…without snark or jumping down my throat. I genuinely want to know why it’s so unsafe.
I’m running a Synology DS920+, with my DSM login exposed through a Cloudflare tunnel. I have 2FA enabled, Synology firewall enabled with these rules in place. I also have this IP blocklist enabled.
After all of this, how would someone be able to break in via the DSM login?
NAS vendors aren’t known for understanding security. Opening ssh to the world is no problem, because ssh is everywhere, it’s constantly attacked, and half the world would know if an exploitable vulnerability was found.
If NAS vendor ABC has a vulnerability in the login code written by a programmer who hasn’t done much more than CSS, it would surprise nobody, and you wouldn’t hear about it on any IT news sites. It would just be exploited until all the machines were exploited or until they’re all patched.
It really is a world of difference between something known and secure and some random login page.
Opening ssh to the world is no problem
That seems to go against the general consensus… Why is everyone/everything online telling me to either disable SSH entirely, or change the SSH port to something incredibly obscure (and even that’s not safe)?
Because they’re being silly. There is no other public facing service more secure than a relatively modern OpenSSH.
In some instances, yes, it’s best to disable the ssh that comes with whatever NAS OS you’re running, because they often ship old code and don’t care about updates and security.
But if you’re running a relatively up to date OpenSSH and you’re using keys, not passwords, then you are as secure as you can reasonably be. There’s no math suggesting otherwise. Moving to a different port will reduce the frequency of attack, but that will have zero impact on the possibility of intrusion.
Put it this way: if relatively recent OpenSSH has a remotely exploitable vulnerability, you’ll see it on the news on TV. You’ll see it and hear about it literally everywhere. The world will stop for 24 hours and there will be widespread panic. You’ll know.
If your NAS has an exploit, you might read about it on The Register a few months later.
Well said!
If you must, have you looked at the Azure application proxy? If you configure it properly it should work from the outside world and still remain private. This does put a lot of trust into Azure, and into your tenant’s users not getting broken into.
If your DS920+ is completely inaccessible to outside your network except for the Cloudflare tunnel, then the Synology firewall and IP blocklist aren’t going to do squat for you since all connections will appear to originate from either inside your network or from Cloudflare. So you’re 100% dependent on Cloudflare to keep bad actors out.
I’m not familiar with Cloudflare but the impression I had from looking at it was that you can decide which authenticated Cloudflare users can access your tunnel. So it’s a matter of credential management. Supposing some bad actor gets your credentials, they would then be able to access the entirety of your NAS, and you’re now hoping that there isn’t some undiscovered or unpatched security hole that they can use.
Not true, Cloudflare will forward the real IP in the headers, and if your NAS is correctly configured (trusts the forwarded header), it can block the source based on IP.
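To illustrate the condition in the reply above, here is an added example (not from any commenter, and not Synology's or Cloudflare's code): the forwarded client address is honoured only when the TCP peer is one of the configured trusted proxies, so a direct connection cannot spoof its way past an IP blocklist. The proxy ranges and the blocklist are constructed placeholders; a real deployment would load Cloudflare's published ranges.

```python
import ipaddress

# Constructed placeholders: the only peers allowed to set CF-Connecting-IP.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:cf::/48")]
# Constructed placeholder standing in for the DSM IP blocklist.
BLOCKLIST = [ipaddress.ip_network(n) for n in ("198.51.100.0/24",)]


def in_any(ip, nets):
    """True if `ip` falls inside any network in `nets`."""
    return any(ip in n for n in nets)


def client_ip(peer, headers):
    """Return the address the blocklist should be applied to.

    `peer` is the TCP source address, `headers` the request headers
    (keys compared case-insensitively). The forwarded header is used only
    when the peer is a trusted proxy; otherwise anyone connecting directly
    could set the header and bypass IP-based blocking."""
    peer_ip = ipaddress.ip_address(peer)
    if not in_any(peer_ip, TRUSTED_PROXIES):
        return peer_ip
    hdr = {k.lower(): v for k, v in headers.items()}
    forwarded = hdr.get("cf-connecting-ip")
    if forwarded is None:
        return peer_ip
    try:
        return ipaddress.ip_address(forwarded.strip())
    except ValueError:
        return peer_ip  # malformed header: fall back to the proxy's own address


def decide(peer, headers):
    """Apply the blocklist to the resolved client address."""
    ip = client_ip(peer, headers)
    return ("block" if in_any(ip, BLOCKLIST) else "allow", str(ip))


if __name__ == "__main__":
    # Header from a trusted proxy is honoured; the same header from an
    # untrusted peer is ignored and the peer itself is checked instead.
    print(decide("203.0.113.10", {"CF-Connecting-IP": "198.51.100.7"}))
    print(decide("198.51.100.7", {"CF-Connecting-IP": "192.0.2.5"}))
```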
Security for systems is designed for their target use case. The NAS login page was designed to be easily usable and assumed to only live within a private network. By opening it to the internet you are opening it up to be targeted in a way the designers may not have accounted for.
Don’t expose the login to the internet. Use Twingate or headscale/tailscale. It’s super easy to set up and use zero trust network access.
Speaking as someone who decided to “just be a consumer and trust that my NAS manufacturer had appropriately hardened the login interface”, and was using 2FA, and subsequently fell victim to a ransomware attack:
Do not expose any port on your NAS to the internet.
If you really want it available to you when you’re away from home, set up a VPN using a separate device as the VPN server.
All software has bugs. Sometimes bugs let you do things you weren’t intended to be able to do (e.g. access data on a NAS without knowing the login password). Your NAS might have a bug that hasn’t been discovered (or publicized yet) or hasn’t been fixed yet.
If you put your NAS on the internet, you give “bad guys” an opportunity to exploit those bugs to get your data or to use your NAS as a jumping off spot to attack other things inside your home network.
Surprised no one posted this; the web and cyber threat landscape looks like this: https://livethreatmap.radware.com/
I wouldn’t trust Synology on that aspect, better have an entry over VPN.
Here’s the way I think of it. Imagine you live in a house at the end of a long street. Your front door is the login page to your Synology. All the measures you’ve put in place (Cloudflare, IP blocklists, firewall) are the equivalent of putting up a guard booth/gate at the end of your driveway that only allows cars with a license plate of a specific state.
You haven’t made yourself significantly more secure, just lined the traffic up in a more organized fashion. You are still trusting the people that made your door lock to not be vulnerable.
Yes, it’s easier to access vs having a big metal gate that only you have the code to open (VPN) in front of your house. But why open yourself up to a single point of failure?
Here’s just one recent example of an attacker being able to bypass the authentication on a Synology. All the things you have implemented wouldn’t prevent a single person on the internet from using this exploit. https://www.zerodayinitiative.com/advisories/ZDI-23-660/
Look, what you have is probably fine, but you just have to accept that you now have this page open to the world and you are relying on Synology to be on top of their security and you to be up-to-date.
I use Cloudflare tunnels myself for Plex and the like (separate VLAN), but I keep my local network and all portals only available via a VPN.
Simple, no vendor can create completely secure software. The main way to prevent someone from breaking into your front door when a new vulnerability is discovered is to not present a front door to the internet.
It is impossible to overstate how exposed you really are when leaving interfaces like this open to the internet to be scanned, catalogued, then exploited and used (or damaged) as soon as a new vulnerability is weaponized.
Kinda like the others have stated, you’re trusting the company to have fixed any known vulnerabilities, but also that there aren’t any unknown exploits.
Ultimately the question isn’t should you or not, but is the risk worth it? If your home finances are contained therein, if those impossible to recover or reproduce pictures are stored on there, then if you were to have your system locked with ransomware, how important is that data? Do you have their camera system? Would you mind the random internet looking at those cameras? That’s the real question.
If you only have some downloads you could find again and if you lose everything on the system, then you’re not risking much, so it’s kinda why not?
The other risk to that is they’d possibly gain access to your internal network through your NAS. No telling what a bad actor would do.
Much more likely to gain access via a compromised desktop, or smart phone.
The NAS runs its own OS and is just as vulnerable as a desktop or smartphone. They’re all computers.
Yes, but the other computers I listed have a person behind them that will click things. Like a “close” button that actually installs malware. A NAS does not click things.
True, but what if you host VMs on the NAS? Or data for some application? Those can result in an attacker running code on them, and from there, in most homelab networks, I assume it is a short way from owning everything in your network.
When you turn your NAS into a hosting platform, it is no longer just a NAS.
It’s bad enough we have to trust VPN server code; but at least that should be the only thing you have to trust public facing.
VPNs are complicated enough that security experts are the only ones typically working on them… and they have a relatively small surface area with few 3rd party dependencies. So it’s about the best you could hope for. I agree there’s still a deep amount of trust. Your OS is generally a greater threat though… and your network gear probably a lesser one.
Whereas something like Synology’s web admin involves a webserver running their software on a runtime (PHP? Python?) possibly with a database, where the webserver, runtime, DB drivers, DB engine, ORM, web framework, and all their third party modules are under continuous development and may not be patched. Plus they’re a targeted system because of their popularity. And they’re meant to be user friendly more than secure.
But having a Cloudflare reverse proxy helps a little. So would running something like fail2ban on the logs or a software level firewall configured to detect abnormal data.
Better would be to simply require a client certificate that you generate and distribute from an offline CA, have Cloudflare do TLS termination, then whitelist only their IP(s) and your intranet IPs on the Synology firewall.
Or… just use a VPN lol
I have set up a WireGuard server with a dedicated IP. I followed the documentation and opened a few ports, nothing else regarding security. I connect my home machine and my phone when needed to the WireGuard server so I can access Jellyfin and other services.
Do I need to set up anything else, or is it already secure?
One more thing, is it recommended to connect my Proxmox host to the WireGuard VPN?
Sounds like you did a decent job. Why would you connect the Proxmox host to the VPN? Typically you’ll route certain local addresses (or whole subnets) via chain forwarding. That way, when you connect to the VPN it’s as if you’re on the local network. The way you’re describing it, you would need to know its VPN IP, which is usually dynamic. And you don’t typically want VPN clients to be able to access each other, just the local network. It really all depends how you set everything up.
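An added example (not the commenter’s setup) of the hub layout the reply describes: the dedicated-IP server is the WireGuard hub, the home machine advertises the LAN subnet, the phone routes only that subnet through the tunnel, and one FORWARD rule on the hub stops clients from opening connections to each other’s tunnel addresses while still allowing replies. Keys, the public address, the LAN subnet 192.168.1.0/24 and the interface name eth0 are placeholders.

```ini
# --- hub (dedicated-IP server): /etc/wireguard/wg0.conf ---
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <hub-private-key>
# Forward between peers, but drop NEW connections aimed at another peer's
# tunnel address; established flows (LAN replies) still pass.
PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -I FORWARD -i wg0 -o wg0 -d 10.8.0.0/24 -m conntrack --ctstate NEW -j DROP
PostDown = iptables -D FORWARD -i wg0 -o wg0 -d 10.8.0.0/24 -m conntrack --ctstate NEW -j DROP

[Peer]
# home gateway: owns its tunnel address and the whole LAN subnet
PublicKey = <home-public-key>
AllowedIPs = 10.8.0.2/32, 192.168.1.0/24

[Peer]
# phone: only its own tunnel address
PublicKey = <phone-public-key>
AllowedIPs = 10.8.0.3/32

# --- home gateway (machine on the LAN): /etc/wireguard/wg0.conf ---
[Interface]
Address = 10.8.0.2/32
PrivateKey = <home-private-key>
# Only needed when the service (e.g. Jellyfin) runs on another LAN host:
# forward tunnel traffic into the LAN and masquerade it so LAN hosts reply
# to this gateway without needing a route back to 10.8.0.0/24.
PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

[Peer]
PublicKey = <hub-public-key>
Endpoint = <hub-public-ip>:51820
AllowedIPs = 10.8.0.0/24      # accept traffic from any client relayed by the hub
PersistentKeepalive = 25

# --- phone: wg0.conf ---
[Interface]
Address = 10.8.0.3/32
PrivateKey = <phone-private-key>

[Peer]
PublicKey = <hub-public-key>
Endpoint = <hub-public-ip>:51820
AllowedIPs = 192.168.1.0/24   # only the home LAN goes through the tunnel
PersistentKeepalive = 25
```

With this layout a Proxmox host on the LAN is reached through the home gateway’s subnet route rather than by giving it a tunnel address of its own. If the phone is on a Wi-Fi network that also uses 192.168.1.0/24, choose a less common LAN subnet at home.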
Zero day exploits.
Exactly this. I worked in a data center and when big zero-days hit, you could be certain you were wiping a few servers.
For a home lab, it could be anything from NAS access to the drives or access to your VoIP cameras.
It’s a matter of risk tolerance and how much you trust Synology.
I’m by no means any security expert, but my 2 cents are these:
- Zero-day attacks, where the name refers to how many days a vulnerability has been known when first used. These are more or less impossible to safeguard against. The only thing that would delay an attacker in your setup is 2FA. But can you be sure there aren’t any weaknesses or vulnerabilities in your 2FA setup? Kaspersky mentions a few interesting zero-days on their resource center.
- Blocking all countries except the one you live in can create a false sense of security because VPSes are a thing and are hosted in most countries. That means that a malicious person could spin up a VPS in a country which is allowed to access your public-facing address.
- Depending on what kind of services you run, there could be privilege escalations which could grant an attacker more leverage to find weaknesses in software. I think Darknet Diaries’ episode on the LinkedIn incident explains this well.