Trying to figure out best security solution for two pairs of NAS units that need remote access.

SoundSamK

So I've set up a total of 4 Synology file servers split across two locations, with one at each location serving as a backup to the other. So one server each for local file access and storage, and then a backup of that server at the other location. Up until now I've been using QuickConnect to log into them, but I've heard that isn't safe long term.

So,

I've set up DDNS on all four servers, checked my router to make sure that only the needed ports are open, then on each server disabled SMB1, disabled IPv6, turned on DoS protection, set up snapshots as a hopeful way to save my local data if somehow I get hacked and encrypted. Also the backups are encrypted locally with 30 character passwords I keep in my 1Password, and encryption keys I keep air-gapped on an SSD I keep with me whenever I'm away from home for more than a day.

My question is, am I doing enough? I've thought about setting up a site to site VPN for my servers with Ubiquiti Security Gateways, but I'd love to hear the community's opinions on this. Just want to keep my stuff as safe as I can without giving myself too much to hassle with when trying to access my data.


13 minutes ago, SoundSamK said:

So I've set up a total of 4 Synology file servers split across two locations, with one at each location serving as a backup to the other. So one server each for local file access and storage, and then a backup of that server at the other location. Up until now I've been using QuickConnect to log into them, but I've heard that isn't safe long term.

So,

I've set up DDNS on all four servers, checked my router to make sure that only the needed ports are open, then on each server disabled SMB1, disabled IPv6, turned on DoS protection, set up snapshots as a hopeful way to save my local data if somehow I get hacked and encrypted. Also the backups are encrypted locally with 30 character passwords I keep in my 1Password, and encryption keys I keep air-gapped on an SSD I keep with me whenever I'm away from home for more than a day.

My question is, am I doing enough? I've thought about setting up a site to site VPN for my servers with Ubiquiti Security Gateways, but I'd love to hear the community's opinions on this. Just want to keep my stuff as safe as I can without giving myself too much to hassle with when trying to access my data.

You don't need complex stuff unless it's a business / enterprise environment. All you need is a VPN, or ssh access to the servers and if you have ssh access you can then tunnel all other ports you may need through the ssh tunnel. I prefer ssh.


8 minutes ago, SoundSamK said:

So I've set up a total of 4 Synology file servers split across two locations, with one at each location serving as a backup to the other. So one server each for local file access and storage, and then a backup of that server at the other location. Up until now I've been using QuickConnect to log into them, but I've heard that isn't safe long term.

So,

I've set up DDNS on all four servers, checked my router to make sure that only the needed ports are open, then on each server disabled SMB1, disabled IPv6, turned on DoS protection, set up snapshots as a hopeful way to save my local data if somehow I get hacked and encrypted. Also the backups are encrypted locally with 30 character passwords I keep in my 1Password, and encryption keys I keep air-gapped on an SSD I keep with me whenever I'm away from home for more than a day.

My question is, am I doing enough? I've thought about setting up a site to site VPN for my servers with Ubiquiti Security Gateways, but I'd love to hear the community's opinions on this. Just want to keep my stuff as safe as I can without giving myself too much to hassle with when trying to access my data.

I haven't used one of those NAS boxes so I am not sure if that would work but I have a home and a work storage server that communicate with a third server that serves as a comm link between them. That way the IP can change, no need for DDNS as the clients (the storage servers) will link up with the static host that has no data on it, just makes the handshake. I cannot elaborate on the details too much but it is similar to what cloud providers do. The server connection is encrypted and both locations have a dedicated 500 Mbit uplink. Both of those also have switching IP addresses (every 4 hours) and sit behind a hardware firewall that blocks all other traffic.

I hope you have a backup for those keys. SSDs are not unbreakable (meaning damage). Heat and cold can corrupt the file structure as well.


3 minutes ago, Applefreak said:

I haven't used one of those NAS boxes so I am not sure if that would work but I have a home and a work storage server that communicate with a third server that serves as a comm link between them. That way the IP can change, no need for DDNS as the clients (the storage servers) will link up with the static host that has no data on it, just makes the handshake. I cannot elaborate on the details too much but it is similar to what cloud providers do. The server connection is encrypted and both locations have a dedicated 500 Mbit uplink. Both of those also have switching IP addresses (every 4 hours) and sit behind a hardware firewall that blocks all other traffic.

I hope you have a backup for those keys. SSDs are not unbreakable (meaning damage). Heat and cold can corrupt the file structure as well.

Already in the process of getting some more flash drives to make a few backups I will keep in a safe.


4 minutes ago, SoundSamK said:

Already in the process of getting some more flash drives to make a few backups I will keep in a safe.

I am changing the keys daily because it is used for work related stuff. Our office safe is in plain sight but does not contain the right keys. If any of those are entered, the data is gone. If the other side will not receive a valid connection or a manual keep alive command, it will encrypt itself to the point where it needs a physical encryption key (another drive). Even with that, it takes about a week to restore data. We do daily backups as hard copies and discs where not applicable, just in case. So far this solution seems a bit overkill but I have gotten used to it and given that I am the one who implemented it, I am sticking with it. I know of a company that has metal punch cards to decrypt data on their servers. I believe the ones who have access need to first create one of those metal sheets in a press, which is behind several locked doors. The key is changed weekly and to create it you need to solve a complex equation. Both guys who invented that stuff are professors in physics and chemistry. Now that is overkill.


7 hours ago, SoundSamK said:

So I've set up a total of 4 Synology file servers split across two locations, with one at each location serving as a backup to the other. So one server each for local file access and storage, and then a backup of that server at the other location. Up until now I've been using QuickConnect to log into them, but I've heard that isn't safe long term.

So,

I've set up DDNS on all four servers, checked my router to make sure that only the needed ports are open, then on each server disabled SMB1, disabled IPv6, turned on DoS protection, set up snapshots as a hopeful way to save my local data if somehow I get hacked and encrypted. Also the backups are encrypted locally with 30 character passwords I keep in my 1Password, and encryption keys I keep air-gapped on an SSD I keep with me whenever I'm away from home for more than a day.

My question is, am I doing enough? I've thought about setting up a site to site VPN for my servers with Ubiquiti Security Gateways, but I'd love to hear the community's opinions on this. Just want to keep my stuff as safe as I can without giving myself too much to hassle with when trying to access my data.

I would definitely set up a VPN. I was going to suggest WireGuard, but any solution really is fine as long as you trust it.

Also you should lock down the management interface behind a jumphost at each location, and that jumphost should be behind a different VPN. My recommendation would be using something like F5's VPN since it's quite easy to use. Or use something like OpenVPN.

Another thing that is highly advised is to get a central logging server(s) and put all of your NAS's syslogs into it and all of the jumphost logs.
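
An added example, not part of the thread and not any poster's own code: one way to put the central log server suggested above to use, by flagging logins that did not arrive over the VPN and repeated failures from a single source. It assumes the NAS units and jumphosts relay OpenSSH-style sshd messages in RFC 3164 form; the hostnames, addresses and the 10.8.0.0/24 VPN subnet are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the VPN subnet shared by the NAS units and jumphosts (hypothetical).
VPN_NET = ipaddress.ip_network("10.8.0.0/24")

# Constructed sample: sshd messages as relayed to the log server. Hostnames
# (nas-a1, nas-b1, jump-a) and addresses are made up for this example.
SAMPLE = """\
Mar  3 02:11:07 nas-a1 sshd[4121]: Failed password for admin from 203.0.113.50 port 40112 ssh2
Mar  3 02:11:09 nas-a1 sshd[4121]: Failed password for admin from 203.0.113.50 port 40112 ssh2
Mar  3 02:11:12 nas-a1 sshd[4125]: Failed password for invalid user root from 203.0.113.50 port 40130 ssh2
Mar  3 08:30:44 jump-a sshd[911]: Accepted publickey for sam from 10.8.0.2 port 51514 ssh2
Mar  3 09:02:10 nas-b1 sshd[2210]: Accepted password for admin from 198.51.100.23 port 60022 ssh2
Mar  3 09:05:00 nas-b1 sshd[2299]: Failed password for admin from 10.8.0.7 port 42000 ssh2
"""

LINE = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def review(log_text, vpn_net=VPN_NET, threshold=3):
    """Return (logins from outside the VPN, sources with >= threshold failures)."""
    outside_logins = []   # accepted logins whose source is not on the VPN
    failures = Counter()  # failed attempts per (host, source address)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not an sshd auth line
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # sshd logged a hostname instead of an address
        if m["result"] == "Accepted" and src not in vpn_net:
            outside_logins.append((m["host"], m["user"], str(src)))
        elif m["result"] == "Failed":
            failures[(m["host"], str(src))] += 1
    brute = {key: n for key, n in failures.items() if n >= threshold}
    return outside_logins, brute

if __name__ == "__main__":
    outside, brute = review(SAMPLE)
    for host, user, src in outside:
        print(f"login from outside VPN: {user}@{host} from {src}")
    for (host, src), n in brute.items():
        print(f"{n} failed logins on {host} from {src}")
```

Once management access is only reachable through the VPN and jumphost, any accepted login from outside the VPN subnet means a port is still exposed or a rule is wrong.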
