I had 1 Synology NAS for about 8 years and I've had my upgraded one for about 3 years. I'm that guy who knows enough to get things working, but likely just barely, and with several (unknown to me) security holes. In the past week I've decided to dig in, learn more, and harden the security and functionality of my system. I've mostly done this with the help of your fantastic videos. You are a great teacher. Thank you sincerely! Cheers
If you open SSH, change the default port to something else, bots are scanning TCP/22 and will try to connect, trying brute forcing the login. By changing the default, you would decreasing this behaviour by far.
Timely! I'm in the process of replacing a client's aging QNAP NAS with a Synology model. (I have a lot more experience with QNAP, but went with Synology this time because I'm uncomfortable with how many times QNAP has been successfully targeted by ransomware criminals in the past few years and not impressed with the alacrity of their responses nor with how seriously they took each incident. Taking a pass on QNAP for awhile.) Your videos have been a great help to me, but this one is a real treasure trove! I'm implementing each and every thing you recommended. You've earned yourself a new member, my friend!
I bought my DS216+II in 2018. As a non-tech person, I was glad that I managed to set things up and used my NAS as a backup using Synology Drive. However, I really did not know what I was doing. All those years, I did not have the NAS security set up properly as you explain here. Thank you for your video. It's really helpful.
Thank you, great tutorial. I am setup pretty much exactly as you described and I thought I knew my stuff, however I still learned a couple things from you!
thanks for making this video much appreciated it has helped me removing the security risk and getting my head around this NAS system i have. i have to say i hate the fekn thing its way to complex and massively expensive for just storing files on as a replacement to two desktop hard drives mirrored by chronosync only upside i see is you can access it from anywhere.
Thank you for this very important tutorial! I have set my hyperbackup external device to be ejected after the backup. Just to make sure that there is no access in case of an attack. I also unplug it. I always wanted to suggest to zoom your screencasts to maximize the window you are showing.
Great info, you convinced me to use snapshots even though my NAS backs up my file server, i see the advantages of using snapshots. Too bad syno doesn't describe the use more in depth in their Package Center or more people would be using this tool
In our firm, see a lot of our clients that have been hit with ransomware. One of the key areas the cybercriminals target is the backups. So it's vital to protect the backup as well, and snapshots are the bomb for this. I run one NAS with snapshots and MFA required for all access, and all those protection settings, plus it is not available to internet. Then I have an occasionally connected NAS that backs up the primary. Yep. I'm paranoid. It's not a matter of being a "high priority" target for hackers. They run scripts to automatically hunt for "easy targets." You really, really don't want to be an easy target.
Great stuff again Will, I just saw it to check if I'm still ok with my settings, because I follow everything from you. It was fine, learned a lot from you, thanks for that, your a great teacher.
Good job on this video. Common sense approaches anyone can take to secure their files. Synology is king for not putting any of these features behind a paywall. Lets give them praise!
Love the info! Snapshots saved me once when I accidentally overwrote some files. I was easily able to back and retrieve them. Snapshots is one of the coolest features ever.
One important suggestion before restoring a snapshot. Make sure you identify the computer that got the ransomeware virus and disconnect it from the network or else after you restore the snapshot your company files will just get encrypted again!!! You will want to reimage the computer before connecting it back to the network. I battled many cryptolocker ransomeware and was able to restore with snapshots and was able to get customer back working in a couple hours. Was a true feeling of having a superpower!!!!
Good advice. Snapshots are great. I wish there were a solution that would allow more granularity for the /homes snapshot though. Snapshots work only at the shared folder level, so users can't self-admin restores for their particular /homes/username folder. Drive Client has previous versions, but still... I enjoy it when people don't bug me. :)
Just a word on the NTLMv1 auth. It's not that it can be easily bruteforced, it's that it's a weak hash and is trivial to crack. It's also very trivial to "pass" the hash to the NAS or another target.
