…without snark or jumping down my throat. I genuinely want to know why it’s so unsafe.

I’m running a Synology DS920+, with my DSM login exposed through a Cloudflare tunnel. I have 2FA enabled, Synology firewall enabled with these rules in place. I also have this IP blocklist enabled.

After all of this, how would someone be able to break in via the DSM login?

  • johnklos@alien.topB · 3 upvotes · 10 months ago

    NAS vendors aren’t known for understanding security. Opening ssh to the world is no problem, because ssh is everywhere, it’s constantly attacked, and half the world would know if an exploitable vulnerability was found.

    If NAS vendor ABC has a vulnerability in the login code written by a programmer who hasn’t done much more than CSS, it would surprise nobody, and you wouldn’t hear about it on any IT news sites. It would just be exploited until all the machines were exploited or until they’re all patched.

    It really is a world of difference between something known and secure and some random login page.

    • OneBreakfastPlease@alien.topOPB · 2 upvotes · 10 months ago

      Opening ssh to the world is no problem

      That seems to go against the general consensus… Why is everyone/everything online telling me to either disable SSH entirely, or change the SSH port to something incredibly obscure (and even that’s not safe)?

      • johnklos@alien.topB · 2 upvotes · 10 months ago

        Because they’re being silly. There is no other public facing service more secure than a relatively modern OpenSSH.

        In some instances, yes, it’s best to disable the ssh that comes with whatever NAS OS you’re running, because they often ship old code and don’t care about updates and security.

        But if you’re running a relatively up to date OpenSSH and you’re using keys, not passwords, then you are as secure as you can reasonably be. There’s no math suggesting otherwise. Moving to a different port will reduce the frequency of attack, but that will have zero impact on the possibility of intrusion.

        Put it this way: if relatively recent OpenSSH has a remotely exploitable vulnerability, you’ll see it on the news on TV. You’ll see it and hear about it literally everywhere. The world will stop for 24 hours and there will be widespread panic. You’ll know.

        If your NAS has an exploit, you might read about it on The Register a few months later.
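The reply above boils down to a short checklist for an exposed sshd: public-key authentication on, password and keyboard-interactive authentication off, root login restricted, and the port number treated as noise reduction rather than a control. As an added example (not code from the thread, OpenSSH or Synology), here is a small audit that parses an sshd_config the way sshd reads it (case-insensitive keywords, first occurrence wins, comments stripped, anything after a Match line excluded from the global view) and reports which of those expectations a config fails to meet. The two sample configs are constructed; the defaults and accepted values come from sshd_config(5).

```python
"""Audit an sshd_config against the keys-not-passwords baseline.

Added example, not from the original thread. Sample configs are constructed.
"""
import re

DEFAULTS = {  # what sshd assumes when a directive is absent (sshd_config(5))
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}
ACCEPTABLE = {  # values that satisfy "keys, not passwords"
    "passwordauthentication": {"no"},
    "kbdinteractiveauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
}
# Pre-8.7 spelling of the same directive, still common in shipped configs.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# "Keyword value" or "Keyword=value"; keyword is the shortest non-space run.
_DIRECTIVE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text: str) -> tuple[dict[str, str], bool]:
    """Return (global settings, has_match_block).

    Keywords are case-insensitive, the first occurrence of a directive wins,
    '#' starts a comment, and everything after a Match line applies only to
    matching connections, so it is left out of the global view.
    """
    settings: dict[str, str] = {}
    has_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        key, value = (m.group(1), m.group(2)) if m else (line, "")
        key = key.lower()
        if key == "match":
            has_match = True
            continue
        if has_match:
            continue
        key = ALIASES.get(key, key)
        settings.setdefault(key, value.strip().lower())  # first occurrence wins
    return settings, has_match


def audit(text: str) -> dict[str, list[str]]:
    """'weak' lists directives that contradict the baseline; 'notes' is informational."""
    settings, has_match = parse_sshd_config(text)
    weak, notes = [], []
    for directive, ok_values in ACCEPTABLE.items():
        value = settings.get(directive, DEFAULTS[directive])
        if value not in ok_values:
            weak.append(f"{directive} is '{value}' (want one of {sorted(ok_values)})")
    port = settings.get("port", "22")
    if port != "22":
        notes.append(f"port is {port}: cuts scanner noise, changes nothing about exploitability")
    if has_match:
        notes.append("Match block present: per-user overrides need separate review")
    return {"weak": weak, "notes": notes}


WEAK_CONFIG = """\
# Constructed sample: password logins left on, root allowed, port moved
Port 2222
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
"""

HARDENED_CONFIG = """\
# Constructed sample: keys only
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg))
```

Run it against the real file with `audit(open("/etc/ssh/sshd_config").read())`; on a NAS the shipped daemon may also be old, which the reply above treats as a separate reason to disable it, and which no config audit can detect.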

  • ervwalter@alien.topB · 2 upvotes · 10 months ago

    All software has bugs. Sometimes bugs let you do things you weren’t intended to be able to do (e.g. access data on a NAS without knowing the login password). Your NAS might have a bug that hasn’t been discovered (or publicized yet) or hasn’t been fixed yet.

    If you put your NAS on the internet, you give “bad guys” an opportunity to exploit those bugs to get your data or to use your NAS as a jumping off spot to attack other things inside your home network.

  • zedkyuu@alien.topB · 2 upvotes · 10 months ago

    If your DS920+ is completely inaccessible to outside your network except for the Cloudflare tunnel, then the Synology firewall and IP blocklist aren’t going to do squat for you since all connections will appear to originate from either inside your network or from Cloudflare. So you’re 100% dependent on Cloudflare to keep bad actors out.

    I’m not familiar with Cloudflare but the impression I had from looking at it was that you can decide which authenticated Cloudflare users can access your tunnel. So it’s a matter of credential management. Supposing some bad actor gets your credentials, they would then be able to access the entirety of your NAS, and you’re now hoping that there isn’t some undiscovered or unpatched security hole that they can use.

    • wavehockeysandwich@alien.topB · 1 upvote · 10 months ago

      Not true, cloudflare will forward the real IP in the headers, and if your nas is correctly configured (trusts the forwarded header), it can block the source based on IP.
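The two comments above describe both halves of the same problem: behind a tunnel every connection reaches the NAS from the tunnel connector, so a firewall or blocklist keyed on the raw peer address never sees the visitor, and the fix is to make decisions on the forwarded address instead. The part that is easy to get wrong is that the forwarded header must be trusted only when the connection actually comes from the proxy; a direct connection can carry any header it likes and would otherwise walk past the blocklist. As an added example (not the posters' code and not anything Synology ships), here is that decision logic. The trusted proxy address is a hypothetical LAN host running the cloudflared connector; in a reverse-proxy deployment where Cloudflare's edge connects to you directly, the trusted set would be Cloudflare's published IP ranges (https://www.cloudflare.com/ips/) instead. The header name is the one Cloudflare sets, CF-Connecting-IP; the blocklist and requests are constructed from RFC 5737 documentation ranges.

```python
"""Allow/block a request reaching a NAS behind a Cloudflare tunnel.

Added example, not from the thread and not Synology's code. The proxy
address, blocklist and requests are constructed for the example.
"""
import ipaddress
from typing import Mapping, Optional

# Hypothetical: the LAN host running the cloudflared connector. Every tunnel
# request reaches the NAS from here, never from the visitor's own address.
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.1.10/32")]

# Constructed blocklist (RFC 5737 documentation range).
BLOCKLIST = [ipaddress.ip_network("203.0.113.0/24")]

HEADER = "cf-connecting-ip"  # Cloudflare sets this on every proxied request


def _in_any(addr, networks) -> bool:
    return any(addr in net for net in networks)


def effective_client_ip(peer: str, headers: Mapping[str, str]) -> Optional[ipaddress._BaseAddress]:
    """Address that access decisions should be made on.

    The forwarded header is honoured only when the TCP peer is a trusted proxy.
    A client connecting directly controls every header it sends, so from an
    untrusted peer the header is ignored and the peer address is used.
    Returns None when a trusted proxy sends an unparsable value.
    """
    peer_addr = ipaddress.ip_address(peer)
    if not _in_any(peer_addr, TRUSTED_PROXIES):
        return peer_addr
    forwarded = next((v for k, v in headers.items() if k.lower() == HEADER), None)
    if forwarded is None:
        return peer_addr  # trusted proxy but no header: fall back to the peer
    try:
        return ipaddress.ip_address(forwarded.strip())
    except ValueError:
        return None


def decide_naive(peer: str, headers: Mapping[str, str]) -> str:
    """What a firewall rule on the raw connection sees: only the peer address."""
    return "block" if _in_any(ipaddress.ip_address(peer), BLOCKLIST) else "allow"


def decide(peer: str, headers: Mapping[str, str]) -> str:
    """Blocklist check on the effective client address, failing closed on garbage."""
    addr = effective_client_ip(peer, headers)
    if addr is None:
        return "block"  # malformed value from a trusted proxy: fail closed
    return "block" if _in_any(addr, BLOCKLIST) else "allow"


if __name__ == "__main__":
    tunnel_peer = "192.168.1.10"
    blocked_visitor = {"CF-Connecting-IP": "203.0.113.5"}
    # The raw-connection rule is blind to the visitor; the header-aware one is not.
    print(decide_naive(tunnel_peer, blocked_visitor))  # allow
    print(decide(tunnel_peer, blocked_visitor))        # block
    # A blocked host connecting directly and forging a clean header still loses.
    print(decide("203.0.113.9", {"CF-Connecting-IP": "198.51.100.1"}))  # block
```

The same rule applies to X-Forwarded-For and any other client-supplied header: a web server or reverse proxy that "trusts the forwarded header" unconditionally has turned its IP blocklist into a suggestion.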

  • Jess_S13@alien.topB · 2 upvotes · 10 months ago

    Security for systems is designed for their target use case. The NAS login page was designed to be easily usable and assumed to only live within a private network. By opening it to the internet you are opening it up to be targeted in a way the designers may not have accounted for.

  • Kevin_Cossaboon@alien.topB · 1 upvote · 10 months ago

    Good conversation. Great comments.

    What are you protecting, what is the value to you, how much are you willing to protect it.

    Convenient is unsecured, Secure is inconvenient.

  • Sipheren@alien.topB · 1 upvote · 10 months ago

    Look, what you have is probably fine, but you just have to accept that you now have this page open to the world and you are relying on Synology to be on top of their security and you to be up-to-date.

    I use Cloudflare tunnels myself for Plex and the like (separate VLAN), but I keep my local Network and all portals only available via a VPN.

  • Revolios@alien.topB · 1 upvote · 10 months ago

    Like all others here have said, it’s an unnecessary risk. You can set up a VPN to your home network with DDNS on your router (if you have a public IP) and that will be much better.

    • sysblob@alien.topB · 1 upvote · 10 months ago

      Cloudflare is just as secure and way more convenient. Possibly even more secure, since that VPN is opening a port into your home whereas Cloudflare is not.

  • sysblob@alien.topB · 1 upvote · 10 months ago

    Cyber Security seems to bring out weird bravado where people pretend like they know more than they do. This thread is literally dozens and dozens of people spouting nonsense.

    The bottom line is if you’re running a Cloudflare tunnel with authentication on the tunnel itself to a trusted auth provider and then enable 2FA on that auth provider, you have a zero trust model that is about as secure as most modern companies. All of the people saying BUT WHAT ABOUT ZERO DAY are beyond dumb. Enable auto-updates on everything you can, script the rest. The chances of there being a zero day vulnerability in Cloudflare and then a bot being able to hit your Synology page, which then has its own security they need to get past: it’s not likely at all. Monitor your Synology login attempts just in case; it’s all built in.

    • OneBreakfastPlease@alien.topOPB · 1 upvote · 10 months ago

      Cyber Security seems to bring out weird bravado where people pretend like they know more than they do. This thread is literally dozens and dozens of people spouting nonsense.

      I know, right? I’m not going to lie, it’s very amusing reading some of these replies…

      I was literally just posting this in hopes of learning a thing or two, as I’ve always loved tech and this is a hobby that has given me great joy over the last couple of years.

  • Professional-Bug2305@alien.topB · 1 upvote · 10 months ago

    Are you going to update the firmware upon every release? Are you going to monitor for vulnerabilities?

    TAs have automated software that will find it, and mess with it for funsies.

  • PizzaCurrySpecial3@alien.topB · 1 upvote · 10 months ago

    Simple, no vendor can create completely secure software. The main way to prevent someone from breaking into your front door when a new vulnerability is discovered is to not present a front door to the internet.

    It is impossible to overstate how exposed you really are when leaving interfaces like this open to the internet to be scanned, catalogued, then exploited and used (or damaged) as soon as a new vulnerability is weaponized.

  • u35828@alien.topB · 1 upvote · 10 months ago

    Hi OP, someone using nmap would have a fun time trying to find any open ports to exploit.

  • safely_beyond_redemp@alien.topB · 1 upvote · 10 months ago

    For one thing, it announces to the internet that your device is there. If there is one thing you could do to make it easy on a hacker it is to tell them what and where to hack. There might not be any complete exploits today, but there will be tomorrow, and when it happens, there will be a race between you and the bad guy to either patch or exploit. Are you updating often enough to protect your device from any possible random point in time in the future? If you have nothing to lose, don’t worry about it, but most people store things they feel are worth storing.