What can I do to enhance the security of my Synology NAS?

Purpose

This article provides several methods that can help you make your Synology NAS more secure.

Resolution

Enable Security Advisor

Security Advisor is a built-in DSM app that scans your Synology NAS, checks your DSM settings, and gives you advice on how to address security weaknesses. To configure Security Advisor, refer to this article.

Configure DSM users' permission settings

  • Deactivate the default admin account. Its user name is known to everyone, so it draws most automated password-guessing attempts; use a separately named account with administrator privileges for administration instead.
  • Manage access to your Synology NAS by configuring user privileges to shared folders and applications, and by setting usage quotas and speed limits for different services. You can do this per group or per user, either during group/user creation or later in Control Panel > User (for DSM 6.2 and earlier) or User & Group (for DSM 7.0 and later). Grant access per group where possible, and keep each account limited to the folders and applications it actually needs.

Configure password strength rules

Enforce strong passwords to reduce the risk of credential guessing. Select Apply password strength rules at the following locations:

  • For DSM 7.0 and above: Go to Control Panel > User & Group > Advanced > Password Settings.
  • For DSM 6.2 and earlier: Go to Control Panel > User > Advanced > Password Settings.

For more information on password strength rules, refer to this article.
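The following is an added example, not Synology code: a small checker that tests candidate passwords against a policy modelled on the options shown under Password Settings (exclude user name and description, mixed case, numeric, special characters, minimum length, exclude common passwords). The exact matching DSM applies for each rule is an assumption, and the common-password list is a constructed sample, so use it to reason about a policy you are about to enforce rather than as a copy of DSM's logic.

```python
"""Check candidate passwords against a DSM-style password strength policy.

Added example, not Synology code. Rule names mirror the Password Settings
options; how DSM matches each rule internally is an assumption here.
"""
import re
from dataclasses import dataclass

# Constructed sample of a common-password list; DSM's own list is larger.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "synology", "admin123"}


@dataclass
class PasswordPolicy:
    """One flag per checkbox under Password Settings (names are assumptions)."""
    min_length: int = 8
    exclude_name_and_description: bool = True
    mixed_case: bool = True
    numeric: bool = True
    special: bool = True
    exclude_common: bool = True


def check_password(password, policy, username="", description=""):
    """Return the list of policy rules the password violates (empty = OK)."""
    violations = []
    if len(password) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    if policy.exclude_name_and_description:
        lowered = password.lower()
        for label, value in (("user name", username), ("description", description)):
            # Assumption: case-insensitive substring match on the whole value.
            if value and value.lower() in lowered:
                violations.append(f"contains the {label} '{value}'")
    if policy.mixed_case and not (re.search(r"[a-z]", password)
                                  and re.search(r"[A-Z]", password)):
        violations.append("needs both upper- and lower-case letters")
    if policy.numeric and not re.search(r"\d", password):
        violations.append("needs a digit")
    if policy.special and not re.search(r"[^A-Za-z0-9]", password):
        violations.append("needs a special character")
    if policy.exclude_common and password.lower() in COMMON_PASSWORDS:
        violations.append("is on the common-password list")
    return violations


def is_compliant(password, policy, username="", description=""):
    """True when the password violates none of the enabled rules."""
    return not check_password(password, policy, username, description)


if __name__ == "__main__":
    policy = PasswordPolicy(min_length=10)
    for candidate in ("Alice2024!", "Tr0ub4dor&3x", "password"):
        print(candidate, check_password(candidate, policy, username="alice") or "OK")
```

Run it against the user names and descriptions you actually have: the "exclude name and description" rule is the one most often misjudged, because it rejects passwords that merely contain the user name as a substring.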

Set expiration for passwords

You can force users to change their passwords after a set period. Select Enable password expiration at the following locations:

  • For DSM 7.0 and above: Go to Control Panel > User & Group > Advanced > Password Expiration.
  • For DSM 6.2 and earlier: Go to Control Panel > User > Advanced > Password Expiration.

For more information on password expiration, refer to this article. Note that expiration on its own does not stop a leaked password from being used before it expires; pair it with the strength rules above and with multi-factor authentication rather than relying on it alone.

Use multi-factor authentication

Multi-factor authentication adds a second check to your DSM account: once it is enabled, you must present a second factor in addition to your password when logging in to DSM, so a guessed or leaked password alone is not enough. Enable it first for every account with administrator privileges. For more information on multi-factor authentication, refer to the respective help articles for DSM 7.0 and DSM 6.2.

  • For DSM 7.0 and above: Go to Options > Personal > Account > 2-Factor Authentication.
  • For DSM 6.2 and earlier: Go to Options > Personal > Account and select Enable 2-step verification.

Enable auto block and account protection

You can enable auto block to block a source IP address after a set number of failed login attempts within a set time window. This function applies to login attempts via SSH, Telnet, rsync, Network Backup, Shared Folder Sync, FTP, WebDAV, Synology mobile apps, File Station, and DSM. Configure Auto Block at the following locations:

  • For DSM 7.0 and above: Go to Control Panel > Security > Protection.
  • For DSM 6.2 and earlier: Go to Control Panel > Security > Account.

You can enable account protection to reduce the risk of accounts being brute-forced. It complements auto block: it counts failed attempts per account rather than per source IP address, so a guessing attack spread across many addresses is still caught. This function supports the following services and packages: DSM, File Station, Audio Station, Video Station, Download Station, Mail Station, Cloud Station, and Synology mobile apps. Configure Account Protection in Control Panel > Security > Account.
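To make the difference between the two mechanisms concrete, here is an added example (not Synology code) that replays a login log through both counters: a per-IP block after too many failures within a sliding window, as auto block does, and a per-account lock, as account protection does. The log lines and their format are constructed for this example and are not DSM's own log format; the thresholds are constructor arguments chosen for the demo, not DSM defaults; and the choices that a successful login clears a source's failure history and that a rejected attempt against a locked account still counts toward the per-IP block are assumptions of this model.

```python
"""Replay login records through DSM-style auto block and account protection.

Added example, not Synology code. Log format, thresholds and the clearing /
counting rules noted in the comments are assumptions of this model.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; not a real DSM log excerpt.
SAMPLE_LOG = """\
2024-05-01T10:00:01 nas auth: login failed user=admin ip=203.0.113.7 service=DSM
2024-05-01T10:00:03 nas auth: login failed user=admin ip=203.0.113.7 service=DSM
2024-05-01T10:00:05 nas auth: login failed user=admin ip=203.0.113.7 service=SSH
2024-05-01T10:00:06 nas auth: login failed user=admin ip=203.0.113.7 service=DSM
2024-05-01T10:00:07 nas auth: login failed user=admin ip=203.0.113.7 service=DSM
2024-05-01T10:00:09 nas auth: login ok user=admin ip=203.0.113.7 service=DSM
2024-05-01T10:01:00 nas auth: login failed user=alice ip=198.51.100.2 service=DSM
2024-05-01T10:01:10 nas auth: login failed user=alice ip=198.51.100.3 service=DSM
2024-05-01T10:01:20 nas auth: login failed user=alice ip=198.51.100.4 service=DSM
2024-05-01T10:01:30 nas auth: login ok user=alice ip=198.51.100.5 service=DSM
2024-05-01T10:20:00 nas auth: login failed user=bob ip=192.0.2.9 service=DSM
2024-05-01T10:45:00 nas auth: login failed user=bob ip=192.0.2.9 service=DSM
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: login (?P<result>failed|ok) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+) service=(?P<service>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict; 'ts' becomes a datetime."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


class LoginGuard:
    """Per-IP auto block plus per-account lock, each with a sliding window."""

    def __init__(self, ip_attempts=5, ip_window_min=5,
                 acct_attempts=3, acct_window_min=5):
        self.ip_attempts = ip_attempts
        self.ip_window = timedelta(minutes=ip_window_min)
        self.acct_attempts = acct_attempts
        self.acct_window = timedelta(minutes=acct_window_min)
        self._ip_fail = defaultdict(deque)    # ip -> failure timestamps
        self._acct_fail = defaultdict(deque)  # user -> failure timestamps
        self.blocked_ips = {}                 # ip -> time blocked
        self.locked_accounts = {}             # user -> time locked
        self.events = []                      # (time, action, ip, user)

    def _count_failure(self, key, failures, window, limit, store, label, now, ip, user):
        failures.append(now)
        while failures and now - failures[0] > window:   # drop stale failures
            failures.popleft()
        if len(failures) >= limit and key not in store:
            store[key] = now
            self.events.append((now, label, ip, user))

    def feed(self, rec):
        """Apply one record; returns ok / failed / rejected / dropped."""
        now, ip, user = rec["ts"], rec["ip"], rec["user"]
        if ip in self.blocked_ips:
            # Auto block acts before authentication: even a correct password is dropped.
            self.events.append((now, "dropped", ip, user))
            return "dropped"
        if rec["result"] == "ok" and user not in self.locked_accounts:
            self._ip_fail[ip].clear()      # assumption: success resets the source
            self._acct_fail[user].clear()
            return "ok"
        # Wrong password, or any attempt on a locked account: count it per IP.
        outcome = "rejected" if user in self.locked_accounts else "failed"
        self._count_failure(ip, self._ip_fail[ip], self.ip_window, self.ip_attempts,
                            self.blocked_ips, "blocked", now, ip, user)
        if outcome == "failed":
            self._count_failure(user, self._acct_fail[user], self.acct_window,
                                self.acct_attempts, self.locked_accounts, "locked",
                                now, ip, user)
        return outcome


def replay(log_text, **kwargs):
    """Feed every line of log_text through a fresh LoginGuard and return it."""
    guard = LoginGuard(**kwargs)
    for line in log_text.splitlines():
        if line.strip():
            guard.feed(parse_line(line))
    return guard


if __name__ == "__main__":
    g = replay(SAMPLE_LOG)
    for ts, action, ip, user in g.events:
        print(ts.time(), action, ip, user)
```

In the sample, the single-source attack on admin trips the account lock on the third failure and the IP block on the fifth, after which even the correct password from that address is dropped; the attack on alice from four different addresses never triggers auto block but is stopped by the account lock; and bob's two failures 25 minutes apart fall outside the window and trigger nothing.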

Use encrypted connections

To encrypt connections with SSL/TLS, use HTTPS to access DSM and web-based packages like Synology Chat, Synology Drive, Synology Photos, and Surveillance Station. This secures client communication with your Synology NAS. You can enable HTTPS using the following methods:

  • For DSM login, go to Control Panel > Login Portal > DSM to select either Automatically redirect HTTP connection to HTTPS or Enabling HSTS forces browsers to use secured connections (select this if you are using a customized domain). Do not enable both options simultaneously to avoid connection issues.
  • For portal or reverse proxy settings, select checkboxes related to HSTS when you are configuring the following:
  • For mobile app and utility login, select HTTPS on the login screen of Synology mobile apps or desktop utilities.

Once you've finished the settings above, install a certificate that clients trust (Control Panel > Security > Certificate; for a public hostname DSM can request one from Let's Encrypt). Without it, browsers warn on every connection and users learn to click through the warning, which defeats the purpose of HTTPS.
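After enabling the redirect and HSTS, verify the result from a client rather than trusting the settings page. The following is an added example, not Synology code: audit_responses() evaluates what the plain-HTTP and HTTPS management ports returned (a redirect to https:// on the HTTP port, a Strict-Transport-Security header with a sensible max-age on the HTTPS port, and no HSTS header over plain HTTP, which browsers ignore per RFC 6797), and fetch_headers() performs the live requests against your own NAS. The host name and ports in the usage block are placeholders, and the six-month minimum max-age is this example's choice, not a DSM requirement.

```python
"""Verify that a DSM login portal redirects to HTTPS and sends usable HSTS.

Added example, not Synology code. audit_responses() is the offline check;
fetch_headers() does a live GET against a NAS you control (placeholders below).
"""
import http.client
import ssl

MIN_HSTS_MAX_AGE = 180 * 24 * 3600  # six months; this example's threshold (assumption)
REDIRECT_STATUSES = (301, 302, 307, 308)


def parse_hsts(value):
    """Return (max_age, include_subdomains) or None if the header is malformed."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.lower(), val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


def audit_responses(http_status, http_headers, https_headers):
    """Evaluate captured responses from the HTTP and HTTPS management ports.

    http_status/http_headers: what the plain-HTTP port returned.
    https_headers: headers returned by the HTTPS port.
    Returns a list of findings; an empty list means the portal passes.
    """
    findings = []
    plain = {k.lower(): v for k, v in http_headers.items()}
    secure = {k.lower(): v for k, v in https_headers.items()}
    location = plain.get("location", "")
    if http_status not in REDIRECT_STATUSES or not location.lower().startswith("https://"):
        findings.append("HTTP port does not redirect to HTTPS")
    hsts = secure.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header on HTTPS")
    else:
        parsed = parse_hsts(hsts)
        if parsed is None:
            findings.append("malformed Strict-Transport-Security header")
        elif parsed[0] < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {parsed[0]} is below {MIN_HSTS_MAX_AGE}")
    if "strict-transport-security" in plain:
        # RFC 6797: user agents must ignore HSTS received over an insecure transport.
        findings.append("HSTS header sent over plain HTTP is ignored by browsers")
    return findings


def fetch_headers(host, port, use_tls, path="/"):
    """Live helper: GET path from the NAS and return (status, headers dict)."""
    if use_tls:
        conn = http.client.HTTPSConnection(host, port, timeout=5,
                                           context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()


if __name__ == "__main__":
    HOST = "nas.example.com"                     # placeholder, not a real host
    status, http_hdrs = fetch_headers(HOST, 5000, use_tls=False)
    _, https_hdrs = fetch_headers(HOST, 5001, use_tls=True)
    print(audit_responses(status, http_hdrs, https_hdrs) or ["OK"])
```

If you changed the default ports (see below), pass those instead of 5000 and 5001. A certificate the client does not trust will make the HTTPS request raise an ssl.SSLCertVerificationError, which is itself a finding: fix the certificate rather than disabling verification.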

In addition, as some services or packages also provide connection encryption, you can try the following methods to make your Synology NAS more secure:

  • Enable FTPS or SFTP instead of FTP, as plain FTP sends both credentials and data unencrypted.
  • Select Transfer encryption when backing up data to remote destinations via Hyper Backup.
  • Select Enable SSH transfer encryption when using Shared Folder Sync.

Open only public ports for needed services on the router

Synology NAS is designed to be accessed over the Internet. Refer to this tutorial to learn how to configure remote access. To keep the exposed surface small, we strongly recommend forwarding only the ports of the services you actually need on the router and closing everything else. Verify the result from outside your network with a port scan rather than trusting the router's configuration page.

Enable DoS protection

You can enable Denial-of-service (DoS) protection to prevent malicious attacks over the internet. To do so, go to Control Panel > Security > Protection, select Enable DoS protection, and click Apply.

Once enabled, your Synology NAS will respond differently depending on your DSM version:

  • For DSM 7.0 and above: The NAS will respond to up to 1,000 ICMP ping packets per second. If the frequency exceeds 1,000 pings per second, the NAS will stop responding to the extra requests.
  • For DSM 6.2 and earlier: The NAS will respond to only one ICMP ping packet per second. If more than one ping is received per second, the NAS will ignore the additional requests.

Change default management ports

You can customize the management ports. This does not stop a determined attacker, since a port scan finds the new port, but it cuts down the volume of automated login attempts aimed at the well-known defaults. The default ports are as follows:

  • HTTP: 5000
  • HTTPS: 5001
  • SSH: 22

You can change the default HTTP/HTTPS ports at the following locations:

  • For DSM 7.0 and above: Control Panel > Login Portal > DSM.
  • For DSM 6.2 and earlier: Control Panel > Network > DSM Settings.

You can change the default SSH port in Control Panel > Terminal & SNMP > Terminal.
