Brand spankin' new owner to a Synology 218+ here. Questions:


G+_Joel Pomales

Brand spankin' new owner to a Synology 218+ here. Questions:

 

How secure is getting to the NAS through Quickconnect? Should I get a cert to make sure traffic is https secure? Should I go the DDNS route? What's the general experience?

 

Two factor: if I enable it with Quickconnect, will it ask me every time I log in? Or just once on clients? Will it ask for a TFA code on the local network?

 

thx!


I have an RS218 with TFA enabled, and quickconnect. Regardless of access (internal/external network), you are prompted for TFA.

 

However, I have some uncertainty regarding quickconnect, and I believe I will be turning it off.

 

I already have a DDNS setup through Google Domains, and an OpenVPN server run by my pfSense firewall. I'd rather use a trusted VPN technology for my access.


George Fromtulsa can you be more specific?

 

Quick connect makes your NAS start polling for connection requests from a known domain. It ensures you don't need to open ports on your router.

It will work fine without ddns.

 

If you want to set up a certificate that requires a response during setup, like Let's Encrypt, then you need it set up (so LE can confirm it's talking to the right machine).

 

You can (and I recommend you do) set up security restrictions for incoming connections, e.g. limit connection attempts and auto block.

 

I take security seriously, and think QC is safe to use if you take these precautions.


Marco van Laerhoven What I understood from a thread about using QuickConnect is that a Synology user set up QuickConnect then used the software, which I believe uses a Synology website as a connection point, to go fishing for other QuickConnected Synologies. And found some that indicated readiness to QuickConnect.

 

Writer did not say he tried to "break in."

 

So the takeaway is your Synology can be "found" by strangers through QuickConnect. That implies QuickConnect itself does not confer security, and may help identify connected Synologies. The security of a QuickConnected Synology from "dictionary" attacks, etc., would depend on the robustness of passwords, Synology's response to failed connection attempts, etc.


Thanks a lot for your response!

 

I would like to share my view, and hope others will chime in to create a joint view of the situation...

 

If I understand correctly the risk is that someone may be able to determine there is a Synology NAS listening and try to connect.

As security by obscurity is not really security at all, I think it is fair to assume our QuickConnect ID is publicly known.

 

In my view, compared to me opening a port on a router (which can also easily be detected) this is still a lot better - with QuickConnect there is nothing open, and whenever someone actively tries to connect directly to my public IP address they will not get any response.

 

The only way to connect is to set up a session (port 80) to the Synology domain and request my QuickConnect ID. This means the "hacker" is already seriously limited in the options of breaking in (as he is not initiating the connection).

 

And we can further enhance protection by enabling auto block and account protection (block IP address or account login after a number of unsuccessful login attempts).

 

All in all, I think this is a "safe enough" option to use - as I really like the benefits of my private cloud.

 

Looking forward to hearing what others are thinking, please let me know your thoughts.
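The "auto block" and "account protection" behaviour described in this post, modelled as an added example (not code from the thread or from Synology): failed logins are counted per source IP and per account inside a sliding window, and a key that reaches the threshold is blocked. The log lines and their field layout are constructed for the demo, not real DSM output.

```python
# Added example: minimal model of DSM-style "auto block" (per IP) and
# "account protection" (per account). Log format below is an assumption.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <result> user=<name> ip=<addr>"
SAMPLE_LOG = """\
2019-03-01T10:00:00 FAIL user=admin ip=203.0.113.7
2019-03-01T10:00:05 FAIL user=admin ip=203.0.113.7
2019-03-01T10:00:09 FAIL user=admin ip=203.0.113.7
2019-03-01T10:00:12 FAIL user=admin ip=203.0.113.7
2019-03-01T10:00:15 FAIL user=admin ip=203.0.113.7
2019-03-01T10:01:00 OK   user=joel ip=192.0.2.10
2019-03-01T10:05:00 FAIL user=joel ip=198.51.100.4
2019-03-01T10:20:00 FAIL user=joel ip=198.51.100.4
2019-03-01T10:35:00 FAIL user=joel ip=198.51.100.4
"""

def parse_log(text):
    """Yield (timestamp, result, user, ip) tuples from the constructed format."""
    for line in text.splitlines():
        ts, result, user, ip = line.split()
        yield (datetime.fromisoformat(ts), result,
               user.split("=", 1)[1], ip.split("=", 1)[1])

def auto_block(events, max_attempts=5, window=timedelta(minutes=10)):
    """Return (blocked_ips, blocked_accounts): keys with at least
    max_attempts failures inside a sliding time window."""
    recent = defaultdict(deque)      # key -> timestamps of recent failures
    blocked_ips, blocked_accounts = set(), set()
    for ts, result, user, ip in events:
        if result != "FAIL":
            continue                 # only failed logins count
        for key in (("ip", ip), ("user", user)):
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()          # drop failures older than the window
            if len(q) >= max_attempts:
                (blocked_ips if key[0] == "ip" else blocked_accounts).add(key[1])
    return blocked_ips, blocked_accounts

def blocked_from_sample():
    """Run the policy over the constructed log with the default thresholds."""
    return auto_block(parse_log(SAMPLE_LOG))
```

With the defaults, the burst from 203.0.113.7 blocks both that IP and the admin account, while the three slow failures against joel (15 minutes apart) never accumulate inside the 10-minute window and are not blocked.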

 


Marco van Laerhoven So what we have on our work Synologies is important to protect. Payroll data with Tax ID numbers, employee medical insurance with possible HIPAA implications.

 

This current discussion is the deepest I've looked into the Synology <> Internet connection as we really don't need access away from the workplace. Employees who need to "catch up" by working from home take the files they need with them on either encrypted laptops or encrypted thumb drives.

 

Nothing is absolutely secure, but the linked Synology article about QuickConnect does not build my confidence -

 

 

Our Synologies have no such content, but consider the scorched earth lawsuits of the RIAA and MPAA. Yet there's thousands of Synologies "broadcasting" music and video across the planet? Legal? Maybe, though a grey area I'd much prefer not to be defending in court. And that's content I bought in physical media and still own in physical media. Different case when re-broadcasting captured streams, OTA TV recorded on DVR, that Tor movie download, or ripped content from physical media sold on eBay...

 

https://www.synology.com/en-global/knowledgebase/DSM/help/DSM/AdminCenter/connection_quickconnect


George Fromtulsa

That's clear, you basically don't want outside access to the NAS.

 

Our use cases are different, we need a way to back up and sync files that my colleagues and I create into a central location. We work in different locations and we use the NAS as a private cloud (no Google Drive or Dropbox for us).

 

In your case the Let's Encrypt method won't work as the NAS needs to be able to connect to the internet to get the cert. If you've blocked non-local access that will not be possible.


Marco van Laerhoven And if I were more confident in the security of the NAS if it were online, I'd be doing what you do. Currently we share Mac files with other locations via encrypted DMGs and Linux files in 7-zips, using either Gmail or Google Drive. Not worried so much about anyone hacking "everything" (which they'd get by bursting into our Synologies) on Google Drive, and while the Goog has the processing power to break into our password protected uploads, it would be a big waste of Goog's resources. NSA, if you're listening, don't bother. Just get it from the IRS.


NAILED IT!

 

I was missing a step. I did everything right except one thing: pointing my subdomain to the DDNS entry. Done and done. Works and SSL cert shows green. Booya!

 

Good bye to Quickconnect. Now to change passwords all around (longer, random) and enable TFA for the admin group. Happy camper.


And I found out that I sort of cheated. I entered the CNAME record to refer to my provider, but I did not modify any port forwarding rules in my router. Synology Quickconnect did that for me. Thing is that when I disable Quickconnect, the port forwarding rules go away.

 

I also found out that the Linux Drive client doesn't like me entering the address that I set up for my NAS. So I went ahead and disabled all Quickconnect services but Drive. For all intents and purposes, the only way you can get to my NAS through Quickconnect is through Drive.

 

Found a relatively nice solution for it. I think it's a win.


Quickconnect essentially does a third party connection to synology. So...

 

SynologyNAS <> QuickConnect Server <> Your Connection

 

If you use DDNS, you initiate a direct connection, just using a dynamic DNS to direct your connection to the correct IP, but it is still a direct connection.


Joel Pomales I am pretty sure (without even looking under the hood) that QuickConnect will establish an SSL connection, using Synology servers.

 

"Back in the day" Apple's MobileMe provided optional {paid} secured / encrypted connections through iChat, and that enabled sorta' peer-to-peer encrypted chat, audio, video, file transfer, and remote desktop control. iChat connections passed through Apple servers, which functioned as a "switchboard." I suppose there was a theoretic danger Apple could have done a man-in-the-middle -

 

My issue with QC is the guy who reported he could "find" other Synologies that weren't his. Meaning he was a password attack away from gaining access.


Joel Pomales Like many things I only see from the "user" level, I have learned this "stuff" is complicated.

 

I'm planning to dive deeper into the Synology setup for the 'net - when the real work I have in the queue gets done, if ever I get it done -

developers.google.com - Preventing Mixed Content | Web Fundamentals | Google Developers
