this post was submitted on 23 Nov 2023

Homelab

...without snark or jumping down my throat. I genuinely want to know why it's so unsafe.

I'm running a Synology DS920+, with my DSM login exposed through a Cloudflare tunnel. I have 2FA enabled, Synology firewall enabled with these rules in place. I also have this IP blocklist enabled.

After all of this, how would someone be able to break in via the DSM login?

(page 2) 39 comments
[–] k1shy@alien.top 1 points 2 years ago

Speaking as someone who decided to "just be a consumer and trust that my NAS manufacturer had appropriately hardened the login interface", and was using 2FA, and subsequently fell victim to a ransomware attack:

Do not expose any port on your NAS to the internet.

If you really want it available to you when you're away from home, set up a VPN using a separate device as the VPN server.

[–] BobcatTime@alien.top 1 points 2 years ago

With Cloudflare authentication it is probably going to be fine with the IP block filter etc.; it would probably filter 99.999% of the malicious attacks already.

But still, why do you need to expose it? I only have my Jellyfin exposed because I don't care much about the JF data and network, because it's on a separate VLAN and such. All my management and NAS are only accessible through VPN, because I wouldn't need access outside that often, only when something happens.

[–] DaGhostDS@alien.top 1 points 2 years ago

Surprised no one posted this; the web and cyber threats look like this: https://livethreatmap.radware.com/

I wouldn't trust Synology on that aspect, better have an entry over VPN.

[–] Unfair-Plastic-4290@alien.top 1 points 2 years ago

If you must, have you looked at the Azure Application Proxy? If you configure it properly it should work from the outside world and still remain private. This does put a lot of trust in Azure, and in your tenant's users not getting broken into.

[–] PickleSavings1626@alien.top 1 points 2 years ago

Because attackers can now access it. This gives them an unlimited number of attempts to break in. This isn't as safe as not exposing it to attackers.

[–] lesigh@alien.top 1 points 2 years ago (1 children)
[–] DangKilla@alien.top 1 points 2 years ago

Exactly this. I worked in a data center, and when big zero-days hit, you could be certain you were wiping a few servers.

For a home lab, it could be anything from NAS access to the drives, or access to your VoIP cameras.

[–] littelgreenjeep@alien.top 1 points 2 years ago (5 children)

Kind of like the others have stated, you're trusting the company to have fixed any known vulnerabilities, but also that there aren't any unknown exploits.

Ultimately the question isn't should you or not, but is the risk worth it? If your home finances are contained therein, if those impossible-to-recover or -reproduce pictures are stored on there, then if you were to have your system locked with ransomware, how important is that data? Do you have their camera system? Would you mind random internet users looking at those cameras? That's the real question.

If you only have some downloads you could find again, and you're not risking much if you lose everything on the system, then it's kind of: why not?

[–] DarkChoomba@alien.top 1 points 2 years ago (1 children)

The other risk to that is they’d possibly gain access to your internal network through your NAS. No telling what a bad actor would do.

[–] HoustonBOFH@alien.top 1 points 2 years ago (1 children)

Much more likely to gain access via a compromised desktop or smartphone.

[–] norrisiv@alien.top 1 points 2 years ago (1 children)

The NAS runs its own OS and is just as vulnerable as a desktop or smartphone. They're all computers.

[–] HoustonBOFH@alien.top 1 points 2 years ago (1 children)

Yes, but the other computers I listed have a person behind them that will click things. Like a "close" button that actually installs malware. A NAS does not click things.

[–] NOAM7778@alien.top 1 points 2 years ago (1 children)

True, but what if you host VMs on the NAS? Or data for some application? Those can result in an attacker running code on them, and from there, in most homelab networks, I assume it's a short way from owning everything in your network.

[–] HoustonBOFH@alien.top 1 points 2 years ago

When you turn your NAS into a hosting platform, it is no longer just a NAS.

[–] antaresiv@alien.top 1 points 2 years ago

It’s a matter of risk tolerance and how much you trust Synology.

[–] AnApexBread@alien.top 1 points 2 years ago

It's basically the same as any other time people expose something to the internet.

Most don't know what they're doing or how to do it safely so they put a vulnerable device out in a vulnerable state.

The only reason a NAS is worse is because it's more common for a home user to have a NAS than it is to do something like host a WordPress, and a NAS has more personal stuff than a WordPress does (usually).

[–] Fallyfall@alien.top 1 points 2 years ago

I'm by no means any security expert, but my 2 cents are these:

  • Zero-day attacks, where the name refers to how many days a vulnerability has been known when first used. These are more or less impossible to safeguard against. The only thing that would delay an attacker in your setup is 2FA. But can you be sure there aren't any weaknesses or vulnerabilities in your 2FA setup? Kaspersky mentions a few interesting zero-days in their resource center.
  • Blocking all countries except the one you live in can create a false sense of security, because VPSes are a thing and are hosted in most countries. That means that a malicious person could spin up a VPS in a country which is allowed to access your public-facing address.
  • Depending on what kind of services you run, there could be privilege escalations which could grant an attacker more leverage to find weaknesses in software. I think Darknet Diaries' episode on the LinkedIn incident explains this well.

[–] hdd-housing@alien.top 1 points 2 years ago

https://www.synology.com/en-us/security/advisory

https://www.cvedetails.com/vulnerability-list/vendor_id-11138/Synology.html

You can look through all known issues.

But don't get me wrong, I'm glad they provide the information!

Don't know how much a Cloudflare tunnel protects you. Maybe it's only security by obscurity.

[–] GOVStooge@alien.top 1 points 2 years ago

NAS appliances aren't known for their login security

[–] CaptainWilder@alien.top 1 points 2 years ago

It'd be best to host a VPN publicly instead, and get to the Synology via the VPN.

[–] PreppyAndrew@alien.top 1 points 2 years ago

Most NAS aren't designed to be exposed to the World Wide Web. The login page isn't designed to handle things like DDoS or brute-force attacks. Most of them don't have a 2-factor login option built in.

Plus the fact that you are exposing all of your data via this web interface, allowing hackers to easily crypto-mine, delete, or steal your data.

[–] NastyNative999@alien.top 1 points 2 years ago

TBH, if you set up MFA on the account, it's OK to open it to the internet.

[–] R8nbowhorse@alien.top 1 points 2 years ago

Because you're going to be hit by the next of the countless pre-authentication vulnerabilities that constantly pop up for appliances like yours.

All your security measures will do absolutely nothing in that case.

I don't get why you don't just set up a VPN. It isn't more complicated than what you did, and offers far superior protection. And for 99% of use cases, you don't lose any functionality either.

[–] btodoroff@alien.top 1 points 2 years ago

See my other comment, but the basic problem is you are only putting up one layer of protection if you expose directly to the Internet. If there is a vulnerability in the NAS, then bots can exploit just that layer and get in.

If you have tunnel/VPN then NAS, they have to have a vulnerability in the VPN, then also be able to use the VPN to exploit the NAS (or some other device on the VPN).

Add another layer, like IP limitations on the tunnel, then you have to have 3 exploits. Etc...

Synology sells based on convenience of features, and good enough security as a second thought. VPN or tunnel software exists to provide security. So you want to mix the focus and the providers to minimize chance any one provider or mistake will let you get hacked.

The biggest risk for a typical home lab is from bot scanners and not targeted attacks, so they are unlikely to target a connection with more than one layer as there are many, many simpler targets.

[–] horus-heresy@alien.top 1 points 2 years ago (2 children)

Did you Google or ask ChatGPT about the risks of letting bad actors brute-force, or potentially use some zero-day with some crazy URL, that can let them encrypt all your family pictures and other data? If you want to access from outside, do that through some reverse proxy like find proxy manager or Traefik.

[–] Missing_Space_Cadet@alien.top 1 points 2 years ago (2 children)
[–] homelab-ModTeam@alien.top 1 points 2 years ago

Thanks for participating in /r/homelab. Unfortunately, your post or comment has been removed due to the following:

Don't be an asshole.

Please read the full ruleset on the wiki before posting/commenting.

If you have an issue with this please message the mod team, thanks.

[–] OneBreakfastPlease@alien.top 1 points 2 years ago

Very helpful. Thanks for your contribution to the community.

[–] FredrickandNeval@alien.top 1 points 2 years ago

From experience, most NAS drives and CCTV boxes are built cheap and dirty. They are often slow and the proud product of a shite company/software developer.

Bad actors are running scripts on their servers, automatically looking for known exploits in pages, ports and software. They are actively scanning thousands of WAN-facing devices a minute.

Web pages are often written with poor practices. There is little to no care for security, but just enough to satisfy the end user.

JavaScript-protected pages (may as well just write the password on the page).

Usernames and passwords embedded in source code. Session variables stored in cookies in plain text. Vulnerable to session hijacking, man-in-the-middle attacks, and more.

One device we pen-tested a few years back allowed access to the settings page without logging in. This was due to a header redirect being used incorrectly. The page served the form and tried to redirect the browser. We just stopped the redirect, changed the password and logged in normally. Potato security at its best.

These devices often do not have any rate limiting or firewall, which means brute-forcing is nothing but a pure playground for a nice database of known usernames and passwords. GPUs are fantastic for brute-forcing. The more you have, the faster you can test username and password combinations.

If you must share file access, set up a VPN. Tunnel into your network securely and then access your NAS.

Assume everyone is gonna get you.
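The "stop the redirect" bug described in the comment above, as an added example that is not from the thread or from any vendor's firmware: handlers are plain functions returning `(status, headers, body)` so it runs offline, and the route, form field and password store are placeholders. The vulnerable handlers set a 302 for an anonymous caller but never `return`, so the protected form (and the password change) still happen; the fixed versions decide before the handler body runs and return a bare redirect.

```python
"""Added example (not from the thread or any vendor's firmware): a small
offline model of a redirect that is set but not returned, so the protected
page is still emitted. Route names, the form and the store are placeholders."""
import functools

SETTINGS_FORM = (
    '<form method="post" action="/settings">'
    '<input name="admin_password" type="password">'
    '<button>Save</button></form>'
)
LOGIN_REDIRECT = (302, {"Location": "/login"}, "")


def get_settings_vulnerable(session):
    """Buggy GET handler. For an anonymous session it sets a 302 and a
    Location header but does not return, so execution falls through and the
    protected form is written into the body of the redirect response."""
    status, headers = 200, {}
    if not session.get("authenticated"):
        status, headers = 302, {"Location": "/login"}
        # missing `return` here
    body = SETTINGS_FORM  # emitted for authenticated and anonymous alike
    return status, headers, body


def post_settings_vulnerable(session, form, store):
    """Buggy POST handler with the same fall-through: the redirect is set
    but the password change still executes for an anonymous caller."""
    status, headers = 200, {}
    if not session.get("authenticated"):
        status, headers = 302, {"Location": "/login"}
    store["admin_password"] = form["admin_password"]  # runs either way
    return status, headers, ""


def requires_login(handler):
    """Fix: decide before the handler runs and return the bare redirect
    immediately, so the protected code path is never reached."""
    @functools.wraps(handler)
    def wrapper(session, *args, **kwargs):
        if not session.get("authenticated"):
            return LOGIN_REDIRECT
        return handler(session, *args, **kwargs)
    return wrapper


@requires_login
def get_settings_fixed(session):
    return 200, {}, SETTINGS_FORM


@requires_login
def post_settings_fixed(session, form, store):
    store["admin_password"] = form["admin_password"]
    return 200, {}, ""


def client_view(response, follow_redirects=True):
    """What a client sees. A browser follows the 302 and renders the login
    page; an intercepting proxy (or curl without -L) keeps the 302 and shows
    whatever body travelled with it."""
    status, headers, body = response
    if status == 302 and follow_redirects:
        return "redirected to " + headers["Location"]
    return body


if __name__ == "__main__":
    anon = {}  # constructed: a request carrying no session cookie
    store = {"admin_password": "original"}
    print(client_view(get_settings_vulnerable(anon)))         # browser: redirected to /login
    print(client_view(get_settings_vulnerable(anon), False))  # proxy: the settings form
    post_settings_vulnerable(anon, {"admin_password": "owned"}, store)
    print(store["admin_password"])                            # owned
    print(repr(client_view(get_settings_fixed(anon), False)))  # ''
```

The check worth running against any appliance login flow is the proxy view: request the protected page with redirects disabled and inspect the body of the 302. A correct server sends nothing but the Location header.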

[–] MRP_yt@alien.top 1 points 2 years ago

If you open your login page to the internet without security, someone one day will have a field trip inside your NAS files and will find all your "I know what you did last summer" photos.

I have a DS423+ and I am also using a Cloudflare tunnel to access it from anywhere.

My CF Tunnel setup is done like this:

Domain: nas.example.com points to http://1.2.3.4: and I have 2 access rules added.

One of these rules NEEDS to match, otherwise "You Shall Not Pass":
#1: Public IP needs to match my public IP
#2: The person who wants to log in needs to authenticate via Google Authentication. The Google authentication needs to match test1@gmail.com or test2@gmail.com

While I am at home, I use nas.example.com to access my NAS instead of using its local IP, and Cloudflare allows access with no questions asked.
While I am outside my home network, I get asked to authenticate via Google and gain access this way.

+ CF Tunnel adds HTTPS automatically for me.

I don't use any firewall setup or any other rules inside the NAS.
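The two rules in the comment above, modelled as an added example (not Cloudflare's code, and it talks to nothing): an ordered list of policies evaluated the way an access proxy does it, bypass rules first on the bare request, allow/deny rules only once an identity exists. The home address 203.0.113.10, the e-mail allowlist and the policy names are placeholders standing in for the commenter's real values.

```python
"""Added example, not Cloudflare's code: an offline model of a two-rule
access policy (bypass by source IP, otherwise allow by IdP-asserted e-mail),
generalised to an ordered list of policies. Addresses and names are placeholders."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Policy:
    name: str
    decision: str                              # "bypass", "allow" or "deny"
    ips: list = field(default_factory=list)    # CIDR strings
    emails: set = field(default_factory=set)   # lower-case e-mail addresses


@dataclass
class Request:
    source_ip: str
    identity: Optional[str] = None   # e-mail asserted by the IdP, None before login


# Ordered by precedence, mirroring the two rules in the comment.
POLICIES = [
    Policy("home public IP", "bypass", ips=["203.0.113.10/32"]),   # assumed home address
    Policy("named Google accounts", "allow",
           emails={"test1@gmail.com", "test2@gmail.com"}),
]


def matches(policy: Policy, req: Request) -> bool:
    """A policy matches when any of its include criteria match the request."""
    ip = ipaddress.ip_address(req.source_ip)
    # ip_network.__contains__ returns False (not an error) for a v4/v6 mismatch.
    if any(ip in ipaddress.ip_network(cidr) for cidr in policy.ips):
        return True
    if req.identity is not None and req.identity.lower() in policy.emails:
        return True
    return False


def evaluate(req: Request, policies=POLICIES):
    """Return (decision, reason). Decisions: bypass, login, allow, deny."""
    # Stage 1: bypass policies are checked before any login, so a matching
    # source address reaches the origin with no identity check at all.
    for p in policies:
        if p.decision == "bypass" and matches(p, req):
            return "bypass", p.name
    # Stage 2: every other policy needs an authenticated identity.
    if req.identity is None:
        return "login", "redirect to identity provider"
    for p in policies:
        if p.decision in ("allow", "deny") and matches(p, req):
            return p.decision, p.name
    return "deny", "no matching policy"


if __name__ == "__main__":
    # Constructed requests: home connection, a stranger, an allowed user away
    # from home, a stranger with a Google login, a stranger on the home connection.
    for r in (Request("203.0.113.10"),
              Request("198.51.100.7"),
              Request("198.51.100.7", "Test1@gmail.com"),
              Request("198.51.100.7", "mallory@example.net"),
              Request("203.0.113.10", "mallory@example.net")):
        print(r.source_ip, r.identity, "->", evaluate(r))
```

The last constructed request is the caveat: any device behind the home public address, a guest's phone or a compromised laptop included, gets "bypass" and reaches DSM without the Google step, and the rule is tied to an ISP-assigned address that can change. Only the e-mail rule performs authentication, and both rules matter only if the tunnel is the sole path to the DSM port.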

[–] kwarner04@alien.top 1 points 2 years ago

Here's the way I think of it. Imagine you live in a house at the end of a long street. Your front door is the login page to your Synology. All the measures you've put in place (Cloudflare, IP blocklists, firewall) are the equivalent of putting up a guard booth/gate at the end of your driveway that only allows cars with a license plate from a specific state.

You haven’t made yourself significantly more secure, just lined the traffic up in a more organized fashion. You are still trusting the people that made your door lock to not be vulnerable.

Yes, it’s easier to access vs having a big metal gate that only you have the code to open (VPN) in front of your house. But why open yourself up to a single point of failure?

Here's just one recent example of an attacker being able to bypass the authentication on a Synology. All the things you have implemented wouldn't prevent a single person on the internet from using this exploit. https://www.zerodayinitiative.com/advisories/ZDI-23-660/

[–] MiteeThoR@alien.top 1 points 2 years ago

Millions of hostile computers are cruising the internet looking for literally anything that can be exploited. Do not give them an opportunity by exposing a login page unnecessarily.

[–] vtKSF@alien.top 0 points 2 years ago (2 children)

HEY MAN,

Just go ahead and get hacked and learn, there’s literally no point in even asking if you lean toward not taking anything anyone says with a grain of salt.

Otherwise VPN or Cloudflare tunnel into the machine.

Bye
