
...without snark or jumping down my throat. I genuinely want to know why it's so unsafe.

I'm running a Synology DS920+, with my DSM login exposed through a Cloudflare tunnel. I have 2FA enabled, Synology firewall enabled with these rules in place. I also have this IP blocklist enabled.

After all of this, how would someone be able to break in via the DSM login?

[-] johnklos@alien.top 5 points 11 months ago

NAS vendors aren't known for understanding security. Opening ssh to the world is no problem, because ssh is everywhere, it's constantly attacked, and half the world would know if an exploitable vulnerability was found.

If NAS vendor ABC has a vulnerability in the login code written by a programmer who hasn't done much more than CSS, it would surprise nobody, and you wouldn't hear about it on any IT news sites. It would just be exploited until all the machines were exploited or until they're all patched.

It really is a world of difference between something known and secure and some random login page.

[-] OneBreakfastPlease@alien.top 4 points 11 months ago

Opening ssh to the world is no problem

That seems to go against the general consensus... Why is everyone/everything online telling me to either disable SSH entirely, or change the SSH port to something incredibly obscure (and even that's not safe)?

[-] johnklos@alien.top 2 points 11 months ago

Because they're being silly. There is no other public facing service more secure than a relatively modern OpenSSH.

In some instances, yes, it's best to disable the ssh that comes with whatever NAS OS you're running, because they often ship old code and don't care about updates and security.

But if you're running a relatively up to date OpenSSH and you're using keys, not passwords, then you are as secure as you can reasonably be. There's no math suggesting otherwise. Moving to a different port will reduce the frequency of attack, but that will have zero impact on the possibility of intrusion.

Put it this way: if relatively recent OpenSSH has a remotely exploitable vulnerability, you'll see it on the news on TV. You'll see it and hear about it literally everywhere. The world will stop for 24 hours and there will be widespread panic. You'll know.

If your NAS has an exploit, you might read about it on The Register a few months later.

[-] MozerBYU@alien.top 1 points 11 months ago
[-] Jess_S13@alien.top 2 points 11 months ago

Security for systems is designed for their target use case. The NAS login page was designed to be easily usable and assumed to only live within a private network. By opening it to the internet you are opening it up to be targeted in a way the designers may not have accounted for.

[-] androidwai@alien.top 2 points 11 months ago

Don't expose the login to internet. Use twingate, headscale/tailscale. It's super easy to setup and use zero trust network access.

[-] ervwalter@alien.top 2 points 11 months ago

All software has bugs. Sometimes bugs let you do things you weren't intended to be able to do (e.g. access data on a NAS without knowing the login password). Your NAS might have a bug that hasn't been discovered (or publicized yet) or hasn't been fixed yet.

If you put your NAS on the internet, you give "bad guys" an opportunity to exploit those bugs to get your data or to use your NAS as a jumping off spot to attack other things inside your home network.

[-] Unfair-Plastic-4290@alien.top 2 points 11 months ago

If you must, have you looked at the Azure application proxy? If you configure it properly it should work from the outside world, and still remain private. This does put a lot of trust into Azure, and into your tenant's users not getting broken into.

[-] DaGhostDS@alien.top 2 points 11 months ago

Surprised no one posted this; the web and cyber threats look like this: https://livethreatmap.radware.com/

I wouldn't trust Synology on that aspect, better have an entry over VPN.

[-] kwarner04@alien.top 2 points 11 months ago

Here’s the way I think of it. Imagine you live in a house at the end of a long street. Your front door is the login page to your Synology. All the measures you’ve put in place (Cloudflare, IP blocklists, firewall) are the equivalent of putting up a guard booth/gate at the end of your driveway that only allows cars with a license plate of a specific state.

You haven’t made yourself significantly more secure, just lined the traffic up in a more organized fashion. You are still trusting the people that made your door lock to not be vulnerable.

Yes, it’s easier to access vs having a big metal gate that only you have the code to open (VPN) in front of your house. But why open yourself up to a single point of failure?

Here’s just one recent example of an attacker being able to bypass the authentication on a synology. All the things you have implemented wouldn’t prevent a single person in the internet from using this exploit. https://www.zerodayinitiative.com/advisories/ZDI-23-660/

[-] k1shy@alien.top 2 points 11 months ago

Speaking as someone who decided to "just be a consumer and trust that my NAS manufacturer had appropriately hardened the login interface", and was using 2FA, and subsequently fell victim to a ransomware attack:

Do not expose any port on your NAS to the internet.

If you really want it available to you when you're away from home, set up a VPN using a separate device as the VPN server.

[-] zedkyuu@alien.top 2 points 11 months ago

If your DS920+ is completely inaccessible to outside your network except for the Cloudflare tunnel, then the Synology firewall and IP blocklist aren't going to do squat for you since all connections will appear to originate from either inside your network or from Cloudflare. So you're 100% dependent on Cloudflare to keep bad actors out.

I'm not familiar with Cloudflare but the impression I had from looking at it was that you can decide which authenticated Cloudflare users can access your tunnel. So it's a matter of credential management. Supposing some bad actor gets your credentials, they would then be able to access the entirety of your NAS, and you're now hoping that there isn't some undiscovered or unpatched security hole that they can use.

[-] Sipheren@alien.top 1 points 11 months ago

Look, what you have is probably fine, but you just have to accept that you now have this page open to the world and you are relying on Synology to be on top of their security and you to be up-to-date.

I use Cloudflare tunnels myself for Plex and the like (separate VLAN), but I keep my local Network and all portals only available via a VPN.

[-] PizzaCurrySpecial3@alien.top 1 points 11 months ago

Simple, no vendor can create completely secure software. The main way to prevent someone from breaking into your front door when a new vulnerability is discovered is to not present a front door to the internet.

It is impossible to overstate how exposed you really are when leaving interfaces like this open to the internet to be scanned, catalogued, then exploited and used (or damaged) as soon as a new vulnerability is weaponized.

[-] littelgreenjeep@alien.top 1 points 11 months ago

Kinda like the others have stated, you’re trusting the company to have fixed any known vulnerabilities, but also that there aren’t any unknown exploits.

Ultimately the question isn’t should you or not, but is the risk worth it? If your home finances are contained therein, if those impossible to recover or reproduce pictures are stored on there, then if you were to have your system locked with ransomware, how important is that data? Do you have their camera system? Would you mind the random internet looking at those cameras? That’s the real question.

If you only have some downloads you could find again and if you lose everything on the system, then you’re not risking much, so it’s kinda why not?

[-] DarkChoomba@alien.top 1 points 11 months ago

The other risk to that is they’d possibly gain access to your internal network through your NAS. No telling what a bad actor would do.

[-] antaresiv@alien.top 1 points 11 months ago

It’s a matter of risk tolerance and how much you trust Synology.

[-] Fallyfall@alien.top 1 points 11 months ago

I'm by no means any security expert, but my 2 cents are these:

  • Zero-day attacks, where the name refers to how many days a vulnerability has been known when first used. These are more or less impossible to safeguard against. The only thing that would delay an attacker in your setup is 2FA. But can you be sure there aren't any weaknesses or vulnerabilities in your 2FA setup? Kaspersky mentions a few interesting zero-days on their resource center.
  • Blocking all countries except the one you live in can create a false sense of security because VPSes are a thing and hosted in most countries. That means that a malicious person could spin up a VPS in a country which is allowed to access your public-facing address.
  • Depending on what kind of services you run, there could be privilege escalations which could grant an attacker more leverage to find weaknesses in software. I think Darknet Diaries' episode on the LinkedIn incident explains this well.
[-] horus-heresy@alien.top 1 points 11 months ago

Did you Google or ask chat gpt about risks of letting bad actors brute force or potentially use some zero day with some crazy url that can let them encrypt all your family pictures and other data? If you want to access from outside do that thru some reverse proxy like find proxy manager or traefik

[-] OneBreakfastPlease@alien.top 1 points 11 months ago

Did you Google or ask chat gpt

No, I didn't, because I wanted to start up a conversation with real humans who are in the same situation as me... Or, you know, the entire purpose of Reddit.

[-] Missing_Space_Cadet@alien.top 1 points 11 months ago
[-] OneBreakfastPlease@alien.top 1 points 11 months ago

Very helpful. Thanks for your contribution to the community.

[-] MRP_yt@alien.top 1 points 11 months ago

If you open your login page to internet without security, someone one day will have a field trip inside your NAS files and will find all your "i know what you did last summer" photos.

I do have a DS423+ and I am also using a Cloudflare tunnel to access it from anywhere.

My CF Tunnel setup done like this:

Domain: nas.example.com points to http://1.2.3.4: and i have 2 access rules added.

One of these rules NEEDS to match otherwise - "You Shell Not Pass"
#1: Public IP needs to be matched as my public IP
#2: Person who wants to login needs to authenticate via Google Authentication. Google authentication needs to match test1@gmail.com or test2@gmail.com

While i am at home, i use nas.example.com to access my nas instead of using its local IP and cloudflare allows access with no questions asked.
While i am outside my home network i get asked to authenticate via google and gain access this way.

+CF Tunnel adds https automatically for me.

I don't use any firewall setup or any other rules inside NAS.
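The two-rule tunnel policy described in the comment above, together with zedkyuu's point earlier in the thread that the NAS firewall and IP blocklist only ever see cloudflared's own address, modelled in Python. This is an added example, not code from the thread or from Cloudflare. It assumes Cloudflare Access's documented policy semantics (a request passes when any allow policy matches; within a policy, any Include rule may match and every Require rule must match) and uses constructed addresses: 203.0.113.10 as the home IP, 192.168.1.20 as the LAN host running cloudflared, and 198.51.100.0/24 as a range on the NAS blocklist.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Request:
    client_ip: str          # address Cloudflare's edge saw; what Access rules evaluate
    email: Optional[str]    # identity from the IdP login, None when not logged in


Rule = Callable[[Request], bool]


@dataclass
class Policy:
    name: str
    include: list                                  # any Include rule may match
    require: list = field(default_factory=list)    # every Require rule must match


def ip_in(cidrs: list) -> Rule:
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda r: any(ipaddress.ip_address(r.client_ip) in n for n in nets)


def email_in(addresses: list) -> Rule:
    allowed = {a.lower() for a in addresses}
    return lambda r: r.email is not None and r.email.lower() in allowed


# Constructed values standing in for the commenter's real IP and accounts.
HOME_IP = "203.0.113.10"
POLICIES = [
    Policy("home-ip", include=[ip_in([f"{HOME_IP}/32"])]),
    Policy("google-login", include=[email_in(["test1@gmail.com", "test2@gmail.com"])]),
]


def access_decision(req: Request, policies=POLICIES) -> Optional[str]:
    """Name of the first allow policy that matches, or None if the edge blocks it."""
    for p in policies:
        if any(rule(req) for rule in p.include) and all(rule(req) for rule in p.require):
            return p.name
    return None


# Synology-side rules, as the NAS firewall would see them (constructed).
CLOUDFLARED_HOST = "192.168.1.20"                       # LAN box running cloudflared
NAS_ALLOW = [ipaddress.ip_network("192.168.1.0/24")]
NAS_DENY = [ipaddress.ip_network("198.51.100.0/24")]    # an entry on the IP blocklist


def nas_firewall_decision(peer_ip: str) -> bool:
    """Deny list first, then allow list, default deny: the NAS only knows the peer IP."""
    addr = ipaddress.ip_address(peer_ip)
    if any(addr in n for n in NAS_DENY):
        return False
    return any(addr in n for n in NAS_ALLOW)


def reaches_dsm_login(req: Request, via_tunnel: bool = True) -> bool:
    """Does this request get as far as the DSM login page?"""
    if via_tunnel:
        if access_decision(req) is None:
            return False              # stopped at the Cloudflare edge
        peer = CLOUDFLARED_HOST       # every tunneled connection arrives from cloudflared
    else:
        peer = req.client_ip          # e.g. a forgotten port-forward straight to DSM
    return nas_firewall_decision(peer)


if __name__ == "__main__":
    attacker = Request("198.51.100.7", None)
    stolen = Request("198.51.100.7", "test1@gmail.com")
    print("attacker via tunnel:", reaches_dsm_login(attacker))            # False
    print("attacker with stolen Google login:", reaches_dsm_login(stolen))  # True
    print("NAS blocklist would have caught it:", nas_firewall_decision("198.51.100.7"))
```

The third line of output is the point: the blocklist entry for 198.51.100.0/24 does match the attacker's address, but through the tunnel the NAS is never asked about that address, so once the edge policy is satisfied (here by a phished or reused Google identity) the DSM login page is reached regardless. The NAS-side rules only matter on the direct path, which is why you should also confirm DSM's ports are not separately forwarded.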

[-] MiteeThoR@alien.top 1 points 11 months ago

Millions of hostile computers are cruising the internet looking for literally anything that can be exploited. Do not give them an opportunity by exposing a login page unnecessarily.

[-] R8nbowhorse@alien.top 1 points 11 months ago

Because you're going to be hit by the next of the countless pre-authentication vulnerabilities that constantly pop up for appliances like yours.

All your security measure will do absolutely nothing in that case.

I don't get why you don't just set up a VPN? It isn't more complicated than what you did, and offers far superior protection. And for 99% of use cases, you don't lose any functionality either.

[-] hdd-housing@alien.top 1 points 11 months ago

https://www.synology.com/en-us/security/advisory

https://www.cvedetails.com/vulnerability-list/vendor_id-11138/Synology.html

You can look through all known issues.

But don't get me wrong, I'm glad they provide the information!

Don't know how much a Cloudflare tunnel protects you. Maybe it's only security by obscurity.

[-] btodoroff@alien.top 1 points 11 months ago

See my other comment, but the basic problem is you are only putting up one layer of protection if you expose directly to the Internet. If there is a vulnerability in the NAS, then bots can exploit just that layer and get in.

If you have tunnel/VPN then NAS, they have to have a vulnerability in the VPN, then also be able to use the VPN to exploit the NAS (or some other device on the VPN).

Add another layer, like IP limitations on the tunnel, then you have to have 3 exploits. Etc...

Synology sells based on convenience of features, and good enough security as a second thought. VPN or tunnel software exists to provide security. So you want to mix the focus and the providers to minimize chance any one provider or mistake will let you get hacked.

The biggest risk for a typical home lab is from bot scanners and not targeted attacks, so they are unlikely to target a connection with more than one layer as there are many, many simpler targets.

[-] GOVStooge@alien.top 1 points 11 months ago

NAS appliances aren't known for their login security

[-] CaptainWilder@alien.top 1 points 11 months ago

It'd be best to host a vpn publically instead, and get to the synology via the VPN.

[-] PreppyAndrew@alien.top 1 points 11 months ago

Most NAS aren't designed to be exposed to the World Wide Net. The login page isn't designed to handle things like DDoS or brute force attacks. Most of them don't have a 2-factor login option built in.

This plus, the fact you are exposing all of your data via this web interface. Allowing hackers to easily crypt mine/delete/steal your data.

[-] Professional-Bug2305@alien.top 1 points 11 months ago

Are you going to update the firmware upon every release? Are you going to monitor for vulnerabilities?

TAs have automated software that will find it, and mess with it for funsies.

[-] mykesx@alien.top 1 points 11 months ago

Evil hackers want to log in. You are making it much easier.

[-] sysblob@alien.top 1 points 11 months ago

Cyber Security seems to bring out weird bravado where people pretend like they know more than they do. This thread is literally dozens and dozens of people spouting nonsense.

The bottom line is if you're running a Cloudflare tunnel with authentication on the tunnel itself to a trusted auth provider and then enable 2FA on that auth provider, you have a zero trust model that is about as secure as most modern companies. All of the people saying BUT WHAT ABOUT ZERO DAY are beyond dumb. Enable auto-updates on everything you can, script the rest. The chances of there being a zero day vulnerability in Cloudflare and then a bot being able to hit your Synology page, which then has its own security they need to get past, are not likely at all. Monitor your Synology login attempts just in case; it's all built in.
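The "monitor your login attempts" advice above, turned into detection logic. This is an added example, not code from the thread or from Synology. The log lines are constructed to approximate the wording DSM's Log Center uses for connection events (`User [x] from [ip] failed to log in via [DSM] due to authorization failure.` / `logged in successfully via [DSM].`); the exact format on a given DSM version is an assumption you should check against your own Log Center export. Because every connection that arrives through a tunnel shows cloudflared's address as the source, the detector keys on the user name by default rather than on the IP.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed Log Center line shape: "<iso-timestamp> <host> Connection: User [u] from [ip] <outcome> via [svc] ..."
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ Connection: User \[(?P<user>[^\]]*)\] from \[(?P<ip>[^\]]+)\] "
    r"(?P<outcome>failed to log in|logged in successfully) via \[(?P<svc>[^\]]+)\]"
)


def parse(line: str):
    """One log line -> event dict, or None for lines that are not login events."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "user": m["user"],
        "ip": m["ip"],
        "ok": m["outcome"] == "logged in successfully",
        "service": m["svc"],
    }


def detect(lines, window=timedelta(minutes=10), threshold=5, key=("user",)):
    """Sliding-window brute-force detector.

    Emits ("brute_force", key, ts) when `threshold` failures land inside `window`,
    and ("success_after_failures", key, ts) when a login succeeds after 3+ recent
    failures for the same key, the pattern a guessed or stuffed password produces.
    """
    recent = defaultdict(deque)   # key -> timestamps of failures still inside the window
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        k = tuple(ev[f] for f in key)
        q = recent[k]
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if not ev["ok"]:
            q.append(ev["ts"])
            if len(q) == threshold:           # fire once per burst, not on every extra failure
                alerts.append(("brute_force", k, ev["ts"]))
        else:
            if len(q) >= 3:
                alerts.append(("success_after_failures", k, ev["ts"]))
            q.clear()
    return alerts


# Constructed sample log: six failures for admin in under a minute, then a success.
SAMPLE = """\
2023-11-23T20:40:01 nas Connection: User [admin] from [192.168.1.20] failed to log in via [DSM] due to authorization failure.
2023-11-23T20:40:09 nas Connection: User [admin] from [192.168.1.20] failed to log in via [DSM] due to authorization failure.
2023-11-23T20:40:15 nas Connection: User [alice] from [192.168.1.5] logged in successfully via [DSM].
2023-11-23T20:40:22 nas Connection: User [admin] from [192.168.1.20] failed to log in via [DSM] due to authorization failure.
2023-11-23T20:40:31 nas Connection: User [admin] from [192.168.1.20] failed to log in via [DSM] due to authorization failure.
2023-11-23T20:40:40 nas Connection: User [admin] from [192.168.1.20] failed to log in via [DSM] due to authorization failure.
2023-11-23T20:40:52 nas Connection: User [admin] from [192.168.1.20] failed to log in via [DSM] due to authorization failure.
2023-11-23T20:41:03 nas Connection: User [admin] from [192.168.1.20] logged in successfully via [DSM].
2023-11-23T21:30:00 nas System: Package [SynologyDrive] update completed.
2023-11-23T21:35:00 nas Connection: User [bob] from [192.168.1.7] failed to log in via [DSM] due to authorization failure.
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Note that every admin line carries 192.168.1.20, the cloudflared host, so a detector keyed on `("ip",)` would lump all tunneled users together; keying on the user works behind a tunnel, and the `success_after_failures` alert is the one worth paging on since it means the password was found and only 2FA (if any) stood in the way.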

[-] OneBreakfastPlease@alien.top 1 points 11 months ago

Cyber Security seems to bring out weird bravado where people pretend like they know more than they do. This thread is literally dozens and dozens of people spouting nonsense.

I know, right? I'm not going to lie, it's very amusing reading some of these replies...

I was literally just posting this in hopes of learning a thing or two, as I've always loved tech and this is a hobby that has given me great joy over the last couple of years.

[-] eW4GJMqscYtbBkw9@alien.top 1 points 11 months ago

Not exactly related to your question, but why not just use tailscale to access your NAS remotely?

[-] u35828@alien.top 1 points 11 months ago

Hi OP, someone using nmap would have a fun time trying to find any open ports to exploit.

[-] StarSyth@alien.top 1 points 11 months ago

Simple rule: if you don't want something viewable by others then don't expose it to the internet. It's not a complicated rule, however many people fail this simple bit of logic.

An example, family photos, holiday videos, music and tv shows. All things that don't really matter if someone gains access to. It's at most an invasion of privacy.

Another example: bank statements, birth certificates, financial documents, scans of your credit and debit card, IoT. These are all things that pose a potential risk to you if someone gains access to them. Don't put them on the internet; nobody can ever find them on the internet.

The internet by its very nature is built to share data, the easiest way to avoid sensitive data from being breached is to not have it on a device connected to the net in the first place.

[-] Accomplished-Feed123@alien.top 1 points 11 months ago

Question: and I ask here because I think it pertains to the conversation but I’m not sure. I enjoy using the remote connect features of my Synology NAS. I do DDNS and quick connect. I use 2FA and a 14-16 character password. I’ve disabled the default admin account and I use the firewall.

I like to use my iPhone to stream movies and look at docs while on the road.

Am I at a huge risk?

[-] null_rm-rf@alien.top 1 points 11 months ago

Get hacked by some vulnerability.

[-] AspectSpiritual9143@alien.top 1 points 11 months ago

Everyone: this is a bad idea.

OP: well im getting mixed signals

[-] OneBreakfastPlease@alien.top 1 points 11 months ago

Not really if you read the thread, but who am I to stop your hate parade? Go off son.

[-] Realistic-Motorcycle@alien.top 1 points 11 months ago

This guy! If they can hack the US govt in hours, your Synology is a piece of cake.

[-] touche112@alien.top 1 points 11 months ago

After all of this, how would someone be able to break in via the DSM login?

You trust Synology that much? Yikes

[-] ridiculousransom@alien.top 1 points 11 months ago

Your reasons why are https://www.cvedetails.com/vulnerability-list/vendor_id-11138/Synology.html?page=1&cvssscoremin=8&order=1&trc=250&sha=3d655d1befa87d00b4ee6efb440f2b83c057d878

It only takes one exploit abused by a nation state threat actor and you’ll be part of the next news where 100s of thousands of NAS appliances were cryptoed with ransomware.

I would say you’re safer with Cloudflare tunnel providing you’re utilizing blacklisting on Cloudflare where only certain trusted IPs are allowed.

For a better solution I’d ask you to look at Tailscale and their easy VPN technology. https://tailscale.com/kb/1131/synology/

Stay safe out there.

Signed, Your friendly cybersecurity leader

[-] vdubster007@alien.top 1 points 11 months ago

It all comes down to risk management at the end of the day. And the good old equation threat X asset X vulnerability = risk.

So how sensitive is your data? At the end of the day this is the asset you are protecting. Is it all of your family photos and memories with no backup? Or is it your animated GIF collection from ‘99 before giphy made it obsolete? What is the IMPACT if this gets compromised?

In terms of threats what do you worry about? Ransomware, script kiddies, organized crime? And which do you think you can reasonably mitigate against.

It is impossible to predict potential future vulnerabilities in a product. There could be unauthenticated remote code execution vulnerabilities that grant an attacker remote access. Vulnerabilities are reduced with controls so you have some in place. What about patch management, etc? With your controls in place what is the likelihood that the threat you care about could impact you?

Out comes a risk value (low, medium, high).

Do you accept it or not?

For me I have a tiny FreeBSD server running that I’ve hardened (pf firewall, no root login, ssh keys as the only auth method, ansible playbook to check for and apply updates daily). Its sole purpose in life is to run wireguard. My various devices including the NAS are clients that I allow access to the NAS over wireguard. I run PF on the wireguard interface and only allow access to specific services on the NAS. I don’t store anything sensitive on the NAS and I send encrypted backups to backblaze for files I don’t want to lose.

In my equation it’s a level of risk I am happy with. And if something bad happens I’m prepared to rebuild everything in my home network from scratch.

Good luck deciding.

this post was submitted on 23 Nov 2023
6 points (100.0% liked)

Homelab
