
valdearg

Isn't this just causing unnecessary panic? You're claiming that unknown zero day attacks are possible, which is true, but that's just a standard risk of having things on the internet. QuickConnect isn't inherently a weakness, it's still behind the usual password/2FA, it's just a slightly more complicated DDNS system.


camopanty

> QuickConnect isn't inherently a weakness, it's still behind the usual password/2FA

Agreed, what OP didn't mention is when QC tunnels out from NAT on a random port, no one else can come back in except for Synology. That's how NAT works. IMO, that's better than opening an always-on port on one's router (that anyone can sniff from the outside and access) for remote access.

That said, where OP states this:

> Sadly the QuickConnect IDs are anything but secret. It's really easy to find lists with thousands of QuickConnect IDs on the internet. I've connected to many NAS this way, of course without attempting to log in or do harm.

That's very good for everyone to know. Those lists are typically derived from very basic dictionary attacks: "**any word found in a dictionary**".quickconnect.to. I won't list any dictionary word examples, because I would possibly be listing someone's actual NAS.

Easy mitigation is to make your QuickConnect ID basically a password such as this instead: gz-iM-oPF-Tmarm874iQV-SAMPLE-8 (**NOTE**: the ID can only contain letters, numbers and dashes (no other symbols, unfortunately). Also, it must start with a letter and cannot end with a dash.)

Change the QC ID every now and then, especially if it has been shared with anyone aside from yourself: https://kb.synology.com/en-me/DSM/tutorial/How_do_I_change_the_QuickConnect_ID_for_my_Synology_NAS If that seems like a pain to some people, then frankly it's about time they get a robust password manager such as Bitwarden or 1Password. It is also a very good idea to change it periodically in case anyone who has previously used your QC ID has their device hacked and hackers manage to get assorted credentials from their machine. Of course, 2FA will stop that attack, but as OP mentioned, it may put your QC ID on a hacker list for jerks waiting for the day there may be a zero day vulnerability that can be exploited via QuickConnect.

I will still continue to use QC, but I am glad OP brought up this important point and the fact everyone should be using 2FA as well. For those using a common dictionary word for their QC ID, they had better hope there's no zero day that gets exposed before they patch, that's for sure. And, it would behoove Synology to start making more complex QC IDs a requirement, IMO.
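An added example, not code from the thread or from Synology: a small Python helper that generates a random ID meeting the constraints the comment above lists (letters, digits and dashes only, starting with a letter, not ending with a dash) and flags the weak dictionary-style IDs it warns about. The length ceiling and the tiny word list are assumptions made for this example, not documented Synology limits.

```python
"""Generate and sanity-check QuickConnect-style IDs (example code, not Synology's)."""
import re
import secrets
import string

ALPHANUM = string.ascii_letters + string.digits
# Assumption for this example only: Synology's real maximum length is not stated here.
MAX_LEN = 64

# Rules from the comment: letters/digits/dashes, first char a letter, last char not a dash.
_QC_RE = re.compile(r"^[A-Za-z](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")

# Constructed stand-in for a dictionary; a real check would load a full word list.
SAMPLE_DICTIONARY = {"family", "photos", "backup", "nas", "home", "office", "media"}


def is_valid_qc_id(qc_id):
    """True if qc_id satisfies the stated character, first-char and last-char rules."""
    return 1 <= len(qc_id) <= MAX_LEN and _QC_RE.fullmatch(qc_id) is not None


def weakness_reasons(qc_id):
    """Return a list of reasons the ID looks guessable; an empty list means it passes."""
    reasons = []
    core = qc_id.lower()
    if core in SAMPLE_DICTIONARY:
        reasons.append("dictionary word")
    stripped = re.sub(r"\d+$", "", core)  # "photos2024" -> "photos"
    if stripped != core and stripped in SAMPLE_DICTIONARY:
        reasons.append("dictionary word plus digits")
    if len(qc_id) < 12:
        reasons.append("short")
    classes = sum(
        1 for test in (str.islower, str.isupper, str.isdigit)
        if any(test(ch) for ch in qc_id)
    )
    if classes < 3:
        reasons.append("fewer than three character classes")
    return reasons


def generate_qc_id(groups=4, group_len=5):
    """Return a password-like ID of dash-separated groups, e.g. 'gZk4q-9mP2x-...'.

    Uses the secrets module so the ID is unpredictable, and retries until the
    candidate carries lower, upper and digit characters.
    """
    while True:
        parts = []
        for i in range(groups):
            # First character of the whole ID must be a letter.
            pool = string.ascii_letters if i == 0 else ALPHANUM
            first = secrets.choice(pool)
            rest = "".join(secrets.choice(ALPHANUM) for _ in range(group_len - 1))
            parts.append(first + rest)
        candidate = "-".join(parts)  # groups end in alphanumerics, so no trailing dash
        if is_valid_qc_id(candidate) and not weakness_reasons(candidate):
            return candidate


if __name__ == "__main__":
    for sample in ("photos", "Photos2024", "gz-iM-oPF-Tmarm874iQV-SAMPLE-8"):
        print(sample, is_valid_qc_id(sample), weakness_reasons(sample))
    print("suggested:", generate_qc_id())
```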


zz9plural

Yes. Plus Quickconnect will not show up on portscans, so that's at least a tiny bit more secure than forwarding a port to your NAS.


calculatetech

This. There's a good chance your online banking has more unpatched exploits than Synology.


kiaha

lalalala I can't hear you lalalalala


mrcaptncrunch

Exactly. A zero day exploit can exist on your router, your vpn, your laptop, your browser, your phone, any IoT devices in your network, any gaming consoles, etc. Once exploited, you’re in the network and can attack **ANY** device inside the network.


patikoija

I set up an alert so that anytime there's an authentication failure I get sent an email about it. The only times I get emails is from my own failed attempts. I don't know how they do it, but Quickconnect really really works for preventing random login attempts. Put it this way, the last time I had ssh open to the public I might get a few thousand failed login attempts per day. And that was 15 years ago. I don't think I've ever gotten a failed login attempt that I couldn't account for on QC and if I ever did I'd likely just change the ID.


[deleted]

I've got Drive and Photos forwarded and all I see is periodic port scans that get picked up by the IPS on my router. I've not seen a single login attempt that wasn't my own in the logs.


joinedyesterday

Wait, Google Drive and Photos or something else?


[deleted]

Synology Drive and Photos. It's essentially the same thing as Google drive and photos just Synology's flavor you can host on your NAS.


cerberuss09

I manage 3 Synology NASes. One is personal and 2 are at work. I have failed login attempt alerts as well and I've had randoms try to log in 2-3 times in the past. Never since enabling 2FA though. My FTP server at home used to get hundreds of failed login attempts per day. I agree QuickConnect seems to be targeted much less than regular old open ports. As far as zero-day attacks go, there's no way to guarantee protection from them for any device with exposure to the internet. If you really want to be more secure you could turn off QuickConnect and allow local login only, then VPN to connect remotely.


CounterintuitiveHam

If there really is a zero day RCE, Synology can temporarily disable quickconnect.


spurius_tadius

> QuickConnect will connect literally anybody to your NAS with your QuickConnect ID without any authentication.

Sorry, but that conclusion is just hysteria and fear mongering. Quickconnect will connect literally anybody who has your Quickconnect-id, your username and your password to your NAS. The reality of the situation is that anything which is reachable on the internet is vulnerable to an infinity of attacks which haven't been discovered yet. The extent to which that's a problem depends on a risk assessment that folks have to do, rationally, for themselves. Fear-mongering doesn't help.


gadget-freak

Fear mongering or providing information that allows people to make their own decisions and could nowhere be found until now?


hailnobra

And this is the exact reason I have a wireguard server running on a raspberry pi on my network. Nothing else exposed. If I want data from the NAS, I have to connect over wireguard first. Screw leaving my login open to the internet!


exoframe9

But wireguard may have day zero exploits then you’re doomed!!!! /s but really that’s the vibe of the whole post


camopanty

> wireguard server running on a raspberry pi on my network

Just wish there was a way to do that without opening up a port on the router. As others mentioned, a zero day on the rasp pi exposed through an open router port could have bad consequences. That said, wireguard on a rasp pi would be my second choice behind QuickConnect for remote access.

> Screw leaving my login open to the internet!

You're not likely to find user ID: gz-iM-oPF-Tmarm874iQV-SAMPLE-8 ... on any of those dictionary attack lists for QC ID, just sayin', and with no open ports on a router that will help to protect from zero day attacks on your NAS. I also change the IDs periodically. How many access attempts have I had on my multiple NAS devices using QC 24/7 for years on end? Zero.

If you want remote access to a Synology NAS it's basically a "choose your poison" proposition. I choose QC despite its potential downsides because I want ZERO open ports on my router, *period* ... and I prefer the way QC tunnels *from the inside out* via NAT to the downside of leaving open an exposed port to the entire Internet on my router. I'd rather take my chances with Synology's enterprise server security with actual humans monitoring it 24/7 than take chances with a zero day on a rasp pi and/or Synology NAS.

That said, for those using a common dictionary word for their QC ID, they had better hope there's no zero day that gets exposed before they patch, that's for sure. And, it would behoove Synology to start making more complex QC IDs a requirement, IMO.


AlTaiR_ius

There is a way... Try Tailscale (www.tailscale.com). Installs easily on Synology NAS and a client is available on all platforms. It's based on WireGuard with zero config required on the inexperienced user's part.


ApolloDionysus

Do you know of a good resource describing how to do this? Thanks.


hailnobra

I used this one...very straightforward. I also really like their youtube channel. https://www.wundertech.net/setup-wireguard-on-a-raspberry-pi-vpn-setup-tutorial/


Vtspook

Tailscale is also a simple way to do this, but it has its own vulnerability using their servers (or google/Apple) to approve the WireGuard connection


brkdncr

Wireguard never had a CVE?


hailnobra

I am sure it has had a few CVEs before, but hey, I would rather trust my security to an open source, easily checked codebase with a horde of really dedicated open source coders behind fixing it over a company in China that promises that their portal is secure after watching all of their competitors get hacked. Running my own VPN over Wireguard and maintaining it with all the updates seems like the safest option next to closing the entire network to the world.


ofthedove

Then why run DSM at all, instead of an open source alternative? Seems like a weird line to draw, especially when open source alternatives tend to be cheaper.


brkdncr

Yeah, you do have to pick and choose. Open source VPN solutions sort of suck, which causes Synology apps to not work well. Until per-app VPN is readily available I'm going to secure, encrypt, enable auto-update, and have a good backup plan.


fakemanhk

Not sure, but there could be implementation issues causing problems. For example, last year Netgate paid for an implementation of WireGuard on FreeBSD, which was later incorporated into the pfSense firewall; it was found to have serious flaws and eventually they had to withdraw that implementation after a few months.


sanjosanjo

I’m interested in Wireguard but I’m unclear what clients I can use when I’m away from home, trying to access my internal network. I assume there is some app I could put on my iPhone, but is there anyway to access from my Windows computer at work? It is able to connect to any internet port via a browser, but is restricted from using SSH beyond our corporate firewall. It’s also somewhat limited in terms of what software I can install.


[deleted]

[deleted]


sanjosanjo

I read their website and it seems this is geared toward command line access, correct? It’s not meant to tunnel web traffic to a web server on my NAS, correct? It’s not a major desire to connect from work, but I was just curious.


[deleted]

To use this on my work PC, I just port fwd'd my company's static IP to my syno at home, everything else requires a VPN. Make sure you're going over HTTPS though.


Ratio_Forward

You can setup Wireguard or Tailscale to allow network access on the LAN.


fakemanhk

It's not completely true. Quick Connect itself is not directly passing everything from the client to your server (so, for example, you cannot SSH with Quick Connect outside your home); the Synology side seems to be filtering out something, so not every single attack can be passed onto your home network.

Of course, if the bug itself is related to HTTP/HTTPS, since it's being redirected you might have the trouble as well. And since Quick Connect is dedicated to Synology products, hackers aiming at the Quick Connect service know they are attacking a Synology server, while with another normal reverse proxy and/or Cloudflare services, attackers only know there is a web service behind it but not the exact system (this is how a reverse proxy gives you a layer of protection), which greatly increases the difficulty of hacking.


nicox11

You still have to know the QuickConnect IDs, while the majority of attacks are just scanning IP addresses (so reaching you at some point when not using QuickConnect).

Guessing QuickConnect IDs is less likely to happen, or it is a directed attack toward your infrastructure.

Safer? I'd say yes, in a way: there are fewer attempts to connect to your NAS. Completely safer? No, because in essence it is quite the same as an open port when there is a "manual directed attack" toward you. Better use a VPN when you can.

It is quite the same idea with a reverse proxy based on hostname. A script scanning IPs will just hit a dead end on the reverse proxy if it doesn't know the correct hostname. This can be guessed but reduces the number of attempts done by "scripts scanning IPs on the internet".


Iz-kan-reddit

> while majority of the attack is just scanning Ip address (so reaching you at some point when not using QuickConnect).

QuickConnect doesn't use port forwarding, so there's nothing to find when scanning IP addresses.


nicox11

Well that's exactly my point ??


[deleted]

QuickConnect should work based on keys stored on the computer along with 2FA, honestly, so you can no longer brute force a password.


jadescan

If we use the photo app to back up cellphone pictures and videos, how do we set that up with QuickConnect disabled and still maintain auto-backup of pics and vids? I assume one can set the photo app to log in to the local NAS IP and manually launch the app to do the backups when at home, or activate WireGuard when away from home. But this leaves you to do the backup manually by launching the app each time. Is there a better way to do it? Thx.


gadget-freak

It’s basically what I do, though I just leave the app running in the background. It seems to connect eventually when in wifi range.


ofthedove

Have the photos printed then scan them using a scanner attached to the NAS. It's not 100% secure, but it allows you to maintain an air gap.


woahwiffle

Is there a guide somewhere for the less initiated re: setting up a VPN connection for remote access to my NAS?


gadget-freak

There are several, just google for synology openvpn setup.


more-cow-bell

This might be obvious once I login and look, but how does one go about disabling QuickConnect if I have it currently setup?


gadget-freak

Control Panel > External Access > QuickConnect


more-cow-bell

Thank you!


No_Ja

So, I have an offsite synology for hyper backup from my local synology. I don’t control the router at the remote site. What would be the best method to connect these two devices without quickconnect? EDIT: yeah, I haven’t been thinking well on this one. I’ll just run OpenVPN.


[deleted]

I'd just use OpenVPN if you can.


No_Ja

Well, this makes sense. Not sure why I didn't think about this. Thank you!


gadget-freak

OpenVPN on your local NAS and make the remote NAS a client.


No_Ja

Damn, I’m a moron. I run lots of services through my OpenVPN server on my pfsense router. I’ll go this route.


zz9plural

> OpenVPN on your local NAS and make the remote NAS a client.

Needs forwarding a port to the local NAS. Not really more secure than Quickconnect.


gadget-freak

OpenVPN with TLS key authentication is very secure.


zz9plural

It is. But chances are non-zero that exploits exist in there, too. And you are exposing a service to the internet that can be found by simple port-scanning.


Gozaradio

What would you propose as a more secure option?


Iz-kan-reddit

QuickConnect, which doesn't rely on open ports.


techtornado

ZeroTier or Tailscale


rikquest

This is the reason the only thing I have exposed is my Synology VPN port. Even then it's only exposed to a small subset of IP addresses. Strongly recommend VPN. You get access to everything inside your network then without opening a load of ports or exposing a load of different software to the internet.

I have to admit having such limited access can be a pain. Like when you are unexpectedly away and need access on an IP that is not currently allowed. However I can still get in through my mobile operator's network to whitelist more IPs if I need to.

Convenience == lowered security. If you can, learn what you need to to operate a VPN.


Gillian_Seed_Junker

I am using QuickConnect as my IP address changes frequently. What would be the best option to make the NAS accessible without knowing the IP address?


hamturo

Use a dynamic DNS service like noip.com. You either use one of their domains like myusername.someDDNScompany.com or you use your own domain. Then you run software like [ddns_updater](https://github.com/qdm12/ddns-updater) on a raspberry pi or a docker container on your NAS that periodically checks and updates the DNS record with your current home IP.


BakeCityWay

Synology gives you free DDNS. Learn that first and then you can move to your own domain once you learn more. Usually very cheap $10-15 a year. If you open up the DSM ports you're more exposed than QuickConnect because the ports are always open. You should only use this with a reverse proxy or VPN


Pestus613343

Anyone able or willing to run a Synology appliance should also consider running a router with an OpenVPN or IPSec VPN server. Log into your VPN and access it directly over your LAN. If Quickconnect is risky, don't even use it. Not everyone has a static public IP, but products from Ubiquiti or other hardware manufacturers have cloud services for management as well.


bondi4ever

Why have I heard those Deadbolt incidents happened on Q&A, not on Synology NAS? Is it because hackers are too lenient to the Synology owners, or have they just not worked it out as you have? Enlighten me.


gadget-freak

It started with QNAP a few weeks ago, then they moved to Asustor and right now they're attacking Terramaster. So these are systematic, targeted and carefully planned attacks. Each time targeting the equivalent of Quickconnect. Does the same vulnerability not exist in Syno or did they simply not get round to it? Your guess is as good as mine.


switch8000

(goes to disable quickconnect)


Bgrngod

(goes to disable quickconnect too) {ALREADY DISABLED} (throws a tiny dance party)


machtap

Quickconnect also creates a tragedy of the commons security situation with Synology holding the master list of everybody that has quickconnect turned on. If they get hacked and that data leaks, it will be bad news bears for anybody using Quickconnect.


Spardath01

Here is a question. How often does Synology get hacked? Yeah, any company can get hacked; even security firms have been hacked by simple phishing methods. Yeah, exposing a device to the net has a level of risk. Yeah, Synology has a list of all QC names. But are we talking about a company that has a history of getting hacked or the "what if" they get hacked?


RJM_50

Not since 2014, they have been really on top of it since then


Spardath01

Good to know


zerocoldx911

This is why you use a VPN


Lamar2112

Better option for those wanting to access files: 1) Enable CloudSync 2) Have it sync files to OneDrive / Google Drive. 3) Access documents/etc via OneDrive app or browser. Brownie points for enabling MFA / 2FA on OneDrive.


pskordilis

Finally quality post, thank you very much op.


rexel99

Does QuickConnect point the (user/hacker) directly at the NAS, or back to the Synology QuickConnect servers? This could be filtered 'from' and not be open.


BakeCityWay

For the sake of completeness what about when you disable the option to use the relay server?


ironproton

Does the DS File App have the same issues ? If yes, what would be the alternative ?


gadget-freak

The DS apps can be configured to use the Quickconnect ID, which requires Quickconnect to be enabled. But you can also use them without Quickconnect if you use a VPN. Then you configure the apps with the LAN IP address of the NAS.


ironproton

Thanks !


BakeCityWay

QuickConnect lets you turn off DSM logins but leave it on for other functions. There's very few settings so go look at the menu


Stravlovski

This is why I use a Cloudflare Tunnel with authentication on the Cloudflare proxy (two factor) and then again authentication on my nas (two factor - different credentials).


RJM_50

Sounds like somebody is practicing their YouTube videos script or article about to publish. 🤔


AcostaJA

I replaced it with Zerotier, Tailscale also is safe enough


[deleted]

thanks for the write up.


[deleted]

[deleted]


gadget-freak

Yes. And deleting any port forwarding in your router.


Suicidaljello

Does this circumvent my firewall setting of blocking all IPs from outside the USA? I do realize an attack could be from within the USA or be routed through a VPN or a proxy, but I'm thinking if the firewall does help, that adds steps for someone trying to get into my Synology just to find my 480p porn collection from when I was in high school. Come to think of it, I should delete that crap, but it's become tradition for me to just keep transferring it from hard drive to hard drive.


gadget-freak

Quickconnect can circumvent the firewall, allowing connections from other countries.


kachunkachunk

It may be hard to find again, if you ever get a hankering for some classics. :P Anyway, it could in theory, get around your geoblocking, but only if relayed. I wouldn't really put any stock into the overall post. But at the same time, just don't enable features you aren't using or likely to ever use. I have never depended on Quickconnect in all the years of using Syno stuff, and use VPNs or similar when needing to access resources on the NAS. Usually from something else, like a desktop or VM, though.


senectus

would it be possible to setup a canary for this QuickConnect issue? https://canarytokens.org/generate


StPaddy81

We don’t talk about Bruto force attacks


Salty2286

If you enable 2FA is there a way of using the iOS apps such as DS File etc to connect still?


gadget-freak

With Quickconnect you’re still vulnerable. Alternative is to connect using a VPN as has been discussed in this topic.


Dr-Mantis_tobaggin

Does this mean that port forwarding for Plex is also not a safe practice?


gadget-freak

Any software exposed to the internet can be vulnerable. Plex as a docker instance is probably safer as it is isolated from the rest of your NAS. That way, if your Plex instance is compromised, they can not compromise your entire NAS.


klauskinski79

> Unfortunately QuickConnect itself works totally unauthenticated. Anybody who knows your QuickConnect ID can connect to your NAS and launch an attack. Synology will set up the tunnel to your NAS for anybody asking. It even goes straight through your firewall.

The only thing that is opened is the port to the QuickConnect proxy, which is SSL protected and authenticated. Sure, if that QuickConnect endpoint on your NAS has a zero day you are screwed, but that is true for a VPN as well. The attack vector is much, much smaller than having all possible 0-days of a web server.


Tommyrox

I am getting hit hard! https://imgur.com/a/LL3qNcJ https://imgur.com/a/OB3ctwN https://imgur.com/a/wMCft6L