo Mobile.
By scanning the QR code shown in the Synology NAS administration interface with the app installed on your device, you will get a confirmation code that you must enter when prompted. Remember that the confirmation code is valid only for a limited time, so enter it promptly after the Synology NAS interface asks for it. Synology also recommends activating the email notification service, which sends you an email whenever the account status changes or other important events affect your NAS.
DSM supports the main e-mail providers and can authenticate via the OAuth protocol (so the user does not even have to type the password). However, you can use any SMTP server. For example, we preferred to use Google's SMTP server with traditional username and password authentication (see Unable to access Gmail: Web login required).
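To show what happens behind the QR code and why the confirmation code expires, here is an added example (not code from the original article or from Synology) that implements the standard TOTP scheme (RFC 6238 over RFC 4226 HOTP) such authenticator apps use. The otpauth URI, account name and issuer label are constructed; the secret is the published RFC test key, so the codes can be checked against the RFC test vectors.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Constructed provisioning URI of the kind a 2-step-verification QR code carries
# (hypothetical account and issuer labels). The secret is the base32 encoding of
# the RFC 4226 / RFC 6238 test key "12345678901234567890", so the codes below
# can be checked against the published test vectors.
SAMPLE_URI = ("otpauth://totp/Synology:nasadmin"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Synology&digits=6&period=30")


def secret_from_uri(uri: str) -> bytes:
    """Extract and base32-decode the shared secret from an otpauth:// URI."""
    params = parse_qs(urlparse(uri).query)
    b32 = params["secret"][0].upper()
    b32 += "=" * (-len(b32) % 8)          # restore padding that some apps strip
    return base64.b32decode(b32)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time / period."""
    return hotp(secret, int(at_time) // period, digits)


def verify_code(submitted: str, secret: bytes, now: int, window: int = 1,
                digits: int = 6, period: int = 30) -> bool:
    """Accept the code for the current 30-second step and up to `window` steps
    either side. This is the only tolerance behind "valid for a limited time":
    outside the window a code is rejected even though it was once correct."""
    step = int(now) // period
    for offset in range(-window, window + 1):
        counter = step + offset
        if counter < 0:
            continue                      # no steps before the Unix epoch
        candidate = hotp(secret, counter, digits)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    key = secret_from_uri(SAMPLE_URI)
    print("code at t=59:", totp(key, 59))                      # 287082 (RFC 6238 vector)
    print("still accepted at t=89:", verify_code("287082", key, 89))
    print("rejected at t=150:", verify_code("287082", key, 150))
```

The constant-time comparison in `verify_code` and the small acceptance window are the two details a verifier should get right: a wide window turns the time limit into a much weaker control, and a plain `==` comparison leaks timing information.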
Block Suspicious Login Attempts
Synology NAS can block brute-force attacks aimed at guessing the passwords that protect accounts. To strengthen your protection, we suggest opening the Control Panel, typing Security in the search box and then clicking on the Account tab. Usually, the settings in the figure are more than enough to block any brute-force attack.
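To make the behaviour of such a threshold-based block concrete, here is an added example (not code from the original article or from DSM) that replays login events through a sliding-window auto-block policy: an address that fails N times within M minutes is blocked for a set time, and its further attempts are rejected outright. The log lines and their format are constructed for the example; the parameter names are my own and do not claim to match DSM's option names.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of login events in a simplified, made-up format
# (not the real DSM log format): one remote address hammering the
# default "admin" name, and one legitimate user with two isolated typos.
SAMPLE_LOG = """\
2024-03-01 10:00:01 login failed user=admin from=203.0.113.7
2024-03-01 10:00:05 login failed user=admin from=203.0.113.7
2024-03-01 10:00:09 login failed user=admin from=203.0.113.7
2024-03-01 10:00:12 login failed user=admin from=203.0.113.7
2024-03-01 10:00:15 login failed user=admin from=203.0.113.7
2024-03-01 10:00:20 login failed user=admin from=203.0.113.7
2024-03-01 10:03:00 login ok user=nasadmin from=192.168.1.20
2024-03-01 10:30:00 login failed user=nasadmin from=192.168.1.20
2024-03-01 11:30:00 login failed user=nasadmin from=192.168.1.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) login (?P<result>ok|failed) "
    r"user=(?P<user>\S+) from=(?P<ip>\S+)$"
)


def parse_events(lines):
    """Yield (timestamp, result, user, ip) for every well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]


def auto_block(lines, attempts=5, within_minutes=5, block_minutes=60):
    """Replay login events through a sliding-window auto-block policy.

    An address that fails `attempts` times within `within_minutes` is blocked
    for `block_minutes`; while blocked, every further attempt is rejected
    without being evaluated. Returns the list of (action, timestamp, ip)
    decisions, where action is "blocked" or "rejected".
    """
    window = timedelta(minutes=within_minutes)
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    blocked_until = {}              # ip -> datetime at which the block expires
    decisions = []
    for ts, result, _user, ip in parse_events(lines):
        if ip in blocked_until and ts >= blocked_until[ip]:
            del blocked_until[ip]           # block has expired
        if ip in blocked_until:
            decisions.append(("rejected", ts, ip))
            continue
        if result == "ok":
            continue                        # successes do not count toward the threshold
        recent = failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()                # forget failures older than the window
        if len(recent) >= attempts:
            blocked_until[ip] = ts + timedelta(minutes=block_minutes)
            decisions.append(("blocked", ts, ip))
            recent.clear()
    return decisions


def blocked_addresses(lines, **policy):
    """The set of addresses the policy blocked."""
    return {ip for action, _ts, ip in auto_block(lines, **policy) if action == "blocked"}


if __name__ == "__main__":
    for action, ts, ip in auto_block(SAMPLE_LOG.splitlines()):
        print(f"{ts} {action:8s} {ip}")
```

With the default policy the remote address is blocked on its fifth failure and its sixth attempt is rejected, while the legitimate user's two failures an hour apart never reach the threshold. Lowering `attempts` or widening `within_minutes` trades fewer guesses for more false positives, which is the balance the Account tab settings let you choose.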
Close The Ports On The Router And Activate The VPN Server
As we have repeatedly highlighted in the articles dedicated to Synology NAS, these devices are complete and versatile: they allow the secure storage of files and their periodic backup, as well as the installation of software with server functions.
You can thus use, even remotely, tools for sharing files and folders, collaborating with several people on the drafting of documents, accessing photo archives and video collections (How to collect and organize your photos with Synology Moments), managing all the cameras that make up your video surveillance system (Video surveillance: integration and management of video cameras that are completely different from each other) and much more.
Each application installed on the Synology NAS with server functionality uses one or more ports that must be open on your router to reach it remotely. As highlighted in the article Port scanning: a double-edged sword. Defend yourself, the advice is not to open any incoming port on the router and not to configure port forwarding to the local IP address of the Synology NAS. Instead, it is a good idea to set up the VPN server offered by the Synology NAS and connect remotely to web services and applications through the VPN only.
In this way, the device from which you connect will appear on the LAN like any other local device. The data sent and received will transit through an encrypted channel (tunnel), so that unauthorized users and cybercriminals cannot monitor or modify it. Instructions for setting up a VPN server on Synology NAS can be found in the article VPN server, how to create it using a NAS.
Set To Use HTTPS
Especially if you intend to enable remote access to your Synology NAS and, in particular, do not use a VPN, it is essential to enable the HTTPS protocol. Otherwise, an attacker could quickly recover your NAS login credentials and then monitor, steal or modify your files and settings.
To activate HTTPS (the protocol encrypts, and therefore effectively protects, the data exchanged between client and server and vice versa), go to the Synology NAS Control Panel, click on Network, then on DSM Settings, and activate the Automatically redirect HTTP connections to HTTPS check box.
When you restart web services on your Synology NAS, you will get an error similar to the following: While the error may seem threatening at first glance, its appearance is completely normal: your Synology NAS now uses an HTTPS connection, but it does not yet use a valid digital certificate issued by a recognized certificate authority. To proceed, click Advanced and then Proceed to…. To make the invalid-certificate error disappear, type Security in the Control Panel search box, select the Certificate tab, and click the CSR button.
By creating a certificate signing request, you will obtain a compressed file containing the .CSR file to be submitted to a certification authority to obtain the digital certificate for the domain name indicated. Synology NAS also integrates a feature to receive (and renew) a free certificate through the Let's Encrypt service: Get a wildcard digital certificate for HTTPS with Let's Encrypt.