this post was submitted on 23 Nov 2023
6 points (100.0% liked)

Homelab

371 readers
3 users here now

Rules

founded 1 year ago
MODERATORS
 

...without snark or jumping down my throat. I genuinely want to know why it's so unsafe.

I'm running a Synology DS920+, with my DSM login exposed through a Cloudflare tunnel. I have 2FA enabled, Synology firewall enabled with these rules in place. I also have this IP blocklist enabled.

After all of this, how would someone be able to break in via the DSM login?

you are viewing a single comment's thread
view the rest of the comments
[–] vdubster007@alien.top 1 points 11 months ago (1 children)

It all comes down to risk management at the end of the day. And the good old equation threat X asset X vulnerability = risk.

So how sensitive is your data? At the end of the day this is the asset you are protecting. Is it all of your family photos and memories with no backup? Or is it your animated GIF collection from ‘99 before giphy made it absolete. What is the IMPACT if this gets compromised.

In terms of threats what do you worry about? Ransomware, script kiddies, organized crime? And which do you think you can reasonably mitigate against.

It is impossible to predict potential future vulnerabilities in a product. There could be unauthenticated remote code execution vulnerabilities that grant an attacker remote access. Vulnerabilities are reduced with controls so you have some in place. What about patch management, etc? With your controls in place what is the likelihood that the threat you care about could impact you?

Out comes a risk value (low, medium, high).

Do you accept it or not?

For me I have a tiny FreeBSD server running that I’ve hardened (pf firewall, no root login, ssh keys only auth method, ansible playbook to check for an apply updates daily). Its sole purpose in life is to run wireguard. My various devices including NAS are clients that I allow access to the NAS over wireguard. I run PF on the wireguard interface and only allow access to specific services on the NAS. I don’t store anything sensitive on the NAS and I send encrypted backups to backblaze for files I don’t want to lose

In my equation it’s a level of risk I am happy with. And if something bad happens I’m prepared to rebuild everything in my home network from scratch.

Good luck deciding.

[–] _subtype@alien.top 1 points 11 months ago

It all comes down to risk management at the end of the day. And the good old equation threat X asset X vulnerability = risk.

Surprised to see this answer so low in the post! I agree; you want to reduce the attack surface and vectors as much as you can to a minimal footprint + security through layers and a good dash of obscurity