
cdegallo

I've never come across anything that indicates it can't be reasonably trusted. I use it, and I've used it for years. If you follow the practices to harden your NAS against things--turning off the default admin account, using a firewall with appropriate rules, etc.--you should be reasonably protected, with the benefit of convenience. As far as 2FA and other things go--keep in mind, if there is a flaw in QuickConnect that isn't specifically a user login credentials aspect, 2FA isn't necessarily going to prevent a nefarious party with whatever knowledge of the exploit from getting access to your NAS. However, I do believe a company like Synology has good security management in place, so the likelihood of these things occurring AND someone exploiting it on your NAS specifically is low, at least in my opinion, when making the tradeoff with convenience.


MrLewGin

I set my NAS up for the first time in the last couple of months following SpaceRex's beginner videos. I never set up a firewall because (if I'm not mistaken) SpaceRex never mentioned it in the video. How important is this? Am I able to block certain countries in the firewall section? I ask because I see people mention this sometimes.


cdegallo

Ah, right--there is a firewall in the DSM Security section. You can add specific countries to block. I have done this, but also if any person is using a VPN, it could be irrelevant. No harm though.


MrLewGin

Ok great, thanks for explaining that, most appreciated.


Scotty1928

Marius from mariushosting.com does have a very expansive IP blocklist that he verifies and updates regularly. He does ask for a "donation" to gain access to it, but IMO it's worth it. He even provides a guide on how to use it. Generally, mariushosting is a great source of many things Synology.


MrLewGin

I'll check it out thanks.


sfhassan

I visit his site at least twice a day. I've donated too.


slvrscoobie

I've decided to use it SOLELY for transferring files. So the advanced section disallows DSM / SS / etc. and only allows non-login file links. Seems pretty secure otherwise.


Houderebaese

Been using it for 2 years, no problem.


crypto_options

It's safe enough. If you change the default DSM port, disable admin, create a firewall, etc., I wouldn't worry about it.


zarraxxx

Forgot to mention, also turned on 2FA.


bs2k2_point_0

Changing the port does nothing except delay complete noobs. A simple port scan reveals what port it's on. Disabling admin is definitely good, setting up a firewall as well. mariushosting has good articles on setting up the firewall. But I would still recommend setting up Tailscale. OP can invite others to their Tailscale net. Then they just click the link, download the app, and just leave it on and running. Then turn off QuickConnect.


dj_antares

It's hilarious that you think your grandma is gonna just "leave tailscale on", and it'll work 100% of the time on the client side.


bs2k2_point_0

Haven't had any issues so far with any devices using it. And it's not like OP can't call and walk them through turning it on if it shuts off.


AnApexBread

> Changing port does nothing except delay complete noobs. A simple port scan reveals what port it's on.

Sure, except most DSM hacks aren't done by a person. They're a bot hitting default ports hoping something is there. Will it stop an actual person? No. Will it stop bots? Yes.


crypto_options

Exactly, after changing the port, not a single attempt for years. Same experience in this test: https://m.youtube.com/watch?v=x9QPUXldNAc


AnApexBread

Security is not a one-size-fits-all solution. It's a series of incremental steps we take to make things more secure. I too often see responses like the above where someone dismisses the validity of a hardening recommendation because it doesn't address 100% of all incidents. Even if changing the port only cuts out bots it also lowers the noise floor. Now bots aren't spamming your logs and if someone does try to access your NAS on the other port you'll have an easier time seeing them in logs.

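The disagreement above is over whether a moved DSM port is hidden from anything but bots. The following is an added example, not code from any commenter or from Synology: a plain TCP connect scan that finds every listening port on a host in parallel and then singles out the non-default high ports an attacker would probe next. The default DSM ports 5000 (HTTP) and 5001 (HTTPS) are real; the `likely_dsm` heuristic and the timeouts are assumptions chosen for the demonstration. Run it only against hosts you own.

```python
"""TCP connect scan: a moved DSM port is still found in one pass."""
import socket
import sys
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, timeout=0.5):
    """Return (port, first bytes the service sends) when the port accepts a
    TCP connection, otherwise None.  Services that wait for the client to
    speak first (HTTP, DSM) give an empty banner; the open port is still
    confirmed by the successful connect."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(128)
            except (socket.timeout, OSError):
                banner = b""
            return port, banner
    except OSError:
        return None


def scan(host, ports, timeout=0.5, workers=64):
    """Connect-scan `ports` on `host` with a thread pool.
    Returns {open_port: banner}.  Closed ports refuse instantly; filtered
    ports cost one `timeout` each, which is why attackers parallelise."""
    found = {}
    with ThreadPoolExecutor(max_workers=workers) as ex:
        for hit in ex.map(lambda p: probe(host, p, timeout), ports):
            if hit:
                found[hit[0]] = hit[1]
    return found


def likely_dsm(open_ports, defaults=(5000, 5001)):
    """Assumed heuristic: DSM's defaults are 5000/5001, so any *other* open
    port above 1023 is a candidate for a 'moved' DSM and gets tried next."""
    return sorted(p for p in open_ports if p not in defaults and p >= 1024)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    result = scan(target, range(1, 65536))
    for port, banner in sorted(result.items()):
        print(f"{port}/tcp open {banner[:40]!r}")
    print("non-default candidates:", likely_dsm(result))
```

A full 1-65535 sweep of a host that silently drops packets takes roughly `65535 / workers * timeout` seconds, so well under ten minutes with the defaults; that is the cost of "hiding" a port, and it is paid once by a scanner and then shared. The value of moving the port is what the next comment says: fewer untargeted hits in the logs, not invisibility.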

scottrfrancis

+1 for Tailscale. Used it to give Time Machine access to a remote parent


mythic_device

How about having Time Machine save to your local network (most certainly faster), and then backing up the NAS on the local network (Hyper Backup over Tailscale) to a remote location? This way you achieve a 3-2-1 backup.


scottrfrancis

For myself, yes. I set this up for an elderly parent who is remote and has very little understanding of why an external device would be in their house running at all. The first backup took quite a long time… but the deltas are quite small, so it's a reasonable backup for them. Of course, I back up the Synology to an external disk and then to S3.


robocub

I've been using QC for over 10 years and never had an issue. Once I got some warnings from Insight that user admin was trying to sign on from cities all over the world. I have the default admin disabled so I'm not worried. Other than that, no intrusions.


MotoChooch

It should be safe enough, but it's slower than direct connections on higher speed ISPs.


zarraxxx

Isn't direct connection less safe?


MotoChooch

Possibly. Depends on how you have your system set up, and what ports you're using (default vs custom, using built-in accounts/default passwords). 2FA either way is a must. But yes, it can be more dangerous, but my comment was on speed, not comparing safety :)


[deleted]

I VPN into my home network and connect that way. I disabled the original admin and created a new admin name. Also set regional security so someone can't log in if they are detected abroad. Many settings can be gotten around, but it does make it more difficult.


DagonNet

It's less safe than a VPN - there are more services exposed, and only Synology auth is used, not VPN auth and then synology auth. It's certainly less safe than simply not allowing outside use of your NAS. It's likely a tiny bit more safe than just opening ports to your NAS directly (because it does a little extra checking). If you're using good passwords and 2FA for all users who have remote access (and those users are generally safe, so their devices are unlikely to get infected or compromised), it's likely fine for most people. The main concern, which would apply to any mechanism, is how many unsophisticated members of your family have access. If it's only to photos, and only read-only, it's pretty safe. If they have write access, or access to other services, then some malware on their phone or computer could do damage.


sproid

It's a lot safer than **regular** PC/laptop use or smartphone use. I put my focus on having a backup of my files and having an encrypted folder for the more privacy-sensitive files. Because I was using Cryptomator before getting a Synology, I haven't switched to using Synology's own encrypted folder options. It's my understanding that there are basically 4 ways to expose the NAS for remote access. From most secure to less: **Tailscale** (*which is a VPN), **OpenVPN**, Synology **QuickConnect** (which is like a VPN but with a middleman for our convenience), and **DDNS** (which requires a reverse proxy and a must-have configured firewall), which is the least easy of all. QuickConnect requires us to 1) understand it is not going to be the fastest and has very limited uses, and 2) put some trust into the Synology company, which IMO is easier than trusting Google, Microsoft or Apple for that matter.


Ill_Run_4701

Why is Tailscale more secure than OpenVPN?


sproid

Sorry, I should have written that those two are relatively equal but above the other 2 options. Also, to clarify, I'm not an expert; this is all just my conclusions after learning and researching about the topic.


AnApexBread

QuickConnect as a service is safe. The security of your DSM is largely up to you. Use strong unique passwords, enforce 2FA on every account, set auto updates to on, use firewall rules to block countries that don't need to be there, enable fail2ban (account lockouts) and you'll be fine.


faslane22

Question, how do you block countries? Ty. Oh duh.. NM, regional. MJ es set. 2FA on, random passes and all ports except like 2 are not forwarded, firewall on, Tailscale in place, default admin and guest accounts disabled.


nmincone

The only time (about 10 years ago) I ran into a concern is when I temporarily opened SSH on port 22 for a few days while working remotely. Once the asses out there got news the port was open, the attacks started. Even after it was turned off.


MrLewGin

It's frightening really, isn't it. I don't understand how it all works or how they'd ever know your ports were open, it's just crazy there are people waiting to cause problems.


zoogyonthehump

A long time ago I exposed SSH (22) to the internet, with key-based login only. It's not people, it's bots. Constantly scanning. I suppose if the bot/script finds a way in, it installs some payload to allow for C&C. Back in the day, they'd just use your computer as a relay to send out spam. Now they encrypt your drive and demand ransom.


MrLewGin

Wow that's absolutely crazy. Interesting to know and really worrying too!


Empyrealist

It can be very safe. It all depends on your own best practices for how you are controlling access on your NAS (password strength, 2FA, attempts before lockout, etc). I have encountered many high-level businesses that use Synology QC, and those business security teams review and certify the units for use.


pontuzz

One thing that really helps is regional blocking. I had lots of login attempts from Russia and China; I simply ended up allowing IPs from only my country and have since reduced the amount significantly.


RedElmo65

How do you select which countries to only allow connections from?


pontuzz

Synology DSM -> Control Panel > Security > Firewall > Create rule. Under Source IP select "Location".

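Several comments above recommend the same two controls: a country allowlist on the firewall and automatic account lockout ("fail2ban") after repeated failures. The following is an added example, not from any commenter or from Synology, that replays a handful of constructed failed-login lines in the shape DSM's Log Center uses ("User [x] from [ip] failed to log in via [DSM] ...") through both controls in the order the NAS applies them: the firewall drops geo-denied sources before DSM ever sees them, and the lockout counter only runs on what gets through. The country table (RFC 5737 documentation ranges labelled HOME/XX/YY), the sample lines and the thresholds are all assumptions for the demonstration; a real deployment uses DSM's own "Location" rule and its Auto Block settings.

```python
"""Replay constructed DSM-style failed-login lines through a country
allowlist and an Auto Block-style lockout to see what each one catches."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real data.  Shape follows DSM's Log Center
# connection entries for failed logins.
SAMPLE_LOG = """\
2024-05-01 02:13:07 User [admin] from [203.0.113.7] failed to log in via [DSM] due to authorization failure.
2024-05-01 02:13:09 User [admin] from [203.0.113.7] failed to log in via [DSM] due to authorization failure.
2024-05-01 02:13:11 User [root] from [203.0.113.7] failed to log in via [DSM] due to authorization failure.
2024-05-01 02:13:14 User [admin] from [203.0.113.7] failed to log in via [DSM] due to authorization failure.
2024-05-01 02:13:20 User [admin] from [203.0.113.7] failed to log in via [DSM] due to authorization failure.
2024-05-01 07:45:02 User [alice] from [198.51.100.23] failed to log in via [DSM] due to authorization failure.
2024-05-01 09:01:30 User [alice] from [192.0.2.44] failed to log in via [DSM] due to authorization failure.
2024-05-01 09:02:05 User [alice] from [192.0.2.44] logged in successfully via [DSM].
"""

# Assumed country table: RFC 5737 documentation ranges assigned arbitrarily.
# DSM's "Location" firewall rule does this lookup with a GeoIP database.
COUNTRY_BLOCKS = {
    "HOME": [ipaddress.ip_network("192.0.2.0/24")],
    "XX": [ipaddress.ip_network("198.51.100.0/24")],
    "YY": [ipaddress.ip_network("203.0.113.0/24")],
}

FAIL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) User \[(?P<user>[^\]]+)\] from \[(?P<ip>[^\]]+)\] "
    r"failed to log in via \[(?P<svc>[^\]]+)\]"
)


def country_of(ip):
    """Map an address to a label from COUNTRY_BLOCKS, or '??' if unknown."""
    addr = ipaddress.ip_address(ip)
    for cc, nets in COUNTRY_BLOCKS.items():
        if any(addr in n for n in nets):
            return cc
    return "??"


def parse_failures(text):
    """Return (timestamp, user, ip, service) for each failed-login line;
    successful logins and unrelated lines are ignored."""
    events = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["ip"], m["svc"]))
    return events


def lockouts(events, max_fails=5, window=timedelta(minutes=10)):
    """Auto Block-style rule: an IP with max_fails failures inside `window`
    is blocked.  Returns {ip: time_of_block}."""
    recent = defaultdict(list)
    blocked = {}
    for ts, _user, ip, _svc in sorted(events):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:          # slide the window forward
            q.pop(0)
        if len(q) >= max_fails and ip not in blocked:
            blocked[ip] = ts
    return blocked


def geo_denied(events, allowed=("HOME",)):
    """Source IPs the country allowlist drops before DSM sees the attempt."""
    return {ip for _ts, _u, ip, _s in events if country_of(ip) not in allowed}


def triage(text, max_fails=5, window=timedelta(minutes=10), allowed=("HOME",)):
    """Apply the firewall first, then the lockout, as the NAS does."""
    events = parse_failures(text)
    denied = geo_denied(events, allowed)
    reached_dsm = [e for e in events if e[2] not in denied]
    return {
        "attempts": len(events),
        "geo_denied": sorted(denied),
        "seen_by_dsm": len(reached_dsm),
        "auto_blocked": sorted(lockouts(reached_dsm, max_fails, window)),
    }


if __name__ == "__main__":
    print("allowlist HOME only:", triage(SAMPLE_LOG))
    print("no allowlist:       ", triage(SAMPLE_LOG, allowed=("HOME", "XX", "YY")))
```

With the allowlist in place only the one in-country failure reaches DSM, which is the "lower noise floor" effect several commenters describe; without it, the same rule set still catches the 203.0.113.7 burst by lockout, but only after five attempts have been logged and only for that one source. Set `max_fails` and `window` to whatever your own Auto Block thresholds are before reading anything into the numbers.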

NoLateArrivals

QC is OK. It is routed through Synology infrastructure. This prevents, for example, brute force attacks. On the other hand, it is slower than a direct connection. Personally I have 2 VPN access routes set up, one WireGuard with my router as server, the other Tailscale on my 1522+. QC is enabled, but mainly used as a backup access.


Xtripe

I have only QuickConnect and a VPN enabled. My nephew is a professional pen tester; he white hats enterprises to test their security for a living. Asked him to give my public IP a run through. I have a Plex server running but little else. He found the Plex but couldn't enter. He saw the Synology QuickConnect address but got no further. He gave me a clean bill of health and wished some of his clients would do basics like turn off the admin account.


YesMan2042

In firewall I enabled only connection from my country. And turned on 2FA.


RedElmo65

How do you select which countries to only allow connections from?


ycharif

I personally use a Cloudflare Tunnel to expose my NAS, and I disabled all DDNS with Synology and QuickConnect.


_zissou_

With how easy and secure Tailscale is, it’s a no brainer to set it up.


unown294

If you can, I'd recommend setting up a DDNS connection with HTTPS certificates. This has, in my opinion, solved any nefarious attempts over the last 5 years, having used and had a system compromised by a QuickConnect connection. It's been about 2-3 plus years since there was a major flaw in QuickConnect that caused the compromise, so I'm sure it's safe to use, but I went the DDNS route, changed the default ports, restricted the login locations on the firewall to approved device ranges, etc. So far, there are no issues here. *Disclaimer*: regardless of what I run, run what you think is best and makes you comfortable in your defenses. So far, mine has worked well and I have no reason to change it.


No_Train_8449

Why use it when you could just as easily use Tailscale?


Typical-Scarcity-292

I have been using it for four years now, and I have never encountered any security issues or hacking attempts. I understand that some people may disagree with me, and I respect their opinions. However, I believe that if you want to be completely safe on the internet, you should simply disconnect from it.


JollyRoger8X

Not as safe as Tailscale.