II. Tutorial DS: 11 essential security tips for your cloud

What is the security of your own cloud now?


All necessary requirement are now done after my first tutorial:

  • User and Password
    Both are unique and cannot be guessed easily; the password is super strong
    2-Step-Verification with your mobile devise is set up
    Additional users were created for the Internet access
  • WebDav
    Can also be used on a "special" port and is on HTTPS/2
    There is no "anonymous" WebDav user any more.
  • Synology
    Synology's account password is super long and hard to guess or remember :)
    An almost bizarre Quick-ID was created .


Well, the security is quite good now if you have followed all requirements on my first tutorial to this series. Using so many passwords it really makes sense to use a password manager like Enpass. Why? Because it has not got subscription and can use WebDav!

As your own cloud is now connected to the "outside world" and the Internet using your strong Quick-ID we will have to strengthen the security of your Synology.

Noise is your worst enemy to keep save!


You should try to get as less as possible attention to your own cloud to keep it secure. Loads of villain -automated or in person- are around and either to harm your are get some valuable information. Therefore, it is important to make it as hard as possible for an attacker to spy on your own cloud and potentially get some information they should not have or in the worst case they take over your own cloud.

With making no noise, I do not mean that you should not:

  • Share links with your friends
  • Share and link pictures with your family
  • Invite some people for collaboration to get a project done


but what I mean is, that not:

  • every of your shared folders should be shared.
    Just use some shared folders which are supposed to go to the Internet and link or copy all data needed to these folders.
  • a shared link is to easily to guess. Just use one with crazy letters, numbers and symbols.


Please make sure, that not all folders having the full access right and so on.

Everybody knows that is a fairytale of getting 100% security but at least you should make it as hard as possible for a potential attacker to get to your own cloud.

Your Quick-ID is the way to your own cloud from the Internet to where it stands - your home! - and that's why you should pay attention to your security settings.

First of all there are some stuff to apply to your Synology which are:

Antivirus


As already mentioned in my first tutorial, just use the packet centre to get your antivirus app and install it. Ready to use!

Internet security


Now, as your own cloud is in the middle of the Internet universe you should control who can do what and more importantly who can access what. Secure your own cloud with a firewall!

Firewall


System - Security - Firewall - Amend rules .

Activate and your profile


Activate your firewall and enable the email feature. Once activated, your own cloud will inform you by email once someone has been blocked.

The firewall profile

manages everything what should happen or what should not happen at all. You can use the "default" profile and then please click on amend rules.

Ports on firewall


In your profile you will see all needed programs for your NAS (managed programs) which should be allowed to access your NAS.

Go to "Edit" and get your first overview over the functions:


Go to choose ports:


Important programs like:

  • Administrative settings
  • Web Station, Photo Station and all the other stations
  • Bonjour, in the case you have activated it in the First Part of this tutorial
  • AFP - Protocol for MAC


The following should be turned off:

  • Encrypted Terminal (SSH)
  • Telnet (Telnet).


After you made all adjustments you can save.

Please go now on protection (third tab) and check if "LAN" and DoS protection are activated.


DoS has nothing to do with the "old" and "new" DOS which you can find even on today computers running Windows.

DoS stands for „Denial of Services“, which an attacker will use in order to get access to the server or any other computer.

How does this work?

The attacker will send loads of requests to the server/computer via HTTP or it's relative protocols like WebDav, HTTPs/w, CardDav etcetera. At some point the server will give up because it cannot handle all these requests any more - it will crash sort of speak. But before it will eventually "die" it gives away important information to the attacker or "forgets" that it should protect other computers within the network. If that is going on - that's called Distributed Denial of Service (DDoS)..

Block unauthorised logins


System-Security- Account

Here you will determine that protection level you like to have for all your accounts and user names. You can choose how many failed logins within a time frame are allowed. In the case these levels get exceeded, the IP address will be blocked and no access is possible any more.

Be careful with these settings - not that you get blocked and cannot access your own cloud any more and get locked out!


Also you can set a release option for blocked IPs and computers. How many days or weeks should this particular IP/computer being blocked before it can released again.


Below you will find that option to release users and computers. It will display as a list and you can easily release these if you are sure that they are not a thread to you.

SSL - Certificates on your Synology


With an SSL certificated (Secure Socket Layer) the transfer of data takes place within a secure environment / connection. You can see this security on the green marked lock if you visit an HTTPs site..


Further to this will be certified if the computer or server is trustworthy and has a certificate from an trusted source which issues those SSL certificates.
A certificate is separated in two parts:

  • private / public key of your Synology
  • Request file to issue a SSL with the so called CSR file (Certificate Signing Request).


Both of them need to be send to the certification institution and afterwards you will receive your SSL certificated for your DS716 II.

The connections between source (requester) and target computer will then use the encryption standard of AES 256 bit with a length of 2.048 Bit.

Do you really need a purchased one?

Well, this depends on your needs - but in any case I recommend to do at least a self-registered certificate and delete the standard Synology certificate.


ust click on add and you will be guided through the process. You need to add some information and after this you will be presented with a new certificate. You should then edit the preferences of this newly created certificate:

  • set this to the default certificate
  • give the access rights for the protocols HTTP, WebDav etcetera.

Cost of a SSL certificate


The costs range from "almost" free over EUR 5 per annum to ....well... There are offers around for annual or every three years subscription.

Which of these offers you should take depends on the criteria like:

  • Validation of domain and/or owner
  • with or without extended validation
  • some offers depending on browser acceptance
  • others can verify addons too.


