Synology Security

Introduction

If you are accessing your Synology DiskStation from outside your home network, there are a few things you can do to make it a much harder target. None of them take long, and most of them are just settings in the DSM Control Panel.

 

SynoLocker Ransomware

Issues like the SynoLocker ransomware shouldn’t have happened.  That particular ransomware was possible because people did not patch and update their devices in a timely manner, for whatever reason.  The fix for the DSM vulnerability it exploited had been released several months before the first attacks.

It is understandable that people were upset about getting hit with this ransomware, but some basic security hygiene, starting with installing DSM updates when they are released, would have prevented it.

 

Synology Security Advisor

The new Security Advisor in DSM 5.1 is a big help for people securing their devices.  It performs up to 35 checks (currently) to make sure your device is configured securely.  There are three available settings for the baseline checks,

  1. For home and personal use,
  2. For work and business use,
  3. Custom.

The first two options select a specific subset of the checks to run.  Personally, I would choose Custom and select all of the checks.

Once you have picked an option, run a scan and see how you fare.  If there are any warnings or errors, try to fix the issue.  If you are not sure about a setting, check the Synology Forums; they are a great source of information.

If you have green across the board, you are doing great.

 

Extra Steps

Here is my list of extra steps that people should consider doing to help secure their Synology devices.  These go above and beyond the checks that Synology do in their Security Advisor, so if you have all green ticks for the checks above, give these a go…

1.  Disable The Default Administrator Account

This one is not so obvious, but everyone who has a Synology device knows the name of the default admin account, and so does anyone scanning the internet for DiskStations.  It is the username every password-guessing attack will try first.  With it disabled, an attacker has to guess both the username and the password, and every attempt against “admin” fails no matter what password they try.

  1. Go to the Users section in the Control Panel,
  2. Create a new user.  Call this user something other than “admin”, and give it a strong, unique password,
  3. Make sure it’s a member of the administrators group,
  4. Logout, and login as this new user account to confirm it works,
  5. Disable the default “admin” account (disable it rather than delete it; DSM does not let you remove it, and disabling is all you need).

 

2.  Use 2-Step Verification

2-step verification helps with making sure only you can log in with your account, even if someone gets hold of your password.  It adds a 6-digit code that changes every 30 seconds.  The codes look random, but are actually calculated (using the TOTP algorithm from RFC 6238, the same one Google Authenticator uses) from two things: a secret that is shared between your phone and the DiskStation when you set it up, and the current time.  Without the phone holding that secret, a stolen password is not enough to log in.

You will need to install an app on your phone to give you the 6-digit codes.  I use the Google Authenticator app, but there are many others available.  The Google version is only available on the Google Play Store and the Apple App Store.  For the Windows Phone Store, I picked the Microsoft Authenticator as I believe it uses the same algorithm…


Before you enable 2-step verification, you need to make sure the date and time on your device are accurate.  The codes are derived from the current time, so if the DiskStation’s clock drifts by more than a code interval or so from your phone’s clock, every code the phone shows will be rejected and you will be locked out.  The best way to keep the clock right is to use a reliable time source…

  1. Log on to your DiskStation with an administrator account,
  2. Open the Control Panel,
  3. Go to the Regional Options section,
  4. Under the Time Setting part, select Synchronise with NTP server,
  5. Enter pool.ntp.org into the Server Address box
  6. Click Update Now

 

To enable 2-step verification for an account…

  1. Log on to your DiskStation with the account you want to use,
  2. Click the Person Icon in the title bar, top right,
  3. Click the Options menu item,
  4. Tick the box labelled Enable 2-Step Verification,
  5. Run through the wizard that appears, make sure you read the instructions…


To test, simply logout, and log back in again.  When you enter your username and password, instead of being logged in, a new box appears asking for the 6-digit code that is displayed on your phone.
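To make the description above concrete, here is the TOTP calculation (RFC 6238) that the phone app and the DiskStation both perform, plus the server-side check that explains why the clock has to be right. This is an added example, not Synology’s code; it uses the test secret from RFC 6238 Appendix B so the numbers can be checked against the RFC, and the clock-skew values are constructed for illustration.

```python
"""TOTP (RFC 6238), the algorithm behind DSM 2-step verification and Google
Authenticator.  Added example, not Synology's code.  Uses the RFC 6238 test
secret so the outputs match the RFC's SHA-1 vectors; a real enrolment secret is
the base32 string (or QR code) DSM shows in the 2-step verification wizard."""
import base64
import hashlib
import hmac
import struct

TIME_STEP = 30   # seconds per code (RFC 6238 default, used by Google Authenticator)
DIGITS = 6       # DSM shows 6-digit codes

# Secret from RFC 6238 Appendix B, so the outputs match the RFC's SHA-1 vectors.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits (zero-padded)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter = number of `step`-second intervals since the epoch."""
    return hotp(secret, unix_time // step, digits)


def verify(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server side: accept the current interval plus `window` intervals either side,
    to tolerate small clock differences.  A clock that is out by more than that
    rejects every code the phone produces, which is why the NAS must sync to NTP."""
    counter = unix_time // TIME_STEP
    return any(
        hmac.compare_digest(hotp(secret, counter + d), code)
        for d in range(-window, window + 1)
    )


def secret_to_base32(secret: bytes) -> str:
    """Authenticator apps are provisioned with the secret as base32 text."""
    return base64.b32encode(secret).decode("ascii")


def secret_from_base32(text: str) -> bytes:
    """Inverse of secret_to_base32; tolerates spaces and missing '=' padding."""
    text = text.replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


if __name__ == "__main__":
    t = 1111111109                      # one of the RFC 6238 test times
    code = totp(RFC_SECRET, t)
    print("code at t:", code)           # 081804 (6-digit form of the RFC vector)
    print("NAS clock 30 s out:", verify(RFC_SECRET, code, t + 30))   # True
    print("NAS clock 60 s out:", verify(RFC_SECRET, code, t + 60))   # False
```

The `verify` function is what matters for the NTP step: with the usual one-interval tolerance, a NAS clock that is a minute out already rejects every code, so synchronising the clock is not optional.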

 

3.  Default Ports

The default ports that Synology DiskStations use for the web interface are 5000 (HTTP) and 5001 (HTTPS).  It’s a good idea to change these to something else.  This will not stop a determined attacker, who can simply port-scan the device, but it does keep you out of the mass scans that look for DSM on its default ports, which removes a lot of the noise from your logs.

To do this, first pick a number between 1024 and 65535 that is not already used by another service on the device.  I’ll use 12345 as an example…

  1. Open the Control Panel,
  2. Go to the Network section,
  3. Select the DSM Settings tab,
  4. Enter the port number you thought of (12345) into the HTTP field,
  5. Enter the port number plus one (12346) into the HTTPS field,
  6. If you are still using HTTP, switch to HTTPS, otherwise your password and session are sent across the internet in the clear.

 

4.  Firewall

The Synology DSM has a built in firewall.  You can use this to block access to your DiskStation.

The default way the firewall is set up by Synology is to have separate firewall rules for each application or port that is used.  Personally I find this messy, as there are too many rules which could overlap and conflict.

Access the firewall settings in the Control Panel, Security section.

 

Instead I have just three rules.  While this works for me, your situation may call for more rules than this…

  1. Allow all traffic on all ports from my local network,
  2. Allow only HTTPS port (12346 from the example above) from IPs in England (where I live),
  3. Allow only various application ports (web, ownCloud, etc.) from IPs in England.

Rules are checked from the top down and the first one that matches decides.  If no rule matches, access is denied.

Now, I know that IP addresses can be spoofed quite easily, but this helps beat a lot of the mass attacks coming from China, Russia and the USA.

You may want to have a few more rules, just remember to keep it simple.  If you over-complicate things, you may open a hole in your network: an allow rule without a source restriction, placed above a more specific rule, silently wins for everything it matches.
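The three-rule policy above, with first-match evaluation and a default deny, as an added example of how such a rule set behaves (this is not DSM’s implementation). The country lookup is a constructed stand-in for the GeoIP database DSM uses for region-based rules, and the prefixes are documentation ranges rather than real English or foreign networks; the port numbers assume the custom HTTPS port from step 3 and two made-up application ports.

```python
"""First-match firewall policy with a default deny, modelling the three-rule DSM
setup.  Added example, not DSM's implementation.  The GeoIP table, prefixes and
application ports are constructed for illustration."""
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")
DSM_HTTPS = 12346              # the custom DSM HTTPS port chosen in step 3
APP_PORTS = {443, 8080}        # constructed: web server and ownCloud

# Constructed GeoIP table: prefix -> ISO country code (documentation ranges).
GEO = {
    ipaddress.ip_network("192.0.2.0/24"): "GB",
    ipaddress.ip_network("198.51.100.0/24"): "CN",
    ipaddress.ip_network("203.0.113.0/24"): "US",
}


def country(ip: str):
    """Country code for an address, or None if the (constructed) table has no entry."""
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in GEO.items() if addr in net), None)


# Each rule: (name, predicate over (ip, port), action).  Rules are evaluated top
# to bottom; the first rule that matches decides, and no match means deny.
RULES = [
    ("lan-all",      lambda ip, port: ipaddress.ip_address(ip) in LAN,           "allow"),
    ("gb-dsm-https", lambda ip, port: country(ip) == "GB" and port == DSM_HTTPS, "allow"),
    ("gb-apps",      lambda ip, port: country(ip) == "GB" and port in APP_PORTS, "allow"),
]

# The "hole" from over-complicating: an allow rule for the app ports with no source
# restriction, slipped in above the geo rules, lets any country reach them.
SLOPPY_RULES = [RULES[0], ("any-apps", lambda ip, port: port in APP_PORTS, "allow")] + RULES[1:]


def decide(ip: str, port: int, rules=RULES):
    """Return (action, rule name) for a connection attempt from ip to port."""
    for name, match, action in rules:
        if match(ip, port):
            return action, name
    return "deny", "default"


def shadowed(rules):
    """Names of rules that never fire for a probe set of one address per GEO entry
    plus one LAN address, over the interesting ports: a rule that never fires is
    either redundant or, as with SLOPPY_RULES, overridden by a broader rule above it."""
    probes = [(ip, port)
              for ip in ("192.168.1.20", "192.0.2.5", "198.51.100.4", "203.0.113.9")
              for port in (22, 5001, DSM_HTTPS, 443, 8080)]
    fired = {decide(ip, port, rules)[1] for ip, port in probes}
    return [name for name, _, _ in rules if name not in fired]


if __name__ == "__main__":
    for ip, port in [("192.168.1.20", 22), ("192.0.2.5", DSM_HTTPS),
                     ("192.0.2.5", 5001), ("198.51.100.4", DSM_HTTPS),
                     ("198.51.100.4", 8080)]:
        print(f"{ip}:{port} -> {decide(ip, port)}")
    print("sloppy rules, CN to 8080 ->", decide("198.51.100.4", 8080, SLOPPY_RULES))
    print("rules that never fire:", shadowed(SLOPPY_RULES))
```

Note that an English address hitting the old default port 5001 is still denied, because the only HTTPS rule is for the custom port; the `shadowed` check is a cheap way to spot a rule that has been made dead by a broader one above it.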

 

5.  Auto Block

Auto Block is another feature worth turning on.  It blocks an IP address that fails to log in to your DiskStation too many times within a short period, which stops password guessing in its tracks.  Auto Block is also in the Security section of the Control Panel, two tabs over from the Firewall.

  1. Tick the box labelled Enable auto block,
  2. Enter a number for the Login attempts field, (I have mine set to 5),
  3. Enter a number for the Within (minutes) field, (again I have 5 for this),

This means that anyone entering their password incorrectly 5 times, within the space of 5 minutes, will get their IP address blocked.  This is a low enough number of attempts in a long enough time window that I can catch quite a lot of attempts.

  4. If you want to enable the block expiration option, tick the box.  This automatically unblocks a blocked IP address after the number of days you set.  I don’t have this set.  Once blocked, you stay blocked.

One thing to be aware of, however: since I am not automatically unblocking IP addresses, there is a chance I might get blocked myself.  The way around this is to add a known internal IP address to the allow list on the Allow/Block List tab; addresses on the allow list are never blocked.  This way, if you do get blocked, you just need to change your computer’s IP address to this specific address, connect to your device, and unblock yourself.  Never add an external (internet) address to the allow list, as that exempts it from Auto Block entirely.
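The Auto Block logic described above, modelled over a few constructed login records so the behaviour of the attempts and window settings, the allow list and block expiry can be seen end to end. This is an added example of the logic, not DSM’s code; the log lines are made up for the example and are not real DSM log output, and the class and function names are my own.

```python
"""Model of DSM Auto Block: block an IP after N failed logins within M minutes,
never block allow-listed addresses, optionally expire blocks.  Added example of
the logic, not DSM's own code; the log lines are constructed, not real DSM output."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one guessing IP, one slow guessing IP, and one LAN user
# who mistypes their password, in the order the events arrive.
SAMPLE_LOG = """\
2014-11-02 10:00:00 login failed user=admin from=198.51.100.9
2014-11-02 10:00:01 login failed user=admin from=203.0.113.7
2014-11-02 10:00:10 login failed user=admin from=203.0.113.7
2014-11-02 10:00:20 login failed user=root from=203.0.113.7
2014-11-02 10:00:35 login failed user=admin from=203.0.113.7
2014-11-02 10:00:40 login failed user=alice from=192.168.1.10
2014-11-02 10:00:45 login failed user=alice from=192.168.1.10
2014-11-02 10:00:50 login failed user=alice from=192.168.1.10
2014-11-02 10:00:55 login failed user=alice from=192.168.1.10
2014-11-02 10:01:00 login failed user=alice from=192.168.1.10
2014-11-02 10:01:02 login failed user=admin from=203.0.113.7
2014-11-02 10:01:10 login failed user=alice from=192.168.1.10
2014-11-02 10:01:15 login ok user=alice from=192.168.1.10
2014-11-02 10:01:30 login failed user=admin from=203.0.113.7
2014-11-02 10:03:00 login failed user=admin from=198.51.100.9
2014-11-02 10:06:00 login failed user=admin from=198.51.100.9
2014-11-02 10:09:00 login failed user=admin from=198.51.100.9
2014-11-02 10:12:00 login failed user=admin from=198.51.100.9
"""

LINE = re.compile(r"^(\S+ \S+) login (failed|ok) user=\S+ from=(\S+)$")


def ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


class AutoBlock:
    def __init__(self, attempts=5, within_minutes=5, expire_minutes=None, allow=()):
        self.attempts = attempts
        self.window = timedelta(minutes=within_minutes)
        self.expire = timedelta(minutes=expire_minutes) if expire_minutes else None
        self.allow = [ipaddress.ip_network(a) for a in allow]   # never blocked
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked = {}                    # ip -> time the block started

    def allowed(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allow)

    def is_blocked(self, ip: str, now: datetime) -> bool:
        since = self.blocked.get(ip)
        if since is None:
            return False
        if self.expire is not None and now - since >= self.expire:
            del self.blocked[ip]          # block expired: start counting afresh
            self.failures[ip].clear()
            return False
        return True

    def record_failure(self, ip: str, now: datetime) -> bool:
        """Register one failed login; return True if the IP is now blocked."""
        if self.allowed(ip):
            return False
        recent = self.failures[ip]
        recent.append(now)
        while now - recent[0] > self.window:   # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.attempts and ip not in self.blocked:
            self.blocked[ip] = now
        return self.is_blocked(ip, now)

    def unblock(self, ip: str) -> None:
        """What you do from the Allow/Block List after locking yourself out."""
        self.blocked.pop(ip, None)
        self.failures.pop(ip, None)


def replay(log_text: str, blocker: AutoBlock) -> set:
    """Feed log lines through the blocker in order; return the IPs blocked at the end."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        when, result, ip = ts(m.group(1)), m.group(2), m.group(3)
        if blocker.is_blocked(ip, when):
            continue          # a blocked IP never reaches the login page
        if result == "failed":
            blocker.record_failure(ip, when)
    return set(blocker.blocked)


if __name__ == "__main__":
    ab = AutoBlock(attempts=5, within_minutes=5, allow=["192.168.1.0/24"])
    print("blocked:", replay(SAMPLE_LOG, ab))   # {'203.0.113.7'}
```

Only the fast guesser ends up blocked: the slow one spaces its attempts three minutes apart, so never has five failures inside any five-minute window, and the LAN address is exempt because it is on the allow list. That last point is exactly why an external address must never go on the allow list.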

 

6. More Coming Soon

I will add any more security options here.  If you know of any good tips that you think other people should know about, leave them in the comments.

 

 
