…without snark or jumping down my throat. I genuinely want to know why it’s so unsafe.

I’m running a Synology DS920+, with my DSM login exposed through a Cloudflare tunnel. I have 2FA enabled, Synology firewall enabled with these rules in place. I also have this IP blocklist enabled.

After all of this, how would someone be able to break in via the DSM login?

  • johnklos@alien.topB
    link
    fedilink
    English
    arrow-up
    5
    ·
    1 year ago

    NAS vendors aren’t known for understanding security. Opening ssh to the world is no problem, because ssh is everywhere, it’s constantly attacked, and half the world would know if an exploitable vulnerability was found.

    If NAS vendor ABC has a vulnerability in the login code written by a programmer who hasn’t done much more than CSS, it would surprise nobody, and you wouldn’t hear about it on any IT news sites. It would just be exploited until all the machines were exploited or until they’re all patched.

    It really is a world of difference between something known and secure and some random login page.

    • OneBreakfastPlease@alien.topOPB
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 year ago

      Opening ssh to the world is no problem

      That seems to go against the general consensus… Why is everyone/everything online telling me to either disable SSH entirely, or change the SSH port to something incredibly obscure (and even that’s not safe)?

      • johnklos@alien.topB
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        Because they’re being silly. There is no other public facing service more secure than a relatively modern OpenSSH.

        In some instances, yes, it’s best to disable the ssh that comes with whatever NAS OS you’re running, because they often ship old code and don’t care about updates and security.

        But if you’re running a relatively up to date OpenSSH and you’re using keys, not passwords, then you are as secure as you can reasonably be. There’s no math suggesting otherwise. Moving to a different port will reduce the frequency of attack, but that will have zero impact on the possibility of intrusion.

        Put it this way: if relatively recent OpenSSH has a remotely exploitable vulnerability, you’ll see it on the news on TV. You’ll see it and hear about it literally everywhere. The world will stop for 24 hours and there will be widespread panic. You’ll know.

        If your NAS has an exploit, you might read about it on The Register a few months later.

  • Jess_S13@alien.topB
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    Security for systems are designed for their target use case. The NAS login page was designed to be easily usable and assumed to only live within a private network. By opening to the internet you are opening it up to be targeted in a way the designers may not have accounted for.

  • k1shy@alien.topB
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    Speaking as someone who decided to “just be a consumer and trust that my NAS manufacturer had appropriately hardened the login interface”, and was using 2FA, and subsequently fell victim to a ransomware attack:

    Do not expose any port on your NAS to the internet.

    If you really want it available to you when you’re away from home, set up a VPN using a separate device as the VPN server.

  • ervwalter@alien.topB
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    All software has bugs. Sometimes bugs let you do things you weren’t intended to be able to do (e.g. access data on a NAS without knowing the login password). Your NAS might have a bug that hasn’t been discovered (or publicized yet) or hasn’t been fixed yet.

    If you put your NAS on the internet, you give “bad guys” am opportunity to exploit those bugs to get your data or to use your NAS as a jumping off spot to attack other things inside your home network.

  • Unfair-Plastic-4290@alien.topB
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    if you must, have you looked at the azure application proxy? if you configure it properly it should work from the outside world, and still remain private. This does put a lost of trust into azure, and your tenant’s users not getting broken into.

  • kwarner04@alien.topB
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    Here’s the way I think of it. Imagine you live in a house at the end of a long street. Your front door is the login page to your Synology. All the measures you’ve put in place (cloudlfare, ip blocklists, firewall) are the equivalent of putting up a guard booth/gate at the end of your driveway that only allows cars with a license plate of a specific state.

    You haven’t made yourself significantly more secure, just lined the traffic up in a more organized fashion. You are still trusting the people that made your door lock to not be vulnerable.

    Yes, it’s easier to access vs having a big metal gate that only you have the code to open (VPN) in front of your house. But why open yourself up to a single point of failure?

