Securing your Synology NAS, Part 2


Earlier this year I posted instructions on how to install an SSL certificate on your Synology NAS. That was before the Dogecoin malware was found infecting Synology NAS boxes early this summer, and before the “SynoLocker” ransomware that encrypts all the data on your NAS and forces you to pay $350 to decrypt it. Below I’m going to list several ways to help protect your NAS; I’ll be using my Synology DS412+ for the demo.

Securing and Protecting your Synology NAS

1. Keep your Synology Up-to-date

First and foremost, keep your Synology updated. So far, in both the Dogecoin malware and SynoLocker ransomware attacks it seems attackers were able to use known exploits in the DSM 4.3-3810 build – a build that’s nearly 9 months old and has seen 6 updates to the DSM 4.3 line alone. That’s NOT counting the newer DSM 5.0 builds and updates.

Update your stuff, man! In DSM 5.0 you can actually have the NAS check for updates and notify you when one is available. Check the box!

Synology auto update

2. Install an SSL Certificate

The best way to prevent an attacker on the outside from reaching your NAS is to not make it available online at all. However, this isn’t always possible. The Synology has a plethora of wonderful features, and many of them become even better (or only possible) with the NAS accessible from the internet. If your Synology NAS is going to be reachable from the internet, you should also install a valid SSL certificate and stop using the default self-signed cert, which can be forged. A $9.00/year SSL cert from NameCheap is all you need.

Be sure to read: Secure your Synology NAS, install a SSL certificate

Synology ssl certificate

3. Configure the Synology Firewall

By default the Synology firewall is set up to allow everyone and their brother access. With your Synology accessible from the internet this is, in nearly every case, a very bad idea. Setting up firewall rules is quick and easy – in DSM 5.0 go to Control Panel > Security and select the Firewall tab.

I have three Synology firewall rules:

  • one rule to block several countries (this is redundant, as you’ll see below)
  • a second rule to permit only certain ports to US IP addresses (all other ports are blocked)
  • a third rule to allow every port to my internal network.

The final setting you should enable is “Deny Access” for “If no rules are matched”, which is what makes my first rule redundant. This option does what it sounds like: if no ALLOW rule above matches the request, the request is blocked.
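To make the ordering and the default-deny point concrete, here is an added first-match simulation of the three-rule layout above (example code, not from the original post). The address ranges, the tiny GeoIP table and the allowed port set are all constructed stand-ins.

```python
# Added example: first-match evaluation of the firewall rules described in the post,
# with "Deny Access" as the result when no rule matches.
from ipaddress import ip_address, ip_network

# Constructed stand-in for a GeoIP lookup (documentation ranges, made-up countries).
GEOIP = {
    ip_network("203.0.113.0/24"): "US",
    ip_network("198.51.100.0/24"): "CN",
}
INTERNAL = ip_network("192.168.1.0/24")   # constructed LAN range
ALLOWED_PORTS = {443, 5001}               # HTTPS and DSM over HTTPS (assumed)
BLOCKED_COUNTRIES = {"CN", "RU"}          # constructed "block several countries" set


def country_of(ip):
    """Return the country code for an address, '??' if the table has no entry."""
    addr = ip_address(ip)
    for net, cc in GEOIP.items():
        if addr in net:
            return cc
    return "??"


# (name, predicate(src_ip, port) -> bool, action), in the order the post lists them.
RULES = [
    ("block countries", lambda ip, port: country_of(ip) in BLOCKED_COUNTRIES, "deny"),
    ("allow DSM ports to US", lambda ip, port: country_of(ip) == "US" and port in ALLOWED_PORTS, "allow"),
    ("allow all from LAN", lambda ip, port: ip_address(ip) in INTERNAL, "allow"),
]


def decide(src_ip, port, rules=RULES, default="deny"):
    """First matching rule wins; `default` applies when nothing matches."""
    for name, match, action in rules:
        if match(src_ip, port):
            return action, name
    return default, "default"


# Constructed sample connections: foreign, US allowed port, US SSH, LAN SSH, unknown country.
SAMPLE = [("198.51.100.7", 5001), ("203.0.113.9", 5001), ("203.0.113.9", 22),
          ("192.168.1.20", 22), ("8.8.8.8", 443)]


def geo_rule_is_redundant(default="deny", samples=SAMPLE):
    """True if dropping the country-block rule changes no decision for the samples."""
    without_geo = RULES[1:]
    return all(decide(ip, p, RULES, default)[0] == decide(ip, p, without_geo, default)[0]
               for ip, p in samples)
```

With the default set to deny the country-block rule changes nothing; flip the default to allow and it becomes the only thing standing between the listed countries and every port.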

synology firewall

NOTE: It’s also a good idea to enable Auto-Block so that after X failed login attempts within X minutes the firewall blocks that IP address. I like to set my auto-block to very few failed attempts within a very long time period.

4. Enable 2-Step Verification

Since we’re on the subject of login attempts, another feature you should enable is 2-step (or 2-factor) authentication. In a nutshell, 2-step authentication requires both “something you know” (like a password) and “something you have” (like your phone). You’ll need to install the Google Authenticator app on your phone (Android / iPhone) first, then log into your Synology NAS and enable 2-step verification within your user options.

synology 2-factor verification

NOTE: 2-Step Verification should not be a reason to use weak passwords. Strong passwords should still be used!
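For readers who want to see what the “something you have” actually is: Google Authenticator produces time-based one-time codes (RFC 6238 TOTP over RFC 4226 HOTP, HMAC-SHA1, 30-second steps, 6 digits). The following is an added example of both the code generation and the server-side check, not code from the post or from Synology; the secret is the RFC 6238 test key, base32-encoded the way authenticator apps expect it.

```python
# Added example: TOTP as used by Google Authenticator, plus a verifier that
# tolerates one step of clock drift in either direction.
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per time step
DIGITS = 6   # Google Authenticator shows 6-digit codes


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int, step: int = STEP) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step); secret is base32 as shown in the app."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    return hotp(base64.b32decode(padded), at // step)


def verify(secret_b32: str, code: str, at=None, window: int = 1) -> bool:
    """Accept the code for the current step or up to `window` adjacent steps.
    hmac.compare_digest keeps the comparison constant-time."""
    at = int(time.time()) if at is None else at
    return any(hmac.compare_digest(totp(secret_b32, at + d * STEP), code)
               for d in range(-window, window + 1))


# Constructed demo secret: RFC 6238 test key "12345678901234567890" in base32.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(DEMO_SECRET, now), "valid:", verify(DEMO_SECRET, totp(DEMO_SECRET, now)))
```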

5. Disable unused services and applications

I’ve seen several people enable SSH and leave it enabled. There shouldn’t be any reason to leave SSH open all the time. If you need to do something via the command line, enable it, do your work, then disable it when finished. I don’t even leave SSH enabled on my ESXi home lab, and those hosts aren’t even reachable from the internet in the first place.

Other apps like Photo Station and so on are great, but if you don’t use them, uninstall them and make sure their ports are no longer open to the internet. Just because you can enable something on your Synology doesn’t mean you should. Think of it this way: fewer open ports and running apps not only make your Synology that much more secure but also free up resources that can be used elsewhere.

This is also a good time to think about changing the default ports (for example, 5001) to something different.

6. Disable unused accounts

I prefer to disable the default admin account and make sure the built-in Guest account is disabled as well. I then create a new account and assign it administrator access, which is used only for administrative tasks, and use regular user accounts for day-to-day tasks and access.

7. Install Antivirus Essentials

Synology Antivirus Essentials

Located in the Synology Package Center is an app called “Antivirus Essentials”, which I’d also recommend installing on your NAS, as you can schedule it to scan files as often as you like. I have mine set up to update virus definitions before each scan and to kick off full scans very late at night when I know I won’t be using the NAS.

I haven’t seen any reports or reviews on how this compares to other anti-virus programs you’d normally install on your desktop, such as BitDefender, AVG, McAfee, etc., and I don’t expect Antivirus Essentials to outdo those programs, but it certainly doesn’t hurt to have yet another layer of protection.

8. UPDATE: Use the built-in Security Advisor

Synology Security Advisor

On November 6, 2014 Synology released DSM 5.1-5004, and this update included a package called Security Advisor, which scans a limited set of settings Synology has chosen to check and gives you suggestions on ways to better secure your NAS.

My suggestion would be to configure the Security Baseline to “CUSTOM” and then check all items and perform a security scan.

Synology security advisor custom

After the scan you’ll then be given suggested changes based on the following categories: Malware, Account, Network, Settings, Update.

Wrapping it up

One final thing I highly recommend is to back up your Synology NAS. That is, if you are using your NAS for more than an ESXi home lab, as many people aren’t overly worried about their home lab VMs being backed up. If you are using it for more than a home lab, or do want those VMs backed up, then I’d suggest taking a look at setting up CrashPlan on your Synology.

CrashPlan is very affordable, encrypts the backups and provides file versioning, which is great if you get hit by SynoLocker, as you’ll be able to wipe the Synology and restore your files from a previous version!

HOW-TO: Install Crashplan on Synology NAS.

Do you have any other suggestions to secure a Synology NAS? If so share them in the comments below!

If you’re looking to get in touch, follow me on Twitter!