Blog

This is the blog of the technical experts at GEN and its companies.

Protecting Your Synology NAS from Internet Threats


Today we were informed by Synology that large-scale brute force attacks are targeting Synology NAS devices accessible from the internet. Whilst these are fairly easy to thwart, the default configuration (depending on the version of DSM your NAS was first installed with) does not. These changes will protect your NAS from the majority of internet threats but not all, and we'll deal with those later. Firstly let's look at the steps we need to take initially. 

The admin user

When you first install your Synology NAS the administrative user is called admin. This is bad because an attacker doesn't even need to guess it, it's always admin, but we're not stuck with it: we can resolve this by creating a new administrative user and then disabling the admin user. To do this, log in to your NAS as admin, go to Control Panel, then User, and add a new user with the User Creation Wizard.

Be sure to select a GOOD password: at least 12 characters, containing at least one upper case letter, one lower case letter, one number and one symbol. An example would be S!n0LoG6nAs%, but please don't use that one, pick your own. 

Next you need to select the group, and in this case you MUST pick Administrators or there will be real problems later on. As long as you've selected Administrators as the group you can safely NEXT through the following screens, since the administrative group has access to everything. 

Now that's done, log out of your NAS and then log in using your newly created user. 

Assuming that works, go back into the Control Panel, select User, select admin and then Edit. Now place a tick in the "Disable this account" box and make sure "Immediately" is selected below it. This will disable the admin account so that it can no longer be used to log in. Press OK. From this point onwards you will not be able to log in to your NAS using 'admin'; continue to use the new account you're currently logged in as. *IF* there is more than one administrator then create a second login and make it a member of Administrators, rather than sharing logins, which is bad practice on many levels. 

*IF* you have other users logging on to your NAS, you may want to take a look at the Advanced tab under User and set some password strength rules along the lines of the above. Whilst a non-administrative user has greatly reduced access, a compromised account can still do long-term damage to your business, so ensuring passwords are strong and expire periodically is best practice. 
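The password rule given above (12 characters minimum, with upper case, lower case, a number and a symbol) is easy to get wrong by hand, so here is an added example, written for this page and not part of the original post or of DSM, that checks a candidate against that rule and generates one that satisfies it. It assumes "symbol" means ASCII punctuation, since the post does not say what DSM counts as a symbol.

```python
import secrets
import string
from typing import List

# Policy from the post: at least 12 characters with at least one upper-case
# letter, one lower-case letter, one number and one symbol. What DSM counts
# as a "symbol" is not stated in the post; this checker assumes ASCII
# punctuation (string.punctuation).
MIN_LENGTH = 12
SYMBOLS = set(string.punctuation)


def check_password(password: str) -> List[str]:
    """Return the rules the password fails; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("fewer than %d characters" % MIN_LENGTH)
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no number")
    if not any(c in SYMBOLS for c in password):
        failures.append("no symbol")
    return failures


def is_acceptable(password: str) -> bool:
    return not check_password(password)


def generate_password(length: int = 16) -> str:
    """Generate a random password that always satisfies the policy.

    One character is drawn from each required class first, the remainder from
    the combined alphabet, and the result is shuffled with the OS CSPRNG so the
    position of each class reveals nothing about the password.
    """
    if length < MIN_LENGTH:
        raise ValueError("length must be at least %d" % MIN_LENGTH)
    classes = [string.ascii_uppercase, string.ascii_lowercase,
               string.digits, string.punctuation]
    chars = [secrets.choice(cls) for cls in classes]
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    for candidate in ("S!n0LoG6nAs%", "password", "Synology2019"):
        print(candidate, check_password(candidate) or "OK")
    print("suggested:", generate_password())
```

The checker reports every rule a password breaks rather than just the first, which is what you want when explaining a rejection to a user; the generator is what to hand to staff instead of letting them pick variations on the company name.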

2-Step Verification is a good idea, but unfortunately Synology do not support the common two-factor authentication tools like YubiKey, etc. So for now, unless you want to have a mobile phone with you all the time, leave this turned off. 

Account Protection

Your Synology NAS has some powerful features to protect accounts from compromise, but in some cases you need to turn them on. You will find these in Control Panel, Security, on the Account tab. 

Enable Auto Block - This is probably the most important feature here; it will block or ban IP addresses that fail password authentication a set number of times. The best-practice setting here is Login Attempts = 4, within 60 minutes, with "Enable block expiration" disabled. 

This does mean that from time to time a real user will lock themselves out, but you can remove that block with the Allow/Block List button just beneath the settings. 

Untrusted and Trusted Clients

One really powerful feature of your Synology box is the ability to differentiate between trusted and untrusted clients and set different limits for each. In our example we're giving trusted clients 10 login attempts within 5 minutes, but untrusted clients only get 8 attempts in 999 minutes. Unfortunately Synology won't allow you to set 1440, i.e. 24 hours, since 999 is the maximum number of minutes you can select. Feel free to change these as needed, and if your genuine users screw up then you can manage their restrictions using the "Manage Protected Accounts" and "Manage Trusted Clients" buttons by each section. 
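To make the Auto Block and trusted/untrusted limits above concrete, here is an added example that models both with sliding time windows and replays a handful of constructed failed-login lines through them. It is written for this page and is not Synology's implementation: the log format, the choice of the LAN as the trusted network and the documentation-range source addresses are all assumptions, and DSM's real rules may interact differently from the two independent counters shown here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Limits from the post. Auto Block is per source IP (4 failures in 60 minutes,
# no expiry); Account Protection is per account and client type (trusted:
# 10 attempts in 5 minutes, untrusted: 8 in 999 minutes, DSM's maximum).
AUTO_BLOCK_ATTEMPTS, AUTO_BLOCK_WINDOW = 4, timedelta(minutes=60)
ACCOUNT_LIMITS = {"trusted": (10, timedelta(minutes=5)),
                  "untrusted": (8, timedelta(minutes=999))}
# Assumption for this example: clients on the LAN are the trusted ones.
TRUSTED_NETWORKS = [ip_network("192.168.1.0/24")]


class SlidingWindow:
    """Count events inside a trailing window; events must be fed in time order."""

    def __init__(self, period):
        self.period = period
        self.events = deque()

    def add(self, when):
        self.events.append(when)
        cutoff = when - self.period
        while self.events and self.events[0] < cutoff:
            self.events.popleft()
        return len(self.events)


class LoginGuard:
    def __init__(self, trusted_networks=TRUSTED_NETWORKS):
        self.trusted_networks = trusted_networks
        self.ip_windows = defaultdict(lambda: SlidingWindow(AUTO_BLOCK_WINDOW))
        self.account_windows = {}
        self.blocked_ips = set()   # the Block list: no expiry, an admin must clear it
        self.protected = set()     # (account, client type) pairs currently locked

    def client_type(self, ip):
        addr = ip_address(ip)
        return "trusted" if any(addr in net for net in self.trusted_networks) else "untrusted"

    def failed_login(self, ip, account, when):
        """Record one failed login and return the protective actions it triggered."""
        actions = []
        if self.ip_windows[ip].add(when) >= AUTO_BLOCK_ATTEMPTS and ip not in self.blocked_ips:
            self.blocked_ips.add(ip)
            actions.append("block " + ip)
        ctype = self.client_type(ip)
        limit, period = ACCOUNT_LIMITS[ctype]
        key = (account, ctype)
        if key not in self.account_windows:
            self.account_windows[key] = SlidingWindow(period)
        if self.account_windows[key].add(when) >= limit and key not in self.protected:
            self.protected.add(key)
            actions.append("protect %s from %s clients" % key)
        return actions

    def is_allowed(self, ip, account):
        return ip not in self.blocked_ips and (account, self.client_type(ip)) not in self.protected

    def unblock(self, ip):
        """What the Allow/Block List button does for a real user who locked themselves out."""
        self.blocked_ips.discard(ip)


# Constructed log format for this example; DSM's own log lines differ.
LOG_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) login failed user=(\S+) from=(\S+)$")


def replay(lines, guard=None):
    """Parse constructed failed-login lines (any order) and feed them to a guard."""
    guard = guard or LoginGuard()
    parsed = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            parsed.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)))
    for when, user, ip in sorted(parsed):
        guard.failed_login(ip, user, when)
    return guard


SAMPLE_LOG = [  # constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
    "2019-07-25 13:00:00 login failed user=admin from=203.0.113.7",
    "2019-07-25 13:05:00 login failed user=admin from=203.0.113.7",
    "2019-07-25 13:10:00 login failed user=admin from=203.0.113.7",
    "2019-07-25 13:15:00 login failed user=admin from=203.0.113.7",  # 4th failure in 15 min
    "2019-07-25 13:01:00 login failed user=alice from=192.168.1.20",
    "2019-07-25 13:02:00 login failed user=alice from=192.168.1.20",
    "2019-07-25 13:03:00 login failed user=alice from=192.168.1.20",  # 3 failures: no block
    "2019-07-25 10:00:00 login failed user=admin from=198.51.100.9",
    "2019-07-25 10:30:00 login failed user=admin from=198.51.100.9",
    "2019-07-25 11:00:00 login failed user=admin from=198.51.100.9",
    "2019-07-25 11:30:00 login failed user=admin from=198.51.100.9",  # never 4 inside one hour
]

if __name__ == "__main__":
    guard = replay(SAMPLE_LOG)
    print("blocked IPs:", sorted(guard.blocked_ips))
    print("protected:", sorted(guard.protected))
```

Two things the replay makes visible: the slow attacker from 198.51.100.9 never trips the per-IP rule because its four failures never fall inside one 60-minute window, yet the admin account still ends up protected from all untrusted clients because the two sources together reach 8 failures in 999 minutes; and clearing the IP block does not clear the account protection, which is the second button the post mentions.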

Firewall

The Synology NAS firewall can be unnecessarily complex to set up, but it's also very powerful when used correctly. Open the firewall configuration from the Firewall tab in Control Panel / Security and select the currently active firewall profile. In the next dialogue you can configure a number of rules (and, in the case of larger NAS units, the interface on which each applies). The Synology Help does a good job of explaining the firewall rules, but we'll give a brief overview here. 

Firstly, you need to understand how the firewall works and what it actually does. The firewall inspects each incoming request to the NAS and looks at its SOURCE ADDRESS, DESTINATION ADDRESS, PORT and PROTOCOL. It then compares these against its allow rules to determine whether the request should be honoured or rejected. An example would be to allow access to DSM on port 5001 via TCP for your LAN only. In this case, assuming your LAN is 192.168.1.0/24, we would set up an allow rule for 

Ports 5001, Protocol TCP, Source 192.168.1.0/24 

By default, if no rule matches the source, destination, port and protocol, the packet is rejected, so please do not change this unless you know exactly what you're doing. 

Synology makes it easier to add rules by letting you select applications instead of ports, but behind the scenes it just converts the application to its ports and protocols for you. The source address can be a single IP, a subnet, a list of subnets or a location. Be careful with location: whilst it's pretty good, it's not foolproof, and we have had experience of users allowing GB (Great Britain) but clients being rejected even though they are in the UK. Remember you can add multiple rules here, but every rule you add is another risk, so don't expose applications (ports/protocols) to the internet unless absolutely necessary. 
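The rule matching described in this section (source address, port and protocol checked against allow rules, with reject as the default) can be reproduced in a few lines, which is a handy way to sanity-check a rule set before applying it. The following is an added example written for this page, not Synology's firewall code: it assumes rules are evaluated top to bottom with the first match winning, takes the DSM 5001/TCP mapping from the post, adds FTP on its standard port 21 as an extra application entry, and includes a helper that lists what a rule set exposes to non-RFC 1918 sources, i.e. the list the last paragraph says to keep short.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Tuple

# Application-to-port mapping in the spirit of what DSM does behind the
# scenes. DSM on 5001/TCP comes from the post; FTP on 21/TCP is the standard
# port, added here as an example entry.
APPLICATIONS = {
    "DSM (HTTPS)": (5001, "tcp"),
    "FTP": (21, "tcp"),
}
# Private (RFC 1918) ranges; anything allowed from outside these is internet-facing.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    ports: FrozenSet[int]   # destination ports the rule covers
    protocol: str           # "tcp" or "udp"
    source: object          # ip_network the source address must fall within
    action: str = "allow"   # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    protocol: str


def rule(ports, protocol, source="0.0.0.0/0", action="allow") -> Rule:
    return Rule(frozenset(ports), protocol.lower(), ip_network(source), action)


def app_rule(app, source="0.0.0.0/0", action="allow") -> Rule:
    """Build a rule from an application name, as the DSM dialogue lets you do."""
    port, proto = APPLICATIONS[app]
    return rule({port}, proto, source, action)


def matches(r: Rule, packet: Packet) -> bool:
    return (packet.protocol.lower() == r.protocol
            and packet.dst_port in r.ports
            and ip_address(packet.src) in r.source)


def evaluate(rules: List[Rule], packet: Packet, default="deny") -> str:
    """Assumption: rules are checked top to bottom and the first match decides.
    With no match the default applies, which on DSM is to reject the packet."""
    for r in rules:
        if matches(r, packet):
            return r.action
    return default


def internet_exposed(rules: List[Rule]) -> List[Tuple[int, str]]:
    """(port, protocol) pairs allowed from sources not confined to an RFC 1918 range."""
    exposed = set()
    for r in rules:
        if r.action == "allow" and not any(r.source.subnet_of(net) for net in RFC1918):
            exposed.update((p, r.protocol) for p in r.ports)
    return sorted(exposed)


# The rule from the post: DSM on 5001/TCP, LAN only.
LAN_ONLY_DSM = [rule({5001}, "tcp", "192.168.1.0/24")]

if __name__ == "__main__":
    for pkt in (Packet("192.168.1.50", 5001, "tcp"), Packet("203.0.113.7", 5001, "tcp"),
                Packet("192.168.1.50", 5001, "udp")):
        print(pkt, "->", evaluate(LAN_ONLY_DSM, pkt))
    print("exposed to the internet:", internet_exposed(LAN_ONLY_DSM + [app_rule("FTP")]))
```

Note that the default-deny behaviour is what makes the single LAN rule safe: a request from the LAN to the right port but the wrong protocol (UDP) still gets no match and is rejected, and `internet_exposed` only reports something once a rule with a world-wide source is added.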

The Security Advisor


Synology have equipped your NAS with a tool which can analyse your security configuration and make suggestions on how to improve it. Not every suggestion must be acted upon, but having the analysis is really handy. Open up the Security Advisor and then select Run. 

After a few minutes you should see an overview of recommendations. Hitting Results on the left gives you detailed suggestions and some guidance. 

Don't panic: there may be lots of red triangles, but these are just warnings. For example, we have unencrypted FTP enabled because some dumb devices still need it, and that gives us a red triangle, but we know it's OK and we can ignore it. Do the same for each: understand the warning or suggestion and take action. 

Evolving Environment

Unfortunately, flaws and exploits are being discovered daily, and whilst Synology is very good at releasing fixes and patches for discovered vulnerabilities, you should never rely on them being infallible. Instead, ensure you have a good, tested and working backup strategy for your NAS so that in the event your NAS is compromised or data is lost or damaged, you can swiftly recover with minimal loss. 

At this point it's worth mentioning that GEN not only provide Synology technical support but also host Synology RackStations in our datacentres, and unless you want to DIY it, we'll take care of all these things for you, including disaster recovery. 


Synology Auto-Update


We've been actively promoting Synology RackStations for many years now and they do provide exceptional performance for our customers, but they also come with a few gotchas that you need to be aware of when running them. If you have managed storage or any of our support or outsourcing services then we'll take care of these units for you, but if not then please read on. 

Auto-Update is an important part of any strategy, and of course Synology provides the same functionality, which can be found in Control Panel / Update & Restore / Update Settings.

Here we have updates applied automatically at 3am when available. This means your system will always be up to date with the latest patches and fixes. 

A second level of protection comes from the Package Centre auto-updates, which can be enabled in Package Centre / Settings / Auto Update.

But you can never leave your Synology servers to just update themselves without intervention, as we've discovered today: we found that all our customers who have managed storage were showing package updates available (via CMS) but they weren't auto-updating. We investigated this further and found that Synology have made a change that seemingly affects everyone ... 

When opening the Package Centre from DSM on the server you find this dialogue, 

and of course all the updates have stopped auto-updating because of this.

Now we have 300+ Synology servers under management and so far today we've only managed to do a fraction of that, but over the next few days we'll log in to each of the boxes, tick the box and then let auto-update do its thing. If you are using a Synology NAS then double check this now and make sure you've got it ticked, then apply any outstanding updates.  


Synology CloudStation in the Corporate Environment


If you've invested the time and money in Synology RackStations then you're probably going to want to take advantage of some pretty cool embedded features. One such feature is CloudStation and its associated CloudStation Sync and CloudStation Backup, which collectively allow near-real-time local file synchronisation with a server that provides up-to-date files for remote users, a multi-versioned backup for desktops and laptops, and real-time sync between servers across sites. There is, however, one serious flaw in the plan that you need to be aware of before you roll this out across the business, and that's SSL. 

When you set up your RackStation(s) you probably set up SSL, and would have used the built-in Let's Encrypt support, which promises a valid certificate renewed every 90 days, or you would have installed a paid certificate, which renews annually in most cases. Having set up your SSL certificate you would of course want your clients to use SSL when connecting to the server so the transfer is a little more secure, but here's where it all goes down the tubes: if you did make the mistake of selecting SSL when you set up the clients then every 90 days (or annually) all the clients are going to silently stop working, and no one is going to notice for a while. 

If a user actually opened CloudStation Backup to restore a file then they will be met with

And should they click on Version Explorer they get the equally helpful...

In fact there is no way out of this without going into Settings, then Connection, re-entering the user/password and applying; in a corporate environment the end user may well not be privy to the Synology user/password, but even if they were it's now too late, because CloudStation Backup hasn't been backing up since the last certificate renewal. The ONLY way around this is to turn off SSL, or you'll be back here again before you know it. It's a real shame that you cannot use SSL, as it's a nice feature, but in a corporate environment it's not essential unless you're allowing remote sync.  

I have no doubt that Synology will resolve this in due course, but until then keep SSL off to save a bunch of time and effort.
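The failure mode above is dangerous precisely because it is silent, so whichever way you go on SSL it is worth a check that catches clients that have quietly stopped backing up. Here is an added example, written for this page rather than taken from the post or from Synology: given the date the current server certificate was issued (the last renewal) and the last successful backup time for each client, it lists the clients that have not completed a backup since that renewal, and computes when the next renewal, and so the next possible outage, is due from the 90-day and annual lifetimes the post quotes. The per-client times are constructed sample data; in practice you would fill them from whatever monitoring you have of the backup jobs.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Certificate lifetimes from the post: Let's Encrypt renews every 90 days,
# paid certificates typically annually.
LIFETIMES = {"letsencrypt": timedelta(days=90), "paid": timedelta(days=365)}


def next_renewal(not_before: datetime, kind: str = "letsencrypt") -> datetime:
    """When the next (re)issue is due; with SSL-configured clients this is the
    date they will silently stop working."""
    return not_before + LIFETIMES[kind]


def stale_clients(cert_not_before: datetime, last_success: Dict[str, datetime],
                  now: datetime, grace: timedelta = timedelta(hours=24)) -> List[str]:
    """Clients whose last successful backup predates the current certificate.

    A client that has not completed a backup since the certificate was
    reissued is probably stuck in the state the post describes. The grace
    period avoids flagging every machine in the first hours after a renewal
    (laptops that were simply switched off overnight).
    """
    if now - cert_not_before < grace:
        return []
    return sorted(name for name, when in last_success.items() if when < cert_not_before)


# Constructed sample data: certificate issued 1 June, checked on 25 June.
CERT_NOT_BEFORE = datetime(2019, 6, 1)
LAST_SUCCESS = {
    "alice-laptop": datetime(2019, 6, 24, 18, 0),   # fine, backed up after renewal
    "bob-desktop": datetime(2019, 5, 31, 17, 30),   # nothing since the day before renewal
    "carol-laptop": datetime(2019, 5, 28, 9, 0),    # nothing for almost a month
}

if __name__ == "__main__":
    now = datetime(2019, 6, 25)
    print("next renewal:", next_renewal(CERT_NOT_BEFORE).date())
    print("clients to reconnect:", stale_clients(CERT_NOT_BEFORE, LAST_SUCCESS, now))
```

Run daily, this turns the "no one is going to notice for a while" problem into a list of machines to visit, and the renewal date gives you a window in the calendar to expect it.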
