In this blog post I will show you the basic security settings that I highly recommend you follow to increase the security of your files and your NAS.
Before we get started, if you are still thinking about which Synology to buy, check this guide instead: Synology 2019 Buying Guide. But if you are the happy owner of a new Synology, here is a guide on how to configure your brand new Synology!
Here is the list of upcoming posts:
- Part 1: Install DSM in your Synology (operating system)
- Part 2: Configure your hard drives: Storage pool configuration
- Part 3: Upgrade your Synology RAM
- Part 4: Basic security settings (this post)
- Part 5: Move/copy files between NASes
Here is the list of recommended security settings, the basic ones; I will do a part 2 for more advanced settings like SSL and VPN.
Basic security settings for your NAS
Before you start moving files (or afterwards, in case you already moved them), here is the list of basic settings I recommend you configure on your NAS. I already have blog posts on most of these, so I will link to them, but there are some new ones too.
- Enable 2-step authentication
- Disable guest and admin account
- Redirect connections to HTTPS (internal connection)
- Upgrade SSL profile level
- Change the default ports
- Keep your Synology up-to-date
1. Enable 2-step authentication
I already have a blog post on it, so check it out here and come back for more 🙂
2. Disable guest and admin account
You are probably wondering why I am asking you to disable those accounts. Here is why, and it is especially true if you decide not to enable 2-step authentication: if somebody tries to hack your Synology, they need to know two things: your username and your password. If you don't disable those accounts, they already have the username of at least two of your users (admin and guest), and that way you are making it way too easy for them. If they want to hack your NAS, make it a bit cumbersome for them and they might leave you alone and look for an easier target 😉
Ok, now that we know why, let's see how:
- Control Panel
- Click on Users
- Now click on the user you want to disable, for example admin
- and click Edit
That will take you to the next screen where you can disable those accounts.
3. Redirect connections to HTTPS
You want all your data traffic to be secure right? To do that, redirect all your HTTP connections to HTTPS. Here is how you do it:
- Control Panel
- Click on Network
- Click on Automatically redirect HTTP to HTTPS
Oh! Is it that easy? Well... no, unfortunately.
Once you change that and your web server restarts, you will be presented with this message in all browsers (see image below).
Did I break your NAS? No, don't worry: the browsers are only complaining because there is no trusted certificate for that address yet.
To get to your NAS, click on "Advanced":
And then "Proceed to..." and you will regain access to your NAS:
But Ruth, I don't want to do this every time! Ok, ok, got you: to avoid that, just add your IP as a trusted site and you are good to go. Here is a link on how to do it for all browsers.
4. Upgrade SSL Profile level
If you have a new NAS, you probably have Modern compatibility chosen as the SSL profile level, but if your NAS is old, chances are high you have Intermediate.
This setting specifies which protocols and cipher suites are accepted when connecting over SSL/TLS. Here is a post on how to add SSL when connecting to your NAS. Modern compatibility allows only modern browsers (which are more secure). Here is how you change it:
- Control Panel
- Go to Security
- On SSL profile level, change it to Modern compatibility
- Click OK.
5. Change the default ports
Synology’s default ports to access your NAS are 5000 and 5001 and you should change them.
Why? Same reasons as step 2: an attacker can find out which ports you have open on your router, it is not that hard, but if the default ports are not the ones that are open, they will leave you alone, as they are too lazy to scan your network and will move on to easier bait. So change them.
Here is how. Go to:
- Control Panel
- Network
- Change the HTTP port
- Change the HTTPS port
- and apply
and now you will have to re-add the IP to your browsers as you did in step 3.
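To check from a client on your LAN that steps 3 and 5 actually took effect, here is an added example script; it is not part of the original post and not Synology code or any DSM API. It sends one plain-HTTP request to the HTTP port you chose and reports whether the NAS answers with a redirect to https://, and it checks whether the old default ports 5000 and 5001 still accept connections. The NAS address, the chosen port numbers (6606 is only an example HTTPS port) and the throw-away local demo server it uses when run stand-alone are all assumptions.

```python
"""Added example (not from the original post, not DSM code): a small LAN-side audit
for two of the settings above. Host, ports and the demo server are assumptions."""
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

DEFAULT_DSM_PORTS = (5000, 5001)  # Synology defaults named in the post


def port_is_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds (something listens there)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_https_redirect(host, http_port, https_port=None, timeout=5.0):
    """Send one plain-HTTP GET and report whether the server redirects to HTTPS.

    Returns (ok, detail): ok is True only when the status is 3xx and the Location
    header starts with https:// (and, if https_port is given, points at that port)."""
    conn = http.client.HTTPConnection(host, http_port, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        location = resp.getheader("Location", "")
    except OSError as exc:
        return False, f"connection failed: {exc}"
    finally:
        conn.close()
    if not 300 <= resp.status < 400:
        return False, f"no redirect, status {resp.status}"
    if not location.lower().startswith("https://"):
        return False, f"redirect target is not HTTPS: {location!r}"
    if https_port is not None and f":{https_port}" not in location:
        return False, f"redirect does not use HTTPS port {https_port}: {location!r}"
    return True, location


def audit(host, http_port, https_port):
    """Run both checks; returns a list of (check name, passed, detail) tuples."""
    findings = []
    ok, detail = check_https_redirect(host, http_port, https_port)
    findings.append(("http_redirects_to_https", ok, detail))
    for port in DEFAULT_DSM_PORTS:
        listening = port_is_open(host, port)
        findings.append((f"default_port_{port}_closed", not listening,
                         "still open" if listening else "closed"))
    return findings


class _RedirectHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for 'Automatically redirect HTTP to HTTPS' (not DSM code)."""
    https_port = 5001

    def do_GET(self):
        host = (self.headers.get("Host") or "localhost").split(":")[0]
        self.send_response(301)
        self.send_header("Location", f"https://{host}:{self.https_port}{self.path}")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_demo_redirect_server(https_port=5001):
    """Start a throw-away local HTTP server that redirects to HTTPS; returns (server, port)."""
    handler = type("Handler", (_RedirectHandler,), {"https_port": https_port})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    # Demo against the local stand-in; point audit() at your NAS address and the
    # HTTP/HTTPS ports you chose in step 5 to check the real thing.
    srv, port = start_demo_redirect_server(https_port=6606)
    for name, passed, detail in audit("127.0.0.1", port, 6606):
        print(f"{'PASS' if passed else 'FAIL'} {name}: {detail}")
    srv.shutdown()
```

Run it from a machine on the same LAN as the NAS; a FAIL on the redirect line means step 3 is not active (or the HTTP port is wrong), and a FAIL on a default-port line means 5000 or 5001 is still listening, so step 5 did not stick or the old port is still forwarded.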
6. Keep your Synology up-to-date
Goes without saying, right? But you have two ways to keep your Synology up to date: manually, or let the Synology do the job for you.
Here is how your Synology can update itself:
- Control Panel
- Update & Restore
- Update settings
- Click “Newest DSM and all updates”
- and “check for DSM updates automatically”
and you are good to go for now.
We will continue with more advanced settings in future posts, but if you don't want to wait for updated guides, check the old guides here:
In the next post, I will show you how to access your Synology from outside your network. It is time to let our NAS fly!
Hi, great job, as Synology user I love it.
Just a question: why did you choose the 6600 and 6606 ports instead of 5000 and 5001? Regards.
Hi Nicola!
It is a best practice to change the default port numbers so you don’t make it too easy for hackers 😉
/Ruth
Right, thanks.
Hi, this is all good advice. I did this and then tried to configure the Synology to use a Let's Encrypt certificate. Let's Encrypt's validation server tries to connect to port 80 and it's failing. I have port 80 NAT forwarded to the Synology and my firewall rules allow port 80 on the WAN and LAN for the Synology. It's not logging any blocks.
Do these changes affect Synology's Let's Encrypt client?