Sooo helpful thanks. Still running DSM 7.1 after the drama of 7.2 - so not everything matches up, but still great. Still debating on making the jump to 7.2 - but your other vid makes it sound more stable now.....
Remote Desktop can be used as long you don’t use the default port and setup secure connections only i picked a port on my router that’s drcure to use plus i have software to block RDP connections unless they go through that port and not on that ban list and drop list
Thanks. I am also wondering about the best way to give access to a folder on the Internet so I can backup and access pictures remotely without giving additional access to my NAS.
It's great but not truly immutable if anyone who can log in is able to turn it off and wait a few weeks before encrypting the data. The key is making it impossible to disable immutability remotely and having a physical button on the NAS that must be pressed before immutability can be disabled or altered in any way. It could then allow a window of 5 or 10 minutes before the settings are locked again. I currently have something like this on a much more expensive enterprise system that requires myself and someone else (2 people) to provide support with a secret pin via a zoom call before the lock-down mode is disabled, allowing me to make changes to immutability settings. Any system can be compromised, requiring some sort of physical access to make changes is the key to protection against ransomware.
Time machine requires AFP to be on. If you turn that off, you will get "The selected network backup disk does not support the required capabilities. Please be sure Time Machine capabilities are enabled on the server for this volume or choose a different network backup volume.". Thanks for the tips.
So this can be a glitch. You can use SMB with time machine and should! You want to just make sure you have a few SMB settings enabled, I have a video on it
Hi, nice basic tutorial! For the part on port-forwarding: You could have added information about implemented VPN or e.g. Tailscale VPN (available in Synology packages) and Firewall rules that allow all ports via these services and blocking all others, so that there is no need to open any more ports than for the VPN service (in case of Synology implemented VPN used), or allow Tailscale subnet (in case of Tailscale service used). Nonetheless. Thank You! :)
I just received my 923+ but was reluctant to even open it to due to its complexity. This video is proving to be hugely helpful and give confidence about this purchase! Question for you: my main purpose of getting Synology is to store/access my huge library of RAW + JPG image files as a photographer. The appeal of the NAS was also to access photos from anywhere in the world since I travel for work a lot. Currently I have 12TB's worth of photos on a G-DRIVE external HD which desperately needs to be backed up (and expand). I purchased 3x IronWolf Pro 12TB drives and I'm not sure if I should set it up as SHR or RAID 5? I bought the 3rd drive with the intention of doing RAID 5 however seeing SHR as an option I could return the 3rd drive to save some money as I likely will be ok with 24TB for now. Once the NAS is all setup I plan to backup everything onto Backblaze and/or those old HDD's. All that being said, in my case what do you recommend?
Under the hood, SHR utilizes RAID technology. The benefit is the ability to later on expand the array without having to completely delete it. No reason to not use SHR over RAID as SHR is a lot more user friendly.
Thanks for the video. Your channel convinced me to switch to Synology from QNAP. One question - is having rsync (port 22) open for off-site backup a concern?
This is a simply way to stop all ransomware new or old. Just won't let it to run. You can use a library/folder based whitelist that has all authorized programs/scripts can be run safely. This whitelist can only be modified in safe mode. So, hackers or disgruntled employee can't run any unauthorized programs/scripts.
If you have movies/Plex, would it be best to make a new Shared Folder, and not use Snapshots? I probably will not delete many files from it, but I'm guessing if I did, then it won't free up space until the end of the snapshot retention period (7 days currently which isn't too bad, but if it was 2 yrs then I wouldn't want that)
Why is under Protection > Autoblock your 'enable block expiration' off? If for some reason you fail after 10 attempts, can't you lock yourself out of your Synology?
You've got a good basic security tutorial here that I think could be expanded and split into a separate video. Then you could spend more time in this video that focuses on just the snapshot and replication stuff.
