Frequently Asked Question

Remote Access to DSM 2FA
Last Updated 22 hours ago

Remote Access to DSM 2FA – Why It’s Vital, Vulnerabilities, and Secure Alternatives

Remote access to your Synology DiskStation Manager (DSM) is essential for managing your NAS from outside your local network. However, securing this access is critical. Two-factor authentication (2FA) and robust network configuration are key to protecting your data from remote attacks.


Why 2FA is Vital on Synology DSM

Two-factor authentication adds an extra layer of security beyond your password. Even if an attacker obtains your login credentials, they cannot access your NAS without the second factor (such as a time-based one-time password from an authenticator app or a hardware token).

Key reasons to enable 2FA:

  • Prevents brute-force attacks: Passwords alone are vulnerable to automated guessing attempts.
  • Mitigates credential stuffing: If your password is reused elsewhere, 2FA stops attackers from using stolen credentials.
  • Compliance and audit readiness: Many organisations require multi-factor authentication for secure access.
  • Protects sensitive data: Your NAS may store backups, files, and business-critical information.

How to enable 2FA on DSM:

  1. Log in to your Synology DSM.
  2. Go to Control Panel > Security > Two-step verification.
  3. Choose your preferred method:
     • Authenticator app (e.g., Google Authenticator, Microsoft Authenticator)
     • SMS (less secure due to SIM swapping risks)
     • Hardware token (e.g., YubiKey)
  4. Follow the setup wizard to link your device.
  5. Save the recovery codes in a secure place (e.g., encrypted password manager).

⚠️ Note: Avoid using SMS-based 2FA if possible. It’s less secure than app-based or hardware tokens.

Critical Vulnerabilities in Synology DSM That Enabled Remote Compromise

Synology devices have been targeted in the past due to known vulnerabilities. While Synology regularly releases security patches, unpatched systems remain at risk.

Notable vulnerabilities include:

  • CVE-2021-28430 (RCE in Synology DSM): A remote code execution flaw in the DSM web interface allowed attackers to execute arbitrary code on the NAS. This was exploited via unauthenticated access in some cases.
  • CVE-2020-11084 (Authentication Bypass): A flaw in the DSM login system allowed attackers to bypass authentication under certain conditions.
  • Unpatched DSM versions: Older DSM versions (e.g., DSM 6.2 and earlier) are no longer supported and are vulnerable to known exploits.

Why these matter:

  • Attackers can exploit unpatched systems to:
     • Gain full control of the NAS.
     • Encrypt data for ransomware.
     • Use the NAS as a pivot point to attack other devices on the network.
     • Steal backups or sensitive files.

Best Practice: Always keep your DSM updated. Enable auto-update in Control Panel > System > Update & Restore.

Why QuickConnect Does Not Provide Adequate Protection

QuickConnect is a Synology service that allows remote access without configuring port forwarding or a public IP. While convenient, it has significant security limitations.

Why QuickConnect is not secure:

  • Centralised service: Your connection goes through Synology’s servers, which are a potential target for attackers.
  • No control over access: You cannot enforce granular access controls or firewall rules.
  • Limited logging: You have minimal visibility into who accesses your NAS.
  • Dependent on Synology’s security: If Synology’s infrastructure is compromised, your NAS could be at risk.
Do not rely on QuickConnect for sensitive data. It is suitable only for low-risk, non-critical access.

Secure Alternatives: Use a Proper rDNS Service with Port Mapping and Firewall Rules

To securely access your NAS remotely, use a combination of a reverse DNS (rDNS) service, port forwarding, and firewall rules on your router.

Recommended Solution: Use GENDNS (or a similar dynamic DNS service)

GENDNS is a reliable, free dynamic DNS service that allows you to assign a consistent hostname to your NAS, even if your public IP changes.

To set up GENDNS with your Synology NAS, register with GEN and follow the instructions on the www.gendns.uk website. Then:

  1. Set up port forwarding on your router:
     • Log in to your router’s admin panel.
     • Forward port 5001 (HTTPS) to your NAS’s local IP address.
  2. Configure firewall rules:
     • Restrict access to your NAS to specific IP addresses (e.g., your home or office IP).
     • Enable IP blocking for failed login attempts.
  3. Use a VPN (recommended):
     • Set up a zero trust VPN service to access your NAS, such as GEN’s GENAccess service, which provides a managed and tightly scoped VPN service.
     • This avoids exposing your NAS directly to the internet.

Best Practice: Use a Zero Trust VPN, or combine rDNS (GENDNS) with firewall rules and 2FA.

Next Steps

  • If you haven’t already, enable 2FA on your Synology NAS.
  • Check your DSM version and update if necessary.
  • Test your remote access using a secure method (e.g., via a VPN).
  • Monitor login attempts in Control Panel > Security > Log.
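
The two checks recommended above (blocking IPs after repeated failed logins, and monitoring login attempts) can also be run over an exported login log. The script below is an added example, not part of the original FAQ and not Synology's code; the CSV column names, the allowlist range, and the threshold of 5 failures in 5 minutes are assumptions, and the sample rows are constructed.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in an assumed CSV layout (time, user, ip, event);
# adjust the column names to match your own exported log.
SAMPLE_LOG = """time,user,ip,event
2024-05-01 09:00:05,admin,203.0.113.50,failed
2024-05-01 09:00:20,admin,203.0.113.50,failed
2024-05-01 09:00:41,root,203.0.113.50,failed
2024-05-01 09:01:02,admin,203.0.113.50,failed
2024-05-01 09:01:30,admin,203.0.113.50,failed
2024-05-01 10:15:00,alice,198.51.100.7,success
2024-05-01 11:30:00,alice,192.0.2.99,success
2024-05-01 12:00:00,bob,198.51.100.7,failed
"""

# Assumed allowlist: the home/office range permitted by the firewall rule.
ALLOWED = [ipaddress.ip_network("198.51.100.0/29")]


def review_log(text, allowed=ALLOWED, max_failures=5, window=timedelta(minutes=5)):
    """Return (ips_to_block, successful_logins_from_outside_the_allowlist)."""
    failures = defaultdict(list)  # ip -> timestamps of recent failed logins
    to_block, unexpected = set(), []
    for row in csv.DictReader(io.StringIO(text)):
        ip = ipaddress.ip_address(row["ip"])
        when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        if row["event"] == "failed":
            # Keep only failures inside the sliding window ending at this event.
            recent = [t for t in failures[ip] if when - t <= window] + [when]
            failures[ip] = recent
            if len(recent) >= max_failures:
                to_block.add(str(ip))
        elif row["event"] == "success" and not any(ip in net for net in allowed):
            # A successful login from outside the allowlist means the
            # firewall restriction is missing or not being applied.
            unexpected.append((row["time"], row["user"], str(ip)))
    return sorted(to_block), unexpected


if __name__ == "__main__":
    blocked, unexpected = review_log(SAMPLE_LOG)
    print("Block candidates:", blocked)
    print("Logins from outside the allowlist:", unexpected)
```
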

For further assistance, contact our support team via the HelpDesk.

