How to make your Synology Disk station (NAS) more secure?

Introduction

Recently I bought the network attached storage (NAS) DS1513+ from Synology and integrated it into my home network in order to have a central place to store and access my data. This NAS has several server functions, making it convenient to access data remotely, but also making it vulnerable to unauthorized intrusion. So the question arises, how to mitigate this risk without restricting the remote functionality of the NAS. There is a lot of information available in the web; yet for me it took some time to identify and understand the most important modifications and to implement them:

  1. VPN Virtual Private Network – to remotely access the local area home network
  2. SSH Secure Shell – for secure login as root user or admin to fully access the (embedded) operating system
  3. SSL/TLS – to secure traffic between website and browser (HTTPS)
  4. Enable 2-Step Verification for DSM web access
  5. Store all critical data (certificates and private keys) on an encrypted memory card

1. VPN Virtual Private Network

Whenever possible, use VPN to access your NAS. I decided for the openVPN protocol, as it will work under Windows and iOS and allows for a flexible configuration of ports, protocol and authentications. The standard port for openVPN is 1193 UDP. I changed it to 8080 TCP  in order to have the possibility to tunnel through firewalls.

Necessary steps and modifications

  • Install Synology VPN server and use openVPN to remotely access your disk station and local network.
  • Generate your own set of certificates using EasyRSA or OpenSSL.
  • Change the VPN server configuration to make authentication with client certificates mandatory
  • Ensure verification of server certificate and server name on the client side.

Certificates

For openVPN I use self-signed certificates. All server and client certificates can be generated using EasyRSA and OpenSSL.

You need to generate a

  1. Root certificate ( self signed, will replace ca.crt), a
  2. Server certificate (to replace server.crt) with the
  3. Server key (server.key), and a
  4. Client certificate (user.crt) with the private
  5. Client key (user.key).

Root and server certificates, as well as the server key, are found in the directory /var/packages/VPNCenter/target/etc/openvpn/keys/. Login to the Synology NAS as root user, using a terminal program, change to this directory and place your own certificates and server key there. Rename the original files ca.crt, server.cer and server.key before copying, to keep them as backup.

On the client system under Windows, the client certificate can be imported with the command (“run”) certificate manager certmgr.msc, or it can be part of the openVPN client configuration file using <cert> </cert> and <key> </key> (necessary for iOS).

OpenVPN Server configuration (DSM 5.2)

Then change the authentication procedure for openVPN and make the use of a client certificate and password mandatory. The openVPN server configuration file can be found under /usr/syno/etc/packages/VPNCenter/openvpn. Use vi editor in the BusyBox build-in shell to modify the openvpn.conf file.

Replace the lines starting with cacert and key with

ca /var/packages/VPNCenter/target/etc/openvpn/keys/your_ca.crt
cert /var/packages/VPNCenter/target/etc/openvpn/keys/your_server.crt
key /var/packages/VPNCenter/target/etc/openvpn/keys/your_server.key

Then comment out (#) the line client-cert-not-required:

#client-cert-not-required

OpenVPN Client configuration

On the client side use the following lines in your openVPN client configuration file:

#Root certificate (self signed)
<ca> Copy and paste your ca root certificate here </ca>
#verify type of certificate to be server authentication:
remote-cert-tls server
#verify correct server name:
verify-x509-name ‘xxx.com’ name

#either get client certificate in pkcs12 format from an encrypted memory card:
pkcs12 Y:/pki/private/[user name].p12

#or get client certificate using Microsoft crypto api for windows PCs:
cryptoapicert “THUMB:XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX”

#or for iOS devices copy/paste public and private part of the client certificate:
<cert> copy/paste client certificate here </cert>
<key> copy paste your client key here </key>
auth SHA1

#login with user name – password
auth-user-pass
auth-nocache

2. SSH – Secure Shell

With SSH root login you have full access to the embedded OS and can modify any configuration of the NAS. Therefore, if you really need to allow SSH access remotely, you should always be extremely careful and verify the correct connection. In addition the login should be changed from user name/password authentication to RSA key authentication. SSH works under windows with Pageant/Putty, on iOS devices I use iTerminal Pro.

Necessary steps and modifications

  • Always verify server fingerprint of your SSH host
  • Change SSH standard TCP port 22 to a high port number
  • Replace user- password log in with RSA key authorization

SSH Host

The ssh server (host) keys can be found in the directory /etc/ssh. By default there are key pairs for DSA, ECDSA and RSA. The public key files have the extension .pub. Note down the fingerprint of the host keys using the command ssh-keygen -l -f [public key file name], for example ssh_host_rsa_key.pub

When you call the SSH terminal program and the server key is not cashed, you will be prompted with the fingerprint of the server key to trust the server. To delete a cashed fingerprint under Windows using PuTTY

  1. Open the registry (regedit)
  2. Go to HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys

Delete the cashed key.

SSH Client

First generate an RSA key pair (public and private) with the program puttygen. I use an SSH2-RSA key with 2048 bits. By default the public key of the root user is expected to be found in the directory /root/.ssh/ under the file name authorized_keys.

#AuthorizedKeysFile .ssh/authorized_keys

So you need to create the directory .ssh and put the public key, generated with puttygen, into this directory under the name authorized_keys.

In order to disable password login for the root user, you then need to modify the file sshd_config in the directory /etc/ssh. Change the line

#PasswordAuthentication yes to
PasswordAuthentication no

3. SSL Secure Sockets Layer – to secure traffic between website and browser (HTTPS)

Though SSL does not protect from unauthorized access, it helps to avoid eavesdropping of your data when using the web interface. Most critical is the web access to the disk station manager with admin rights. The standard access ports are 5000 (HTTP) and 5001 (HTTPS).

Steps and modifications

  • Disable standard admin user account
  • Allow access via HTTPS only
  • Use a really strong password with 15 characters or more

For administration via web interface disable the standard admin account and use a different user name first. Then allow DSM login under https (default port 5001) only, in addition you could use port forwarding in your router to change to a high port number). The most important measure is to use a really strong password. The password should be at least 15 characters long and consist of a mixture of small/capital letters, numbers and special chars.

4. Enable 2-Step Verification for DSM web access

DSM allow to introduce a second layer of authentication. You can enable 2-step verification for the admin user. A good step-by-step description can be found 2-step-authentication.

5. Storage of critical Data

All measure shown above will be useless, if the private keys are not kept secret. Your passwords, key pairs and certificates should never be made accessible to any unauthorized users. Here I use a mountable encrypted memory card. When leaving the computer I can unmount the card or take it with me.

6. Useful links

How to connect to Synology’s VPN Server using a Windows PC or Mac http://www.synology.com/en-us/support/tutorials/592

Incoming search terms:

  • HowtomakeyourSynologyDiskstation(NAS)moresecure?|BPMSG
  • synology change ssh port
  • synology webstation ssl
  • install easy-rsa on synology
  • dsm default ssh port
  • x509 synology self signed puttygen
Share on Facebook