How to secure your Synology NAS server on the Internet (DSM 4)

Overview

When you connect your DiskStation to the Internet, there is a chance that hackers and viruses will attack it and try to gain unauthorized access to your sensitive data. This article guides you through best practices, including configuration settings on the Synology and tips for users, that reduce the attack surface of your DiskStation and minimize the risk of it being compromised by intruders.

Contents

  1. Before you start
  2. Create a new account as the system administrator and disable the system default admin account on DiskStation
  3. Enable Password Strength service
  4. IP Auto Block
  5. Enable HTTPS connection
  6. Secure FTP service
  7. Only open the public ports for needed services on the router
  8. Enable the browser's incognito mode or use the guest browsing feature when accessing DiskStation from a public computer

1. Before you start

This article assumes that you have done the following tasks for your DiskStation:

  • Hardware installation for Synology DiskStation.
  • Software installation for Synology DiskStation Manager (DSM, web-based operating system of DiskStation).
  • Creating volumes and shared folders (See here).

Refer to Quick Installation Guide for more information about hardware and software installation. You can also see Synology DiskStation User's Guide (available at Synology's Download Center) for a general idea about topics related to this article.

2. Create a new account as the system administrator and disable the system default admin account on DiskStation

By default, the administrator account of your DiskStation is admin and the password is blank. It is insecure to keep using this default account: interested parties can run password cracking programs against it in order to break into your DiskStation.

Therefore, we strongly recommend that you create a new private account as the system administrator and then disable the system default admin account. This section will guide you through the steps required.

To create a new account as the system administrator:

  1. Log in to DSM as admin.
  2. Go to Main Menu > Control Panel > User.
  3. On User page, click Create, and then choose Create User from the drop-down menu.
  4. Enter your credentials and then click Next.
  5. Add the newly created user to System default admin group by ticking the Add checkbox and then click Next.
  6. Assign shared folders' privileges to the newly created administrator account by ticking the Read only, Read/Write, or No access checkbox, and then click Next.
  7. Assign usage quota if needed. Firstly, tick the Enable quota checkbox. Secondly, fill in how many GB you would like to assign to the newly created administrator account. Finally, click Next.
  8. Grant the newly created administrator access right to applications by ticking the Grant checkboxes and then click Next.
  9. Click Apply to confirm settings for the newly created administrator account.
  10. In the admin drop-down menu, click Logout in order to log out from DSM.

To disable the system default “admin” account for a DiskStation:

  1. Log in to DSM with the newly created administrator account.
  2. Go to Main Menu > Control Panel > User.
  3. On the User page, click the row of the system default user “admin”. Once this row is highlighted in blue, click Edit.
  4. Click Disable this account and then click OK.

3. Enable Password Strength service

DSM offers multiple password rules. Enabling these password restrictions reduces the risk of accounts being cracked.

Note 1: Password restrictions apply only to new passwords, that is, when a new user is created or when a user changes their password. The passwords of imported user accounts are excluded from the restriction.

To enable Password Strength service:

  1. Go to Main Menu > Control Panel > User.
  2. On the User page, click Password Strength.
  3. Tick the Apply password strength rules checkbox, tick the checkboxes of the rules you want to activate, and then click Apply.

Note 2: The detailed regulation of each password strength rule is listed below for your information:

    Exclude name and description of user from password: The password must not contain the user name or the user description. UTF-8 encoded characters are excluded.

    Allow mixed case: Mixed case letters are allowed in the password.

    Include numeric character: The password must contain at least one numeric character (0~9).

    Include special character: The password must contain at least one ASCII special character (i.e., ~, `, !, @, #, $, %, ^, &, *, (, ), -, _, =, +, [, {, ], }, \, |, ;, :, ', ", <, >, /, ?).

    Minimal password length: The password must be longer than this value. The value must be a number between 6 and 127.
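
The rules above can be expressed as a small validator. The following is an added example, not code from DSM or Synology: it checks a candidate password against the restrictions listed in Note 2 so that an administrator can see, before handing out a password, which rule it would fail. The function name, the default minimal length of 8, the case-insensitive name comparison and the handling of non-ASCII names are assumptions of this example.

```python
import string

# ASCII special characters accepted by the "Include special character" rule,
# exactly as listed in the article.
ASCII_SPECIAL = set("~`!@#$%^&*()-_=+[{]}\\|;:'\"<>/?")


def check_password(password, username="", description="",
                   exclude_name=True, require_numeric=True,
                   require_special=True, min_length=8):
    """Return the names of the DSM password strength rules the password
    violates; an empty list means the password would be accepted.

    Which rules are active, and the default minimal length of 8, are
    assumptions of this example: in DSM each rule is an individual checkbox.
    """
    if not 6 <= min_length <= 127:
        raise ValueError("minimal password length must be between 6 and 127")

    violations = []

    # Exclude name and description of user from password. The comparison is
    # case-insensitive here (assumption) and, following the article's remark
    # that UTF-8 encoded characters are excluded, a name or description that
    # contains non-ASCII characters is not checked at all (assumption).
    if exclude_name:
        lowered = password.lower()
        for label, value in (("user name", username), ("description", description)):
            if value and value.isascii() and value.lower() in lowered:
                violations.append(f"contains {label}")

    # "Allow mixed case" permits rather than requires mixed case, so there is
    # nothing for it to reject and it is not modelled here.

    # Include numeric character: at least one of 0-9.
    if require_numeric and not any(c in string.digits for c in password):
        violations.append("no numeric character")

    # Include special character: at least one character from the ASCII set above.
    if require_special and not any(c in ASCII_SPECIAL for c in password):
        violations.append("no ASCII special character")

    # Minimal password length: the article states the password must be longer
    # than the configured value, so a password of exactly min_length fails.
    if len(password) <= min_length:
        violations.append("too short")

    return violations


if __name__ == "__main__":
    samples = (("Admin!2024pass", "admin"), ("Tr0ub4dor&3", "bob"), ("password", "bob"))
    for pw, user in samples:
        print(f"{pw!r} for {user}: {check_password(pw, username=user) or 'OK'}")
```

Note that a password of exactly the configured minimal length is rejected, which matches the "longer than this value" wording rather than the "at least" semantics most policy engines use; if you document a policy for users, state the minimum they actually need.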

4. IP Auto Block

Blocking an IP address after a pre-defined number of failed login attempts further strengthens the security of the DiskStation against unauthorized access. Failed login attempts via SSH, Telnet, rsync, Network Backup, Shared Folder Sync, FTP, WebDAV, Synology mobile apps, File Station, or DSM all count toward the same total.

To enable IP auto block:

  1. Go to Main Menu > Control Panel > Auto Block.
  2. Tick Enable auto block.
  3. Enter a number for Login attempts and Within (minutes) to block an IP address after the pre-defined number of failed login attempts within the specified minutes.
  4. Tick Enable block expiration and enter a number of days after which a blocked IP address is removed from the block list. If this option is not selected, or if Unblock after (days) is set to 0, blocked IP addresses remain on the block list indefinitely unless manually removed.
  5. Click Apply.
  6. You can manage or remove blocked IP addresses by clicking Block List.
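
To see how the three settings interact, here is an added example that is not DSM's own implementation: a sliding-window model of Auto Block replayed over a constructed set of failed-login events. The class and function names, the event format and the sample addresses are assumptions of this example; the values being illustrated are the article's Login attempts, Within (minutes) and Unblock after (days) settings.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of failed logins as (timestamp, source IP, service).
# These are not real DSM log lines; they only stand in for the attempts
# DSM counts across SSH, FTP, WebDAV, File Station, DSM and the other
# services named in the article.
SAMPLE_EVENTS = [
    ("2013-05-01 10:00:00", "203.0.113.7", "ssh"),
    ("2013-05-01 10:00:20", "203.0.113.7", "ftp"),
    ("2013-05-01 10:00:40", "203.0.113.7", "dsm"),
    ("2013-05-01 10:01:00", "203.0.113.7", "webdav"),
    ("2013-05-01 10:01:30", "203.0.113.7", "ssh"),
    ("2013-05-01 10:01:30", "198.51.100.9", "dsm"),
    ("2013-05-01 10:30:00", "198.51.100.9", "dsm"),
    ("2013-05-01 11:00:00", "198.51.100.9", "dsm"),
    ("2013-05-01 11:30:00", "198.51.100.9", "dsm"),
    ("2013-05-01 12:00:00", "198.51.100.9", "dsm"),
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


class AutoBlock:
    """Sliding-window model of the three Auto Block settings (assumed names)."""

    def __init__(self, login_attempts=5, within_minutes=5, unblock_after_days=0):
        self.login_attempts = login_attempts
        self.within = timedelta(minutes=within_minutes)
        # 0 (or expiration not enabled) keeps entries on the list indefinitely,
        # as the article describes.
        self.expiry = timedelta(days=unblock_after_days) if unblock_after_days > 0 else None
        self.failures = defaultdict(deque)  # ip -> timestamps still inside the window
        self.block_list = {}                # ip -> time the block started

    def _expire(self, now):
        if self.expiry is None:
            return
        for ip, blocked_at in list(self.block_list.items()):
            if now - blocked_at >= self.expiry:
                del self.block_list[ip]

    def is_blocked(self, ip, now):
        self._expire(now)
        return ip in self.block_list

    def record_failure(self, ip, now):
        """Count one failed login; return True if it triggers a block."""
        self._expire(now)
        if ip in self.block_list:
            return False
        window = self.failures[ip]
        window.append(now)
        # Drop attempts older than "Within (minutes)".
        while now - window[0] > self.within:
            window.popleft()
        if len(window) >= self.login_attempts:
            self.block_list[ip] = now
            window.clear()
            return True
        return False

    def unblock(self, ip):
        """Manual removal, as done from the Block List dialog."""
        self.block_list.pop(ip, None)


def replay(events, **settings):
    """Feed the events through an AutoBlock instance and return it."""
    ab = AutoBlock(**settings)
    for ts, ip, _service in events:
        ab.record_failure(ip, parse_ts(ts))
    return ab


if __name__ == "__main__":
    ab = replay(SAMPLE_EVENTS, login_attempts=5, within_minutes=5)
    print("blocked:", sorted(ab.block_list))  # only 203.0.113.7
```

With 5 attempts within 5 minutes, the rapid source 203.0.113.7 is blocked on its fifth failure, while 198.51.100.9, which spaces its failures 30 minutes apart, never has more than one attempt inside the window and stays unblocked; widening Within (minutes) to 120 catches it as well. That is the trade-off to keep in mind when choosing the two numbers: a short window is forgiving of users who mistype, a long window catches slow guessing.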

5. Enable HTTPS connection

HTTPS is a secure way of interacting with your Synology NAS over the HTTP standard. When HTTPS connection is enabled, connections to DSM, Web Station, Photo Station, File Station, Audio Station, and Surveillance Station are encrypted using SSL/TLS, so your connection to the Synology NAS is protected from eavesdropping. This how-to article will guide you through the steps required.

6. Secure FTP service

Synology NAS supports Secure FTP by default when you enable the FTP service. Please see here for details.

7. Only open the public ports for needed services on the router

Synology NAS is designed to be easily accessed via the Internet. Its EZ-Internet feature guides you through all the steps to establish remote Internet access to your Synology NAS. If your router is not supported by EZ-Internet, Synology NAS also allows you to configure the router's settings without EZ-Internet Wizard. This how-to article will guide you through the steps required.

To ensure the security of your Synology NAS, we strongly recommend that you open only the public ports on the router that the services you actually need require.

8. Enable the browser's incognito mode or use the guest browsing feature when accessing DiskStation from a public computer

Whenever you browse in incognito mode, pages you view won't appear in the browser history or search history, and they won't leave other traces, such as cookies, on the computer after you close all open incognito windows. Therefore, we encourage users to enable the browser's incognito mode when accessing DiskStation from a public computer. The following websites guide you on how to enable incognito mode in the most popular browsers: