Securing Internet login to NAS newb help please?

Postby AllenG » Tue Jun 26, 2012 11:18 am

Hi.

I am wanting to secure my DS412+ (DSM 4) as much as possible on the internet but keep things simple on the LAN at home.

I have my NAS behind a Linksys ADSL router with ports 5000 & 5001 port forwarded to the NAS. I have tested logging on from my PC web browser using my DynDNS domain name and can log on with any of the three users on my NAS. I haven't tried it from the internet yet as I don't want to leave port forwarding on and my NAS exposed to the internet until I'm sure it's as secure as I can make it.

I have enabled HTTPS and set up autoblock in the NAS.

I have three users, but only want one to be able to log on via the internet and only use File Station.
Is it possible to configure users as local users only so that only one user is allowed to log on via the internet and the others are blocked? I.e., I want one external user with a strong password and the local users with simple passwords.

Also, because my NAS is on my local network with NAT being done by my router, is it possible to set up the NAS firewall to allow any IP address on my LAN and only selected IP addresses from the internet, or does every IP address appear as local because of the NATting?
I.e., can I allow any address on my LAN (192.168.1.1 - 192.168.1.254) and the static IP addresses at my work?
How do I specify a subnet? IP 192.168.1.0? Subnet mask 255.255.255.0?
I have looked through the wiki and forums but there isn't much detail on setting the firewall subnet settings behind a router with NAT.

I don't want to enable the firewall with a subnet until I know what to put there in case I lock myself out.

Any advice would be appreciated.
Regards Allen.
AllenG
Trainee
Posts: 11
Joined: Wed Jun 20, 2012 9:57 am

Re: Securing Internet login to NAS newb help please?

Postby bigboboz » Tue Jun 26, 2012 12:31 pm

I asked something similar, http://forum.synology.com/enu/viewtopic.php?p=203069#p203069

So it wasn't just me that found that there seems to be zero info on security?

The forum's search facility isn't brilliant either...might be in here somewhere.
bigboboz
Beginner
Posts: 21
Joined: Sat Nov 27, 2010 1:14 am

Re: Securing Internet login to NAS newb help please?

Postby AllenG » Tue Jun 26, 2012 7:52 pm

Hi bigboboz

I posted a few questions and this is the first response I have got from anyone. The forums don't appear to be very active?

I might try logging a support request and asking directly. Did you log a request with Synology?

Regards Allen.
AllenG
Trainee
Posts: 11
Joined: Wed Jun 20, 2012 9:57 am

Re: Securing Internet login to NAS newb help please?

Postby bigboboz » Sat Jun 30, 2012 12:26 pm

AllenG wrote: I might try logging a support request and asking directly. Did you log a request with Synology?

Regards Allen.


I haven't yet, still mucking around with the NAS but will at some stage, especially if I don't stumble over something that helps.

Rob
bigboboz
Beginner
Posts: 21
Joined: Sat Nov 27, 2010 1:14 am

Re: Securing Internet login to NAS newb help please?

Postby AllenG » Sat Jun 30, 2012 11:05 pm

I've had a bit of a play and think I've figured out most of what I was trying to achieve.

I put complex passwords on all accounts and disabled the default admin account.
I enabled autoblock.
Under Web Services I enabled HTTPS.
Under DSM Settings/HTTP Service I enabled HTTPS connection and automatic redirection to HTTPS.
Under WebDAV I enabled WebDAV HTTPS Connection so I can use DS file on my Android.
In my router I forwarded ports 5001 (HTTPS) and 5006 (WebDAV). Only forward ports for the NAS apps that you access from the internet.

In the DS412+ firewall rules I set up:

For my LAN,

Ports: All, IP range: 192.168.1.0, Subnet: 255.255.255.0

For the internet I only wanted the three fixed IPs for my work to be able to see my NAS.
For each IP I set up:

Ports: (Select the apps you want to allow) I selected DSM HTTPS (port 5001) and WebDAV (port 5006), Single IP: (external IP address you want to allow)

Don't forget to change the "If no rules are matched" setting to "Deny access".

When trying to log in from an allowed IP address on the internet, use
https://yourdomain.com:5001 where yourdomain.com is your domain name or static IP address.

I tried from my work and was able to log in. I tried from my sister's, which is not in my firewall rules, and got a Page not found.

Hope this helps.
Regards Allen.
AllenG
Trainee
Posts: 11
Joined: Wed Jun 20, 2012 9:57 am

Re: Securing Internet login to NAS newb help please?

Postby bigboboz » Mon Jul 02, 2012 12:32 pm

Thanks for your update. I've done most of those things except for the IP filter for fixed external addresses; I doubt I'll only need to access from a few IP addresses.

Would prefer to limit which accounts can get external access or not. Don't suppose you found that option?

Thanks,
Rob
bigboboz
Beginner
Posts: 21
Joined: Sat Nov 27, 2010 1:14 am

Re: Securing Internet login to NAS newb help please?

Postby CoolRaoul » Mon Jul 02, 2012 3:02 pm

AllenG wrote: I have my NAS behind a Linksys ADSL router with ports 5000 & 5001 port forwarded to the NAS.

I have three users, but only want one to be able to log on via the internet and only use File Station.


Since you want to only use File Station for remote access, why did you forward ports 5000 and 5001, giving remote access to the DSM admin interface?

You'd better start by assigning ports to File Station via "control panel->application portal" (one port for https and maybe another for http) and configure your router to forward only those ports (or only the https one, to prevent remote users from being able to connect over an unencrypted connection).

AllenG wrote: Also, because my NAS is on my local network with NAT being done by my router, is it possible to set up the NAS firewall to allow any IP address on my LAN and only selected IP addresses from the internet, or does every IP address appear as local because of the NATting?


For incoming packets, NAT only changes the *destination address*: you're still able to use the firewall to filter on the remote source address.
CR
CoolRaoul
Knowledgeable
Posts: 315
Joined: Tue May 18, 2010 7:08 pm
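
Added example (not part of any post in this thread, and not Synology code): a small Python model of the firewall rule set AllenG describes and of CoolRaoul's point that port forwarding rewrites only the destination address, usable as a lockout check before switching the default to "Deny access". The work IPs, WAN address and NAS address are constructed placeholders, and first-match rule ordering is an assumption of the model.

```python
import ipaddress

# Model of the rule set from the thread. Assumptions: first matching rule wins;
# WORK_IPS, WAN_IP and NAS_IP are constructed placeholder addresses.
LAN = ipaddress.ip_network("192.168.1.0/255.255.255.0")  # IP + subnet mask
WORK_IPS = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]
WAN_IP, NAS_IP = "198.51.100.7", "192.168.1.50"
FORWARDED = {5001, 5006}  # DSM HTTPS and WebDAV HTTPS, the ports forwarded in the post

RULES = [{"src": LAN, "ports": None, "action": "allow"}]  # None = all ports
RULES += [{"src": ipaddress.ip_network(ip), "ports": FORWARDED, "action": "allow"}
          for ip in WORK_IPS]
DEFAULT_ACTION = "deny"  # "If no rules are matched: Deny access"

def router_dnat(packet):
    """Port forward on the router: only the destination is rewritten."""
    if packet["dst"] != WAN_IP or packet["dport"] not in FORWARDED:
        return None  # not forwarded, never reaches the NAS
    return {**packet, "dst": NAS_IP}  # source address left untouched

def nas_firewall(packet):
    """Evaluate the NAS rules top to bottom, then fall back to the default."""
    src = ipaddress.ip_address(packet["src"])
    for rule in RULES:
        if src in rule["src"] and (rule["ports"] is None or packet["dport"] in rule["ports"]):
            return rule["action"]
    return DEFAULT_ACTION

def verdict(src, dport):
    """LAN clients reach the NAS directly; internet clients go through the router."""
    if ipaddress.ip_address(src) in LAN:
        return nas_firewall({"src": src, "dst": NAS_IP, "dport": dport})
    packet = router_dnat({"src": src, "dst": WAN_IP, "dport": dport})
    return "dropped at router" if packet is None else nas_firewall(packet)

def lockout_check(admin_ips, dport=5001):
    """Addresses that would lose access once the default is Deny; run before enabling."""
    return [ip for ip in admin_ips if verdict(ip, dport) != "allow"]

if __name__ == "__main__":
    for src, port in [("192.168.1.23", 5000), ("203.0.113.10", 5001),
                      ("203.0.113.10", 5000), ("198.51.100.99", 5001)]:
        print(f"{src}:{port} -> {verdict(src, port)}")
    print("would be locked out:", lockout_check(["192.168.1.23", "198.51.100.99"]))
```
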

Re: Securing Internet login to NAS newb help please?

Postby AllenG » Tue Jul 03, 2012 7:03 am

CoolRaoul wrote: Since you want to only use File Station for remote access, why did you forward ports 5000 and 5001, giving remote access to the DSM admin interface?

Hi.
In my last post I updated what I have done. I have opened ports 5001 for HTTPS and 5006 for WebDAV for DS file on my Android. Port 5000 or 5001 is needed for File Station.

CoolRaoul wrote: For incoming packets, NAT only changes the *destination address*: you're still able to use the firewall to filter on the remote source address.

Thanks. I figured this out in the end.

Got things pretty much working as required now.

Regards Allen.
AllenG
Trainee
Posts: 11
Joined: Wed Jun 20, 2012 9:57 am

Re: Securing Internet login to NAS newb help please?

Postby CoolRaoul » Tue Jul 03, 2012 11:30 am

AllenG wrote: In my last post I updated what I have done. I have opened ports 5001 for HTTPS and 5006 for WebDAV for DS file on my Android. Port 5000 or 5001 is needed for File Station.


Port 5001 gives you access to the full DSM administration interface with https (and, indirectly, File Station, Audio Station and some others using "applet" mode).

But standalone File Station requires neither port 5000 nor 5001: you may choose a pair of dedicated ports (one for http and the other for https) via control panel->application portal->file station.
CR
CoolRaoul
Knowledgeable
Posts: 315
Joined: Tue May 18, 2010 7:08 pm