Thanks for the VIDS They are GREAT and VERY Informative! I do have some questions: I have a Synology NAS 1821+ As I understand it, if I don't have SMB "ON" then I can not use File Explore to access my file via my inTRAnet. Currently, my port is open because I want to just add the folders to my explore as to logging into the dashboard. Is there a difference in the SMB? So right now the only open port is 443 (maybe I should not be posting that but...) I get MANY!, " IP address ***.***.*.* has been blocked by NAS VIA SMB." I have gotten as many as 25 a day. I add these IP addresses to my routers "Block sites containing these keywords or domains" I am not sure if that does me any good except making me feel better. How do I stop the attacks? Thanks
Thank you very much for this, it has been most informative and helpful. I wonder if I could ask a question about snapshots though, my nas is approximately 15TB in size, with around 10TB of files on there at any time. If I install snapshots and get hit by a ransomware attack that encrypts all 10TB of files, how would the snapshot be able to cope as each of the 10tb of files would be locked, but there isn't enough space for it to keep the older version of the file as they are rewritten/encrypted? I know you mentioned that this is complex and hard for some people to get their heads around (I guess I am one of those people) - but would snapshots save me in this instance?
As the ransomware would be encrypting each file, the file system stores the delta between the original and the new version. In your scenario, when the drive reaches 100% (consisting of your original data + a full new version of each file, generated by the ransomware) - there won't be any space left, so the malware won't be able to 'save' the file (in its encrypted form) because the disk will be full which stops the change to the file.
Spacerex, I've used GRC's Shields Up to check open ports. Do you have any thoughts on them? Also curious, when checking for open ports does is it per computer or router?
You cannot, as there is no way for a computer to tell an encrypted file from any other binary file. It would mean that you could not save things like zip files as the NAS may think those were encrypted.
What is the "normal" speed to transfer files to USB drive backup using Hyperbackup? I'm getting transfer rate of 100kbps sometimes. Not even 1mbps. This during the day when I' using. But is not fast either when the Nas is not in use.
hello, thanks for the video. I have a question: I have 4 disk total space 8TB with RAID 10 as volume1. and I have 1 disk 8TB as volume2. all my shared folder in volume1. and I want to use that snapshot replication to take all my files in volume1 and save them in volume2. is that possible ? I mean snapshot can use my volume2 for data store ?
How might regular snapshots and immutable snapshots affect the amount of data being backed up to a remote service such as Backblaze? I want to setup a remote backup service, but I am unsure about what should be remotely backed up, how to designate only those important files/folders, and how to estimate the total size (and thereby cost) of my backup.
I did not watch the entire video start to finish, but I believe you missed an initial requirement for LUN configuration that it has to be Thin Provision.
The inconvenient that I see with Snapshot Replication it not have folder excluding. For example, I have a shared folder that I want to replicate, but one of the folders inside that shared folder contains a LOT of videos, with a total of 9TB inside that shared folder and I don't want to replicate all of that. The only way I know is to make a new directories hierarchy. Is there any other solution?
So the way snapshots work is they are file unaware, they actually send the underlying volume over, rather than files (it’s what makes them so fast and safe) Otherwise you could use something like Synology drive share sync.
I will do a pretty non aggressive snapshot policy of 1x per week, and keeping 4x weekly versions of the hyperbackup folder, assuming there is space. This would allow the main NAS to be completely hacked, and delete its own backup, but still be able to recover from it
Because malware is interacting on the file system level, but the snapshots are actually a level lower than that, so malware cannot directly interact with them
@@SpaceRexWill I can't remembered what it called but my customer got their Synology NAS totally wipe out during the ransomware attacked in Q1 this year. They did have snapshots configured but no use. All theirs data is gone. If they have backup an off-site copy that would be much easier to restore, too bad they don't have.
If you enable MFA and stream DS Video to your smart TV you are practically scr*wed since your TV cannot resolve that MFA request. Dumb desicion from Synology.
Nah man, that "rambling" has provided me small details I have looked for and not found else where. I am happy the way he does it, many times I have been trying to figure out 1 setting and he has hit on it, when no one else has.
