NAS security help.

[wallacemarino]

Hi all.

I'm new here, so apologies if this is posted in the wrong place.

I recently added a Synology NAS to my home network. It has a dedicated IP that is entirely detached from all my other network hardware.

The NAS is used as a backup server for an identical unit at my business address and set-up for remote access via FTP.

This all works fine in principal, except for the fact that every day there are tens upon tens of attempts to access the NAS from countless IP addresses that I have no desire to do so, resulting in my service provider locking out my connection, anything from a few minutes up to a few hours every day for, quote, "unusual behaviour"

I want to lock this connection down in order to stabilise my connection and secure my data from all those random actors trying to brute force their way in.

I want to limit access to this NAS to a single IP address, however neither the NAS nor my router has a software solution to achieve this.

I'm guessing a hardware firewall solution is the way forward, but I'm a complete newbie to this market so am looking for recommendations.

Essentially I'm after a reasonably priced, high-speed, single connection, hardware firewall that will allow me to whitelist one IP address and exclude all others. I'd appreciate any suggestions.

I'm also open to alternative solutions should any spring to mind.

Thanks

 

[L&LD]

Turn off those remote access features now. Not only do 'they' have access to the NAS, but to your entire network too through it.

Which router and what firmware are you running on it?

Assuming an Asus router (and ideally, one running RMerlin firmware), set up an OpenVPN Server on the router and allow access to only the NAS through it.

 

[wallacemarino]

Turn off those remote access features now. Not only do 'they' have access to the NAS, but to your entire network too through it.

Which router and what firmware are you running on it?

Assuming an Asus router (and ideally, one running RMerlin firmware), set up an OpenVPN Server on the router and allow access to only the NAS through it.

Just to be clear. When I say a dedicated IP address, I'm not referring to a to a reserved address within my local network, the NAS has a unique public ip address with no other hardware attached. All my other home hardware operates on a different public ip.

As for Open VPN, that doesn't seem to be an option in my service provider's firmware and I don't have the option to install additional features. Hence my inclination towards a hardware solution.

 

[L&LD]

Does that mean you have two ISP services? Or a single ISP line with two dedicated/static (business) IP's?

If the NAS doesn't have OpenVPN support, that is what I would be looking to replace. If that is not possible, then buy a router with OpenVPN support just for that dedicated IP.

Before you do though, how fast is your ISP to the NAS? Also, how fast is the business ISP? If up/down is less than about 50Mbps at the lowest limits of either, then almost any current (Asus) router can do that. If it is over 100Mbps (up or down) you may want to consider only the RT-AC86U or the RT-AX88U which have AES-NI acceleration for OpenVPN connections that some have tested to over 250Mbps.

 

[wallacemarino]

As it happens I use an RT-AC86U at my business location and like it very much

Here at home I have a single ISP with multiple dedicated business IP adresses.

The NAS itself it seems, does support Open VPN via a downloadable package, but I'm not familiar with how to set it up to achieve what I'm trying to do here. I'm sure I could probably figure it out with sufficient googling, but if you felt compelled to point me in the direction of a relevant tutorial or two, I would certainly appreciate the gesture

 

[wallacemarino]

In answer to your question regarding speed, 500mbs down 35mbs up.

Business ISP is 500mbs up & down

 

[ColinTaylor]

I don't have a Synology NAS and you haven't specified which model you have but from what I've read online it should have its own firewall where you can specify a source IP addresses. I would turn that on as a matter of urgency.

 

[L&LD]

In answer to your question regarding speed, 500mbs down 35mbs up.

What is your business up/down ISP speeds (or, are they identical)?

That 35Mbps up will limit downloads to maximum 35Mbps to your home if they are the same speeds.

If the above assumptions are true, then even an RT-AC66U_B1 would be sufficient to use as an OpenVPN Server.

But, seeing how the NAS unit itself supports OpenVPN connections, checking the model's documentation will point you to the 'how to set it up' procedure for it.

Alternately, give us the model number and we can assist as we can.

 

[wallacemarino]

I don't have a Synology NAS and you haven't specified which model you have but from what I've read online it should have its own firewall where you can specify a source IP addresses. I would turn that on as a matter of urgency.

Hi Colin,

Thanks for your reply. The built in Synology firewall allows you to blacklist IP addresses, but sadly doesn't allow you to whitelist, hence my post here.

 

[ColinTaylor]

Hi Colin,

Thanks for your reply. The built in Synology firewall allows you to blacklist IP addresses, but sadly doesn't allow you to whitelist, hence my post here.

Does your device not have something like this?

Firewall | DSM - Synology Knowledge Center

Synology Knowledge Center offers comprehensive support, providing answers to frequently asked questions, troubleshooting steps, software tutorials, and all the technical documentation you may need.

www.synology.com

 

[wallacemarino]

What is your business up/down ISP speeds (or, are they identical)?

That 35Mbps up will limit downloads to maximum 35Mbps to your home if they are the same speeds.

