Below I explain how I reduced the number of direct attacks on my Synology NAS by correctly configuring the GeoIP firewall built into the DSM operating system. I blocked every geographical region except my own country, my static IP and my home subnet. Most brute-force attempts came from outside my home country, Romania. With the settings below you will not only reduce the number of notifications about possible attacks on port 22 (SSH login attempts), but bring them down to almost zero. I thought I'd share how I implemented it for others who want to reduce the attack surface of their Synology NAS and make it more secure.
You have to follow the scheme below exactly as it is: allow, allow, allow, deny. The order of insertion must be respected, because DSM checks the rules from top to bottom and applies the first one that matches. I've been running these firewall settings with GeoIP deny rules on my Synology NAS for about a month now and everything seems to be working fine: I have had no unauthorized login attempts in Log Center from any of the countries I denied.
After you finish completing it following all steps in this article, your Firewall profile should look like this:
- Ports: All, Protocol: All, Source IP: your LAN subnet, for example 192.168.0.0/255.255.255.0 (the network address followed by its subnet mask). Action: Allow.
- Ports: All, Protocol: All, Source IP: your static public IP. Action: Allow. (Set this only if your provider gives you a static IP; I strongly recommend having one if you expose a Synology NAS. If your address is dynamic, skip this rule instead of entering today's address, which would stop matching as soon as it changes.)
- Ports: All, Protocol: All, Source IP: your country. Action: Allow. (I set mine to Romania; set your own country. You will then be able to reach your NAS from any IP in that country, for example from school or from your office. Keep in mind that this also admits every other address in that country, including VPN exits and hosting providers located there, so GeoIP filtering reduces noise but is no substitute for strong passwords and 2-step verification on your DSM accounts.)
- Ports: All, Protocol: All, Source IP: All. Action: Deny. (This blocks every IP from all over the world from reaching your Synology NAS, except the addresses matched by the allow rules above. In my case I leave only ports 80 and 443 visible from any country, which is why you can read my blog from anywhere; how to exclude those ports from the deny rule is described further down.)
- Warning: the order of insertion must be respected. Rules are prioritized according to their position in the list and the first matching rule wins, so if the deny rule ends up above the allow rules it will also lock out your own LAN and your own country.
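To make the ordering rule concrete, here is a small Python model of how a first-match firewall evaluates the four rules above. This is an added example, not code from the original post or from Synology; it assumes DSM's "If no rules are matched" profile setting is left at Allow, and the GeoIP table, the static IP 198.51.100.7 and all probe addresses are constructed test values taken from the RFC 5737 documentation ranges.

```python
"""First-match evaluation of the four-rule Synology profile described above.

Added example, not code from the original post or from Synology. The GeoIP
lookup and every address below are constructed test data (RFC 5737 ranges).
"""
import ipaddress
from dataclasses import dataclass

# Constructed GeoIP table standing in for DSM's database: prefix -> ISO country code.
GEOIP = {
    "203.0.113.0/24": "RO",   # pretend Romanian ISP range
    "198.51.100.0/24": "RO",  # pretend Romanian range that holds the static IP
    "192.0.2.0/24": "US",     # pretend foreign range
}


def country_of(ip: str):
    """Return the country code for ip, or None if the table has no entry."""
    addr = ipaddress.ip_address(ip)
    for prefix, code in GEOIP.items():
        if addr in ipaddress.ip_network(prefix):
            return code
    return None


@dataclass(frozen=True)
class Rule:
    action: str                              # "allow" or "deny"
    source: str                              # CIDR / IP+mask, "country:XX", or "any"
    ports: frozenset = frozenset()           # empty = the rule covers all ports
    exclude_ports: frozenset = frozenset()   # ports the rule deliberately does not cover

    def covers_port(self, port: int) -> bool:
        if port in self.exclude_ports:
            return False
        return not self.ports or port in self.ports

    def matches_source(self, ip: str) -> bool:
        if self.source == "any":
            return True
        if self.source.startswith("country:"):
            return country_of(ip) == self.source.split(":", 1)[1]
        # ipaddress accepts both "192.168.0.0/24" and "192.168.0.0/255.255.255.0"
        return ipaddress.ip_address(ip) in ipaddress.ip_network(self.source, strict=False)


def evaluate(rules, ip: str, port: int, default: str = "allow") -> str:
    """Walk the list top to bottom; the first rule matching both port and source wins.
    `default` models DSM's "If no rules are matched" setting (assumed here: Allow)."""
    for rule in rules:
        if rule.covers_port(port) and rule.matches_source(ip):
            return rule.action
    return default


# The profile from the article, in the order it must be inserted.
ARTICLE_RULES = [
    Rule("allow", "192.168.0.0/255.255.255.0"),                 # 1: home LAN
    Rule("allow", "198.51.100.7"),                              # 2: static IP (constructed)
    Rule("allow", "country:RO"),                                # 3: home country
    Rule("deny", "any", exclude_ports=frozenset({80, 443})),    # 4: deny the rest, web stays open
]

# The same four rules with the deny rule inserted first: the ordering mistake the warning is about.
MISORDERED_RULES = [ARTICLE_RULES[3]] + ARTICLE_RULES[:3]


if __name__ == "__main__":
    probes = [("192.168.0.108", 22), ("198.51.100.7", 22), ("203.0.113.45", 5001),
              ("192.0.2.10", 22), ("192.0.2.10", 443), ("10.5.5.5", 22)]
    for ip, port in probes:
        print(f"{ip:>15}:{port:<5} correct order -> {evaluate(ARTICLE_RULES, ip, port):5}"
              f"  deny-first -> {evaluate(MISORDERED_RULES, ip, port)}")
```

Run it and compare the two columns: with the deny rule at the bottom, the LAN, the static IP and Romanian addresses get through, while a US address is denied on port 22 but can still reach 443. With the deny rule moved to the top, even the LAN is locked out, which is exactly why the insertion order in the list matters.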
Go to Control Panel / Security / Firewall and follow the instructions in the image below.
After clicking Apply, go to Edit Rules / Create and follow the instructions in the images below. First select "All interfaces" in the drop-down menu at the top right. Disregard the existing rules in the screenshot; these will be created in the following steps with your own values.
Follow the instructions in the images below to add the first firewall rule: allow your internal/home network.
Follow the instructions in the images below to add the second firewall rule: allow your static IP, if you have one.
Follow the instructions in the images below to add the third firewall rule: allow your country.
Follow the instructions in the image below to add the fourth firewall rule: deny all other countries/locations.
If you use your Synology NAS for web hosting, or you run a service that must be reachable by everyone, follow the instructions in the images below. As mentioned above, if you use your Synology NAS for web hosting, MailPlus Server and so on, then when creating the deny rule choose "Select from a list of built-in applications" instead of all ports and exclude the service that must stay reachable; the deny rule then covers everything except that service. In my case I excluded Virtual Host ports 80 and 443 from the deny rule so that my website is accessible from all over the world. In "Select from a list of built-in applications" you choose which apps/ports/services remain accessible from all countries/locations.
Test that you can reach your Synology NAS from your internal network and from external networks in your country, such as your office, school or a public Wi-Fi hotspot. To validate that the firewall really blocks the denied countries/locations, send traffic from another country through Tor Browser or a VPN service, or ask a friend in another part of the world to try your Synology QuickConnect address; if they cannot connect, the rules are working. These tests will show whether your firewall rules behave as intended. Contact me by leaving a message if you have any problems with the firewall rules.
Note: if you don't have a static IP, skip rule 2 and create only rules 1, 3 and 4 described in this article.
Note: in some screenshots you will see 192.168.0.108 (my personal setting); you should enter your own subnet instead, 192.168.0.0/255.255.255.0 in this example.