NAS vendors aren’t known for understanding security. Opening ssh to the world is no problem, because ssh is everywhere, it’s constantly attacked, and half the world would know if an exploitable vulnerability was found.

If NAS vendor ABC has a vulnerability in the login code written by a programmer who hasn’t done much more than CSS, it would surprise nobody, and you wouldn’t hear about it on any IT news sites. It would just be exploited until all the machines were exploited or until they’re all patched.

It really is a world of difference between something known and secure and some random login page.

Speaking as someone who decided to “just be a consumer and trust that my NAS manufacturer had appropriately hardened the login interface”, and was using 2FA, and subsequently fell victim to a ransomware attack:

Do not expose any port on your NAS to the internet.

If you really want it available to you when you’re away from home, set up a VPN using a separate device as the VPN server.

Surprised no one posted this, the web and cyber threat look like that : https://livethreatmap.radware.com/

I wouldn’t trust Synology on that aspect, better have an entry over VPN.

Security for systems are designed for their target use case. The NAS login page was designed to be easily usable and assumed to only live within a private network. By opening to the internet you are opening it up to be targeted in a way the designers may not have accounted for.

Here’s the way I think of it. Imagine you live in a house at the end of a long street. Your front door is the login page to your Synology. All the measures you’ve put in place (cloudlfare, ip blocklists, firewall) are the equivalent of putting up a guard booth/gate at the end of your driveway that only allows cars with a license plate of a specific state.

You haven’t made yourself significantly more secure, just lined the traffic up in a more organized fashion. You are still trusting the people that made your door lock to not be vulnerable.

Yes, it’s easier to access vs having a big metal gate that only you have the code to open (VPN) in front of your house. But why open yourself up to a single point of failure?

Here’s just one recent example of an attacker being able to bypass the authentication on a synology. All the things you have implemented wouldn’t prevent a single person in the internet from using this exploit. https://www.zerodayinitiative.com/advisories/ZDI-23-660/

Don’t expose the login to internet. Use twingate, headscale/tailscale. It’s super easy to setup and use zero trust network access.

if you must, have you looked at the azure application proxy? if you configure it properly it should work from the outside world, and still remain private. This does put a lost of trust into azure, and your tenant’s users not getting broken into.

All software has bugs. Sometimes bugs let you do things you weren’t intended to be able to do (e.g. access data on a NAS without knowing the login password). Your NAS might have a bug that hasn’t been discovered (or publicized yet) or hasn’t been fixed yet.

If you put your NAS on the internet, you give “bad guys” am opportunity to exploit those bugs to get your data or to use your NAS as a jumping off spot to attack other things inside your home network.

If your DS920+ is completely inaccessible to outside your network except for the Cloudflare tunnel, then the Synology firewall and IP blocklist aren’t going to do squat for you since all connections will appear to originate from either inside your network or from Cloudflare. So you’re 100% dependent on Cloudflare to keep bad actors out.

I’m not familiar with Cloudflare but the impression I had from looking at it was that you can decide which authenticated Cloudflare users can access your tunnel. So it’s a matter of credential management. Supposing some bad actor gets your credentials, they would then be able to access the entirety of your NAS, and you’re now hoping that there isn’t some undiscovered or unpatched security hole that they can use.

because attackers can now access it. this gives them unlimited amount of times to try and break in. this isn’t as safe as not exposing it to attackers.

Your reasons why are https://www.cvedetails.com/vulnerability-list/vendor_id-11138/Synology.html?page=1&cvssscoremin=8&order=1&trc=250&sha=3d655d1befa87d00b4ee6efb440f2b83c057d878

It only takes one exploit abused by a nation state threat actor and you’ll be part of the next news where 100s of thousands of NAS appliances were cryptoed with ransomware.

I would say you’re safer with Cloudflare tunnel providing you’re utilizing blacklisting on Cloudflare where only certain trusted IPs are allowed.

For a better solution I’d ask you to look at Tailscale and their easy VPN technology. https://tailscale.com/kb/1131/synology/

Stay safe out there.

Signed, Your friendly cybersecurity leader

It all comes down to risk management at the end of the day. And the good old equation threat X asset X vulnerability = risk.

So how sensitive is your data? At the end of the day this is the asset you are protecting. Is it all of your family photos and memories with no backup? Or is it your animated GIF collection from ‘99 before giphy made it absolete. What is the IMPACT if this gets compromised.

In terms of threats what do you worry about? Ransomware, script kiddies, organized crime? And which do you think you can reasonably mitigate against.

It is impossible to predict potential future vulnerabilities in a product. There could be unauthenticated remote code execution vulnerabilities that grant an attacker remote access. Vulnerabilities are reduced with controls so you have some in place. What about patch management, etc? With your controls in place what is the likelihood that the threat you care about could impact you?

Out comes a risk value (low, medium, high).

Do you accept it or not?

For me I have a tiny FreeBSD server running that I’ve hardened (pf firewall, no root login, ssh keys only auth method, ansible playbook to check for an apply updates daily). Its sole purpose in life is to run wireguard. My various devices including NAS are clients that I allow access to the NAS over wireguard. I run PF on the wireguard interface and only allow access to specific services on the NAS. I don’t store anything sensitive on the NAS and I send encrypted backups to backblaze for files I don’t want to lose

In my equation it’s a level of risk I am happy with. And if something bad happens I’m prepared to rebuild everything in my home network from scratch.

Good luck deciding.

The internet is like the wild west. There are bandits and outlaws everywhere. But automated. Bandit bots and outlaw bots who scan the internet all the time for open ports, trying to see if they can find an outdated version of software for which they have exploits. Some bots even have zero day exploits, which are unknown to the manufacturer of the software (the manufacturer has known zero days about the exploit, hence the name). When they find a match they will automatically hack the software running on the port and try do privilege escalation (essentially become admin). Then they might install a copy of themselves on your machine, fortifying their bandit army (botnet). Most of the time the criminal behind the botnet can now also control your machine and do anything with it. Many times acces to these hacked machines also get sold on the darkweb to other criminals.

It’s a matter of risk tolerance and how much you trust Synology.

Zero day exploits.