Securing the DSM desktop when accessed from the internet


Recently I was looking for a way to make Synology’s DSM desktop accessible from the internet. It is a controversial thing to do. Some people think the DSM desktop is an administrator’s tool that must never be reachable from outside the local network; others think that, with the appropriate measures, it can be used from outside for non-administrative tasks. This post is about those measures. The DSM desktop lets me drag and drop files from the local machine through the browser into File Station, which makes me less dependent on FTP. I would like to be able to do basic tasks with File Station, Audio Station, Video Station and Download Station. Before I make the desktop available on the internet, I have to resolve the following issues:

  1. Synology uses a fixed account name for the administrator: Admin. This account also holds root privileges on the DiskStation, and there is no way to rename it. It isn’t rocket science to find out that I use a Synology and that its administrator is called Admin, so an attacker only has to guess that account’s password. An administrator account that can have any name is considerably harder to attack.
  2. Password authentication alone isn’t enough for an administrator account. It needs an extra layer of authentication.
  3. The DSM desktop must only be accessed over an HTTPS connection.
  4. Daily tasks must be done with a locked-down regular user account. The administrator account must be used only to administer.

The ‘one size fits all’ solution seems to be configuring the VPN server on the DiskStation and accessing the desktop over a VPN tunnel. The drawback is that it is not always possible to set up a VPN tunnel, and it seems overkill to bring up the VPN just to start Audio Station. So I have to address the issues above to make the DSM desktop usable from the internet.

This solution requires you to have a smartphone. It uses DSM’s 2-step verification with the Google Authenticator app (see 1.5): the app generates time-based one-time codes from a secret shared with the DiskStation and the current time, so no Google account is involved in the verification itself. More information: http://www.google.com/2step

1. Prerequisites

Before you can continue, you have to configure some components that will be used. You will need the following:

1.1 SSL certificate

You need an SSL certificate installed on your DiskStation. Your DiskStation already has a self-signed certificate, which is sufficient for this task. If you have installed a third-party certificate to provide HTTPS on your web server, that one is usable too. Depending on the root certificates installed on your computer (the client) you may get a warning that the certificate cannot be verified. With a self-signed certificate you can choose to trust it, but only because you know the source: that same warning is exactly what a man-in-the-middle looks like, so note the certificate’s fingerprint while you are on your local network and compare it before you accept the certificate from an untrusted network. Synology wrote a tutorial about SSL certificates here.

You can force the DiskStation’s login onto an HTTPS connection. Go to Control Panel > DSM Settings and select the HTTP Service tab. Tick the check box in front of Enable HTTPS connection and the one in front of Automatically redirect HTTP connections to HTTPS. Make sure you entered the correct ports for HTTP and HTTPS; the defaults are 5000 for HTTP and 5001 for HTTPS.

Click Apply to save these settings.

1.2 E-Mail notification

To use 2-step verification you have to enable the e-mail notification service. Go to Control Panel > Notification > E-Mail on your DiskStation’s desktop and make sure Enable E-mail notifications is checked. Enter an SMTP server to deliver the outgoing mail to; this may be your internet service provider’s SMTP server if you don’t run a mail server yourself. You also have to enter a Primary email address, the reply-to address used in notification e-mails. If the account you use to administer the notifications has a valid e-mail address, you can send a test message with the Send a test email button. Click Apply to save these settings.

1.3 NTP client

The next thing to have in place is the NTP client of your DiskStation. The 2-step verification codes are derived from the current time, so when the DiskStation’s clock is too far out of sync with your phone the codes it expects no longer match the ones the app shows, and you cannot log in. The time has to be consistent, and an NTP server keeps it that way. Go to Control Panel > Regional Options. The first tab holds the settings that must be set: select the time zone for your region and select the radio button Synchronize with a NTP server. The default network time server will do, but you can change it if you want to. Click the Update now button and press Apply to save these settings.

1.4 Port forwarding

You need access to the router you are using to add a port forwarding rule: port 5001 (the default HTTPS port of the DiskStation’s desktop) must be forwarded from the internet to your DiskStation. Refer to your router’s manual on how to do this, but wait with forwarding the port until the rest of the configuration in this article is done.

1.5 Google Authenticator

To generate the verification codes you need the Google Authenticator app on your smartphone. Google offers the app for all major platforms: install it from Google Play (this requires a Google account), the Apple App Store or the Windows Phone Store, and follow the instructions on the screen of your device during installation. Any other app that implements RFC 6238 time-based one-time passwords works with DSM’s 2-step verification as well.

1.6 A regular user account

You will need to have a regular user account to work with your DiskStation. Create one if you haven’t already.

2. Implementation

With all the prerequisites in place you now can start putting the pieces together. This section describes the steps to do this.

2.1 The admin account

As mentioned before, Synology has a fixed admin account and there is no way to change that without breaking something. To minimize the risk of a successful brute force attack on this account it has to have a very strong password and the Auto Block feature must be turned on. Besides that, you should stop using this administrative account (only use it when a job cannot be done otherwise). Before you can do that, you have to create a new account for the common administrative tasks. The default Admin account is the equivalent of the root account on a Linux system; the new administrative account will have administrative privileges on your DiskStation, but is not as powerful as the default Admin account.

2.1.1 Create a new admin account

Before you can stop using the default Admin account you have to create a new account on your DiskStation. Go to Control Panel > Users and click the Create button:

Enter a name for the account; in this example I’ll use ShadowAdmin. Give the account a strong password that you can remember: a mix of uppercase and lowercase letters, digits and special characters, at least 8 characters long (longer is better). The account also needs a valid, working e-mail address: this is the address Synology uses to send an emergency verification code when you lose your phone. Click Next to continue.

The second screen of the wizard lets you make the ShadowAdmin account a member of the administrators group. This group provides the administrative privileges to the account.

Tick the box behind administrators and click the Next button.

Continue with the defaults of the wizard by clicking Next until you arrive at the last screen, and click Apply there to create the ShadowAdmin account. When the account is created you can log the Admin account off the DiskStation’s desktop.

2.1.2 Configure 2-step verification for the new admin

Log on with the credentials of the ShadowAdmin account in the DiskStation. Click the user symbol in the upper right corner to open the user menu and click Options:

This is the part where your smartphone with Google Authenticator is needed. In the first tab (Account) check the box in front of Enable 2-step verification. This starts a wizard.

In the first screen you can change the e-mail address of the ShadowAdmin account if you want to. This address has to be valid and working. Click Next to continue.

On the next screen you will see a QR code. It encodes the secret key that has to be entered into Google Authenticator on your smartphone, so treat the screen like a password: anyone who captures the QR code can generate your codes. Tell the app to add a new account (where exactly depends on the type of device and on whether you already use the app for other accounts); it then lets you either type the key manually or scan the QR code from the monitor. This description scans the QR code.

When the smartphone has read the QR code successfully, click the Next button.

The app now shows a verification code that you have to enter:

Enter the code and click Next.

The following screen will confirm that you have successfully set up the 2-step verification for your ShadowAdmin account.
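What the wizard just set up, as an added example in Python (not code from the original post or from Synology): DSM’s 2-step verification is RFC 6238 TOTP, so the QR code of 2.1.2 carries an otpauth:// URI with a base32 secret, and both the app and the DiskStation derive each 6-digit code from that secret and the current 30-second time step. That is also why the NTP sync of 1.3 matters, which the skew check at the end demonstrates. The URI and secret below are constructed (the secret is RFC 6238’s published SHA-1 test key, not a real DSM export), and the names parse_otpauth, hotp, totp, verify and skew_demo are this example’s own.

```python
"""TOTP as used by DSM's 2-step verification (RFC 6238), plus a clock-skew check.
Added example: the otpauth URI and secret are constructed, not a real DSM export."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed: RFC 6238's SHA-1 test secret "12345678901234567890" in the base32
# form a QR code carries. A real DSM QR code holds a different, random secret.
EXAMPLE_URI = ("otpauth://totp/DiskStation:ShadowAdmin"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=DiskStation")


def parse_otpauth(uri):
    """Decode the otpauth:// URI behind the QR code into its shared secret and parameters."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(u.query)
    b32 = q["secret"][0].upper()
    b32 += "=" * (-len(b32) % 8)            # authenticator apps omit base32 padding
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": q.get("issuer", [""])[0],
        "key": base64.b32decode(b32),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, decimal code."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, unix_time, period=30, digits=6):
    """RFC 6238: the HOTP counter is the number of whole periods since the epoch."""
    return hotp(key, int(unix_time) // period, digits)


def verify(key, code, unix_time, period=30, digits=6, window=1):
    """Server side: accept the current step and +/-window neighbours, constant-time compare."""
    step = int(unix_time) // period
    return any(hmac.compare_digest(hotp(key, step + d, digits), code)
               for d in range(-window, window + 1))


def skew_demo(key, phone_time, nas_drift_seconds):
    """The phone generates a code at phone_time; the NAS clock is off by nas_drift_seconds.
    Returns whether the NAS accepts the code."""
    code = totp(key, phone_time)
    return verify(key, code, phone_time + nas_drift_seconds)


if __name__ == "__main__":
    cfg = parse_otpauth(EXAMPLE_URI)
    now = time.time()
    print("account:", cfg["label"], "current code:",
          totp(cfg["key"], now, cfg["period"], cfg["digits"]))
    print("NAS 20 s slow, code accepted:", skew_demo(cfg["key"], now, -20))
    print("NAS 5 min slow, code accepted:", skew_demo(cfg["key"], now, -300))
```

verify() accepts the previous and next 30-second step as well, which tolerates a few seconds of drift between phone and NAS; with the clock five minutes off, as in skew_demo(..., -300), every code the phone shows is rejected and you are locked out, which is the failure mode 1.3 warns about. This page does not state how wide DSM’s own acceptance window is; the principle is the same.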

2.1.3 Test the new Admin account

Now is a good time to test the ShadowAdmin account; you still have the opportunity to access your DiskStation as an administrator with the Admin account if something goes wrong. Log off the current session and log in as ShadowAdmin. It uses the regular Username/Password screen: enter the credentials and click the arrow to log in.

If you entered valid credentials, the DiskStation sees that the account has 2-step verification enabled and asks for a code.

Enter the 6 digits currently shown by the Google Authenticator app on your smartphone and click the arrow.

When you did all the steps correctly you arrive at the DiskStation’s desktop. If you set the group membership correctly for this account you will see the Control Panel icon on the desktop, and you are good to go. (Otherwise log on as Admin and make ShadowAdmin a member of the administrators group.)

2.1.4 Creating a regular user account

If you haven’t done so, now is the moment to create a regular user account for accessing your DiskStation for daily tasks like using Audio Station or accessing the shares. This seems more complicated, but it actually protects you: administering is done with an administrative account, and using functionality is done with a regular account that has just enough privileges for that. Make this your way of life. Give this regular user account a fairly strong password, better than your pet’s name but still something you can remember. I’ve read elsewhere that it is not a good idea to use 2-step verification on this account, because not all services can handle it; a strong password will do. To counter brute force attacks, enable the Auto Block feature (see 2.2).

Go to Control Panel > Users and create a regular user account if you haven’t already. In the application permissions step, grant the account only the applications it needs.

2.1.5 The default Admin account

Because it is not possible to rename the default Admin account, a new account with administrative privileges has been created (ShadowAdmin). I deliberately chose not to apply 2-step verification to the default Admin account: if the mechanism fails, that would leave the account unusable. Therefore the account must have an extremely strong password, which combined with the Auto Block feature limits the number of attempts and so reduces the risk of a successful brute force attack. After you set up the default Admin account as described, you should disable it. (You can still use the root account if you have to access your DiskStation over SSH.)

For the default Admin account you need a complex password. There are many sites that will generate one, but prefer a generator that runs on your own machine (a password manager or a local tool): a web site that generates your root-equivalent password has seen it. Whichever you use, make sure it can include special characters, digits and letters (uppercase and lowercase) and can produce at least 32 characters. You will get something like: $P0+e~69KKoH*l5u75X+KO@J%K7xi@q2%~0^FMW^l9#+^Z3P

Write the password down on paper and store it in a safe place. If you also choose to save it in a file somewhere (you may want to copy and paste it in the future), put it in a password-protected archive or an electronic vault, and keep in mind that this is less safe than retyping the password from paper every time you need it. You shouldn’t use this account unless the task cannot be done otherwise.

Change the default Admin account’s password to the one you just generated (Control Panel > Users, edit the Admin account). Click OK to make the new password persistent. You may want to test this by logging on with the new password; when you have tested it, log on as ShadowAdmin again.

Log on to DSM with your newly created administrator account (ShadowAdmin) using 2-step verification and disable the default Admin account. (You can’t disable an account that is logged on to DSM, so this has to be done from the ShadowAdmin account.) If you ever run into problems with the new admin account (e.g. 2-step verification fails or you can no longer log in as ShadowAdmin), you can perform a reset that leaves your DSM installation (including the installed packages) in place. The description of the reset can be found here: http://www.synology.com/en-global/support/tutorials/493.

2.2 The auto block function

To reduce the risk of being hacked by a brute force attack on one of the accounts, Synology implemented an Auto Block function, and it is a good idea to activate it. Go to Control Panel > Auto Block. There are two tabs that need attention.

Enable the Auto Blocker by ticking the check box in front of Enable auto block. The default of 5 login attempts in 5 minutes is sufficient; you can change it if you want to. Tick Enable block expiration to have a block lifted automatically after a while; leave it unticked if you want blocks to be permanent. Keep in mind that a permanent block also locks you out when it was triggered from the shared public address you happen to be behind (a hotel or a mobile carrier), so an expiring block is the safer default unless your own addresses are on the allow list.

The second tab is the Allow list tab.

In this tab you define IP addresses that are never blocked. This is useful for the addresses in use on your local network: by entering them here you always keep access to your DiskStation, even when violating the Auto Block rule. You can enter a single host (e.g. 192.168.1.101) or a whole network (e.g. 192.168.1.0 with its subnet mask).
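How the 5-attempts-in-5-minutes rule, the allow list and block expiration interact, as an added example in Python (not DSM’s implementation, whose internals this post does not show): a sliding-window counter of failed logins per source address, an allow list of hosts and networks that bypasses it, and an optional expiry, replayed over a few constructed failed-login lines. The log format, user names and addresses are made up for the example; real DSM log lines look different, and the class and function names are this example’s own.

```python
"""Sliding-window failed-login blocker with an allow list, modelled on DSM's Auto Block.
Added example: the log format and the addresses below are constructed, not DSM's own."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timezone


class AutoBlocker:
    def __init__(self, max_attempts=5, window_seconds=300, block_seconds=None, allow_list=()):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.block_seconds = block_seconds      # None = the block never expires
        self.allow_list = [ipaddress.ip_network(n, strict=False) for n in allow_list]
        self.failures = defaultdict(deque)      # ip -> timestamps of recent failures
        self.blocked_at = {}                    # ip -> time the block started

    def is_allowed(self, ip):
        """Allow-listed hosts and networks are never counted, let alone blocked."""
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allow_list)

    def is_blocked(self, ip, now):
        start = self.blocked_at.get(ip)
        if start is None:
            return False
        if self.block_seconds is not None and now - start >= self.block_seconds:
            del self.blocked_at[ip]             # block expiration enabled and elapsed
            return False
        return True

    def record_failure(self, ip, now):
        """Count a failed login at time `now`; return True if `ip` is blocked afterwards."""
        if self.is_allowed(ip):
            return False
        if self.is_blocked(ip, now):
            return True
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                    # drop attempts older than the window
        if len(recent) >= self.max_attempts:
            self.blocked_at[ip] = now
            recent.clear()
            return True
        return False


# Constructed log lines in a made-up format (timestamps are UTC); a real DSM log differs.
SAMPLE_LOG = """\
2014-03-01T10:00:00 login failed user=admin src=203.0.113.7
2014-03-01T10:00:05 login failed user=admin src=203.0.113.7
2014-03-01T10:00:11 login failed user=admin src=203.0.113.7
2014-03-01T10:00:18 login failed user=root src=203.0.113.7
2014-03-01T10:00:25 login failed user=admin src=203.0.113.7
2014-03-01T10:00:31 login failed user=admin src=203.0.113.7
2014-03-01T10:01:00 login failed user=user1 src=192.168.1.50
2014-03-01T10:01:02 login failed user=user1 src=192.168.1.50
2014-03-01T10:01:04 login failed user=user1 src=192.168.1.50
2014-03-01T10:01:06 login failed user=user1 src=192.168.1.50
2014-03-01T10:01:08 login failed user=user1 src=192.168.1.50
2014-03-01T10:01:10 login failed user=user1 src=192.168.1.50
2014-03-01T10:02:00 login failed user=admin src=198.51.100.9
2014-03-01T10:04:00 login failed user=admin src=198.51.100.9
2014-03-01T10:06:00 login failed user=admin src=198.51.100.9
2014-03-01T10:08:00 login failed user=admin src=198.51.100.9
2014-03-01T10:10:00 login failed user=admin src=198.51.100.9
""".splitlines()

LOG_RE = re.compile(r"^(\S+) login failed user=(\S+) src=(\S+)$")


def replay_log(lines, blocker):
    """Feed failed logins to the blocker; return the addresses it blocked, in order."""
    blocked = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1)).replace(tzinfo=timezone.utc).timestamp()
        ip = m.group(3)
        if blocker.record_failure(ip, ts) and ip not in blocked:
            blocked.append(ip)
    return blocked


def run_sample(allow_list=("192.168.1.0/24",), block_seconds=None):
    """Replay SAMPLE_LOG with the LAN allow-listed; returns (blocked ips, blocker)."""
    blocker = AutoBlocker(allow_list=allow_list, block_seconds=block_seconds)
    return replay_log(SAMPLE_LOG, blocker), blocker


if __name__ == "__main__":
    blocked, blocker = run_sample()
    print("blocked:", blocked)                       # only 203.0.113.7
    print("LAN host blocked?", blocker.is_blocked("192.168.1.50", 0))
```

Only 203.0.113.7 gets blocked: it fails five times within 25 seconds. The LAN host fails six times but is on the allow list, and 198.51.100.9 fails five times too, but spread over eight minutes, so never more than three fall inside one 5-minute window. That last case is the reason a slow, patient attacker is not stopped by Auto Block alone and the passwords still have to be strong.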

2.3 The final step

There is one thing left to do: Forward port 5001 from the internet to the DiskStation. (See 1.4 Port forwarding) When you completed this step, you are good to go. Your DiskStation’s desktop can now be used from the internet.