The trouble is that every company offers their own criteria and you really need to compare.

Tip:


Do you like to buy on? Then you should keep an eye on that:

  • The company is certified , like the TüV in Germany
    This will give you added security as your will send to this company your personal data and the data of your own cloud
  • The company should be known and has a good reputation.
    It does not make sense to save some money but get a crapy company which sells your data afterwards and so on.
  • All bigger telecommunication, websites and hosting companies offer SSL certificates.


The market is huge and you really need to compare. Also the question is how long should your SSL certificate being used. Depending on this and much more the price will be made.

Do you like an post only about SSL certificate and how to apply? Then just leave a comment.

[infobox]

A good video guide how to get a free SSL certificated you can find at iDomiX. The guide is a bit older but still applies to current version s of NAS. (German)

[/infobox]

Advanced properties


HTTP Compression

HTTP can be compressed so that all data are in one single line and browser get full information immediately. This can influence your broadband to the good.


I do not use it, as I will access my own cloud mostly. My friends, family have not had any issues so far. Surely, it makes sense if you hosting a website which has thousands of visitors every hour.

TLS/SSL Encryption

Clearly, the latest compatibility should always be used. Some older browser version might have their issues but not all modern browser have not got any issues with it.

That was it :)

Change Ports


This is an option I really do like to gain more control and security for my own cloud. All standard ports will be changed to something else:

External Access

WebDav-Server Access


Here, it makes sense to change ports 5000/5006 to something else as they are really standard ones.

Access for software and apps


All DS software can be also changed using System - App portal.

In this screen you can change (again) the ports for the apps used which are accessible by browser:


under edit you will find some rules for the access:


I recommend to change the alias name and the port for instance:

  • Alias name: MyAUD10Coll3ct
  • HTTP/HTTPS: 8432


hence the browser URL to access DS Audio would be:

http://QuickConnect.to/MyAUD10Coll3ct:8432

You do not need reverse proxy.

Login-Style



the Login-Style you can change the appearance of your webpage / login site.

IT makes sense for the FileStation for instance if you like to exchange some documents which are protected by password. In order to show your friends and user that they are on the correct URL and site, you can use your logo or some other information.

Updates and Backup


The best way is to use the automatically backup function, so you will not miss any important update. Also make sure to save your system configuration from time to time or then you do major upgrades or updates.

The settings for these you find in the System-Update and Recovery section.

Task Manager


You will find under System - Task Manager

For what do you need this?


I tend to forget some stuff immediately and recurring task I hate really. For this instances I use the task manager to apply some common tasks which are run automatically. Once set up there is no need to check or execute task - it runs nicely according to a schedule.


The easiest task is to empty all bins on all locations depending on my time scheduled applied and there are some services available too.

With services you can start or turn off your Synology automatically or start/stop other services like WebDav, HTTP should be turned off over night but available at 6 a.m. etcetera.

Who to heck is ROOT ?


Oh dear! Such a laughing Root makes me nervous...

Well, it is the highest user within Linux and Root got all rights enabled. As you know under Windows all user have full rights but not so under Linux! No user - except Root - got rights. If a user wants to use a service only Root can apply this level of access to this particular user.

This goes so far, that a user - if he has not got the correct rights - cannot even open a DVD drive.

Where is he located?


It is the account, which I have recommended to deactivate in my first tutorial - THE ADMIN.

Root will be preferably used within a shell environment - similar to terminal under MAC or cmd.exe under Windows.

The reason for deactivation is simple - it is a standard name and you really do not need to access your Synology using a terminal or shell environment unless your are into Linux and want to change some stuff which will not be available under the GUI on your NAS. But even if you are an expert; after you have done your work - the best is to deactivate it again.

The task manager is based under the shell environment and need to have the highest rights to execute all tasks. Therefore Root will be displayed as user even thought it is deactivated.

Back to the Task Manager:




Here you can edit the settings for the the automatic run. In the next step you will have to decide if you like to stop or start a service:


Antivirus, WebDav, Cloud services and all administrative programs should be started - otherwise you will have issues to access your NAS.

Personally, I use the task manager for:

  • Backup of entire NAS to another NAS / disc
    using HyperBackup for instance as one backup solution.
  • Empty all bins on all locations
  • Start dn stop all services and turn off / turn on DS to a certain point of time and day
  • Execute some scripts to ease the burden of recurring tasks :)

Summary of your security now:


Additional to all the points from the beginning of this posts your DS is now even more secure:

  1. No noise and no attention in the Internet.
  2. No VPN Connection
    I just like to note, that VPN has it's advantages but also waits (listens) for input on a specific port within the Internet to be ready once needed. If you configure your VPN not correctly, it will scream out to the Internet like "Hello - I am here - Who like to connect with me). That is also the reason why I have not included VPN in this tutorial.
  3. Antivirus is ready and activated
  4. Firewall is configured
    One more tip: Please take your time and work slowly and change one setting once a time and test it if it works
  5. Telnet and SSH are turned off
    Hence, the laughing root cannot use this anymore
  6. Login is secured
    After three or four invalid login trials the IP gets blocked and you get informed about this.
  7. All ports are changed
  8. All DS-Apps got their own access
  9. Updates and backup will now run automatically
  10. SSL certificates are either self-generated or bought in
  11. Have a quick look that the user account "ADMIN" is deactivated so that ROOT has not got any chance to laugh at us




How secure is your own cloud and what are your experiences?

Comments