Jim is right. Security is complicated.
If we upload a lot of photos to Google, then we risk someone getting the photos, but not the personal data we keep on our laptop. But if someone jacks our Synology, then we risk all the data on the Synology and even our laptop and desktop computers.
Companies with highly skilled professional staffs get hacked all the time, so we can get hacked at home. At the least, we should understand how to configure out systems to minimize risk and maximize protection.
I thought you were saying that Google handles all your security? Do they not need an open port on your router? I told you before I trust Synology more than Google. I think we must agree that we have different views on the matter and further going back and forth is a waste of time, especially if you ignore time after time significant points raised that contradict your views. I guess that's your corporate education kicking in.
All the best.
No they don't. Synology handles it because it's an OUTGOING port that initiates the request. And, by default on routers, outgoing ports are allowed.
Alan
And one of the first things I do with my firewalls is shut down all but the ones that I need open. Actually, I shut them all down and open the ones I need. I've never trusted the firewalls that come built into ISP-supplied routers, with the possible exception of the big Cisco routers, but I've never had an ISP let me program their Cisco router.
Leaving all outgoing requests wide open sounds to me like a bug, not a feature.
You ask me questions and then say that further conversation is a waste of time? Sorry I irritated you. OK, I'll not continue any conversation with you, if that is your wish.
This is key. Don't put servers that can be accessed from the 'net on the same network segment as your internal devices.
If your data is stored on a hosting service, that data is at risk, but only that data.
Well, obviously it's far less stressful that's for certain, reading your comments, worries and fears
Gents, lets stay playing nicely.
Back to the Synology.
Jim, if my system has been hacked, then closing down outgoing ports won't make much difference - there will be ways to get out. So, I am happy that I have closed off all the incoming ports on my ISP router (actually, I have a double router setup and I've changed the default IP range so it's even harder) and I let the Synology box do what it needs to.
Alan
If the system is hacked, and, for example, root access has been obtained, then you're beyond what can be managed with firewall rules, and everything on your LAN is at risk. I was talking about ways to manage dangerous interactions between devices on your LAN and the 'net in order to keep your devices from being compromised. It's been a surprise to me the outgoing traffic that I found unwanted that I've discovered through firewall logs.
The worst thing I've found is that someone has guessed my "connect to" name and tried to use it to log on as 'admin' with various passwords. Of course, my admin is not named 'admin' and the system blocks login attempts after a few (I think I have to set to 10). And, I get an email telling me what IP address was trying it.
I am reasonably happy that my system is secure from outside interference. I did have a situation a few years ago when, everytime I opened port 22 (secure ftp, I think), somebody from China would notice and try hacking. They never got in and I found a better way of doing it. I think they'd got an "in" to my ISP and was sitting there monitoring network traffic.
Alan
Good luck to you. We all have different risk tolerances and attack modalities that we are concerned with, as well as tolerance for network management. My web sites are attacked 10,000's of times a day, and reading those logs is a bit scary.
You are more public and popular than I am. A target.
Alan
[and I feel honoured to be able to talk to you 😁]
This is the only issue I've had on this box since Feb 21 (when I set it up)
On my web sites, anyone logging in with an invalid userid locks that IP address out for a few days. But people have figured that out, and I get strings of attempted log ins using the same bogus userid from 40 or 50 different IP addresses in the space of a few minutes. I also use whitelists of trusted IP addresses that avoid those hurdles, but I use them sparingly and watch the logs.
Does anyone know if there's a way to remotely turn the NAS (Synology) on from the powered down/off state? Would that option be available in a UPS?
Wake on LAN is avaiable:
kb.synology.com/en-nz/SRM/help/SRM/NetworkTools/wol?version=1_3
That would require the purchase of a Synology router? Rather than the one provided by my fiber optic cable internet provider?
That's not clear to me. Sounds like at least some Synology NASs support wake on LAN. So there are probably other ways than using a Synology router to get a Synology NAS box to act like a wake on LAN client.
en.wikipedia.org/wiki/Wake-on-LAN
Sounds like any device that can send the magic packet can wake a wake on LAN client.
