,
This article provides instructions on how to stop malicious sign-in attempts to your Synology NAS from countries other than your own.
A few days ago on a Synology NAS device I realized that “Someone attempted too sign in as admin by typing passwords but failed (brute force attacks)”, and immediately applied all the recommended actions suggested by Synology (Enable automatic blocking, Account Protection, etc.).
But because these steps were not enough to stop the malicious attempts to connect to Synology, I decided to block the access from other countries using Synology Firewall. After I did that and made sure that this works and stops the intruders, I decided to write this article with the steps I followed for anyone else facing the same problem.
How To Block Other Countries From Accessing a Synology NAS using DSM Firewall.
Step 1. Check Network Configuration.
Before adding the Firewall rules, check Synology’s LAN settings. To do that:
1. Open the Synology DSM Control Panel and select Network.
2. Select the Network Interface tab and then expand the LAN settings.
3. Here notice the IP Address range (e.g. “192.168.1.x” and the Subnet Mask (e.g. 255.255.255.0) of your Internal Network. Once done, continue to next step.
Step 2. Configure Synology Firewall to Block Access from Other Countries.
To prevent access to your Synology NAS device from other countries, you need to create the following three (3) rules:
- Rule 1 (Important): Allow Access from the Internal Network.*
- Rule 2 (Important): Allow Access from your Country.
- Rule 3 (Important): Deny Access from all other countries.
- Rule 4 (Optional): Allow access from your Static IP Address (if your own a Static IP from your ISP)
* Note: This rule is the most important rule to set up, otherwise you will lose your access to Synology.
To create the above rules:
1. Open the Synology DSM Control Panel, select Security and then select the Firewall tab.
2. Select Enable Firewall and then click Edit Rules.
3. In ‘Edit Profile’ window, click Create to create the first rule, as described below.
RULE 1: ALLOW ACCESS TO SYNOLOGY FROM LAN.
The first and most important rule that you must create is to allow the access from your Internal Network (LAN) to Synology. If you don’t create or create wrong this rule you’ll block yourself from accessing your Synology.
4a. In ‘Create Firewall Rules’ window, ensure that the action is set to Allow and then select Specific IP and click Select.
4b. Here select the Subnet option and below:
a. Type the IP Address range of your internal network (e.g. “192.168.1.1” in this example).
b. Then type the Subnet mask of your Internal Network (e.g. “255.255.255.0” in this example).
* Note: The IP settings “192.168.1.1 & 255.255.255.0″ in this example, allow the access on Synology NAS from all IP’s/Devices on the local network. Alternately here you can specify the LAN IP Range (e.g. FROM: 192.168.1.1 TO:192.168.1.254”)
c. When done, click OK.
RULE 2: ALLOW ACCESS TO SYNOLOGY FROM YOUR COUNTRY.
5a. Now click again the Create button to setup the 2nd rule: Allow the access to Synology from your Country.
5b. In ‘Create Firewall Rules’ window, ensure that the action is set to Allow and then select Location and click Select.
5c. In the search box, type your country’s name (or locate your country from the list) and then place a checkmark next to its name to select it.
5d. When done, click OK.
RULE 3: DENY ACCESS TO SYNOLOGY FROM ALL OTHER COUNTRIES.
6a. Click the Create button again to create the rule that will block access to Synology NAS from other countries.
6b. In ‘Create Firewall Rules’ window, leave selected the All Ports & All Source IP options, check the Deny action and click OK.
RULE 4: ALLOW ACCESS TO SYNOLOGY FROM YOUR ISP STATIC IP (OPTIONAL).
If you own a static ISP from your ISP is suggested to allow also the access on Synology from it. To do that:
* Note: If you don’t own a static IP from your ISP skip steps 7a, 7b & 7c.
7a. Create a new rule and then choose Specific IP and click Select.
7b. At Source IP window, choose Single Host, type next your Static IP (ISP) and click OK.
7c. After adding the rule to allow your Static IP (ISP), move the rule to the 2nd position in the Rules list as shown below.*
* Note: The “Deny” action must be the last rule in the sequence.
8. Click OK to save the changes.
9. Finally click Apply to apply your Firewall rules.
That’s it! Let me know if this guide has helped you by leaving your comment about your experience. Please like and share this guide to help others.