…without snark or jumping down my throat. I genuinely want to know why it’s so unsafe.

I’m running a Synology DS920+, with my DSM login exposed through a Cloudflare tunnel. I have 2FA enabled, Synology firewall enabled with these rules in place. I also have this IP blocklist enabled.

After all of this, how would someone be able to break in via the DSM login?

  • kwarner04B · 2 upvotes · 11 months ago

    Here’s the way I think of it. Imagine you live in a house at the end of a long street. Your front door is the login page to your Synology. All the measures you’ve put in place (Cloudflare, IP blocklists, firewall) are the equivalent of putting up a guard booth/gate at the end of your driveway that only allows cars with a license plate of a specific state.

    You haven’t made yourself significantly more secure, just lined the traffic up in a more organized fashion. You are still trusting the people that made your door lock to not be vulnerable.

    Yes, it’s easier to access vs having a big metal gate that only you have the code to open (VPN) in front of your house. But why open yourself up to a single point of failure?

    Here’s just one recent example of an attacker being able to bypass the authentication on a Synology. All the things you have implemented wouldn’t prevent a single person on the internet from using this exploit. https://www.zerodayinitiative.com/advisories/ZDI-23-660/

  • RevoliosB · 1 upvote · 11 months ago

    Like all others here have said, it’s an unnecessary risk. You can set up a VPN to your home network with DDNS on your router (if you have a public IP) and that will be much better.

    • sysblobB · 1 upvote · 11 months ago

      Cloudflare is just as secure and way more convenient. Possibly even more secure, since that VPN is opening a port into your home whereas Cloudflare is not.

  • AnApexBreadB · 1 upvote · 11 months ago

    It’s basically the same as any other time people expose something to the internet.

    Most don’t know what they’re doing or how to do it safely so they put a vulnerable device out in a vulnerable state.

    The only reason a NAS is worse is because it’s more common for a home user to have a NAS than it is to do something like host a WordPress, and a NAS has more personal stuff than a WordPress does (usually).

  • FredrickandNevalB · 1 upvote · 11 months ago

    From experience, most NAS drives and CCTV boxes are built cheap and dirty. They are often slow and the proud product of a shite company/software developer.

    Bad actors are running scripts on their servers, automatically looking for known exploits in pages, ports and software. They are actively scanning thousands of WAN-facing devices a minute.

    Web pages are often written with poor practices. There is little to no care for security but just enough to satisfy the end user.

    JavaScript-protected pages (may as well just write the password on the page).

    Usernames and passwords embedded into source code. Session variables stored in cookies in plain text. Vulnerable to session hijacking, man in the middle attacks, and more.

    One device we pen tested a few years back allowed access to the settings page without logging in. This is due to a header redirect being incorrectly used. The page served the form and tried to redirect the browser. We just stopped the redirect. Changed the password and logged in normally. Potato Security at its best.

    These devices often do not have any rate limiting or firewall, which means brute forcing is nothing but a pure playground for a nice database of known usernames and passwords. GPUs are fantastic for brute forcing. The more you have, the faster you can test username and password combinations.

    If you must share file access, set up a VPN. Tunnel into your network securely and then access your NAS.

    Assume everyone is gonna get you.
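The "redirect without exit" bug described in the post above, as an added example that is not code from the original post or from any NAS vendor: a hypothetical settings page written as a minimal WSGI app (with an in-memory `STATE` dict standing in for the device) that sets a 302 `Location` header but keeps executing, beside the fixed version that returns as soon as the redirect is issued, and a client that ignores the redirect the way an intercepting proxy or `curl` without `-L` would. Names, paths and the cookie scheme are assumptions made for the example.

```python
import io
from urllib.parse import parse_qs
from wsgiref.util import setup_testing_defaults

# Constructed in-memory "device" state for the example; not a real NAS.
STATE = {}


def reset_state():
    STATE.clear()
    STATE["admin_password"] = "changeme"
    STATE["sessions"] = {"good-cookie": "admin"}  # cookie value -> user


reset_state()

SETTINGS_FORM = (b"<form method='POST' action='/settings'>"
                 b"<input name='password'><button>Save</button></form>")


def current_user(environ):
    """Return the logged-in user named by the sid cookie, or None."""
    for part in environ.get("HTTP_COOKIE", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid":
            return STATE["sessions"].get(value)
    return None


def read_form(environ):
    length = int(environ.get("CONTENT_LENGTH") or 0)
    return parse_qs(environ["wsgi.input"].read(length).decode())


def vulnerable_app(environ, start_response):
    """Settings page with the redirect-without-exit bug."""
    status, headers = "200 OK", [("Content-Type", "text/html")]
    if current_user(environ) is None:
        status = "302 Found"
        headers.append(("Location", "/login"))
        # BUG: no early return. Everything below still runs for an
        # unauthenticated request; only the status line has changed.
    if environ["REQUEST_METHOD"] == "POST":
        STATE["admin_password"] = read_form(environ)["password"][0]
    start_response(status, headers)
    return [SETTINGS_FORM]  # the 302 response body still carries the form


def fixed_app(environ, start_response):
    """Same page, but issuing the redirect ends request handling."""
    if current_user(environ) is None:
        start_response("302 Found", [("Location", "/login")])
        return [b""]  # stop here; no privileged code below runs
    if environ["REQUEST_METHOD"] == "POST":
        STATE["admin_password"] = read_form(environ)["password"][0]
    start_response("200 OK", [("Content-Type", "text/html")])
    return [SETTINGS_FORM]


def request(app, method="GET", path="/settings", cookie="", body=b""):
    """Call a WSGI app in-process and return (status, headers, body).
    Like an attacker with redirects disabled, it never follows Location."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update(REQUEST_METHOD=method, PATH_INFO=path,
                   CONTENT_LENGTH=str(len(body)))
    environ["wsgi.input"] = io.BytesIO(body)
    if cookie:
        environ["HTTP_COOKIE"] = cookie
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    out = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], out


def takeover(app):
    """Unauthenticated GET then POST, ignoring the redirect both times.
    Returns True if the admin password was changed without a session."""
    reset_state()
    _, _, body = request(app)  # does the 302 still deliver the form?
    if b"name='password'" not in body:
        return False
    request(app, "POST", body=b"password=pwned")
    return STATE["admin_password"] == "pwned"


if __name__ == "__main__":
    print("vulnerable app taken over:", takeover(vulnerable_app))  # True
    print("fixed app taken over:     ", takeover(fixed_app))       # False
```

The fix is not the status code (both apps send a 302) but the control flow: authentication must be a guard that returns, not a branch that only decorates the response. A quick check for this class of bug on any device is to fetch a protected URL unauthenticated with redirects disabled and look at the body of the 3xx response.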

  • domanpandaB · 1 upvote · 11 months ago

    Even if your login page is not easy to break, it will be indexed by robots or hackers in their list. And they will test on it every vulnerability that will be published for any DSM component. Using VPNs like ZeroTier or Tailscale is definitely MUCH more secure than all of those tweaks and easier to set up too.

    But of course it’s YOUR data so … good luck :)

  • sysblobB · 1 upvote · 11 months ago

    Cyber Security seems to bring out weird bravado where people pretend like they know more than they do. This thread is literally dozens and dozens of people spouting nonsense.

    The bottom line is, if you’re running a Cloudflare tunnel with authentication on the tunnel itself to a trusted auth provider and then enable 2FA on that auth provider, you have a zero-trust model that is about as secure as most modern companies. All of the people saying BUT WHAT ABOUT ZERO DAY are beyond dumb. Enable auto-updates on everything you can, script the rest. The chances of there being a zero-day vulnerability in Cloudflare and then a bot being able to hit your Synology page, which then has its own security they need to get past: it’s not likely at all. Monitor your Synology login attempts just in case; it’s all built in.

    • OneBreakfastPleaseOPB · 1 upvote · 11 months ago

      Cyber Security seems to bring out weird bravado where people pretend like they know more than they do. This thread is literally dozens and dozens of people spouting nonsense.

      I know, right? I’m not going to lie, it’s very amusing reading some of these replies…

      I was literally just posting this in hopes of learning a thing or two, as I’ve always loved tech and this is a hobby that has given me great joy over the last couple of years.
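Two of the comments above point at the same control: FredrickandNevalB notes that devices without rate limiting are a brute-forcing playground, and sysblob says to monitor the Synology login attempts. The following is an added example, not code from the original thread or from Synology, of the detection logic a practitioner would run over those attempts: a sliding-window counter per source IP that flags brute force (many failures from one IP), password spraying (one IP cycling through usernames) and, most importantly, a success that follows a burst of failures. The log lines are constructed for the example; their wording approximates Log Center's connection messages, but the exact DSM format, the hostname and the `Connection:` tag are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real logs). Format is an assumption that
# approximates DSM Log Center connection entries.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z nas Connection: User [admin] from [203.0.113.7] failed to log in via [DSM] due to authorization failure.
2024-05-01T10:00:09Z nas Connection: User [admin] from [203.0.113.7] failed to log in via [DSM] due to authorization failure.
2024-05-01T10:00:15Z nas Connection: User [root] from [198.51.100.9] failed to log in via [DSM] due to authorization failure.
2024-05-01T10:00:17Z nas Connection: User [admin] from [203.0.113.7] failed to log in via [DSM] due to authorization failure.
2024-05-01T10:00:30Z nas Connection: User [alice] from [192.168.1.20] failed to log in via [DSM] due to authorization failure.
2024-05-01T10:00:41Z nas Connection: User [alice] from [192.168.1.20] logged in successfully via [DSM].
2024-05-01T10:00:52Z nas Connection: User [admin] from [198.51.100.9] failed to log in via [DSM] due to authorization failure.
2024-05-01T10:01:03Z nas Connection: User [admin] from [203.0.113.7] failed to log in via [DSM] due to authorization failure.
2024-05-01T10:01:10Z nas Connection: User [synology] from [198.51.100.9] failed to log in via [DSM] due to authorization failure.
2024-05-01T10:01:20Z nas Connection: User [admin] from [203.0.113.7] failed to log in via [DSM] due to authorization failure.
2024-05-01T10:02:05Z nas Connection: User [admin] from [203.0.113.7] logged in successfully via [DSM].
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ Connection: User \[(?P<user>[^\]]*)\] from \[(?P<ip>[^\]]+)\] "
    r"(?P<outcome>failed to log in|logged in successfully) via \[(?P<service>[^\]]+)\]"
)


def parse_line(line):
    """Parse one log line into an event dict, or None if it is not a login record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": m["user"],
        "ip": m["ip"],
        "failed": m["outcome"].startswith("failed"),
        "service": m["service"],
    }


class LoginMonitor:
    """Sliding-window failed-login tracker keyed by source IP."""

    def __init__(self, threshold=5, window=timedelta(minutes=10), spray_users=3):
        self.threshold = threshold        # failures per window before alerting
        self.window = window
        self.spray_users = spray_users    # distinct usernames per window
        self.failures = defaultdict(deque)  # ip -> deque of (ts, user)

    def _recent(self, ip, now):
        q = self.failures[ip]
        while q and now - q[0][0] > self.window:
            q.popleft()                   # drop failures outside the window
        return q

    def should_block(self, ip, now):
        """What a rate limiter / auto-block rule would decide right now."""
        return len(self._recent(ip, now)) >= self.threshold

    def feed(self, ev):
        """Consume one event; return a list of (kind, ip, count) alerts."""
        alerts = []
        q = self._recent(ev["ip"], ev["ts"])
        if ev["failed"]:
            q.append((ev["ts"], ev["user"]))
            if len(q) == self.threshold:
                alerts.append(("brute_force", ev["ip"], len(q)))
            distinct = {user for _, user in q}
            if len(distinct) == self.spray_users:
                alerts.append(("password_spray", ev["ip"], len(distinct)))
        else:
            # A success after a burst of failures is the one that matters:
            # the guessing may have worked.
            if len(q) >= self.threshold:
                alerts.append(("success_after_brute_force", ev["ip"], len(q)))
            q.clear()
        return alerts


def analyze(text, **kwargs):
    """Run the monitor over a whole log text and collect every alert."""
    monitor = LoginMonitor(**kwargs)
    alerts = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev:
            alerts.extend(monitor.feed(ev))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the constructed sample this reports a password spray from 198.51.100.9, a brute-force burst from 203.0.113.7, and then the success from 203.0.113.7 that followed it; the single typo by the LAN user is ignored. The thresholds are starting points: the real value is the `success_after_brute_force` rule, which is the signal that should page you rather than just tighten a blocklist.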

  • safely_beyond_redempB · 1 upvote · 11 months ago

    For one thing, it announces to the internet that your device is there. If there is one thing you could do to make it easy on a hacker it is to tell them what and where to hack. There might not be any complete exploits today, but there will be tomorrow, and when it happens, there will be a race between you and the bad guy to either patch or exploit. Are you updating often enough to protect your device from any possible random point in time in the future? If you have nothing to lose, don’t worry about it, but most people store things they feel are worth storing.

  • shrugal@lemm.ee · 1 upvote · edited · 11 months ago

    It’s a matter of risk management, and your personal situation and willingness to sacrifice convenience to reduce risk. There are many aspects that can affect risk, e.g. how often the software is updated, if it’s open or closed source, how widely used it is, your personal level of relevant IT knowledge, the likelihood of a serious attack, what you are actually protecting, and so on.

    One central rule is that more attack surface leads to a higher risk of security breaches (e.g. by discovering new vulnerabilities), and hiding everything behind a VPN reduces the attack surface to just one piece of software that’s mainly focused on security. Additional public entry points add convenience but also increase your attack surface, so you have to find a level you are personally comfortable with.

    In my opinion and experience, if an app is made for public access, in a production ready state and already widely used, if you trust the creator in general and with security updates in particular, and if you trust your own knowledge and ability to configure it correctly and keep all the relevant doors closed, then it’s completely fine to make it publicly accessible in most cases. The security risk is not zero, but it’s way overblown by some people in tech forums.

    In your case, the login page behind a CF tunnel with 2FA enabled and yourself on the lookout for possible vulnerabilities sounds like an acceptable level of risk to me, unless the data on your NAS could start a nuclear war or something.

  • Kevin_CossaboonB · 1 upvote · 11 months ago

    Good conversation. Great comments.

    What are you protecting, what is the value to you, how much are you willing to protect it?

    Convenient is unsecured, Secure is inconvenient.