I've recently spent some time figuring out how to best secure my Synology DiskStation and educating myself a bit better on TLS/SSL. I compiled all the steps I took and thought I would share them here. Please give feedback or point out any holes or flaws in my strategy. Note that I am using a Mac as my primary computer and an Apple AirPort as my router.
1. Disable the default admin account
2. Disable the guest account
3. Create a new user with admin privileges (I only use this when needed and use regular user accounts for 95% of activity on the NAS).
4. Generate and save complex passwords for all users and admins via a password app (e.g. 1Password)
5. Set up 2-factor authentication for the admin account (or all if you prefer): https://www.synology.com/en-us/knowledgebase/tutorials/615#t5 (Before going down this path you may want to read about the challenges some users have had with 2FA: http://forum.synology.com/enu/viewtopic.php?f=19&t=67693)
6. Encrypt all shared folders on the NAS. Make sure to save the encryption keys as well.
7. Disable QuickConnect
8. Under Control Panel->Network->DSM Settings: Enable/force all connections to HTTPS and change the default port numbers for HTTP and HTTPS (for the purposes of this post we'll call the new HTTPS port 50XX)
9. Under Control Panel->External Access->Advanced: Update the default number for the HTTPS port with the new port number (50XX). Since I am not using HTTP I did not update it, but this could be done as well if HTTP is needed.
10. Under Control Panel->Application Portal: Edit Video Station and enable the custom HTTP port 9007 (or whatever you want) for Video Station access. This solves an issue where the DS Video mobile app will often give errors if you try to play video via HTTPS, even when on the local network.
11. Under External Access->Router Configuration: Enable port forwarding for only the ports needed: 50XX, VPN (1701, 4500, 500), 443, 9007 & 22 (if needed for SSH) etc., as per your needs. Note that you will need to create and enable a custom port (50XX or whatever) for your HTTPS connection to work.
12. Because I am using an AirPort Extreme router with Apple's 'Back to My Mac' feature, in order to open up ports 4500 and 500 and successfully use L2TP/IPSec VPN I had to manually disable 'Back to My Mac' and manually assign the ports 1701, 4500, 500 on my router via the Network tab in AirPort Utility.
13. Under Control Panel->Security->Firewall: Block all other ports not in use
14. Under Control Panel->Security->Protection: Enable DoS protection
15. Under Control Panel->Security->Auto Block: Enable auto block for 10 attempts in 10 mins.
16. Under Security->Certificate: Create and upload the appropriate keys, certificates and third-party certificates for SSL/TLS to work. I created the certificates using StartSSL against the domain I own (mydomain.com) under the subdomain synology.mydomain.com.
17. Instead of using Synology's DDNS service I decided to install 'DDNS Updater' (available from cphub.net) to update the DDNS settings of my subdomain (synology.mydomain.com), which I own via namecheap.com. You should be able to update the DDNS settings for your domain through most hosting/domain registration services, like GoDaddy. This allows me to use the address https://synology.mydomain.com to access my NAS, and the certificate I have created matches the domain so there is no error in the browser.

This site has a great walkthrough of steps 16-17: http://erictummers.wordpress.com/2013/04/26/resolve-certificate-error-for-synology-diskstation-part1/

18. Set up the VPN server and all mobile apps using the new synology.mydomain.com (with DS Video using synology.mydomain.com:9007)
Enjoy
Edits: Additions feedback/suggestions in comments and a bit of formatting.
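An added example, not code from the post or from Synology: this Python script replays the Auto Block policy from step 15 (block a source after 10 failed logins within 10 minutes) over constructed login-log lines, so you can see which sources the setting would cut off and which slow, spread-out attempts slip under it. The log layout, the host name "nas" and the "login:" process tag are assumptions, not real DSM log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log layout (assumption, not real DSM output):
# "<ISO timestamp> <host> login: User [<name>] from [<ip>] failed to log in via [<service>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ login: User \[(?P<user>[^\]]*)\] from \[(?P<ip>[^\]]+)\] "
    r"(?P<result>failed to log in|logged in) via \[(?P<service>[^\]]+)\]"
)

def make_failures(ip, start, count, step_seconds):
    """Build constructed sample lines: `count` failures from `ip`, one every `step_seconds`."""
    return [
        f"{(start + timedelta(seconds=i * step_seconds)).isoformat()} nas login: "
        f"User [admin] from [{ip}] failed to log in via [DSM]"
        for i in range(count)
    ]

T0 = datetime(2019, 3, 1, 10, 0, 0)
SAMPLE_LOG = sorted(
    make_failures("203.0.113.7", T0, 12, 20)       # 12 failures in 4 minutes: should be blocked
    + make_failures("198.51.100.2", T0, 10, 180),  # 10 failures over 27 minutes: never 10 in one window
    key=lambda line: line.split()[0],              # ISO timestamps sort lexicographically
)

def parse_line(line):
    """Return a dict for a login event line, or None for lines the pattern does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"], "ip": m["ip"],
            "service": m["service"], "failed": m["result"] == "failed to log in"}

def auto_block(lines, max_attempts=10, window_minutes=10):
    """Sliding window: block an IP at its `max_attempts`-th failure within `window_minutes`; returns {ip: block time}."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    blocked = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or not ev["failed"] or ev["ip"] in blocked:
            continue              # already blocked: a firewall rule would drop later attempts
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= max_attempts:
            blocked[ev["ip"]] = ev["ts"]
    return blocked
```

Run `auto_block(SAMPLE_LOG)` to see that only 203.0.113.7 is blocked; lowering `max_attempts` shows how a tighter threshold also catches the slow source at the cost of more false positives.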
While Synology DSM is a wonderful product that was designed to be easy to use, it seems that there are a few areas where it lacks documentation (even from online sources).
In fact most of the problems I am encountering would apply to any NAS device you may want to configure for home. The only specific issue is the inability to configure ports 80/443 for the admin interface (because they are used by the local webserver).
Here are a few requirements or facts:
- A certified SSL certificate is a must (no self-signed certificate would do)
- SSL certificate must be mobile friendly, otherwise no mobile apps, nor ChromeCast support
- You need to redirect HTTP to HTTPS
- You need to make it work on 80 and 443, no other custom ports (how!?)
- Be able to access the NAS from both intranet and internet using the same FQDN, even if the NAS is behind a problematic NAT-ed router (like the BT ADSL ones)
Regarding issuers, I found the Comodo Essential SSL Certificate at $10/yr with no SAN support, so it will not work with both mynas.synology.me and mynas.example.com at the same time.