Below I will explain how I reduced the number of direct attacks on my Synology NAS by correctly setting the GeoIP Firewall inside the powerful DSM operating system. I blocked all geographical regions except my own, my static ip and my subnet mask. Most brute force attempts came from outside my home country, Romania. With these detailed settings you will not only reduce the number of notifications received for possible attacks on port 22 like SSH login attempts, but also bring them down to almost 0. I thought I’d share how I implemented it for others wanting to reduce the surface area for attacks and make their Synology NAS device more secure.
You will have to follow the scheme below exactly as it is: allow, allow, allow, deny. And the order of insertion must be respected! I’ve been running these firewall settings on my Synology NAS with geo ip deny rules for about a month now and everything seems to be working fine as I’ve had no unauthorized login attempts in my Log Center from all the countries I’ve denied.
After you finish completing it following all steps in this article, your Firewall profile should look like this:
- Ports All – Protocol All – Source Ip: “Your Subnet Mask” 192.168.0.0/255.255.255.0 Action: Allow.
- Ports All – Protocol All – Source Ip: “Your Static ip” Action: Allow (Set your Static IP if you have one from your Provider.) I strictly recommend having a static ip if you use Synology.
- Ports All – Protocol All – Source Ip: “Your Country” Action: Allow (I set my country to Romania, but you have to set your own country. You can access your NAS from any IP in the country you have chosen, for example from an IP from school or from your office.
- Port All – Protocol All – Source Ip All – Action: Deny. (You will block all ip’s from all over the world from accessing your Synology NAS, except for the ones in your chosen country. In my case, I only allow ports 80 and 443 to be visible from any country, so this is why you can read my blog from anywhere.
- Warning: The order of insertion must be respected. Rules are prioritized according to their positions in the list.
Go to Control Panel / Security / Firewall and follow the instructions in the image below.
After Clicking Apply go to “Edit Rules” / Create. Follow the instructions in the images below. First of all Select “All interfaces” in the drop-menu at the top right. Please disregard existing rules in the screenshot below – these will be created in the following steps using your preferences.
STEP 4 (Rule 1)
Follow the instructions in the images below to add first Firewall rule. Create your first firewall rule to allow your internal/home network.
STEP 5 (Rule 2)
Follow the instructions in the images below to add second firewall rule. Create your second firewall rule to allow your Static IP “WAN” from your ISP “Internet Service Provider”, if you have one.
STEP 6 (Rule 3)
Follow the instructions in the images below to add third Firewall rule. Create your third firewall rule to allow your Country.
STEP 7 (Rule 4)
Follow the instructions in the image below to add the fourth rule. Create your fourth firewall rule to deny all countries/locations.
If you’re using your Synology NAS for web hosting or if you have a service which must be accessible to all, follow the instructions in the images below. As mentioned above, if you are using your Synology NAS for web hosting, MailPlus server etc, you have to select from a list of built-in applications and exclude your service. In my case I excluded from Deny list Virtual host port 80 and port 443 to make my website accessibile from all over the world. In the “Select from a list of built-in applications” you can choose which app/port/services can be accessible from all countries/locations.
Test-reach your Synology NAS on your internal network and from external networks in your country like your office, school or a free Wi-Fi area. You can also make sure (validate) if the firewall is working and blocking deny countries/locations by using a Tor browser or a VPN service to send traffic from a different country. Alternatively you can contact a friend from another part of the world by providing him with your synology Quickconnect or DDNS address. If he can’t connect, that means the firewall is working perfectly. These tests will help you see if your firewall rules are working properly. Contact me by leaving a message if you have any problems regarding Firewall Rules.
Note: Firewall rules are executed top to bottom. Meaning that all “Allow” rules must be at the top of the list, with a “Deny“rule at the bottom. When traffic enters the NAS, it will go through the list and if it isn’t explicitly permitted, the “Deny” rule will block the traffic.
Note: If you don’t have a static IP and you have a dynamic IP that changes every time you connect, set only Rule 1 and Rule 3 described in this article. Other countries are automatically disallowed to access your NAS if you allow your own country.
Note: If you set only Rule 1 and Rule 3 because you have a dynamic IP, you can connect to your NAS with VPN if you are planning to visit other countries, or you can allow your destination country on Rule 3 before leaving your own country.
Note: If you don’t allow your own Country on Rule 3 you will receive this message: Your computer has been blocked by the new firewall configuration. The firewall configuration has been reset to the previous state. Please make sure that no rule is blocking your computer and try again.
Note: As you add new packages to your NAS, new “Allow” rules will need to be created. Your NAS will generally inform you that you need to create a new rule when you finish installing/configuring a new package.
This post was updated on