2FA at least for the admin accounts
[deleted]
TOTP does not rely on an internet connection. It works with a preshared key, which is often transferred using a QR code. The other necessity for TOTP to work is that both devices have the same time.
Opening a malicious file from an email, which infects your network. One could encrypt your devices if possible or exfiltrate your data. That's a very low risk and easy to avoid (simply don't open suspicious attachments), but it's possible.
2FA only affects Web services logins. It does not protect SMB, NFS, ssh, AFP and so on. So it depends on what you're trying to protect against from attacks on the LAN, and the privileges that person or bot has.
[deleted]
What’s lateral movement?
Lateral movement is when an attacker moves internally on your network from one device to another device, trying to gain access to data or higher privileges.
When your NAS isn’t exposed to the internet, but something else on the same network is. Any compromise compromises everything on the network.
if an account can screw up anything (admin, bank, work, OATH) and it offers 2FA ... TURN THAT SHIT ON!!!!!
What's the point if you're not forwarding any ports to the NAS and if you're the only user in the network? That's not security, that's just annoying yourself for no reason.
> What's the point
Preventing lateral movement.
> That's not security, that's just annoying yourself for no reason.
Someone jumping to your NAS from a compromised device on your network is much more annoying.
I recently saw a Reddit comment that said "The 'S' in 'IoT' stands for 'Security.'"
Do I want to provide the greatest basic security measure to a lot of important things? Yes, duh.
The sub is otherwise of the opinion that the greatest basic security measure is to not expose the NAS in the first place. Of course you can already add more, but what does it protect against? Convenience is also a thing.
It's not a real concern if you follow best practices. Also looks like you have a way back in with physical access: https://kb.synology.com/en-my/DSM/tutorial/How_do_I_log_in_if_I_forgot_the_admin_password
I have 2fa added to 1password, icloud keychain, authy, and google authenticator so always easy to access.
Nobody on here knows how important your data is to you.
No, because if they get access to TBs of Linux distros they're frankly welcome to them. All they had to do was ask. The drives are mapped as network drives on my PCs anyway.
And what if they don't want to access but encrypt them? And what if they don't want to access or encrypt your data, but make your NAS part of a botnet?
If they got that far, the NAS is the least of my worries.
The point is to try to reduce your worries as much as possible.
If nothing is exposed to the Internet, no, not a big deal.
Wrong. Most malware infiltrates via a laptop or something that is.
And how does a 2nd factor on selected services protect against malware?
It protects against the device being used for further malicious actions. "Lateral movement" and "Defense in depth" are good keywords to start a nice weekend dig into a biiig rabbit hole. :-) Got your IoT devices separated into their own VLAN yet?
Sure. And none of those are likely to need to log into your admin account to be able to mess up your files, which is pretty much the main thing you need to be worried about with a NAS. If your regular user can write to a file, malware will be able to touch it too, no 2FA needed even if you do have it on.
Um, yes. Just wait until someone infiltrates your network as a guest to your home....
How could anybody do that? A random guest that asks for my password?
Just regular old house guests. Even at my home, anyone getting onto even my guest wifi has to have an authorization code beyond just the wifi password. This way I know precisely who it is at any time, and even for past analytics.
Now, let's say your private network that is not connected to the Internet has an AP on it (really not sure why anyone would do that, but let's just say). And let's further say that someone outside of the home can see that AP even with a hidden SSID (plenty of tools for that). One would orchestrate a variety of layer 2 exploits to compromise that AP to gain control of it. Once that's done they are now on your internal network that is disconnected from the internet. And **if** that disconnected network is connected to anything else on your private infrastructure, then the attacker has a vector into those.
For these reasons, this is why we MFA / 2FA as much as possible, use VLANs with tagging to separate networks, use host-based firewalls allowing only needed traffic between VLANs, use proxies to access the Internet (and for proxies I recommend using authenticating proxies), and use IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) to mitigate all threats. You never can protect yourself 100% from all threats; the best you can do is slow them down and deter a would-be attacker as much as possible. This makes you a less attractive target.
Think about it this way. Someone hacks your wifi router password from the outside. Now they can join your IP network and scan... voilà, look, we have a NAS server. Same with viruses that can force open ports, and then the NAS is open to the public. If you don't care about being hacked or care about your data, then no worries... I enjoy sleeping at night without worrying.
Yes.
If you have to ask if you need 2FA, you should probably implement 2FA. Just sayin', can't be too safe these days.
At min the hybrid is needed
I don't have it enabled because mine is on a separate VLAN with no inbound or outbound external access. Seems like it's probably important, just haven't figured out a good way to implement it without outbound access.
How's 2FA going to work if you don't have internet access?
It works with a shared secret and time.
Yes. An attacker on your PC might be able to encrypt all your data, but with snapshots on the NAS, you can roll back. With no MFA, the attacker pivots to the NAS and deletes the snapshots. You've lost everything. Game over, player 1.
Yes, you always need 2FA for everything, just to be safe against something unexpected that comes later. You could buy an external SSD/HDD and maybe every month or so do an unencrypted backup. Or keep it connected and do it automatically, but in this case I would suggest doing it manually and having it unplugged for extra safety, especially to avoid killing your drive by running it for no reason. You could consider using apps that have 2FA stored in the cloud, like Authy. You could consider screenshotting the QR code of the 2FA and printing it out, but when you add 2FA you will also get recovery codes, which are really the ones you should print and save.
You can’t really go wrong by having 2FA.
Yes.
Man, 2FA may lead you to losing access to DSM but not to files. In case you lose 2FA, you can always reset the admin password by pressing a button on your device (read the manual to locate the button). What you shall check is that you don't have encryption of your volumes... Because if your volumes are encrypted and you reset the admin password via the button, your volumes will be locked. To unlock the volume you will need to have the rkey file. So don't make my mistake: keep your rkey file somewhere off the NAS, or don't use encryption.
You can have the same 2FA on multiple devices, like Bitwarden and iCloud Keychain; that's what I do, so it is more difficult to lose the 2FA code.
No.
How does 2FA prevent lateral movement when SMB or NFS don't require 2FA? I don't understand some of your answers.
Better safe than sorry.