If the above assumptions are true, then even an RT-AC66U_B1 would be sufficient to use as an OpenVPN Server.

But, seeing how the NAS unit itself supports OpenVPN connections, checking the model's documentation will point you to the 'how to set it up' procedure for it.

Alternately, give us the model number and we can assist as we can.

I very much appreciate your input and will take some time to check the documentation and help files etc before I ask any further about Open VPN.

With speeds of 500/500mbs at my business address and 500/35mbs at home I've been seeing maximum transfer speeds of 25-30mbs business to home via FTP (I do not need to transfer in the other direction). If you have any thoughts on other factors that may be limiting this speed then I'd very much appreciate your input, otherwise I thank you kindly for your assistance thus far.

 

[wallacemarino]

Does your device not have something like this?

Firewall | DSM - Synology Knowledge Center

Synology Knowledge Center offers comprehensive support, providing answers to frequently asked questions, troubleshooting steps, software tutorials, and all the technical documentation you may need.

www.synology.com

Hi Colin

Yes it has this setup of very similar. The issue is it will allow you to allow or deny a specific IP, but as far as I can tell will not allow you to deny all others, which is what I'm trying to achieve. Forgive me if I'm being stupid here, like I said I'm new to this technology.

 

[L&LD]

With your business ISP offering 500Mbps uploads. and your home ISP offering 500Mbps downloads and you're only achieving 25-30Mbps, which indicates to me that the NAS is woefully underpowered to be used as the 'connection'. Let alone as the 'secure connection'.

If your budget can spring for another RT-AC86U, you should be able to achieve closer to the 200Mbps speeds. Even the RT-AC66U_B1 has been reported to be in the 70Mbps range on optimized OpenVPN connections which will more than double your current speeds.

The router won't just give you faster speeds, but it will also properly isolate (secure) your NAS too.

 

[wallacemarino]

With your business ISP offering 500Mbps uploads. and your home ISP offering 500Mbps downloads and you're only achieving 25-30Mbps, which indicates to me that the NAS is woefully underpowered to be used as the 'connection'. Let alone as the 'secure connection'.

If your budget can spring for another RT-AC86U, you should be able to achieve closer to the 200Mbps speeds. Even the RT-AC66U_B1 has been reported to be in the 70Mbps range on optimized OpenVPN connections which will more than double your current speeds.

The router won't just give you faster speeds, but it will also properly isolate (secure) your NAS too.

This is very good food for thought. Thanks.

FYI the NAS is the Synology DS-1817

 

[L&LD]

This NAS?

Download Center - download | Synology Inc.

Centralize data storage and backup, streamline file collaboration, optimize video management, and secure network deployment to facilitate data management.

www.synology.com

Possibly, your FTP setup is what is making it slow then?

 

[ColinTaylor]

... but as far as I can tell will not allow you to deny all others, which is what I'm trying to achieve.

It looks fairly straight forward to do that from what I can see, but I'm not actually sitting in front of it. You setup multiple rules, remembering that rules at the top take precedence over the lower ones. So the first rules are the allowed addresses and the bottom rule denies everything else.

Side note on FTP: Plain old FTP is totally insecure because all data (including passwords) are sent in clear text over the link. So unless your data is public domain stuff you really shouldn't be using it. At the very least use FTPS for a public facing server, but preferably SFTP. Also use different ports than the defaults.

 

[wallacemarino]

This NAS?

Download Center - download | Synology Inc.

Centralize data storage and backup, streamline file collaboration, optimize video management, and secure network deployment to facilitate data management.

www.synology.com

Possibly, your FTP setup is what is making it slow then?

Yes that NAS with a bridged 10g connection at the business end and a bridged 1g connection at home.

 

[wallacemarino]

Yesb

It looks fairly straight forward to do that from what I can see, but I'm not actually sitting in front of it. You setup multiple rules, remembering that rules at the top take precedence over the lower ones. So the first rules are the allowed addresses and the bottom rule denies everything else.

Side note on FTP: Plain old FTP is totally insecure because all data (including passwords) are sent in clear text over the link. So unless your data is public domain stuff you really shouldn't be using it. At the very least use FTPS for a public facing server, but preferably SFTP. Also use different ports than the defaults.

It's set up for FTPS, but will switch to SFTP exclusively once I have got the basics properly sorted.

 

[L&LD]

I am not sure I understand what a 'bridged' 10GbE or 1GbE connection is?

Maybe this bridge is what is the cause of the speed reduction?

 

[wallacemarino]

It looks fairly straight forward to do that from what I can see, but I'm not actually sitting in front of it. You setup multiple rules, remembering that rules at the top take precedence over the lower ones. So the first rules are the allowed addresses and the bottom rule denies everything else.

Side note on FTP: Plain old FTP is totally insecure because all data (including passwords) are sent in clear text over the link. So unless your data is public domain stuff you really shouldn't be using it. At the very least use FTPS for a public facing server, but preferably SFTP. Also use different ports than the defaults.

I'll double check the firewall settings. Thanks.