this post was submitted on 23 Nov 2023

Homelab

...without snark or jumping down my throat. I genuinely want to know why it's so unsafe.

I'm running a Synology DS920+, with my DSM login exposed through a Cloudflare tunnel. I have 2FA enabled, Synology firewall enabled with these rules in place. I also have this IP blocklist enabled.

After all of this, how would someone be able to break in via the DSM login?

(page 2) 39 comments
[–] RogueAfterlife@alien.top 1 points 2 years ago (1 children)

It’s kinda like leaving your car unlocked and leaving your purse or wallet visible in your dashboard. Some may see it and choose not to exploit but some people will. What if you didn’t park your car there in the first place?

[–] lesigh@alien.top 1 points 2 years ago (1 children)
[–] DangKilla@alien.top 1 points 2 years ago

Exactly this. I worked in a data center and when big zerodays hit, you could be certain you were wiping a few servers.

For a home lab, it could be anything from NAS access to the drives or access to your Voip cameras

[–] Fallyfall@alien.top 1 points 2 years ago

I'm by no means any security expert, but my 2 cents are these:

  • Zero-day attacks, where the name refers to how many days a vulnerability has been known when first used. These are more or less impossible to safeguard against. The only thing that would delay an attacker in your setup is 2FA. But can you be sure there aren't any weaknesses or vulnerabilities in your 2FA setup? Kaspersky mentions a few interesting zero-days on their resource center.
  • Blocking all countries except the one you live in can create a false sense of security because VPS are a thing and hosted in most countries. That means that a malicious person could spin up a VPS in a country which is allowed to access your public-facing address.
  • Depending on what kind of services you run, there could be privilege escalations which could grant an attacker more leverage to find weaknesses in software. I think Darknet Diaries' episode on the LinkedIn incident explains this well.
[–] horus-heresy@alien.top 1 points 2 years ago (2 children)

Did you Google or ask ChatGPT about the risks of letting bad actors brute force or potentially use some zero day with some crazy URL that can let them encrypt all your family pictures and other data? If you want to access from outside, do that through some reverse proxy like find proxy manager or traefik

[–] Missing_Space_Cadet@alien.top 1 points 2 years ago (2 children)
[–] OneBreakfastPlease@alien.top 1 points 2 years ago

Very helpful. Thanks for your contribution to the community.

[–] FredrickandNeval@alien.top 1 points 2 years ago

From experience most NAS drives, cctv boxes are built cheap and dirty. They are often slow and the proud product of a shite company/software developer.

Bad actors are running scripts on their servers, automatically looking for known exploits in pages, ports and software. They are actively scanning thousands of WAN-facing devices a minute.

Web pages are often written with poor practices. There is little to no care for security but just enough to satisfy the end user.

JavaScript-protected pages (may as well just write the password on the page)

Usernames and passwords embedded into source code. Session variables stored in cookies in plain text. Vulnerable to session hijacking, man in the middle attacks, and more.

One device we pen tested a few years back allowed access to the settings page without logging in. This is due to a header redirect being incorrectly used. The page served the form and tried to redirect the browser. We just stopped the redirect. Changed the password and logged in normally. Potato Security at its best.

These devices often do not have any rate limiting or firewall, which means brute forcing is nothing but pure playground for a nice database of known usernames and passwords. GPUs are fantastic for brute forcing. The more you have the faster you can test usernames and password combinations.

If you must share file access, set up a VPN. Tunnel into your network securely and then access your NAS.

Assume everyone is gonna get you.

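The "header redirect being incorrectly used" bug in the comment above, reconstructed as an added example by the editor (not code from the commenter or from any product named in the thread). A handler returns (status, headers, body); the vulnerable pair sets a Location header for unauthenticated callers but falls through and still renders the settings form and still applies the password change, so a client that ignores the redirect (curl without -L, or an intercepting proxy with redirect-following off) walks straight in. The page names, form fields and in-memory admin record are invented for the example.

```python
"""Added example: redirect-without-return on a privileged page, and the fix.

Handlers return (status, headers, body).  ADMIN and the form markup are
constructed sample state, not taken from any real device.
"""

ADMIN = {"password": "factory-default"}      # constructed sample state
SETTINGS_FORM = (
    '<form method="post" action="/settings">'
    '<input name="new_password"><button>Save</button></form>'
)


def logged_in(request: dict) -> bool:
    # Stand-in for a real server-side session lookup (assumption: the request
    # dict carries an already-validated flag).
    return bool(request.get("session_valid"))


def settings_page_vulnerable(request: dict):
    status, headers = 200, {}
    if not logged_in(request):
        # BUG: the redirect is only *scheduled*; execution falls through and
        # the privileged form is still built and sent alongside the 302.
        status, headers = 302, {"Location": "/login"}
    return status, headers, SETTINGS_FORM


def change_password_vulnerable(request: dict):
    status, headers = 200, {}
    if not logged_in(request):
        # Same pattern on the POST handler: the change still happens.
        status, headers = 302, {"Location": "/login"}
    ADMIN["password"] = request["form"]["new_password"]
    return status, headers, "saved"


def settings_page_fixed(request: dict):
    if not logged_in(request):
        # Return immediately: nothing privileged is rendered on this path.
        return 302, {"Location": "/login"}, ""
    return 200, {}, SETTINGS_FORM


def change_password_fixed(request: dict):
    if not logged_in(request):
        return 302, {"Location": "/login"}, ""
    ADMIN["password"] = request["form"]["new_password"]
    return 200, {}, "saved"


def attack(settings_handler, change_handler, new_password: str) -> str:
    """Replay the described attack with no session at all: fetch the settings
    page, ignore the Location header, and if the form leaked, submit it.
    Returns the admin password afterwards."""
    ADMIN["password"] = "factory-default"
    _status, _headers, body = settings_handler({})
    if "new_password" in body:                 # the form should never be here
        change_handler({"form": {"new_password": new_password}})
    return ADMIN["password"]


if __name__ == "__main__":
    print("vulnerable:", attack(settings_page_vulnerable, change_password_vulnerable, "pwned"))
    print("fixed:     ", attack(settings_page_fixed, change_password_fixed, "pwned"))
```

The check to apply when reviewing embedded-device web code is simply: after every authentication failure branch, does control return, or does it keep going? The status code in the browser's address bar says nothing about what was in the body.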
[–] mykesx@alien.top 1 points 2 years ago

Evil hacker wants to log in. You are making it much easier.

[–] Accomplished-Feed123@alien.top 1 points 2 years ago (1 children)

Question: and I ask here because I think it pertains to the conversation but I’m not sure. I enjoy using the remote connect features of my Synology NAS. I do DDNS and quick connect. I use 2FA and a 14-16 character password. I’ve disabled the default admin account and I use the firewall.

I like to use my iPhone to stream movies and look at docs while on the road.

Am I at a huge risk?

[–] OneBreakfastPlease@alien.top 0 points 2 years ago

According to most of the cybersecurity experts in this thread, probably lol

[–] null_rm-rf@alien.top 1 points 2 years ago

Get hacked by some vulnerability.

[–] vdubster007@alien.top 1 points 2 years ago (1 children)

It all comes down to risk management at the end of the day. And the good old equation threat X asset X vulnerability = risk.

So how sensitive is your data? At the end of the day this is the asset you are protecting. Is it all of your family photos and memories with no backup? Or is it your animated GIF collection from '99 before giphy made it obsolete? What is the IMPACT if this gets compromised?

In terms of threats what do you worry about? Ransomware, script kiddies, organized crime? And which do you think you can reasonably mitigate against.

It is impossible to predict potential future vulnerabilities in a product. There could be unauthenticated remote code execution vulnerabilities that grant an attacker remote access. Vulnerabilities are reduced with controls so you have some in place. What about patch management, etc? With your controls in place what is the likelihood that the threat you care about could impact you?

Out comes a risk value (low, medium, high).

Do you accept it or not?

For me I have a tiny FreeBSD server running that I've hardened (pf firewall, no root login, SSH keys as the only auth method, Ansible playbook to check for and apply updates daily). Its sole purpose in life is to run WireGuard. My various devices including the NAS are clients that I allow access to the NAS over WireGuard. I run pf on the WireGuard interface and only allow access to specific services on the NAS. I don't store anything sensitive on the NAS and I send encrypted backups to Backblaze for files I don't want to lose.

In my equation it’s a level of risk I am happy with. And if something bad happens I’m prepared to rebuild everything in my home network from scratch.

Good luck deciding.

[–] _subtype@alien.top 1 points 2 years ago

It all comes down to risk management at the end of the day. And the good old equation threat X asset X vulnerability = risk.

Surprised to see this answer so low in the post! I agree; you want to reduce the attack surface and vectors as much as you can to a minimal footprint + security through layers and a good dash of obscurity

[–] Urzu_X@alien.top 1 points 2 years ago

Running a service through a Cloudflare tunnel is not exactly the same as "exposing the service on the internet". It's more towards a VPN/overlay kind of approach and not exactly the same as forwarding ports and pointing DNS entries to actually "expose" your service on the wider internet (other users may feel free to correct me here). Still won't recommend this with any "sensitive data", but if all you have is a bunch of music and TV shows then you're good there. At the end it all depends on the level of security that you are willing to work with.

[–] Solarflareqq@alien.top 1 points 2 years ago
[–] Interesting_Mango948@alien.top 1 points 2 years ago

Baseline, STIG, harden. Is your MFA SMS?

[–] linerror@alien.top 1 points 2 years ago

your NAS runs software that is neither hardened for nor designed for direct internet access...

synology has had a plethora of exploits over the years... https://www.synology.com/en-global/security/advisory including but not limited to ransomware taking over the nas and encrypting all of your data... and that's just the exploits THEY KNOW ABOUT. synology often takes MONTHS if not over a year to resolve critical issues that normal customers won't be affected by with best practices...

synology's own guidelines clearly state

Do not expose DSM to the Internet unless necessary.

If you must access file services over the Internet, it is strongly recommended that you use a VPN to connect to your Synology device.

https://kb.synology.com/en-ro/DSM/tutorial/How_can_I_prevent_ransomeware_attacks_on_my_Synology_device

direct internet access to your nas is a timebomb. you will lose your data, others will view your data, and you put your entire network at risk by doing so.

[–] shrugal@lemm.ee 1 points 2 years ago* (last edited 2 years ago)

It's a matter of risk management, and your personal situation and willingness to sacrifice convenience to reduce risk. There are many aspects that can affect risk, e.g. how often a software is updated, if it's open or closed source, how widely used it is, your personal level of relevant IT knowledge, the likelihood of a serious attack, what you are actually protecting, and so on.

One central rule is that more attack surface leads to a higher risk of security breaches (e.g. by discovering new vulnerabilities), and hiding everything behind a VPN reduces the attack surface to just one piece of software that's mainly focused on security. Additional public entry points add convenience but also increase your attack surface, so you have to find a level you are personally comfortable with.

In my opinion and experience, if an app is made for public access, in a production ready state and already widely used, if you trust the creator in general and with security updates in particular, and if you trust your own knowledge and ability to configure it correctly and keep all the relevant doors closed, then it's completely fine to make it publicly accessible in most cases. The security risk is not zero, but it's way overblown by some people in tech forums.

In your case, the login page behind a CF tunnel with 2FA enabled and yourself on the lookout for possible vulnerabilities sounds like an acceptable level of risk to me, unless the data on your NAS could start a nuclear war or something.

[–] domanpanda@alien.top 1 points 2 years ago

Even if your login page is not easy to break, it will be indexed by robots or by hackers in their lists. And they will test on it every vulnerability that gets published for any DSM component. Using VPNs like ZeroTier or Tailscale is definitely MUCH more secure than all of those tweaks, and easier to set up too.

But of course it's YOUR data so ... good luck :)

[–] BobcatTime@alien.top 1 points 2 years ago

With Cloudflare authentication it is probably gonna be fine with IP block filter etc. It would probably filter 99.999% of the malicious attacks already.

But still, why do you need to expose it? I only have my Jellyfin exposed cos idc much about JF data and network, cos it's on a separate VLAN and stuff. All my management and NAS are only accessible through VPN, cos I wouldn't need access outside that often, only when something happens.

[–] okbruh_panda@alien.top 1 points 2 years ago (1 children)
[–] MRP_yt@alien.top 1 points 2 years ago

If you open your login page to internet without security, someone one day will have a field trip inside your NAS files and will find all your "i know what you did last summer" photos.

I do have a DS423+ and I am also using a Cloudflare tunnel to access it from anywhere.

My CF Tunnel setup done like this:

Domain: nas.example.com points to http://1.2.3.4: and i have 2 access rules added.

One of these rules NEEDS to match otherwise - "You Shell Not Pass"
#1: Public IP needs to be matched as my public IP
#2: Person who wants to login needs to authenticate via Google Authentication. Google authentication needs to match test1@gmail.com or test2@gmail.com

While I am at home, I use nas.example.com to access my NAS instead of using its local IP and Cloudflare allows access with no questions asked.
While I am outside my home network I get asked to authenticate via Google and gain access this way.

+CF Tunnel adds https automatically for me.

I don't use any firewall setup or any other rules inside NAS.

[–] R8nbowhorse@alien.top 1 points 2 years ago

Because you're going to be hit by the next of the countless pre-authentication vulnerabilities that constantly pop up for appliances like yours.

All your security measure will do absolutely nothing in that case.

I don't get why you don't just set up a VPN. It isn't more complicated than what you did, and offers far superior protection. And for 99% of use cases, you don't lose any functionality either.

[–] hdd-housing@alien.top 1 points 2 years ago

https://www.synology.com/en-us/security/advisory

https://www.cvedetails.com/vulnerability-list/vendor_id-11138/Synology.html

You can look through all known issues.

But don't get me wrong, I'm glad they provide the information!

Don't know how much a Cloudflare tunnel protects you. Maybe it's only security by obscurity.

[–] MiteeThoR@alien.top 1 points 2 years ago

Millions of hostile computers are cruising the internet looking for literally anything that can be exploited. Do not give them an opportunity by exposing a login page unnecessarily.

[–] GOVStooge@alien.top 1 points 2 years ago

NAS appliances aren't known for their login security

[–] ridiculousransom@alien.top 1 points 2 years ago

Your reasons why are https://www.cvedetails.com/vulnerability-list/vendor_id-11138/Synology.html?page=1&cvssscoremin=8&order=1&trc=250&sha=3d655d1befa87d00b4ee6efb440f2b83c057d878

It only takes one exploit abused by a nation state threat actor and you’ll be part of the next news where 100s of thousands of NAS appliances were cryptoed with ransomware.

I would say you’re safer with Cloudflare tunnel providing you’re utilizing blacklisting on Cloudflare where only certain trusted IPs are allowed.

For a better solution I’d ask you to look at Tailscale and their easy VPN technology. https://tailscale.com/kb/1131/synology/

Stay safe out there.

Signed, Your friendly cybersecurity leader

[–] PickleSavings1626@alien.top 1 points 2 years ago

because attackers can now access it. this gives them unlimited amount of times to try and break in. this isn’t as safe as not exposing it to attackers.

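Two comments in this thread (FredrickandNeval's "no rate limiting ... pure playground for a database of known usernames and passwords", and PickleSavings1626's "unlimited amount of times to try") describe the same gap. Here is an added example by the editor, not code from any commenter or from DSM, of what closing it looks like: a per-(client IP, username) throttle with exponential backoff, together with the detail that bites behind a Cloudflare tunnel. The NAS sees every connection arriving from the local cloudflared process, so a limiter keyed on the socket peer address would block everyone (or nobody) at once; the real client address has to come from the CF-Connecting-IP header, and it should be trusted only when the connection actually came from that proxy, because a direct caller could otherwise forge the header to reset its own counter. The proxy address, sample client addresses, the password check and the attempt timeline are all constructed for the example.

```python
"""Added example: login throttling with exponential backoff, client address
resolved correctly behind a Cloudflare tunnel.  All addresses and the
password check are constructed sample data.
"""
import time

TRUSTED_PROXIES = {"127.0.0.1"}   # assumption: cloudflared runs on the NAS itself


def client_ip(peer_addr: str, headers: dict) -> str:
    """Real client address: honour CF-Connecting-IP only from the known proxy."""
    if peer_addr in TRUSTED_PROXIES and "CF-Connecting-IP" in headers:
        return headers["CF-Connecting-IP"]
    return peer_addr


class LoginThrottle:
    """Exponential backoff per key (client IP, username).

    Delay after n consecutive failures = min(base * 2**(n-1), max_delay).
    The counter clears on success or after `reset_after` quiet seconds.
    """

    def __init__(self, base=1.0, max_delay=900.0, reset_after=3600.0, now=time.monotonic):
        self.base, self.max_delay, self.reset_after, self.now = base, max_delay, reset_after, now
        self._state = {}   # key -> (failures, blocked_until, last_failure_time)

    def allowed(self, key) -> bool:
        failures, blocked_until, last = self._state.get(key, (0, 0.0, 0.0))
        t = self.now()
        if failures and t - last > self.reset_after:
            del self._state[key]          # stale entry: forget it
            return True
        return t >= blocked_until

    def record_failure(self, key) -> float:
        failures = self._state.get(key, (0, 0.0, 0.0))[0] + 1
        delay = min(self.base * 2 ** (failures - 1), self.max_delay)
        t = self.now()
        self._state[key] = (failures, t + delay, t)
        return delay

    def record_success(self, key) -> None:
        self._state.pop(key, None)


def attempt_login(throttle, peer_addr, headers, username, password, check) -> str:
    """Returns 'throttled', 'denied' or 'ok'.  Throttled attempts are never
    evaluated, so they cannot leak anything about the stored credential."""
    key = (client_ip(peer_addr, headers), username)
    if not throttle.allowed(key):
        return "throttled"
    if check(username, password):
        throttle.record_success(key)
        return "ok"
    throttle.record_failure(key)
    return "denied"


class FakeClock:
    """Controllable clock so the scenario below is deterministic."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def simulate_brute_force():
    """Constructed scenario: an attacker coming through the tunnel guesses
    twice per second against 'admin'; every outcome is returned so the
    backoff (1 s after the first failure, 2 s after the second) is visible."""
    clock = FakeClock()
    throttle = LoginThrottle(now=clock)
    hdrs = {"CF-Connecting-IP": "203.0.113.7"}   # what Cloudflare would set
    check = lambda user, pw: user == "admin" and pw == "correct horse battery"
    results = []
    for guess, t in [("wrong1", 0.0), ("wrong2", 0.5), ("wrong3", 1.0),
                     ("wrong4", 2.0), ("correct horse battery", 3.0)]:
        clock.t = t
        results.append(attempt_login(throttle, "127.0.0.1", hdrs, "admin", guess, check))
    return results


if __name__ == "__main__":
    print(simulate_brute_force())
```

Note that `client_ip` returns the raw peer address for anyone who reaches the origin without going through the proxy; if the NAS is truly only reachable via the tunnel that path never fires, and if it is reachable some other way, that is the exposure the rest of this thread is about.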
[–] vtKSF@alien.top 0 points 2 years ago (2 children)

HEY MAN,

Just go ahead and get hacked and learn, there’s literally no point in even asking if you lean toward not taking anything anyone says with a grain of salt.

Otherwise VPN or Cloudflare tunnel into the machine.

Bye

[–] Royal_Error_3784@alien.top 0 points 2 years ago (1 children)
[–] OneBreakfastPlease@alien.top 1 points 2 years ago

Thanks for your contribution to the community, it's much appreciated :)
