
How To Secure Synology NAS

A Synology NAS is a fantastic tool for organizing your digital files and can also provide a variety of services and apps for you to use both locally on your network and remotely. However, you want to make sure you know how to secure your Synology NAS before you start accessing it remotely, or even just as a best practice for home use.

I will break this into two topics: securing the DSM portal, and enabling and configuring the NAS’s firewall. There are settings in each area that should be enabled for the most secure configuration.

The DSM portal settings include things like login restrictions, auto-blocking, two-factor authentication (2FA), and other settings that relate just to the DSM software or the logon procedure. The built-in firewall will specify what traffic is allowed to pass through to the internal services and apps.

How To Secure your Synology NAS

Configuring DSM Portal Security

To start securing the DSM portal, go to the control panel, and choose the Security menu (note – you may need to click “Advanced Mode” at the top right to view all of the control panel menu options).

The first tab, called Security, contains some general options, most of which should already be checked. Here you can set the logout timer to automatically log you out of the DSM portal and other web applications.

How To Secure Synology NAS General Security

The next main section will cover the built-in firewall, so for now go to the Protection tab and turn on the DoS (denial-of-service) protection option. This is recommended if you have any ports forwarded from your router to the Synology.

Synology DoS Option

Move to the next tab called Account. Here, you can turn on auto block and account protection options.

I recommend just using auto-block because it will block failed login attempts by IP address. You can also choose to allow the block to expire or turn off expiration which results in a permanent block. You can manually edit the block list if needed.
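The auto-block behaviour described above, replayed over a handful of login events as an added example (not code from the original post or from Synology). The threshold of 3 failures within 5 minutes, the one-day expiry and the event records are constructed assumptions.

```python
from datetime import datetime, timedelta

def t(day, hhmm):
    return datetime.strptime(f"2024-01-0{day} {hhmm}", "%Y-%m-%d %H:%M")

# Constructed login events (time, source IP, password correct?); not DSM's log format.
EVENTS = [
    (t(1, "10:00"), "203.0.113.7", False),
    (t(1, "10:00"), "192.168.1.50", False),
    (t(1, "10:01"), "203.0.113.7", False),
    (t(1, "10:02"), "203.0.113.7", False),   # third failure inside the window
    (t(1, "10:03"), "203.0.113.7", True),    # right password, but already blocked
    (t(1, "10:30"), "192.168.1.50", False),  # second typo, outside the window
    (t(2, "10:05"), "203.0.113.7", False),   # comes back a day later
]

def run_auto_block(events, attempts=3, within=timedelta(minutes=5), expire=None):
    """Replay events; return (blocks, rejected). expire=None means a permanent block."""
    failures, blocks, rejected = {}, {}, []
    for ts, ip, ok in events:
        if ip in blocks:
            lifts_at = blocks[ip]
            if lifts_at is None or ts < lifts_at:
                rejected.append((ts, ip))  # refused before the password is checked
                continue
            del blocks[ip]                 # block expired, the IP may try again
        if ok:
            continue
        # Keep only this IP's failures that fall inside the counting window.
        window = [x for x in failures.get(ip, []) if ts - x <= within] + [ts]
        failures[ip] = window
        if len(window) >= attempts:
            blocks[ip] = None if expire is None else ts + expire
            failures[ip] = []
    return blocks, rejected

if __name__ == "__main__":
    print("permanent:", run_auto_block(EVENTS))
    print("expiring :", run_auto_block(EVENTS, expire=timedelta(days=1)))
```

With a permanent block the returning address is still refused on day two; with expiry it gets a fresh set of attempts, which is the trade-off behind the expiration setting.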

Synology Account Auto Block

The last two tabs under the Security menu allow you to manage certificates for your NAS and services and allow you to change SSL browser options. I would recommend choosing at least intermediate or modern options for the SSL Profile Level.

One last section to check is the Advanced menu under the User section of the Control Panel. Here you can force 2-Step verification for all users, or just administrator users. If you’re going to have a login screen available on your NAS, you should definitely enable 2-Step verification.

Secure Synology NAS with 2-step verification

Configuring DSM Firewall

By default (at least for me) the built-in DSM firewall is disabled after setting up the NAS for the first time. However, if you are going to have any services on your NAS available over the internet, you absolutely should have the built-in firewall turned on and configured properly, to secure your Synology NAS.

Under the Control Panel’s Security menu, go to the firewall tab. On this tab you can turn on and off the entire firewall and/or notifications. You are also able to switch between firewall profiles if you want to have more than one. Simply click the drop-down arrow to create or manage them.

Firewall tab in Synology

Clicking the Edit Rules button brings up the window to edit and create individual firewall rules. Take note of the menu at the top right. You can select individual interfaces to manage firewall rules for just that interface. There may be instances where you need this advanced capability but for most purposes, I would simply use the “All Interfaces” option and delete any rules from the other interfaces in the list. This way, you can manage them all in one view.

Firewall Rules interfaces

In the screenshot below are some rules that I have set up. I don’t need to have a ton of rules to explicitly block traffic, I only need to make rules to allow certain traffic. If traffic does not match one of these rules, it is dropped anyway.

Secure Synology NAS with Firewall Rules

The first three rules are specific to my local network. I’ve allowed access to the NAS across two local subnets and even though it’s probably redundant, I’ve also specifically allowed the “Encrypted terminal service” port group (more on that in a moment) so that I can SSH into my NAS, but only from within my network. Obviously SSH is closed to outside traffic.

The other two rules at the bottom allow traffic from my country only, and only for HTTP/S and a specific port for another application.
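A small model of the allow-list described above, as an added example (not code from the original post or from Synology): rules are checked top-down, the first match decides, and the `default` argument stands in for what happens to traffic that matches nothing. The subnets, port 8096 and the country table are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample values: the subnets, port 8096 and the country table
# are illustrative and do not come from the article.
LOCAL_NETS = ("192.168.1.0/24", "192.168.20.0/24")
GEO = {"203.0.113.0/24": "US", "198.51.100.0/24": "FR"}  # stand-in location lookup

@dataclass
class Rule:
    ports: Optional[frozenset] = None  # None = all ports
    nets: tuple = ()                   # source subnets the rule applies to
    country: Optional[str] = None      # source country the rule applies to
    action: str = "allow"

def country_of(ip):
    return next((cc for net, cc in GEO.items()
                 if ip in ipaddress.ip_network(net)), None)

def matches(rule, ip, port):
    if rule.ports is not None and port not in rule.ports:
        return False
    if rule.nets:
        return any(ip in ipaddress.ip_network(n) for n in rule.nets)
    if rule.country:
        return country_of(ip) == rule.country
    return True  # no source restriction

def evaluate(rules, src, port, default):
    """First matching rule decides; `default` applies when none match."""
    ip = ipaddress.ip_address(src)
    return next((r.action for r in rules if matches(r, ip, port)), default)

def reachable(rules, src, ports, default):
    """Ports on the NAS that a given source address can reach."""
    return [p for p in ports if evaluate(rules, src, p, default) == "allow"]

# The five rules from the walkthrough, in order.
RULES = [
    Rule(nets=(LOCAL_NETS[0],)),
    Rule(nets=(LOCAL_NETS[1],)),
    Rule(ports=frozenset({22}), nets=LOCAL_NETS),    # SSH, local only
    Rule(ports=frozenset({80, 443}), country="US"),  # HTTP/S, one country
    Rule(ports=frozenset({8096}), country="US"),     # one other application
]
PROBE = [22, 80, 443, 5000, 5001, 8096]
```

For the in-country address, `reachable(RULES, "203.0.113.7", PROBE, "deny")` returns only the three published ports, while the same call with `"allow"` returns every probed port, so the no-match action is the setting to verify after applying the rules.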

The great thing about the Synology Firewall is that if you need to allow traffic to a new service on the NAS, you can create a rule and choose ports based on a list of built-in applications. This automatically applies the ports for those built-in apps, to your new rule.

Secure Synology NAS built-in applications

Then you just need to specify the source IP either by location or a specific IP address, subnet or IP range.

Of course, if you want to manually specify a port instead of picking an app from the list, you can do that as well. However, keep in mind that the main goal is to make as few firewall exceptions as possible.

So if your NAS only needs to host the Moments app, only make a rule allowing traffic to that app’s port, alongside the rules for your internal network, and then you’re good to go.

Side note: this doesn’t mean you need to put all of your ports and apps into one rule. You should definitely separate out your rules for ease of management.

Once you have the firewall rules set, click OK to return to the Control Panel firewall tab, and don’t forget to click Apply to save all your changes. I hope you found this guide on how to secure your Synology NAS helpful!

Physical Reset Button

One last thing to note: if you somehow manage to lock yourself out of your NAS with a firewall rule, there is a way for you to get back in. Find the physical reset button on the back of the NAS and use a paperclip or something small to push the reset button.

You’ll need to hold it for about 5 seconds, until you hear a beep, then let go immediately! This will disable the built-in firewall and reset your network settings and admin account password. However, doing this 5-second button press twice in a row will reset the DSM software completely. Your data should remain intact, but the DSM environment will be reinstalled.

Alex Dunn

This is a great guide. I followed it to compare your settings with what I had already done. I have one area of uncertainty which is the firewall.

I have services set up for External Access (and they work perfectly). The firewall is activated with the default profile, but does this apply any rules? I see nothing in the list of rules for the default profile. I would expect the default behaviour to be block all, so why can I reach services externally?

Cliff Etzel

As a full time working photographer, I just purchased a DS920+ with 4-4TB WD Enterprise drives to use as my photo archive as well as allow clients to access shoots I do for them. Although I have worked on PC’s since the mid 90’s (Windows and a smattering of Linux) and recently moved to all M1 Macs, I’m still really confused on how to properly set up my NAS to afford as secure an environment while exposed to the net, yet not hinder my ability to access it (or my select clients). Since I’m on Comcast/Xfinity, I’m not sure…