this post was submitted on 23 Nov 2023
4 points (100.0% liked)

Homelab


...without snark or jumping down my throat. I genuinely want to know why it's so unsafe.

I'm running a Synology DS920+, with my DSM login exposed through a Cloudflare tunnel. I have 2FA enabled, Synology firewall enabled with these rules in place. I also have this IP blocklist enabled.

After all of this, how would someone be able to break in via the DSM login?

[–] johnklos@alien.top 3 points 2 years ago (1 children)

NAS vendors aren't known for understanding security. Opening ssh to the world is no problem, because ssh is everywhere, it's constantly attacked, and half the world would know if an exploitable vulnerability was found.

If NAS vendor ABC has a vulnerability in the login code written by a programmer who hasn't done much more than CSS, it would surprise nobody, and you wouldn't hear about it on any IT news sites. It would just be exploited until all the machines were exploited or until they're all patched.

It really is a world of difference between something known and secure and some random login page.

[–] OneBreakfastPlease@alien.top 2 points 2 years ago (1 children)

> Opening ssh to the world is no problem

That seems to go against the general consensus... Why is everyone/everything online telling me to either disable SSH entirely, or change the SSH port to something incredibly obscure (and even that's not safe)?

[–] johnklos@alien.top 2 points 2 years ago (1 children)

Because they're being silly. There is no other public facing service more secure than a relatively modern OpenSSH.

In some instances, yes, it's best to disable the ssh that comes with whatever NAS OS you're running, because they often ship old code and don't care about updates and security.

But if you're running a relatively up to date OpenSSH and you're using keys, not passwords, then you are as secure as you can reasonably be. There's no math suggesting otherwise. Moving to a different port will reduce the frequency of attack, but that will have zero impact on the possibility of intrusion.

Put it this way: if relatively recent OpenSSH has a remotely exploitable vulnerability, you'll see it on the news on TV. You'll see it and hear about it literally everywhere. The world will stop for 24 hours and there will be widespread panic. You'll know.

If your NAS has an exploit, you might read about it on The Register a few months later.

[–] MozerBYU@alien.top 1 points 2 years ago
[–] zedkyuu@alien.top 2 points 2 years ago (1 children)

If your DS920+ is completely inaccessible to outside your network except for the Cloudflare tunnel, then the Synology firewall and IP blocklist aren't going to do squat for you since all connections will appear to originate from either inside your network or from Cloudflare. So you're 100% dependent on Cloudflare to keep bad actors out.

I'm not familiar with Cloudflare but the impression I had from looking at it was that you can decide which authenticated Cloudflare users can access your tunnel. So it's a matter of credential management. Supposing some bad actor gets your credentials, they would then be able to access the entirety of your NAS, and you're now hoping that there isn't some undiscovered or unpatched security hole that they can use.

[–] wavehockeysandwich@alien.top 1 points 2 years ago

Not true, cloudflare will forward the real IP in the headers, and if your nas is correctly configured (trusts the forwarded header), it can block the source based on IP.
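As an added illustration of the two comments above (not code from either commenter, from Cloudflare or from Synology), the rule that makes a forwarded-IP header usable for blocking: honour it only when the immediate TCP peer is a trusted proxy hop (the edge ranges for a direct proxy, or the host running the tunnel connector), and otherwise ignore it, since anyone connecting directly could have forged it. The proxy ranges and blocklist entries here are constructed placeholders, not Cloudflare's published list.

```python
import ipaddress

# Constructed placeholder ranges standing in for the hop that hands requests to
# the NAS. In a real deployment these would be loaded from the proxy's published
# list (or be the tunnel connector's own address), not hard-coded like this.
TRUSTED_PROXY_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8::/32")]

# Constructed deny list, standing in for the NAS firewall's IP blocklist.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24",)]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def real_client_ip(peer_ip, headers):
    """Return the address that firewall/blocklist rules should be evaluated against.

    peer_ip is the TCP peer the NAS actually sees. The forwarded header is only
    trusted when that peer is one of the known proxies; from any other peer the
    header is discarded, because it is attacker-controlled input.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not _in_any(peer, TRUSTED_PROXY_NETS):
        return peer
    hdrs = {k.lower(): v for k, v in headers.items()}
    # CF-Connecting-IP carries the original client; X-Forwarded-For's first
    # (leftmost) hop is the fallback when that header is absent.
    raw = hdrs.get("cf-connecting-ip") or hdrs.get("x-forwarded-for", "")
    first_hop = raw.split(",")[0].strip()
    try:
        return ipaddress.ip_address(first_hop)
    except ValueError:
        # Missing or malformed header from a trusted proxy: fall back to the peer
        # rather than letting the request through with no address to judge.
        return peer


def should_block(peer_ip, headers):
    """True when the request, seen through the proxy, comes from a blocked range."""
    return _in_any(real_client_ip(peer_ip, headers), BLOCKED_NETS)
```

Without the trusted-peer check, the blocklist is either useless (every request appears to come from the proxy, as the first comment says) or trivially bypassed (a direct connection spoofs an allowed address in the header).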

[–] ervwalter@alien.top 2 points 2 years ago

All software has bugs. Sometimes bugs let you do things you weren't intended to be able to do (e.g. access data on a NAS without knowing the login password). Your NAS might have a bug that hasn't been discovered (or publicized yet) or hasn't been fixed yet.

If you put your NAS on the internet, you give "bad guys" an opportunity to exploit those bugs to get your data or to use your NAS as a jumping off spot to attack other things inside your home network.

[–] Jess_S13@alien.top 2 points 2 years ago

Security for systems is designed for their target use case. The NAS login page was designed to be easily usable and assumed to only live within a private network. By opening to the internet you are opening it up to be targeted in a way the designers may not have accounted for.

[–] Kevin_Cossaboon@alien.top 1 points 2 years ago

Good conversation. Great comments.

What are you protecting, what is the value to you, how much are you willing to protect it.

Convenient is unsecured, Secure is inconvenient.

[–] Sipheren@alien.top 1 points 2 years ago

Look, what you have is probably fine, but you just have to accept that you now have this page open to the world and you are relying on Synology to be on top of their security and you to be up-to-date.

I use Cloudflare tunnels myself for Plex and the like (separate VLAN), but I keep my local Network and all portals only available via a VPN.

[–] Revolios@alien.top 1 points 2 years ago (1 children)

Like all others here have said, it’s an unnecessary risk. You can set up a VPN to your home network with DDNS on your router (if you have a public IP) and that will be much better.

[–] sysblob@alien.top 1 points 2 years ago

Cloudflare is just as secure and way more convenient. Possibly even more secure since that VPN is opening a port into your home whereas cloudflare is not.

[–] sysblob@alien.top 1 points 2 years ago (1 children)

Cyber Security seems to bring out weird bravado where people pretend like they know more than they do. This thread is literally dozens and dozens of people spouting nonsense.

The bottom line is if you're running a cloudflare tunnel with authentication on the tunnel itself to a trusted auth provider and then enable 2FA on that auth provider, you have a zero trust model that is about as secure as most modern companies. All of the people saying BUT WHAT ABOUT ZERO DAY are beyond dumb. Enable auto-updates on everything you can, script the rest. The chances of there being a zero day vulnerability to cloudflare and then a bot is able to hit your synology page which then has its own security they need to get past, it's not likely at all. Monitor your Synology login attempts just in case; it's all built in.

[–] OneBreakfastPlease@alien.top 1 points 2 years ago

> Cyber Security seems to bring out weird bravado where people pretend like they know more than they do. This thread is literally dozens and dozens of people spouting nonsense.

I know, right? I'm not going to lie, it's very amusing reading some of these replies...

I was literally just posting this in hopes of learning a thing or two, as I've always loved tech and this is a hobby that has given me great joy over the last couple of years.

[–] mykesx@alien.top 1 points 2 years ago

Evil hacker want to login. You are making it much easier.

[–] Professional-Bug2305@alien.top 1 points 2 years ago

Are you going to update the firmware upon every release? Are you going to monitor for vulnerabilities?

TA have automated software that will find it, and mess with it for funsies.

[–] PizzaCurrySpecial3@alien.top 1 points 2 years ago

Simple, no vendor can create completely secure software. The main way to prevent someone from breaking into your front door when a new vulnerability is discovered is to not present a front door to the internet.

It is impossible to overstate how exposed you really are when leaving interfaces like this open to the internet to be scanned, catalogued, then exploited and used (or damaged) as soon as a new vulnerability is weaponized.

[–] eW4GJMqscYtbBkw9@alien.top 1 points 2 years ago

Not exactly related to your question, but why not just use tailscale to access your NAS remotely?

[–] u35828@alien.top 1 points 2 years ago

Hi OP, someone using nmap would have a fun time trying to find any open ports to exploit.

[–] safely_beyond_redemp@alien.top 1 points 2 years ago

For one thing, it announces to the internet that your device is there. If there is one thing you could do to make it easy on a hacker it is to tell them what and where to hack. There might not be any complete exploits today, but there will be tomorrow, and when it happens, there will be a race between you and the bad guy to either patch or exploit. Are you updating often enough to protect your device from any possible random point in time in the future? If you have nothing to lose, don't worry about it, but most people store things they feel are worth storing.

[–] StarSyth@alien.top 1 points 2 years ago

simple rule, if you don't want something viewable by others then don't expose it to the internet. It's not a complicated rule, however many people fail this simple bit of logic.

An example, family photos, holiday videos, music and tv shows. All things that don't really matter if someone gains access to. It's at most an invasion of privacy.

Another example, bank statements, birth certificates, financial documents, scans of your credit and debit card, IoT. These are all things that pose a potential risk to you if someone gains access to them. Don't put them on the internet, and nobody can ever find them on the internet.

The internet by its very nature is built to share data, the easiest way to avoid sensitive data from being breached is to not have it on a device connected to the net in the first place.

[–] Accomplished-Feed123@alien.top 1 points 2 years ago (1 children)

Question: and I ask here because I think it pertains to the conversation but I’m not sure. I enjoy using the remote connect features of my Synology NAS. I do DDNS and quick connect. I use 2FA and a 14-16 character password. I’ve disabled the default admin account and I use the firewall.

I like to use my iPhone to stream movies and look at docs while on the road.

Am I at a huge risk?

[–] OneBreakfastPlease@alien.top 1 points 2 years ago

According to most of the cybersecurity experts in this thread, probably lol

[–] Realistic-Motorcycle@alien.top 1 points 2 years ago

This guy! If they can hack the US govt in hours your synology is a piece of cake

[–] touche112@alien.top 1 points 2 years ago

> After all of this, how would someone be able to break in via the DSM login?

You trust Synology that much? Yikes

[–] null_rm-rf@alien.top 1 points 2 years ago

Get hacked by some vulnerability.

[–] AspectSpiritual9143@alien.top 1 points 2 years ago (1 children)

Everyone: this is a bad idea.

OP: well I'm getting mixed signals

[–] OneBreakfastPlease@alien.top 1 points 2 years ago

Not really if you read the thread, but who am I to stop your hate parade? Go off son.

[–] vdubster007@alien.top 1 points 2 years ago (1 children)

It all comes down to risk management at the end of the day. And the good old equation threat X asset X vulnerability = risk.

So how sensitive is your data? At the end of the day this is the asset you are protecting. Is it all of your family photos and memories with no backup? Or is it your animated GIF collection from ‘99 before giphy made it obsolete? What is the IMPACT if this gets compromised?

In terms of threats what do you worry about? Ransomware, script kiddies, organized crime? And which do you think you can reasonably mitigate against?

It is impossible to predict potential future vulnerabilities in a product. There could be unauthenticated remote code execution vulnerabilities that grant an attacker remote access. Vulnerabilities are reduced with controls so you have some in place. What about patch management, etc? With your controls in place what is the likelihood that the threat you care about could impact you?

Out comes a risk value (low, medium, high).

Do you accept it or not?

For me I have a tiny FreeBSD server running that I’ve hardened (pf firewall, no root login, ssh keys only auth method, ansible playbook to check for and apply updates daily). Its sole purpose in life is to run wireguard. My various devices including NAS are clients that I allow access to the NAS over wireguard. I run PF on the wireguard interface and only allow access to specific services on the NAS. I don’t store anything sensitive on the NAS and I send encrypted backups to backblaze for files I don’t want to lose.

In my equation it’s a level of risk I am happy with. And if something bad happens I’m prepared to rebuild everything in my home network from scratch.

Good luck deciding.

[–] ridiculousransom@alien.top 1 points 2 years ago

Your reasons why are https://www.cvedetails.com/vulnerability-list/vendor_id-11138/Synology.html?page=1&cvssscoremin=8&order=1&trc=250&sha=3d655d1befa87d00b4ee6efb440f2b83c057d878

It only takes one exploit abused by a nation state threat actor and you’ll be part of the next news where 100s of thousands of NAS appliances were cryptoed with ransomware.

I would say you’re safer with Cloudflare tunnel providing you’re utilizing blacklisting on Cloudflare where only certain trusted IPs are allowed.

For a better solution I’d ask you to look at Tailscale and their easy VPN technology. https://tailscale.com/kb/1131/synology/

Stay safe out there.

Signed, Your friendly cybersecurity leader

[–] Solarflareqq@alien.top 1 points 2 years ago
[–] Delyzr@alien.top 1 points 2 years ago

The internet is like the wild west. There are bandits and outlaws everywhere. But automated. Bandit bots and outlaw bots who scan the internet all the time for open ports, trying to see if they can find an outdated version of software for which they have exploits. Some bots even have zero day exploits, which are unknown to the manufacturer of the software (the manufacturer has known zero days about the exploit, hence the name). When they find a match they will automatically hack the software running on the port and try to do privilege escalation (essentially become admin). Then they might install a copy of themselves on your machine, fortifying their bandit army (botnet). Most of the time the criminal behind the botnet can now also control your machine and do anything with it. Many times access to these hacked machines also gets sold on the darkweb to other criminals.

[–] Urzu_X@alien.top 1 points 2 years ago

Running a service through a Cloudflare tunnel is not exactly the same as "exposing the service on internet". It's more towards a VPN/Overlay kinda approach and not exactly the same as forwarding ports and pointing DNS entries to actually "expose" your service on the wider internet (other users may feel free to correct me here). Still won't recommend this with any "sensitive data" but if all you have is a bunch of music and TV shows then you're good there. At the end it all depends on the level of security that you are willing to work with.

[–] RogueAfterlife@alien.top 1 points 2 years ago (1 children)

It’s kinda like leaving your car unlocked and leaving your purse or wallet visible in your dashboard. Some may see it and choose not to exploit but some people will. What if you didn’t park your car there in the first place?

[–] shrugal@lemm.ee 1 points 2 years ago* (last edited 2 years ago)

It's not unlocked though. A better analogy would be that it's locked but out in the open, instead of behind a garage door.

[–] Dax_Thrushbane@alien.top 1 points 2 years ago

> how would someone be able to break in via the DSM login?

They probably couldn't. But, at the end of the day, the risk is yours to take. Nothing is 100% secure; it's all about degrees of security vs usability. You seem to have taken a reasonable approach to protecting the web service, so that's a good start. Other things would be to ensure that access is logged, and that failed attempts are delayed between retries (preventing brute forcing to be completed in a reasonable time) - not sure if Synology has that or not.

[–] Interesting_Mango948@alien.top 1 points 2 years ago

Baseline, STiG, Harden. Is your MFA SMS?

[–] androidwai@alien.top 1 points 2 years ago

Don't expose the login to internet. Use twingate, headscale/tailscale. It's super easy to set up and use zero trust network access.

[–] mrpeach@alien.top 1 points 2 years ago

Use 2fa and you'll be fine.

[–] linerror@alien.top 1 points 2 years ago

your NAS runs software that is neither hardened for nor designed for direct internet access...

synology has had a plethora of exploits over the years... https://www.synology.com/en-global/security/advisory including but not limited to ransomware taking over the nas and encrypting all of your data... and that's just the exploits THEY KNOW ABOUT. synology often takes MONTHS if not over a year to resolve critical issues that normal customers won't be affected by with best practices...

synology's own guidelines clearly state

> Do not expose DSM to the Internet unless necessary.

> If you must access file services over the Internet, it is strongly recommended that you use a VPN to connect to your Synology device.

https://kb.synology.com/en-ro/DSM/tutorial/How_can_I_prevent_ransomeware_attacks_on_my_Synology_device

direct internet access to your nas is a timebomb. you will lose your data, others will view your data, and you put your entire network at risk by doing so.

[–] shrugal@lemm.ee 1 points 2 years ago* (last edited 2 years ago)

It's a matter of risk management, and your personal situation and willingness to sacrifice convenience to reduce risk. There are many aspects that can affect risk, e.g. how often a software is updated, if it's open or closed source, how widely used it is, your personal level of relevant IT knowledge, the likelihood of a serious attack, what you are actually protecting, and so on.

One central rule is that more attack surface leads to a higher risk of security breaches (e.g. by discovering new vulnerabilities), and hiding everything behind a VPN reduces the attack surface to just one piece of software that's mainly focused on security. Additional public entry points add convenience but also increase your attack surface, so you have to find a level you are personally comfortable with.

In my opinion and experience, if an app is made for public access, in a production ready state and already widely used, if you trust the creator in general and with security updates in particular, and if you trust your own knowledge and ability to configure it correctly and keep all the relevant doors closed, then it's completely fine to make it publicly accessible in most cases. The security risk is not zero, but it's way overblown by some people in tech forums.

In your case, the login page behind a CF tunnel with 2FA enabled and yourself on the lookout for possible vulnerabilities sounds like an acceptable level of risk to me, unless the data on your NAS could start a nuclear war or something.

[–] SNxTNxSE@alien.top 1 points 2 years ago

i almost couldn't tell this is an advertisement

[–] domanpanda@alien.top 1 points 2 years ago

Even if your login page is not easy to break, it will be indexed by robots or hackers in their list. And they will test on it every vulnerability that will be published for any DSM component. Using VPNs like ZeroTier or Tailscale is definitely MUCH more secure than all of those tweaks and easier to set up too.

But of course it's YOUR data so ... good luck :)
