Today we were informed by Synology that large scale brute force attacks are targeting Synology NAS devices accessible from the internet, and whilst this is fairly easy to thwart the default configuration (Depending on the version of DSM when you first installed your NAS) does not. These changes will protect your NAS from the majority of internet threats but not all, and we'll deal with those later. Firstly let's look at the steps we need to take initially.
When you first install your Synology NAS the administrative user is called admin. This is bad because you don't even need to guess it, its always admin, but we're not stuck with it and we can resolve this by creating a new administrative user and then disabling the admin user. To do this, login to you NAS as admin and then go to control panel, and User.
Be sure to select a GOOD password. That is a password of at least 12 characters and containing at least one upper case, one lower case, one number and one symbol. An example would be S!n0LoG6nAs% but please don't use that one, pick your own.
Next you need to select the group and in this case you MUST pick administrators or there will be real problems later on. As long as you've selected Administrators as the group then you can safely NEXT through the following screens since the administrative group has access to all things.
Now that's done, logout of your NAS and then login using your newly created user.
Assuming that works, go back into the control panel, select User, select Admin and then EDIT. Now place a tick in the "Disable this account" box, and make sure "Immediately" is selected below it. This will disable the admin account so that it can no longer be used to login. Press OK. From this point onwards you will not be able to login to your NAS using 'admin', but you should continue to use the new account you're currently logged in as. *IF* there is more than one administrator then create a second login, make it a member of Administrators instead of sharing logins, which is bad practice on many levels.
*IF* You have other users logging onto your NAS, you may want to take a look at the Advanced Tab from User and set some password strength rules along the lines of the above. Whilst a non-administrative user has greatly reduced access, a compromised account can still do long term damage to your business so ensuring passwords expire periodically, and making sure they are strong is best practise.
2-Step Verification is a good idea, but unfortunately Synology do not support the common two factor authentication tools like Ubikey, etc. So for now, unless you want to have a mobile phone with you all the time, leave this turned off.
Your Synology NAS has some powerful features to protect accounts from compromise, but you need to turn them on in some cases. You will find these in the Control Panel, Security and Account Tab.
Enable Auto Block - This is probably the most important feature here and will block or ban IP Addresses that fail password authentication a set number of times. The best practise setting here is Login Attempts = 4, within 60 Minutes, and disable "Enable block expiration".
This does mean that from time to time a real user will lock themselves out, but you can remove that block from the Allow/Block list button just beneath the settings.
One really powerful feature of your Synology box is the ability to differentiate between clients and set different limits for each. In our example left we're giving trusted clients 10 login attempts within 5 minutes, but untrusted only get 8 attempts in 999 minutes. Unfortunately Synology won't allow you to set 1440, i.e. 24 hours since 999 is the maximum minutes you can select. Feel free to change these as needed, and if your genuine users screw up then you can manage their restrictions using the "Manage Protected Accounts" and "Managed Trusted Clients" buttons by each section.
The Synology NAS Firewall can be unnecessarily complex to setup, but its also very powerful when used correctly. You should open the firewall configuration from the Firewall Tab in Control Panel / Security, and select the currently active Firewall Profile. In the next dialogue you can configure a number of rules (and in the case of larger NAS units, the interface upon which they apply). The Synology Help does a good job of explaining the firewall rules but we'll give a brief overview here.
Firstly, you need to understand how the firewall works and what it actually does. The firewall inspects each incoming request to the NAS, and looks at the SOURCE ADDRESS, DESTINATION ADDRESS, PORT and PROTOCOL for each. The firewall then compares that against its allow rules to determine if the request should be honoured or rejected. An example would be to allow access to DSM on port 5001 via TCP for your LAN only. In this case, assuming your Lan is 192.168.1.0/24 then we would setup an allow rule for
Ports 5001, Protocol TCP, Source 192.168.1.0/24
By default if no rules are matched for the source, destination, port and protocol the packet is rejected, so please do not change this unless you know exactly what you're doing.
Synology makes it easier to add rules by allowing you to select applications instead of ports, but behind the scenes it just converts applications to ports and protocols for you. The source address can be a single IP, a subnet, subnet's or location. Now be careful of location because whilst its pretty good its not foolproof and we have had experience of users allowing GB (Great Britain) but clients being rejected even though they are in the UK. Remember you can add multiple rules here but every rule you add is another risk so limit the applications (ports/Protocol's) exposed to the internet unless absolutely necessary.
Synology have empowered your NAS with a tool which can analyse your security configuration and make suggestions on how to improve it. Not all suggestions must be acted upon but having the analysis is really handy. Open up the Security Advisor and then select RUN.
After a few minutes you should see an overview of recommendations. Hitting Results on the left gives you detailed suggestions and some guidance.
Don't panic, there may be lots of red triangles but these are just warnings. For example, we have unencrypted FTP enabled, because some dumb devices still need that, and that gives us a red triangle but we know its ok and we can ignore it. Do the same for each, understand the warning or suggestion and take action.
Unfortunately, flaw's and exploits are being discovered daily and whilst Synology is very good at releasing fixes and patches for discovered vulnerabilities, you should never rely on them to be infallible. Instead ensure you have a good, tested and working backup strategy for your NAS so that in the event that your NAS is compromised, data is lost or damaged, you can swiftly recover with minimal loss.
At this point its worth mentioning that GEN not only provide Synology Technical Support but we also host Synology RackStations in our datacentres and unless you want to DIY it, we'll take care of all these things for you including disaster recovery.