I have a Synology DS216j that I use as a local backup server. I've never enabled any port forwarding to it, so to my knowledge it's inaccessible from outside my local network. I just want to check that I'm doing this right before I do something dumb.
I want to take advantage of its 24/7 uptime to do a scheduled, scripted task for me involving pulling files off a website everyday, then sharing them via FTP for a friend. The files are public data and I'm not concerned about their security, however I want to make sure I don't compromise the whole NAS. It seems straightforward enough to add a user account for my friend, assign a strong password (which I'd communicate securely to him), and enable the FTP service (all covered here https://www.synology.com/en-us/knowledgebase/DSM/tutorial/File_Sharing/How_to_access_files_on_Synology_NAS_via_FTP)
In addition, I can register a free hostname via Synology and DDNS, making it easy for him to connect. Also, although I'm not concerned about the data I should probably still use FTPS to protect his user credentials, right?
What I don't understand entirely is port forwarding. Since all I want to do is FTP I believe all I need to do in the router is forward port 20 and 21 to the NAS (and the passive ports?) 989 and 990 for FTPS. What exactly is the risk of doing this? Is the worst case that someone would just have access to the shared files? That's assuming I lock down the user account so that it only has access to just those shared files and no other directories or admin rights. I know DSM and Synologys had a hacking problem a couple of years ago, but my understanding was that related to forwarding port 5000 or 5001 (which allows remote access to DSM) and not disabling the default admin account, which I've done. Are there any other risks I'm missing? Thanks!
I want to take advantage of its 24/7 uptime to do a scheduled, scripted task for me involving pulling files off a website everyday, then sharing them via FTP for a friend. The files are public data and I'm not concerned about their security, however I want to make sure I don't compromise the whole NAS. It seems straightforward enough to add a user account for my friend, assign a strong password (which I'd communicate securely to him), and enable the FTP service (all covered here https://www.synology.com/en-us/knowledgebase/DSM/tutorial/File_Sharing/How_to_access_files_on_Synology_NAS_via_FTP)
In addition, I can register a free hostname via Synology and DDNS, making it easy for him to connect. Also, although I'm not concerned about the data I should probably still use FTPS to protect his user credentials, right?
What I don't understand entirely is port forwarding. Since all I want to do is FTP I believe all I need to do in the router is forward port 20 and 21 to the NAS (and the passive ports?) 989 and 990 for FTPS. What exactly is the risk of doing this? Is the worst case that someone would just have access to the shared files? That's assuming I lock down the user account so that it only has access to just those shared files and no other directories or admin rights. I know DSM and Synologys had a hacking problem a couple of years ago, but my understanding was that related to forwarding port 5000 or 5001 (which allows remote access to DSM) and not disabling the default admin account, which I've done. Are there any other risks I'm missing? Thanks!
Facebook
Twitter
Instagram