The internet is like the wild west. There are bandits and outlaws everywhere. But automated. Bandit bots and outlaw bots who scan the internet all the time for open ports, trying to see if they can find an outdated version of software for which they have exploits. Some bots even have zero day exploits, which are unknown to the manufacturer of the software (the manufacturer has known zero days about the exploit, hence the name). When they find a match they will automatically hack the software running on the port and try to do privilege escalation (essentially become admin). Then they might install a copy of themselves on your machine, fortifying their bandit army (botnet). Most of the time the criminal behind the botnet can now also control your machine and do anything with it. Many times access to these hacked machines also gets sold on the dark web to other criminals.
Running a service through a Cloudflare tunnel is not exactly the same as "exposing the service on the internet". It's more towards a VPN/overlay kinda approach and not exactly the same as forwarding ports and pointing DNS entries to actually "expose" your service on the wider internet (other users may feel free to correct me here). Still won't recommend this with any "sensitive data", but if all you have is a bunch of music and TV shows then you're good there. In the end it all depends on the level of security that you are willing to work with.
> how would someone be able to break in via the DSM login?
They probably couldn't. But, at the end of the day, the risk is yours to take. Nothing is 100% secure; it's all about degrees of security vs usability. You seem to have taken a reasonable approach to protecting the web service, so that's a good start. Other things would be to ensure that access is logged, and that failed attempts are delayed between retries (preventing brute forcing from being completed in a reasonable time) - not sure if Synology has that or not.
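The "delay failed attempts between retries" control this comment describes, as an added example that is not from the thread or from Synology: a per-source throttle whose penalty doubles after each failure. The client address, time budget and parameter values are constructed assumptions.

```python
"""Per-source login throttle with exponential backoff (added example, not from the thread).

Each failed attempt from a source (a client IP here; keying on the username
works the same way) doubles the cooling-off period before the next attempt
is accepted, up to a cap, so an online brute-force run slows to a crawl
while a legitimate user who mistypes a few times is only briefly delayed.
"""
from dataclasses import dataclass, field


@dataclass
class LoginThrottle:
    base_delay: float = 1.0      # seconds imposed after the first penalised failure
    max_delay: float = 900.0     # cap, so nobody is locked out indefinitely
    free_attempts: int = 3       # failures tolerated before delays start
    _failures: dict = field(default_factory=dict)  # source -> (failure count, not_before)

    def retry_after(self, source: str, now: float) -> float:
        """Seconds the source must still wait before another attempt is accepted."""
        _count, not_before = self._failures.get(source, (0, 0.0))
        return max(0.0, not_before - now)

    def record(self, source: str, now: float, success: bool) -> float:
        """Register an attempt's outcome; return the delay imposed on the next one."""
        if success:
            self._failures.pop(source, None)  # a successful login clears the penalty
            return 0.0
        count = self._failures.get(source, (0, 0.0))[0] + 1
        excess = count - self.free_attempts
        delay = 0.0 if excess <= 0 else min(self.max_delay, self.base_delay * 2 ** (excess - 1))
        self._failures[source] = (count, now + delay)
        return delay


def attempts_possible(budget_seconds: float, throttle: LoginThrottle) -> int:
    """Guesses one source can make within a time budget if the throttle is enforced.

    Simulates a guesser who always fails and retries as soon as allowed;
    the source address is a constructed example value.
    """
    src, t, n = "203.0.113.5", 0.0, 0
    while t <= budget_seconds:
        wait = throttle.retry_after(src, t)
        if wait > 0:
            t += wait          # attempts inside the window are rejected, so skip ahead
            continue
        n += 1
        throttle.record(src, t, success=False)
    return n
```

With the defaults, one source gets 16 guesses in an hour instead of as many as the server can answer; the cap keeps a forgetful owner waiting at most 15 minutes.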
Baseline, STIG, harden. Is your MFA SMS?
Use 2fa and you'll be fine.
your NAS runs software that is neither hardened for nor designed for direct internet access...
synology has had a plethora of exploits over the years... https://www.synology.com/en-global/security/advisory including but not limited to ransomware taking over the nas and encrypting all of your data... and that's just the exploits THEY KNOW ABOUT. synology often takes MONTHS if not over a year to resolve critical issues that normal customers won't be affected by with best practices...
synology's own guidelines clearly state
> Do not expose DSM to the Internet unless necessary.
> If you must access file services over the Internet, it is strongly recommended that you use a VPN to connect to your Synology device.
direct internet access to your nas is a timebomb. you will lose your data, others will view your data, and you put your entire network at risk by doing so.
i almost couldn't tell this is an advertisement
It's a matter of risk management, and your personal situation and willingness to sacrifice convenience to reduce risk. There are many aspects that can increase or reduce risk, e.g. how often a software is updated, if it's open or closed source, how widely used it is, your personal level of relevant IT knowledge, and so on. One central rule is that more attack surface leads to a higher risk of security breaches, and hiding everything behind a VPN reduces the attack surface to just one piece of software that's mainly focused on security. Additional public entry points add convenience but also increase your attack surface, so you have to find a level you are personally comfortable with.
In my opinion and experience, if an app is made for public access, in a production ready state and already widely used, if you trust the creator in general and with security updates in particular, and if you trust your own knowledge and ability to configure it correctly and keep all the relevant doors closed, then it's completely fine to make it publicly accessible in most cases, and the security risks of doing so are way overblown by some people in tech forums.
In your case, the login page behind a CF tunnel with 2FA (and hopefully HTTPS?) enabled and yourself on the lookout for possible vulnerabilities sounds like an acceptable level of risk to me, unless the data on your NAS could start a nuclear war or something.
Even if your login page is not easy to break, it will be indexed by robots or hackers in their lists. And they will test on it every vulnerability that gets published for any DSM component. Using VPNs like ZeroTier or Tailscale is definitely MUCH more secure than all of those tweaks, and easier to set up too.
But of course it's YOUR data so ... good luck :)
With Cloudflare auth it is probably gonna be fine with IP block filter etc. It would probably filter 99.999% of the malicious attacks already.
But still, why do you need to expose it? I only have my Jellyfin exposed cos idc much about JF data and network, cos it's on a separate VLAN network and stuff. All my management and NAS are only accessible through VPN cos I wouldn't need access outside that often, only when something happens.
For one thing, it announces to the internet that your device is there. If there is one thing you could do to make it easy on a hacker it is to tell them what and where to hack. There might not be any complete exploits today, but there will be tomorrow, and when it happens, there will be a race between you and the bad guy to either patch or exploit. Are you updating often enough to protect your device from any possible random point in time in the future? If you have nothing to lose, don't worry about it, but most people store things they feel are worth storing.
It’s kinda like leaving your car unlocked and leaving your purse or wallet visible in your dashboard. Some may see it and choose not to exploit but some people will. What if you didn’t park your car there in the first place?
It's not unlocked though. A better analogy would be that it's locked but out in the open, instead of behind a garage door.
It's basically the same as any other time people expose something to the internet.
Most don't know what they're doing or how to do it safely so they put a vulnerable device out in a vulnerable state.
The only reason a NAS is worse is because it's more common for a home user to have a NAS than it is to do something like host a WordPress, and a NAS has more personal stuff than a WordPress does (usually).
From experience most NAS drives, cctv boxes are built cheap and dirty. They are often slow and the proud product of a shite company/software developer.
Bad actors are running scripts on their servers, automatically looking for known exploits in pages, ports and software. They are actively scanning thousands of WAN-facing devices a minute.
Web pages are often written with poor practices. There is little to no care for security but just enough to satisfy the end user.
JavaScript-protected pages (may as well just write the password on the page).
Usernames and passwords embedded into source code. Session variables stored in cookies in plain text. Vulnerable to session hijacking, man in the middle attacks, and more.
One device we pen tested a few years back allowed access to the settings page without logging in. This is due to a header redirect being incorrectly used. The page served the form and tried to redirect the browser. We just stopped the redirect. Changed the password and logged in normally. Potato Security at its best.
These devices often do not have any rate limiting or firewall, which means brute forcing is nothing but pure playground for a nice database of known usernames and passwords. GPUs are fantastic for brute forcing. The more you have, the faster you can test username and password combinations.
If you must share file access, set up a VPN. Tunnel into your network securely and then access your NAS.
Assume everyone is gonna get you.
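The redirect mistake described in this comment, as an added example that is not taken from the thread or from any device's firmware: a settings handler that "redirects" but keeps rendering, beside the fixed version, plus the check that catches the pattern. The handler names, the session dict, the route paths and the form string are constructed.

```python
"""Redirect-without-return: 'settings page reachable without logging in'.

Added example, not a real device's code. Handlers follow a tiny WSGI-like
contract: they take a session dict and return (status, headers, body).
The vulnerable handler sets a 302 to the login page but execution falls
through to the protected output, exactly like header('Location: ...')
with no exit after it; a client that simply does not follow the redirect
reads the form. The fixed handler ends the request on the auth failure.
"""
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, Dict[str, str], str]
Handler = Callable[[Dict[str, str]], Response]

# Constructed stand-in for the device's admin form.
SETTINGS_FORM = "<form action='/settings'><input name='admin_password'></form>"


def vulnerable_settings(session: Dict[str, str]) -> Response:
    status, headers = 200, {}
    if not session.get("user"):
        # BUG: the redirect is queued, but nothing stops the rest of the handler.
        status, headers = 302, {"Location": "/login"}
    body = SETTINGS_FORM          # rendered for everyone, authenticated or not
    return status, headers, body


def fixed_settings(session: Dict[str, str]) -> Response:
    if not session.get("user"):
        # Authorization failure terminates the request: empty body, no form.
        return 302, {"Location": "/login"}, ""
    return 200, {}, SETTINGS_FORM


def leaks_without_auth(handler: Handler) -> bool:
    """True if an anonymous session receives protected content in the body.

    Judged on the body alone, regardless of status or Location header:
    whatever is sent alongside a 302 is visible to a client that ignores it.
    """
    _status, _headers, body = handler({})
    return SETTINGS_FORM in body


def audit(handlers: List[Handler]) -> List[str]:
    """Names of handlers that leak to an anonymous session; fit for a test suite."""
    return [h.__name__ for h in handlers if leaks_without_auth(h)]
```

Both handlers return a 302 for an anonymous caller, so a check that looks only at the status code passes the broken one; the body is what has to be inspected.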
Tbh if you set up MFA on the account, it's OK to open it to the internet.
Good conversation. Great comments.
What are you protecting, what is the value to you, how much are you willing to protect it.
Convenient is unsecured, Secure is inconvenient.
Like all others here have said, it’s an unnecessary risk. You can set up a VPN to your home network with DDNS on your router (if you have a public IP) and that will be much better
because attackers can now access it. this gives them an unlimited number of tries to break in. this isn't as safe as not exposing it to attackers.
HEY MAN,
Just go ahead and get hacked and learn, there’s literally no point in even asking if you lean toward not taking anything anyone says with a grain of salt.
Otherwise VPN or Cloudflare tunnel into the machine.
Bye
Read the thread bro.
Bye
Read your edit