
So I have SFTP running on a server that I'm working on. It works fine, and it has a very long, random, roughly 20-digit password to log in. I've already looked at the Synology logs, and since port 22 is exposed, hackers have already tried and failed at guessing a way in (IPs from India), etc.

I'm thinking that it might be more secure to use a VPN, which you can set up with Synology, and then just access the files from there? That said, a VPN requires forwarding ports too, so really how is this any more secure than just using the SFTP service?

All of these services exposed to the WAN could have an exploit that is discovered (buffer overflow exploits, etc.) that could be taken advantage of to gain remote access to the system or run arbitrary code, etc.

What steps should I take to secure this? I have a decent amount of knowledge about this, but I'm always down to learn more. The first most obvious step to me is change from port 22 to a totally random port.

What else can I do? How can I keep from being exploited? We could just use the VPN server and OpenVPN on the clients into the Synology file server, and then still use SMB or SFTP, but since that opens ports too, how is that more secure? Those services running on those ports could have exploits found in Synology itself.

user2963603
  • 111
  • 3
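The question mentions seeing failed login attempts in the Synology logs. The following is an added example (not part of the original post) of the detection logic a defender would run over such logs: it parses sshd authentication lines, flags source IPs that exceed a failure threshold inside a sliding time window (the same idea fail2ban applies), and separately lists any successful password-based logins, since those show that password authentication is still enabled on the exposed service. The log lines are constructed for the example and follow the standard OpenSSH syslog format; the assumption is that the NAS's sshd lines look the same, and the regex is the part to adjust if they do not. The year is not present in syslog timestamps, so it is passed in as a parameter.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH syslog format. Assumption: the NAS's sshd
# logs the same "Failed/Accepted <method> for [invalid user] <user> from <ip>"
# lines; if not, only LINE_RE needs changing.
SAMPLE_LOG = """\
Dec 19 04:58:01 nas sshd[2231]: Failed password for root from 203.0.113.10 port 51234 ssh2
Dec 19 04:58:03 nas sshd[2231]: Failed password for root from 203.0.113.10 port 51235 ssh2
Dec 19 04:58:05 nas sshd[2233]: Failed password for invalid user admin from 203.0.113.10 port 51236 ssh2
Dec 19 04:58:09 nas sshd[2235]: Failed password for invalid user test from 203.0.113.10 port 51240 ssh2
Dec 19 04:58:12 nas sshd[2236]: Failed password for invalid user oracle from 203.0.113.10 port 51241 ssh2
Dec 19 05:10:44 nas sshd[2300]: Failed password for backup from 198.51.100.7 port 40001 ssh2
Dec 19 05:40:00 nas sshd[2400]: Accepted password for backup from 192.0.2.20 port 40002 ssh2
Dec 19 06:01:10 nas sshd[2500]: Accepted publickey for backup from 192.0.2.20 port 40003 ssh2
"""

# Matches both failed and successful sshd authentication lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_events(text, year=2019):
    """Parse sshd auth lines into event dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so the caller supplies it.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({
            "time": ts,
            "ok": m["result"] == "Accepted",
            "method": m["method"],
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def find_bruteforce_sources(events, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: peak_failures} for IPs with >= threshold failures in any window.

    A two-pointer sweep over each IP's sorted failure times finds the densest
    window, so a slow scanner spread over hours is not confused with a burst.
    """
    failures = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[e["ip"]].append(e["time"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def password_logins(events):
    """IPs that logged in with a password: evidence password auth is still enabled."""
    return sorted({e["ip"] for e in events if e["ok"] and e["method"] == "password"})


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for ip, n in find_bruteforce_sources(evts).items():
        print(f"brute-force candidate: {ip} ({n} failures within 10 min)")
    for ip in password_logins(evts):
        print(f"successful password login from {ip}; consider key-only auth")
```

On real data, feed the output of the NAS's auth log into `parse_events` and pass the correct year; the flagged IPs are what a firewall block list or fail2ban jail would act on, and a non-empty `password_logins` result is the cue to switch SFTP to key-based authentication regardless of which port it listens on.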

1 Answer


The generally accepted option is a VPN. To make it more secure (additional layer) you could use that VPN to access a jump box, a machine that can then be used to access the FTP service after logging in to it. I would suggest a full tunnel VPN and a jump box that allows you to upload files, maybe using a client like FileZilla. I would suggest that you do not use any RDP services directly on the internet.

vol
  • 31
  • 3
  • But a VPN does expose RDP ports to the WAN though? So how is that more secure technically? – user2963603 Dec 19 '19 at 05:01
  • A VPN doesn’t use RDP; you can configure it a variety of ways and using different ports. Different ports are not in themselves a security feature, of course. The Windows RDP protocol specifically has a known buffer overflow, BlueKeep, hence don’t use that directly exposed on the internet, among other reasons. A VPN can allow access to a network; then, by using a jump box, further authentication is required to use any resources. Layered defence. – vol Dec 19 '19 at 05:08
  • I see, I think I'm going to just use OpenVPN. You can use this through the Synology server itself and then get to files and other services that way! – user2963603 Dec 19 '19 at 06:20
  • Thanks for your help! I can't really use a jump box easily with this Synology setup we have. I would have to have another machine up with OpenVPN, etc. It wouldn't be practical. I'm assuming just having the OpenVPN server on the Synology NAS device and connecting via a client, since it's encrypted, etc., is a huge security boost versus just using SFTP with an exposed port 22 open? Also, my VPN is working correctly, but why, when I use canyouseeme.org, is port 1194 closed? I opened it to set this up and forwarded it in the router. Everything works fine, but it doesn't show on port scanners? – user2963603 Dec 19 '19 at 08:01
  • With the info you have given I would have to guess. It may be that the port scanner tool is doing a pre-test and that pre-test might return an incorrect result, not proceeding with more comprehensive tests. If you can access the VPN port with the correct client software then I wouldn’t be concerned that it’s not visible. There are other tools you could use to test, GRC shields up, Binary Edge, Shodan, which might give more results. I don’t know if the SFTP server you have in mind might be as secure, but OpenVPN with multi factor enabled will be a secure option. – vol Dec 19 '19 at 23:20