
How to add extra security to your Synology NAS

Overview

When your Synology NAS is reachable from the Internet, attackers and malware can probe it and try to gain unauthorized access to sensitive data. This article gives tips and guides you through configuring your Synology NAS so that you minimize those risks and protect it from compromise.

Contents

  1. Before you start
  2. Create a new administrator account and disable the system default admin account
  3. Set up password strength rules
  4. Restrict suspicious IP addresses with auto block
  5. Protect your account with 2-step verification
  6. Enable HTTPS connection
  7. Secure FTP service
  8. Only open the public ports for needed services on the router
  9. Enable the browser's incognito mode or use the guest browsing feature when accessing your Synology NAS from a public computer

1. Before you start

This article assumes that you have done the following:

  • Completed hardware setup for your Synology NAS.
  • Installed and set up DiskStation Manager (DSM) on your Synology NAS.


2. Create a new administrator account and disable the system default admin account

By default, the administrator account on your Synology NAS is named admin and its password is blank. Because this default is the same on every unit, the login details are trivially guessed by anyone attempting to break into your Synology NAS.

To protect your Synology NAS, create a new account as the system administrator and then disable the default admin account. This section guides you through the required steps.

To create a new account as the system administrator:

  1. Log in to DSM using an account belonging to the administrators group.
  2. Go to Main Menu > Control Panel > User.
  3. Click Create, and then choose Create user from the drop-down menu.
  4. Enter a username and password of your choice and then click Next.
  5. Add the newly created user to administrators group by ticking the Add checkbox and then clicking Next.
  6. Assign shared folders permissions to the newly created administrator account by ticking the Read only, Read/Write, or No access checkbox, and then clicking Next.
  7. Assign usage quota if needed. Click Next.
  8. Grant the newly created administrator access to applications by ticking the Grant checkboxes and then clicking Next.
  9. Click Next.
  10. Click Apply to confirm settings for the newly created administrator account.
  11. In the Options menu, click Logout in order to log out from DSM.

Now we'll disable the default admin account so malicious parties won't be able to access it:

  1. Log in to DSM with the newly created administrator account.
  2. Go to Main Menu > Control Panel > User.
  3. Select the admin account and click Edit.
  4. Click Disable this account and then click OK.


3. Set up password strength rules

Several types of password rules can be enabled to reduce the risk of attackers guessing or brute-forcing user account passwords.

Note: Password rules apply only to new passwords, that is, when a new user is created or an existing user changes their password. Passwords that already exist are not re-checked, and the passwords of imported user accounts are excluded from this restriction.

To set up password strength rules:

  1. Go to Main Menu > Control Panel > User.
  2. On the User page, click Advanced.
  3. Tick the Apply password strength rules checkbox and enable any of the following rules:
    • Exclude name and description of user from password: The password must not contain the user name or the user description. This check does not cover UTF-8 encoded (non-ASCII) characters.
    • Allow mixed case: Mixed case letters are allowed in password.
    • Include numeric character: The password must contain at least one numeric character (0~9).
    • Include special character: The password must contain at least one ASCII special character (i.e., ~, `, !, @, #, $, %, ^, &, *, (, ), -, _, =, +, [, {, ], }, \, |, ;, :, ', ", <, >, /, ?).
    • Minimal password length: The password must be at least this many characters long. The value must be between 6 and 127.
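As an added worked example (not Synology's code), the following Python checks a candidate password against the rule set above: the minimum length, the numeric and ASCII special-character requirements, and the exclusion of the user name and description. The `PasswordPolicy` class, the case-insensitive substring check and the decision to skip non-ASCII names are assumptions about how DSM evaluates the rules, since the page does not specify them; the "Allow mixed case" rule is left out because the page does not describe it as a requirement.

```python
"""Password strength checker modelled on the DSM rule set described above.

Added example, not Synology's implementation. The enforcement details
(substring matching, handling of non-ASCII names) are assumptions.
"""
from dataclasses import dataclass

# The ASCII special characters listed in the DSM rule description.
SPECIAL_CHARS = set("~`!@#$%^&*()-_=+[{]}\\|;:'\"<>/?")


@dataclass
class PasswordPolicy:
    exclude_user_info: bool = True   # "Exclude name and description of user from password"
    require_numeric: bool = True     # "Include numeric character"
    require_special: bool = True     # "Include special character"
    min_length: int = 8              # "Minimal password length", DSM accepts 6..127

    def __post_init__(self) -> None:
        if not 6 <= self.min_length <= 127:
            raise ValueError("min_length must be between 6 and 127")

    def violations(self, password: str, username: str = "", description: str = "") -> list[str]:
        """Return a list of human-readable rule violations; empty means the password passes."""
        problems: list[str] = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if self.exclude_user_info:
            lowered = password.lower()
            for label, value in (("user name", username), ("description", description)):
                # Assumption: the rule is a case-insensitive substring check and, as the
                # page notes, UTF-8 (non-ASCII) content is not covered by it.
                if value and value.isascii() and value.lower() in lowered:
                    problems.append(f"contains the {label}")
        if self.require_numeric and not any(c.isdigit() for c in password):
            problems.append("no numeric character")
        if self.require_special and not any(c in SPECIAL_CHARS for c in password):
            problems.append("no ASCII special character")
        return problems

    def is_acceptable(self, password: str, username: str = "", description: str = "") -> bool:
        return not self.violations(password, username, description)


if __name__ == "__main__":
    policy = PasswordPolicy(min_length=8)
    for candidate in ("Tr0ub4dor&3", "alice!123", "longpassword"):
        print(candidate, "->", policy.violations(candidate, username="alice") or "ok")
```

Running the block with `min_length=8` reports `alice!123` as containing the user name and `longpassword` as missing both a digit and a special character, while `Tr0ub4dor&3` passes.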


4. Restrict suspicious IP addresses with auto block

Blocking an IP address after a pre-defined number of failed login attempts further strengthens the Synology NAS against password guessing and brute-force attacks. The count includes all failed login attempts via SSH, Telnet, rsync, Network Backup, Shared Folder Sync, FTP, WebDAV, Synology mobile apps, File Station, or DSM, so an attacker cannot spread attempts across services to stay under the threshold.

To enable IP auto block:

  1. Go to Main Menu > Control Panel > Security > Auto Block.
  2. Tick Enable auto block.
  3. Enter a number for Login attempts and Within (minutes) to block an IP address after the pre-defined number of failed login attempts within the specified minutes.
  4. Tick Enable block expiration and enter a number to remove a blocked IP address after the specified number of days.
  5. Click Apply.
  6. You can manage or remove blocked IP addresses by clicking Block List.
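The following Python is an added example (not DSM's implementation) of the auto-block logic the steps above configure: failed logins are counted per source IP across all services, an IP is blocked once `attempts` failures fall within `window_minutes`, and the block is removed again after `expire_days`. The log lines are constructed for this example and do not follow any real DSM log format.

```python
"""Sliding-window auto-block, modelled on the DSM settings described above.

Added example, not Synology code. SAMPLE_LOG is constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a syslog-like shape (not a real DSM log format).
SAMPLE_LOG = """\
2024-03-01 10:00:01 ssh    auth failed user=admin from=203.0.113.7
2024-03-01 10:00:05 ftp    auth failed user=admin from=203.0.113.7
2024-03-01 10:00:09 dsm    auth failed user=root from=203.0.113.7
2024-03-01 10:00:12 webdav auth failed user=admin from=203.0.113.7
2024-03-01 10:00:20 dsm    auth failed user=alice from=192.0.2.10
2024-03-01 10:00:30 dsm    auth ok user=alice from=192.0.2.10
2024-03-01 10:00:40 dsm    auth failed user=admin from=203.0.113.7
2024-03-01 10:30:00 dsm    auth failed user=bob from=198.51.100.5
2024-03-01 10:50:00 dsm    auth failed user=bob from=198.51.100.5
2024-03-01 11:20:00 dsm    auth failed user=bob from=198.51.100.5
2024-03-01 11:40:00 dsm    auth failed user=bob from=198.51.100.5
2024-03-01 12:00:00 dsm    auth failed user=bob from=198.51.100.5
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+)\s+auth (failed|ok) user=(\S+) from=(\S+)$")
TS_FORMAT = "%Y-%m-%d %H:%M:%S"


class AutoBlock:
    def __init__(self, attempts: int = 5, window_minutes: int = 10, expire_days: int = 1) -> None:
        self.attempts = attempts                       # "Login attempts"
        self.window = timedelta(minutes=window_minutes)  # "Within (minutes)"
        self.expire = timedelta(days=expire_days)      # "Enable block expiration"
        self.failures: dict[str, deque] = defaultdict(deque)  # ip -> recent failure times
        self.block_list: dict[str, datetime] = {}      # ip -> time the block expires

    def is_blocked(self, ip: str, now: datetime) -> bool:
        until = self.block_list.get(ip)
        if until is None:
            return False
        if now >= until:                # block expiration: drop the stale entry
            del self.block_list[ip]
            return False
        return True

    def is_blocked_at(self, ip: str, timestamp: str) -> bool:
        return self.is_blocked(ip, datetime.strptime(timestamp, TS_FORMAT))

    def record(self, ip: str, ts: datetime, failed: bool) -> bool:
        """Record one login event; return True if the IP is (now) blocked."""
        if self.is_blocked(ip, ts):
            return True
        if not failed:
            return False
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:  # forget failures outside the window
            recent.popleft()
        if len(recent) >= self.attempts:
            self.block_list[ip] = ts + self.expire
            recent.clear()
            return True
        return False


def process_log(text: str, attempts: int = 5, window_minutes: int = 10, expire_days: int = 1) -> AutoBlock:
    """Replay log lines through the auto-block state machine and return it."""
    ab = AutoBlock(attempts, window_minutes, expire_days)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), TS_FORMAT)
        ab.record(m.group(5), ts, failed=(m.group(3) == "failed"))
    return ab


if __name__ == "__main__":
    state = process_log(SAMPLE_LOG)
    for ip, until in state.block_list.items():
        print(f"{ip} blocked until {until}")
```

With 5 attempts within 10 minutes, 203.0.113.7 is blocked on its fifth failure even though the attempts were spread over SSH, FTP, WebDAV and DSM, while 198.51.100.5 never trips the rule because its failures are more than 10 minutes apart; widening the window to 90 minutes catches it, which is the trade-off the "Within (minutes)" setting controls.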


5. Protect your account with 2-step verification

2-step verification provides improved security for your DSM account. When it is enabled, you must enter a one-time verification code in addition to your password when logging in to DSM. Verification codes are generated by an authenticator app installed on your mobile device, so anyone who wants to access your account needs not only your username and password but also your mobile device.

Requirements: 2-step verification requires a mobile device and an authenticator app which supports the Time-based One-Time Password (TOTP) protocol. Authenticator apps include Google Authenticator (Android/iPhone/BlackBerry) or Authenticator (Windows Phone).

To enable 2-step verification:

  1. In the Options menu, click Options.
  2. Tick the Enable 2-step verification box to launch the 2-step verification setup wizard. Click Next.
  3. Enter an email address. Emergency verification codes can be sent to this email address in case your mobile device is lost. Click Next.
  4. Download and install an authenticator app, such as Google Authenticator (Android/iPhone/BlackBerry) or Authenticator (Windows Phone).
  5. Open your authenticator app and scan the QR code.
  6. Alternatively, you can click the link to manually enter a secret key. Click OK to close the window.
  7. Your authenticator app now generates a 6-digit verification code. Enter this code into the wizard text field to confirm that the configuration is correct. If an error occurs, make sure the clock on your mobile device is synchronized with the system time of DSM: TOTP codes are derived from the current time, so a clock that is off by more than the tolerated window produces codes that DSM rejects. Codes also change periodically, so make sure the code you enter has not expired. Click Next.
  8. Click Close to finish the setup.
  9. Once the setup wizard is finished, click OK to save settings.
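To show what the wizard and the authenticator app are doing, here is an added Python example (not DSM's or Google Authenticator's code) of the TOTP protocol the page names: the shared secret in the Base32 form carried by the QR code or manual key, the 6-digit code derived from the current 30-second time step, and verification that accepts a code from the neighbouring step so that a slightly skewed phone clock still works while a badly skewed one fails, as described in step 7. The secret is the RFC 6238 test-vector secret so the codes can be checked against the RFC's published table; the one-step tolerance is an assumption, since the page does not state how much skew DSM accepts.

```python
"""TOTP (RFC 6238) enrolment and verification, as used by 2-step verification.

Added example, not Synology code. The skew tolerance of one step is an
assumption; RFC_SECRET is the published RFC 6238 test-vector secret.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # one code per 30-second time step
DIGITS = 6          # DSM shows and expects 6-digit codes


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(secret, unix_time // STEP_SECONDS)


def manual_entry_key(secret: bytes) -> str:
    """Base32 form of the secret, which is what the QR code / manual key carries."""
    return base64.b32encode(secret).decode("ascii")


def verify(secret: bytes, code: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Accept the code for the current step or up to skew_steps on either side.

    A phone whose clock is a few seconds off therefore still works; a clock that
    is off by more than the window yields codes that are rejected, which is the
    'synchronize the system time' failure described in step 7.
    """
    if len(code) != DIGITS or not code.isdigit():
        return False
    step = unix_time // STEP_SECONDS
    for delta in range(-skew_steps, skew_steps + 1):
        # Constant-time comparison so timing does not leak how many digits matched.
        if hmac.compare_digest(hotp(secret, step + delta), code):
            return True
    return False


# RFC 6238 test-vector secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    now = int(time.time())
    print("manual entry key:", manual_entry_key(RFC_SECRET))
    print("current code:    ", totp(RFC_SECRET, now))
    print("verifies now?    ", verify(RFC_SECRET, totp(RFC_SECRET, now), now))
```

The Base32 key printed by the block is exactly what a user would type under "manually enter a secret key", and any RFC 6238 authenticator fed that key shows the same 6-digit codes as `totp()`; the last six digits of the RFC's 8-digit SHA-1 vectors (for example 94287082 at T=59) are what a 6-digit code produces.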

To log into DSM with 2-step verification:

When 2-step verification is enabled, you will be prompted to enter a 6-digit verification code when logging into DSM.

  1. On the DSM login screen, enter your username and password as usual.
  2. When prompted to enter a verification code, open the authenticator app on your mobile device.
  3. Find and enter the 6-digit verification code for your account. If your mobile device is lost, click the Lost phone? link and an emergency code will be sent to your email address.

Notes:

  • SMTP settings: To receive emergency codes via email, the SMTP server settings under Control Panel > Notification must be set up properly.
  • Emergency code limit: Each user has a limit of 5 emergency codes. Once you exceed it, you must disable and re-enable 2-step verification before receiving any more emergency codes.

6. Enable HTTPS connection

HTTPS is HTTP carried over an SSL/TLS connection. When HTTPS is enabled, connections to DSM, Web Station, Photo Station, File Station, Audio Station, and Surveillance Station are encrypted in transit, so your credentials and data cannot be read or altered by anyone on the network path between you and the Synology NAS. See the how-to article on enabling HTTPS for the required steps.

7. Secure FTP service

Synology NAS supports secure (encrypted) FTP connections once you enable the FTP service; see the FTP help for details. Plain FTP sends user names, passwords and file contents in cleartext, so use the encrypted variant for any FTP connection that crosses the Internet.

8. Only open the public ports for needed services on the router

Synology NAS is designed to be easily accessed via the Internet. Its EZ-Internet feature guides you through the steps to set up remote access to your Synology NAS; if your router is not supported by EZ-Internet, you can configure the router's port forwarding manually. See the how-to article on setting up Internet access for the required steps.

To keep your Synology NAS secure, we strongly recommend forwarding only the ports of the services you actually need to reach from the Internet and leaving every other port closed on the router. Each forwarded port exposes a service to the entire Internet, so review the list whenever you stop using a service.

9. Enable the browser's incognito mode or use the guest browsing feature when accessing your Synology NAS from a public computer

When you browse in incognito mode, the pages you view do not appear in the browser or search history and leave no other traces, such as cookies, on the computer once all incognito windows are closed. We therefore encourage users to enable incognito mode when accessing a Synology NAS from a public computer; consult your browser's documentation for how to enable its incognito or private browsing mode. Incognito mode only prevents traces from being left behind and does not protect you from malware already present on a public machine, so log out of DSM explicitly when you are done.


Tags: Security