Some people build their smart home based on Zigbee devices (smart switches, plugs). They are not a part of the LAN; they have a separate dedicated network, so theoretically they cannot access the Internet.
They just released QuTS hero with ZFS for the 453E. This is a major game changer for me. Smaller NAS devices can have enterprise-level protection. Gotta hand it to QNAP, they really have been working on the right stuff. Wish Synology didn't lose their minds, as they had something special years ago. Now enjoying the same with their competitor. What you can do with the hardware and M.2s is really cool. Lots of fun...
I thought security cameras were placed on a network that doesn't access the Internet. Use a second port on the Synology to join the security camera network to get the video feed. Then the Synology has access to the Internet. That way you still have surveillance, but the cameras are not exposed to the Internet.
That's a mistake. Use your own VPN on your own appliance, or firewall, and don't ever expose your NAS to the Internet. And don't ever put your security in a third party's hands, even if it is Tailscale.
I was going to say precisely the opposite. Great, now Synology is forcing us to use Tailscale and Jellyfin instead of Synology’s in house software apps.
@mitchellsmith4601 I wish Synology had an official WireGuard package. I don't understand why they only support Tailscale out of the box. Tailscale is based on WireGuard, but you have to use and trust third-party infrastructure, which is what I want less of when I use my NAS.
I have 6 security cameras around my home. Rather than segmenting my network, I have created a filter on my Synology router to restrict those cameras so that they can only access the NAS to which they send the captured event JPGs and MP4s, and zero Internet access. Do you think that is sufficient?
@WunderTechTutorials I set it up as a web filter only to block all websites and only to allow it to get a time signal from nist.gov. I just changed it to block all categories as well. (As an aside, I find the Synology router filter settings a bit odd. If you set up an Allow filter, that's all you get. But if you set up a Block filter, there is also an Allow tab. And sometimes, the filter name just shows a red frame and won't let you proceed.)
I do NOT recommend using your storage device as a router. You should have separation of duties with your network hardware. Any vulnerabilities discovered in the underlying firmware of your Synology could compromise your entire NAS, and in this case, since it is also your router, you have now given the attacker full control over your home network.
@DeadlyDragon_ You may have misunderstood my post. I have a Synology ROUTER as well as my Synology NAS. I do not use my NAS as a router. And I very much agree with you.
@DavidM2002 whoaaa ok, so today I learned Synology has started making networking gear. Huh.. I don't know how I feel about that, but time will tell how reliable it is.
So when you say don't connect the Synology to the Internet, how far do you go with that statement? Are you talking don't enable QuickConnect, or are you saying don't directly connect to the Internet through something like port forwarding? Turning on QuickConnect definitely adds a lot of flexibility when you're out and about. You could essentially do the same thing different ways, for example using Tailscale. You could take what you're saying to the extreme too by putting your Synology into a VLAN and not allowing Internet (which becomes a pain because of updates). Can you explain?
Port forwarding. I don't think anyone should port forward the DSM port, and most probably shouldn't use a reverse proxy either outside of very specific scenarios. Your risk with just about anything is minimal when it's behind your firewall, and adding VLANs locally and following security best practices strengthens it even further.
Your current settings aren't necessarily proof of that; for instance UPnP wasn't active at an earlier point in time. If someone was logged in as admin, they could have enabled it and then disabled it. No malware, but how about exfiltration?
It was disabled on the router so they wouldn't have been able to get it to work. They could have downloaded the data, but they didn't move or delete any data as there was nothing in the logs. My suspicion is they simply validated that they could sign in a few times and never did anything, but again, that's really just my thought with the information I have available.
Is there a way to test if my NAS was attacked or has some kind of malware installed and running? Is there also a way to diagnose attacks on my router too? (Sorry, I feel like I'm a noob in this area.) I did have DMZ enabled for my Xbox for a few months in the hope that I had a better and faster connection for multiplayer gaming (CoD servers suck). I'm not sure if there is a way to examine attacks on my Xbox though. I have some packages installed from SynoCommunity; are they checked thoroughly by the community before being made available?
The way I used Pi-hole in the video is the only way that I'm aware of, but that's assuming that you've had it installed and have been using it. Other than that, I don't think there's an answer right now on that but hopefully soon. I'd probably remove the DMZ from your Xbox. Depending on the router, you are potentially opening every single port to your Xbox which isn't good. If CoD requires port forwarding, check the specific ports required and manually handle them.
@WunderTechTutorials thanks. I have got an Asus ROG AX11000 GT Pro router which includes Guest Network Pro (a more user-friendly VLAN system, even though it is possible to install Merlin and use actual VLANs) and AiProtection that actively blocks attacks etc. Hopefully it handled any attacks. I'll have a look at registered attacks on the router, but I think it just gives an IP address instead of a URL, so I wouldn't be able to search for that specific URL. Information for other people with higher-spec routers.
Thanks for another great informative video! So, you now make me wonder. I have Synology routers and NASes. I only use Synology packages. I do use Tailscale and update it manually since it takes Synology a while to make the update available. I do have a VLAN with Primary, Guest, and IoT networks along with firewall rules set up between them. I have a separate computer I'm using as a Plex server, and that is the only port I am forwarding. Given all this and what you shared, am I in pretty good shape or at great risk? Oh, of course I disabled the Admin account completely.
Thank you! Yes, it sounds like you're in good shape. With stuff like this, the malware could have come preinstalled (depending on the manufacturer) or installed from some sort of breach. The former is practically impossible to guard from, but that's why those devices go on an IoT network. The latter is what you protected against, so without looking at it and only giving an opinion, I'd say you're good!
The advice of "don't expose the NAS to the Internet" = put your files on Google Drive or Microsoft OneDrive (or a similar service)! From my point of view, using a NAS implies accessing my data from the Internet; otherwise I would have gotten a big HD and connected it to my PC for the same results. Why pay for a NAS and not be able to access my files when I'm out of my home/office? Instead, NAS users should be instructed, and NAS companies like Synology should build their systems based on this principle, to expose their NAS to the Internet as safely as possible. Otherwise it would be like having a car in my garage and avoiding driving because I might have an accident. Well, learn to drive safely and get good insurance, or do not buy a car!
The advice really revolves around using a VPN. There are safe and unsafe ways of doing things, but exposing the NAS to the world is generally viewed as an unsafe approach, while using a VPN is generally viewed as the most safe approach. Every user should assess the situation themselves, but not exposing the NAS to the world doesn't mean you can't connect to it remotely.
@Nasguy-b7q Plex does not expose your NAS to the Internet. It connects via NFS on the backend. Now, if your Plex gets compromised, sure, an argument could be made there. But that is an additional layer an attacker would need to break through. If you properly set up Plex to run under a service account with non-root privileges, the damage can be restricted to a specific scope vs. your entire NAS. This is known as risk acceptance. Opening anything to the Internet has an associated risk that you must accept or mitigate.
@WunderTechTutorials Precisely this. VPN is the only way you should be accessing your NAS from the Internet. The VPN sets up an encrypted tunnel between you in the outside world and it bridges you into your internal network. Your VPN should be using some form of certificate-based authentication, for example OpenVPN or WireGuard.
I checked my logs and saw my username accessed shared folders via SMB3 through my laptop with my LAN IP. I was asleep at these times. My firewall is set to block all IPs that aren't on my LAN. Router UPnP was on without my knowledge. Does this sound like suspicious activity, or is this routine connections for SMB3?
@matthewdavis7218 I'd say that it's most likely fine, but I can't say for certain. Either way, monitor everything for a few days and reset the password for your account if possible.
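The "monitor everything for a few days" advice above is easier to act on with a small script than by scrolling the log viewer. The following is an added example, not code from the thread or from DSM: it reads constructed SMB access log lines, and flags each one that falls in an assumed sleeping window, comes from a LAN address that is not a known device, or (which the commenter's firewall should make impossible) comes from outside the LAN. The log format, the 00:00 to 06:00 quiet window, the device list and every address are assumptions; adapt them to the real export before trusting the result.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, time

# Assumed "asleep" window: accesses inside it deserve a second look.
QUIET_START, QUIET_END = time(0, 0), time(6, 0)

# Constructed inventory: the LAN range and the devices expected to use SMB.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
KNOWN_DEVICES = {"192.168.1.50": "laptop"}

# Constructed log format: "<date> <time> <user> <source ip> <protocol> <event> <path>".
# Real DSM exports differ; adjust the regex to the actual columns.
LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<user>\S+)\s+(?P<ip>\S+)\s+(?P<proto>\S+)\s+(?P<event>\S+)\s+(?P<path>\S+)$"
)


@dataclass(frozen=True)
class Access:
    when: datetime
    user: str
    ip: str
    proto: str
    event: str
    path: str


def parse_access(line: str) -> Access:
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    when = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
    return Access(when, m["user"], m["ip"], m["proto"].upper(), m["event"], m["path"])


def reasons(a: Access) -> list:
    """Why an access is worth reviewing; an empty list means nothing stood out."""
    out = []
    if QUIET_START <= a.when.time() < QUIET_END:
        out.append("quiet-hours")
    src = ipaddress.ip_address(a.ip)
    if src not in LAN_NET:
        out.append("non-LAN-source")         # the firewall should have blocked this
    elif a.ip not in KNOWN_DEVICES:
        out.append("unknown-LAN-device")     # a LAN address that is not in the inventory
    return out


def review(lines):
    """Return [(line, reasons)] for every access that has at least one reason."""
    flagged = []
    for line in lines:
        a = parse_access(line)
        why = reasons(a)
        if why:
            flagged.append((line, why))
    return flagged


# Constructed sample export.
SAMPLE_LOG = [
    "2024-05-01 03:12:44 alice 192.168.1.50 smb3 read /photos/2023/beach.jpg",
    "2024-05-01 09:30:01 alice 192.168.1.50 smb3 write /docs/report.docx",
    "2024-05-01 03:15:02 alice 192.168.1.77 smb3 read /backup/keys.txt",
    "2024-05-01 14:02:10 alice 203.0.113.9 smb3 read /docs/report.docx",
]


if __name__ == "__main__":
    for line, why in review(SAMPLE_LOG):
        print(", ".join(why).ljust(30), line)
```

A hit on "quiet-hours" from the known laptop is not proof of an intruder: scheduled backups, photo indexers and sync clients open SMB sessions while the owner sleeps, so the next step is to match those timestamps against the laptop's own task history. A hit on "unknown-LAN-device" or "non-LAN-source" is the one to chase, and the date the UPnP setting changed is worth comparing with the first flagged entry.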