How to Secure your Synology NAS (Best Practices)

Video Statistics and Information

Captions
Securing a Synology NAS is an interesting topic, because the reality is you can really only follow a set of best practices which may or may not help you secure your Synology NAS. What we're going to do is break this down into two sections. The first is going to be a set of settings that you can configure that will help you ensure you're following some of the best practices, and the second step is going to be some data integrity protection. Now, the goal of this is to ensure that the settings that we configure help you ensure you're never going to have to use any of this data integrity protection that we're going to configure, but the data integrity protection is there in the event that any of these settings are incorrectly configured and you ever have to roll back. Now obviously, as time goes on, there are going to be situations where you have to restore individual files, etc., but your goal is really to protect yourself from things like ransomware attacks, and if you configure this, the goal is to help you ensure that if that was ever to occur, you will have a full rollback plan that you can use to restore your data.

So we are going to jump right into it. The first thing that you have to do (a lot of this, just so we're clear, is going to be pretty basic stuff; we're going to kind of go through this quick) is ensure that this admin account is deactivated. If it's not deactivated, you will get a bunch of popups as soon as you sign into your Synology NAS that basically say that the admin account is enabled, and it'll suggest that you disable it. So for most people it will be deactivated, but if it's not, edit it and deactivate the account. Obviously you want to ensure that you have a user account that is part of the administrators group, so you'll have to go through and create a user that has admin permission if you do not have that set up. But your goal is to ensure that the admin account is disabled, because in a worst-case scenario, the first user account that everybody's going to try and sign in with is admin.

Now, the second thing we are going to look at is in the Security tab: you're going to ensure that this protection for auto block is enabled. This will just ensure that if X amount of login attempts occur within X amount of minutes and they're incorrect, that IP address will be blocked. It can be an internal IP address or it can be an external IP address, which we'll get to in a second here, but by default you'll have users that fail this test go into this block list here, and any IP addresses will be here. So if you indirectly have a user on your local network that forgets their password and locks themselves out, you could always go back and remove them. You can also enable a block expiration, which will ensure that after X amount of days IP addresses inside of the block list will be automatically removed. I'd probably recommend that you don't have this configured, but the point is you can if you want.

The next thing we're going to take a look at is SSH. So SSH is used for a lot of different things; for a lot of Docker containers you have to go in and create a macvlan network interface, so that could have been done in the past or you might do it in the future. But the point here is that SSH is a very powerful feature that can be exploited if a different device on your network is ever compromised, so your goal here is really to turn SSH on and off when you are and are not using it. Now, I've read in the past where people say that disabling this is not a good idea, because if you ever need to, you can access your device through SSH, and if you disable it you can't access it. This is just my opinion on that, but my opinion on that is really, if you're in a scenario like that, there are various other things you could do to get access back. So let's say you have networking issues: you can reset the network configuration. Let's say you have account issues and you can't log in: you can actually reset the admin account back to the default value if you have access to the physical device. So you're able to access it. If you have SSH enabled and you have a device on your local network that gets compromised, and they have, you know, shell access and they're able to actually go through and attempt to SSH into other devices, and their goal is to access other devices through that compromised device, enabling SSH here and leaving it enabled will allow them to do that, while leaving it disabled will not. So the choice is yours, but I would recommend disabling it.

The next thing is a quick one; we're just going to look at update settings. So you want to go in and you want to ensure that, from an update settings perspective, this "automatically install important updates" is enabled. Now, you can install the latest update; I'd probably recommend that you don't do that, but the critical security updates should be installed automatically. This setting I would recommend that you turn on.

Finally, we're going to quickly talk about Synology's firewall. Now, I have the firewall on this test device configured, and I am doing a test at this point which will be a later video, hopefully. The thing with Synology's firewall is that there are two sides of this. The first side is that if you're not exposing your NAS externally, you don't have to use Synology's firewall, and when I say externally I mean through port forwarding. You don't have to use Synology's firewall because no one will have a direct path to it. If you are using that, you really have to use Synology's firewall. I use Synology's firewall (this is my test NAS, so it's not configured here); I use Synology's firewall because it allows me to keep myself in check. So what I mean by that is, if I go through and let's say I enable SSH, I want to ensure that I go in and I create a firewall rule for SSH so that I can access it, but I want to ensure that if I accidentally enable SSH for whatever reason, the firewall is going to block it until I go in and explicitly allow it. So that's mainly what I use Synology's firewall for. Now, there could be some downsides to it, meaning that you're going to have another layer that you have to check if you're running into issues. So there have been various times where I've configured things like Docker containers and they don't work, and the reason is because Synology's firewall has blocked it. So if you enable Synology's firewall, you really have to go through and ensure that you create allow rules for all of your services, and until you do, they're not going to work. But I do have a video on Synology's firewall, and I'm proud of how that video came out, so I'm really not going to go through it here, but I'm going to give you a very quick overview of how it works, with a link in the description to that full video if you want to enable Synology's firewall.

So with Synology's firewall you basically have a few options here. By default, "all interfaces" is selected; I would probably recommend you do that. If you pick a specific interface, you can change rules for that specific interface, but just know that you have to do it for every interface. When you do the "all interfaces" tab, what you're doing is applying rules for all of your interfaces. So rules are configured from top to bottom; what I mean by that is, when they are run through, they'll be run through in the order of top to bottom. So in this case we are allowing ports 6281 and 6251 to the source IP address 192.168.254.20. So your very last rule should really be a deny-all rule. This was from my testing, but what I'll do here is I'll go through and then I will just create a deny-all rule. So what this ensures is that when a service is attempted to be accessed, it's going to come in here, it's going to check, and if it does not match this criteria then it will deny the rule. But this would not be a good idea for us to enable right now, because we're not allowing access to our management interface, DSM. So the very first service you have to allow is DSM. You must enable DSM and it must be above your deny-all rule, or you will lock yourself out. Now, you can reset the network configuration on your NAS if you have access to the physical device, so, you know, it's not like this is going to permanently lock you out, but you don't want to get into that if you don't have to.

So your goal at this point is to really go through, if you want to use this, and pick specific services that you're using. So for example, that 6281 rule, that was Hyper Backup Vault; I could go in and I could pick the specific service, or you can define the port manually, which I'll get to in a second. But one of the common ports that most people would use is this Windows file server; this would be for SMB. So I believe the SMB ports are 139 and 445. So until you actually create a rule for this, if you configured Synology's firewall, until you create the rule and you add it above the deny-all rule, you will not be able to access your data through SMB. So when you configure Synology's firewall, you have to go through and configure these firewall rules based on whatever services you're using. I can't tell you what services you're using, but if you're using a reverse proxy server you have to allow 80 and 443; if you're using SMB you have to allow the 139 and 445 rules; if you're using any Docker containers, they're all going to be using different ports, and you have to allow those as well. The way that you would allow those unique ports is just to define this custom section here and then go in and type in your custom port. You can also put a comma there and you can define multiple ports, or you can do a port range. So what this would ensure is that every port from 8080 to 8085 would be allowed; now that's 8081, 82, 83, 84 and 85. Finally, this other section is just if you want to explicitly allow or deny traffic from a single host, so this would be an individual IP address, or an entire subnet, which you can do as well, which would give access to the entire subnet. Finally, if you are exposing this externally, you can actually limit it by location. So if for whatever reason you are port forwarding the DSM port (which I would not recommend that you do), but if you are, or you're using a reverse proxy, whatever it is, you can actually go in and pick your country, and this would ensure that if you create an allow rule for that port, this would ensure that only that specific country can actually access it.

Your goal with Synology's firewall is to limit the pool as much as you humanly can. So if you are really looking for internal access only, you can allow it for your entire internal subnet. If you're doing it for external access, you can allow it for your country, for example; a better scenario would be individual IP addresses, but a lot of times that's not possible because of dynamic external IP addresses and stuff like that. But the point here is that with Synology's firewall you want to try and limit access as much as you can. Do I recommend that you use this? I would recommend it from the perspective that you are keeping yourself in check; that's why I use it. Will you see a ton of value from it if you're not externally exposing your NAS? No, probably not. But regardless, if security is on your mind, configuring Synology's firewall is an important step that you can take.

And finally, the most important setting would be actually configuring two-factor authentication. So I have two-factor authentication enabled on this account. This will ensure that if anyone gets access to your password, they would still need that second factor to actually access it. If you want to ensure that everybody on your NAS uses two-factor authentication, you can do that in the Security section and then in the Account section, and you can enforce two-factor authentication. You will have to configure the email notification service, but the point is that you can do that, and then you can force either all of your users or only administrators to use two-factor authentication, and then you won't be able to sign in with an account unless it actually is utilizing that.

Now, there are other settings as well. For example, I know that AFP has had problems in the past; there were some security risks, I want to say it was 2021 or 2022, with AFP and Synology devices, so you want to disable that. There are SMB settings you can use which would, you know, ensure that you're utilizing more secure SMB transfer protocols than less secure ones. But from a settings perspective, I would say that if you really configure the ones we just looked at, that will get you to a point where you're somewhat comfortable that your NAS is configured properly.

Finally, we're going to switch over to port forwarding. So port forwarding is an interesting one, because you want to ensure, from a security perspective, that no ports are forwarded to your NAS if you don't explicitly want them to be. UPnP can be configured to port forward on your behalf. So what you would do is come into this section and use this "setup router" section, and if you actually click Start, what it will do is it'll attempt to access the gateway, which would be your router, and see if it can configure UPnP. If it can, at that point you can actually port forward ports on your NAS to your router automatically. So generally you don't want to do this. I'm running through this process, but you don't want to do this; this is a test network, so I don't care. But you explicitly want to port forward if you actually want to port forward, just so you know, one, how it's done, and two, how to remove it if you really wanted to. If you have anything in this list, personally I'd recommend you remove it, log into your router and do the port forwarding there. That will ensure that you know what it is and know why you're doing it. Not having anything in this list doesn't mean that anything is not port forwarded, so if you want to check, you can go into Google and you can use any of these port checkers. I'm not going to say which one you should or shouldn't use, but it'll specify your external IP address there, and then you can test different ports. Generally I'd not recommend you do it that way, just because I think you should log into your router and get an understanding of how it works, but if you want the quick and easy way of doing it, use a port checker to check to see if any of these DSM ports are open. Check for, you know, 5001; if it's open, you have a problem. Check for 5000 as well; those are the two most common ones. If you've changed it (I have 6251 here), if you changed it, check that; make sure it's not open. If it's open, you have to go and find out why. So doing that will ensure that you are only opening ports that you mean to open; that's the idea behind it.

So at this point we looked at a lot of the settings. Now, your goal with these settings is to ensure that you never get to the point where you have to actually restore from a backup or use snapshots, etc., but you have to configure snapshots and a backup in order to protect yourself if your NAS ever gets compromised. Now, the settings we just went over do not guarantee that you're never going to have any problems; we just checked a few best practices. What you want to do is have a rollback plan. So I'm going to mention this; this is not fully related to it: get a UPS. I've said it a thousand times in multiple videos. This will ensure that your NAS powers down in the event of a power outage; this will protect you against yourself. I'll leave a few links in the description; I have an article on why this is important, and I will leave that in the description as well. I don't want to spend a lot of time on this, but you need to ensure that you have one of these.

Now that that's out of the way, we're going to take a look at snapshots and backups. So snapshots are your first line of defense. What I mean by that is, in the event that some of your data is lost, you got hit with a ransomware attack, or if you just need to restore a file you accidentally deleted, I always use snapshots as a first line of defense. The way that you can configure them is by installing the Snapshot Replication tool, selecting Snapshots, and then in each of these folders that you have here, going through and enabling a snapshot schedule. So I would recommend that you set it up to run daily, and then I would recommend a retention policy. Retention policies are tough, because you can either set it for a set number of days; so because we set the schedule as daily and we are setting this as 30, this would ensure we can roll back 30 days. If you want to do an advanced retention policy you can, and this will ensure that you can specify how many snapshots you want to keep based on hours, days, weeks, months and years.

So the only other thing to mention here is this: immutable snapshots. Immutable snapshots are extremely, extremely powerful. Not all NAS devices support this, so you would have to have a newer one. I want to say, like, the 920+; I think the 920+ supports it, but, like, the DS1019+ doesn't. So if you have a newer NAS, you will most likely have this option; if you have an older NAS, you probably won't. But immutable snapshots cannot be removed. Cannot be removed, hear that out; that's an important thing, because there are times in the past where I have gone in and deleted snapshots, and it's been for just really reclaiming space purposes. If you have immutable snapshots configured, you cannot delete any of this data. So where would I use immutable snapshots? I would use it on things like your documents. If you have a shared folder that contains all of your documents, I would go in and I would enable immutable snapshots, because that would ensure that, for, we'll say in this case, 7 days, the snapshot cannot for any reason be removed by you or anybody else. So if you're hit with a ransomware attack, and let's say a user had access to your snapshots and they knew what they're doing, they pull up your snapshot list and then they go in and they remove all these older snapshots; let's say you have an immutable snapshot here, well, they can't remove it. That's the protection. But let's say I had 5 terabytes of data in this folder and I deleted all of it. Remember that snapshots will hold on to that data, so in that case we have another 6 days and 21 hours where we will not be able to remove any of those snapshots. So immutable snapshots are awesome, especially from a data integrity and protection perspective, but you could get yourself in trouble with it. So you really have to sit down and think about your data, think about how often it changes, think about how large the files that you're adding and removing from it are, and then determine if you really want to use immutable snapshots. They are awesome, but they're not awesome for every single shared folder you have. So I can't tell you if you should or shouldn't use it, but that's how it works.

As soon as you have that configured, at that point you have snapshots. So if you're hit with a ransomware attack and you wanted to, you know, let's say everything in this media folder (I don't even know what's in it), but let's say everything here was removed; at that point you would be able to go in and you'd be able to select the recovery, and you can recover that shared folder, and then at that point you can restore from it and decide if you want to take a snapshot before restoring. But at that point, what you would do is you would see that your data is back. So that's how snapshots work. If you only lost certain data, what you can do is you can actually go into the snapshot folder itself, and ensure that this "make snapshot visible" option is enabled, and then from there you can go into this snapshot folder and you can actually browse the folders themselves. So if you have an individual file you're looking for, you can simply do that and restore it; you don't have to restore it on a bulk folder level. That's the power of snapshots. But snapshots are only valid if your storage pool is active and, for whatever reason, the snapshots are still available; or, for whatever reason, if they are not available, you would have to restore from a backup.

Now, backups are interesting, because I would recommend that you always try to restore from your snapshot if possible. If you cannot restore from your snapshot, you then have to go to your next step, which is backups. So you have to, one, configure backups, and you have to know how to restore from them. The best way to do that, in my opinion, is through Hyper Backup. Now, there are various ways to configure Hyper Backup, and with Hyper Backup you can come up with your own backup strategy. So what I'm going to talk through right now is the data that you have that is the most important data to you. So this "entire system" option is new; great, great option, because it uses block-level backups. The downside is you can only use Synology C2 and a remote Synology NAS device. So from a cost perspective, if you want to back up your entire NAS and do not want to pay cloud storage fees (because they're going to be expensive), the cheapest option for most people is going to be to buy a second Synology NAS, assuming that you can get it somewhere off site. If you can get it somewhere off site and basically have a clone of your exact device, you will ensure that you will have a full backup of that NAS somewhere off site, and it will be cost-effective; not right away, but over time it will be cost-effective. Because using Synology C2, if you have, let's say, 10 terabytes of data, it's going to be about, I want to say, $70 a month. So over time that's going to add up. If you think about this in terms of years, you're paying, what's that, $840 a year for 10 terabytes of storage, assuming it never ever ever goes over 10 terabytes of storage. So in 5 years you're at over $4,000 that you spent, whereas with a remote NAS, you get, you know, let's say you spend $800 or $1,000; you just saved yourself, you know, three grand. So that assumes that you have a separate location that you are willing to set up a NAS, able to set up a NAS, and willing to monitor it for, you know, things like hard drive failure and security updates and stuff like that.

For most people, you're going to use this "folders and packages" option. This is going to be because you are only going to back up your most important data. So I have a tutorial on how to use Backblaze, which is utilized through using this S3 storage, and it's a few additional steps. Synology C2 is easier to configure, definitely, because all you're doing is configuring your Synology C2 user account, and then at that point you're just setting up an actual backup. And Synology C2 is actually better from a viewing perspective, because it has a Hyper Backup Explorer built right into it. I will at some point do a Synology C2 review, but Synology C2, if simplicity is what you want, it's simpler than Backblaze; it's more expensive, because it's stepped pricing. So if you use 1.01 terabytes of data, you are paying for 2 terabytes of data, whereas with Backblaze you're paying, I want to say, it's $6 a terabyte at this point. So you're paying $6 and, you know, a few cents in that scenario with Backblaze; you're spending, I want to say, it's $14 a month with C2. You are free to choose whatever option you want; there are other options as well. These are not the only options you're able to use; the point is you're backing up your data that is the most important to you. So keep in mind you can use this local shared folder/USB. I wouldn't use a local shared folder, but if you wanted to use a USB you could, and at that point, if you want to back up your important data to an external hard drive, you can do that. But the most important data on your NAS, which you would be devastated if you lost, you could back that up to Backblaze, and then, let's say it's, I don't know, 500 gigabytes; you're going to be spending $3 a month to back up that data. You'll ensure it's in a cloud location that is separate from your Synology NAS, and if for whatever reason you ever had to restore that data, you would ensure that you're able to restore it. They also have a bunch of cool features in terms of versioning, and if you have a ton of data and you had to restore 5 terabytes, for example, it would take you forever, but you could pay X amount of dollars to have that data actually sent to you on a hard drive. We're getting a little out of scope here, but the point is that Backblaze gives you a lot of flexibility, and you are able to ensure that your data is backed up in a cloud server location and you can restore it if you ever have to. Now, I'm not recommending that you use Backblaze for any reason other than that's what I personally use. I don't have any affiliate links; I'm telling you that because that's what I use.

But the point is that if you go in and you (I'm just going to show you this as an example) start to set up Backblaze, which I'll leave a link in the description for, you can select your important data. So let's say in this media folder, you know, only my movies are important to me, which is probably not a good example, but that's just what I'm going to use here. Let's say my movies are the only thing important to me; I'm not going to go in and back up that entire media folder, I'm just going to back up my movies, which then will ensure that they get backed up to Backblaze or whatever cloud server you're using. Now, from a Hyper Backup perspective, you are able to go back and actually view your prior backups. So this ensures that you can go through, and let's say you lost a file today, or you were hit with ransomware 3 days ago and you need to restore; you can go back a week and you can restore that data. You can either restore individual files using the Hyper Backup Explorer option here, or you can restore an entire folder by connecting to that location, which will also keep your system configuration, which we're not going to look at today, but you can go in and then you can restore this data. These little warnings are here just to inform you that these folders exist on your NAS already, so if you restore the data it's going to overwrite whatever exists there. But the point is you can restore the data that you have from wherever it's backed up to.

So like I said, snapshots: first line of defense; backups: second line of defense. If you follow everything here, what you're ensuring is that you're following some of the best practices from a settings perspective, but from a data integrity perspective, if anything was to happen, you will have snapshots and backups configured that you will hopefully be able to restore your data from, one of those options. For Hyper Backup, I also have a tutorial for that that I'll leave in the description, in case you want to configure other Hyper Backup options. But the point is, with security you unfortunately cannot guarantee that you're never going to run into problems; you're trying to get ahead of those problems and figure out a way to get your data back if anything was to happen to it. And data, you know, integrity and security does not only, you know, help in events of ransomware and stuff like that; it helps from a perspective of hard drive failure. Let's say, you know, you're using RAID 5, you have four hard drives, you're using RAID 5, you get unlucky and two of the hard drives fail and your whole storage pool is toast. You are able to use the backups that you have to restore that data. If you don't have any backups, that data is gone; can't use the snapshots because the storage pool's gone, but you have the backups. So when you configure stuff like this, you're configuring it following best practices, which do not guarantee you'll never run into problems, but help in the event that you do, so that you can try and get your data back. So I am hopeful that this video helped you guys out. If it did, please consider giving it a thumbs up; if you like this type of content, please consider subscribing to the channel. Thanks, guys.
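The firewall section above describes rules evaluated top to bottom, a deny-all rule last, and DSM allowed above it so you do not lock yourself out. The following added example (not Synology's code and not from the video) models that evaluation order and checks a rule list for the lockout mistake; the ruleset, the LAN subnet 192.168.254.0/24, the DSM ports 5000/5001 and the default action when nothing matches are constructed assumptions, and interface and country matching are left out.

```python
"""Model of top-to-bottom firewall rule evaluation as the video describes it.

Constructed example, not Synology's code: a rule matches on (source network,
destination port) only; interface and country restrictions are not modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def parse_ports(spec: Optional[str]) -> Optional[frozenset]:
    """'139,445' or '8080-8085' (comma-separated, ranges allowed) -> set of ports.
    None means the rule applies to all ports."""
    if spec is None:
        return None
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(part))
    return frozenset(ports)


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    ports: Optional[frozenset]      # None = any port
    source: ipaddress.IPv4Network   # single host as /32, or a whole subnet
    note: str = ""

    def matches(self, src_ip: str, port: int) -> bool:
        in_source = ipaddress.ip_address(src_ip) in self.source
        in_ports = self.ports is None or port in self.ports
        return in_source and in_ports


def rule(action, ports=None, source="0.0.0.0/0", note=""):
    return Rule(action, parse_ports(ports), ipaddress.ip_network(source), note)


def evaluate(rules, src_ip, port, default="allow"):
    """Walk the rules top to bottom; the first matching rule decides."""
    for r in rules:
        if r.matches(src_ip, port):
            return r.action
    return default   # assumption: with no matching rule the default action applies


def lockout_problems(rules, admin_ip, dsm_ports="5000,5001"):
    """Findings that would lock the admin out of DSM or leave the NAS wide open."""
    problems = []
    for port in sorted(parse_ports(dsm_ports)):
        if evaluate(rules, admin_ip, port) != "allow":
            problems.append(f"DSM port {port} denied for {admin_ip}: lockout")
    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and last.ports is None
            and last.source.prefixlen == 0):
        problems.append("last rule is not a deny-all")
    return problems


# Constructed ruleset in the order the video recommends: DSM first, deny-all last.
LAN = "192.168.254.0/24"
GOOD = [
    rule("allow", "5000,5001", LAN, "DSM management"),
    rule("allow", "139,445", LAN, "Windows file server (SMB)"),
    rule("allow", "6281", "192.168.254.20/32", "Hyper Backup Vault from one host"),
    rule("allow", "8080-8085", LAN, "Docker containers"),
    rule("deny", None, "0.0.0.0/0", "deny all"),
]
# The same rules with deny-all moved above DSM: the mistake the video warns about.
BAD = [GOOD[-1]] + GOOD[:-1]

if __name__ == "__main__":
    for ip, port in [("192.168.254.20", 445), ("192.168.254.20", 22), ("10.0.0.5", 5001)]:
        print(ip, port, evaluate(GOOD, ip, port))
    print("GOOD:", lockout_problems(GOOD, "192.168.254.20"))
    print("BAD: ", lockout_problems(BAD, "192.168.254.20"))
```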
Info
Channel: WunderTech
Views: 15,499
Keywords: how to secure a synology nas, secure synology nas, how to secure synology nas, synology nas security
Id: B826kB0p8T0
Length: 29min 55sec (1795 seconds)
Published: Mon Jan 01 2024