Securing Internet login to NAS newb help please?

Postby AllenG » Tue Jun 26, 2012 11:18 am

Hi.

I am wanting to secure my DS412+ (DSM 4) as much as possible on the internet but keep things simple on the LAN at home.

I have my NAS behind a Linksys ADSL router with ports 5000 & 5001 port forwarded to the NAS. I have tested logging on from my PC web browser using my DynDNS domain name and can log on with any of the three users on my NAS. I haven't tried it from the internet yet as I don't want to leave port forwarding on and my NAS exposed to the internet until I'm sure it's as secure as I can make it.

I have enabled HTTPS and set up autoblock in the NAS.

I have three users, but only want one to be able to log on via the internet and only use File Station.
Is it possible to configure users as local users only so that only one user is allowed to log on via the internet and the others are blocked? I.e. I want one external user with a strong password and the local users with simple passwords.

Also, because my NAS is on my local network with NAT being done by my router, is it possible to set up the NAS firewall to allow any IP address on my LAN and only selected IP addresses from the internet, or does every IP address appear as local because of the NATting?
I.e. can I allow any address on my LAN (192.168.1.1 - 192.168.1.254) and the static IP addresses at my work?
How do I specify a subnet? IP 192.168.1.0? Subnet mask 255.255.255.0
I have looked through the wiki and forums but there isn't much detail on setting the firewall subnet settings behind a router with NAT.

I don't want to enable the firewall with a subnet until I know what to put there in case I lock myself out.

Any advice would be appreciated.
Regards Allen.

Re: Securing Internet login to NAS newb help please?

Postby bigboboz » Tue Jun 26, 2012 12:31 pm

I asked something similar, http://forum.synology.com/enu/viewtopic.php?p=203069#p203069

So it wasn't just me that found that there seems to be zero info on security?

The forum's search facility isn't brilliant either...might be in here somewhere.

Re: Securing Internet login to NAS newb help please?

Postby AllenG » Tue Jun 26, 2012 7:52 pm

Hi bigboboz

I posted a few questions and this is the first response I have got from anyone. The forums don't appear to be very active?

I might try logging a support request and asking directly. Did you log a request with Synology?

Regards Allen.

Re: Securing Internet login to NAS newb help please?

Postby bigboboz » Sat Jun 30, 2012 12:26 pm

AllenG wrote: I might try logging a support request and asking directly. Did you log a request with Synology?

Regards Allen.


I haven't yet, still mucking around with the NAS but will at some stage, especially if I don't stumble over something that helps.

Rob

Re: Securing Internet login to NAS newb help please?

Postby AllenG » Sat Jun 30, 2012 11:05 pm

I've had a bit of a play and think I've figured out most of what I was trying to achieve.

I put complex passwords on all accounts and disabled the default admin account.
I enabled autoblock.
Under WEB services I enabled HTTPS.
Under DSM Settings/HTTP Service I enabled HTTPS connection and automatic redirection to HTTPS.
Under WEBDAV I enabled WEBDAV HTTPS Connection so I can use DSfile on my Android.
In my router I forwarded ports 5001 (HTTPS) and 5006 (WEBDAV). Only forward ports for the NAS apps that you access from the internet.

In the DS412+ firewall rules I set up

For my LAN,

Ports: All, IP range: 192.168.1.0, Subnet: 255.255.255.0

For the internet I only wanted the three fixed IPs for my work to be able to see my NAS.
For each IP I set up

Ports: (Select the apps you want to allow) I selected DSM HTTPS (port 5001) and WEBDAV (port 5006), Single IP: (external IP address you want to allow)

Don't forget to change the "If no rules are matched" setting to "Deny access".

When trying to log in from an allowed IP address on the internet use
https://yourdomain.com:5001 where yourdomain.com is your domain name or static IP address

I tried from my work and was able to log in. I tried from my sister's, who is not on my firewall rules, and got a Page not found.

Hope this helps.
Regards Allen.

Re: Securing Internet login to NAS newb help please?

Postby bigboboz » Mon Jul 02, 2012 12:32 pm

Thanks for your update. I've done most of those things except for the IP filter for fixed external addresses; I doubt I'll only need to access from a few IP addresses.

Would prefer to limit which accounts can get external access or not. Don't suppose you found that option?

Thanks,
Rob

Re: Securing Internet login to NAS newb help please?

Postby CoolRaoul » Mon Jul 02, 2012 3:02 pm

AllenG wrote: I have my NAS behind a Linksys ADSL router with ports 5000 & 5001 port forwarded to the NAS.

I have three users, but only want one to be able to logon via the internet and only use filestation.


Since you want to only use File Station for remote access, why did you forward ports 5000 and 5001, giving remote access to the DSM admin interface?

You'd better start by assigning ports to File Station via "control panel->application portal" (one port for https and maybe another for http) and configure your router to forward only those ports (or only the https one, to prevent remote users from being able to connect over an unencrypted connection).

AllenG wrote: Also, because my NAS is on my local network with NAT being done by my router is it possible to setup the NAS firewall to allow any IP address on my lan and only selected IP addresses from the internet or does every IP address appear as local because of the NATting?


For incoming packets, NAT only changes the *destination address*: you're still able to use the firewall to filter on the remote source address.
CR
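The firewall rule set AllenG describes and the NAT behaviour CoolRaoul explains, modelled as an added example (not code from any poster or from Synology) so the rules can be checked for a lockout before default deny is switched on. The NAS address, the public address and the 203.0.113.x "work" IPs are constructed placeholders, and top-to-bottom first-match evaluation is an assumption about how the rules are applied.

```python
import ipaddress

NAS_IP = "192.168.1.50"          # assumed LAN address of the NAS
WORK_IPS = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]  # constructed

# (ports, source "address/netmask", action), evaluated top to bottom.
RULES = [("all", "192.168.1.0/255.255.255.0", "allow")] + [
    ({5001, 5006}, ip + "/255.255.255.255", "allow") for ip in WORK_IPS
]
DEFAULT_ACTION = "deny"          # "If no rules are matched: Deny access"


def port_forward(packet, forwards=(5001, 5006)):
    """Router DNAT: rewrite only the destination; the source is preserved."""
    if packet["dport"] not in forwards:
        return None              # not forwarded, never reaches the NAS
    return {**packet, "dst": NAS_IP}


def decide(src, dport, rules=RULES, default=DEFAULT_ACTION):
    """Return the action of the first rule matching source and port."""
    addr = ipaddress.ip_address(src)
    for ports, source, action in rules:
        # strict=True rejects a host address entered as a subnet,
        # e.g. 192.168.1.5/255.255.255.0 raises ValueError
        net = ipaddress.ip_network(source, strict=True)
        if addr in net and (ports == "all" or dport in ports):
            return action
    return default


def from_internet(src, dport, public_ip="198.51.100.7"):
    """Verdict for a connection arriving at the router's public address."""
    pkt = port_forward({"src": src, "dst": public_ip, "dport": dport})
    if pkt is None:
        return "dropped at router"
    return decide(pkt["src"], pkt["dport"])


def locked_out(lan_hosts, dport=5001):
    """LAN hosts that would lose DSM access once default deny is enabled."""
    return [h for h in lan_hosts if decide(h, dport) != "allow"]


if __name__ == "__main__":
    for src, port in [("203.0.113.10", 5001), ("198.51.100.99", 5001),
                      ("203.0.113.10", 5000)]:
        print(src, port, from_internet(src, port))
    print("locked out:", locked_out(["192.168.1.20", "192.168.1.254"]))
```

Running `locked_out` with the LAN hosts you administer from, before changing the no-match action to deny, shows whether the subnet entry actually covers them.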

Re: Securing Internet login to NAS newb help please?

Postby AllenG » Tue Jul 03, 2012 7:03 am

CoolRaoul wrote: Since you want to only use filestation for remote access, why did you forward ports 5000 and 5001, giving remote access to DSM admin interface?

Hi.
In my last post I updated what I have done. I have opened ports 5001 for HTTPS and 5006 for WEBDAV for DSfile on my Android. Port 5000 or 5001 is needed for File Station.

CoolRaoul wrote: For incoming packets, NAT only changes *destination address*: you're still able to use firewall to filter on remote source address

Thanks. I figured this out in the end.

Got things pretty much working as required now.

Regards Allen.

Re: Securing Internet login to NAS newb help please?

Postby CoolRaoul » Tue Jul 03, 2012 11:30 am

AllenG wrote: In my last post I updated what I have done. I have opened ports 5001 for HTTPS and 5006 for WEBDAV for DSfile on my android. Port 5000 or 5001 is needed for File Station.


Port 5001 gives you access to the full DSM administration interface with https (and, indirectly, File Station, Audio Station and some others using "applet" mode).

But standalone File Station doesn't require either port 5000 or 5001: you may choose a pair of dedicated ports (one for http and the other for https) via control panel->application portal->file station
CR

Re: Securing Internet login to NAS newb help please?

Postby sharkydog » Wed Jun 08, 2016 4:32 pm

This is a bit of an old topic, but since I have the same exact problem (restrict my main user from "being used" from outside) I might write what I've done.

CoolRaoul wrote: Port 5001 gives you access to the full DSM administration interface with https (and, indirectly, File Station, Audio Station and some others using "applet" mode).

But standalone File Station doesn't require either port 5000 or 5001: you may choose a pair of dedicated ports (one for http and the other for https) via control panel->application portal->file station

This is true. Do not allow access to DS desktop (don't forward ports to 5000 and 5001), only allow File Station through the router.

And then, in Control panel -> Applications -> Privileges, edit File Station; there you have standard access control features, including by IP/Subnet.
These privileges are set per application, like File Station, rsync, FTP, Cloud Sync and others, meaning you have to set your rules for every app where you want them active.

My rules (in File Station privileges):
On the 'User' tab, find the user to be restricted and click the IP checkbox. A new window opens; on the allow list tab hit 'add ip address' and then the 'subnet' radio, input IP 192.168.1.0, subnet 255.255.255.0, OK, OK.
Back in the File Station privileges main window, go to 'Default privileges' and uncheck 'Grant this privilege to all users by default', OK. All done; now the selected user will be able to access File Station only from 192.168.1.0/255.255.255.0
