Synology Hardening steps to change the default settings to improve security on a Synology NAS.
Synology DSM 6.1 hardening settings:
Using the Security Advisor:
Install and run the Synology Security Advisor and consider applying the settings it advises.
Control Panel, Update & Restore, DSM Update:
- Update Settings. Change the update settings so that security fixes are applied as soon as possible.
Control Panel, user:
- Create a new user with full administrative rights, test this new user, then disable the default admin account.
- Advanced, Password Settings, select Allow non-administrator users to reset forgotten passwords via email.
- Advanced, Password Settings, Apply password strength rules, select:
- Exclude name and description of user from password.
- Include mixed case
- Include numeric characters
- Include special characters
- Exclude common password
- Minimal password length: 8
- Password history (times): 1
- Advanced, Password Expiration, select:
- Enable password expiration
- Maximum password valid duration (days): 183 (except administrator users). For administrator users, check Password is always valid and change their passwords manually on a regular basis.
- Minimum password valid duration (days): 1
- Prompt users to change password upon login before expiration (days): 14
- Send expiration notification emails, sent at 12:00; days before expiration: 14, 10, 5, 3, 2, 1
- Advanced, 2-Step Verification:
- Enforce 2-step verification for the following users: all users
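The password strength rules listed above can be read as a small policy engine. The following is an added example (not Synology's code) that applies the same rule set to candidate passwords so the effect of each rule is visible; the common-password list, the sample user and the plaintext history comparison are constructed for illustration (DSM compares against its own list and stored hashes).

```python
"""Password strength checker modelled on the DSM rules listed above.

Added example, not Synology's own code: it applies the same rule set
(exclude user name/description, mixed case, digits, special characters,
common-password exclusion, minimum length 8, history of 1) to candidate
passwords. The common-password list and sample users are constructed.
"""
import re

# Constructed stand-in for a common-password list (DSM ships its own).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "synology"}

MIN_LENGTH = 8


def check_password(password: str, username: str, description: str = "") -> list[str]:
    """Return the list of violated rules; an empty list means the password is accepted."""
    failures = []
    lowered = password.lower()

    # Exclude name and description of user from password (case-insensitive).
    for token in (username, *description.split()):
        if token and len(token) >= 3 and token.lower() in lowered:
            failures.append(f"contains user name/description token '{token}'")
            break

    # Include mixed case.
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        failures.append("missing mixed case")
    # Include numeric characters.
    if not re.search(r"[0-9]", password):
        failures.append("missing numeric character")
    # Include special characters.
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("missing special character")
    # Exclude common password.
    if lowered in COMMON_PASSWORDS:
        failures.append("common password")
    # Minimal password length: 8.
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    return failures


def password_history_ok(password: str, history: list[str], history_size: int = 1) -> bool:
    """Password history (times): 1 rejects reuse of the most recent password.

    Plaintext comparison is used here for illustration only; a real
    implementation compares against stored password hashes.
    """
    return password not in history[-history_size:]


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "alice2024!", "Password1", "Ab1!"):
        print(candidate, "->", check_password(candidate, "alice", "Alice Smith") or "accepted")
```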
Control Panel, Terminal & SNMP, Terminal:
- If the SSH service is enabled: Advanced Settings, set the security level to High.
Control Panel, Security, Security:
- Improve protection against cross-site request forgery attacks
- Improve security with HTTP Content Security Policy (CSP) header.
- Do not allow DSM to be embedded with iFrame.
- Clear all saved user login sessions upon system restart.
Control Panel, Security, Firewall:
- Consider enabling the firewall, depending on the IT infrastructure. Firewall rules can be enabled for VPN services, which can improve security, or to protect access for Hyper Backup. This can be implemented with an allow rule for the required services followed by a deny rule.
Control Panel, Security, Protection:
- Consider enabling DoS protection, depending on your IT infrastructure.
Control Panel, Security, Account, Auto Block:
- Select Enable auto block, Login attempts: 10, Within (minutes): 5. Enable block expiration, Unblock after (days): 1. Consider using an allow/block list.
Control Panel, Security, Account, Enable Account Protection, Untrusted Clients:
- Login attempts: 5
- Within (minutes): 1
- Cancel account protection (minutes later): 30
Control Panel, Security, Account, Account Protection, Trusted clients:
- Login attempts:10
- Within (minutes):1
- Unblock (minutes later):30
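The Auto Block and Account Protection settings above are three sliding-window thresholds: failures per source IP (10 within 5 minutes, unblocked after 1 day) and failures per account from untrusted clients (5 within 1 minute, cancelled after 30 minutes) and trusted clients (10 within 1 minute, unblocked after 30 minutes). The following added example (not Synology's code) replays constructed failed-login events through these thresholds so you can see which one fires first; the IP addresses, accounts and the trusted-client list are constructed assumptions.

```python
"""Sliding-window login-failure tracker modelling the DSM Auto Block and
Account Protection thresholds listed above.

Added example, not Synology's own code. Auto Block is keyed on the source
IP; Account Protection is keyed on the account, with separate thresholds
for trusted and untrusted clients. All events and addresses are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Policy:
    attempts: int        # failures that trigger the block
    window: timedelta    # "Within (minutes)"
    block_for: timedelta # "Unblock after" / "Cancel account protection"


AUTO_BLOCK = Policy(10, timedelta(minutes=5), timedelta(days=1))
UNTRUSTED_CLIENT = Policy(5, timedelta(minutes=1), timedelta(minutes=30))
TRUSTED_CLIENT = Policy(10, timedelta(minutes=1), timedelta(minutes=30))


class FailureTracker:
    """Counts failures per key inside a sliding window and blocks the key at the threshold."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.blocked_until = {}             # key -> datetime at which the block expires

    def is_blocked(self, key, now):
        expiry = self.blocked_until.get(key)
        if expiry is None:
            return False
        if now >= expiry:                   # block expiration reached: lift it
            del self.blocked_until[key]
            self.failures[key].clear()
            return False
        return True

    def record_failure(self, key, now):
        """Record one failure; return True if the key is (or becomes) blocked."""
        if self.is_blocked(key, now):
            return True
        q = self.failures[key]
        q.append(now)
        while q and now - q[0] > self.policy.window:  # drop failures outside the window
            q.popleft()
        if len(q) >= self.policy.attempts:
            self.blocked_until[key] = now + self.policy.block_for
            return True
        return False


def replay(events, trusted_ips=frozenset()):
    """Feed (timestamp, ip, account) failures through all three policies.

    Returns the IPs blocked by Auto Block and the accounts under Account
    Protection as of the last event.
    """
    ip_tracker = FailureTracker(AUTO_BLOCK)
    untrusted = FailureTracker(UNTRUSTED_CLIENT)
    trusted = FailureTracker(TRUSTED_CLIENT)
    for ts, ip, account in events:
        now = datetime.fromisoformat(ts)
        ip_tracker.record_failure(ip, now)
        (trusted if ip in trusted_ips else untrusted).record_failure(account, now)
    last = datetime.fromisoformat(events[-1][0])
    return {
        "blocked_ips": {ip for ip in list(ip_tracker.blocked_until) if ip_tracker.is_blocked(ip, last)},
        "protected_accounts": {a for t in (untrusted, trusted)
                               for a in list(t.blocked_until) if t.is_blocked(a, last)},
    }


# Constructed sample: 12 failures against "admin" from one external address in 55 s,
# and three typos by a LAN user from a workstation we treat as trusted.
TRUSTED_IPS = frozenset({"192.168.1.20"})
ATTACKER_EVENTS = [(f"2024-01-01T10:00:{s:02d}", "203.0.113.7", "admin") for s in range(0, 60, 5)]
TYPO_EVENTS = [(f"2024-01-01T10:00:{s:02d}", "192.168.1.20", "alice") for s in (10, 20, 30)]

if __name__ == "__main__":
    print(replay(sorted(ATTACKER_EVENTS + TYPO_EVENTS), TRUSTED_IPS))
```

Account Protection fires on the fifth untrusted failure, well before Auto Block's tenth, which is why the untrusted thresholds are the tighter of the two in the settings above; the trusted LAN user's three typos trigger nothing.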
Control Panel, Security, Advanced, TLS / SSL Cipher Suites:
- Select Modern compatibility
Control Panel, Network, DSM settings,
- Select Automatically redirect HTTP connections to HTTPS (Web Station and Photo Station excluded).
- Use the browser's incognito mode or the guest browsing feature when accessing the Synology NAS from a public computer.