Dumb remote security question

enewmen

Occasional Visitor
Hi all.

I got SSL working and the domain with SSL points to my Synology DDNS.
Right now I'm only using WebDAV with a secure connection (very high & obscure port number forwarded) and that account has limited access.

The dumb question is can I be comfortable with HTTPS port 5001 wide open 24/7 with the root/web access available for anyone that has the username/password?
OR better to just be paranoid?

Just trying to understand how good SSL really is.

thanks!
 
SSL will help prevent someone from capturing your traffic between the two devices (including passwords and usernames). It will NOT help prevent a hacker from attacking your system and gaining access due to weak passwords or intrusion prevention methods.
 
Correct.

I personally would not leave that port open 24x7 without some kind of FW/IDS in front of it to stop front door attacks.
 
Thanks for the posts!

It seems it's not as simple as having SSL and a long/strong/ugly username & password - for leaving company data available 24/7 using the same port.

Paranoid wins this time :)
 
I don't know of any company in their right minds (or people for that matter) that allow access to internal files without a VPN. Ideally you'd have two factor authentication for the VPN.

The internet can be a scary place and there are always holes being found. Look up Shell Shocking... that was vulnerable for 22 years!

The best intrusion prevention and data safekeeping method for wired networks that I've ever seen is http://tinyurl.com/pmmvrfc

;)
 
He didn't say he was necessarily hosting "internal only" data on the web server - it could be a B2B or B2C site, so using a VPN might not be practical (or even possible) depending on his consumer base.
 
One suggestion for small NASes is

admin password is very long and complex, random chars or some such.

non-admin users are forced to use two-factor authentication - where you
have google's or some other sync'd passcode generator on your smart phone. Or PC.
 
The two factor authentication sounds interesting for a small NAS.
I didn't think this was possible on a NAS. How can I do this on a Synology, for example? -> Just point me in the right direction please.

thanks!
 
My Synology DSM 4.3 NAS has an option for two factor login authentication - on a per user basis. When a user with the option enabled logs in, the account password must be entered as usual, then the 6 digit access code must be entered. This code, on my system, is provided by a free app on my Android cell phone. App downloaded from Google's app store. You can also use a desktop PC app for the code but the phone is easier.

Beware enabling two factor on every login, including admin - you can get locked out, except for SSH access - and I don't open remote SSH access through the router.

I assume QNAP also has two factor - but don't know.
 
I would definitely go this option, especially if VPN wasn't a possibility.

Frankly I'd belt and suspenders it and add a VPN setup too.

Frankly I just don't allow remote access to my stuff, period. It might bite me in the butt some day, when I haven't really needed it on the road ever and the rare time at work I might really want access to something, I'd be stuck with an LTE connection, limited data plan and probably something like 200-300Kbps link (based on my testing from my desk. If I move outside to a decent place on campus to sit on a bench I can get around 12Mbps or so...but again see limited data plan). I haven't NEEDED access though, just really wanted it a few times.

Back-ups of the data too are that much more important if the data is accessible externally. Pick which makes the most sense for you. Echo, contribute or mirror and also figure out which way you want it to go. Editing files externally and uploading, probably need from NAS to backup. If it'll only ever really be downloading, set read only mode for external users AND set it up to be mirroring from the backup to the NAS, so if anyone does manage to compromise it, none of the compromised files get written to, or overwriting something on the backup.

I'd also personally go with a separate NAS than what I was using for internal hosting as the "backup" with it pulling from the internal "backup" NAS to the external facing one periodically (every 24hrs?).

Me = paranoid though. Not quite tin hat paranoid, but paranoid. I hold my data sacred.
 
Yeah, I do NOT like opening my NAS to the Internet. I do so rarely.

I prefer to copy all my likely-needed files to a 32GB flash drive on my key ring. That includes a 1GB encrypted virtual disk I use on the road and on my desktop. I use SafeHome software for that virtual disk. Free, very good.

I have the two-factor authentication on when I do use it on the road.
I don't use the admin login when on the road - keyloggers/snoops and all.

Sorry - I'm talking about how I use my Synology NAS and this is a thread about Netgear.
But this applies to any NAS with two-factor authentication.
 