    Here’s just one recent example of an attacker being able to bypass the authentication on a synology. All the things you have implemented wouldn’t prevent a single person in the internet from using this exploit. https://www.zerodayinitiative.com/advisories/ZDI-23-660/

  • zedkyuu@alien.topB
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    If your DS920+ is completely inaccessible to outside your network except for the Cloudflare tunnel, then the Synology firewall and IP blocklist aren’t going to do squat for you since all connections will appear to originate from either inside your network or from Cloudflare. So you’re 100% dependent on Cloudflare to keep bad actors out.

    I’m not familiar with Cloudflare but the impression I had from looking at it was that you can decide which authenticated Cloudflare users can access your tunnel. So it’s a matter of credential management. Supposing some bad actor gets your credentials, they would then be able to access the entirety of your NAS, and you’re now hoping that there isn’t some undiscovered or unpatched security hole that they can use.

    • wavehockeysandwich@alien.topB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Not true, cloudflare will forward the real IP in the headers, and if your nas is correctly configured (trusts the forwarded header), it can block the source based on IP.

  • androidwai@alien.topB
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    Don’t expose the login to internet. Use twingate, headscale/tailscale. It’s super easy to setup and use zero trust network access.

  • FredrickandNeval@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    From experience most NAS drives, cctv boxes are built cheap and dirty. They are often slow and the proud product of a shite company/software developer.

    Bad actors are running scripts on their servers, automated looking for know exploits in pages, ports and software. They are actively scanning thousands of WAN facing devices a minute.

    Web pages are often written with poor practices. There is little to no care for security but just enough to satisfy the end user.

    Java script protected pages (may aswell just write the password on the page)

    Usernames and passwords embedded into source code. Session variables stored in cookies in plain text. Vulnerable to session hijacking, man in the middle attacks, and more.

    One device we pen tested a few years back allowed access to the settings page without logging in. This is due to a header redirect being incorrectly used. The page served the form and tried to redirect the browser. We just stopped the redirect. Changed the password and logged in normally. Potato Security at its best.

    These devices often do not have any rate limiting or firewall, which means brute forcing is nothing but pure playground for a nice database of known usernames and passwords. GPUs are fantastic for brute forcing. The more you have the faster you can test usernames and password combinations.

    If you must share file access. Setup a VPN. Tunnel into your network securely and then access your NAS.

    Assume everyone is gonna get you.

    • bosshogg111@alien.topB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Oh. My. God. I just spent the last hour diving back into homestarrunner. It’s been over 20 years! Thank you, my friend!

  • MRP_yt@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    If you open your login page to internet without security, someone one day will have a field trip inside your NAS files and will find all your “i know what you did last summer” photos.

    I do have DS423+ and i am too using Cloudfare tunnel to access it from anywhere.

    My CF Tunnel setup done like this:

    Domain: nas.example.com points to http://1.2.3.4: and i have 2 access rules added.

    One of these rules NEEDS to match otherwise - “You Shell Not Pass
    #1: Public IP needs to be matched as my public IP
    #2: Person who wants to login needs to authenticate via Google Authentication. Google authentication needs to match test1@gmail.com or test2@gmail.com

    While i am at home, i use nas.example.com to access my nas instead of using its local IP and cloudflare allows access with no questions asked.
    While i am outside my home network i get asked to authenticate via google and gain access this way.

    +CF Tunnel adds https automatically for me.

    I don’t use any firewall setup or any other rules inside NAS.

  • MiteeThoR@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Millions of hostile computers are cruising the internet looking for literally anything that can be exploited. Do not give them an opportunity by exposing a login page unnecessarily.

  • R8nbowhorse@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Because you’re going to be hit by the next of the countless pre-authentication vulnerabilities that constantly pop up for appliance’s like yours.

    All your security measure will do absolutely nothing in that case.

    I don’t get why you don’t just set up a VPN? It isn’t more complicated than what you did, and offers far superior protection. And for 99% of use cases, you don’t loose any functionality either.