After your Synology DiskStation is available on the Internet, you will need to safeguard it against any attacks from Internet hackers.
This chapter explains how to enhance browsing security, set up the firewall, and enable auto block.
Enhance Browsing Security
Click the Options button at the top-right corner of Main Menu to enhance DSM's browsing security.
Modify HTTP Service Options
Click the HTTP Service Options to change the port number or enable HTTPS connection.
When the HTTPS connection is enabled, any connection to Synology DiskStation via the HTTP protocol will be encrypted with the SSL/TLS encrypting mechanism.
To change the default HTTP or HTTPS port number (for DSM and Audio Station):
1 Enter the port number in the HTTP or HTTPS field.
2 Click OK.
To enable HTTPS connection:
1 Tick Enable HTTPS connection.
2 Click the optional Import Certificate or check Automatically redirect HTTP connections to HTTPS. (See the section below for more information.)
Synology DiskStation User's Guide Based on DSM 3.0
55 Chapter 6: Enhance Internet Security
More Information
About redirecting to HTTPS connection:
When the option Automatically redirect HTTP connections to HTTPS is checked, you will be redirected to
port 5001 while trying to access the web management UI through port 5000.
Ports used for HTTPS connection:
DSM: The port number is 5001, so you can access the management UI through the secure channel:
https://Synology_Server_IP:5001/
Web Station: The port number is 443, so you can access Web Station through the secure channel:
https://Synology_Server_IP:443/ or https://Synology_Server_Name:443/
Photo Station: The port number is 443, so you can access Photo Station through the secure channel: https://Synology_Server_IP:443/photo/ or https://Synology_Server_Name/photo/
About importing certificate:
If you have a certificate issued by the trusted Certificate Authority (CA), please click Import Certificate to
upload your own certificate and private key in order to host a valid SSL server. The certificate should match the
private key. Please keep your private key safely.
Adjust Session Security
Click the Session Security tab to modify the security level for each DSM browsing session.
You can adjust session security by doing the following:
Set the logout timer: An automatic logout occurs if you are inactive for the time period you specified in the logout timer.
Skip IP checking: If you access DiskStation through a HTTP proxy and encounter random logouts, you can skip IP checking to avoid this problem. Nonetheless, skipping IP checking will lower the security level.
To set the logout timer:
1 Enter any value between 1 to 65535 in Logout timer (minutes) to specify the idle time period before the automatic logout.
56 Chapter 6: Enhance Internet Security
To skip IP checking:
1 Tick Enhance browser compatibility by skipping IP checking.
2 Click OK.
Enable File Browser log
Click the File Browser tab to start monitoring the File Browser activities of all users.
Note: For more information about File Browser, see "Access Files via File Browser" on Page 84.
To enable File Browser log:
1 Tick Enable File Browser log.
2 Click OK.
To see the File Browser log:
Go to Main Menu > System Information > Log, and choose File Browser log from the drop-down menu. The user activities are shown under the Event column, including Upload, Download, Delete, Rename, Move, Copy
Synology DiskStation User's Guide Based on DSM 3.0
57 Chapter 6: Enhance Internet Security
Prevent Unauthorized Connection with Firewall
The built-in firewall can prevent unauthorized logins, and control which services can be accessed. In addition, you can choose to allow or deny access to certain network ports from specific IP addresses.
Go to Main Menu > Control Panel > Firewall to create firewall rules.
Note: You can create up to 100 rules for Synology DiskStation.
To create a firewall rule:
1 Click the General, LAN 1, LAN 2 (dual LAN models only), LAN, PPPoE, or Wireless Network tab, depending on the type of your network connection.
2 Click Create to open the settings window.
3 Choose an option in the Ports section. You can apply the rule to all ports or selected ports using one of the following options:
All: Choose this option to apply the rule to all ports on Synology DiskStation.
Select from a list of built-in applications: Tick the system services that will be included in the rule. Custom: Specify the type and protocol of the port, and enter the custom port number.
You can enter up to 15 ports separated with comma, or by specifying a port range.
4 Specify the source IP address in the Source IP section. You can choose to allow or deny access from a particular source IP using one of the following options:
All: Choose this option to apply the rule to all source IP addresses. Single host: Choose this option to apply the rule to an IP address. Subnet: Choose this option to apply the rule to a subnet.
5 Choose Allow or Deny in the Action section to allow or deny the source IP address to access the specified ports.
58 Chapter 6: Enhance Internet Security Note:
When you combine 2 networks with link aggregation, firewall will apply the rules from the first network interface, and reserve the rules of the second network interface1 Link Aggregation
. For more information about link aggregation, see " " on Page 25.
If your system has 2 network ports connecting to the same subnet, the firewall rules might not work properly.
To change the priorities of rules:
Reorder the rules by dragging any of them up or down. Rules at the top will have higher priorities.
To disable rules:
Uncheck the checkboxes next to the rules.
To delete rules:
Select the rules you want to delete and click Delete.
Automatically Block Suspicious Login Attempts
Auto block allows you to prevent unauthorized loginvia SSH, Telnet, rsync, FTP, mobile devices, File Station, and the management UI. After enabling the service, an IP address will be blocked automatically if it has too many failed login attempts.
Go to Main Menu > Control Panel > Auto Block to use the auto block function.
To enable auto block:
1 Tick Enable auto block.
2 Enter the following information to block an IP address with a number of failed login attempts within the
specified minutes :
Login attempts: The number for failed login attempts Within (minutes): The number of minutes
---
1
Synology DiskStation User's Guide Based on DSM 3.0
59 Chapter 6: Enhance Internet Security
3 Tick Enable block expiration and enter a number of days in the Unblock after (days) field if you want to unblock the IP address after the specified days.
Note: The IP address will remain blocked if Unblock after (days) is set to 0.
4 Tick Enable email notification to receive email notification when an IP address is blocked. Make sure email notification is enabled for your Synology DiskStation before using this option.
Note: For more information about email notification, see "Receive Email Notification" on Page 169.
To manage the blocked IP addresses:
1 Click Block List to check the blocked IP addresses.
60